From 792e6e66ca2675a3007843d80268dfafe4d05a6f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 20 Apr 2020 20:00:51 +0200 Subject: [PATCH 001/686] python/tests: add DynamicTestCase setUpDynamicTestCases() infrastructure This can be used in order to run a sepcific test (coded just once) with an autogenerated set of arguments. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531 Pair-Programmed-With: Douglas Bagnall Signed-off-by: Stefan Metzmacher Signed-off-by: Douglas Bagnall (cherry picked from commit 80347deb544b38be6c6814e5d1b82e48ebe83fd1) --- python/samba/tests/__init__.py | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py index ef0fdabbfa2..13d42779262 100644 --- a/python/samba/tests/__init__.py +++ b/python/samba/tests/__init__.py @@ -62,10 +62,37 @@ BINDIR = os.path.abspath(os.path.join(os.path.dirname(__file__), HEXDUMP_FILTER = bytearray([x if ((len(repr(chr(x))) == 3) and (x < 127)) else ord('.') for x in range(256)]) +def DynamicTestCase(cls): + cls.setUpDynamicTestCases() + return cls class TestCase(unittest.TestCase): """A Samba test case.""" + @classmethod + def generate_dynamic_test(cls, fnname, suffix, *args): + """ + fnname is something like "test_dynamic_sum" + suffix is something like "1plus2" + argstr could be (1, 2) + + This would generate a test case called + "test_dynamic_sum_1plus2(self)" that + calls + self._test_dynamic_sum_with_args(1, 2) + """ + def fn(self): + getattr(self, "_%s_with_args" % fnname)(*args) + setattr(cls, "%s_%s" % (fnname, suffix), fn) + + @classmethod + def setUpDynamicTestCases(cls): + """This can be implemented in order to call cls.generate_dynamic_test() + In order to implement autogenerated testcase permutations. + """ + msg = "%s needs setUpDynamicTestCases() if @DynamicTestCase is used!" % (cls) + raise Exception(msg) + def setUp(self): super(TestCase, self).setUp() test_debug_level = os.getenv("TEST_DEBUG_LEVEL") -- 2.35.0 From cfc26524d591b2b276ed2e944c8e0cd0d3c65b14 Mon Sep 17 00:00:00 2001 From: Noel Power Date: Wed, 15 May 2019 10:30:29 +0100 Subject: [PATCH 002/686] lib/ldb: Fix incorrect return type for (setter) func type BUG: https://bugzilla.samba.org/show_bug.cgi?id=13948 Signed-off-by: Noel Power Reviewed-by: Andreas Schneider (cherry picked from commit 27d99eefe7676669343b9040f550480df6554a6e) --- lib/ldb/pyldb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c index b2cac8a3497..794b2184941 100644 --- a/lib/ldb/pyldb.c +++ b/lib/ldb/pyldb.c @@ -199,7 +199,7 @@ static PyObject *py_ldb_control_get_critical(PyLdbControlObject *self) return PyBool_FromLong(self->data->critical); } -static PyObject *py_ldb_control_set_critical(PyLdbControlObject *self, PyObject *value, void *closure) +static int py_ldb_control_set_critical(PyLdbControlObject *self, PyObject *value, void *closure) { if (PyObject_IsTrue(value)) { self->data->critical = true; -- 2.35.0 From b79d9a304174e0fc08f1952fffcdf861ba48096b Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Sun, 17 Mar 2019 14:47:40 +1300 Subject: [PATCH 003/686] tests: ensure that most python scripts have usage text When a script is run with the wrong arguments, it should at least say something like this: Usage: samba-foo [OPTIONS] For many samba scripts, especially without a server environment, having no arguments is the wrong arguments. Here we look for every executable file with '#![...]python[3]' on the first line, and exclude certain files and directories that have excuses to fail the test. For example, many selftest scripts are stream-oriented and will hang forever waiting for stdin, which is not an error. Some test modules are designed so they can be optionally run from the command line, but this option is typically only used by the developer who is writing them. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett (cherry picked from commit 538ffe1960a8640875759ca194cc4cc9fae2c5bc) [jsutton@samba.org Backported to fix conflict in source4/selftest/tests.py] --- python/samba/tests/usage.py | 205 ++++++++++++++++++++++++++++++++++++ selftest/knownfail.d/usage | 28 +++++ source4/selftest/tests.py | 2 + 3 files changed, 235 insertions(+) create mode 100644 python/samba/tests/usage.py create mode 100644 selftest/knownfail.d/usage diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py new file mode 100644 index 00000000000..30c083076ff --- /dev/null +++ b/python/samba/tests/usage.py @@ -0,0 +1,205 @@ +# Unix SMB/CIFS implementation. +# Copyright © Douglas Bagnall +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import sys +import subprocess +from samba.tests import TestCase +from unittest import TestSuite +import re +import stat + +if 'SRCDIR_ABS' in os.environ: + BASEDIR = os.environ['SRCDIR_ABS'] +else: + BASEDIR = os.path.abspath(os.path.join(os.path.dirname(__file__), + '../../..')) + +TEST_DIRS = [ + "bootstrap", + "testdata", + "ctdb", + "dfs_server", + "pidl", + "auth", + "packaging", + "python", + "include", + "nsswitch", + "libcli", + "coverity", + "release-scripts", + "testprogs", + "bin", + "source3", + "docs-xml", + "buildtools", + "file_server", + "dynconfig", + "source4", + "tests", + "libds", + "selftest", + "lib", + "script", + "traffic", + "testsuite", + "libgpo", + "wintest", + "librpc", +] + + +EXCLUDE_USAGE = { + 'script/autobuild.py', # defaults to mount /memdisk/ + 'script/bisect-test.py', + 'ctdb/utils/etcd/ctdb_etcd_lock', + 'selftest/filter-subunit', + 'selftest/format-subunit', + 'bin/gen_output.py', # too much output! + 'source4/scripting/bin/gen_output.py', + 'lib/ldb/tests/python/index.py', + 'lib/ldb/tests/python/api.py', + 'source4/selftest/tests.py', + 'buildtools/bin/waf', + 'selftest/tap2subunit', + 'script/show_test_time', + 'source4/scripting/bin/subunitrun', + 'source3/selftest/tests.py', + 'selftest/tests.py', + 'python/samba/subunit/run.py', + 'bin/python/samba/subunit/run.py', + 'python/samba/tests/dcerpc/raw_protocol.py' +} + + +EXCLUDE_DIRS = { + 'source3/script/tests', + 'python/examples', + 'source4/dsdb/tests/python', + 'bin/ab', + 'bin/python/samba/tests', + 'bin/python/samba/tests/dcerpc', +} + + +def _init_git_file_finder(): + """Generate a function that quickly answers the question: + 'is this a git file?' + """ + git_file_cache = set() + p = subprocess.run(['git', + '-C', BASEDIR, + 'ls-files', + '-z'], + stdout=subprocess.PIPE) + if p.returncode == 0: + for fn in p.stdout.split(b'\0'): + git_file_cache.add(os.path.join(BASEDIR, fn.decode('utf-8'))) + return git_file_cache.__contains__ + + +is_git_file = _init_git_file_finder() + + +def python_script_iterator(d=BASEDIR, _cache={}): + """Generate an iterator over executable Python scripts. By default it + walks the entire source tree. + """ + if d not in _cache: + cache = {} + _cache[d] = cache + pyshebang = re.compile(br'#!.+python').match + safename = re.compile(r'\W+').sub + for subdir in TEST_DIRS: + sd = os.path.join(d, subdir) + for root, dirs, files in os.walk(sd, followlinks=False): + for fn in files: + if fn.endswith('~'): + continue + if fn.endswith('.inst'): + continue + ffn = os.path.join(root, fn) + if not (subdir == 'bin' or is_git_file(ffn)): + continue + + try: + s = os.stat(ffn) + except FileNotFoundError: + continue + if not s.st_mode & stat.S_IXUSR: + continue + try: + f = open(ffn, 'rb') + except OSError as e: + print("could not open %s: %s" % (ffn, e)) + continue + line = f.read(40) + f.close() + if not pyshebang(line): + continue + name = safename('_', fn) + while name in cache: + name += '_' + cache[name] = ffn + + return _cache[d].items() + + +class PythonScriptUsageTests(TestCase): + """Python scripts run without arguments should print a usage string, + not fail with a traceback. + """ + + @classmethod + def initialise(cls): + for name, filename in python_script_iterator(): + # We add the actual tests after the class definition so we + # can give individual names to them, so we can have a + # knownfail list. + fn = filename.replace(BASEDIR, '').lstrip('/') + + if fn in EXCLUDE_USAGE: + print("skipping %s (EXCLUDE_USAGE)" % filename) + continue + + if os.path.dirname(fn) in EXCLUDE_DIRS: + print("skipping %s (EXCLUDE_DIRS)" % filename) + continue + + def _f(self, filename=filename): + print(filename) + try: + p = subprocess.Popen(['python3', filename], + stderr=subprocess.PIPE, + stdout=subprocess.PIPE) + out, err = p.communicate(timeout=5) + except OSError as e: + self.fail("Error: %s" % e) + except subprocess.SubprocessError as e: + self.fail("Subprocess error: %s" % e) + + err = err.decode('utf-8') + out = out.decode('utf-8') + self.assertNotIn('Traceback', err) + + self.assertIn('usage', out.lower() + err.lower(), + 'stdout:\n%s\nstderr:\n%s' % (out, err)) + + setattr(cls, 'test_%s' % name, _f) + + +PythonScriptUsageTests.initialise() diff --git a/selftest/knownfail.d/usage b/selftest/knownfail.d/usage new file mode 100644 index 00000000000..3c526f32f22 --- /dev/null +++ b/selftest/knownfail.d/usage @@ -0,0 +1,28 @@ +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_chgtdcpass.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_compare_cc_results_py.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_demodirsync_py.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_dns_hub_py.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_findprovisionusnranges.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_get_descriptors.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_mymachinepw.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_rebuildextendeddn.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_renamedc.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_repl_cleartext_pwd_py.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_rodcdns.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_dnsupdate.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_dnsupdate_.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_sambadowngradedatabase.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_gpupdate.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_gpupdate_.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_kcc.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_kcc_.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_spnupdate.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_spnupdate_.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_upgradedns.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_upgradedns_.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_upgradeprovision.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_upgradeprovision_.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_smbstatus.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_test_s3_py.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_test_s4_howto_py.none. +samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_traffic_learner.none. diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 8cf54841e86..1561f068ca1 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1333,3 +1333,5 @@ planoldpythontestsuite("proclimitdc:local", 'SOCKET_WRAPPER_DEFAULT_IFACE': 11}, name="samba.tests.process_limits", py3_compatible=True) + +planoldpythontestsuite("none", "samba.tests.usage") -- 2.35.0 From 8b56a822d4c526760d451537b45381efcbf17620 Mon Sep 17 00:00:00 2001 From: Michael Hanselmann Date: Fri, 12 Apr 2019 00:46:37 +0200 Subject: [PATCH 004/686] ldb: Avoid read beyond buffer Calling the "ldb_parse_tree" function with a filter consisting of exactly a single space (" ") would trigger a read beyond the input buffer. A unittest is included. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13900 Signed-off-by: Michael Hanselmann Reviewed-by: Andrew Bartlett Reviewed-by: Tim Beale (cherry picked from commit 7f48fbcf7bad06a6df7812bb4fd3b0fca8edb4ea) [jsutton@samba.org Adapted to fix conflicts in lib/ldb/wscript] --- lib/ldb/common/ldb_parse.c | 6 +-- lib/ldb/tests/ldb_parse_test.c | 93 ++++++++++++++++++++++++++++++++++ lib/ldb/wscript | 8 ++- 3 files changed, 103 insertions(+), 4 deletions(-) create mode 100644 lib/ldb/tests/ldb_parse_test.c diff --git a/lib/ldb/common/ldb_parse.c b/lib/ldb/common/ldb_parse.c index db420091311..452c5830ed5 100644 --- a/lib/ldb/common/ldb_parse.c +++ b/lib/ldb/common/ldb_parse.c @@ -328,7 +328,7 @@ static enum ldb_parse_op ldb_parse_filtertype(TALLOC_CTX *mem_ctx, char **type, if (*p == '=') { filter = LDB_OP_EQUALITY; - } else if (*(p + 1) == '=') { + } else if (*p != '\0' && *(p + 1) == '=') { switch (*p) { case '<': filter = LDB_OP_LESS; @@ -679,12 +679,12 @@ static struct ldb_parse_tree *ldb_parse_filter(TALLOC_CTX *mem_ctx, const char * */ struct ldb_parse_tree *ldb_parse_tree(TALLOC_CTX *mem_ctx, const char *s) { + while (s && isspace((unsigned char)*s)) s++; + if (s == NULL || *s == 0) { s = "(|(objectClass=*)(distinguishedName=*))"; } - while (isspace((unsigned char)*s)) s++; - if (*s == '(') { return ldb_parse_filter(mem_ctx, &s); } diff --git a/lib/ldb/tests/ldb_parse_test.c b/lib/ldb/tests/ldb_parse_test.c new file mode 100644 index 00000000000..a739d7795d1 --- /dev/null +++ b/lib/ldb/tests/ldb_parse_test.c @@ -0,0 +1,93 @@ +/* + * Tests exercising the ldb parse operations. + * + * Copyright (C) Catalyst.NET Ltd 2017 + * Copyright (C) Michael Hanselmann 2019 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + */ + +#include +#include +#include +#include +#include + +#include "../include/ldb.h" + +struct test_ctx +{ +}; + +static int setup(void **state) +{ + struct test_ctx *ctx; + + ctx = talloc_zero(NULL, struct test_ctx); + assert_non_null(ctx); + + *state = ctx; + + return 0; +} + +static int teardown(void **state) +{ + struct test_ctx *ctx = + talloc_get_type_abort(*state, struct test_ctx); + + talloc_free(ctx); + + return 0; +} + +static void test_roundtrip(TALLOC_CTX *mem_ctx, const char *filter, const char *expected) +{ + struct ldb_parse_tree *tree; + char *serialized; + + assert_non_null(filter); + assert_non_null(expected); + + tree = ldb_parse_tree(mem_ctx, filter); + assert_non_null(tree); + + serialized = ldb_filter_from_tree(mem_ctx, tree); + assert_non_null(serialized); + + assert_string_equal(serialized, expected); +} + +static void test_parse_filtertype(void **state) +{ + struct test_ctx *ctx = + talloc_get_type_abort(*state, struct test_ctx); + + test_roundtrip(ctx, "", "(|(objectClass=*)(distinguishedName=*))"); + test_roundtrip(ctx, "a=value", "(a=value)"); + test_roundtrip(ctx, "(|(foo=bar)(baz=hello))", "(|(foo=bar)(baz=hello))"); + test_roundtrip(ctx, " ", "(|(objectClass=*)(distinguishedName=*))"); +} + +int main(int argc, const char **argv) +{ + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_parse_filtertype, setup, teardown), + }; + + cmocka_set_message_output(CM_OUTPUT_SUBUNIT); + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/lib/ldb/wscript b/lib/ldb/wscript index 58240222d5f..2197a304e94 100644 --- a/lib/ldb/wscript +++ b/lib/ldb/wscript @@ -516,6 +516,11 @@ def build(bld): deps='cmocka ldb', install=False) + bld.SAMBA_BINARY('ldb_parse_test', + source='tests/ldb_parse_test.c', + deps='cmocka ldb ldb_tdb_err_map', + install=False) + if bld.CONFIG_SET('HAVE_LMDB'): bld.SAMBA_BINARY('ldb_mdb_mod_op_test', source='tests/ldb_mod_op_test.c', @@ -584,7 +589,8 @@ def test(ctx): # fit > 4G of data into the DB), it would fill up the disk on # many of our test instances 'ldb_mdb_kv_ops_test', - 'ldb_match_test'] + 'ldb_match_test', + 'ldb_parse_test'] for test_exe in test_exes: cmd = os.path.join(Context.g_module.out, test_exe) -- 2.35.0 From 687ee8e9eb30442dce905b7037a76f76e451d1c3 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Tue, 8 Dec 2020 21:32:09 +1300 Subject: [PATCH 005/686] CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds For a string that had N spaces at the beginning, we would try to move N bytes beyond the end of the string. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett (cherry picked from commit 1fe8c790b2294fd10fe9c9c6254ecf2b6c00b709) --- lib/ldb/common/attrib_handlers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ldb/common/attrib_handlers.c b/lib/ldb/common/attrib_handlers.c index 4b94d392cc6..409b8c62025 100644 --- a/lib/ldb/common/attrib_handlers.c +++ b/lib/ldb/common/attrib_handlers.c @@ -76,7 +76,7 @@ int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx, /* remove leading spaces if any */ if (*s == ' ') { - for (t = s; *s == ' '; s++) ; + for (t = s; *s == ' '; s++, l--) ; /* remove leading spaces by moving down the string */ memmove(t, s, l); -- 2.35.0 From 6d9b2bf77bb3649d6f46ed427a2e035a3b0b623f Mon Sep 17 00:00:00 2001 From: Noel Power Date: Tue, 22 Jan 2019 18:26:23 +0000 Subject: [PATCH 006/686] Decrement references to python objects passed to Py_BuildValue Py_BuildValue when processing format 'O' will 'Pass a Python object untouched (except for its reference count, which is incremented by one' Basically this means if you are using a new reference to a PyObject to pass to BuildValue (to be used with the 'O' format) the reference *isn't* stolen so you really do need to DECREF it in order to ensure it gets cleaned up. Signed-off-by: Noel Power Reviewed-by: Douglas Bagnall (cherry picked from commit a8e10a12493fdb6b8347b14e157aeb619cf2d2da) --- auth/credentials/pycredentials.c | 7 ++++--- lib/ldb/pyldb.c | 15 +++++++++++---- source3/libsmb/pylibsmb.c | 7 +++++-- source4/dns_server/pydns.c | 6 +++++- 4 files changed, 25 insertions(+), 10 deletions(-) diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index 7f9bc38af8e..6fb2c807ed6 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c @@ -75,9 +75,10 @@ static PyObject *py_creds_get_ntlm_username_domain(PyObject *self, PyObject *unu PyObject *ret = NULL; cli_credentials_get_ntlm_username_domain(PyCredentials_AsCliCredentials(self), frame, &user, &domain); - ret = Py_BuildValue("(OO)", - PyString_FromStringOrNULL(user), - PyString_FromStringOrNULL(domain)); + ret = Py_BuildValue("(ss)", + user, + domain); + TALLOC_FREE(frame); return ret; } diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c index 794b2184941..9dd5c2019b6 100644 --- a/lib/ldb/pyldb.c +++ b/lib/ldb/pyldb.c @@ -1673,9 +1673,13 @@ static PyObject *ldb_ldif_to_pyobject(struct ldb_ldif *ldif) Py_RETURN_NONE; } else { /* We don't want this attached to the 'ldb' any more */ - return Py_BuildValue(discard_const_p(char, "(iO)"), - ldif->changetype, - PyLdbMessage_FromMessage(ldif->msg)); + PyObject *obj = PyLdbMessage_FromMessage(ldif->msg); + PyObject *result = + Py_BuildValue(discard_const_p(char, "(iO)"), + ldif->changetype, + obj); + Py_CLEAR(obj); + return result; } } @@ -3427,12 +3431,15 @@ static PyObject *py_ldb_msg_items(PyLdbMessageObject *self) Py_ssize_t i, j = 0; PyObject *l = PyList_New(msg->num_elements + (msg->dn == NULL?0:1)); if (msg->dn != NULL) { - PyList_SetItem(l, 0, Py_BuildValue("(sO)", "dn", pyldb_Dn_FromDn(msg->dn))); + PyObject *obj = pyldb_Dn_FromDn(msg->dn); + PyList_SetItem(l, 0, Py_BuildValue("(sO)", "dn", obj)); + Py_CLEAR(obj); j++; } for (i = 0; i < msg->num_elements; i++, j++) { PyObject *py_el = PyLdbMessageElement_FromMessageElement(&msg->elements[i], msg->elements); PyObject *value = Py_BuildValue("(sO)", msg->elements[i].name, py_el); + Py_CLEAR(py_el); PyList_SetItem(l, j, value); } return l; diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c index b4903a9b8c5..b63101b85a0 100644 --- a/source3/libsmb/pylibsmb.c +++ b/source3/libsmb/pylibsmb.c @@ -1124,13 +1124,14 @@ static NTSTATUS list_helper(const char *mntpoint, struct file_info *finfo, { PyObject *result = (PyObject *)state; PyObject *file = NULL; + PyObject *size = NULL; int ret; /* suppress '.' and '..' in the results we return */ if (ISDOT(finfo->name) || ISDOTDOT(finfo->name)) { return NT_STATUS_OK; } - + size = PyLong_FromUnsignedLongLong(finfo->size); /* * Build a dictionary representing the file info. * Note: Windows does not always return short_name (so it may be None) @@ -1139,10 +1140,12 @@ static NTSTATUS list_helper(const char *mntpoint, struct file_info *finfo, "name", finfo->name, "attrib", (int)finfo->mode, "short_name", finfo->short_name, - "size", PyLong_FromUnsignedLongLong(finfo->size), + "size", size, "mtime", convert_timespec_to_time_t(finfo->mtime_ts)); + Py_CLEAR(size); + if (file == NULL) { return NT_STATUS_NO_MEMORY; } diff --git a/source4/dns_server/pydns.c b/source4/dns_server/pydns.c index a4441ddef56..16d22dfe4b8 100644 --- a/source4/dns_server/pydns.c +++ b/source4/dns_server/pydns.c @@ -100,6 +100,7 @@ static PyObject *py_dsdb_dns_lookup(PyObject *self, struct ldb_context *samdb; PyObject *py_ldb, *ret, *pydn; PyObject *py_dns_partition = NULL; + PyObject *result = NULL; char *dns_name; TALLOC_CTX *frame; NTSTATUS status; @@ -156,7 +157,10 @@ static PyObject *py_dsdb_dns_lookup(PyObject *self, ret = py_dnsp_DnssrvRpcRecord_get_list(records, num_records); pydn = pyldb_Dn_FromDn(dn); talloc_free(frame); - return Py_BuildValue("(OO)", pydn, ret); + result = Py_BuildValue("(OO)", pydn, ret); + Py_CLEAR(ret); + Py_CLEAR(pydn); + return result; } static PyObject *py_dsdb_dns_extract(PyObject *self, PyObject *args) -- 2.35.0 From 67bb93f85f5fe8cddd5cc1c1184e2aa064b838ed Mon Sep 17 00:00:00 2001 From: Noel Power Date: Fri, 25 Jan 2019 12:02:50 +0000 Subject: [PATCH 007/686] Examine result of SetList (and prevent sending NULL to PyList_SetItem) Signed-off-by: Noel Power Reviewed-by: Douglas Bagnall (cherry picked from commit 1be9b0cf1bc95715e83c27eabecbd4fa2022530b) --- lib/ldb/pyldb.c | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c index 9dd5c2019b6..56614a850df 100644 --- a/lib/ldb/pyldb.c +++ b/lib/ldb/pyldb.c @@ -3430,17 +3430,41 @@ static PyObject *py_ldb_msg_items(PyLdbMessageObject *self) struct ldb_message *msg = pyldb_Message_AsMessage(self); Py_ssize_t i, j = 0; PyObject *l = PyList_New(msg->num_elements + (msg->dn == NULL?0:1)); + if (l == NULL) { + return PyErr_NoMemory(); + } if (msg->dn != NULL) { + PyObject *value = NULL; PyObject *obj = pyldb_Dn_FromDn(msg->dn); - PyList_SetItem(l, 0, Py_BuildValue("(sO)", "dn", obj)); + int res = 0; + value = Py_BuildValue("(sO)", "dn", obj); Py_CLEAR(obj); + if (value == NULL) { + Py_CLEAR(l); + return NULL; + } + res = PyList_SetItem(l, 0, value); + if (res == -1) { + Py_CLEAR(l); + return NULL; + } j++; } for (i = 0; i < msg->num_elements; i++, j++) { + PyObject *value = NULL; PyObject *py_el = PyLdbMessageElement_FromMessageElement(&msg->elements[i], msg->elements); - PyObject *value = Py_BuildValue("(sO)", msg->elements[i].name, py_el); + int res = 0; Py_CLEAR(py_el); - PyList_SetItem(l, j, value); + value = Py_BuildValue("(sO)", msg->elements[i].name, py_el); + if (value == NULL ) { + Py_CLEAR(l); + return NULL; + } + res = PyList_SetItem(l, 0, value); + if (res == -1) { + Py_CLEAR(l); + return NULL; + } } return l; } -- 2.35.0 From 954763500b055723949649556d1b630206640edb Mon Sep 17 00:00:00 2001 From: Noel Power Date: Thu, 2 May 2019 19:51:05 +0100 Subject: [PATCH 008/686] lib/ldb: squash 'cast between incompatible function types' warning To avoid warning above produced by using -Wcast-function-type we; + ensure PyCFunctions of type METH_NOARGS defined dummy arg + ensure PyCFunctions of type METH_KEYWORDS use PY_DISCARD_FUNC_SIG macro Signed-off-by: Noel Power Reviewed-by: Andreas Schneider (cherry picked from commit 51f146de5adbb5a58a528e168e7fe9faa4477880) --- lib/ldb/pyldb.c | 139 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 94 insertions(+), 45 deletions(-) diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c index 56614a850df..92a4e206feb 100644 --- a/lib/ldb/pyldb.c +++ b/lib/ldb/pyldb.c @@ -34,6 +34,9 @@ #include "pyldb.h" #include "dlinklist.h" +/* discard signature of 'func' in favour of 'target_sig' */ +#define PY_DISCARD_FUNC_SIG(target_sig, func) (target_sig)(void(*)(void))func + struct py_ldb_search_iterator_reply; typedef struct { @@ -189,12 +192,14 @@ static PyObject *wrap_text(const char *type, PyObject *wrapped) return inst; } -static PyObject *py_ldb_control_get_oid(PyLdbControlObject *self) +static PyObject *py_ldb_control_get_oid(PyLdbControlObject *self, + PyObject *Py_UNUSED(ignored)) { return PyStr_FromString(self->data->oid); } -static PyObject *py_ldb_control_get_critical(PyLdbControlObject *self) +static PyObject *py_ldb_control_get_critical(PyLdbControlObject *self, + PyObject *Py_UNUSED(ignored)) { return PyBool_FromLong(self->data->critical); } @@ -487,27 +492,32 @@ static struct ldb_result *PyLdbResult_AsResult(TALLOC_CTX *mem_ctx, return res; } -static PyObject *py_ldb_dn_validate(PyLdbDnObject *self) +static PyObject *py_ldb_dn_validate(PyLdbDnObject *self, + PyObject *Py_UNUSED(ignored)) { return PyBool_FromLong(ldb_dn_validate(self->dn)); } -static PyObject *py_ldb_dn_is_valid(PyLdbDnObject *self) +static PyObject *py_ldb_dn_is_valid(PyLdbDnObject *self, + PyObject *Py_UNUSED(ignored)) { return PyBool_FromLong(ldb_dn_is_valid(self->dn)); } -static PyObject *py_ldb_dn_is_special(PyLdbDnObject *self) +static PyObject *py_ldb_dn_is_special(PyLdbDnObject *self, + PyObject *Py_UNUSED(ignored)) { return PyBool_FromLong(ldb_dn_is_special(self->dn)); } -static PyObject *py_ldb_dn_is_null(PyLdbDnObject *self) +static PyObject *py_ldb_dn_is_null(PyLdbDnObject *self, + PyObject *Py_UNUSED(ignored)) { return PyBool_FromLong(ldb_dn_is_null(self->dn)); } -static PyObject *py_ldb_dn_get_casefold(PyLdbDnObject *self) +static PyObject *py_ldb_dn_get_casefold(PyLdbDnObject *self, + PyObject *Py_UNUSED(ignored)) { return PyStr_FromString(ldb_dn_get_casefold(self->dn)); } @@ -517,12 +527,14 @@ static PyObject *py_ldb_dn_get_linearized(PyLdbDnObject *self) return PyStr_FromString(ldb_dn_get_linearized(self->dn)); } -static PyObject *py_ldb_dn_canonical_str(PyLdbDnObject *self) +static PyObject *py_ldb_dn_canonical_str(PyLdbDnObject *self, + PyObject *Py_UNUSED(ignored)) { return PyStr_FromString(ldb_dn_canonical_string(self->dn, self->dn)); } -static PyObject *py_ldb_dn_canonical_ex_str(PyLdbDnObject *self) +static PyObject *py_ldb_dn_canonical_ex_str(PyLdbDnObject *self, + PyObject *Py_UNUSED(ignored)) { return PyStr_FromString(ldb_dn_canonical_ex_string(self->dn, self->dn)); } @@ -618,7 +630,8 @@ static PyObject *py_ldb_dn_richcmp(PyObject *dn1, PyObject *dn2, int op) return richcmp(ret, op); } -static PyObject *py_ldb_dn_get_parent(PyLdbDnObject *self) +static PyObject *py_ldb_dn_get_parent(PyLdbDnObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_dn *dn = pyldb_Dn_AsDn((PyObject *)self); struct ldb_dn *parent; @@ -760,7 +773,8 @@ static PyObject *py_ldb_dn_set_component(PyLdbDnObject *self, PyObject *args) Py_RETURN_NONE; } -static PyObject *py_ldb_dn_get_rdn_name(PyLdbDnObject *self) +static PyObject *py_ldb_dn_get_rdn_name(PyLdbDnObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_dn *dn; const char *name; @@ -775,7 +789,8 @@ static PyObject *py_ldb_dn_get_rdn_name(PyLdbDnObject *self) return PyStr_FromString(name); } -static PyObject *py_ldb_dn_get_rdn_value(PyLdbDnObject *self) +static PyObject *py_ldb_dn_get_rdn_value(PyLdbDnObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_dn *dn; const struct ldb_val *val; @@ -803,7 +818,9 @@ static PyMethodDef py_ldb_dn_methods[] = { "Check whether this is a null DN." }, { "get_casefold", (PyCFunction)py_ldb_dn_get_casefold, METH_NOARGS, NULL }, - { "get_linearized", (PyCFunction)py_ldb_dn_get_linearized, METH_NOARGS, + { "get_linearized", PY_DISCARD_FUNC_SIG(PyCFunction, + py_ldb_dn_get_linearized), + METH_NOARGS, NULL }, { "canonical_str", (PyCFunction)py_ldb_dn_canonical_str, METH_NOARGS, "S.canonical_str() -> string\n" @@ -813,7 +830,9 @@ static PyMethodDef py_ldb_dn_methods[] = { { "canonical_ex_str", (PyCFunction)py_ldb_dn_canonical_ex_str, METH_NOARGS, "S.canonical_ex_str() -> string\n" "Canonical version of this DN (like a posix path, with terminating newline)." }, - { "extended_str", (PyCFunction)py_ldb_dn_extended_str, METH_VARARGS | METH_KEYWORDS, + { "extended_str", PY_DISCARD_FUNC_SIG(PyCFunction, + py_ldb_dn_extended_str), + METH_VARARGS | METH_KEYWORDS, "S.extended_str(mode=1) -> string\n" "Extended version of this DN" }, { "parent", (PyCFunction)py_ldb_dn_get_parent, METH_NOARGS, @@ -1027,7 +1046,8 @@ static PyObject *py_ldb_set_modules_dir(PyTypeObject *self, PyObject *args) Py_RETURN_NONE; } -static PyObject *py_ldb_transaction_start(PyLdbObject *self) +static PyObject *py_ldb_transaction_start(PyLdbObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_context *ldb_ctx = pyldb_Ldb_AsLdbContext(self); int ldb_err; @@ -1036,7 +1056,8 @@ static PyObject *py_ldb_transaction_start(PyLdbObject *self) Py_RETURN_NONE; } -static PyObject *py_ldb_transaction_commit(PyLdbObject *self) +static PyObject *py_ldb_transaction_commit(PyLdbObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_context *ldb_ctx = pyldb_Ldb_AsLdbContext(self); int ldb_err; @@ -1045,7 +1066,8 @@ static PyObject *py_ldb_transaction_commit(PyLdbObject *self) Py_RETURN_NONE; } -static PyObject *py_ldb_transaction_prepare_commit(PyLdbObject *self) +static PyObject *py_ldb_transaction_prepare_commit(PyLdbObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_context *ldb_ctx = pyldb_Ldb_AsLdbContext(self); int ldb_err; @@ -1054,7 +1076,8 @@ static PyObject *py_ldb_transaction_prepare_commit(PyLdbObject *self) Py_RETURN_NONE; } -static PyObject *py_ldb_transaction_cancel(PyLdbObject *self) +static PyObject *py_ldb_transaction_cancel(PyLdbObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_context *ldb_ctx = pyldb_Ldb_AsLdbContext(self); int ldb_err; @@ -1063,7 +1086,8 @@ static PyObject *py_ldb_transaction_cancel(PyLdbObject *self) Py_RETURN_NONE; } -static PyObject *py_ldb_setup_wellknown_attributes(PyLdbObject *self) +static PyObject *py_ldb_setup_wellknown_attributes(PyLdbObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_context *ldb_ctx = pyldb_Ldb_AsLdbContext(self); int ldb_err; @@ -1077,7 +1101,8 @@ static PyObject *py_ldb_repr(PyLdbObject *self) return PyStr_FromString(""); } -static PyObject *py_ldb_get_root_basedn(PyLdbObject *self) +static PyObject *py_ldb_get_root_basedn(PyLdbObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_dn *dn = ldb_get_root_basedn(pyldb_Ldb_AsLdbContext(self)); if (dn == NULL) @@ -1086,7 +1111,8 @@ static PyObject *py_ldb_get_root_basedn(PyLdbObject *self) } -static PyObject *py_ldb_get_schema_basedn(PyLdbObject *self) +static PyObject *py_ldb_get_schema_basedn(PyLdbObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_dn *dn = ldb_get_schema_basedn(pyldb_Ldb_AsLdbContext(self)); if (dn == NULL) @@ -1094,7 +1120,8 @@ static PyObject *py_ldb_get_schema_basedn(PyLdbObject *self) return py_ldb_dn_copy(dn); } -static PyObject *py_ldb_get_config_basedn(PyLdbObject *self) +static PyObject *py_ldb_get_config_basedn(PyLdbObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_dn *dn = ldb_get_config_basedn(pyldb_Ldb_AsLdbContext(self)); if (dn == NULL) @@ -1102,7 +1129,8 @@ static PyObject *py_ldb_get_config_basedn(PyLdbObject *self) return py_ldb_dn_copy(dn); } -static PyObject *py_ldb_get_default_basedn(PyLdbObject *self) +static PyObject *py_ldb_get_default_basedn(PyLdbObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_dn *dn = ldb_get_default_basedn(pyldb_Ldb_AsLdbContext(self)); if (dn == NULL) @@ -2195,7 +2223,8 @@ static PyObject *py_ldb_set_opaque(PyLdbObject *self, PyObject *args) Py_RETURN_NONE; } -static PyObject *py_ldb_modules(PyLdbObject *self) +static PyObject *py_ldb_modules(PyLdbObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_context *ldb = pyldb_Ldb_AsLdbContext(self); PyObject *ret = PyList_New(0); @@ -2234,7 +2263,8 @@ static const struct ldb_dn_extended_syntax test_dn_syntax = { .write_hex_fn = ldb_handler_copy, }; -static PyObject *py_ldb_register_test_extensions(PyLdbObject *self) +static PyObject *py_ldb_register_test_extensions(PyLdbObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_context *ldb = pyldb_Ldb_AsLdbContext(self); int ret; @@ -2280,22 +2310,28 @@ static PyMethodDef py_ldb_methods[] = { NULL }, { "get_config_basedn", (PyCFunction)py_ldb_get_config_basedn, METH_NOARGS, NULL }, - { "connect", (PyCFunction)py_ldb_connect, METH_VARARGS|METH_KEYWORDS, + { "connect", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_connect), + METH_VARARGS|METH_KEYWORDS, "S.connect(url, flags=0, options=None) -> None\n" "Connect to a LDB URL." }, - { "modify", (PyCFunction)py_ldb_modify, METH_VARARGS|METH_KEYWORDS, + { "modify", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_modify), + METH_VARARGS|METH_KEYWORDS, "S.modify(message, controls=None, validate=False) -> None\n" "Modify an entry." }, - { "add", (PyCFunction)py_ldb_add, METH_VARARGS|METH_KEYWORDS, + { "add", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_add), + METH_VARARGS|METH_KEYWORDS, "S.add(message, controls=None) -> None\n" "Add an entry." }, - { "delete", (PyCFunction)py_ldb_delete, METH_VARARGS|METH_KEYWORDS, + { "delete", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_delete), + METH_VARARGS|METH_KEYWORDS, "S.delete(dn, controls=None) -> None\n" "Remove an entry." }, - { "rename", (PyCFunction)py_ldb_rename, METH_VARARGS|METH_KEYWORDS, + { "rename", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_rename), + METH_VARARGS|METH_KEYWORDS, "S.rename(old_dn, new_dn, controls=None) -> None\n" "Rename an entry." }, - { "search", (PyCFunction)py_ldb_search, METH_VARARGS|METH_KEYWORDS, + { "search", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_search), + METH_VARARGS|METH_KEYWORDS, "S.search(base=None, scope=None, expression=None, attrs=None, controls=None) -> result\n" "Search in a database.\n" "\n" @@ -2306,7 +2342,9 @@ static PyMethodDef py_ldb_methods[] = { ":param controls: Optional list of controls\n" ":return: ldb.Result object\n" }, - { "search_iterator", (PyCFunction)py_ldb_search_iterator, METH_VARARGS|METH_KEYWORDS, + { "search_iterator", PY_DISCARD_FUNC_SIG(PyCFunction, + py_ldb_search_iterator), + METH_VARARGS|METH_KEYWORDS, "S.search_iterator(base=None, scope=None, expression=None, attrs=None, controls=None, timeout=None) -> iterator\n" "Search in a database.\n" "\n" @@ -2623,7 +2661,8 @@ static PyObject *py_ldb_search_iterator_next(PyLdbSearchIteratorObject *self) return py_ret; } -static PyObject *py_ldb_search_iterator_result(PyLdbSearchIteratorObject *self) +static PyObject *py_ldb_search_iterator_result(PyLdbSearchIteratorObject *self, + PyObject *Py_UNUSED(ignored)) { PyObject *py_ret = NULL; @@ -2657,7 +2696,8 @@ static PyObject *py_ldb_search_iterator_result(PyLdbSearchIteratorObject *self) return py_ret; } -static PyObject *py_ldb_search_iterator_abandon(PyLdbSearchIteratorObject *self) +static PyObject *py_ldb_search_iterator_abandon(PyLdbSearchIteratorObject *self, + PyObject *Py_UNUSED(ignored)) { if (self->state.req == NULL) { PyErr_SetString(PyExc_RuntimeError, @@ -2707,19 +2747,22 @@ static PyObject *py_ldb_module_str(PyLdbModuleObject *self) return PyStr_FromString(pyldb_Module_AsModule(self)->ops->name); } -static PyObject *py_ldb_module_start_transaction(PyLdbModuleObject *self) +static PyObject *py_ldb_module_start_transaction(PyLdbModuleObject *self, + PyObject *Py_UNUSED(ignored)) { pyldb_Module_AsModule(self)->ops->start_transaction(pyldb_Module_AsModule(self)); Py_RETURN_NONE; } -static PyObject *py_ldb_module_end_transaction(PyLdbModuleObject *self) +static PyObject *py_ldb_module_end_transaction(PyLdbModuleObject *self, + PyObject *Py_UNUSED(ignored)) { pyldb_Module_AsModule(self)->ops->end_transaction(pyldb_Module_AsModule(self)); Py_RETURN_NONE; } -static PyObject *py_ldb_module_del_transaction(PyLdbModuleObject *self) +static PyObject *py_ldb_module_del_transaction(PyLdbModuleObject *self, + PyObject *Py_UNUSED(ignored)) { pyldb_Module_AsModule(self)->ops->del_transaction(pyldb_Module_AsModule(self)); Py_RETURN_NONE; @@ -2859,7 +2902,8 @@ static PyObject *py_ldb_module_rename(PyLdbModuleObject *self, PyObject *args) } static PyMethodDef py_ldb_module_methods[] = { - { "search", (PyCFunction)py_ldb_module_search, METH_VARARGS|METH_KEYWORDS, NULL }, + { "search", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_module_search), + METH_VARARGS|METH_KEYWORDS, NULL }, { "add", (PyCFunction)py_ldb_module_add, METH_VARARGS, NULL }, { "modify", (PyCFunction)py_ldb_module_modify, METH_VARARGS, NULL }, { "rename", (PyCFunction)py_ldb_module_rename, METH_VARARGS, NULL }, @@ -3345,7 +3389,8 @@ static PyObject *py_ldb_msg_remove_attr(PyLdbMessageObject *self, PyObject *args Py_RETURN_NONE; } -static PyObject *py_ldb_msg_keys(PyLdbMessageObject *self) +static PyObject *py_ldb_msg_keys(PyLdbMessageObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_message *msg = pyldb_Message_AsMessage(self); Py_ssize_t i, j = 0; @@ -3425,7 +3470,8 @@ static PyObject *py_ldb_msg_get(PyLdbMessageObject *self, PyObject *args, PyObje return PyObject_FromLdbValue(&el->values[idx]); } -static PyObject *py_ldb_msg_items(PyLdbMessageObject *self) +static PyObject *py_ldb_msg_items(PyLdbMessageObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_message *msg = pyldb_Message_AsMessage(self); Py_ssize_t i, j = 0; @@ -3469,7 +3515,8 @@ static PyObject *py_ldb_msg_items(PyLdbMessageObject *self) return l; } -static PyObject *py_ldb_msg_elements(PyLdbMessageObject *self) +static PyObject *py_ldb_msg_elements(PyLdbMessageObject *self, + PyObject *Py_UNUSED(ignored)) { struct ldb_message *msg = pyldb_Message_AsMessage(self); Py_ssize_t i = 0; @@ -3525,13 +3572,14 @@ static PyMethodDef py_ldb_msg_methods[] = { "Message.from_dict(ldb, dict, mod_flag=FLAG_MOD_REPLACE) -> ldb.Message\n" "Class method to create ldb.Message object from Dictionary.\n" "mod_flag is one of FLAG_MOD_ADD, FLAG_MOD_REPLACE or FLAG_MOD_DELETE."}, - { "keys", (PyCFunction)py_ldb_msg_keys, METH_NOARGS, + { "keys", (PyCFunction)py_ldb_msg_keys, METH_NOARGS, "S.keys() -> list\n\n" "Return sequence of all attribute names." }, { "remove", (PyCFunction)py_ldb_msg_remove_attr, METH_VARARGS, "S.remove(name)\n\n" "Remove all entries for attributes with the specified name."}, - { "get", (PyCFunction)py_ldb_msg_get, METH_VARARGS | METH_KEYWORDS, + { "get", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_msg_get), + METH_VARARGS | METH_KEYWORDS, "msg.get(name,default=None,idx=None) -> string\n" "idx is the index into the values array\n" "if idx is None, then a list is returned\n" @@ -3549,7 +3597,7 @@ static PyObject *py_ldb_msg_iter(PyLdbMessageObject *self) { PyObject *list, *iter; - list = py_ldb_msg_keys(self); + list = py_ldb_msg_keys(self, NULL); iter = PyObject_GetIter(list); Py_DECREF(list); return iter; @@ -4202,7 +4250,8 @@ static PyMethodDef py_ldb_global_methods[] = { { "valid_attr_name", py_valid_attr_name, METH_VARARGS, "S.valid_attr_name(name) -> bool\n\nn" "Check whether the supplied name is a valid attribute name." }, - { "open", (PyCFunction)py_ldb_new, METH_VARARGS|METH_KEYWORDS, + { "open", PY_DISCARD_FUNC_SIG(PyCFunction,py_ldb_new), + METH_VARARGS|METH_KEYWORDS, "S.open() -> Ldb\n\n" "Open a new LDB context." }, { "binary_encode", py_binary_encode, METH_VARARGS, -- 2.35.0 From b33a518419f8e8f93cf01316198ea83f4fec71be Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 5 Mar 2021 15:47:56 +1300 Subject: [PATCH 009/686] ldb: add tests for ldb_wildcard_compare MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044 Signed-off-by: Douglas Bagnall Reviewed-by: Björn Jacke Reviewed-by: Andrew Bartlett (cherry picked from commit 33a95a1e75b85e9795c4490b78ead2162e2a1f47) --- lib/ldb/tests/ldb_match_test.c | 134 ++++++++++++++++++++++++++++++--- 1 file changed, 124 insertions(+), 10 deletions(-) diff --git a/lib/ldb/tests/ldb_match_test.c b/lib/ldb/tests/ldb_match_test.c index e09f50c86ba..3028aed072c 100644 --- a/lib/ldb/tests/ldb_match_test.c +++ b/lib/ldb/tests/ldb_match_test.c @@ -91,6 +91,33 @@ static int teardown(void **state) return 0; } +static void escape_string(uint8_t *buf, size_t buflen, + const uint8_t *s, size_t len) +{ + size_t i; + size_t j = 0; + for (i = 0; i < len; i++) { + if (j == buflen - 1) { + goto fin; + } + if (s[i] >= 0x20) { + buf[j] = s[i]; + j++; + } else { + if (j >= buflen - 4) { + goto fin; + } + /* utf-8 control char representation */ + buf[j] = 0xE2; + buf[j + 1] = 0x90; + buf[j + 2] = 0x80 + s[i]; + j+= 3; + } + } +fin: + buf[j] = 0; +} + /* * The wild card pattern "attribute=*" is parsed as an LDB_OP_PRESENT operation @@ -122,23 +149,110 @@ static void test_wildcard_match_star(void **state) * Test basic wild card matching * */ +struct wildcard_test { + uint8_t *val; + size_t val_size; + const char *search; + bool should_match; + bool fold; +}; + +/* + * Q: Why this macro rather than plain struct values? + * A: So we can get the size of the const char[] value while it is still a + * true array, not a pointer. + * + * Q: but why not just use strlen? + * A: so values can contain '\0', which we supposedly allow. + */ + +#define TEST_ENTRY(val, search, should_match, fold) \ + { \ + (uint8_t*)discard_const(val), \ + sizeof(val) - 1, \ + search, \ + should_match, \ + fold \ + } + static void test_wildcard_match(void **state) { struct ldbtest_ctx *ctx = *state; - bool matched = false; - - uint8_t value[] = "The value.......end"; - struct ldb_val val = { - .data = value, - .length = (sizeof(value)) + size_t failed = 0; + size_t i; + struct wildcard_test tests[] = { + TEST_ENTRY("The value.......end", "*end", true, true), + TEST_ENTRY("The value.......end", "*fend", false, true), + TEST_ENTRY("The value.......end", "*eel", false, true), + TEST_ENTRY("The value.......end", "*d", true, true), + TEST_ENTRY("The value.......end", "*D*", true, true), + TEST_ENTRY("The value.......end", "*e*d*", true, true), + TEST_ENTRY("end", "*e*d*", true, true), + TEST_ENTRY("end", " *e*d*", true, true), + TEST_ENTRY("1.0.0.0.0.0.0.0aaaaaaaaaaaa", "*aaaaa", true, true), + TEST_ENTRY("1.0..0.0.0.0.0.0.0aAaaaAAAAAAA", "*a", true, true), + TEST_ENTRY("1.0.0.0.0.0.0.0.0.0.0aaaa", "*aaaaa", false, true), + TEST_ENTRY("1.0.0.0.0.0.0.0.0.0.0", "*0.0", true, true), + TEST_ENTRY("1.0.0.0.0.0.0.0.0.0.0", "*0.0.0", true, true), + TEST_ENTRY("1.0.0.0.0.0.0.0.0.0", "1*0*0*0*0*0*0*0*0*0", true, + true), + TEST_ENTRY("1.0.0.0.0.0.0.0.0", "1*0*0*0*0*0*0*0*0*0", false, + true), + TEST_ENTRY("1.0.0.0.000.0.0.0.0", "1*0*0*0*0*0*0*0*0*0", true, + true), + TEST_ENTRY("1\n0\r0\t000.0.0.0.0", "1*0*0*0*0*0*0*0*0", true, + true), + /* + * We allow NUL bytes in non-casefolding syntaxes. + */ + TEST_ENTRY("1\x00 x", "1*x", true, false), + TEST_ENTRY("1\x00 x", "*x", true, false), + TEST_ENTRY("1\x00 x", "*x*", true, false), + TEST_ENTRY("1\x00 x", "* *", true, false), + TEST_ENTRY("1\x00 x", "1*", true, false), + TEST_ENTRY("1\x00 b* x", "1*b*", true, false), + TEST_ENTRY("1.0..0.0.0.0.0.0.0aAaaaAAAAAAA", "*a", false, false), }; - struct ldb_parse_tree *tree = ldb_parse_tree(ctx, "objectClass=*end"); - assert_non_null(tree); - ldb_wildcard_compare(ctx->ldb, tree, val, &matched); - assert_true(matched); + for (i = 0; i < ARRAY_SIZE(tests); i++) { + bool matched; + int ret; + struct ldb_val val = { + .data = (uint8_t *)tests[i].val, + .length = tests[i].val_size + }; + const char *attr = tests[i].fold ? "objectclass" : "birthLocation"; + const char *s = talloc_asprintf(ctx, "%s=%s", + attr, tests[i].search); + struct ldb_parse_tree *tree = ldb_parse_tree(ctx, s); + assert_non_null(tree); + ret = ldb_wildcard_compare(ctx->ldb, tree, val, &matched); + if (ret != LDB_SUCCESS) { + uint8_t buf[100]; + escape_string(buf, sizeof(buf), + tests[i].val, tests[i].val_size); + print_error("%zu val: «%s», search «%s» FAILED with %d\n", + i, buf, tests[i].search, ret); + failed++; + } + if (matched != tests[i].should_match) { + uint8_t buf[100]; + escape_string(buf, sizeof(buf), + tests[i].val, tests[i].val_size); + print_error("%zu val: «%s», search «%s» should %s\n", + i, buf, tests[i].search, + matched ? "not match" : "match"); + failed++; + } + } + if (failed != 0) { + fail_msg("wrong results for %zu/%zu wildcard searches\n", + failed, ARRAY_SIZE(tests)); + } } +#undef TEST_ENTRY + /* * ldb_handler_copy and ldb_val_dup over allocate by one and add a trailing '\0' -- 2.35.0 From eda03ddd4d83e1d73b480a014366e5773bc1f925 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 5 Mar 2021 20:13:01 +1300 Subject: [PATCH 010/686] CVE-2021-20277 ldb tests: ldb_match tests with extra spaces BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett (cherry picked from commit ea4bd2c437fbb5801fb82e2a038d9cdb5abea4c0) --- lib/ldb/tests/ldb_match_test.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/ldb/tests/ldb_match_test.c b/lib/ldb/tests/ldb_match_test.c index 3028aed072c..ba6ea56be15 100644 --- a/lib/ldb/tests/ldb_match_test.c +++ b/lib/ldb/tests/ldb_match_test.c @@ -181,6 +181,8 @@ static void test_wildcard_match(void **state) size_t failed = 0; size_t i; struct wildcard_test tests[] = { + TEST_ENTRY(" 1 0", "1*0*", true, true), + TEST_ENTRY(" 1 0", "1 *0", true, true), TEST_ENTRY("The value.......end", "*end", true, true), TEST_ENTRY("The value.......end", "*fend", false, true), TEST_ENTRY("The value.......end", "*eel", false, true), @@ -203,8 +205,12 @@ static void test_wildcard_match(void **state) TEST_ENTRY("1\n0\r0\t000.0.0.0.0", "1*0*0*0*0*0*0*0*0", true, true), /* - * We allow NUL bytes in non-casefolding syntaxes. + * We allow NUL bytes and redundant spaces in non-casefolding + * syntaxes. */ + TEST_ENTRY(" 1 0", "*1 0", true, false), + TEST_ENTRY(" 1 0", "*1 0", true, false), + TEST_ENTRY("1 0", "*1 0", false, false), TEST_ENTRY("1\x00 x", "1*x", true, false), TEST_ENTRY("1\x00 x", "*x", true, false), TEST_ENTRY("1\x00 x", "*x*", true, false), -- 2.35.0 From 0a0ac0ed97f23a9987271696f29af622f7cf644f Mon Sep 17 00:00:00 2001 From: Joe Guo Date: Thu, 7 Mar 2019 12:34:15 +1300 Subject: [PATCH 011/686] subunit/run.py: make iso8601 UTC usage python 2/3 compatible In `iso8601/iso8601.py`: if sys.version_info >= (3, 2, 0): UTC = datetime.timezone.utc ... else: class Utc(datetime.tzinfo): ... UTC = Utc() The class `Utc` is only available for python < 3.2.0. Use `UTC` instance instead, which is python 2/3 compatible. Signed-off-by: Joe Guo Reviewed-by: Andrew Bartlett Reviewed-by: Noel Power (cherry picked from commit 02c7b8c03d4970421a5170e44c57cbc3cda82827) --- python/samba/subunit/run.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/python/samba/subunit/run.py b/python/samba/subunit/run.py index 8f32d46ef49..89ca8a8050b 100755 --- a/python/samba/subunit/run.py +++ b/python/samba/subunit/run.py @@ -24,7 +24,7 @@ $ python -m samba.subunit.run mylib.tests.test_suite """ -from iso8601.iso8601 import Utc +from iso8601.iso8601 import UTC import datetime import os @@ -184,7 +184,7 @@ class TestProtocolClient(unittest.TestResult): ":param datetime: A datetime.datetime object. """ - time = a_datetime.astimezone(Utc()) + time = a_datetime.astimezone(UTC) self._stream.write("time: %04d-%02d-%02d %02d:%02d:%02d.%06dZ\n" % ( time.year, time.month, time.day, time.hour, time.minute, time.second, time.microsecond)) @@ -458,7 +458,7 @@ class AutoTimingTestResultDecorator(HookedTestResultDecorator): time = self._time if time is not None: return - time = datetime.datetime.utcnow().replace(tzinfo=Utc()) + time = datetime.datetime.utcnow().replace(tzinfo=UTC) self.decorated.time(time) @property -- 2.35.0 From c9abe5f3835070fb12d58891bea45c41465c2e1c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Feb 2019 14:01:10 +0100 Subject: [PATCH 012/686] selftest:Samba4: add fl2008dc as alias to ad_dc_ntvfs Using aliases it will be possible to split the large amount of tests which use ad_dc_ntvfs into multiple autobuild/ci tasks/jobs later. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit 62eeab8f6cb6d9c85353738a2da073e0a16bd418) [jsutton@samba.org Adapted to fix conflicts and remove autobuild.py changes] --- selftest/target/Samba4.pm | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index a7a6c4c9587..b4c89a5a4bb 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -2371,9 +2371,26 @@ sub check_env($$) labdc => ["backupfromdc"], proclimitdc => [], + # aliases in order to split autbuild tasks + fl2008dc => ["ad_dc_ntvfs"], + none => [], ); +sub return_alias_env +{ + my ($self, $path, $env) = @_; + + # just an alias + return $env; +} + +sub setup_fl2008dc +{ + my ($self, $path, $dep_env) = @_; + return $self->return_alias_env($path, $dep_env) +} + sub setup_s4member { my ($self, $path, $dc_vars) = @_; -- 2.35.0 From fe8f577acc4fc975c9fd96067c46a3b62c7b7381 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Feb 2019 14:03:29 +0100 Subject: [PATCH 013/686] selftest:Samba4: add ad_dc_default alias to ad_dc_ntvfs This will allow us to run really most tests in an isolated autobuild/ci task later. This will apply to tests, which may not rely on the ntvfs backend, so the ad_dc_default alias can point to another environment in future. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit c217a15a2c3c6b6c171d28a57f9b0248dacaec53) [jsutton@samba.org Adapted to fix conflicts and remove autobuild.py changes] --- selftest/target/Samba4.pm | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index b4c89a5a4bb..2fbd5e24928 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -2373,6 +2373,7 @@ sub check_env($$) # aliases in order to split autbuild tasks fl2008dc => ["ad_dc_ntvfs"], + ad_dc_default => ["ad_dc_ntvfs"], none => [], ); @@ -2391,6 +2392,12 @@ sub setup_fl2008dc return $self->return_alias_env($path, $dep_env) } +sub setup_ad_dc_default +{ + my ($self, $path, $dep_env) = @_; + return $self->return_alias_env($path, $dep_env) +} + sub setup_s4member { my ($self, $path, $dc_vars) = @_; -- 2.35.0 From 1c17bd8fd3771682c8e8fee3e23b9f4cdc0ca90f Mon Sep 17 00:00:00 2001 From: Michael Hanselmann Date: Thu, 4 Apr 2019 00:04:23 +0200 Subject: [PATCH 014/686] ndrdump: Remove local variables for pipes There's no need for the local variables as the NDR call structure pointer is kept around anyway. Signed-off-by: Michael Hanselmann Reviewed-by: Andrew Bartlett (cherry picked from commit 10dd15010bddb929128b3585f1280ae1eb7b6b99) --- librpc/tools/ndrdump.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/librpc/tools/ndrdump.c b/librpc/tools/ndrdump.c index e26d3719429..b7eae70833e 100644 --- a/librpc/tools/ndrdump.c +++ b/librpc/tools/ndrdump.c @@ -229,8 +229,6 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) POPT_COMMON_VERSION { NULL } }; - const struct ndr_interface_call_pipes *in_pipes = NULL; - const struct ndr_interface_call_pipes *out_pipes = NULL; uint32_t highest_ofs; struct dcerpc_sec_verification_trailer *sec_vt = NULL; @@ -319,11 +317,9 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) if (strcmp(inout, "in") == 0 || strcmp(inout, "request") == 0) { flags = NDR_IN; - in_pipes = &f->in_pipes; } else if (strcmp(inout, "out") == 0 || strcmp(inout, "response") == 0) { flags = NDR_OUT; - out_pipes = &f->out_pipes; } else { printf("Bad inout value '%s'\n", inout); exit(1); @@ -445,8 +441,8 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) } TALLOC_FREE(sec_vt); - if (out_pipes) { - status = ndrdump_pull_and_print_pipes(function, ndr_pull, ndr_print, out_pipes); + if (flags & NDR_OUT) { + status = ndrdump_pull_and_print_pipes(function, ndr_pull, ndr_print, &f->out_pipes); if (!NT_STATUS_IS_OK(status)) { printf("dump FAILED\n"); exit(1); @@ -483,8 +479,8 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) exit(1); } - if (in_pipes) { - status = ndrdump_pull_and_print_pipes(function, ndr_pull, ndr_print, in_pipes); + if (flags & NDR_IN) { + status = ndrdump_pull_and_print_pipes(function, ndr_pull, ndr_print, &f->in_pipes); if (!NT_STATUS_IS_OK(status)) { printf("dump FAILED\n"); exit(1); -- 2.35.0 From 9b1673b1daa498baad570c836df3c591c1c3ce6b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 12 Apr 2019 15:10:35 +1200 Subject: [PATCH 015/686] ndrdump: change behaviour of flags to operate as flags These are called flags because that is what they become to the ndr_pull function, but to avoid total confusion treat them as flags generally even if the values are always exclusive (at the moment). Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall (cherry picked from commit c9e6331afc1ee0e85a9582c6682ff95885135792) --- librpc/tools/ndrdump.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/librpc/tools/ndrdump.c b/librpc/tools/ndrdump.c index b7eae70833e..ef7f9c66139 100644 --- a/librpc/tools/ndrdump.c +++ b/librpc/tools/ndrdump.c @@ -201,7 +201,7 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) struct ndr_pull *ndr_pull; struct ndr_print *ndr_print; TALLOC_CTX *mem_ctx; - int flags; + int flags = 0; poptContext pc; NTSTATUS status; enum ndr_err_code ndr_err; @@ -316,10 +316,10 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) if (strcmp(inout, "in") == 0 || strcmp(inout, "request") == 0) { - flags = NDR_IN; + flags |= NDR_IN; } else if (strcmp(inout, "out") == 0 || strcmp(inout, "response") == 0) { - flags = NDR_OUT; + flags |= NDR_OUT; } else { printf("Bad inout value '%s'\n", inout); exit(1); @@ -340,7 +340,7 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) } if (ctx_filename) { - if (flags == NDR_IN) { + if (flags & NDR_IN) { printf("Context file can only be used for \"out\" packages\n"); exit(1); } -- 2.35.0 From 5cf870906c585a649194dd318523f8990f73b700 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 4 Jun 2019 14:01:49 +1200 Subject: [PATCH 016/686] tests blackbox ndrdump: Add test for struct printing Add test for the dumping of a public structure with ndrdump. This removes the need to define decode_* functions in the idl. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett (cherry picked from commit 0e771f0ed6cb900e6eccc3a4205120ae8c0f7ee2) --- python/samba/tests/blackbox/ndrdump.py | 12 ++++++++++-- selftest/knownfail.d/ndrdump | 1 + 2 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 selftest/knownfail.d/ndrdump diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py index 350d576bc81..7ca7b93f559 100644 --- a/python/samba/tests/blackbox/ndrdump.py +++ b/python/samba/tests/blackbox/ndrdump.py @@ -22,7 +22,7 @@ from __future__ import print_function """Blackbox tests for ndrdump.""" import os -from samba.tests import BlackboxTestCase +from samba.tests import BlackboxTestCase, BlackboxProcessError for p in ["../../../../../source4/librpc/tests", "../../../../../librpc/tests"]: data_path_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), p)) @@ -49,6 +49,14 @@ class NdrDumpTests(BlackboxTestCase): def test_ndrdump_with_validate(self): self.check_run("ndrdump --validate samr samr_CreateUser in %s" % (self.data_path("samr-CreateUser-in.dat"))) - def test_ndrdump_with_hex(self): + def test_ndrdump_with_hex_decode_function(self): self.check_run("ndrdump dns decode_dns_name_packet in --hex-input %s" % self.data_path("dns-decode_dns_name_packet-hex.dat")) + + def test_ndrdump_with_hex_struct_name(self): + try: + self.check_run( + "ndrdump dns dns_name_packet struct --hex-input %s" % + self.data_path("dns-decode_dns_name_packet-hex.dat")) + except BlackboxProcessError as e: + self.fail(e) diff --git a/selftest/knownfail.d/ndrdump b/selftest/knownfail.d/ndrdump new file mode 100644 index 00000000000..9f7335f5d0b --- /dev/null +++ b/selftest/knownfail.d/ndrdump @@ -0,0 +1 @@ +^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_with_hex_struct_name\(none\) -- 2.35.0 From 3b21fec3c417fc1c17dbe9ce0b925e165343bdd6 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Wed, 5 Jun 2019 08:43:33 +1200 Subject: [PATCH 017/686] pidl: Allow ndrdump to print public structures Generate code to allow ndrdump to operate on public structures. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett Pair-Programmed-With: Andrew Bartlett (cherry picked from commit 5d67e87d1c4504593f5da712f00de85371f8942f) --- librpc/ndr/libndr.h | 10 ++++++ pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 41 +++++++++++++++++++++++- 2 files changed, 50 insertions(+), 1 deletion(-) diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h index 8a15fccfe09..8ece7374b9a 100644 --- a/librpc/ndr/libndr.h +++ b/librpc/ndr/libndr.h @@ -455,6 +455,14 @@ struct ndr_interface_call { struct ndr_interface_call_pipes out_pipes; }; +struct ndr_interface_public_struct { + const char *name; + size_t struct_size; + ndr_push_flags_fn_t ndr_push; + ndr_pull_flags_fn_t ndr_pull; + ndr_print_function_t ndr_print; +}; + struct ndr_interface_string_array { uint32_t count; const char * const *names; @@ -466,6 +474,8 @@ struct ndr_interface_table { const char *helpstring; uint32_t num_calls; const struct ndr_interface_call *calls; + uint32_t num_public_structs; + const struct ndr_interface_public_struct *public_structs; const struct ndr_interface_string_array *endpoints; const struct ndr_interface_string_array *authservices; }; diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index 432e52f89c4..2fc4327faf4 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -1833,6 +1833,9 @@ sub ParseStructNdrSize($$$$) sub DeclStruct($$$$) { my ($e,$t,$name,$varname) = @_; + if ($t eq "base") { + return "struct $name $varname"; + } return ($t ne "pull"?"const ":"") . "struct $name *$varname"; } @@ -2175,6 +2178,9 @@ sub ParseUnionPull($$$$) sub DeclUnion($$$$) { my ($e,$t,$name,$varname) = @_; + if ($t eq "base") { + return "union $name $varname"; + } return ($t ne "pull"?"const ":"") . "union $name *$varname"; } @@ -2752,21 +2758,52 @@ sub FunctionCallEntry($$) return 1; } +sub StructEntry($$) +{ + my ($self, $d) = @_; + my $type_decl = $typefamily{$d->{TYPE}}->{DECL}->($d, "base", $d->{NAME}, ""); + + $self->pidl("\t{"); + $self->pidl("\t\t.name = \"$d->{NAME}\","); + $self->pidl("\t\t.struct_size = sizeof($type_decl),"); + $self->pidl("\t\t.ndr_push = (ndr_push_flags_fn_t) ndr_push_$d->{NAME},"); + $self->pidl("\t\t.ndr_pull = (ndr_pull_flags_fn_t) ndr_pull_$d->{NAME},"); + $self->pidl("\t\t.ndr_print = (ndr_print_function_t) ndr_print_$d->{NAME},"); + $self->pidl("\t},"); + return 1; +} + ##################################################################### # produce a function call table sub FunctionTable($$) { my($self,$interface) = @_; my $count = 0; + my $count_public_structs = 0; my $uname = uc $interface->{NAME}; - return if ($#{$interface->{FUNCTIONS}}+1 == 0); + foreach my $d (@{$interface->{TYPES}}) { + next unless (has_property($d, "public")); + $count_public_structs += 1; + } + return if ($#{$interface->{FUNCTIONS}}+1 == 0 and + $count_public_structs == 0); return unless defined ($interface->{PROPERTIES}->{uuid}); foreach my $d (@{$interface->{INHERITED_FUNCTIONS}},@{$interface->{FUNCTIONS}}) { $self->FunctionCallPipes($d); } + $self->pidl("static const struct ndr_interface_public_struct $interface->{NAME}\_public_structs[] = {"); + + foreach my $d (@{$interface->{TYPES}}) { + next unless (has_property($d, "public")); + $self->StructEntry($d) + } + $self->pidl("\t{ .name = NULL }"); + $self->pidl("};"); + $self->pidl(""); + $self->pidl("static const struct ndr_interface_call $interface->{NAME}\_calls[] = {"); foreach my $d (@{$interface->{INHERITED_FUNCTIONS}},@{$interface->{FUNCTIONS}}) { @@ -2807,6 +2844,8 @@ sub FunctionTable($$) $self->pidl("\t.helpstring\t= NDR_$uname\_HELPSTRING,"); $self->pidl("\t.num_calls\t= $count,"); $self->pidl("\t.calls\t\t= $interface->{NAME}\_calls,"); + $self->pidl("\t.num_public_structs\t= $count_public_structs,"); + $self->pidl("\t.public_structs\t\t= $interface->{NAME}\_public_structs,"); $self->pidl("\t.endpoints\t= &$interface->{NAME}\_endpoints,"); $self->pidl("\t.authservices\t= &$interface->{NAME}\_authservices"); $self->pidl("};"); -- 2.35.0 From 73ff07d6873beebd2f36c7555c6e5b4f110b4a1b Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Wed, 5 Jun 2019 08:44:09 +1200 Subject: [PATCH 018/686] ndrdump: print public structures Add a struct option to ndrdump that will allow it to print public structures. i.e. binn/ndrdump dns dns_name_packet struct data.file Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett Pair-Programmed-With: Andrew Bartlett Signed-off-by: Andrew Bartlett (cherry picked from commit 3bf05fbfd7106f46b35ee027f57be4c6af72f22e) --- librpc/tools/ndrdump.1.xml | 15 +++--- librpc/tools/ndrdump.c | 98 +++++++++++++++++++++++++++++------- selftest/knownfail.d/ndrdump | 1 - 3 files changed, 88 insertions(+), 26 deletions(-) delete mode 100644 selftest/knownfail.d/ndrdump diff --git a/librpc/tools/ndrdump.1.xml b/librpc/tools/ndrdump.1.xml index e148eee0f03..fa6d763d18f 100644 --- a/librpc/tools/ndrdump.1.xml +++ b/librpc/tools/ndrdump.1.xml @@ -21,8 +21,8 @@ ndrdump -c context pipe - function - in|out + format + in|out|struct filename @@ -38,15 +38,18 @@ DESCRIPTION ndrdump tries to parse the specified filename - using Samba's parser for the specified pipe and function. The + using Samba's parser for the specified pipe and format. The third argument should be - either in or out, depending - on whether the data should be parsed as a request or a reply. + either in, out + or structdepending + on whether the data should be parsed as a request, reply or a + public structure. Running ndrdump without arguments will list the pipes for which parsers are available. - Running ndrdump with one argument will list the functions that + Running ndrdump with one argument will list the functions and + public structures that Samba can parse for the specified pipe. The primary function of ndrdump is debugging Samba's internal diff --git a/librpc/tools/ndrdump.c b/librpc/tools/ndrdump.c index ef7f9c66139..bd4f277607b 100644 --- a/librpc/tools/ndrdump.c +++ b/librpc/tools/ndrdump.c @@ -48,6 +48,35 @@ static const struct ndr_interface_call *find_function( return &p->calls[i]; } +/* + * Find a public structure on the pipe and return it as if it were + * a function (as the rest of ndrdump is based around functions) + */ +static const struct ndr_interface_call *find_struct( + const struct ndr_interface_table *p, + const char *struct_name, + struct ndr_interface_call *out_buffer) +{ + int i; + for (i=0;inum_public_structs;i++) { + if (strcmp(p->public_structs[i].name, struct_name) == 0) { + break; + } + } + if (i == p->num_public_structs) { + printf("Public structure '%s' not found\n", struct_name); + exit(1); + } + *out_buffer = (struct ndr_interface_call) { + .name = p->public_structs[i].name, + .struct_size = p->public_structs[i].struct_size, + .ndr_pull = p->public_structs[i].ndr_pull, + .ndr_push = p->public_structs[i].ndr_push, + .ndr_print = p->public_structs[i].ndr_print + }; + return out_buffer; +} + _NORETURN_ static void show_pipes(void) { const struct ndr_interface_list *l; @@ -71,6 +100,10 @@ _NORETURN_ static void show_functions(const struct ndr_interface_table *p) for (i=0;inum_calls;i++) { printf("\t0x%02x (%2d) %s\n", i, i, p->calls[i].name); } + printf("known public structures on '%s' are:\n", p->name); + for (i=0;inum_public_structs;i++) { + printf("\t%s\n", p->public_structs[i].name); + } exit(1); } @@ -194,7 +227,21 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) { const struct ndr_interface_table *p = NULL; const struct ndr_interface_call *f; - const char *pipe_name, *function, *inout, *filename; + struct ndr_interface_call f_buffer; + const char *pipe_name = NULL; + const char *filename = NULL; + /* + * The format type: + * in: a request + * out: a response + * struct: a public structure + */ + const char *type = NULL; + /* + * Format is either the name of the decoding function or the + * name of a public structure + */ + const char *format = NULL; uint8_t *data; size_t size; DATA_BLOB blob; @@ -244,7 +291,7 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) pc = poptGetContext("ndrdump", argc, argv, long_options, 0); poptSetOtherOptionHelp( - pc, " []"); + pc, " []"); while ((opt = poptGetNextOpt(pc)) != -1) { switch (opt) { @@ -302,29 +349,34 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) exit(1); } - function = poptGetArg(pc); - inout = poptGetArg(pc); + format = poptGetArg(pc); + type = poptGetArg(pc); filename = poptGetArg(pc); - if (!function || !inout) { + if (!format || !type) { poptPrintUsage(pc, stderr, 0); show_functions(p); exit(1); } - f = find_function(p, function); - - if (strcmp(inout, "in") == 0 || - strcmp(inout, "request") == 0) { - flags |= NDR_IN; - } else if (strcmp(inout, "out") == 0 || - strcmp(inout, "response") == 0) { - flags |= NDR_OUT; + if (strcmp(type, "struct") == 0) { + flags = 0; /* neither NDR_IN nor NDR_OUT */ + f = find_struct(p, format, &f_buffer); } else { - printf("Bad inout value '%s'\n", inout); - exit(1); + f = find_function(p, format); + if (strcmp(type, "in") == 0 || + strcmp(type, "request") == 0) { + flags |= NDR_IN; + } else if (strcmp(type, "out") == 0 || + strcmp(type, "response") == 0) { + flags |= NDR_OUT; + } else { + printf("Bad type value '%s'\n", type); + exit(1); + } } + mem_ctx = talloc_init("ndrdump"); st = talloc_zero_size(mem_ctx, f->struct_size); @@ -442,7 +494,10 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) TALLOC_FREE(sec_vt); if (flags & NDR_OUT) { - status = ndrdump_pull_and_print_pipes(function, ndr_pull, ndr_print, &f->out_pipes); + status = ndrdump_pull_and_print_pipes(format, + ndr_pull, + ndr_print, + &f->out_pipes); if (!NT_STATUS_IS_OK(status)) { printf("dump FAILED\n"); exit(1); @@ -472,7 +527,7 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) ndrdump_data(blob.data, blob.length, dumpdata); } - f->ndr_print(ndr_print, function, flags, st); + f->ndr_print(ndr_print, format, flags, st); if (!NT_STATUS_IS_OK(status)) { printf("dump FAILED\n"); @@ -480,7 +535,10 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) } if (flags & NDR_IN) { - status = ndrdump_pull_and_print_pipes(function, ndr_pull, ndr_print, &f->in_pipes); + status = ndrdump_pull_and_print_pipes(format, + ndr_pull, + ndr_print, + &f->in_pipes); if (!NT_STATUS_IS_OK(status)) { printf("dump FAILED\n"); exit(1); @@ -554,7 +612,9 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) ndr_v_print = talloc_zero(mem_ctx, struct ndr_print); ndr_v_print->print = ndr_print_debug_helper; ndr_v_print->depth = 1; - f->ndr_print(ndr_v_print, function, flags, v_st); + f->ndr_print(ndr_v_print, + format, + flags, v_st); if (blob.length != v_blob.length) { printf("WARNING! orig bytes:%llu validated pushed bytes:%llu\n", diff --git a/selftest/knownfail.d/ndrdump b/selftest/knownfail.d/ndrdump deleted file mode 100644 index 9f7335f5d0b..00000000000 --- a/selftest/knownfail.d/ndrdump +++ /dev/null @@ -1 +0,0 @@ -^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_with_hex_struct_name\(none\) -- 2.35.0 From 583a28173c451455979437d1865a5199a6055b1b Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 15 Feb 2020 18:33:33 +0100 Subject: [PATCH 019/686] python/tests/krb5: add crypto.py from greghudson/pyk5 as kcrypto.py This is crypto.py of commit f0612aa908062fb239d1c3873595e7204ae1691d from https://github.com/greghudson/pyk5.git This will be used in order to do raw protocol testing against [MS-KILE] KDCs. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Isaac Boukris Signed-off-by: Stefan Metzmacher Reviewed-by: Stefan Metzmacher (cherry picked from commit 679bb52c957dafcec96ff37f87d8c3496996b909) --- python/samba/tests/krb5/kcrypto.py | 713 +++++++++++++++++++++++++++++ python/samba/tests/source.py | 6 + python/samba/tests/usage.py | 4 +- 3 files changed, 722 insertions(+), 1 deletion(-) create mode 100644 python/samba/tests/krb5/kcrypto.py diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py new file mode 100644 index 00000000000..18c0f71c24c --- /dev/null +++ b/python/samba/tests/krb5/kcrypto.py @@ -0,0 +1,713 @@ +# Copyright (C) 2013 by the Massachusetts Institute of Technology. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +# OF THE POSSIBILITY OF SUCH DAMAGE. + +# XXX current status: +# * Done and tested +# - AES encryption, checksum, string2key, prf +# - cf2 (needed for FAST) +# * Still to do: +# - DES enctypes and cksumtypes +# - RC4 exported enctype (if we need it for anything) +# - Unkeyed checksums +# - Special RC4, raw DES/DES3 operations for GSSAPI +# * Difficult or low priority: +# - Camellia not supported by PyCrypto +# - Cipher state only needed for kcmd suite +# - Nonstandard enctypes and cksumtypes like des-hmac-sha1 + +from math import gcd +from functools import reduce +from struct import pack, unpack +from Crypto.Cipher import AES, DES3, ARC4 +from Crypto.Hash import HMAC, MD4, MD5, SHA +from Crypto.Protocol.KDF import PBKDF2 +from Crypto.Random import get_random_bytes + + +class Enctype(object): + DES_CRC = 1 + DES_MD4 = 2 + DES_MD5 = 3 + DES3 = 16 + AES128 = 17 + AES256 = 18 + RC4 = 23 + + +class Cksumtype(object): + CRC32 = 1 + MD4 = 2 + MD4_DES = 3 + MD5 = 7 + MD5_DES = 8 + SHA1 = 9 + SHA1_DES3 = 12 + SHA1_AES128 = 15 + SHA1_AES256 = 16 + HMAC_MD5 = -138 + + +class InvalidChecksum(ValueError): + pass + + +def _zeropad(s, padsize): + # Return s padded with 0 bytes to a multiple of padsize. + padlen = (padsize - (len(s) % padsize)) % padsize + return s + bytes(padlen) + + +def _xorbytes(b1, b2): + # xor two strings together and return the resulting string. + assert len(b1) == len(b2) + return bytes([x ^ y for x, y in zip(b1, b2)]) + + +def _mac_equal(mac1, mac2): + # Constant-time comparison function. (We can't use HMAC.verify + # since we use truncated macs.) + assert len(mac1) == len(mac2) + res = 0 + for x, y in zip(mac1, mac2): + res |= x ^ y + return res == 0 + + +def _nfold(str, nbytes): + # Convert str to a string of length nbytes using the RFC 3961 nfold + # operation. + + # Rotate the bytes in str to the right by nbits bits. + def rotate_right(str, nbits): + nbytes, remain = (nbits//8) % len(str), nbits % 8 + return bytes([(str[i-nbytes] >> remain) | + (str[i-nbytes-1] << (8-remain) & 0xff) + for i in range(len(str))]) + + # Add equal-length strings together with end-around carry. + def add_ones_complement(str1, str2): + n = len(str1) + v = [a + b for a, b in zip(str1, str2)] + # Propagate carry bits to the left until there aren't any left. + while any(x & ~0xff for x in v): + v = [(v[i-n+1]>>8) + (v[i]&0xff) for i in range(n)] + return bytes([x for x in v]) + + # Concatenate copies of str to produce the least common multiple + # of len(str) and nbytes, rotating each copy of str to the right + # by 13 bits times its list position. Decompose the concatenation + # into slices of length nbytes, and add them together as + # big-endian ones' complement integers. + slen = len(str) + lcm = nbytes * slen // gcd(nbytes, slen) + bigstr = b''.join((rotate_right(str, 13 * i) for i in range(lcm // slen))) + slices = (bigstr[p:p+nbytes] for p in range(0, lcm, nbytes)) + return reduce(add_ones_complement, slices) + + +def _is_weak_des_key(keybytes): + return keybytes in (b'\x01\x01\x01\x01\x01\x01\x01\x01', + b'\xFE\xFE\xFE\xFE\xFE\xFE\xFE\xFE', + b'\x1F\x1F\x1F\x1F\x0E\x0E\x0E\x0E', + b'\xE0\xE0\xE0\xE0\xF1\xF1\xF1\xF1', + b'\x01\xFE\x01\xFE\x01\xFE\x01\xFE', + b'\xFE\x01\xFE\x01\xFE\x01\xFE\x01', + b'\x1F\xE0\x1F\xE0\x0E\xF1\x0E\xF1', + b'\xE0\x1F\xE0\x1F\xF1\x0E\xF1\x0E', + b'\x01\xE0\x01\xE0\x01\xF1\x01\xF1', + b'\xE0\x01\xE0\x01\xF1\x01\xF1\x01', + b'\x1F\xFE\x1F\xFE\x0E\xFE\x0E\xFE', + b'\xFE\x1F\xFE\x1F\xFE\x0E\xFE\x0E', + b'\x01\x1F\x01\x1F\x01\x0E\x01\x0E', + b'\x1F\x01\x1F\x01\x0E\x01\x0E\x01', + b'\xE0\xFE\xE0\xFE\xF1\xFE\xF1\xFE', + b'\xFE\xE0\xFE\xE0\xFE\xF1\xFE\xF1') + + +class _EnctypeProfile(object): + # Base class for enctype profiles. Usable enctype classes must define: + # * enctype: enctype number + # * keysize: protocol size of key in bytes + # * seedsize: random_to_key input size in bytes + # * random_to_key (if the keyspace is not dense) + # * string_to_key + # * encrypt + # * decrypt + # * prf + + @classmethod + def random_to_key(cls, seed): + if len(seed) != cls.seedsize: + raise ValueError('Wrong seed length') + return Key(cls.enctype, seed) + + +class _SimplifiedEnctype(_EnctypeProfile): + # Base class for enctypes using the RFC 3961 simplified profile. + # Defines the encrypt, decrypt, and prf methods. Subclasses must + # define: + # * blocksize: Underlying cipher block size in bytes + # * padsize: Underlying cipher padding multiple (1 or blocksize) + # * macsize: Size of integrity MAC in bytes + # * hashmod: PyCrypto hash module for underlying hash function + # * basic_encrypt, basic_decrypt: Underlying CBC/CTS cipher + + @classmethod + def derive(cls, key, constant): + # RFC 3961 only says to n-fold the constant only if it is + # shorter than the cipher block size. But all Unix + # implementations n-fold constants if their length is larger + # than the block size as well, and n-folding when the length + # is equal to the block size is a no-op. + plaintext = _nfold(constant, cls.blocksize) + rndseed = b'' + while len(rndseed) < cls.seedsize: + ciphertext = cls.basic_encrypt(key, plaintext) + rndseed += ciphertext + plaintext = ciphertext + return cls.random_to_key(rndseed[0:cls.seedsize]) + + @classmethod + def encrypt(cls, key, keyusage, plaintext, confounder): + ki = cls.derive(key, pack('>iB', keyusage, 0x55)) + ke = cls.derive(key, pack('>iB', keyusage, 0xAA)) + if confounder is None: + confounder = get_random_bytes(cls.blocksize) + basic_plaintext = confounder + _zeropad(plaintext, cls.padsize) + hmac = HMAC.new(ki.contents, basic_plaintext, cls.hashmod).digest() + return cls.basic_encrypt(ke, basic_plaintext) + hmac[:cls.macsize] + + @classmethod + def decrypt(cls, key, keyusage, ciphertext): + ki = cls.derive(key, pack('>iB', keyusage, 0x55)) + ke = cls.derive(key, pack('>iB', keyusage, 0xAA)) + if len(ciphertext) < cls.blocksize + cls.macsize: + raise ValueError('ciphertext too short') + basic_ctext, mac = ciphertext[:-cls.macsize], ciphertext[-cls.macsize:] + if len(basic_ctext) % cls.padsize != 0: + raise ValueError('ciphertext does not meet padding requirement') + basic_plaintext = cls.basic_decrypt(ke, basic_ctext) + hmac = HMAC.new(ki.contents, basic_plaintext, cls.hashmod).digest() + expmac = hmac[:cls.macsize] + if not _mac_equal(mac, expmac): + raise InvalidChecksum('ciphertext integrity failure') + # Discard the confounder. + return basic_plaintext[cls.blocksize:] + + @classmethod + def prf(cls, key, string): + # Hash the input. RFC 3961 says to truncate to the padding + # size, but implementations truncate to the block size. + hashval = cls.hashmod.new(string).digest() + truncated = hashval[:-(len(hashval) % cls.blocksize)] + # Encrypt the hash with a derived key. + kp = cls.derive(key, b'prf') + return cls.basic_encrypt(kp, truncated) + + +class _DES3CBC(_SimplifiedEnctype): + enctype = Enctype.DES3 + keysize = 24 + seedsize = 21 + blocksize = 8 + padsize = 8 + macsize = 20 + hashmod = SHA + + @classmethod + def random_to_key(cls, seed): + # XXX Maybe reframe as _DESEnctype.random_to_key and use that + # way from DES3 random-to-key when DES is implemented, since + # MIT does this instead of the RFC 3961 random-to-key. + def expand(seed): + def parity(b): + # Return b with the low-order bit set to yield odd parity. + b &= ~1 + return b if bin(b & ~1).count('1') % 2 else b | 1 + assert len(seed) == 7 + firstbytes = [parity(b & ~1) for b in seed] + lastbyte = parity(sum((seed[i]&1) << i+1 for i in range(7))) + keybytes = bytes([b for b in firstbytes + [lastbyte]]) + if _is_weak_des_key(keybytes): + keybytes[7] = bytes([keybytes[7] ^ 0xF0]) + return keybytes + + if len(seed) != 21: + raise ValueError('Wrong seed length') + k1, k2, k3 = expand(seed[:7]), expand(seed[7:14]), expand(seed[14:]) + return Key(cls.enctype, k1 + k2 + k3) + + @classmethod + def string_to_key(cls, string, salt, params): + if params is not None and params != b'': + raise ValueError('Invalid DES3 string-to-key parameters') + k = cls.random_to_key(_nfold(string + salt, 21)) + return cls.derive(k, b'kerberos') + + @classmethod + def basic_encrypt(cls, key, plaintext): + assert len(plaintext) % 8 == 0 + des3 = DES3.new(key.contents, AES.MODE_CBC, bytes(8)) + return des3.encrypt(plaintext) + + @classmethod + def basic_decrypt(cls, key, ciphertext): + assert len(ciphertext) % 8 == 0 + des3 = DES3.new(key.contents, AES.MODE_CBC, bytes(8)) + return des3.decrypt(ciphertext) + + +class _AESEnctype(_SimplifiedEnctype): + # Base class for aes128-cts and aes256-cts. + blocksize = 16 + padsize = 1 + macsize = 12 + hashmod = SHA + + @classmethod + def string_to_key(cls, string, salt, params): + (iterations,) = unpack('>L', params or b'\x00\x00\x10\x00') + prf = lambda p, s: HMAC.new(p, s, SHA).digest() + seed = PBKDF2(string, salt, cls.seedsize, iterations, prf) + tkey = cls.random_to_key(seed) + return cls.derive(tkey, b'kerberos') + + @classmethod + def basic_encrypt(cls, key, plaintext): + assert len(plaintext) >= 16 + aes = AES.new(key.contents, AES.MODE_CBC, bytes(16)) + ctext = aes.encrypt(_zeropad(plaintext, 16)) + if len(plaintext) > 16: + # Swap the last two ciphertext blocks and truncate the + # final block to match the plaintext length. + lastlen = len(plaintext) % 16 or 16 + ctext = ctext[:-32] + ctext[-16:] + ctext[-32:-16][:lastlen] + return ctext + + @classmethod + def basic_decrypt(cls, key, ciphertext): + assert len(ciphertext) >= 16 + aes = AES.new(key.contents, AES.MODE_ECB) + if len(ciphertext) == 16: + return aes.decrypt(ciphertext) + # Split the ciphertext into blocks. The last block may be partial. + cblocks = [ciphertext[p:p+16] for p in range(0, len(ciphertext), 16)] + lastlen = len(cblocks[-1]) + # CBC-decrypt all but the last two blocks. + prev_cblock = bytes(16) + plaintext = b'' + for b in cblocks[:-2]: + plaintext += _xorbytes(aes.decrypt(b), prev_cblock) + prev_cblock = b + # Decrypt the second-to-last cipher block. The left side of + # the decrypted block will be the final block of plaintext + # xor'd with the final partial cipher block; the right side + # will be the omitted bytes of ciphertext from the final + # block. + b = aes.decrypt(cblocks[-2]) + lastplaintext =_xorbytes(b[:lastlen], cblocks[-1]) + omitted = b[lastlen:] + # Decrypt the final cipher block plus the omitted bytes to get + # the second-to-last plaintext block. + plaintext += _xorbytes(aes.decrypt(cblocks[-1] + omitted), prev_cblock) + return plaintext + lastplaintext + + +class _AES128CTS(_AESEnctype): + enctype = Enctype.AES128 + keysize = 16 + seedsize = 16 + + +class _AES256CTS(_AESEnctype): + enctype = Enctype.AES256 + keysize = 32 + seedsize = 32 + + +class _RC4(_EnctypeProfile): + enctype = Enctype.RC4 + keysize = 16 + seedsize = 16 + + @staticmethod + def usage_str(keyusage): + # Return a four-byte string for an RFC 3961 keyusage, using + # the RFC 4757 rules. Per the errata, do not map 9 to 8. + table = {3: 8, 23: 13} + msusage = table[keyusage] if keyusage in table else keyusage + return pack('iB', keyusage, 0x99)) + hmac = HMAC.new(kc.contents, text, cls.enc.hashmod).digest() + return hmac[:cls.macsize] + + @classmethod + def verify(cls, key, keyusage, text, cksum): + if key.enctype != cls.enc.enctype: + raise ValueError('Wrong key type for checksum') + super(_SimplifiedChecksum, cls).verify(key, keyusage, text, cksum) + + +class _SHA1AES128(_SimplifiedChecksum): + macsize = 12 + enc = _AES128CTS + + +class _SHA1AES256(_SimplifiedChecksum): + macsize = 12 + enc = _AES256CTS + + +class _SHA1DES3(_SimplifiedChecksum): + macsize = 20 + enc = _DES3CBC + + +class _HMACMD5(_ChecksumProfile): + @classmethod + def checksum(cls, key, keyusage, text): + ksign = HMAC.new(key.contents, b'signaturekey\0', MD5).digest() + md5hash = MD5.new(_RC4.usage_str(keyusage) + text).digest() + return HMAC.new(ksign, md5hash, MD5).digest() + + @classmethod + def verify(cls, key, keyusage, text, cksum): + if key.enctype != Enctype.RC4: + raise ValueError('Wrong key type for checksum') + super(_HMACMD5, cls).verify(key, keyusage, text, cksum) + + +_enctype_table = { + Enctype.DES3: _DES3CBC, + Enctype.AES128: _AES128CTS, + Enctype.AES256: _AES256CTS, + Enctype.RC4: _RC4 +} + + +_checksum_table = { + Cksumtype.SHA1_DES3: _SHA1DES3, + Cksumtype.SHA1_AES128: _SHA1AES128, + Cksumtype.SHA1_AES256: _SHA1AES256, + Cksumtype.HMAC_MD5: _HMACMD5 +} + + +def _get_enctype_profile(enctype): + if enctype not in _enctype_table: + raise ValueError('Invalid enctype %d' % enctype) + return _enctype_table[enctype] + + +def _get_checksum_profile(cksumtype): + if cksumtype not in _checksum_table: + raise ValueError('Invalid cksumtype %d' % cksumtype) + return _checksum_table[cksumtype] + + +class Key(object): + def __init__(self, enctype, contents): + e = _get_enctype_profile(enctype) + if len(contents) != e.keysize: + raise ValueError('Wrong key length') + self.enctype = enctype + self.contents = contents + + +def seedsize(enctype): + e = _get_enctype_profile(enctype) + return e.seedsize + + +def random_to_key(enctype, seed): + e = _get_enctype_profile(enctype) + if len(seed) != e.seedsize: + raise ValueError('Wrong crypto seed length') + return e.random_to_key(seed) + + +def string_to_key(enctype, string, salt, params=None): + e = _get_enctype_profile(enctype) + return e.string_to_key(string, salt, params) + + +def encrypt(key, keyusage, plaintext, confounder=None): + e = _get_enctype_profile(key.enctype) + return e.encrypt(key, keyusage, plaintext, confounder) + + +def decrypt(key, keyusage, ciphertext): + # Throw InvalidChecksum on checksum failure. Throw ValueError on + # invalid key enctype or malformed ciphertext. + e = _get_enctype_profile(key.enctype) + return e.decrypt(key, keyusage, ciphertext) + + +def prf(key, string): + e = _get_enctype_profile(key.enctype) + return e.prf(key, string) + + +def make_checksum(cksumtype, key, keyusage, text): + c = _get_checksum_profile(cksumtype) + return c.checksum(key, keyusage, text) + + +def verify_checksum(cksumtype, key, keyusage, text, cksum): + # Throw InvalidChecksum exception on checksum failure. Throw + # ValueError on invalid cksumtype, invalid key enctype, or + # malformed checksum. + c = _get_checksum_profile(cksumtype) + c.verify(key, keyusage, text, cksum) + + +def prfplus(key, pepper, l): + # Produce l bytes of output using the RFC 6113 PRF+ function. + out = b'' + count = 1 + while len(out) < l: + out += prf(key, bytes([count]) + pepper) + count += 1 + return out[:l] + + +def cf2(enctype, key1, key2, pepper1, pepper2): + # Combine two keys and two pepper strings to produce a result key + # of type enctype, using the RFC 6113 KRB-FX-CF2 function. + e = _get_enctype_profile(enctype) + return e.random_to_key(_xorbytes(prfplus(key1, pepper1, e.seedsize), + prfplus(key2, pepper2, e.seedsize))) + + +if __name__ == '__main__': + def h(hexstr): + return bytes.fromhex(hexstr) + + # AES128 encrypt and decrypt + kb = h('9062430C8CDA3388922E6D6A509F5B7A') + conf = h('94B491F481485B9A0678CD3C4EA386AD') + keyusage = 2 + plain = b'9 bytesss' + ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7CD2E' + 'C26C355D2F') + k = Key(Enctype.AES128, kb) + assert(encrypt(k, keyusage, plain, conf) == ctxt) + assert(decrypt(k, keyusage, ctxt) == plain) + + # AES256 encrypt and decrypt + kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B1404231398') + conf = h('E45CA518B42E266AD98E165E706FFB60') + keyusage = 4 + plain = b'30 bytes bytes bytes bytes byt' + ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3D79A' + '295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') + k = Key(Enctype.AES256, kb) + assert(encrypt(k, keyusage, plain, conf) == ctxt) + assert(decrypt(k, keyusage, ctxt) == plain) + + # AES128 checksum + kb = h('9062430C8CDA3388922E6D6A509F5B7A') + keyusage = 3 + plain = b'eight nine ten eleven twelve thirteen' + cksum = h('01A4B088D45628F6946614E3') + k = Key(Enctype.AES128, kb) + verify_checksum(Cksumtype.SHA1_AES128, k, keyusage, plain, cksum) + + # AES256 checksum + kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBCFEA4EC76D7') + keyusage = 4 + plain = b'fourteen' + cksum = h('E08739E3279E2903EC8E3836') + k = Key(Enctype.AES256, kb) + verify_checksum(Cksumtype.SHA1_AES256, k, keyusage, plain, cksum) + + # AES128 string-to-key + string = b'password' + salt = b'ATHENA.MIT.EDUraeburn' + params = h('00000002') + kb = h('C651BF29E2300AC27FA469D693BDDA13') + k = string_to_key(Enctype.AES128, string, salt, params) + assert(k.contents == kb) + + # AES256 string-to-key + string = b'X' * 64 + salt = b'pass phrase equals block size' + params = h('000004B0') + kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56C553BA4B34') + k = string_to_key(Enctype.AES256, string, salt, params) + assert(k.contents == kb) + + # AES128 prf + kb = h('77B39A37A868920F2A51F9DD150C5717') + k = string_to_key(Enctype.AES128, b'key1', b'key1') + assert(prf(k, b'\x01\x61') == kb) + + # AES256 prf + kb = h('0D674DD0F9A6806525A4D92E828BD15A') + k = string_to_key(Enctype.AES256, b'key2', b'key2') + assert(prf(k, b'\x02\x62') == kb) + + # AES128 cf2 + kb = h('97DF97E4B798B29EB31ED7280287A92A') + k1 = string_to_key(Enctype.AES128, b'key1', b'key1') + k2 = string_to_key(Enctype.AES128, b'key2', b'key2') + k = cf2(Enctype.AES128, k1, k2, b'a', b'b') + assert(k.contents == kb) + + # AES256 cf2 + kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5E72B1C7B') + k1 = string_to_key(Enctype.AES256, b'key1', b'key1') + k2 = string_to_key(Enctype.AES256, b'key2', b'key2') + k = cf2(Enctype.AES256, k1, k2, b'a', b'b') + assert(k.contents == kb) + + # DES3 encrypt and decrypt + kb = h('0DD52094E0F41CECCB5BE510A764B35176E3981332F1E598') + conf = h('94690A17B2DA3C9B') + keyusage = 3 + plain = b'13 bytes byte' + ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F705E8' + '49CB7781D76A316B193F8D30') + k = Key(Enctype.DES3, kb) + assert(encrypt(k, keyusage, plain, conf) == ctxt) + assert(decrypt(k, keyusage, ctxt) == _zeropad(plain, 8)) + + # DES3 string-to-key + string = b'password' + salt = b'ATHENA.MIT.EDUraeburn' + kb = h('850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E') + k = string_to_key(Enctype.DES3, string, salt) + assert(k.contents == kb) + + # DES3 checksum + kb = h('7A25DF8992296DCEDA0E135BC4046E2375B3C14C98FBC162') + keyusage = 2 + plain = b'six seven' + cksum = h('0EEFC9C3E049AABC1BA5C401677D9AB699082BB4') + k = Key(Enctype.DES3, kb) + verify_checksum(Cksumtype.SHA1_DES3, k, keyusage, plain, cksum) + + # DES3 cf2 + kb = h('E58F9EB643862C13AD38E529313462A7F73E62834FE54A01') + k1 = string_to_key(Enctype.DES3, b'key1', b'key1') + k2 = string_to_key(Enctype.DES3, b'key2', b'key2') + k = cf2(Enctype.DES3, k1, k2, b'a', b'b') + assert(k.contents == kb) + + # RC4 encrypt and decrypt + kb = h('68F263DB3FCE15D031C9EAB02D67107A') + conf = h('37245E73A45FBF72') + keyusage = 4 + plain = b'30 bytes bytes bytes bytes byt' + ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0F260' + 'A99F0460508DE0CECC632D07C354124E46C5D2234EB8') + k = Key(Enctype.RC4, kb) + assert(encrypt(k, keyusage, plain, conf) == ctxt) + assert(decrypt(k, keyusage, ctxt) == plain) + + # RC4 string-to-key + string = b'foo' + kb = h('AC8E657F83DF82BEEA5D43BDAF7800CC') + k = string_to_key(Enctype.RC4, string, None) + assert(k.contents == kb) + + # RC4 checksum + kb = h('F7D3A155AF5E238A0B7A871A96BA2AB2') + keyusage = 6 + plain = b'seventeen eighteen nineteen twenty' + cksum = h('EB38CC97E2230F59DA4117DC5859D7EC') + k = Key(Enctype.RC4, kb) + verify_checksum(Cksumtype.HMAC_MD5, k, keyusage, plain, cksum) + + # RC4 cf2 + kb = h('24D7F6B6BAE4E5C00D2082C5EBAB3672') + k1 = string_to_key(Enctype.RC4, b'key1', b'key1') + k2 = string_to_key(Enctype.RC4, b'key2', b'key2') + k = cf2(Enctype.RC4, k1, k2, b'a', b'b') + assert(k.contents == kb) diff --git a/python/samba/tests/source.py b/python/samba/tests/source.py index 4bb652c4204..b7608b1bab3 100644 --- a/python/samba/tests/source.py +++ b/python/samba/tests/source.py @@ -90,6 +90,9 @@ class TestSource(TestCase): if "wafsamba" in fname: # FIXME: No copyright headers in wafsamba continue + if fname.endswith("python/samba/tests/krb5/kcrypto.py"): + # Imported from MIT testing repo + continue match = copyright_re.search(text) if not match: incorrect.append((fname, 'no copyright line found\n')) @@ -132,6 +135,9 @@ class TestSource(TestCase): # Imported from subunit/testtools, which are dual # Apache2/BSD-3. continue + if fname.endswith("python/samba/tests/krb5/kcrypto.py"): + # Imported from MIT testing repo + continue if not gpl_re.search(text): incorrect.append(fname) diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 30c083076ff..cebc54461b9 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -82,7 +82,8 @@ EXCLUDE_USAGE = { 'selftest/tests.py', 'python/samba/subunit/run.py', 'bin/python/samba/subunit/run.py', - 'python/samba/tests/dcerpc/raw_protocol.py' + 'python/samba/tests/dcerpc/raw_protocol.py', + 'python/samba/tests/krb5/kcrypto.py', } @@ -93,6 +94,7 @@ EXCLUDE_DIRS = { 'bin/ab', 'bin/python/samba/tests', 'bin/python/samba/tests/dcerpc', + 'bin/python/samba/tests/krb5', } -- 2.35.0 From cc6523ffe3c6c65373e2f0b0e5c6c9d963fd2983 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 20 Mar 2020 12:47:39 +0100 Subject: [PATCH 020/686] python/tests/krb5: convert kcrypto.py to python3-cryptography and a few Samba helpers Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris (cherry picked from commit 8bdd37997686d4ca60584bdfda78440be8432405) --- python/samba/tests/krb5/kcrypto.py | 422 +++++++++++++++++------------ 1 file changed, 254 insertions(+), 168 deletions(-) mode change 100644 => 100755 python/samba/tests/krb5/kcrypto.py diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py old mode 100644 new mode 100755 index 18c0f71c24c..0907d881b68 --- a/python/samba/tests/krb5/kcrypto.py +++ b/python/samba/tests/krb5/kcrypto.py @@ -1,3 +1,5 @@ +#!/usr/bin/env python3 +# # Copyright (C) 2013 by the Massachusetts Institute of Technology. # All rights reserved. # @@ -40,14 +42,26 @@ # - Cipher state only needed for kcmd suite # - Nonstandard enctypes and cksumtypes like des-hmac-sha1 +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + from math import gcd from functools import reduce from struct import pack, unpack -from Crypto.Cipher import AES, DES3, ARC4 -from Crypto.Hash import HMAC, MD4, MD5, SHA -from Crypto.Protocol.KDF import PBKDF2 -from Crypto.Random import get_random_bytes - +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives import hmac +from cryptography.hazmat.primitives.ciphers import algorithms as ciphers +from cryptography.hazmat.primitives.ciphers import modes +from cryptography.hazmat.primitives.ciphers.base import Cipher +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC +from samba.tests import TestCase +from samba.credentials import Credentials +from samba import generate_random_bytes as get_random_bytes +from samba.compat import get_string, get_bytes class Enctype(object): DES_CRC = 1 @@ -97,6 +111,15 @@ def _mac_equal(mac1, mac2): res |= x ^ y return res == 0 +def SIMPLE_HASH(string, algo_cls): + hash_ctx = hashes.Hash(algo_cls(), default_backend()) + hash_ctx.update(string) + return hash_ctx.finalize() + +def HMAC_HASH(key, string, algo_cls): + hmac_ctx = hmac.HMAC(key, algo_cls(), default_backend()) + hmac_ctx.update(string) + return hmac_ctx.finalize() def _nfold(str, nbytes): # Convert str to a string of length nbytes using the RFC 3961 nfold @@ -199,7 +222,7 @@ class _SimplifiedEnctype(_EnctypeProfile): if confounder is None: confounder = get_random_bytes(cls.blocksize) basic_plaintext = confounder + _zeropad(plaintext, cls.padsize) - hmac = HMAC.new(ki.contents, basic_plaintext, cls.hashmod).digest() + hmac = HMAC_HASH(ki.contents, basic_plaintext, cls.hashalgo) return cls.basic_encrypt(ke, basic_plaintext) + hmac[:cls.macsize] @classmethod @@ -212,7 +235,7 @@ class _SimplifiedEnctype(_EnctypeProfile): if len(basic_ctext) % cls.padsize != 0: raise ValueError('ciphertext does not meet padding requirement') basic_plaintext = cls.basic_decrypt(ke, basic_ctext) - hmac = HMAC.new(ki.contents, basic_plaintext, cls.hashmod).digest() + hmac = HMAC_HASH(ki.contents, basic_plaintext, cls.hashalgo) expmac = hmac[:cls.macsize] if not _mac_equal(mac, expmac): raise InvalidChecksum('ciphertext integrity failure') @@ -223,7 +246,7 @@ class _SimplifiedEnctype(_EnctypeProfile): def prf(cls, key, string): # Hash the input. RFC 3961 says to truncate to the padding # size, but implementations truncate to the block size. - hashval = cls.hashmod.new(string).digest() + hashval = SIMPLE_HASH(string, cls.hashalgo) truncated = hashval[:-(len(hashval) % cls.blocksize)] # Encrypt the hash with a derived key. kp = cls.derive(key, b'prf') @@ -237,7 +260,7 @@ class _DES3CBC(_SimplifiedEnctype): blocksize = 8 padsize = 8 macsize = 20 - hashmod = SHA + hashalgo = hashes.SHA1 @classmethod def random_to_key(cls, seed): @@ -272,14 +295,20 @@ class _DES3CBC(_SimplifiedEnctype): @classmethod def basic_encrypt(cls, key, plaintext): assert len(plaintext) % 8 == 0 - des3 = DES3.new(key.contents, AES.MODE_CBC, bytes(8)) - return des3.encrypt(plaintext) + algo = ciphers.TripleDES(key.contents) + cbc = modes.CBC(bytes(8)) + encryptor = Cipher(algo, cbc, default_backend()).encryptor() + ciphertext = encryptor.update(plaintext) + return ciphertext @classmethod def basic_decrypt(cls, key, ciphertext): assert len(ciphertext) % 8 == 0 - des3 = DES3.new(key.contents, AES.MODE_CBC, bytes(8)) - return des3.decrypt(ciphertext) + algo = ciphers.TripleDES(key.contents) + cbc = modes.CBC(bytes(8)) + decryptor = Cipher(algo, cbc, default_backend()).decryptor() + plaintext = decryptor.update(ciphertext) + return plaintext class _AESEnctype(_SimplifiedEnctype): @@ -287,21 +316,35 @@ class _AESEnctype(_SimplifiedEnctype): blocksize = 16 padsize = 1 macsize = 12 - hashmod = SHA + hashalgo = hashes.SHA1 @classmethod def string_to_key(cls, string, salt, params): (iterations,) = unpack('>L', params or b'\x00\x00\x10\x00') - prf = lambda p, s: HMAC.new(p, s, SHA).digest() - seed = PBKDF2(string, salt, cls.seedsize, iterations, prf) + pwbytes = get_bytes(string) + kdf = PBKDF2HMAC(algorithm=hashes.SHA1(), + length=cls.seedsize, + salt=salt, + iterations=iterations, + backend=default_backend()) + seed = kdf.derive(pwbytes) tkey = cls.random_to_key(seed) return cls.derive(tkey, b'kerberos') @classmethod def basic_encrypt(cls, key, plaintext): assert len(plaintext) >= 16 - aes = AES.new(key.contents, AES.MODE_CBC, bytes(16)) - ctext = aes.encrypt(_zeropad(plaintext, 16)) + + algo = ciphers.AES(key.contents) + cbc = modes.CBC(bytes(16)) + aes_ctx = Cipher(algo, cbc, default_backend()) + + def aes_encrypt(plaintext): + encryptor = aes_ctx.encryptor() + ciphertext = encryptor.update(plaintext) + return ciphertext + + ctext = aes_encrypt(_zeropad(plaintext, 16)) if len(plaintext) > 16: # Swap the last two ciphertext blocks and truncate the # final block to match the plaintext length. @@ -312,9 +355,18 @@ class _AESEnctype(_SimplifiedEnctype): @classmethod def basic_decrypt(cls, key, ciphertext): assert len(ciphertext) >= 16 - aes = AES.new(key.contents, AES.MODE_ECB) + + algo = ciphers.AES(key.contents) + cbc = modes.CBC(bytes(16)) + aes_ctx = Cipher(algo, cbc, default_backend()) + + def aes_decrypt(ciphertext): + decryptor = aes_ctx.decryptor() + plaintext = decryptor.update(ciphertext) + return plaintext + if len(ciphertext) == 16: - return aes.decrypt(ciphertext) + return aes_decrypt(ciphertext) # Split the ciphertext into blocks. The last block may be partial. cblocks = [ciphertext[p:p+16] for p in range(0, len(ciphertext), 16)] lastlen = len(cblocks[-1]) @@ -322,19 +374,19 @@ class _AESEnctype(_SimplifiedEnctype): prev_cblock = bytes(16) plaintext = b'' for b in cblocks[:-2]: - plaintext += _xorbytes(aes.decrypt(b), prev_cblock) + plaintext += _xorbytes(aes_decrypt(b), prev_cblock) prev_cblock = b # Decrypt the second-to-last cipher block. The left side of # the decrypted block will be the final block of plaintext # xor'd with the final partial cipher block; the right side # will be the omitted bytes of ciphertext from the final # block. - b = aes.decrypt(cblocks[-2]) + b = aes_decrypt(cblocks[-2]) lastplaintext =_xorbytes(b[:lastlen], cblocks[-1]) omitted = b[lastlen:] # Decrypt the final cipher block plus the omitted bytes to get # the second-to-last plaintext block. - plaintext += _xorbytes(aes.decrypt(cblocks[-1] + omitted), prev_cblock) + plaintext += _xorbytes(aes_decrypt(cblocks[-1] + omitted), prev_cblock) return plaintext + lastplaintext @@ -365,32 +417,43 @@ class _RC4(_EnctypeProfile): @classmethod def string_to_key(cls, string, salt, params): - utf16string = string.decode('UTF-8').encode('UTF-16LE') - return Key(cls.enctype, MD4.new(utf16string).digest()) + utf8string = get_string(string) + tmp = Credentials() + tmp.set_anonymous() + tmp.set_password(utf8string) + nthash = tmp.get_nt_hash() + return Key(cls.enctype, nthash) @classmethod def encrypt(cls, key, keyusage, plaintext, confounder): if confounder is None: confounder = get_random_bytes(8) - ki = HMAC.new(key.contents, cls.usage_str(keyusage), MD5).digest() - cksum = HMAC.new(ki, confounder + plaintext, MD5).digest() - ke = HMAC.new(ki, cksum, MD5).digest() - return cksum + ARC4.new(ke).encrypt(confounder + plaintext) + ki = HMAC_HASH(key.contents, cls.usage_str(keyusage), hashes.MD5) + cksum = HMAC_HASH(ki, confounder + plaintext, hashes.MD5) + ke = HMAC_HASH(ki, cksum, hashes.MD5) + + encryptor = Cipher(ciphers.ARC4(ke), None, default_backend()).encryptor() + ctext = encryptor.update(confounder + plaintext) + + return cksum + ctext @classmethod def decrypt(cls, key, keyusage, ciphertext): if len(ciphertext) < 24: raise ValueError('ciphertext too short') cksum, basic_ctext = ciphertext[:16], ciphertext[16:] - ki = HMAC.new(key.contents, cls.usage_str(keyusage), MD5).digest() - ke = HMAC.new(ki, cksum, MD5).digest() - basic_plaintext = ARC4.new(ke).decrypt(basic_ctext) - exp_cksum = HMAC.new(ki, basic_plaintext, MD5).digest() + ki = HMAC_HASH(key.contents, cls.usage_str(keyusage), hashes.MD5) + ke = HMAC_HASH(ki, cksum, hashes.MD5) + + decryptor = Cipher(ciphers.ARC4(ke), None, default_backend()).decryptor() + basic_plaintext = decryptor.update(basic_ctext) + + exp_cksum = HMAC_HASH(ki, basic_plaintext, hashes.MD5) ok = _mac_equal(cksum, exp_cksum) if not ok and keyusage == 9: # Try again with usage 8, due to RFC 4757 errata. - ki = HMAC.new(key.contents, pack('iB', keyusage, 0x99)) - hmac = HMAC.new(kc.contents, text, cls.enc.hashmod).digest() + hmac = HMAC_HASH(kc.contents, text, cls.enc.hashalgo) return hmac[:cls.macsize] @classmethod @@ -452,9 +515,9 @@ class _SHA1DES3(_SimplifiedChecksum): class _HMACMD5(_ChecksumProfile): @classmethod def checksum(cls, key, keyusage, text): - ksign = HMAC.new(key.contents, b'signaturekey\0', MD5).digest() - md5hash = MD5.new(_RC4.usage_str(keyusage) + text).digest() - return HMAC.new(ksign, md5hash, MD5).digest() + ksign = HMAC_HASH(key.contents, b'signaturekey\0', hashes.MD5) + md5hash = SIMPLE_HASH(_RC4.usage_str(keyusage) + text, hashes.MD5) + return HMAC_HASH(ksign, md5hash, hashes.MD5) @classmethod def verify(cls, key, keyusage, text, cksum): @@ -564,150 +627,173 @@ def cf2(enctype, key1, key2, pepper1, pepper2): return e.random_to_key(_xorbytes(prfplus(key1, pepper1, e.seedsize), prfplus(key2, pepper2, e.seedsize))) +def h(hexstr): + return bytes.fromhex(hexstr) -if __name__ == '__main__': - def h(hexstr): - return bytes.fromhex(hexstr) +class KcrytoTest(TestCase): + """kcrypto Test case.""" - # AES128 encrypt and decrypt - kb = h('9062430C8CDA3388922E6D6A509F5B7A') - conf = h('94B491F481485B9A0678CD3C4EA386AD') - keyusage = 2 - plain = b'9 bytesss' - ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7CD2E' - 'C26C355D2F') - k = Key(Enctype.AES128, kb) - assert(encrypt(k, keyusage, plain, conf) == ctxt) - assert(decrypt(k, keyusage, ctxt) == plain) + def test_aes128_crypr(self): + # AES128 encrypt and decrypt + kb = h('9062430C8CDA3388922E6D6A509F5B7A') + conf = h('94B491F481485B9A0678CD3C4EA386AD') + keyusage = 2 + plain = b'9 bytesss' + ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7CD2E' + 'C26C355D2F') + k = Key(Enctype.AES128, kb) + self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) + self.assertEqual(decrypt(k, keyusage, ctxt), plain) - # AES256 encrypt and decrypt - kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B1404231398') - conf = h('E45CA518B42E266AD98E165E706FFB60') - keyusage = 4 - plain = b'30 bytes bytes bytes bytes byt' - ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3D79A' - '295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') - k = Key(Enctype.AES256, kb) - assert(encrypt(k, keyusage, plain, conf) == ctxt) - assert(decrypt(k, keyusage, ctxt) == plain) + def test_aes256_crypt(self): + # AES256 encrypt and decrypt + kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B1404231398') + conf = h('E45CA518B42E266AD98E165E706FFB60') + keyusage = 4 + plain = b'30 bytes bytes bytes bytes byt' + ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3D79A' + '295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') + k = Key(Enctype.AES256, kb) + self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) + self.assertEqual(decrypt(k, keyusage, ctxt), plain) - # AES128 checksum - kb = h('9062430C8CDA3388922E6D6A509F5B7A') - keyusage = 3 - plain = b'eight nine ten eleven twelve thirteen' - cksum = h('01A4B088D45628F6946614E3') - k = Key(Enctype.AES128, kb) - verify_checksum(Cksumtype.SHA1_AES128, k, keyusage, plain, cksum) + def test_aes128_checksum(self): + # AES128 checksum + kb = h('9062430C8CDA3388922E6D6A509F5B7A') + keyusage = 3 + plain = b'eight nine ten eleven twelve thirteen' + cksum = h('01A4B088D45628F6946614E3') + k = Key(Enctype.AES128, kb) + verify_checksum(Cksumtype.SHA1_AES128, k, keyusage, plain, cksum) - # AES256 checksum - kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBCFEA4EC76D7') - keyusage = 4 - plain = b'fourteen' - cksum = h('E08739E3279E2903EC8E3836') - k = Key(Enctype.AES256, kb) - verify_checksum(Cksumtype.SHA1_AES256, k, keyusage, plain, cksum) + def test_aes256_checksum(self): + # AES256 checksum + kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBCFEA4EC76D7') + keyusage = 4 + plain = b'fourteen' + cksum = h('E08739E3279E2903EC8E3836') + k = Key(Enctype.AES256, kb) + verify_checksum(Cksumtype.SHA1_AES256, k, keyusage, plain, cksum) - # AES128 string-to-key - string = b'password' - salt = b'ATHENA.MIT.EDUraeburn' - params = h('00000002') - kb = h('C651BF29E2300AC27FA469D693BDDA13') - k = string_to_key(Enctype.AES128, string, salt, params) - assert(k.contents == kb) + def test_aes128_string_to_key(self): + # AES128 string-to-key + string = b'password' + salt = b'ATHENA.MIT.EDUraeburn' + params = h('00000002') + kb = h('C651BF29E2300AC27FA469D693BDDA13') + k = string_to_key(Enctype.AES128, string, salt, params) + self.assertEqual(k.contents, kb) - # AES256 string-to-key - string = b'X' * 64 - salt = b'pass phrase equals block size' - params = h('000004B0') - kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56C553BA4B34') - k = string_to_key(Enctype.AES256, string, salt, params) - assert(k.contents == kb) + def test_aes256_string_to_key(self): + # AES256 string-to-key + string = b'X' * 64 + salt = b'pass phrase equals block size' + params = h('000004B0') + kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56C553BA4B34') + k = string_to_key(Enctype.AES256, string, salt, params) + self.assertEqual(k.contents, kb) - # AES128 prf - kb = h('77B39A37A868920F2A51F9DD150C5717') - k = string_to_key(Enctype.AES128, b'key1', b'key1') - assert(prf(k, b'\x01\x61') == kb) + def test_aes128_prf(self): + # AES128 prf + kb = h('77B39A37A868920F2A51F9DD150C5717') + k = string_to_key(Enctype.AES128, b'key1', b'key1') + self.assertEqual(prf(k, b'\x01\x61'), kb) - # AES256 prf - kb = h('0D674DD0F9A6806525A4D92E828BD15A') - k = string_to_key(Enctype.AES256, b'key2', b'key2') - assert(prf(k, b'\x02\x62') == kb) + def test_aes256_prf(self): + # AES256 prf + kb = h('0D674DD0F9A6806525A4D92E828BD15A') + k = string_to_key(Enctype.AES256, b'key2', b'key2') + self.assertEqual(prf(k, b'\x02\x62'), kb) - # AES128 cf2 - kb = h('97DF97E4B798B29EB31ED7280287A92A') - k1 = string_to_key(Enctype.AES128, b'key1', b'key1') - k2 = string_to_key(Enctype.AES128, b'key2', b'key2') - k = cf2(Enctype.AES128, k1, k2, b'a', b'b') - assert(k.contents == kb) + def test_aes128_cf2(self): + # AES128 cf2 + kb = h('97DF97E4B798B29EB31ED7280287A92A') + k1 = string_to_key(Enctype.AES128, b'key1', b'key1') + k2 = string_to_key(Enctype.AES128, b'key2', b'key2') + k = cf2(Enctype.AES128, k1, k2, b'a', b'b') + self.assertEqual(k.contents, kb) - # AES256 cf2 - kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5E72B1C7B') - k1 = string_to_key(Enctype.AES256, b'key1', b'key1') - k2 = string_to_key(Enctype.AES256, b'key2', b'key2') - k = cf2(Enctype.AES256, k1, k2, b'a', b'b') - assert(k.contents == kb) + def test_aes256_cf2(self): + # AES256 cf2 + kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5E72B1C7B') + k1 = string_to_key(Enctype.AES256, b'key1', b'key1') + k2 = string_to_key(Enctype.AES256, b'key2', b'key2') + k = cf2(Enctype.AES256, k1, k2, b'a', b'b') + self.assertEqual(k.contents, kb) - # DES3 encrypt and decrypt - kb = h('0DD52094E0F41CECCB5BE510A764B35176E3981332F1E598') - conf = h('94690A17B2DA3C9B') - keyusage = 3 - plain = b'13 bytes byte' - ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F705E8' - '49CB7781D76A316B193F8D30') - k = Key(Enctype.DES3, kb) - assert(encrypt(k, keyusage, plain, conf) == ctxt) - assert(decrypt(k, keyusage, ctxt) == _zeropad(plain, 8)) + def test_des3_crypt(self): + # DES3 encrypt and decrypt + kb = h('0DD52094E0F41CECCB5BE510A764B35176E3981332F1E598') + conf = h('94690A17B2DA3C9B') + keyusage = 3 + plain = b'13 bytes byte' + ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F705E8' + '49CB7781D76A316B193F8D30') + k = Key(Enctype.DES3, kb) + self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) + self.assertEqual(decrypt(k, keyusage, ctxt), _zeropad(plain, 8)) - # DES3 string-to-key - string = b'password' - salt = b'ATHENA.MIT.EDUraeburn' - kb = h('850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E') - k = string_to_key(Enctype.DES3, string, salt) - assert(k.contents == kb) + def test_des3_string_to_key(self): + # DES3 string-to-key + string = b'password' + salt = b'ATHENA.MIT.EDUraeburn' + kb = h('850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E') + k = string_to_key(Enctype.DES3, string, salt) + self.assertEqual(k.contents, kb) - # DES3 checksum - kb = h('7A25DF8992296DCEDA0E135BC4046E2375B3C14C98FBC162') - keyusage = 2 - plain = b'six seven' - cksum = h('0EEFC9C3E049AABC1BA5C401677D9AB699082BB4') - k = Key(Enctype.DES3, kb) - verify_checksum(Cksumtype.SHA1_DES3, k, keyusage, plain, cksum) + def test_des3_checksum(self): + # DES3 checksum + kb = h('7A25DF8992296DCEDA0E135BC4046E2375B3C14C98FBC162') + keyusage = 2 + plain = b'six seven' + cksum = h('0EEFC9C3E049AABC1BA5C401677D9AB699082BB4') + k = Key(Enctype.DES3, kb) + verify_checksum(Cksumtype.SHA1_DES3, k, keyusage, plain, cksum) - # DES3 cf2 - kb = h('E58F9EB643862C13AD38E529313462A7F73E62834FE54A01') - k1 = string_to_key(Enctype.DES3, b'key1', b'key1') - k2 = string_to_key(Enctype.DES3, b'key2', b'key2') - k = cf2(Enctype.DES3, k1, k2, b'a', b'b') - assert(k.contents == kb) + def test_des3_cf2(self): + # DES3 cf2 + kb = h('E58F9EB643862C13AD38E529313462A7F73E62834FE54A01') + k1 = string_to_key(Enctype.DES3, b'key1', b'key1') + k2 = string_to_key(Enctype.DES3, b'key2', b'key2') + k = cf2(Enctype.DES3, k1, k2, b'a', b'b') + self.assertEqual(k.contents, kb) - # RC4 encrypt and decrypt - kb = h('68F263DB3FCE15D031C9EAB02D67107A') - conf = h('37245E73A45FBF72') - keyusage = 4 - plain = b'30 bytes bytes bytes bytes byt' - ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0F260' - 'A99F0460508DE0CECC632D07C354124E46C5D2234EB8') - k = Key(Enctype.RC4, kb) - assert(encrypt(k, keyusage, plain, conf) == ctxt) - assert(decrypt(k, keyusage, ctxt) == plain) + def test_rc4_crypt(self): + # RC4 encrypt and decrypt + kb = h('68F263DB3FCE15D031C9EAB02D67107A') + conf = h('37245E73A45FBF72') + keyusage = 4 + plain = b'30 bytes bytes bytes bytes byt' + ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0F260' + 'A99F0460508DE0CECC632D07C354124E46C5D2234EB8') + k = Key(Enctype.RC4, kb) + self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) + self.assertEqual(decrypt(k, keyusage, ctxt), plain) - # RC4 string-to-key - string = b'foo' - kb = h('AC8E657F83DF82BEEA5D43BDAF7800CC') - k = string_to_key(Enctype.RC4, string, None) - assert(k.contents == kb) + def test_rc4_string_to_key(self): + # RC4 string-to-key + string = b'foo' + kb = h('AC8E657F83DF82BEEA5D43BDAF7800CC') + k = string_to_key(Enctype.RC4, string, None) + self.assertEqual(k.contents, kb) - # RC4 checksum - kb = h('F7D3A155AF5E238A0B7A871A96BA2AB2') - keyusage = 6 - plain = b'seventeen eighteen nineteen twenty' - cksum = h('EB38CC97E2230F59DA4117DC5859D7EC') - k = Key(Enctype.RC4, kb) - verify_checksum(Cksumtype.HMAC_MD5, k, keyusage, plain, cksum) + def test_rc4_checksum(self): + # RC4 checksum + kb = h('F7D3A155AF5E238A0B7A871A96BA2AB2') + keyusage = 6 + plain = b'seventeen eighteen nineteen twenty' + cksum = h('EB38CC97E2230F59DA4117DC5859D7EC') + k = Key(Enctype.RC4, kb) + verify_checksum(Cksumtype.HMAC_MD5, k, keyusage, plain, cksum) - # RC4 cf2 - kb = h('24D7F6B6BAE4E5C00D2082C5EBAB3672') - k1 = string_to_key(Enctype.RC4, b'key1', b'key1') - k2 = string_to_key(Enctype.RC4, b'key2', b'key2') - k = cf2(Enctype.RC4, k1, k2, b'a', b'b') - assert(k.contents == kb) + def test_rc4_cf2(self): + # RC4 cf2 + kb = h('24D7F6B6BAE4E5C00D2082C5EBAB3672') + k1 = string_to_key(Enctype.RC4, b'key1', b'key1') + k2 = string_to_key(Enctype.RC4, b'key2', b'key2') + k = cf2(Enctype.RC4, k1, k2, b'a', b'b') + self.assertEqual(k.contents, kb) + +if __name__ == "__main__": + import unittest + unittest.main() -- 2.35.0 From ead9d90c013c4e475ddcd4df5d89148a68e5bd94 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 25 Mar 2020 22:07:39 +0100 Subject: [PATCH 021/686] s4:selftest: run samba.tests.krb5.kcrypto test Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris (cherry picked from commit 7010a1311d193c78e9f26adeafe98458217edbca) --- source4/selftest/tests.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 1561f068ca1..e627158d2f9 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -713,6 +713,8 @@ planoldpythontestsuite("nt4_dc", "samba.tests.netbios", extra_args=['-U"$USERNAM planoldpythontestsuite("ad_dc:local", "samba.tests.gpo", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) +planoldpythontestsuite("none", "samba.tests.krb5.kcrypto") + for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) planoldpythontestsuite(env + ":local", "samba.tests.ntacls_backup", -- 2.35.0 From 6595c7f5b045d6ec34b3d47e7f10df2c7ae410d4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 23 Mar 2020 08:53:54 +0100 Subject: [PATCH 022/686] python/tests/krb5: add support for Cksumtype.MD5 Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris (cherry picked from commit 47385248c8e462162e01afc3d3d68b97dff3542c) --- python/samba/tests/krb5/kcrypto.py | 43 +++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py index 0907d881b68..ed3c84fa186 100755 --- a/python/samba/tests/krb5/kcrypto.py +++ b/python/samba/tests/krb5/kcrypto.py @@ -526,6 +526,13 @@ class _HMACMD5(_ChecksumProfile): super(_HMACMD5, cls).verify(key, keyusage, text, cksum) +class _MD5(_ChecksumProfile): + @classmethod + def checksum(cls, key, keyusage, text): + # This is unkeyed! + return SIMPLE_HASH(text, hashes.MD5) + + _enctype_table = { Enctype.DES3: _DES3CBC, Enctype.AES128: _AES128CTS, @@ -538,7 +545,8 @@ _checksum_table = { Cksumtype.SHA1_DES3: _SHA1DES3, Cksumtype.SHA1_AES128: _SHA1AES128, Cksumtype.SHA1_AES256: _SHA1AES256, - Cksumtype.HMAC_MD5: _HMACMD5 + Cksumtype.HMAC_MD5: _HMACMD5, + Cksumtype.MD5: _MD5, } @@ -794,6 +802,39 @@ class KcrytoTest(TestCase): k = cf2(Enctype.RC4, k1, k2, b'a', b'b') self.assertEqual(k.contents, kb) + def _test_md5_unkeyed_checksum(self, etype, usage): + # MD5 unkeyed checksum + pw = b'pwd' + salt = b'bytes' + key = string_to_key(etype, pw, salt) + plain = b'seventeen eighteen nineteen twenty' + cksum = h('9d9588cdef3a8cefc9d2c208d978f60c') + verify_checksum(Cksumtype.MD5, key, usage, plain, cksum) + + def test_md5_unkeyed_checksum_des3_usage_40(self): + return self._test_md5_unkeyed_checksum(Enctype.DES3, 40) + + def test_md5_unkeyed_checksum_des3_usage_50(self): + return self._test_md5_unkeyed_checksum(Enctype.DES3, 50) + + def test_md5_unkeyed_checksum_rc4_usage_40(self): + return self._test_md5_unkeyed_checksum(Enctype.RC4, 40) + + def test_md5_unkeyed_checksum_rc4_usage_50(self): + return self._test_md5_unkeyed_checksum(Enctype.RC4, 50) + + def test_md5_unkeyed_checksum_aes128_usage_40(self): + return self._test_md5_unkeyed_checksum(Enctype.AES128, 40) + + def test_md5_unkeyed_checksum_aes128_usage_50(self): + return self._test_md5_unkeyed_checksum(Enctype.AES128, 50) + + def test_md5_unkeyed_checksum_aes256_usage_40(self): + return self._test_md5_unkeyed_checksum(Enctype.AES256, 40) + + def test_md5_unkeyed_checksum_aes256_usage_50(self): + return self._test_md5_unkeyed_checksum(Enctype.AES256, 50) + if __name__ == "__main__": import unittest unittest.main() -- 2.35.0 From 6787614b1c49aad410734c73cfabd392985f6079 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 13 Feb 2020 16:29:38 +0100 Subject: [PATCH 023/686] python/tests/krb5: add rfc4120.asn1 Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris (cherry picked from commit a2f75c314e9946f74e9dacceac690295999925b5) --- python/samba/tests/krb5/rfc4120.asn1 | 392 +++++++++++++++++++++++++++ 1 file changed, 392 insertions(+) create mode 100644 python/samba/tests/krb5/rfc4120.asn1 diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 new file mode 100644 index 00000000000..ec44557f45a --- /dev/null +++ b/python/samba/tests/krb5/rfc4120.asn1 @@ -0,0 +1,392 @@ +KerberosV5Spec2 { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) modules(4) krb5spec2(2) +} DEFINITIONS EXPLICIT TAGS ::= BEGIN + +-- OID arc for KerberosV5 +-- +-- This OID may be used to identify Kerberos protocol messages +-- encapsulated in other protocols. +-- +-- This OID also designates the OID arc for KerberosV5-related OIDs. +-- +-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID. +id-krb5 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) +} + +Int32 ::= INTEGER (-2147483648..2147483647) + -- signed values representable in 32 bits + +UInt32 ::= INTEGER (0..4294967295) + -- unsigned 32 bit values + +Microseconds ::= INTEGER (0..999999) + -- microseconds + +KerberosString ::= GeneralString (IA5String) + +Realm ::= KerberosString + +PrincipalName ::= SEQUENCE { + name-type [0] Int32, + name-string [1] SEQUENCE OF KerberosString +} + +KerberosTime ::= GeneralizedTime -- with no fractional seconds + +HostAddress ::= SEQUENCE { + addr-type [0] Int32, + address [1] OCTET STRING +} + +-- NOTE: HostAddresses is always used as an OPTIONAL field and +-- should not be empty. +HostAddresses -- NOTE: subtly different from rfc1510, + -- but has a value mapping and encodes the same + ::= SEQUENCE OF HostAddress + +-- NOTE: AuthorizationData is always used as an OPTIONAL field and +-- should not be empty. +AuthorizationData ::= SEQUENCE OF SEQUENCE { + ad-type [0] Int32, + ad-data [1] OCTET STRING +} + +PA-DATA ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] + padata-type [1] Int32, + padata-value [2] OCTET STRING -- might be encoded AP-REQ +} + +KerberosFlags ::= BIT STRING (SIZE (32..MAX)) + -- minimum number of bits shall be sent, + -- but no fewer than 32 + +EncryptedData ::= SEQUENCE { + etype [0] Int32 -- EncryptionType --, + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptionKey ::= SEQUENCE { + keytype [0] Int32 -- actually encryption type --, + keyvalue [1] OCTET STRING +} + +Checksum ::= SEQUENCE { + cksumtype [0] Int32, + checksum [1] OCTET STRING +} + +Ticket ::= [APPLICATION 1] SEQUENCE { + tkt-vno [0] INTEGER (5), + realm [1] Realm, + sname [2] PrincipalName, + enc-part [3] EncryptedData -- EncTicketPart +} + +-- Encrypted part of ticket +EncTicketPart ::= [APPLICATION 3] SEQUENCE { + flags [0] TicketFlags, + key [1] EncryptionKey, + crealm [2] Realm, + cname [3] PrincipalName, + transited [4] TransitedEncoding, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + caddr [9] HostAddresses OPTIONAL, + authorization-data [10] AuthorizationData OPTIONAL +} + +-- encoded Transited field +TransitedEncoding ::= SEQUENCE { + tr-type [0] Int32 -- must be registered --, + contents [1] OCTET STRING +} + +TicketFlags ::= KerberosFlags + -- reserved(0), + -- forwardable(1), + -- forwarded(2), + -- proxiable(3), + -- proxy(4), + -- may-postdate(5), + -- postdated(6), + -- invalid(7), + -- renewable(8), + -- initial(9), + -- pre-authent(10), + -- hw-authent(11), +-- the following are new since 1510 + -- transited-policy-checked(12), + -- ok-as-delegate(13) + +AS-REQ ::= [APPLICATION 10] KDC-REQ + +TGS-REQ ::= [APPLICATION 12] KDC-REQ + +KDC-REQ ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] + pvno [1] INTEGER (5) , + msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), + padata [3] SEQUENCE OF PA-DATA OPTIONAL + -- NOTE: not empty --, + req-body [4] KDC-REQ-BODY +} + +KDC-REQ-BODY ::= SEQUENCE { + kdc-options [0] KDCOptions, + cname [1] PrincipalName OPTIONAL + -- Used only in AS-REQ --, + realm [2] Realm + -- Server's realm + -- Also client's in AS-REQ --, + sname [3] PrincipalName OPTIONAL, + from [4] KerberosTime OPTIONAL, + till [5] KerberosTime, + rtime [6] KerberosTime OPTIONAL, + nonce [7] UInt32, + etype [8] SEQUENCE OF Int32 -- EncryptionType + -- in preference order --, + addresses [9] HostAddresses OPTIONAL, + enc-authorization-data [10] EncryptedData OPTIONAL + -- AuthorizationData --, + additional-tickets [11] SEQUENCE OF Ticket OPTIONAL + -- NOTE: not empty +} + +KDCOptions ::= KerberosFlags + -- reserved(0), + -- forwardable(1), + -- forwarded(2), + -- proxiable(3), + -- proxy(4), + -- allow-postdate(5), + -- postdated(6), + -- unused7(7), + -- renewable(8), + -- unused9(9), + -- unused10(10), + -- opt-hardware-auth(11), + -- unused12(12), + -- unused13(13), +-- 15 is reserved for canonicalize + -- unused15(15), +-- 26 was unused in 1510 + -- disable-transited-check(26), +-- + -- renewable-ok(27), + -- enc-tkt-in-skey(28), + -- renew(30), + -- validate(31) + +AS-REP ::= [APPLICATION 11] KDC-REP + +TGS-REP ::= [APPLICATION 13] KDC-REP + +KDC-REP ::= SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --), + padata [2] SEQUENCE OF PA-DATA OPTIONAL + -- NOTE: not empty --, + crealm [3] Realm, + cname [4] PrincipalName, + ticket [5] Ticket, + enc-part [6] EncryptedData + -- EncASRepPart or EncTGSRepPart, + -- as appropriate +} + +EncASRepPart ::= [APPLICATION 25] EncKDCRepPart + +EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart + +EncKDCRepPart ::= SEQUENCE { + key [0] EncryptionKey, + last-req [1] LastReq, + nonce [2] UInt32, + key-expiration [3] KerberosTime OPTIONAL, + flags [4] TicketFlags, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + srealm [9] Realm, + sname [10] PrincipalName, + caddr [11] HostAddresses OPTIONAL +} + +LastReq ::= SEQUENCE OF SEQUENCE { + lr-type [0] Int32, + lr-value [1] KerberosTime +} + +AP-REQ ::= [APPLICATION 14] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (14), + ap-options [2] APOptions, + ticket [3] Ticket, + authenticator [4] EncryptedData -- Authenticator +} + +APOptions ::= KerberosFlags + -- reserved(0), + -- use-session-key(1), + -- mutual-required(2) + +-- Unencrypted authenticator +Authenticator ::= [APPLICATION 2] SEQUENCE { + authenticator-vno [0] INTEGER (5), + crealm [1] Realm, + cname [2] PrincipalName, + cksum [3] Checksum OPTIONAL, + cusec [4] Microseconds, + ctime [5] KerberosTime, + subkey [6] EncryptionKey OPTIONAL, + seq-number [7] UInt32 OPTIONAL, + authorization-data [8] AuthorizationData OPTIONAL +} + +AP-REP ::= [APPLICATION 15] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (15), + enc-part [2] EncryptedData -- EncAPRepPart +} + +EncAPRepPart ::= [APPLICATION 27] SEQUENCE { + ctime [0] KerberosTime, + cusec [1] Microseconds, + subkey [2] EncryptionKey OPTIONAL, + seq-number [3] UInt32 OPTIONAL +} + +KRB-SAFE ::= [APPLICATION 20] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (20), + safe-body [2] KRB-SAFE-BODY, + cksum [3] Checksum +} + +KRB-SAFE-BODY ::= SEQUENCE { + user-data [0] OCTET STRING, + timestamp [1] KerberosTime OPTIONAL, + usec [2] Microseconds OPTIONAL, + seq-number [3] UInt32 OPTIONAL, + s-address [4] HostAddress, + r-address [5] HostAddress OPTIONAL +} + +KRB-PRIV ::= [APPLICATION 21] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (21), + -- NOTE: there is no [2] tag + enc-part [3] EncryptedData -- EncKrbPrivPart +} + +EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { + user-data [0] OCTET STRING, + timestamp [1] KerberosTime OPTIONAL, + usec [2] Microseconds OPTIONAL, + seq-number [3] UInt32 OPTIONAL, + s-address [4] HostAddress -- sender's addr --, + r-address [5] HostAddress OPTIONAL -- recip's addr +} + +KRB-CRED ::= [APPLICATION 22] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (22), + tickets [2] SEQUENCE OF Ticket, + enc-part [3] EncryptedData -- EncKrbCredPart +} + +EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { + ticket-info [0] SEQUENCE OF KrbCredInfo, + nonce [1] UInt32 OPTIONAL, + timestamp [2] KerberosTime OPTIONAL, + usec [3] Microseconds OPTIONAL, + s-address [4] HostAddress OPTIONAL, + r-address [5] HostAddress OPTIONAL +} + +KrbCredInfo ::= SEQUENCE { + key [0] EncryptionKey, + prealm [1] Realm OPTIONAL, + pname [2] PrincipalName OPTIONAL, + flags [3] TicketFlags OPTIONAL, + authtime [4] KerberosTime OPTIONAL, + starttime [5] KerberosTime OPTIONAL, + endtime [6] KerberosTime OPTIONAL, + renew-till [7] KerberosTime OPTIONAL, + srealm [8] Realm OPTIONAL, + sname [9] PrincipalName OPTIONAL, + caddr [10] HostAddresses OPTIONAL +} + +KRB-ERROR ::= [APPLICATION 30] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (30), + ctime [2] KerberosTime OPTIONAL, + cusec [3] Microseconds OPTIONAL, + stime [4] KerberosTime, + susec [5] Microseconds, + error-code [6] Int32, + crealm [7] Realm OPTIONAL, + cname [8] PrincipalName OPTIONAL, + realm [9] Realm -- service realm --, + sname [10] PrincipalName -- service name --, + e-text [11] KerberosString OPTIONAL, + e-data [12] OCTET STRING OPTIONAL +} + +METHOD-DATA ::= SEQUENCE OF PA-DATA + +TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + data-type [0] Int32, + data-value [1] OCTET STRING OPTIONAL +} + +-- preauth stuff follows + +PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC + +PA-ENC-TS-ENC ::= SEQUENCE { + patimestamp [0] KerberosTime -- client's time --, + pausec [1] Microseconds OPTIONAL +} + +ETYPE-INFO-ENTRY ::= SEQUENCE { + etype [0] Int32, + salt [1] OCTET STRING OPTIONAL +} + +ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY + +ETYPE-INFO2-ENTRY ::= SEQUENCE { + etype [0] Int32, + salt [1] KerberosString OPTIONAL, + s2kparams [2] OCTET STRING OPTIONAL +} + +ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY + +AD-IF-RELEVANT ::= AuthorizationData + +AD-KDCIssued ::= SEQUENCE { + ad-checksum [0] Checksum, + i-realm [1] Realm OPTIONAL, + i-sname [2] PrincipalName OPTIONAL, + elements [3] AuthorizationData +} + +AD-AND-OR ::= SEQUENCE { + condition-count [0] Int32, + elements [1] AuthorizationData +} + +AD-MANDATORY-FOR-KDC ::= AuthorizationData + +END -- 2.35.0 From 2ef5715c30bdd14ed86cab262abcda5ca6e60fb9 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 13 Feb 2020 16:29:38 +0100 Subject: [PATCH 024/686] python/tests/krb5: modify rfc4120.asn1 in order to generate pyasn1 code The pyasn1 bindings are generated by pyasn1gen.py from https://github.com/kimgr/asn1ate.git Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris (cherry picked from commit 94d068427f6cf23ab68c135ed9833db4b9155b65) --- python/samba/tests/krb5/rfc4120.asn1 | 293 +++++- python/samba/tests/krb5/rfc4120_pyasn1.py | 914 ++++++++++++++++++ .../samba/tests/krb5/rfc4120_pyasn1_regen.sh | 41 + python/samba/tests/source.py | 6 + 4 files changed, 1243 insertions(+), 11 deletions(-) create mode 100644 python/samba/tests/krb5/rfc4120_pyasn1.py create mode 100755 python/samba/tests/krb5/rfc4120_pyasn1_regen.sh diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 index ec44557f45a..05b43106034 100644 --- a/python/samba/tests/krb5/rfc4120.asn1 +++ b/python/samba/tests/krb5/rfc4120.asn1 @@ -25,15 +25,23 @@ UInt32 ::= INTEGER (0..4294967295) Microseconds ::= INTEGER (0..999999) -- microseconds -KerberosString ::= GeneralString (IA5String) +-- +-- asn1ate doesn't support 'GeneralString (IA5String)' +-- only 'GeneralString' or 'IA5String', on the wire +-- GeneralString is used. +-- +-- KerberosString ::= GeneralString (IA5String) +KerberosString ::= GeneralString Realm ::= KerberosString PrincipalName ::= SEQUENCE { - name-type [0] Int32, + name-type [0] NameType, -- Int32, name-string [1] SEQUENCE OF KerberosString } +NameType ::= Int32 + KerberosTime ::= GeneralizedTime -- with no fractional seconds HostAddress ::= SEQUENCE { @@ -50,36 +58,48 @@ HostAddresses -- NOTE: subtly different from rfc1510, -- NOTE: AuthorizationData is always used as an OPTIONAL field and -- should not be empty. AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type [0] Int32, + ad-type [0] AuthDataType, -- Int32, ad-data [1] OCTET STRING } +AuthDataType ::= Int32 + PA-DATA ::= SEQUENCE { -- NOTE: first tag is [1], not [0] - padata-type [1] Int32, + padata-type [1] PADataType, -- Int32 padata-value [2] OCTET STRING -- might be encoded AP-REQ } -KerberosFlags ::= BIT STRING (SIZE (32..MAX)) +PADataType ::= Int32 + +-- +-- asn1ate doesn't support 'MAX' nor a lower range != 1. +-- We'll use a custom enodeValue() hooks for BitString +-- in order to encode them with at least 32-Bit. +-- +-- KerberosFlags ::= BIT STRING (SIZE (32..MAX)) +KerberosFlags ::= BIT STRING (SIZE (1..32)) -- minimum number of bits shall be sent, -- but no fewer than 32 EncryptedData ::= SEQUENCE { - etype [0] Int32 -- EncryptionType --, + etype [0] EncryptionType, --Int32 EncryptionType -- kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING -- ciphertext } EncryptionKey ::= SEQUENCE { - keytype [0] Int32 -- actually encryption type --, + keytype [0] EncryptionType, -- Int32 actually encryption type -- keyvalue [1] OCTET STRING } Checksum ::= SEQUENCE { - cksumtype [0] Int32, + cksumtype [0] ChecksumType, -- Int32, checksum [1] OCTET STRING } +ChecksumType ::= Int32 + Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0] INTEGER (5), realm [1] Realm, @@ -150,7 +170,7 @@ KDC-REQ-BODY ::= SEQUENCE { till [5] KerberosTime, rtime [6] KerberosTime OPTIONAL, nonce [7] UInt32, - etype [8] SEQUENCE OF Int32 -- EncryptionType + etype [8] SEQUENCE OF EncryptionType -- Int32 - EncryptionType -- in preference order --, addresses [9] HostAddresses OPTIONAL, enc-authorization-data [10] EncryptedData OPTIONAL @@ -159,6 +179,8 @@ KDC-REQ-BODY ::= SEQUENCE { -- NOTE: not empty } +EncryptionType ::= Int32 + KDCOptions ::= KerberosFlags -- reserved(0), -- forwardable(1), @@ -344,7 +366,11 @@ KRB-ERROR ::= [APPLICATION 30] SEQUENCE { METHOD-DATA ::= SEQUENCE OF PA-DATA -TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { +-- +-- asn1ate doesn't support 'MAX' +-- +-- TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { +TYPED-DATA ::= SEQUENCE SIZE (1..256) OF SEQUENCE { data-type [0] Int32, data-value [1] OCTET STRING OPTIONAL } @@ -371,7 +397,7 @@ ETYPE-INFO2-ENTRY ::= SEQUENCE { s2kparams [2] OCTET STRING OPTIONAL } -ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY +ETYPE-INFO2 ::= SEQUENCE SIZE (1..256) OF ETYPE-INFO2-ENTRY AD-IF-RELEVANT ::= AuthorizationData @@ -389,4 +415,249 @@ AD-AND-OR ::= SEQUENCE { AD-MANDATORY-FOR-KDC ::= AuthorizationData + + + + + +-- +-- +-- prettyPrint values +-- +-- + +NameTypeValues ::= INTEGER { -- Int32 + kRB5-NT-UNKNOWN(0), -- Name type not known + kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in + kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt) + kRB5-NT-SRV-HST(3), -- Service with host name as instance + kRB5-NT-SRV-XHST(4), -- Service with host as remaining components + kRB5-NT-UID(5), -- Unique ID + kRB5-NT-X500-PRINCIPAL(6), -- PKINIT + kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name + kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN + kRB5-NT-WELLKNOWN(11), -- Wellknown + kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID + kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name + kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID +} +NameTypeSequence ::= SEQUENCE { + dummy [0] NameTypeValues +} + +TicketFlagsValues ::= BIT STRING { -- KerberosFlags + reserved(0), + forwardable(1), + forwarded(2), + proxiable(3), + proxy(4), + may-postdate(5), + postdated(6), + invalid(7), + renewable(8), + initial(9), + pre-authent(10), + hw-authent(11), +-- the following are new since 1510 + transited-policy-checked(12), + ok-as-delegate(13) +} +TicketFlagsSequence ::= SEQUENCE { + dummy [0] TicketFlagsValues +} + +KDCOptionsValues ::= BIT STRING { -- KerberosFlags + reserved(0), + forwardable(1), + forwarded(2), + proxiable(3), + proxy(4), + allow-postdate(5), + postdated(6), + unused7(7), + renewable(8), + unused9(9), + unused10(10), + opt-hardware-auth(11), + unused12(12), + unused13(13), +-- 15 is reserved for canonicalize + unused15(15), +-- 26 was unused in 1510 + disable-transited-check(26), +-- + renewable-ok(27), + enc-tkt-in-skey(28), + renew(30), + validate(31) +} +KDCOptionsSequence ::= SEQUENCE { + dummy [0] KDCOptionsValues +} + +MessageTypeValues ::= INTEGER { + krb-as-req(10), -- Request for initial authentication + krb-as-rep(11), -- Response to KRB_AS_REQ request + krb-tgs-req(12), -- Request for authentication based on TGT + krb-tgs-rep(13), -- Response to KRB_TGS_REQ request + krb-ap-req(14), -- application request to server + krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL + krb-safe(20), -- Safe (checksummed) application message + krb-priv(21), -- Private (encrypted) application message + krb-cred(22), -- Private (encrypted) message to forward credentials + krb-error(30) -- Error response +} +MessageTypeSequence ::= SEQUENCE { + dummy [0] MessageTypeValues +} + +PADataTypeValues ::= INTEGER { + kRB5-PADATA-NONE(0), + -- kRB5-PADATA-TGS-REQ(1), + -- kRB5-PADATA-AP-REQ(1), + kRB5-PADATA-KDC-REQ(1), + kRB5-PADATA-ENC-TIMESTAMP(2), + kRB5-PADATA-PW-SALT(3), + kRB5-PADATA-ENC-UNIX-TIME(5), + kRB5-PADATA-SANDIA-SECUREID(6), + kRB5-PADATA-SESAME(7), + kRB5-PADATA-OSF-DCE(8), + kRB5-PADATA-CYBERSAFE-SECUREID(9), + kRB5-PADATA-AFS3-SALT(10), + kRB5-PADATA-ETYPE-INFO(11), + kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp) + kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp) + kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19) + kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19) + -- kRB5-PADATA-PK-AS-REQ-WIN(15), - (PKINIT - old number) + kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25) + kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25) + kRB5-PADATA-PA-PK-OCSP-RESPONSE(18), + kRB5-PADATA-ETYPE-INFO2(19), + -- kRB5-PADATA-USE-SPECIFIED-KVNO(20), + kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number + kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp) + kRB5-PADATA-GET-FROM-TYPED-DATA(22), + kRB5-PADATA-SAM-ETYPE-INFO(23), + kRB5-PADATA-SERVER-REFERRAL(25), + kRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov) + kRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com) + kRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com) + kRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT + kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName + kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT + kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT + kRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific + kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER + kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER + kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com + kRB5-PADATA-FOR-USER(129), -- MS-KILE + kRB5-PADATA-FOR-X509-USER(130), -- MS-KILE + kRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE + kRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE + -- kRB5-PADATA-PK-AS-09-BINDING(132), - client send this to + -- tell KDC that is supports + -- the asCheckSum in the + -- PK-AS-REP + kRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework + kRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework + kRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework + kRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework + kRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework + kRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework + kRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com) + kRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com) + kBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com) + kRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com) + kRB5-PADATA-EPAK-AS-REQ(145), + kRB5-PADATA-EPAK-AS-REP(146), + kRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon + kRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u + kRB5-PADATA-REQ-ENC-PA-REP(149), -- + kRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE +} +PADataTypeSequence ::= SEQUENCE { + dummy [0] PADataTypeValues +} + +AuthDataTypeValues ::= INTEGER { + kRB5-AUTHDATA-IF-RELEVANT(1), + kRB5-AUTHDATA-INTENDED-FOR-SERVER(2), + kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3), + kRB5-AUTHDATA-KDC-ISSUED(4), + kRB5-AUTHDATA-AND-OR(5), + kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6), + kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7), + kRB5-AUTHDATA-MANDATORY-FOR-KDC(8), + kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9), + kRB5-AUTHDATA-OSF-DCE(64), + kRB5-AUTHDATA-SESAME(65), + kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66), + kRB5-AUTHDATA-WIN2K-PAC(128), + kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only + kRB5-AUTHDATA-SIGNTICKET-OLDER(-17), + kRB5-AUTHDATA-SIGNTICKET-OLD(142), + kRB5-AUTHDATA-SIGNTICKET(512) +} +AuthDataTypeSequence ::= SEQUENCE { + dummy [0] AuthDataTypeValues +} + +ChecksumTypeValues ::= INTEGER { + kRB5-CKSUMTYPE-NONE(0), + kRB5-CKSUMTYPE-CRC32(1), + kRB5-CKSUMTYPE-RSA-MD4(2), + kRB5-CKSUMTYPE-RSA-MD4-DES(3), + kRB5-CKSUMTYPE-DES-MAC(4), + kRB5-CKSUMTYPE-DES-MAC-K(5), + kRB5-CKSUMTYPE-RSA-MD4-DES-K(6), + kRB5-CKSUMTYPE-RSA-MD5(7), + kRB5-CKSUMTYPE-RSA-MD5-DES(8), + kRB5-CKSUMTYPE-RSA-MD5-DES3(9), + kRB5-CKSUMTYPE-SHA1-OTHER(10), + kRB5-CKSUMTYPE-HMAC-SHA1-DES3(12), + kRB5-CKSUMTYPE-SHA1(14), + kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-128(15), + kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-256(16), + kRB5-CKSUMTYPE-GSSAPI(32771), -- 0x8003 + kRB5-CKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number + kRB5-CKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial +} +ChecksumTypeSequence ::= SEQUENCE { + dummy [0] ChecksumTypeValues +} + +EncryptionTypeValues ::= INTEGER { + kRB5-ENCTYPE-NULL(0), + kRB5-ENCTYPE-DES-CBC-CRC(1), + kRB5-ENCTYPE-DES-CBC-MD4(2), + kRB5-ENCTYPE-DES-CBC-MD5(3), + kRB5-ENCTYPE-DES3-CBC-MD5(5), + kRB5-ENCTYPE-OLD-DES3-CBC-SHA1(7), + kRB5-ENCTYPE-SIGN-DSA-GENERATE(8), + kRB5-ENCTYPE-ENCRYPT-RSA-PRIV(9), + kRB5-ENCTYPE-ENCRYPT-RSA-PUB(10), + kRB5-ENCTYPE-DES3-CBC-SHA1(16), -- with key derivation + kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96(17), + kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96(18), + kRB5-ENCTYPE-ARCFOUR-HMAC-MD5(23), + kRB5-ENCTYPE-ARCFOUR-HMAC-MD5-56(24), + kRB5-ENCTYPE-ENCTYPE-PK-CROSS(48), +-- some "old" windows types + kRB5-ENCTYPE-ARCFOUR-MD4(-128), + kRB5-ENCTYPE-ARCFOUR-HMAC-OLD(-133), + kRB5-ENCTYPE-ARCFOUR-HMAC-OLD-EXP(-135), +-- these are for Heimdal internal use +-- kRB5-ENCTYPE-DES-CBC-NONE(-0x1000), +-- kRB5-ENCTYPE-DES3-CBC-NONE(-0x1001), +-- kRB5-ENCTYPE-DES-CFB64-NONE(-0x1002), +-- kRB5-ENCTYPE-DES-PCBC-NONE(-0x1003), +-- kRB5-ENCTYPE-DIGEST-MD5-NONE(-0x1004), - private use, lukeh@padl.com +-- kRB5-ENCTYPE-CRAM-MD5-NONE(-0x1005) - private use, lukeh@padl.com + kRB5-ENCTYPE-DUMMY(-1111) +} +EncryptionTypeSequence ::= SEQUENCE { + dummy [0] EncryptionTypeValues +} + END diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py new file mode 100644 index 00000000000..b2627aa3dcb --- /dev/null +++ b/python/samba/tests/krb5/rfc4120_pyasn1.py @@ -0,0 +1,914 @@ +# Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 +# (last modified on 2020-03-26 10:28:24.346775) + +# KerberosV5Spec2 +from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful + + +def _OID(*components): + output = [] + for x in tuple(components): + if isinstance(x, univ.ObjectIdentifier): + output.extend(list(x)) + else: + output.append(int(x)) + + return univ.ObjectIdentifier(output) + + +class Int32(univ.Integer): + pass + + +Int32.subtypeSpec = constraint.ValueRangeConstraint(-2147483648, 2147483647) + + +class AuthDataType(Int32): + pass + + +class AuthorizationData(univ.SequenceOf): + pass + + +AuthorizationData.componentType = univ.Sequence(componentType=namedtype.NamedTypes( + namedtype.NamedType('ad-type', AuthDataType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('ad-data', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +)) + + +class AD_AND_OR(univ.Sequence): + pass + + +AD_AND_OR.componentType = namedtype.NamedTypes( + namedtype.NamedType('condition-count', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('elements', AuthorizationData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class AD_IF_RELEVANT(AuthorizationData): + pass + + +class ChecksumType(Int32): + pass + + +class Checksum(univ.Sequence): + pass + + +Checksum.componentType = namedtype.NamedTypes( + namedtype.NamedType('cksumtype', ChecksumType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('checksum', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class KerberosString(char.GeneralString): + pass + + +class NameType(Int32): + pass + + +class PrincipalName(univ.Sequence): + pass + + +PrincipalName.componentType = namedtype.NamedTypes( + namedtype.NamedType('name-type', NameType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('name-string', univ.SequenceOf(componentType=KerberosString()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class Realm(KerberosString): + pass + + +class AD_KDCIssued(univ.Sequence): + pass + + +AD_KDCIssued.componentType = namedtype.NamedTypes( + namedtype.NamedType('ad-checksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))), + namedtype.OptionalNamedType('i-realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('i-sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), + namedtype.NamedType('elements', AuthorizationData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))) +) + + +class AD_MANDATORY_FOR_KDC(AuthorizationData): + pass + + +class EncryptionType(Int32): + pass + + +class UInt32(univ.Integer): + pass + + +UInt32.subtypeSpec = constraint.ValueRangeConstraint(0, 4294967295) + + +class EncryptedData(univ.Sequence): + pass + + +EncryptedData.componentType = namedtype.NamedTypes( + namedtype.NamedType('etype', EncryptionType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('kvno', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('cipher', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) +) + + +class AP_REP(univ.Sequence): + pass + + +AP_REP.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 15)) +AP_REP.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(15)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('enc-part', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))) +) + + +class KerberosFlags(univ.BitString): + pass + + +KerberosFlags.subtypeSpec=constraint.ValueSizeConstraint(1, 32) + + +class APOptions(KerberosFlags): + pass + + +class Ticket(univ.Sequence): + pass + + +Ticket.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 1)) +Ticket.componentType = namedtype.NamedTypes( + namedtype.NamedType('tkt-vno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), + namedtype.NamedType('enc-part', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))) +) + + +class AP_REQ(univ.Sequence): + pass + + +AP_REQ.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 14)) +AP_REQ.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(14)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('ap-options', APOptions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.NamedType('ticket', Ticket().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.NamedType('authenticator', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))) +) + + +class PADataType(Int32): + pass + + +class PA_DATA(univ.Sequence): + pass + + +PA_DATA.componentType = namedtype.NamedTypes( + namedtype.NamedType('padata-type', PADataType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('padata-value', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) +) + + +class KDC_REP(univ.Sequence): + pass + + +KDC_REP.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(11, 13)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('padata', univ.SequenceOf(componentType=PA_DATA()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.NamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.NamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), + namedtype.NamedType('ticket', Ticket().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), + namedtype.NamedType('enc-part', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 6))) +) + + +class AS_REP(KDC_REP): + pass + + +AS_REP.tagSet = KDC_REP.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 11)) + + +class HostAddress(univ.Sequence): + pass + + +HostAddress.componentType = namedtype.NamedTypes( + namedtype.NamedType('addr-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('address', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class HostAddresses(univ.SequenceOf): + pass + + +HostAddresses.componentType = HostAddress() + + +class KDCOptions(KerberosFlags): + pass + + +class KerberosTime(useful.GeneralizedTime): + pass + + +class KDC_REQ_BODY(univ.Sequence): + pass + + +KDC_REQ_BODY.componentType = namedtype.NamedTypes( + namedtype.NamedType('kdc-options', KDCOptions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))), + namedtype.NamedType('realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.OptionalNamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))), + namedtype.OptionalNamedType('from', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), + namedtype.NamedType('till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), + namedtype.OptionalNamedType('rtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), + namedtype.NamedType('nonce', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), + namedtype.NamedType('etype', univ.SequenceOf(componentType=EncryptionType()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), + namedtype.OptionalNamedType('addresses', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), + namedtype.OptionalNamedType('enc-authorization-data', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 10))), + namedtype.OptionalNamedType('additional-tickets', univ.SequenceOf(componentType=Ticket()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))) +) + + +class KDC_REQ(univ.Sequence): + pass + + +KDC_REQ.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(10, 12)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.OptionalNamedType('padata', univ.SequenceOf(componentType=PA_DATA()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.NamedType('req-body', KDC_REQ_BODY().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))) +) + + +class AS_REQ(KDC_REQ): + pass + + +AS_REQ.tagSet = KDC_REQ.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 10)) + + +class AuthDataTypeValues(univ.Integer): + pass + + +AuthDataTypeValues.namedValues = namedval.NamedValues( + ('kRB5-AUTHDATA-IF-RELEVANT', 1), + ('kRB5-AUTHDATA-INTENDED-FOR-SERVER', 2), + ('kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS', 3), + ('kRB5-AUTHDATA-KDC-ISSUED', 4), + ('kRB5-AUTHDATA-AND-OR', 5), + ('kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS', 6), + ('kRB5-AUTHDATA-IN-TICKET-EXTENSIONS', 7), + ('kRB5-AUTHDATA-MANDATORY-FOR-KDC', 8), + ('kRB5-AUTHDATA-INITIAL-VERIFIED-CAS', 9), + ('kRB5-AUTHDATA-OSF-DCE', 64), + ('kRB5-AUTHDATA-SESAME', 65), + ('kRB5-AUTHDATA-OSF-DCE-PKI-CERTID', 66), + ('kRB5-AUTHDATA-WIN2K-PAC', 128), + ('kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION', 129), + ('kRB5-AUTHDATA-SIGNTICKET-OLDER', -17), + ('kRB5-AUTHDATA-SIGNTICKET-OLD', 142), + ('kRB5-AUTHDATA-SIGNTICKET', 512) +) + + +class AuthDataTypeSequence(univ.Sequence): + pass + + +AuthDataTypeSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', AuthDataTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +class EncryptionKey(univ.Sequence): + pass + + +EncryptionKey.componentType = namedtype.NamedTypes( + namedtype.NamedType('keytype', EncryptionType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('keyvalue', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class Microseconds(univ.Integer): + pass + + +Microseconds.subtypeSpec = constraint.ValueRangeConstraint(0, 999999) + + +class Authenticator(univ.Sequence): + pass + + +Authenticator.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 2)) +Authenticator.componentType = namedtype.NamedTypes( + namedtype.NamedType('authenticator-vno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), + namedtype.OptionalNamedType('cksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))), + namedtype.NamedType('cusec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), + namedtype.NamedType('ctime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), + namedtype.OptionalNamedType('subkey', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 6))), + namedtype.OptionalNamedType('seq-number', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), + namedtype.OptionalNamedType('authorization-data', AuthorizationData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))) +) + + +class ChecksumTypeValues(univ.Integer): + pass + + +ChecksumTypeValues.namedValues = namedval.NamedValues( + ('kRB5-CKSUMTYPE-NONE', 0), + ('kRB5-CKSUMTYPE-CRC32', 1), + ('kRB5-CKSUMTYPE-RSA-MD4', 2), + ('kRB5-CKSUMTYPE-RSA-MD4-DES', 3), + ('kRB5-CKSUMTYPE-DES-MAC', 4), + ('kRB5-CKSUMTYPE-DES-MAC-K', 5), + ('kRB5-CKSUMTYPE-RSA-MD4-DES-K', 6), + ('kRB5-CKSUMTYPE-RSA-MD5', 7), + ('kRB5-CKSUMTYPE-RSA-MD5-DES', 8), + ('kRB5-CKSUMTYPE-RSA-MD5-DES3', 9), + ('kRB5-CKSUMTYPE-SHA1-OTHER', 10), + ('kRB5-CKSUMTYPE-HMAC-SHA1-DES3', 12), + ('kRB5-CKSUMTYPE-SHA1', 14), + ('kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-128', 15), + ('kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-256', 16), + ('kRB5-CKSUMTYPE-GSSAPI', 32771), + ('kRB5-CKSUMTYPE-HMAC-MD5', -138), + ('kRB5-CKSUMTYPE-HMAC-MD5-ENC', -1138) +) + + +class ChecksumTypeSequence(univ.Sequence): + pass + + +ChecksumTypeSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', ChecksumTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +class ETYPE_INFO_ENTRY(univ.Sequence): + pass + + +ETYPE_INFO_ENTRY.componentType = namedtype.NamedTypes( + namedtype.NamedType('etype', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('salt', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class ETYPE_INFO(univ.SequenceOf): + pass + + +ETYPE_INFO.componentType = ETYPE_INFO_ENTRY() + + +class ETYPE_INFO2_ENTRY(univ.Sequence): + pass + + +ETYPE_INFO2_ENTRY.componentType = namedtype.NamedTypes( + namedtype.NamedType('etype', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('salt', KerberosString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('s2kparams', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) +) + + +class ETYPE_INFO2(univ.SequenceOf): + pass + + +ETYPE_INFO2.componentType = ETYPE_INFO2_ENTRY() +ETYPE_INFO2.subtypeSpec=constraint.ValueSizeConstraint(1, 256) + + +class EncAPRepPart(univ.Sequence): + pass + + +EncAPRepPart.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 27)) +EncAPRepPart.componentType = namedtype.NamedTypes( + namedtype.NamedType('ctime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('cusec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('subkey', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), + namedtype.OptionalNamedType('seq-number', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))) +) + + +class LastReq(univ.SequenceOf): + pass + + +LastReq.componentType = univ.Sequence(componentType=namedtype.NamedTypes( + namedtype.NamedType('lr-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('lr-value', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +)) + + +class TicketFlags(KerberosFlags): + pass + + +class EncKDCRepPart(univ.Sequence): + pass + + +EncKDCRepPart.componentType = namedtype.NamedTypes( + namedtype.NamedType('key', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))), + namedtype.NamedType('last-req', LastReq().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('nonce', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.OptionalNamedType('key-expiration', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.NamedType('flags', TicketFlags().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), + namedtype.NamedType('authtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), + namedtype.OptionalNamedType('starttime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), + namedtype.NamedType('endtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), + namedtype.OptionalNamedType('renew-till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), + namedtype.NamedType('srealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), + namedtype.NamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 10))), + namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))) +) + + +class EncASRepPart(EncKDCRepPart): + pass + + +EncASRepPart.tagSet = EncKDCRepPart.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 25)) + + +class KrbCredInfo(univ.Sequence): + pass + + +KrbCredInfo.componentType = namedtype.NamedTypes( + namedtype.NamedType('key', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))), + namedtype.OptionalNamedType('prealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('pname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), + namedtype.OptionalNamedType('flags', TicketFlags().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.OptionalNamedType('authtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), + namedtype.OptionalNamedType('starttime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), + namedtype.OptionalNamedType('endtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), + namedtype.OptionalNamedType('renew-till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), + namedtype.OptionalNamedType('srealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), + namedtype.OptionalNamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 9))), + namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 10))) +) + + +class EncKrbCredPart(univ.Sequence): + pass + + +EncKrbCredPart.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 29)) +EncKrbCredPart.componentType = namedtype.NamedTypes( + namedtype.NamedType('ticket-info', univ.SequenceOf(componentType=KrbCredInfo()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('nonce', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('timestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.OptionalNamedType('usec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.OptionalNamedType('s-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), + namedtype.OptionalNamedType('r-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 5))) +) + + +class EncKrbPrivPart(univ.Sequence): + pass + + +EncKrbPrivPart.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 28)) +EncKrbPrivPart.componentType = namedtype.NamedTypes( + namedtype.NamedType('user-data', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('timestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('usec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.OptionalNamedType('seq-number', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.NamedType('s-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), + namedtype.OptionalNamedType('r-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 5))) +) + + +class EncTGSRepPart(EncKDCRepPart): + pass + + +EncTGSRepPart.tagSet = EncKDCRepPart.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 26)) + + +class TransitedEncoding(univ.Sequence): + pass + + +TransitedEncoding.componentType = namedtype.NamedTypes( + namedtype.NamedType('tr-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('contents', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class EncTicketPart(univ.Sequence): + pass + + +EncTicketPart.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 3)) +EncTicketPart.componentType = namedtype.NamedTypes( + namedtype.NamedType('flags', TicketFlags().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('key', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))), + namedtype.NamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.NamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))), + namedtype.NamedType('transited', TransitedEncoding().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), + namedtype.NamedType('authtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), + namedtype.OptionalNamedType('starttime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), + namedtype.NamedType('endtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), + namedtype.OptionalNamedType('renew-till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), + namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), + namedtype.OptionalNamedType('authorization-data', AuthorizationData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 10))) +) + + +class EncryptionTypeValues(univ.Integer): + pass + + +EncryptionTypeValues.namedValues = namedval.NamedValues( + ('kRB5-ENCTYPE-NULL', 0), + ('kRB5-ENCTYPE-DES-CBC-CRC', 1), + ('kRB5-ENCTYPE-DES-CBC-MD4', 2), + ('kRB5-ENCTYPE-DES-CBC-MD5', 3), + ('kRB5-ENCTYPE-DES3-CBC-MD5', 5), + ('kRB5-ENCTYPE-OLD-DES3-CBC-SHA1', 7), + ('kRB5-ENCTYPE-SIGN-DSA-GENERATE', 8), + ('kRB5-ENCTYPE-ENCRYPT-RSA-PRIV', 9), + ('kRB5-ENCTYPE-ENCRYPT-RSA-PUB', 10), + ('kRB5-ENCTYPE-DES3-CBC-SHA1', 16), + ('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96', 17), + ('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96', 18), + ('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5', 23), + ('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5-56', 24), + ('kRB5-ENCTYPE-ENCTYPE-PK-CROSS', 48), + ('kRB5-ENCTYPE-ARCFOUR-MD4', -128), + ('kRB5-ENCTYPE-ARCFOUR-HMAC-OLD', -133), + ('kRB5-ENCTYPE-ARCFOUR-HMAC-OLD-EXP', -135), + ('kRB5-ENCTYPE-DUMMY', -1111) +) + + +class EncryptionTypeSequence(univ.Sequence): + pass + + +EncryptionTypeSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', EncryptionTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +class KDCOptionsValues(univ.BitString): + pass + + +KDCOptionsValues.namedValues = namedval.NamedValues( + ('reserved', 0), + ('forwardable', 1), + ('forwarded', 2), + ('proxiable', 3), + ('proxy', 4), + ('allow-postdate', 5), + ('postdated', 6), + ('unused7', 7), + ('renewable', 8), + ('unused9', 9), + ('unused10', 10), + ('opt-hardware-auth', 11), + ('unused12', 12), + ('unused13', 13), + ('unused15', 15), + ('disable-transited-check', 26), + ('renewable-ok', 27), + ('enc-tkt-in-skey', 28), + ('renew', 30), + ('validate', 31) +) + + +class KDCOptionsSequence(univ.Sequence): + pass + + +KDCOptionsSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', KDCOptionsValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +class KRB_CRED(univ.Sequence): + pass + + +KRB_CRED.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 22)) +KRB_CRED.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(22)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('tickets', univ.SequenceOf(componentType=Ticket()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.NamedType('enc-part', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))) +) + + +class KRB_ERROR(univ.Sequence): + pass + + +KRB_ERROR.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 30)) +KRB_ERROR.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(30)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('ctime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.OptionalNamedType('cusec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.NamedType('stime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), + namedtype.NamedType('susec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), + namedtype.NamedType('error-code', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), + namedtype.OptionalNamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), + namedtype.OptionalNamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 8))), + namedtype.NamedType('realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), + namedtype.NamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 10))), + namedtype.OptionalNamedType('e-text', KerberosString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))), + namedtype.OptionalNamedType('e-data', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 12))) +) + + +class KRB_PRIV(univ.Sequence): + pass + + +KRB_PRIV.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 21)) +KRB_PRIV.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(21)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('enc-part', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))) +) + + +class KRB_SAFE_BODY(univ.Sequence): + pass + + +KRB_SAFE_BODY.componentType = namedtype.NamedTypes( + namedtype.NamedType('user-data', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('timestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('usec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.OptionalNamedType('seq-number', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.NamedType('s-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), + namedtype.OptionalNamedType('r-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 5))) +) + + +class KRB_SAFE(univ.Sequence): + pass + + +KRB_SAFE.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 20)) +KRB_SAFE.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(20)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('safe-body', KRB_SAFE_BODY().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), + namedtype.NamedType('cksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))) +) + + +class METHOD_DATA(univ.SequenceOf): + pass + + +METHOD_DATA.componentType = PA_DATA() + + +class MessageTypeValues(univ.Integer): + pass + + +MessageTypeValues.namedValues = namedval.NamedValues( + ('krb-as-req', 10), + ('krb-as-rep', 11), + ('krb-tgs-req', 12), + ('krb-tgs-rep', 13), + ('krb-ap-req', 14), + ('krb-ap-rep', 15), + ('krb-safe', 20), + ('krb-priv', 21), + ('krb-cred', 22), + ('krb-error', 30) +) + + +class MessageTypeSequence(univ.Sequence): + pass + + +MessageTypeSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', MessageTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +class NameTypeValues(univ.Integer): + pass + + +NameTypeValues.namedValues = namedval.NamedValues( + ('kRB5-NT-UNKNOWN', 0), + ('kRB5-NT-PRINCIPAL', 1), + ('kRB5-NT-SRV-INST', 2), + ('kRB5-NT-SRV-HST', 3), + ('kRB5-NT-SRV-XHST', 4), + ('kRB5-NT-UID', 5), + ('kRB5-NT-X500-PRINCIPAL', 6), + ('kRB5-NT-SMTP-NAME', 7), + ('kRB5-NT-ENTERPRISE-PRINCIPAL', 10), + ('kRB5-NT-WELLKNOWN', 11), + ('kRB5-NT-ENT-PRINCIPAL-AND-ID', -130), + ('kRB5-NT-MS-PRINCIPAL', -128), + ('kRB5-NT-MS-PRINCIPAL-AND-ID', -129) +) + + +class NameTypeSequence(univ.Sequence): + pass + + +NameTypeSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', NameTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +class PA_ENC_TIMESTAMP(EncryptedData): + pass + + +class PA_ENC_TS_ENC(univ.Sequence): + pass + + +PA_ENC_TS_ENC.componentType = namedtype.NamedTypes( + namedtype.NamedType('patimestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('pausec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class PADataTypeValues(univ.Integer): + pass + + +PADataTypeValues.namedValues = namedval.NamedValues( + ('kRB5-PADATA-NONE', 0), + ('kRB5-PADATA-KDC-REQ', 1), + ('kRB5-PADATA-ENC-TIMESTAMP', 2), + ('kRB5-PADATA-PW-SALT', 3), + ('kRB5-PADATA-ENC-UNIX-TIME', 5), + ('kRB5-PADATA-SANDIA-SECUREID', 6), + ('kRB5-PADATA-SESAME', 7), + ('kRB5-PADATA-OSF-DCE', 8), + ('kRB5-PADATA-CYBERSAFE-SECUREID', 9), + ('kRB5-PADATA-AFS3-SALT', 10), + ('kRB5-PADATA-ETYPE-INFO', 11), + ('kRB5-PADATA-SAM-CHALLENGE', 12), + ('kRB5-PADATA-SAM-RESPONSE', 13), + ('kRB5-PADATA-PK-AS-REQ-19', 14), + ('kRB5-PADATA-PK-AS-REP-19', 15), + ('kRB5-PADATA-PK-AS-REQ', 16), + ('kRB5-PADATA-PK-AS-REP', 17), + ('kRB5-PADATA-PA-PK-OCSP-RESPONSE', 18), + ('kRB5-PADATA-ETYPE-INFO2', 19), + ('kRB5-PADATA-SVR-REFERRAL-INFO', 20), + ('kRB5-PADATA-SAM-REDIRECT', 21), + ('kRB5-PADATA-GET-FROM-TYPED-DATA', 22), + ('kRB5-PADATA-SAM-ETYPE-INFO', 23), + ('kRB5-PADATA-SERVER-REFERRAL', 25), + ('kRB5-PADATA-ALT-PRINC', 24), + ('kRB5-PADATA-SAM-CHALLENGE2', 30), + ('kRB5-PADATA-SAM-RESPONSE2', 31), + ('kRB5-PA-EXTRA-TGT', 41), + ('kRB5-PADATA-TD-KRB-PRINCIPAL', 102), + ('kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS', 104), + ('kRB5-PADATA-PK-TD-CERTIFICATE-INDEX', 105), + ('kRB5-PADATA-TD-APP-DEFINED-ERROR', 106), + ('kRB5-PADATA-TD-REQ-NONCE', 107), + ('kRB5-PADATA-TD-REQ-SEQ', 108), + ('kRB5-PADATA-PA-PAC-REQUEST', 128), + ('kRB5-PADATA-FOR-USER', 129), + ('kRB5-PADATA-FOR-X509-USER', 130), + ('kRB5-PADATA-FOR-CHECK-DUPS', 131), + ('kRB5-PADATA-AS-CHECKSUM', 132), + ('kRB5-PADATA-FX-COOKIE', 133), + ('kRB5-PADATA-AUTHENTICATION-SET', 134), + ('kRB5-PADATA-AUTH-SET-SELECTED', 135), + ('kRB5-PADATA-FX-FAST', 136), + ('kRB5-PADATA-FX-ERROR', 137), + ('kRB5-PADATA-ENCRYPTED-CHALLENGE', 138), + ('kRB5-PADATA-OTP-CHALLENGE', 141), + ('kRB5-PADATA-OTP-REQUEST', 142), + ('kBB5-PADATA-OTP-CONFIRM', 143), + ('kRB5-PADATA-OTP-PIN-CHANGE', 144), + ('kRB5-PADATA-EPAK-AS-REQ', 145), + ('kRB5-PADATA-EPAK-AS-REP', 146), + ('kRB5-PADATA-PKINIT-KX', 147), + ('kRB5-PADATA-PKU2U-NAME', 148), + ('kRB5-PADATA-REQ-ENC-PA-REP', 149), + ('kRB5-PADATA-SUPPORTED-ETYPES', 165) +) + + +class PADataTypeSequence(univ.Sequence): + pass + + +PADataTypeSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', PADataTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +class TGS_REP(KDC_REP): + pass + + +TGS_REP.tagSet = KDC_REP.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 13)) + + +class TGS_REQ(KDC_REQ): + pass + + +TGS_REQ.tagSet = KDC_REQ.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 12)) + + +class TYPED_DATA(univ.SequenceOf): + pass + + +TYPED_DATA.componentType = univ.Sequence(componentType=namedtype.NamedTypes( + namedtype.NamedType('data-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('data-value', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +)) + +TYPED_DATA.subtypeSpec=constraint.ValueSizeConstraint(1, 256) + + +class TicketFlagsValues(univ.BitString): + pass + + +TicketFlagsValues.namedValues = namedval.NamedValues( + ('reserved', 0), + ('forwardable', 1), + ('forwarded', 2), + ('proxiable', 3), + ('proxy', 4), + ('may-postdate', 5), + ('postdated', 6), + ('invalid', 7), + ('renewable', 8), + ('initial', 9), + ('pre-authent', 10), + ('hw-authent', 11), + ('transited-policy-checked', 12), + ('ok-as-delegate', 13) +) + + +class TicketFlagsSequence(univ.Sequence): + pass + + +TicketFlagsSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', TicketFlagsValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +id_krb5 = _OID(1, 3, 6, 1, 5, 2) + + diff --git a/python/samba/tests/krb5/rfc4120_pyasn1_regen.sh b/python/samba/tests/krb5/rfc4120_pyasn1_regen.sh new file mode 100755 index 00000000000..2e3995688f2 --- /dev/null +++ b/python/samba/tests/krb5/rfc4120_pyasn1_regen.sh @@ -0,0 +1,41 @@ +#!/bin/bash +# + +# +# I used https://github.com/kimgr/asn1ate.git +# to generate pyasn1 bindings for rfc4120.asn1 +# + +PATH_TO_ASN1ATE_CHECKOUT=$1 +PATH_TO_ASN1_INPUT_FILE=$2 + +set -u +set -e + +usage() { + echo "usage: $0 PATH_TO_ASN1ATE_CHECKOUT PATH_TO_ASN1_INPUT_FILE > PATH_TO_PYASN1_OUTPUT_FILE" +} + +test -n "${PATH_TO_ASN1ATE_CHECKOUT}" || { + usage + exit 1 +} +test -n "${PATH_TO_ASN1_INPUT_FILE}" || { + usage + exit 1 +} +test -d "${PATH_TO_ASN1ATE_CHECKOUT}" || { + usage + exit 1 +} +test -f "${PATH_TO_ASN1_INPUT_FILE}" || { + usage + exit 1 +} + +PATH_TO_PYASN1GEN_PY="${PATH_TO_ASN1ATE_CHECKOUT}/asn1ate/pyasn1gen.py" + +PYTHONPATH="${PATH_TO_ASN1ATE_CHECKOUT}:${PYTHONPATH-}" +export PYTHONPATH + +python3 "${PATH_TO_PYASN1GEN_PY}" "${PATH_TO_ASN1_INPUT_FILE}" diff --git a/python/samba/tests/source.py b/python/samba/tests/source.py index b7608b1bab3..cebfb9ae8fb 100644 --- a/python/samba/tests/source.py +++ b/python/samba/tests/source.py @@ -93,6 +93,9 @@ class TestSource(TestCase): if fname.endswith("python/samba/tests/krb5/kcrypto.py"): # Imported from MIT testing repo continue + if fname.endswith("python/samba/tests/krb5/rfc4120_pyasn1.py"): + # Autogenerated + continue match = copyright_re.search(text) if not match: incorrect.append((fname, 'no copyright line found\n')) @@ -138,6 +141,9 @@ class TestSource(TestCase): if fname.endswith("python/samba/tests/krb5/kcrypto.py"): # Imported from MIT testing repo continue + if fname.endswith("python/samba/tests/krb5/rfc4120_pyasn1.py"): + # Autogenerated + continue if not gpl_re.search(text): incorrect.append(fname) -- 2.35.0 From d92ae29eef2621c927bff521cc97ebb14df77f1c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 13 Feb 2020 16:29:38 +0100 Subject: [PATCH 025/686] python/tests/krb5: add raw_testcase.py as the base for our Kerberos protocol testing Pair-Programmed-With: Isaac Boukris Signed-off-by: Stefan Metzmacher Signed-off-by: Isaac Boukris Reviewed-by: Isaac Boukris (cherry picked from commit fb7cba50ae3472b29aa806208badc1ded8979073) --- python/samba/tests/krb5/raw_testcase.py | 869 ++++++++++++++++++++++++ 1 file changed, 869 insertions(+) create mode 100644 python/samba/tests/krb5/raw_testcase.py diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py new file mode 100644 index 00000000000..6c7bcd418a0 --- /dev/null +++ b/python/samba/tests/krb5/raw_testcase.py @@ -0,0 +1,869 @@ +# Unix SMB/CIFS implementation. +# Copyright (C) Isaac Boukris 2020 +# Copyright (C) Stefan Metzmacher 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import socket +import struct +import time +import datetime +import random + +import samba.tests +from samba.credentials import Credentials +from samba.tests import TestCase +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +import samba.tests.krb5.kcrypto as kcrypto + +from pyasn1.codec.der.decoder import decode as pyasn1_der_decode +from pyasn1.codec.der.encoder import encode as pyasn1_der_encode +from pyasn1.codec.native.decoder import decode as pyasn1_native_decode +from pyasn1.codec.native.encoder import encode as pyasn1_native_encode + +from pyasn1.codec.ber.encoder import BitStringEncoder as BitStringEncoder +def BitStringEncoder_encodeValue32(self, value, asn1Spec, encodeFun, **options): + # + # BitStrings like KDCOptions or TicketFlags should at least + # be 32-Bit on the wire + # + if asn1Spec is not None: + # TODO: try to avoid ASN.1 schema instantiation + value = asn1Spec.clone(value) + + valueLength = len(value) + if valueLength % 8: + alignedValue = value << (8 - valueLength % 8) + else: + alignedValue = value + + substrate = alignedValue.asOctets() + length = len(substrate) + # We need at least 32-Bit / 4-Bytes + if length < 4: + padding = 4 - length + else: + padding = 0 + ret = b'\x00' + substrate + (b'\x00' * padding) + return ret, False, True +BitStringEncoder.encodeValue = BitStringEncoder_encodeValue32 + +def BitString_NamedValues_prettyPrint(self, scope=0): + ret = "%s" % self.asBinary() + bits = [] + highest_bit = 32 + for byte in self.asNumbers(): + for bit in [7,6,5,4,3,2,1,0]: + mask = 1 << bit + if byte & mask: + val = 1 + else: + val = 0 + bits.append(val) + if len(bits) < highest_bit: + for bitPosition in range(len(bits), highest_bit): + bits.append(0) + indent = " " * scope + delim = ": (\n%s " % indent + for bitPosition in range(highest_bit): + if bitPosition in self.prettyPrintNamedValues: + name = self.prettyPrintNamedValues[bitPosition] + elif bits[bitPosition] != 0: + name = "unknown-bit-%u" % bitPosition + else: + continue + ret += "%s%s:%u" % (delim, name, bits[bitPosition]) + delim = ",\n%s " % indent + ret += "\n%s)" % indent + return ret +krb5_asn1.TicketFlags.prettyPrintNamedValues = krb5_asn1.TicketFlagsValues.namedValues +krb5_asn1.TicketFlags.namedValues = krb5_asn1.TicketFlagsValues.namedValues +krb5_asn1.TicketFlags.prettyPrint = BitString_NamedValues_prettyPrint +krb5_asn1.KDCOptions.prettyPrintNamedValues = krb5_asn1.KDCOptionsValues.namedValues +krb5_asn1.KDCOptions.namedValues = krb5_asn1.KDCOptionsValues.namedValues +krb5_asn1.KDCOptions.prettyPrint = BitString_NamedValues_prettyPrint + +def Integer_NamedValues_prettyPrint(self, scope=0): + intval = int(self) + if intval in self.prettyPrintNamedValues: + name = self.prettyPrintNamedValues[intval] + else: + name = "<__unknown__>" + ret = "%d (0x%x) %s" % (intval, intval, name) + return ret +krb5_asn1.NameType.prettyPrintNamedValues = krb5_asn1.NameTypeValues.namedValues +krb5_asn1.NameType.prettyPrint = Integer_NamedValues_prettyPrint +krb5_asn1.AuthDataType.prettyPrintNamedValues = krb5_asn1.AuthDataTypeValues.namedValues +krb5_asn1.AuthDataType.prettyPrint = Integer_NamedValues_prettyPrint +krb5_asn1.PADataType.prettyPrintNamedValues = krb5_asn1.PADataTypeValues.namedValues +krb5_asn1.PADataType.prettyPrint = Integer_NamedValues_prettyPrint +krb5_asn1.EncryptionType.prettyPrintNamedValues = krb5_asn1.EncryptionTypeValues.namedValues +krb5_asn1.EncryptionType.prettyPrint = Integer_NamedValues_prettyPrint +krb5_asn1.ChecksumType.prettyPrintNamedValues = krb5_asn1.ChecksumTypeValues.namedValues +krb5_asn1.ChecksumType.prettyPrint = Integer_NamedValues_prettyPrint + +class Krb5EncryptionKey(object): + def __init__(self, key, kvno): + EncTypeChecksum = { + kcrypto.Enctype.AES256: kcrypto.Cksumtype.SHA1_AES256, + kcrypto.Enctype.AES128: kcrypto.Cksumtype.SHA1_AES128, + kcrypto.Enctype.RC4: kcrypto.Cksumtype.HMAC_MD5, + } + self.key = key + self.etype = key.enctype + self.ctype = EncTypeChecksum[self.etype] + self.kvno = kvno + return + + def encrypt(self, usage, plaintext): + ciphertext = kcrypto.encrypt(self.key, usage, plaintext) + return ciphertext + + def decrypt(self, usage, ciphertext): + plaintext = kcrypto.decrypt(self.key, usage, ciphertext) + return plaintext + + def make_checksum(self, usage, plaintext, ctype=None): + if ctype is None: + ctype = self.ctype + cksum = kcrypto.make_checksum(ctype, self.key, usage, plaintext) + return cksum + + def export_obj(self): + EncryptionKey_obj = { + 'keytype': self.etype, + 'keyvalue': self.key.contents, + }; + return EncryptionKey_obj + +class RawKerberosTest(TestCase): + """A raw Kerberos Test case.""" + + def setUp(self): + super(RawKerberosTest, self).setUp() + self.do_asn1_print = False + self.do_hexdump = False + + self.host = samba.tests.env_get_var_value('SERVER') + + self.s = None + + def tearDown(self): + self._disconnect("tearDown") + super(TestCase, self).tearDown() + + def _disconnect(self, reason): + if self.s is None: + return + self.s.close() + self.s = None + if self.do_hexdump: + sys.stderr.write("disconnect[%s]\n" % reason) + + def _connect_tcp(self): + tcp_port = 88 + try: + self.a = socket.getaddrinfo(self.host, tcp_port, socket.AF_UNSPEC, + socket.SOCK_STREAM, socket.SOL_TCP, + 0) + self.s = socket.socket(self.a[0][0], self.a[0][1], self.a[0][2]) + self.s.settimeout(10) + self.s.connect(self.a[0][4]) + except socket.error as e: + self.s.close() + raise + except IOError as e: + self.s.close() + raise + except Exception as e: + raise + finally: + pass + + def connect(self): + self.assertNotConnected() + self._connect_tcp() + if self.do_hexdump: + sys.stderr.write("connected[%s]\n" % self.host) + return + + def get_user_creds(self): + c = Credentials() + c.guess() + domain = samba.tests.env_get_var_value('DOMAIN') + realm = samba.tests.env_get_var_value('REALM') + username = samba.tests.env_get_var_value('USERNAME') + password = samba.tests.env_get_var_value('PASSWORD') + c.set_domain(domain) + c.set_realm(realm) + c.set_username(username) + c.set_password(password) + return c + + def get_service_creds(self, allow_missing_password=False): + c = Credentials() + c.guess() + domain = samba.tests.env_get_var_value('DOMAIN') + realm = samba.tests.env_get_var_value('REALM') + username = samba.tests.env_get_var_value('SERVICE_USERNAME') + password = samba.tests.env_get_var_value('SERVICE_PASSWORD', + allow_missing=allow_missing_password) + c.set_domain(domain) + c.set_realm(realm) + c.set_username(username) + if password is not None: + c.set_password(password) + return c + + def get_anon_creds(self): + c = Credentials() + c.set_anonymous() + return c + + def asn1_dump(self, name, obj, asn1_print=None): + if asn1_print is None: + asn1_print = self.do_asn1_print + if asn1_print: + if name is not None: + sys.stderr.write("%s:\n%s" % (name, obj)) + else: + sys.stderr.write("%s" % (obj)) + + def hex_dump(self, name, blob, hexdump=None): + if hexdump is None: + hexdump = self.do_hexdump + if hexdump: + sys.stderr.write("%s: %d\n%s" % (name, len(blob), self.hexdump(blob))) + + def der_decode(self, blob, asn1Spec=None, native_encode=True, asn1_print=None, hexdump=None): + if asn1Spec is not None: + class_name = type(asn1Spec).__name__.split(':')[0] + else: + class_name = "" + self.hex_dump(class_name, blob, hexdump=hexdump) + obj,_ = pyasn1_der_decode(blob, asn1Spec=asn1Spec) + self.asn1_dump(None, obj, asn1_print=asn1_print) + if native_encode: + obj = pyasn1_native_encode(obj) + return obj + + def der_encode(self, obj, asn1Spec=None, native_decode=True, asn1_print=None, hexdump=None): + if native_decode: + obj = pyasn1_native_decode(obj, asn1Spec=asn1Spec) + class_name = type(obj).__name__.split(':')[0] + if class_name is not None: + self.asn1_dump(None, obj, asn1_print=asn1_print) + blob = pyasn1_der_encode(obj) + if class_name is not None: + self.hex_dump(class_name, blob, hexdump=hexdump) + return blob + + def send_pdu(self, req, asn1_print=None, hexdump=None): + try: + k5_pdu = self.der_encode(req, native_decode=False, asn1_print=asn1_print, hexdump=False) + header = struct.pack('>I', len(k5_pdu)) + req_pdu = header + req_pdu += k5_pdu + self.hex_dump("send_pdu", header, hexdump=hexdump) + self.hex_dump("send_pdu", k5_pdu, hexdump=hexdump) + while True: + sent = self.s.send(req_pdu, 0) + if sent == len(req_pdu): + break + req_pdu = req_pdu[sent:] + except socket.error as e: + self._disconnect("send_pdu: %s" % e) + raise + except IOError as e: + self._disconnect("send_pdu: %s" % e) + raise + finally: + pass + + def recv_raw(self, num_recv=0xffff, hexdump=None, timeout=None): + rep_pdu = None + try: + if timeout is not None: + self.s.settimeout(timeout) + rep_pdu = self.s.recv(num_recv, 0) + self.s.settimeout(10) + if len(rep_pdu) == 0: + self._disconnect("recv_raw: EOF") + return None + self.hex_dump("recv_raw", rep_pdu, hexdump=hexdump) + except socket.timeout as e: + self.s.settimeout(10) + sys.stderr.write("recv_raw: TIMEOUT\n") + pass + except socket.error as e: + self._disconnect("recv_raw: %s" % e) + raise + except IOError as e: + self._disconnect("recv_raw: %s" % e) + raise + finally: + pass + return rep_pdu + + def recv_pdu_raw(self, asn1_print=None, hexdump=None, timeout=None): + rep_pdu = None + rep = None + try: + raw_pdu = self.recv_raw(num_recv=4, hexdump=hexdump, timeout=timeout) + if raw_pdu is None: + return (None, None) + header = struct.unpack(">I", raw_pdu[0:4]) + k5_len = header[0] + if k5_len == 0: + return (None, "") + missing = k5_len + rep_pdu = b'' + while missing > 0: + raw_pdu = self.recv_raw(num_recv=missing, hexdump=hexdump, timeout=timeout) + self.assertGreaterEqual(len(raw_pdu), 1) + rep_pdu += raw_pdu + missing = k5_len - len(rep_pdu) + k5_raw = self.der_decode(rep_pdu, asn1Spec=None, native_encode=False, + asn1_print=False, hexdump=False) + pvno=k5_raw['field-0'] + self.assertEqual(pvno, 5) + msg_type=k5_raw['field-1'] + self.assertIn(msg_type, [11,13,30]) + if msg_type == 11: + asn1Spec=krb5_asn1.AS_REP() + elif msg_type == 13: + asn1Spec=krb5_asn1.TGS_REP() + elif msg_type == 30: + asn1Spec=krb5_asn1.KRB_ERROR() + rep = self.der_decode(rep_pdu, asn1Spec=asn1Spec, + asn1_print=asn1_print, hexdump=False) + finally: + pass + return (rep, rep_pdu) + + def recv_pdu(self, asn1_print=None, hexdump=None, timeout=None): + (rep, rep_pdu) = self.recv_pdu_raw(asn1_print=asn1_print, + hexdump=hexdump, + timeout=timeout) + return rep + + def assertIsConnected(self): + self.assertIsNotNone(self.s, msg="Not connected") + return + + def assertNotConnected(self): + self.assertIsNone(self.s, msg="Is connected") + return + + def send_recv_transaction(self, req, asn1_print=None, hexdump=None, timeout=None): + self.connect() + try: + self.send_pdu(req, asn1_print=asn1_print, hexdump=hexdump) + rep = self.recv_pdu(asn1_print=asn1_print, hexdump=hexdump, timeout=timeout) + except Exception: + self._disconnect("transaction failed") + raise + self._disconnect("transaction done") + return rep + + def assertNoValue(self, value): + self.assertTrue(value.isNoValue) + return + + def assertHasValue(self, value): + self.assertIsNotNone(value) + return + + def assertPrincipalEqual(self, princ1, princ2): + self.assertEqual(princ1['name-type'], princ2['name-type']) + self.assertEqual(len(princ1['name-string']), len(princ2['name-string']), + msg="princ1=%s != princ2=%s" % (princ1, princ2)) + for idx in range(len(princ1['name-string'])): + self.assertEqual(princ1['name-string'][idx], princ2['name-string'][idx], + msg="princ1=%s != princ2=%s" % (princ1, princ2)) + return + + def get_KerberosTimeWithUsec(self, epoch=None, offset=None): + if epoch is None: + epoch = time.time() + if offset is not None: + epoch = epoch + int(offset) + dt = datetime.datetime.fromtimestamp(epoch, tz=datetime.timezone.utc) + return (dt.strftime("%Y%m%d%H%M%SZ"), dt.microsecond) + + def get_KerberosTime(self, epoch=None, offset=None): + (s, _) = self.get_KerberosTimeWithUsec(epoch=epoch, offset=offset) + return s + + def SessionKey_create(self, etype, contents, kvno=None): + key = kcrypto.Key(etype, contents) + return Krb5EncryptionKey(key, kvno) + + def PasswordKey_create(self, etype=None, pwd=None, salt=None, kvno=None): + key = kcrypto.string_to_key(etype, pwd, salt) + return Krb5EncryptionKey(key, kvno) + + def PasswordKey_from_etype_info2(self, creds, etype_info2, kvno=None): + e = etype_info2['etype'] + salt = None + try: + salt = etype_info2['salt'] + except: + pass + + if e == kcrypto.Enctype.RC4: + self.assertIsNone(salt) + nthash = creds.get_nt_hash() + return self.SessionKey_create(etype=e, contents=nthash, kvno=kvno) + + password = creds.get_password() + return self.PasswordKey_create(etype=e, pwd=password, salt=salt, kvno=kvno) + + def RandomKey(self, etype): + e = kcrypto._get_enctype_profile(etype) + contents = samba.generate_random_bytes(e.keysize) + return self.SessionKey_create(etype=etype, contents=contents) + + def EncryptionKey_import(self, EncryptionKey_obj): + return self.SessionKey_create(EncryptionKey_obj['keytype'], + EncryptionKey_obj['keyvalue']) + + def EncryptedData_create(self, key, usage, plaintext): + # EncryptedData ::= SEQUENCE { + # etype [0] Int32 -- EncryptionType --, + # kvno [1] UInt32 OPTIONAL, + # cipher [2] OCTET STRING -- ciphertext + # } + ciphertext = key.encrypt(usage, plaintext) + EncryptedData_obj = { + 'etype': key.etype, + 'cipher': ciphertext + } + if key.kvno is not None: + EncryptedData_obj['kvno'] = key.kvno + return EncryptedData_obj + + def Checksum_create(self, key, usage, plaintext, ctype=None): + #Checksum ::= SEQUENCE { + # cksumtype [0] Int32, + # checksum [1] OCTET STRING + #} + if ctype is None: + ctype = key.ctype + checksum = key.make_checksum(usage, plaintext, ctype=ctype) + Checksum_obj = { + 'cksumtype': ctype, + 'checksum': checksum, + } + return Checksum_obj + + def PrincipalName_create(self, name_type, names): + # PrincipalName ::= SEQUENCE { + # name-type [0] Int32, + # name-string [1] SEQUENCE OF KerberosString + # } + PrincipalName_obj = { + 'name-type': name_type, + 'name-string': names, + } + return PrincipalName_obj + + def PA_DATA_create(self, padata_type, padata_value): + # PA-DATA ::= SEQUENCE { + # -- NOTE: first tag is [1], not [0] + # padata-type [1] Int32, + # padata-value [2] OCTET STRING -- might be encoded AP-REQ + # } + PA_DATA_obj = { + 'padata-type': padata_type, + 'padata-value': padata_value, + } + return PA_DATA_obj + + def PA_ENC_TS_ENC_create(self, ts, usec): + #PA-ENC-TS-ENC ::= SEQUENCE { + # patimestamp[0] KerberosTime, -- client's time + # pausec[1] krb5int32 OPTIONAL + #} + PA_ENC_TS_ENC_obj = { + 'patimestamp': ts, + 'pausec': usec, + } + return PA_ENC_TS_ENC_obj + + def KDC_REQ_BODY_create(self, + kdc_options, + cname, + realm, + sname, + from_time, + till_time, + renew_time, + nonce, + etypes, + addresses, + EncAuthorizationData, + EncAuthorizationData_key, + additional_tickets, + asn1_print=None, + hexdump=None): + #KDC-REQ-BODY ::= SEQUENCE { + # kdc-options [0] KDCOptions, + # cname [1] PrincipalName OPTIONAL + # -- Used only in AS-REQ --, + # realm [2] Realm + # -- Server's realm + # -- Also client's in AS-REQ --, + # sname [3] PrincipalName OPTIONAL, + # from [4] KerberosTime OPTIONAL, + # till [5] KerberosTime, + # rtime [6] KerberosTime OPTIONAL, + # nonce [7] UInt32, + # etype [8] SEQUENCE OF Int32 -- EncryptionType + # -- in preference order --, + # addresses [9] HostAddresses OPTIONAL, + # enc-authorization-data [10] EncryptedData OPTIONAL + # -- AuthorizationData --, + # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL + # -- NOTE: not empty + #} + if EncAuthorizationData is not None: + enc_ad_plain = self.der_encode(EncAuthorizationData, + asn1Spec=krb5_asn1.AuthorizationData(), + asn1_print=asn1_print, + hexdump=hexdump) + enc_ad = self.EncryptedData_create(EncAuthorizationData_key, enc_ad_plain) + else: + enc_ad = None + KDC_REQ_BODY_obj = { + 'kdc-options': kdc_options, + 'realm': realm, + 'till': till_time, + 'nonce': nonce, + 'etype': etypes, + } + if cname is not None: + KDC_REQ_BODY_obj['cname'] = cname + if sname is not None: + KDC_REQ_BODY_obj['sname'] = sname + if from_time is not None: + KDC_REQ_BODY_obj['from'] = from_time + if renew_time is not None: + KDC_REQ_BODY_obj['rtime'] = renew_time + if addresses is not None: + KDC_REQ_BODY_obj['addresses'] = addresses + if enc_ad is not None: + KDC_REQ_BODY_obj['enc-authorization-data'] = enc_ad + if additional_tickets is not None: + KDC_REQ_BODY_obj['additional-tickets'] = additional_tickets + return KDC_REQ_BODY_obj + + def KDC_REQ_create(self, + msg_type, + padata, + kdc_options, + cname, + realm, + sname, + from_time, + till_time, + renew_time, + nonce, + etypes, + addresses, + EncAuthorizationData, + EncAuthorizationData_key, + additional_tickets, + asn1Spec=None, + asn1_print=None, + hexdump=None): + #KDC-REQ ::= SEQUENCE { + # -- NOTE: first tag is [1], not [0] + # pvno [1] INTEGER (5) , + # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), + # padata [3] SEQUENCE OF PA-DATA OPTIONAL + # -- NOTE: not empty --, + # req-body [4] KDC-REQ-BODY + #} + # + KDC_REQ_BODY_obj = self.KDC_REQ_BODY_create(kdc_options, + cname, + realm, + sname, + from_time, + till_time, + renew_time, + nonce, + etypes, + addresses, + EncAuthorizationData, + EncAuthorizationData_key, + additional_tickets, + asn1_print=asn1_print, + hexdump=hexdump) + KDC_REQ_obj = { + 'pvno': 5, + 'msg-type': msg_type, + 'req-body': KDC_REQ_BODY_obj, + } + if padata is not None: + KDC_REQ_obj['padata'] = padata + if asn1Spec is not None: + KDC_REQ_decoded = pyasn1_native_decode(KDC_REQ_obj, asn1Spec=asn1Spec) + else: + KDC_REQ_decoded = None + return KDC_REQ_obj, KDC_REQ_decoded + + def AS_REQ_create(self, + padata, # optional + kdc_options, # required + cname, # optional + realm, # required + sname, # optional + from_time, # optional + till_time, # required + renew_time, # optional + nonce, # required + etypes, # required + addresses, # optional + EncAuthorizationData, + EncAuthorizationData_key, + additional_tickets, + native_decoded_only=True, + asn1_print=None, + hexdump=None): + #KDC-REQ ::= SEQUENCE { + # -- NOTE: first tag is [1], not [0] + # pvno [1] INTEGER (5) , + # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), + # padata [3] SEQUENCE OF PA-DATA OPTIONAL + # -- NOTE: not empty --, + # req-body [4] KDC-REQ-BODY + #} + # + #KDC-REQ-BODY ::= SEQUENCE { + # kdc-options [0] KDCOptions, + # cname [1] PrincipalName OPTIONAL + # -- Used only in AS-REQ --, + # realm [2] Realm + # -- Server's realm + # -- Also client's in AS-REQ --, + # sname [3] PrincipalName OPTIONAL, + # from [4] KerberosTime OPTIONAL, + # till [5] KerberosTime, + # rtime [6] KerberosTime OPTIONAL, + # nonce [7] UInt32, + # etype [8] SEQUENCE OF Int32 -- EncryptionType + # -- in preference order --, + # addresses [9] HostAddresses OPTIONAL, + # enc-authorization-data [10] EncryptedData OPTIONAL + # -- AuthorizationData --, + # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL + # -- NOTE: not empty + #} + obj,decoded = self.KDC_REQ_create(msg_type=10, + padata=padata, + kdc_options=kdc_options, + cname=cname, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets, + asn1Spec=krb5_asn1.AS_REQ(), + asn1_print=asn1_print, + hexdump=hexdump) + if native_decoded_only: + return decoded + return decoded, obj + + def AP_REQ_create(self, ap_options, ticket, authenticator): + # AP-REQ ::= [APPLICATION 14] SEQUENCE { + # pvno [0] INTEGER (5), + # msg-type [1] INTEGER (14), + # ap-options [2] APOptions, + # ticket [3] Ticket, + # authenticator [4] EncryptedData -- Authenticator + #} + AP_REQ_obj = { + 'pvno': 5, + 'msg-type': 14, + 'ap-options': ap_options, + 'ticket': ticket, + 'authenticator': authenticator, + } + return AP_REQ_obj + + def Authenticator_create(self, crealm, cname, cksum, cusec, ctime, subkey, seq_number, + authorization_data): + # -- Unencrypted authenticator + # Authenticator ::= [APPLICATION 2] SEQUENCE { + # authenticator-vno [0] INTEGER (5), + # crealm [1] Realm, + # cname [2] PrincipalName, + # cksum [3] Checksum OPTIONAL, + # cusec [4] Microseconds, + # ctime [5] KerberosTime, + # subkey [6] EncryptionKey OPTIONAL, + # seq-number [7] UInt32 OPTIONAL, + # authorization-data [8] AuthorizationData OPTIONAL + #} + Authenticator_obj = { + 'authenticator-vno': 5, + 'crealm': crealm, + 'cname': cname, + 'cusec': cusec, + 'ctime': ctime, + } + if cksum is not None: + Authenticator_obj['cksum'] = cksum + if subkey is not None: + Authenticator_obj['subkey'] = subkey + if seq_number is not None: + Authenticator_obj['seq-number'] = seq_number + if authorization_data is not None: + Authenticator_obj['authorization-data'] = authorization_data + return Authenticator_obj + + def TGS_REQ_create(self, + padata, # optional + cusec, + ctime, + ticket, + kdc_options, # required + cname, # optional + realm, # required + sname, # optional + from_time, # optional + till_time, # required + renew_time, # optional + nonce, # required + etypes, # required + addresses, # optional + EncAuthorizationData, + EncAuthorizationData_key, + additional_tickets, + ticket_session_key, + authenticator_subkey=None, + body_checksum_type=None, + native_decoded_only=True, + asn1_print=None, + hexdump=None): + #KDC-REQ ::= SEQUENCE { + # -- NOTE: first tag is [1], not [0] + # pvno [1] INTEGER (5) , + # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), + # padata [3] SEQUENCE OF PA-DATA OPTIONAL + # -- NOTE: not empty --, + # req-body [4] KDC-REQ-BODY + #} + # + #KDC-REQ-BODY ::= SEQUENCE { + # kdc-options [0] KDCOptions, + # cname [1] PrincipalName OPTIONAL + # -- Used only in AS-REQ --, + # realm [2] Realm + # -- Server's realm + # -- Also client's in AS-REQ --, + # sname [3] PrincipalName OPTIONAL, + # from [4] KerberosTime OPTIONAL, + # till [5] KerberosTime, + # rtime [6] KerberosTime OPTIONAL, + # nonce [7] UInt32, + # etype [8] SEQUENCE OF Int32 -- EncryptionType + # -- in preference order --, + # addresses [9] HostAddresses OPTIONAL, + # enc-authorization-data [10] EncryptedData OPTIONAL + # -- AuthorizationData --, + # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL + # -- NOTE: not empty + #} + + req_body = self.KDC_REQ_BODY_create(kdc_options=kdc_options, + cname=None, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets) + req_body = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(), + asn1_print=asn1_print, hexdump=hexdump) + + req_body_checksum = self.Checksum_create(ticket_session_key, 6, req_body, + ctype=body_checksum_type) + + subkey_obj = None + if authenticator_subkey is not None: + subkey_obj = authenticator_subkey.export_obj() + seq_number = random.randint(0, 0xfffffffe) + authenticator = self.Authenticator_create(crealm=realm, + cname=cname, + cksum=req_body_checksum, + cusec=cusec, + ctime=ctime, + subkey=subkey_obj, + seq_number=seq_number, + authorization_data=None) + authenticator = self.der_encode(authenticator, asn1Spec=krb5_asn1.Authenticator(), + asn1_print=asn1_print, hexdump=hexdump) + + authenticator = self.EncryptedData_create(ticket_session_key, 7, authenticator) + + ap_options = krb5_asn1.APOptions('0') + ap_req = self.AP_REQ_create(ap_options=str(ap_options), + ticket=ticket, + authenticator=authenticator) + ap_req = self.der_encode(ap_req, asn1Spec=krb5_asn1.AP_REQ(), + asn1_print=asn1_print, hexdump=hexdump) + pa_tgs_req = self.PA_DATA_create(1, ap_req) + if padata is not None: + padata.append(pa_tgs_req) + else: + padata = [pa_tgs_req] + + obj,decoded = self.KDC_REQ_create(msg_type=12, + padata=padata, + kdc_options=kdc_options, + cname=None, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets, + asn1Spec=krb5_asn1.TGS_REQ(), + asn1_print=asn1_print, + hexdump=hexdump) + if native_decoded_only: + return decoded + return decoded, obj -- 2.35.0 From 015a78ece7fb01834374dcf327037b56335136e0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 13 Feb 2020 16:29:38 +0100 Subject: [PATCH 026/686] python/tests/krb5: add simple_tests.py with the first simple test This just demonstrates that the infrastructure works:-) I'm running this as: SERVER=172.31.9.188 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE \ USERNAME=administrator PASSWORD=A1b2C3d4 SERVICE_USERNAME="w2012r2-188" \ python/samba/tests/krb5/simple_tests.py Pair-Programmed-With: Isaac Boukris Signed-off-by: Stefan Metzmacher Signed-off-by: Isaac Boukris Reviewed-by: Isaac Boukris (cherry picked from commit 4f6d26609a66a42df671a540677af15e67efc0df) --- python/samba/tests/krb5/simple_tests.py | 171 ++++++++++++++++++++++++ python/samba/tests/usage.py | 1 + 2 files changed, 172 insertions(+) create mode 100755 python/samba/tests/krb5/simple_tests.py diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py new file mode 100755 index 00000000000..c9998c4d2db --- /dev/null +++ b/python/samba/tests/krb5/simple_tests.py @@ -0,0 +1,171 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 + +global_asn1_print = False +global_hexdump = False + +class SimpleKerberosTests(RawKerberosTest): + + def setUp(self): + super(SimpleKerberosTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def test_simple(self): + user_creds = self.get_user_creds() + user = user_creds.get_username() + realm = user_creds.get_realm() + + cname = self.PrincipalName_create(name_type=1, names=[user]) + sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) + + till = self.get_KerberosTime(offset=36000) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = None + + etypes=(18,17,23) + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + self.assertEqual(rep['msg-type'], 30) + self.assertEqual(rep['error-code'], 25) + rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + + for pa in rep_padata: + if pa['padata-type'] == 19: + etype_info2 = pa['padata-value'] + break + + etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + + key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) + + (patime, pausec) = self.get_KerberosTimeWithUsec() + pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + enc_pa_ts_usage = 1 + pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) + + pa_ts = self.PA_DATA_create(2, pa_ts) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = [pa_ts] + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + self.assertEqual(msg_type, 11) + + usage = 3 + enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + + # TGS Request + service_creds = self.get_service_creds(allow_missing_password=True) + service_name = service_creds.get_username() + + sname = self.PrincipalName_create(name_type=2, names=["host", service_name]) + kdc_options = krb5_asn1.KDCOptions('forwardable') + till = self.get_KerberosTime(offset=36000) + ticket = rep['ticket'] + ticket_session_key = self.EncryptionKey_import(enc_part2['key']) + padata = [] + + subkey = self.RandomKey(ticket_session_key.etype) + subkey_usage = 9 + + (ctime, cusec) = self.get_KerberosTimeWithUsec() + + req = self.TGS_REQ_create(padata=padata, + cusec=cusec, + ctime=ctime, + ticket=ticket, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7ffffffe, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None, + ticket_session_key=ticket_session_key, + authenticator_subkey=subkey) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + self.assertEqual(msg_type, 13) + + enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + + return + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index cebc54461b9..de144f1d6a4 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -84,6 +84,7 @@ EXCLUDE_USAGE = { 'bin/python/samba/subunit/run.py', 'python/samba/tests/dcerpc/raw_protocol.py', 'python/samba/tests/krb5/kcrypto.py', + 'python/samba/tests/krb5/simple_tests.py', } -- 2.35.0 From 7e61df106d6d973e82aeec46a31549bfdf5e44de Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 13 Feb 2020 16:29:38 +0100 Subject: [PATCH 027/686] s4:selftest: run samba.tests.krb5.simple_tests against ad_dc_default Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Mar 27 19:54:25 UTC 2020 on sn-devel-184 (cherry picked from commit c4ccdf4b30de1b1e63d3fd99d33b924b816a5d37) --- source4/selftest/tests.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index e627158d2f9..06828a53dae 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -714,6 +714,8 @@ planoldpythontestsuite("ad_dc:local", "samba.tests.gpo", extra_args=['-U"$USERNA planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) planoldpythontestsuite("none", "samba.tests.krb5.kcrypto") +planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests", + environ={'SERVICE_USERNAME':'$SERVER'}) for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) -- 2.35.0 From 06adb65d6ba2ed45fd5aeb2b57413021704d5565 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 7 May 2020 17:17:12 +0200 Subject: [PATCH 028/686] Revert "CVE-2018-16860 selftest: Add test for S4U2Self with unkeyed checksum" This reverts commit 5639e973c1f6f1b28b122741763f1d05b47bc2d8. This is no longer needed as the next commit includes a Python test for this, without the complexity of being inside krb5.kdc.canon. Signed-off-by: Isaac Boukris Reviewed-by: Andrew Bartlett (cherry picked from commit 19875a37318a7cd5585572616cf12a775591193f) --- source4/torture/krb5/kdc-canon-heimdal.c | 105 +---------------------- 1 file changed, 4 insertions(+), 101 deletions(-) diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c index ee3045181dc..30eca87cb52 100644 --- a/source4/torture/krb5/kdc-canon-heimdal.c +++ b/source4/torture/krb5/kdc-canon-heimdal.c @@ -44,8 +44,7 @@ #define TEST_S4U2SELF 0x0000080 #define TEST_REMOVEDOLLAR 0x0000100 #define TEST_AS_REQ_SPN 0x0000200 -#define TEST_MITM_S4U2SELF 0x0000400 -#define TEST_ALL 0x00007FF +#define TEST_ALL 0x00003FF struct test_data { const char *test_name; @@ -63,7 +62,6 @@ struct test_data { bool upn; bool other_upn_suffix; bool s4u2self; - bool mitm_s4u2self; bool removedollar; bool as_req_spn; bool spn_is_upn; @@ -214,67 +212,6 @@ static bool test_accept_ticket(struct torture_context *tctx, return true; } -krb5_error_code -_krb5_s4u2self_to_checksumdata(krb5_context context, - const PA_S4U2Self *self, - krb5_data *data); - -/* Helper function to modify the principal in PA_FOR_USER padata */ -static bool change_for_user_principal(struct torture_krb5_context *test_context, - krb5_data *modified_send_buf) -{ - PA_DATA *for_user; - int i = 0; - size_t used; - krb5_error_code ret; - PA_S4U2Self self, mod_self; - krb5_data cksum_data; - krb5_principal admin; - heim_octet_string orig_padata_value; - krb5_context k5_ctx = test_context->smb_krb5_context->krb5_context; - - for_user = krb5_find_padata(test_context->tgs_req.padata->val, - test_context->tgs_req.padata->len, KRB5_PADATA_FOR_USER, &i); - torture_assert(test_context->tctx, for_user != NULL, "No PA_FOR_USER in s4u2self request"); - orig_padata_value = for_user->padata_value; - - torture_assert_int_equal(test_context->tctx, - krb5_make_principal(k5_ctx, &admin, test_context->test_data->realm, - "Administrator", NULL), - 0, "krb5_make_principal() failed"); - torture_assert_int_equal(test_context->tctx, - decode_PA_S4U2Self(for_user->padata_value.data, - for_user->padata_value.length, &self, NULL), - 0, "decode_PA_S4U2Self() failed"); - mod_self = self; - mod_self.name = admin->name; - - torture_assert_int_equal(test_context->tctx, - _krb5_s4u2self_to_checksumdata(k5_ctx, &mod_self, &cksum_data), - 0, "_krb5_s4u2self_to_checksumdata() failed"); - torture_assert_int_equal(test_context->tctx, - krb5_create_checksum(k5_ctx, NULL, KRB5_KU_OTHER_CKSUM, - CKSUMTYPE_CRC32, cksum_data.data, - cksum_data.length, &mod_self.cksum), - 0, "krb5_create_checksum() failed"); - - ASN1_MALLOC_ENCODE(PA_S4U2Self, for_user->padata_value.data, for_user->padata_value.length, - &mod_self, &used, ret); - torture_assert(test_context->tctx, ret == 0, "Failed to encode PA_S4U2Self ASN1 struct"); - ASN1_MALLOC_ENCODE(TGS_REQ, modified_send_buf->data, modified_send_buf->length, - &test_context->tgs_req, &used, ret); - torture_assert(test_context->tctx, ret == 0, "Failed to encode TGS_REQ ASN1 struct"); - - free(for_user->padata_value.data); - for_user->padata_value = orig_padata_value; - - free_PA_S4U2Self(&self); - krb5_data_free(&cksum_data); - free_Checksum(&mod_self.cksum); - - return true; -} - /* * TEST_AS_REQ and TEST_AS_REQ_SELF - SEND * @@ -694,12 +631,7 @@ static bool torture_krb5_pre_send_tgs_req_canon_test(struct torture_krb5_context } - if (test_context->test_data->mitm_s4u2self) { - torture_assert(test_context->tctx, change_for_user_principal(test_context, modified_send_buf), - "Failed to modify PA_FOR_USER principal name"); - } else { - *modified_send_buf = *send_buf; - } + *modified_send_buf = *send_buf; return true; } @@ -718,7 +650,6 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex { KRB_ERROR error; size_t used; - krb5_error_code expected_error; /* * If this account did not have a servicePrincipalName, then @@ -729,13 +660,9 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno"); - expected_error = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE; - if (error.error_code != expected_error && test_context->test_data->mitm_s4u2self) { - expected_error = KRB5KRB_AP_ERR_INAPP_CKSUM - KRB5KDC_ERR_NONE; - } torture_assert_int_equal(test_context->tctx, error.error_code, - expected_error, + KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE, "Got wrong error.error_code"); } else { torture_assert_int_equal(test_context->tctx, @@ -778,8 +705,6 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex torture_assert_int_equal(test_context->tctx, *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000, 0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO"); - torture_assert(test_context->tctx, test_context->test_data->mitm_s4u2self == false, - "KDC accepted PA_S4U2Self with unkeyed checksum!"); free_TGS_REP(&test_context->tgs_rep); } torture_assert(test_context->tctx, test_context->packet_count == 0, "too many packets"); @@ -2081,23 +2006,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * && (test_data->enterprise || test_data->spn_is_upn || test_data->upn == false)) { - - if (test_data->mitm_s4u2self) { - torture_assert_int_equal(tctx, k5ret, KRB5KRB_AP_ERR_INAPP_CKSUM, - assertion_message); - /* Done testing mitm-s4u2self */ - return true; - } - torture_assert_int_equal(tctx, k5ret, 0, assertion_message); - - /* Check that the impersonate principal is not being canonicalized by the KDC. */ - if (test_data->s4u2self) { - torture_assert(tctx, krb5_principal_compare(k5_context, server_creds->client, - principal), - "TGS-REP cname does not match requested client principal"); - } - torture_assert_int_equal(tctx, krb5_cc_store_cred(k5_context, ccache, server_creds), 0, "krb5_cc_store_cred failed"); @@ -2571,7 +2480,7 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx) (i & TEST_UPN) ? "upn" : ((i & TEST_AS_REQ_SPN) ? "spn" : ((i & TEST_REMOVEDOLLAR) ? "removedollar" : "samaccountname")), - (i & TEST_S4U2SELF) ? (i & TEST_MITM_S4U2SELF) ? "mitm-s4u2self" : "s4u2self" : "normal"); + (i & TEST_S4U2SELF) ? "s4u2self" : "normal"); struct torture_suite *sub_suite = torture_suite_create(mem_ctx, name); struct test_data *test_data = talloc_zero(suite, struct test_data); @@ -2585,11 +2494,6 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx) continue; } } - if (i & TEST_MITM_S4U2SELF) { - if (!(i & TEST_S4U2SELF)) { - continue; - } - } test_data->test_name = name; test_data->real_realm @@ -2610,7 +2514,6 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx) test_data->win2k = (i & TEST_WIN2K) != 0; test_data->upn = (i & TEST_UPN) != 0; test_data->s4u2self = (i & TEST_S4U2SELF) != 0; - test_data->mitm_s4u2self = (i & TEST_MITM_S4U2SELF) != 0; test_data->removedollar = (i & TEST_REMOVEDOLLAR) != 0; test_data->as_req_spn = (i & TEST_AS_REQ_SPN) != 0; torture_suite_add_simple_tcase_const(sub_suite, name, torture_krb5_as_req_canon, -- 2.35.0 From 53713bfed5031df8951d43e5ed0d0a737d3d5687 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Mon, 4 May 2020 18:09:53 +0200 Subject: [PATCH 029/686] selftest: add python S4U2Self tests including unkeyed checksums To test the CRC32 I reverted the unkeyed-checksum fix (43958af1) and the weak-crypto fix (389d1b97). Note that the unkeyed-md5 still worked even with weak-crypto disabled, and that the unkeyed-sha1 never worked but I left it anyway. Signed-off-by: Isaac Boukris Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri May 15 12:25:40 UTC 2020 on sn-devel-184 (cherry picked from commit 8b5e7644130146bcc4e5a0dd05da6458a6025dd8) --- python/samba/tests/krb5/kcrypto.py | 85 ++++++++++ python/samba/tests/krb5/raw_testcase.py | 23 +++ python/samba/tests/krb5/rfc4120.asn1 | 8 + python/samba/tests/krb5/rfc4120_pyasn1.py | 14 +- python/samba/tests/krb5/s4u_tests.py | 197 ++++++++++++++++++++++ python/samba/tests/usage.py | 1 + selftest/knownfail | 2 + selftest/skip_mit_kdc | 1 + selftest/target/Samba4.pm | 23 +++ source4/selftest/tests.py | 4 + 10 files changed, 357 insertions(+), 1 deletion(-) create mode 100755 python/samba/tests/krb5/s4u_tests.py diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py index ed3c84fa186..2572fa5bab3 100755 --- a/python/samba/tests/krb5/kcrypto.py +++ b/python/samba/tests/krb5/kcrypto.py @@ -51,6 +51,7 @@ os.environ["PYTHONUNBUFFERED"] = "1" from math import gcd from functools import reduce from struct import pack, unpack +from binascii import crc32 from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives import hmac from cryptography.hazmat.primitives.ciphers import algorithms as ciphers @@ -533,6 +534,21 @@ class _MD5(_ChecksumProfile): return SIMPLE_HASH(text, hashes.MD5) +class _SHA1(_ChecksumProfile): + @classmethod + def checksum(cls, key, keyusage, text): + # This is unkeyed! + return SIMPLE_HASH(text, hashes.SHA1) + + +class _CRC32(_ChecksumProfile): + @classmethod + def checksum(cls, key, keyusage, text): + # This is unkeyed! + cksum = (~crc32(text, 0xffffffff)) & 0xffffffff + return pack('. +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests import env_get_var_value +from samba.tests.krb5.kcrypto import Cksumtype +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 + +global_asn1_print = False +global_hexdump = False + +class S4UKerberosTests(RawKerberosTest): + + def setUp(self): + super(S4UKerberosTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def _test_s4u2self(self, pa_s4u2self_ctype=None): + service_creds = self.get_service_creds() + service = service_creds.get_username() + realm = service_creds.get_realm() + + cname = self.PrincipalName_create(name_type=1, names=[service]) + sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) + + till = self.get_KerberosTime(offset=36000) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = None + + etypes=(18,17,23) + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + self.assertEqual(rep['msg-type'], 30) + self.assertEqual(rep['error-code'], 25) + rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + + for pa in rep_padata: + if pa['padata-type'] == 19: + etype_info2 = pa['padata-value'] + break + + etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + + key = self.PasswordKey_from_etype_info2(service_creds, etype_info2[0]) + + (patime, pausec) = self.get_KerberosTimeWithUsec() + pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + enc_pa_ts_usage = 1 + pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) + + pa_ts = self.PA_DATA_create(2, pa_ts) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = [pa_ts] + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + self.assertEqual(msg_type, 11) + + usage = 3 + enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + + # S4U2Self Request + sname = cname + + for_user_name = env_get_var_value('FOR_USER') + uname = self.PrincipalName_create(name_type=1, names=[for_user_name]) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + till = self.get_KerberosTime(offset=36000) + ticket = rep['ticket'] + ticket_session_key = self.EncryptionKey_import(enc_part2['key']) + pa_s4u = self.PA_S4U2Self_create(name=uname, realm=realm, + tgt_session_key=ticket_session_key, + ctype=pa_s4u2self_ctype) + padata = [pa_s4u] + + subkey = self.RandomKey(ticket_session_key.etype) + subkey_usage = 9 + + (ctime, cusec) = self.get_KerberosTimeWithUsec() + + req = self.TGS_REQ_create(padata=padata, + cusec=cusec, + ctime=ctime, + ticket=ticket, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7ffffffe, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None, + ticket_session_key=ticket_session_key, + authenticator_subkey=subkey) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + if msg_type == 13: + enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + + return msg_type + + # Using the checksum type from the tgt_session_key happens to work everywhere + def test_s4u2self(self): + msg_type = self._test_s4u2self() + self.assertEqual(msg_type, 13) + + # Per spec, the checksum of PA-FOR-USER is HMAC_MD5, see [MS-SFU] 2.2.1 + def test_s4u2self_hmac_md5_checksum(self): + msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.HMAC_MD5) + self.assertEqual(msg_type, 13) + + def test_s4u2self_md5_unkeyed_checksum(self): + msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.MD5) + self.assertEqual(msg_type, 30) + + def test_s4u2self_sha1_unkeyed_checksum(self): + msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.SHA1) + self.assertEqual(msg_type, 30) + + def test_s4u2self_crc32_unkeyed_checksum(self): + msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.CRC32) + self.assertEqual(msg_type, 30) + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index de144f1d6a4..8af43bc8299 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -85,6 +85,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/dcerpc/raw_protocol.py', 'python/samba/tests/krb5/kcrypto.py', 'python/samba/tests/krb5/simple_tests.py', + 'python/samba/tests/krb5/s4u_tests.py', } diff --git a/selftest/knownfail b/selftest/knownfail index 1817db384e0..3a851b06e8e 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -361,3 +361,5 @@ ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\) ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) +# Fixed upstream heimdal in PR #439 +^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_hmac_md5_checksum diff --git a/selftest/skip_mit_kdc b/selftest/skip_mit_kdc index 4a51c98ea0b..ea644638c9f 100644 --- a/selftest/skip_mit_kdc +++ b/selftest/skip_mit_kdc @@ -3,3 +3,4 @@ .*RODC ^samba4.ntvfs.cifs.ntlm.base.unlink ^samba4.ntvfs.cifs.krb5.base.unlink +^samba.tests.krb5.s4u_tests diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 2fbd5e24928..aa12e823ae5 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -954,6 +954,29 @@ sub provision_raw_step2($$$) return undef; } + my $srv_account = "srv_account"; + $samba_tool_cmd = ""; + $samba_tool_cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" "; + $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; + $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool") + . " user create --configfile=$ctx->{smb_conf} $srv_account $ctx->{password}"; + unless (system($samba_tool_cmd) == 0) { + warn("Unable to add $srv_account user: \n$samba_tool_cmd\n"); + return undef; + } + + $samba_tool_cmd = ""; + $samba_tool_cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" "; + $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; + $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool") + . " spn add HOST/$srv_account --configfile=$ctx->{smb_conf} $srv_account"; + unless (system($samba_tool_cmd) == 0) { + warn("Unable to add spn for $srv_account: \n$samba_tool_cmd\n"); + return undef; + } + my $ldbmodify = ""; $ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; $ldbmodify .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 06828a53dae..dd3b894203b 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -716,6 +716,10 @@ planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$U planoldpythontestsuite("none", "samba.tests.krb5.kcrypto") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests", environ={'SERVICE_USERNAME':'$SERVER'}) +planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", + environ={'SERVICE_USERNAME':'srv_account', + 'SERVICE_PASSWORD':'$PASSWORD', + 'FOR_USER':'$USERNAME'}) for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) -- 2.35.0 From f7d02d3e4a94ceebe0b0a50ce093757f004c20d9 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sun, 19 Jan 2020 16:24:24 +0100 Subject: [PATCH 030/686] selftest: add test for disallowed-forwardable server BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 197f97bc13c513ae6ae2b4129b23489081f63c64) --- selftest/knownfail.d/disallowed_forwardable_server | 1 + testprogs/blackbox/test_s4u_heimdal.sh | 13 +++++++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 selftest/knownfail.d/disallowed_forwardable_server diff --git a/selftest/knownfail.d/disallowed_forwardable_server b/selftest/knownfail.d/disallowed_forwardable_server new file mode 100644 index 00000000000..2e05909ab89 --- /dev/null +++ b/selftest/knownfail.d/disallowed_forwardable_server @@ -0,0 +1 @@ +^samba4.blackbox.krb5.s4u.test S4U2Proxy using received ticket diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh index 0e12c7ec096..c6ada54e85b 100755 --- a/testprogs/blackbox/test_s4u_heimdal.sh +++ b/testprogs/blackbox/test_s4u_heimdal.sh @@ -54,7 +54,7 @@ testit "set not-delegated flag" $samba_tool user sensitive $princ on || failed=` echo $PASSWORD > $PREFIX/tmppassfile -testit "kinit with password" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` +testit "kinit impersonator" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=`expr $failed + 1` testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` @@ -68,6 +68,15 @@ testit "unset not-delegated flag" $samba_tool user sensitive $princ off || faile testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1` testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` +testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` +testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` -rm -f $ocache $PREFIX/tmpccache tmppassfile +testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1` +testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` +testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit_expect_failure "test S4U2Proxy using received ticket" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + + +rm -f $ocache $PREFIX/tmpccache $PREFIX/tmppassfile exit $failed -- 2.35.0 From 1e32e8292e30bb55fb54c1fcf43c997fd279fb44 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Mon, 13 Jan 2020 23:42:54 +0100 Subject: [PATCH 031/686] heimdal: apply disallow-forwardable on server in TGS request upstream commit: 839b073facd2aecda6740224d73e560bc79965dc BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 8fdff19c5461315556014d25d237a958edeed1a2) --- selftest/knownfail.d/disallowed_forwardable_server | 1 - source4/heimdal/kdc/krb5tgs.c | 6 ++++++ 2 files changed, 6 insertions(+), 1 deletion(-) delete mode 100644 selftest/knownfail.d/disallowed_forwardable_server diff --git a/selftest/knownfail.d/disallowed_forwardable_server b/selftest/knownfail.d/disallowed_forwardable_server deleted file mode 100644 index 2e05909ab89..00000000000 --- a/selftest/knownfail.d/disallowed_forwardable_server +++ /dev/null @@ -1 +0,0 @@ -^samba4.blackbox.krb5.s4u.test S4U2Proxy using received ticket diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index ee3ac3d8f53..efbdd6ed77f 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -866,6 +866,12 @@ tgs_make_reply(krb5_context context, et.flags.anonymous = tgt->flags.anonymous; et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate; + /* See MS-KILE 3.3.5.1 */ + if (!server->entry.flags.forwardable) + et.flags.forwardable = 0; + if (!server->entry.flags.proxiable) + et.flags.proxiable = 0; + if(rspac->length) { /* * No not need to filter out the any PAC from the -- 2.35.0 From de202bb4a903470b684eb277d719dea772f3c443 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 7 May 2020 01:25:36 +0200 Subject: [PATCH 032/686] selftest: allow EncASRepPart to be encoded as EncTGSRepPart that's how MIT kdc encodes it, clients accept both. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit a823cc1e8bc9a68a7e662022705039397a5df7e1) --- python/samba/tests/krb5/simple_tests.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py index c9998c4d2db..236fbda1cd5 100755 --- a/python/samba/tests/krb5/simple_tests.py +++ b/python/samba/tests/krb5/simple_tests.py @@ -115,7 +115,12 @@ class SimpleKerberosTests(RawKerberosTest): usage = 3 enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + + # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 + try: + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + except Exception: + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) # TGS Request service_creds = self.get_service_creds(allow_missing_password=True) -- 2.35.0 From 03f9acf088dc65243466b26bfc83e7012ff3ca0e Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 6 May 2020 15:54:55 +0200 Subject: [PATCH 033/686] selftest: test forwardable flag in cross-realm tgt tickets BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 9b302a57ff0d4c3a373f762f2ad4daf736b0853b) --- python/samba/tests/krb5/xrealm_tests.py | 180 ++++++++++++++++++++++++ python/samba/tests/usage.py | 1 + selftest/knownfail.d/xrealm | 1 + source4/selftest/tests.py | 2 + 4 files changed, 184 insertions(+) create mode 100755 python/samba/tests/krb5/xrealm_tests.py create mode 100644 selftest/knownfail.d/xrealm diff --git a/python/samba/tests/krb5/xrealm_tests.py b/python/samba/tests/krb5/xrealm_tests.py new file mode 100755 index 00000000000..64064b8a670 --- /dev/null +++ b/python/samba/tests/krb5/xrealm_tests.py @@ -0,0 +1,180 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +import samba.tests + +global_asn1_print = False +global_hexdump = False + +class XrealmKerberosTests(RawKerberosTest): + + def setUp(self): + super(XrealmKerberosTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def test_xrealm(self): + user_creds = self.get_user_creds() + user = user_creds.get_username() + realm = user_creds.get_realm() + + cname = self.PrincipalName_create(name_type=1, names=[user]) + sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) + + till = self.get_KerberosTime(offset=36000) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = None + + etypes=(18,17,23) + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + self.assertEqual(rep['msg-type'], 30) + self.assertEqual(rep['error-code'], 25) + rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + + for pa in rep_padata: + if pa['padata-type'] == 19: + etype_info2 = pa['padata-value'] + break + + etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + + key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) + + (patime, pausec) = self.get_KerberosTimeWithUsec() + pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + enc_pa_ts_usage = 1 + pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) + + pa_ts = self.PA_DATA_create(2, pa_ts) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = [pa_ts] + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + self.assertEqual(msg_type, 11) + + usage = 3 + enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) + + # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 + try: + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + except Exception: + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + + # TGS Request (for cross-realm TGT) + trust_realm = samba.tests.env_get_var_value('TRUST_REALM') + sname = self.PrincipalName_create(name_type=2, names=["krbtgt", trust_realm]) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + till = self.get_KerberosTime(offset=36000) + ticket = rep['ticket'] + ticket_session_key = self.EncryptionKey_import(enc_part2['key']) + padata = [] + + subkey = self.RandomKey(ticket_session_key.etype) + subkey_usage = 9 + + (ctime, cusec) = self.get_KerberosTimeWithUsec() + + req = self.TGS_REQ_create(padata=padata, + cusec=cusec, + ctime=ctime, + ticket=ticket, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7ffffffe, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None, + ticket_session_key=ticket_session_key, + authenticator_subkey=subkey) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + self.assertEqual(msg_type, 13) + + enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + + # Check the forwardable flag + fwd_pos = len(tuple(krb5_asn1.TicketFlags('forwardable'))) -1 + assert(krb5_asn1.TicketFlags(enc_part2['flags'])[fwd_pos]) + + return + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 8af43bc8299..27cdb4c0cb3 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -86,6 +86,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/kcrypto.py', 'python/samba/tests/krb5/simple_tests.py', 'python/samba/tests/krb5/s4u_tests.py', + 'python/samba/tests/krb5/xrealm_tests.py', } diff --git a/selftest/knownfail.d/xrealm b/selftest/knownfail.d/xrealm new file mode 100644 index 00000000000..2e09644b1d8 --- /dev/null +++ b/selftest/knownfail.d/xrealm @@ -0,0 +1 @@ +^samba.tests.krb5.xrealm_tests.samba.tests.krb5.xrealm_tests.XrealmKerberosTests.test_xrealm diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index dd3b894203b..4aed6e1af91 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -721,6 +721,8 @@ planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", 'SERVICE_PASSWORD':'$PASSWORD', 'FOR_USER':'$USERNAME'}) +planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") + for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) planoldpythontestsuite(env + ":local", "samba.tests.ntacls_backup", -- 2.35.0 From f3d50b33a50fc9939e45df8070104f64d8f91d9f Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 9 May 2020 16:26:45 +0200 Subject: [PATCH 034/686] selftest: test forwardable flag in cross-realm with s4u2proxy Signed-off-by: Isaac Boukris Reviewed-by: Andrew Bartlett (cherry picked from commit fb7dfdbe8f94f7f053d67832e7f28a751136d733) [jsutton@samba.org Backported to fix conflicts] --- selftest/knownfail.d/s4u2p_fwd | 2 ++ source4/selftest/tests.py | 2 +- testprogs/blackbox/test_s4u_heimdal.sh | 17 ++++++++++++++--- 3 files changed, 17 insertions(+), 4 deletions(-) create mode 100644 selftest/knownfail.d/s4u2p_fwd diff --git a/selftest/knownfail.d/s4u2p_fwd b/selftest/knownfail.d/s4u2p_fwd new file mode 100644 index 00000000000..63ade3eece0 --- /dev/null +++ b/selftest/knownfail.d/s4u2p_fwd @@ -0,0 +1,2 @@ +^samba4.blackbox.krb5.s4u.get a ticket to impersonator for trust user +^samba4.blackbox.krb5.s4u.test S4U2Proxy evidence ticket obtained by TGS of trust user diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 4aed6e1af91..91c25cfb978 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -460,7 +460,7 @@ if have_heimdal_support: plantestsuite("samba4.blackbox.kinit_trust(fl2003dc:local)", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"]) plantestsuite("samba4.blackbox.export.keytab(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_heimdal.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4]) plantestsuite("samba4.blackbox.kpasswd(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"]) - plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', configuration]) + plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', configuration]) else: plantestsuite("samba4.blackbox.kinit(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration]) plantestsuite("samba4.blackbox.kinit(fl2000dc:local)", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration]) diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh index c6ada54e85b..c63eeaa2e30 100755 --- a/testprogs/blackbox/test_s4u_heimdal.sh +++ b/testprogs/blackbox/test_s4u_heimdal.sh @@ -12,8 +12,13 @@ USERNAME=$2 PASSWORD=$3 REALM=$4 DOMAIN=$5 -PREFIX=$6 -shift 6 +TRUST_SERVER=$6 +TRUST_USERNAME=$7 +TRUST_PASSWORD=$8 +TRUST_REALM=$9 +TRUST_DOMAIN=${10} +PREFIX=${11} +shift 11 failed=0 @@ -39,7 +44,7 @@ export KRB5CCNAME rm -rf $KRB5CCNAME_PATH princ=test_impersonate_princ -impersonator=test_impersonator +impersonator=test_impersonator.$REALM target="CIFS/$SERVER.$REALM" @@ -72,6 +77,12 @@ testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmp testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` +echo $TRUST_PASSWORD > $PREFIX/tmppassfile +testit "kinit trust user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` +testit "get a ticket to impersonator for trust user" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit "test S4U2Proxy evidence ticket obtained by TGS of trust user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + +echo $PASSWORD > $PREFIX/tmppassfile testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1` testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` -- 2.35.0 From 97c650f07d250804b47b0da27807b71d29bb3f38 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 14 Jan 2020 13:16:02 +0100 Subject: [PATCH 035/686] db-glue.c: set forwardable flag on cross-realm tgt tickets BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233 Match Windows behavior and allow the forwardable flag to be set in cross-realm tickets. We used to allow forwardable to any server, but now that we apply disallow-forwardable policy in heimdal we need to explicitly allow in the corss-realm case (and remove the workaround we have for it the MIT plugin). Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Jun 12 22:10:34 UTC 2020 on sn-devel-184 (cherry picked from commit 7655a0298e5f55582bf48ec776d8cd8b79fb5dd9) --- selftest/knownfail.d/s4u2p_fwd | 2 -- selftest/knownfail.d/xrealm | 1 - source4/kdc/db-glue.c | 3 +++ source4/kdc/mit_samba.c | 5 ----- 4 files changed, 3 insertions(+), 8 deletions(-) delete mode 100644 selftest/knownfail.d/s4u2p_fwd delete mode 100644 selftest/knownfail.d/xrealm diff --git a/selftest/knownfail.d/s4u2p_fwd b/selftest/knownfail.d/s4u2p_fwd deleted file mode 100644 index 63ade3eece0..00000000000 --- a/selftest/knownfail.d/s4u2p_fwd +++ /dev/null @@ -1,2 +0,0 @@ -^samba4.blackbox.krb5.s4u.get a ticket to impersonator for trust user -^samba4.blackbox.krb5.s4u.test S4U2Proxy evidence ticket obtained by TGS of trust user diff --git a/selftest/knownfail.d/xrealm b/selftest/knownfail.d/xrealm deleted file mode 100644 index 2e09644b1d8..00000000000 --- a/selftest/knownfail.d/xrealm +++ /dev/null @@ -1 +0,0 @@ -^samba.tests.krb5.xrealm_tests.samba.tests.krb5.xrealm_tests.XrealmKerberosTests.test_xrealm diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index f62a633c6c7..63d910eccb4 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -1556,6 +1556,9 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, entry_ex->entry.max_renew = NULL; + /* Match Windows behavior and allow forwardable flag in cross-realm. */ + entry_ex->entry.flags.forwardable = 1; + ret = samba_kdc_sort_encryption_keys(entry_ex); if (ret != 0) { krb5_clear_error_message(context); diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index 5a4f6e73e97..54dcd545ea1 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -304,11 +304,6 @@ fetch_referral_principal: sdb_free_entry(&sentry); - if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) { - kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE; - kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE; - } - done: krb5_free_principal(ctx->context, referral_principal); referral_principal = NULL; -- 2.35.0 From 211b557a5f2dab795c840837a8f0536f109f81a9 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 3 Nov 2020 09:25:48 +1300 Subject: [PATCH 036/686] selftest: add mit kdc specific known fail Add a MIT kerberos specific known fail, will be needed by subsequent commits. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 04248f5e868d38498bdc8f9705c9a60fcfe79c09) --- selftest/knownfail_mit_kdc | 0 selftest/wscript | 2 ++ 2 files changed, 2 insertions(+) create mode 100644 selftest/knownfail_mit_kdc diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc new file mode 100644 index 00000000000..e69de29bb2d diff --git a/selftest/wscript b/selftest/wscript index b7eec2c2605..80e0f1feabd 100644 --- a/selftest/wscript +++ b/selftest/wscript @@ -268,6 +268,8 @@ def cmd_testonly(opt): if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'): env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc" + env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\ + "knownfail_mit_kdc" if not CONFIG_GET(opt, 'HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X'): # older MIT krb5 libraries (< 1.14) don't have -- 2.35.0 From 84dc4b5a69268080d65a9e4997b302ed2e1cfdd4 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 27 Oct 2020 09:29:56 +1300 Subject: [PATCH 037/686] tests python krb5: Make PrincipalName_create a class method Make PrincipalName_create a class method, so it can be used in helper classes. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b14dca7c1c063e069517ff01b33c63a000d398c3) --- python/samba/tests/krb5/raw_testcase.py | 1 + 1 file changed, 1 insertion(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index f43ce9cbc3c..45e46e0b7ba 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -470,6 +470,7 @@ class RawKerberosTest(TestCase): } return Checksum_obj + @classmethod def PrincipalName_create(self, name_type, names): # PrincipalName ::= SEQUENCE { # name-type [0] Int32, -- 2.35.0 From b1119482bc2a198a9fd9fd66d9f7b9b9b85f26a9 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 27 Oct 2020 09:31:24 +1300 Subject: [PATCH 038/686] tests python krb5: Add canonicalize flag to ASN1 Add the canonicalize flag to KerberosFlags, so that it can be used in python based canonicalization tests. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 41c8aa4b991aad306d731b08d068c480eb5c7fed) --- python/samba/tests/krb5/rfc4120.asn1 | 8 ++++---- python/samba/tests/krb5/rfc4120_pyasn1.py | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 index 98ba887729d..58e0c1636a1 100644 --- a/python/samba/tests/krb5/rfc4120.asn1 +++ b/python/samba/tests/krb5/rfc4120.asn1 @@ -196,8 +196,8 @@ KDCOptions ::= KerberosFlags -- opt-hardware-auth(11), -- unused12(12), -- unused13(13), --- 15 is reserved for canonicalize - -- unused15(15), +-- Canonicalize is used in RFC 6806 + -- canonicalize(15), -- 26 was unused in 1510 -- disable-transited-check(26), -- @@ -489,8 +489,8 @@ KDCOptionsValues ::= BIT STRING { -- KerberosFlags opt-hardware-auth(11), unused12(12), unused13(13), --- 15 is reserved for canonicalize - unused15(15), +-- Canonicalize is used by RFC 6806 + canonicalize(15), -- 26 was unused in 1510 disable-transited-check(26), -- diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py index 05304a8a099..b4ea678afd8 100644 --- a/python/samba/tests/krb5/rfc4120_pyasn1.py +++ b/python/samba/tests/krb5/rfc4120_pyasn1.py @@ -1,5 +1,5 @@ # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 -# (last modified on 2020-05-06 17:51:00.323318) +# (last modified on 2020-11-03 14:07:15.270009) # KerberosV5Spec2 from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful @@ -610,7 +610,7 @@ KDCOptionsValues.namedValues = namedval.NamedValues( ('opt-hardware-auth', 11), ('unused12', 12), ('unused13', 13), - ('unused15', 15), + ('canonicalize', 15), ('disable-transited-check', 26), ('renewable-ok', 27), ('enc-tkt-in-skey', 28), -- 2.35.0 From bd4c44d5ee15cf8890066032df770975ab8a9715 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 27 Oct 2020 09:32:21 +1300 Subject: [PATCH 039/686] tests python krb5: Add python kerberos canonicalization tests Add python canonicalization tests, loosely based on the code in source4/torture/krb5/kdc-canon-heimdal.c. The long term goal is to move the integration level tests out of kdc-canon-heimdal, leaving it as a heimdal library unit test. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 005435dc4d7de9d442c7513edec8c782fe20fda3) --- .../tests/krb5/as_canonicalization_tests.py | 499 ++++++++++++++++++ python/samba/tests/usage.py | 1 + selftest/knownfail_mit_kdc | 144 +++++ source4/selftest/tests.py | 1 + 4 files changed, 645 insertions(+) create mode 100755 python/samba/tests/krb5/as_canonicalization_tests.py diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py new file mode 100755 index 00000000000..7b599ad6e44 --- /dev/null +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -0,0 +1,499 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# +# Copyright (C) Catalyst IT Ltd. 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os +from enum import Enum, unique +import pyasn1 + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +import samba +from samba.auth import system_session +from samba.credentials import ( + Credentials, + CLI_CRED_NTLMv2_AUTH, + CLI_CRED_NTLM_AUTH, + DONT_USE_KERBEROS) +from samba.dcerpc.misc import SEC_CHAN_WKSTA +from samba.dsdb import ( + UF_WORKSTATION_TRUST_ACCOUNT, + UF_PASSWD_NOTREQD, + UF_NORMAL_ACCOUNT) +from samba.samdb import SamDB +from samba.tests import delete_force, DynamicTestCase + +global_asn1_print = False +global_hexdump = False + + +@unique +class TestOptions(Enum): + Canonicalize = 1 + Enterprise = 2 + UpperRealm = 4 + UpperUserName = 8 + NetbiosRealm = 16 + UPN = 32 + RemoveDollar = 64 + Last = 128 + + def is_set(self, x): + return self.value & x + + +@unique +class CredentialsType(Enum): + User = 1 + Machine = 2 + + def is_set(self, x): + return self.value & x + + +class TestData: + + def __init__(self, options, creds): + self.options = options + self.user_creds = creds + self.user_name = self.get_username(options, creds) + self.realm = self.get_realm(options, creds) + self.cname = RawKerberosTest.PrincipalName_create( + name_type=1, names=[self.user_name]) + self.sname = RawKerberosTest.PrincipalName_create( + name_type=2, names=["krbtgt", self.realm]) + self.canonicalize = TestOptions.Canonicalize.is_set(options) + + def get_realm(self, options, creds): + realm = creds.get_realm() + if TestOptions.NetbiosRealm.is_set(options): + realm = creds.get_domain() + if TestOptions.UpperRealm.is_set(options): + realm = realm.upper() + else: + realm = realm.lower() + return realm + + def get_username(self, options, creds): + name = creds.get_username() + if TestOptions.RemoveDollar.is_set(options) and name.endswith("$"): + name = name[:-1] + if TestOptions.Enterprise.is_set(options): + realm = creds.get_realm() + name = "{0}@{1}".format(name, realm) + if TestOptions.UpperUserName.is_set(options): + name = name.upper() + return name + + def __repr__(self): + rep = "Test Data: " + rep += "options = '" + "{:08b}".format(self.options) + "'" + rep += "user name = '" + self.user_name + "'" + rep += ", realm = '" + self.realm + "'" + rep += ", cname = '" + str(self.cname) + "'" + rep += ", sname = '" + str(self.sname) + "'" + return rep + + +MACHINE_NAME = "tstkrb5cnnusr" +USER_NAME = "tstkrb5cnnmch" + +# Encryption types +AES256_CTS_HMAC_SHA1_96 = int( + krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96')) +AES128_CTS_HMAC_SHA1_96 = int( + krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96')) +ARCFOUR_HMAC_MD5 = int( + krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5')) + +# Message types +KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error')) +KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep')) + +# PAData types +PADATA_ENC_TIMESTAMP = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP')) +PADATA_ETYPE_INFO2 = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2')) + +# Error codes +KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 +KDC_ERR_PREAUTH_REQUIRED = 25 + +# Name types +NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) +NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) +NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) + + +@DynamicTestCase +class KerberosASCanonicalizationTests(RawKerberosTest): + + @classmethod + def setUpDynamicTestCases(cls): + + def skip(ct, options): + ''' Filter out any mutually exclusive test options ''' + if ct != CredentialsType.Machine and\ + TestOptions.RemoveDollar.is_set(options): + return True + return False + + def build_test_name(ct, options): + name = "%sCredentials" % ct.name + for opt in TestOptions: + if opt.is_set(options): + name += ("_%s" % opt.name) + return name + + for ct in CredentialsType: + for x in range(TestOptions.Last.value): + if skip(ct, x): + continue + name = build_test_name(ct, x) + cls.generate_dynamic_test("test", name, x, ct) + + @classmethod + def setUpClass(cls): + cls.lp = cls.get_loadparm(cls) + cls.username = os.environ["USERNAME"] + cls.password = os.environ["PASSWORD"] + cls.domain = os.environ["DOMAIN"] + cls.realm = os.environ["REALM"] + cls.host = os.environ["SERVER"] + + c = Credentials() + c.set_username(cls.username) + c.set_password(cls.password) + c.set_domain(cls.domain) + c.set_realm(cls.realm) + cls.credentials = c + + cls.session = system_session() + cls.ldb = SamDB(url="ldap://%s" % cls.host, + session_info=cls.session, + credentials=cls.credentials, + lp=cls.lp) + cls.create_machine_account() + cls.create_user_account() + + @classmethod + def tearDownClass(cls): + super(KerberosASCanonicalizationTests, cls).tearDownClass() + delete_force(cls.ldb, cls.machine_dn) + delete_force(cls.ldb, cls.user_dn) + + def setUp(self): + super(KerberosASCanonicalizationTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + # + # Create a test user account + @classmethod + def create_user_account(cls): + cls.user_pass = samba.generate_random_password(32, 32) + cls.user_name = USER_NAME + cls.user_dn = "cn=%s,%s" % (cls.user_name, cls.ldb.domain_dn()) + + # remove the account if it exists, this will happen if a previous test + # run failed + delete_force(cls.ldb, cls.user_dn) + + utf16pw = ('"%s"' % cls.user_pass).encode('utf-16-le') + cls.ldb.add({ + "dn": cls.user_dn, + "objectclass": "user", + "sAMAccountName": "%s" % cls.user_name, + "userAccountControl": str(UF_NORMAL_ACCOUNT), + "unicodePwd": utf16pw}) + + cls.user_creds = Credentials() + cls.user_creds.guess(cls.lp) + cls.user_creds.set_password(cls.user_pass) + cls.user_creds.set_username(cls.user_name) + cls.user_creds.set_workstation(cls.machine_name) + + # + # Create the machine account + @classmethod + def create_machine_account(cls): + cls.machine_pass = samba.generate_random_password(32, 32) + cls.machine_name = MACHINE_NAME + cls.machine_dn = "cn=%s,%s" % (cls.machine_name, cls.ldb.domain_dn()) + + # remove the account if it exists, this will happen if a previous test + # run failed + delete_force(cls.ldb, cls.machine_dn) + + utf16pw = ('"%s"' % cls.machine_pass).encode('utf-16-le') + cls.ldb.add({ + "dn": cls.machine_dn, + "objectclass": "computer", + "sAMAccountName": "%s$" % cls.machine_name, + "userAccountControl": + str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), + "unicodePwd": utf16pw}) + + cls.machine_creds = Credentials() + cls.machine_creds.guess(cls.lp) + cls.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA) + cls.machine_creds.set_kerberos_state(DONT_USE_KERBEROS) + cls.machine_creds.set_password(cls.machine_pass) + cls.machine_creds.set_username(cls.machine_name + "$") + cls.machine_creds.set_workstation(cls.machine_name) + + def _test_with_args(self, x, ct): + if ct == CredentialsType.User: + creds = self.user_creds + elif ct == CredentialsType.Machine: + creds = self.machine_creds + else: + raise Exception("Unexpected credential type") + data = TestData(x, creds) + + try: + (rep, as_rep) = self.as_req(data) + except pyasn1.error.PyAsn1Error as e: + import traceback + self.fail("ASN1 Error, Options {0:08b}:{1} {2}".format( + traceback.format_exc(), + data.options, + e)) + # If as_req triggered an expected server error response + # No need to test the response data. + if rep is not None: + # The kvno is optional, heimdal includes it + # MIT does not. + if 'kvno' in rep['enc-part']: + kvno = rep['enc-part']['kvno'] + self.check_kvno(kvno, data) + + cname = rep['cname'] + self.check_cname(cname, data) + + crealm = rep['crealm'].decode('ascii') + self.check_crealm(crealm, data) + + sname = as_rep['sname'] + self.check_sname(sname, data) + + srealm = as_rep['srealm'].decode('ascii') + self.check_srealm(srealm, data) + + def as_req(self, data): + user_creds = data.user_creds + realm = data.realm + + cname = data.cname + sname = data.sname + + till = self.get_KerberosTime(offset=36000) + + kdc_options = "0" + if data.canonicalize: + kdc_options = str(krb5_asn1.KDCOptions('canonicalize')) + + padata = None + + # Set the allowable encryption types + etypes = ( + AES256_CTS_HMAC_SHA1_96, + AES128_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5) + + req = self.AS_REQ_create(padata=padata, + kdc_options=kdc_options, + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + # + # Check the protocol version, should be 5 + self.assertEqual( + rep['pvno'], 5, "Data {0}".format(str(data))) + + self.assertEqual( + rep['msg-type'], KRB_ERROR, "Data {0}".format(str(data))) + + # We should get KDC_ERR_PREAUTH_REQUIRED + # unless the RemoveDollar and Enterprise options are set + # then we should get a KDC_ERR_C_PRINCIPAL_UNKNOWN + if TestOptions.RemoveDollar.is_set(data.options) and\ + TestOptions.Enterprise.is_set(data.options): + self.assertEqual( + rep['error-code'], + KDC_ERR_C_PRINCIPAL_UNKNOWN, + "Error code {0}, Data {1}".format(rep['error-code'], str(data))) + return (None, None) + + self.assertEqual( + rep['error-code'], + KDC_ERR_PREAUTH_REQUIRED, + "Error code {0}, Data {1}".format(rep['error-code'], str(data))) + + rep_padata = self.der_decode( + rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + + for pa in rep_padata: + if pa['padata-type'] == 19: + etype_info2 = pa['padata-value'] + break + + etype_info2 = self.der_decode( + etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + + key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) + + (patime, pausec) = self.get_KerberosTimeWithUsec() + pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + enc_pa_ts_usage = 1 + pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) + + pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) + + kdc_options = "0" + if data.canonicalize: + kdc_options = str(krb5_asn1.KDCOptions('canonicalize')) + padata = [pa_ts] + + req = self.AS_REQ_create(padata=padata, + kdc_options=kdc_options, + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + # + # Check the protocol version, should be 5 + self.assertEqual( + rep['pvno'], 5, "Data {0}".format(str(data))) + + msg_type = rep['msg-type'] + # Should not have got an error. + # If we did, fail and print the error code to help debugging + self.assertNotEqual( + msg_type, + KRB_ERROR, + "Error code {0}, Data {1}".format( + rep.get('error-code', ''), + str(data))) + + self.assertEqual(msg_type, KRB_AS_REP, "Data {0}".format(str(data))) + + # Decrypt and decode the EncKdcRepPart + enc = key.decrypt(3, rep['enc-part']['cipher']) + if enc[0] == 0x7A: + # MIT Kerberos Tags the EncASRepPart as a EncKDCRepPart + # i.e. tag number 26 instead of tag number 25 + as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncTGSRepPart()) + else: + as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncASRepPart()) + + return (rep, as_rep) + + def check_cname(self, cname, data): + nt = cname['name-type'] + self.assertEqual( + NT_PRINCIPAL, + nt, + "cname name-type, Options {0:08b}".format(data.options)) + + ns = cname['name-string'] + name = ns[0].decode('ascii') + + expected = data.user_name + if TestOptions.Canonicalize.is_set(data.options): + expected = data.user_creds.get_username() + self.assertEqual( + expected, + name, + "cname principal, Options {0:08b}".format(data.options)) + + def check_crealm(self, crealm, data): + realm = data.user_creds.get_realm() + self.assertEqual( + realm, crealm, "crealm, Options {0:08b}".format(data.options)) + + def check_sname(self, sname, data): + nt = sname['name-type'] + self.assertEqual( + NT_SRV_INST, + nt, + "sname name-type, Options {0:08b}".format(data.options)) + + ns = sname['name-string'] + name = ns[0].decode('ascii') + self.assertEqual( + 'krbtgt', + name, + "sname principal, Options {0:08b}".format(data.options)) + + realm = ns[1].decode('ascii') + expected = data.realm + if TestOptions.Canonicalize.is_set(data.options): + expected = data.user_creds.get_realm().upper() + self.assertEqual( + expected, + realm, + "sname realm, Options {0:08b}".format(data.options)) + + def check_srealm(self, srealm, data): + realm = data.user_creds.get_realm() + self.assertEqual( + realm, srealm, "srealm, Options {0:08b}".format(data.options)) + + def check_kvno(self, kvno, data): + self.assertEqual( + 1, kvno, "kvno, Options {0:08b}".format(data.options)) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 27cdb4c0cb3..dc86f4808ae 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -87,6 +87,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/simple_tests.py', 'python/samba/tests/krb5/s4u_tests.py', 'python/samba/tests/krb5/xrealm_tests.py', + 'python/samba/tests/krb5/as_canonicalization_tests.py', } diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index e69de29bb2d..96d3e51da5c 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -0,0 +1,144 @@ +# +# Currently MOST but not quite all the Canonicalization tests fail on the +# MIT KDC +# +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_UPN\( diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 91c25cfb978..d56226bf561 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1228,6 +1228,7 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]: '--option=torture:expect_machine_account=true'] + extra_options, "samba4.krb5.kdc with machine account") +planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests") for env in [ 'vampire_dc', -- 2.35.0 From 60f6914a3146d3fbacc221710bcca1db30c1768f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 11:09:13 +1300 Subject: [PATCH 040/686] selftest: Send enterprise principals tagged as such This test passed against Samba but failed against Windows when an enterprise principal (user@domain.com@REALM) was encoded as NT_PRINCIPAL. Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d7f731ed3577b407370d8fe7a62b4c3ee2dd9c75) --- .../tests/krb5/as_canonicalization_tests.py | 24 ++++++-- selftest/knownfail.d/kdc-enterprise | 57 +++++++++++++++++++ selftest/knownfail_mit_kdc | 8 +++ 3 files changed, 84 insertions(+), 5 deletions(-) create mode 100644 selftest/knownfail.d/kdc-enterprise diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 7b599ad6e44..3f8ed5c5a11 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -77,10 +77,16 @@ class TestData: self.user_creds = creds self.user_name = self.get_username(options, creds) self.realm = self.get_realm(options, creds) + + if TestOptions.Enterprise.is_set(options): + client_name_type = NT_ENTERPRISE_PRINCIPAL + else: + client_name_type = NT_PRINCIPAL + self.cname = RawKerberosTest.PrincipalName_create( - name_type=1, names=[self.user_name]) + name_type=client_name_type, names=[self.user_name]) self.sname = RawKerberosTest.PrincipalName_create( - name_type=2, names=["krbtgt", self.realm]) + name_type=NT_SRV_INST, names=["krbtgt", self.realm]) self.canonicalize = TestOptions.Canonicalize.is_set(options) def get_realm(self, options, creds): @@ -143,6 +149,7 @@ KDC_ERR_PREAUTH_REQUIRED = 25 NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) +NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-ENTERPRISE-PRINCIPAL')) @DynamicTestCase @@ -436,10 +443,17 @@ class KerberosASCanonicalizationTests(RawKerberosTest): return (rep, as_rep) def check_cname(self, cname, data): - nt = cname['name-type'] + if TestOptions.Canonicalize.is_set(data.options): + expected_name_type = NT_PRINCIPAL + elif TestOptions.Enterprise.is_set(data.options): + expected_name_type = NT_ENTERPRISE_PRINCIPAL + else: + expected_name_type = NT_PRINCIPAL + + name_type = cname['name-type'] self.assertEqual( - NT_PRINCIPAL, - nt, + expected_name_type, + name_type, "cname name-type, Options {0:08b}".format(data.options)) ns = cname['name-string'] diff --git a/selftest/knownfail.d/kdc-enterprise b/selftest/knownfail.d/kdc-enterprise new file mode 100644 index 00000000000..4e4f8a93e03 --- /dev/null +++ b/selftest/knownfail.d/kdc-enterprise @@ -0,0 +1,57 @@ +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_UPN\( + diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 96d3e51da5c..9bac4737591 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -142,3 +142,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm_UPN\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_UPN\( -- 2.35.0 From 3698512019c94a39dba7bda02dbaaa0d1f580b14 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 11:09:59 +1300 Subject: [PATCH 041/686] selftest: Fix flipped machine and user constants This naturally does not change the test, but reduces developer confusion. Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 579a3c641c72b65f6ba39141a55c765b517bd7f8) --- python/samba/tests/krb5/as_canonicalization_tests.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 3f8ed5c5a11..7cdf614482e 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -120,8 +120,8 @@ class TestData: return rep -MACHINE_NAME = "tstkrb5cnnusr" -USER_NAME = "tstkrb5cnnmch" +MACHINE_NAME = "tstkrb5cnnmch" +USER_NAME = "tstkrb5cnnusr" # Encryption types AES256_CTS_HMAC_SHA1_96 = int( -- 2.35.0 From 44a69bddec46f854aadc852f1c5b53558d8f406a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 11:12:13 +1300 Subject: [PATCH 042/686] selftest: Make as_canonicalization_tests.py easier to run outside "make test" This takes the realm from the LDAP base DN and so avoids one easy mistake to make. So far the NT4 domain name is not auto-detected, so much be read from the smb.conf. By using .guess() the smb.conf is read for the unspecified parts (eg workstation for an NTLM login to the LDAP server if the target server is an IP address). Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d85e71f449037fa035fa2fae6b64caf695c53cb3) --- python/samba/tests/krb5/as_canonicalization_tests.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 7cdf614482e..c0c3208d216 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -185,14 +185,20 @@ class KerberosASCanonicalizationTests(RawKerberosTest): cls.username = os.environ["USERNAME"] cls.password = os.environ["PASSWORD"] cls.domain = os.environ["DOMAIN"] - cls.realm = os.environ["REALM"] cls.host = os.environ["SERVER"] c = Credentials() c.set_username(cls.username) c.set_password(cls.password) c.set_domain(cls.domain) - c.set_realm(cls.realm) + try: + realm = os.environ["REALM"] + c.set_realm(realm) + except KeyError: + pass + + c.guess() + cls.credentials = c cls.session = system_session() @@ -236,6 +242,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): cls.user_creds = Credentials() cls.user_creds.guess(cls.lp) + cls.user_creds.set_realm(cls.ldb.domain_dns_name().upper()) cls.user_creds.set_password(cls.user_pass) cls.user_creds.set_username(cls.user_name) cls.user_creds.set_workstation(cls.machine_name) @@ -263,6 +270,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): cls.machine_creds = Credentials() cls.machine_creds.guess(cls.lp) + cls.machine_creds.set_realm(cls.ldb.domain_dns_name().upper()) cls.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA) cls.machine_creds.set_kerberos_state(DONT_USE_KERBEROS) cls.machine_creds.set_password(cls.machine_pass) -- 2.35.0 From 17124682d4db13bd11d29f31e5bc1e154c446b48 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 13:46:28 +1300 Subject: [PATCH 043/686] samdb: Add samdb.domain_netbios_name() Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 [abartlet@samba.org: Backported from commit d79218dbba3d0f26d6a0e22b3c91b0731bf641dd as this backport to Samba 4.13 does not include 07ce48088824bba2054e029edfa6fbae972c1921 (samba-tool: Create unix user with modified template homedir)] [jsutton@samba.org Backported to fix conflicts in selftests/tests.py and remove changes in python/samba/netcmd/user.py] --- python/samba/samdb.py | 15 +++++++++++++++ python/samba/tests/samdb.py | 13 ++++++++++--- selftest/tests.py | 1 + 3 files changed, 26 insertions(+), 3 deletions(-) diff --git a/python/samba/samdb.py b/python/samba/samdb.py index 308b5f96a7b..0d76d98783e 100644 --- a/python/samba/samdb.py +++ b/python/samba/samdb.py @@ -751,6 +751,21 @@ accountExpires: %u domain_dn = self.get_default_basedn() return domain_dn.canonical_str().split('/')[0] + def domain_netbios_name(self): + """return the NetBIOS name of the domain root""" + domain_dn = self.get_default_basedn() + dns_name = self.domain_dns_name() + filter = "(&(objectClass=crossRef)(nETBIOSName=*)(ncName=%s)(dnsroot=%s))" % (domain_dn, dns_name) + partitions_dn = self.get_partitions_dn() + res = self.search(partitions_dn, + scope=ldb.SCOPE_ONELEVEL, + expression=filter) + try: + netbios_domain = res[0]["nETBIOSName"][0].decode() + except IndexError: + return None + return netbios_domain + def forest_dns_name(self): """return the DNS name of the forest root""" forest_dn = self.get_root_basedn() diff --git a/python/samba/tests/samdb.py b/python/samba/tests/samdb.py index a185a1566e3..834c5a204a6 100644 --- a/python/samba/tests/samdb.py +++ b/python/samba/tests/samdb.py @@ -38,13 +38,13 @@ class SamDBTestCase(TestCaseInTempDir): super(SamDBTestCase, self).setUp() self.session = system_session() logger = logging.getLogger("selftest") - domain = "dsdb" - realm = "dsdb.samba.example.com" + self.domain = "dsdb" + self.realm = "dsdb.samba.example.com" host_name = "test" server_role = "active directory domain controller" self.result = provision(logger, self.session, targetdir=self.tempdir, - realm=realm, domain=domain, + realm=self.realm, domain=self.domain, hostname=host_name, use_ntvfs=True, serverrole=server_role, @@ -61,3 +61,10 @@ class SamDBTestCase(TestCaseInTempDir): shutil.rmtree(os.path.join(self.tempdir, d)) super(SamDBTestCase, self).tearDown() + + +class SamDBTests(SamDBTestCase): + + def test_get_domain(self): + self.assertEqual(self.samdb.domain_dns_name(), self.realm.lower()) + self.assertEqual(self.samdb.domain_netbios_name(), self.domain.upper()) diff --git a/selftest/tests.py b/selftest/tests.py index e7639c4da27..1748feeefb4 100644 --- a/selftest/tests.py +++ b/selftest/tests.py @@ -163,6 +163,7 @@ planpythontestsuite("none", "samba.tests.graph", py3_compatible=True) plantestsuite("wafsamba.duplicate_symbols", "none", [os.path.join(srcdir(), "buildtools/wafsamba/test_duplicate_symbol.sh")]) planpythontestsuite("none", "samba.tests.glue", py3_compatible=True) planpythontestsuite("none", "samba.tests.tdb_util", py3_compatible=True) +planpythontestsuite("none", "samba.tests.samdb", py3_compatible=True) planpythontestsuite("none", "samba.tests.samdb_api", py3_compatible=True) if with_pam: -- 2.35.0 From a02f0134aa14f12a8de49904f40cc6b24917b9e1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 13:47:30 +1300 Subject: [PATCH 044/686] selftest: Make as_canonicalization_tests.py auto-detect the NT4 domain name Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2693f12fbe321e0f4932b1f74d7006dbac140e8e) --- python/samba/tests/krb5/as_canonicalization_tests.py | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index c0c3208d216..221ff486fd8 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -184,18 +184,21 @@ class KerberosASCanonicalizationTests(RawKerberosTest): cls.lp = cls.get_loadparm(cls) cls.username = os.environ["USERNAME"] cls.password = os.environ["PASSWORD"] - cls.domain = os.environ["DOMAIN"] cls.host = os.environ["SERVER"] c = Credentials() c.set_username(cls.username) c.set_password(cls.password) - c.set_domain(cls.domain) try: realm = os.environ["REALM"] c.set_realm(realm) except KeyError: pass + try: + domain = os.environ["DOMAIN"] + c.set_domain(domain) + except KeyError: + pass c.guess() @@ -243,6 +246,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): cls.user_creds = Credentials() cls.user_creds.guess(cls.lp) cls.user_creds.set_realm(cls.ldb.domain_dns_name().upper()) + cls.user_creds.set_domain(cls.ldb.domain_netbios_name().upper()) cls.user_creds.set_password(cls.user_pass) cls.user_creds.set_username(cls.user_name) cls.user_creds.set_workstation(cls.machine_name) @@ -271,6 +275,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): cls.machine_creds = Credentials() cls.machine_creds.guess(cls.lp) cls.machine_creds.set_realm(cls.ldb.domain_dns_name().upper()) + cls.machine_creds.set_domain(cls.ldb.domain_netbios_name().upper()) cls.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA) cls.machine_creds.set_kerberos_state(DONT_USE_KERBEROS) cls.machine_creds.set_password(cls.machine_pass) -- 2.35.0 From 62248f37287caf877c8daa85212aa34afb115756 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 11:21:24 +1300 Subject: [PATCH 045/686] selftest: Fix formatting of failure (traceback and options swapped in format string) Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ab8c0a181bebe17a597af49790f6e7b17e13c29b) --- python/samba/tests/krb5/as_canonicalization_tests.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 221ff486fd8..f0e9f6307f6 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -296,8 +296,8 @@ class KerberosASCanonicalizationTests(RawKerberosTest): except pyasn1.error.PyAsn1Error as e: import traceback self.fail("ASN1 Error, Options {0:08b}:{1} {2}".format( - traceback.format_exc(), data.options, + traceback.format_exc(), e)) # If as_req triggered an expected server error response # No need to test the response data. -- 2.35.0 From fc51d9cd4ff25fba6d74b0b1da8f5e4ad22b47b6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 11:27:06 +1300 Subject: [PATCH 046/686] selftest: Add in encrypted-pa-data from RFC 6806 This comes from Windows 2019 which supports FAST. Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit fc77ece0e2b5fd324809e17a9b208cc7854cee4b) --- python/samba/tests/krb5/rfc4120.asn1 | 3 ++- python/samba/tests/krb5/rfc4120_pyasn1.py | 19 ++++++++++--------- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 index 58e0c1636a1..654f9788ca7 100644 --- a/python/samba/tests/krb5/rfc4120.asn1 +++ b/python/samba/tests/krb5/rfc4120.asn1 @@ -239,7 +239,8 @@ EncKDCRepPart ::= SEQUENCE { renew-till [8] KerberosTime OPTIONAL, srealm [9] Realm, sname [10] PrincipalName, - caddr [11] HostAddresses OPTIONAL + caddr [11] HostAddresses OPTIONAL, + encrypted-pa-data[12] METHOD-DATA OPTIONAL } LastReq ::= SEQUENCE OF SEQUENCE { diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py index b4ea678afd8..1d89f94adf1 100644 --- a/python/samba/tests/krb5/rfc4120_pyasn1.py +++ b/python/samba/tests/krb5/rfc4120_pyasn1.py @@ -1,5 +1,5 @@ # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 -# (last modified on 2020-11-03 14:07:15.270009) +# (last modified on 2020-11-06 11:30:42.476808) # KerberosV5Spec2 from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful @@ -438,6 +438,13 @@ LastReq.componentType = univ.Sequence(componentType=namedtype.NamedTypes( )) +class METHOD_DATA(univ.SequenceOf): + pass + + +METHOD_DATA.componentType = PA_DATA() + + class TicketFlags(KerberosFlags): pass @@ -458,7 +465,8 @@ EncKDCRepPart.componentType = namedtype.NamedTypes( namedtype.OptionalNamedType('renew-till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), namedtype.NamedType('srealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), namedtype.NamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 10))), - namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))) + namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))), + namedtype.OptionalNamedType('encrypted-pa-data', METHOD_DATA().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 12))) ) @@ -702,13 +710,6 @@ KRB_SAFE.componentType = namedtype.NamedTypes( ) -class METHOD_DATA(univ.SequenceOf): - pass - - -METHOD_DATA.componentType = PA_DATA() - - class MessageTypeValues(univ.Integer): pass -- 2.35.0 From 2b5bf4903566bb48b1f290c0e50bbfa2031a177c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 13:50:37 +1300 Subject: [PATCH 047/686] selftest: Windows 2019 implements the RemoveDollar behaviour for Enterprise principals This is documented in MS-KILE. Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Gary Lockyer Autobuild-Date(master): Wed Nov 11 02:38:46 UTC 2020 on sn-devel-184 (cherry picked from commit f214a3ba5a3e9f129f10062392ae03edd62d8186) --- .../tests/krb5/as_canonicalization_tests.py | 11 ---------- selftest/knownfail.d/kdc-enterprise | 20 ------------------- selftest/knownfail_mit_kdc | 20 +++++++++++++++++++ 3 files changed, 20 insertions(+), 31 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index f0e9f6307f6..caa186bed41 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -366,17 +366,6 @@ class KerberosASCanonicalizationTests(RawKerberosTest): self.assertEqual( rep['msg-type'], KRB_ERROR, "Data {0}".format(str(data))) - # We should get KDC_ERR_PREAUTH_REQUIRED - # unless the RemoveDollar and Enterprise options are set - # then we should get a KDC_ERR_C_PRINCIPAL_UNKNOWN - if TestOptions.RemoveDollar.is_set(data.options) and\ - TestOptions.Enterprise.is_set(data.options): - self.assertEqual( - rep['error-code'], - KDC_ERR_C_PRINCIPAL_UNKNOWN, - "Error code {0}, Data {1}".format(rep['error-code'], str(data))) - return (None, None) - self.assertEqual( rep['error-code'], KDC_ERR_PREAUTH_REQUIRED, diff --git a/selftest/knownfail.d/kdc-enterprise b/selftest/knownfail.d/kdc-enterprise index 4e4f8a93e03..d15d67c8af6 100644 --- a/selftest/knownfail.d/kdc-enterprise +++ b/selftest/knownfail.d/kdc-enterprise @@ -1,19 +1,3 @@ -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\( @@ -26,14 +10,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 9bac4737591..00edbc0c34d 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -150,3 +150,23 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UPN\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( -- 2.35.0 From 20a659bdcd56a614d9af60789e3f13557907c18d Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Wed, 4 Nov 2020 13:54:46 +1300 Subject: [PATCH 048/686] selftest: add heimdal kdc specific known fail Add a heimdal kerberos specific known fail, will be needed by subsequent commits. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 5cb5134377f099353e0f91c44cc11e45d548d40f) --- selftest/knownfail_heimdal_kdc | 0 selftest/wscript | 3 +++ 2 files changed, 3 insertions(+) create mode 100644 selftest/knownfail_heimdal_kdc diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc new file mode 100644 index 00000000000..e69de29bb2d diff --git a/selftest/wscript b/selftest/wscript index 80e0f1feabd..257dae04156 100644 --- a/selftest/wscript +++ b/selftest/wscript @@ -270,6 +270,9 @@ def cmd_testonly(opt): env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc" env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\ "knownfail_mit_kdc" + else: + env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\ + "knownfail_heimdal_kdc" if not CONFIG_GET(opt, 'HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X'): # older MIT krb5 libraries (< 1.14) don't have -- 2.35.0 From bde1c7591392ba07d46b0c2f37667e93466529a8 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Wed, 4 Nov 2020 13:58:24 +1300 Subject: [PATCH 049/686] tests python krb5: Add python kerberos compatability tests Add new python test to document the differences between the MIT and Heimdal Kerberos implementations. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1e1d8b9c83f32c06ecab31214a20b77529ee038e) --- .../samba/tests/krb5/compatability_tests.py | 174 ++++++++++++++++++ python/samba/tests/usage.py | 1 + selftest/knownfail_heimdal_kdc | 4 + selftest/knownfail_mit_kdc | 4 + source4/selftest/tests.py | 1 + 5 files changed, 184 insertions(+) create mode 100755 python/samba/tests/krb5/compatability_tests.py diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py new file mode 100755 index 00000000000..63bd5269c2b --- /dev/null +++ b/python/samba/tests/krb5/compatability_tests.py @@ -0,0 +1,174 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) Catalyst.Net Ltd 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 + +global_asn1_print = False +global_hexdump = False + + +class SimpleKerberosTests(RawKerberosTest): + + def setUp(self): + super(SimpleKerberosTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def test_mit_EncASRepPart_tag(self): + creds = self.get_user_creds() + (enc, _) = self.as_req(creds) + self.assertEqual(0x7a, enc[0]) + + def test_heimdal_EncASRepPart_tag(self): + creds = self.get_user_creds() + (enc, _) = self.as_req(creds) + self.assertEqual(0x79, enc[0]) + + def test_mit_EncryptedData_kvno(self): + creds = self.get_user_creds() + (_, enc) = self.as_req(creds) + if 'kvno' in enc: + self.fail("kvno present in EncryptedData") + + def test_heimdal_EncryptedData_kvno(self): + creds = self.get_user_creds() + (_, enc) = self.as_req(creds) + if 'kvno' not in enc: + self.fail("kvno absent in EncryptedData") + + def test_mit_EncASRepPart_FAST_support(self): + creds = self.get_user_creds() + (enc, _) = self.as_req(creds) + self.assertEqual(0x7A, enc[0]) + as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncTGSRepPart()) + flags = int(as_rep['flags'], base=2) + # MIT sets enc-pa-rep, flag bit 15 + # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests + self.assertTrue(0x00010000 & flags) + + def test_heimdal_EncASRepPart_FAST_support(self): + creds = self.get_user_creds() + (enc, _) = self.as_req(creds) + self.assertEqual(0x79, enc[0]) + as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncASRepPart()) + flags = as_rep['flags'] + flags = int(as_rep['flags'], base=2) + # Heimdal does not set enc-pa-rep, flag bit 15 + # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests + self.assertFalse(0x00010000 & flags) + + def as_req(self, creds): + user = creds.get_username() + realm = creds.get_realm() + + cname = self.PrincipalName_create(name_type=1, names=[user]) + sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) + + till = self.get_KerberosTime(offset=36000) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = None + + etypes = (18, 17, 23) + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + self.assertEqual(rep['msg-type'], 30) + self.assertEqual(rep['error-code'], 25) + rep_padata = self.der_decode( + rep['e-data'], + asn1Spec=krb5_asn1.METHOD_DATA()) + + for pa in rep_padata: + if pa['padata-type'] == 19: + etype_info2 = pa['padata-value'] + break + + etype_info2 = self.der_decode( + etype_info2, + asn1Spec=krb5_asn1.ETYPE_INFO2()) + + key = self.PasswordKey_from_etype_info2(creds, etype_info2[0]) + + (patime, pausec) = self.get_KerberosTimeWithUsec() + pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + enc_pa_ts_usage = 1 + pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) + + pa_ts = self.PA_DATA_create(2, pa_ts) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = [pa_ts] + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + self.assertEqual(msg_type, 11) + + usage = 3 + enc_part = rep['enc-part'] + enc_as_rep_part = key.decrypt(usage, rep['enc-part']['cipher']) + return (enc_as_rep_part, enc_part) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index dc86f4808ae..cf1314ac9c6 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -88,6 +88,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/s4u_tests.py', 'python/samba/tests/krb5/xrealm_tests.py', 'python/samba/tests/krb5/as_canonicalization_tests.py', + 'python/samba/tests/krb5/compatability_tests.py', } diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index e69de29bb2d..7ab56b6721b 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -0,0 +1,4 @@ +# +# We expect all the MIT specific compatability tests to fail on heimdal +# kerberos +^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_ diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 00edbc0c34d..9953d51f21d 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -1,4 +1,8 @@ # +# We expect all the heimdal specific compatability tests to fail on MIT +# kerberos +^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_heimdal_ +# # Currently MOST but not quite all the Canonicalization tests fail on the # MIT KDC # diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index d56226bf561..c37b9050c2b 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1229,6 +1229,7 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]: "samba4.krb5.kdc with machine account") planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests") +planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests") for env in [ 'vampire_dc', -- 2.35.0 From 35462395fe6919610e960527584948b5b5ba9a38 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 10 Nov 2020 11:19:02 +1300 Subject: [PATCH 050/686] tests python krb5: Add constants module Extract the constants used in the tests into a separate module. To reduce code duplication Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 532c941fbb8fc5fc5da4aa2d0e170229076e9aa7) --- python/samba/tests/krb5/rfc4120_constants.py | 49 ++++++++++++++++++++ python/samba/tests/usage.py | 1 + 2 files changed, 50 insertions(+) create mode 100644 python/samba/tests/krb5/rfc4120_constants.py diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py new file mode 100644 index 00000000000..e939bb75e82 --- /dev/null +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -0,0 +1,49 @@ +# Unix SMB/CIFS implementation. +# Copyright (C) 2020 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 + +# Encryption types +AES256_CTS_HMAC_SHA1_96 = int( + krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96')) +AES128_CTS_HMAC_SHA1_96 = int( + krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96')) +ARCFOUR_HMAC_MD5 = int( + krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5')) + +# Message types +KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error')) +KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep')) + +# PAData types +PADATA_ENC_TIMESTAMP = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP')) +PADATA_ETYPE_INFO2 = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2')) + +# Error codes +KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 +KDC_ERR_PREAUTH_FAILED = 24 +KDC_ERR_PREAUTH_REQUIRED = 25 +KDC_ERR_SKEW = 37 + +# Name types +NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) +NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) +NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) +NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues( + 'kRB5-NT-ENTERPRISE-PRINCIPAL')) diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index cf1314ac9c6..a642940570d 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -89,6 +89,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/xrealm_tests.py', 'python/samba/tests/krb5/as_canonicalization_tests.py', 'python/samba/tests/krb5/compatability_tests.py', + 'python/samba/tests/krb5/rfc4120_constants.py', } -- 2.35.0 From fb5c1f7c05748d670f5322c51bccff83dece258d Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 10 Nov 2020 11:20:03 +1300 Subject: [PATCH 051/686] tests python krb5: Refactor canonicalization test constants Modify tests to use the constants defined in rfc4120_constants.py Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 97b830cbcac53fcf49bbcd272812d1ba019bac51) --- .../tests/krb5/as_canonicalization_tests.py | 30 +------------------ 1 file changed, 1 insertion(+), 29 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index caa186bed41..303788b672e 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -41,6 +41,7 @@ from samba.dsdb import ( UF_NORMAL_ACCOUNT) from samba.samdb import SamDB from samba.tests import delete_force, DynamicTestCase +from samba.tests.krb5.rfc4120_constants import * global_asn1_print = False global_hexdump = False @@ -123,35 +124,6 @@ class TestData: MACHINE_NAME = "tstkrb5cnnmch" USER_NAME = "tstkrb5cnnusr" -# Encryption types -AES256_CTS_HMAC_SHA1_96 = int( - krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96')) -AES128_CTS_HMAC_SHA1_96 = int( - krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96')) -ARCFOUR_HMAC_MD5 = int( - krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5')) - -# Message types -KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error')) -KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep')) - -# PAData types -PADATA_ENC_TIMESTAMP = int( - krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP')) -PADATA_ETYPE_INFO2 = int( - krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2')) - -# Error codes -KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 -KDC_ERR_PREAUTH_REQUIRED = 25 - -# Name types -NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) -NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) -NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) -NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-ENTERPRISE-PRINCIPAL')) - - @DynamicTestCase class KerberosASCanonicalizationTests(RawKerberosTest): -- 2.35.0 From ba60153d55c8610db6fd702518162400a9ea6d3a Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 10 Nov 2020 11:20:58 +1300 Subject: [PATCH 052/686] tests python krb5: Refactor compatability test constants Modify tests to use the constants defined in rfc4120_constants.py Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 82a413f48b7ef71feb68fc34f7ca753d45eb8974) --- .../samba/tests/krb5/compatability_tests.py | 42 ++++++++++++------- 1 file changed, 28 insertions(+), 14 deletions(-) diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py index 63bd5269c2b..bf561346ab3 100755 --- a/python/samba/tests/krb5/compatability_tests.py +++ b/python/samba/tests/krb5/compatability_tests.py @@ -25,10 +25,17 @@ os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests.krb5.raw_testcase import RawKerberosTest import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +from samba.tests.krb5.rfc4120_constants import * global_asn1_print = False global_hexdump = False +HIEMDAL_ENC_AS_REP_PART_TYPE_TAG = 0x79 +# MIT uses the EncTGSRepPart tag for the EncASRepPart +MIT_ENC_AS_REP_PART_TYPE_TAG = 0x7A + +ENC_PA_REP_FLAG = 0x00010000 + class SimpleKerberosTests(RawKerberosTest): @@ -40,12 +47,12 @@ class SimpleKerberosTests(RawKerberosTest): def test_mit_EncASRepPart_tag(self): creds = self.get_user_creds() (enc, _) = self.as_req(creds) - self.assertEqual(0x7a, enc[0]) + self.assertEqual(MIT_ENC_AS_REP_PART_TYPE_TAG, enc[0]) def test_heimdal_EncASRepPart_tag(self): creds = self.get_user_creds() (enc, _) = self.as_req(creds) - self.assertEqual(0x79, enc[0]) + self.assertEqual(HIEMDAL_ENC_AS_REP_PART_TYPE_TAG, enc[0]) def test_mit_EncryptedData_kvno(self): creds = self.get_user_creds() @@ -62,37 +69,44 @@ class SimpleKerberosTests(RawKerberosTest): def test_mit_EncASRepPart_FAST_support(self): creds = self.get_user_creds() (enc, _) = self.as_req(creds) - self.assertEqual(0x7A, enc[0]) + self.assertEqual(MIT_ENC_AS_REP_PART_TYPE_TAG, enc[0]) as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncTGSRepPart()) flags = int(as_rep['flags'], base=2) # MIT sets enc-pa-rep, flag bit 15 # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests - self.assertTrue(0x00010000 & flags) + self.assertTrue(ENC_PA_REP_FLAG & flags) def test_heimdal_EncASRepPart_FAST_support(self): creds = self.get_user_creds() (enc, _) = self.as_req(creds) - self.assertEqual(0x79, enc[0]) + self.assertEqual(HIEMDAL_ENC_AS_REP_PART_TYPE_TAG, enc[0]) as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncASRepPart()) flags = as_rep['flags'] flags = int(as_rep['flags'], base=2) # Heimdal does not set enc-pa-rep, flag bit 15 # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests - self.assertFalse(0x00010000 & flags) + self.assertFalse(ENC_PA_REP_FLAG & flags) def as_req(self, creds): user = creds.get_username() realm = creds.get_realm() - cname = self.PrincipalName_create(name_type=1, names=[user]) - sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, + names=["krbtgt", realm]) till = self.get_KerberosTime(offset=36000) kdc_options = krb5_asn1.KDCOptions('forwardable') padata = None - etypes = (18, 17, 23) + etypes = ( + AES256_CTS_HMAC_SHA1_96, + AES128_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5) req = self.AS_REQ_create(padata=padata, kdc_options=str(kdc_options), @@ -111,14 +125,14 @@ class SimpleKerberosTests(RawKerberosTest): rep = self.send_recv_transaction(req) self.assertIsNotNone(rep) - self.assertEqual(rep['msg-type'], 30) - self.assertEqual(rep['error-code'], 25) + self.assertEqual(rep['msg-type'], KRB_ERROR) + self.assertEqual(rep['error-code'], KDC_ERR_PREAUTH_REQUIRED) rep_padata = self.der_decode( rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) for pa in rep_padata: - if pa['padata-type'] == 19: + if pa['padata-type'] == PADATA_ETYPE_INFO2: etype_info2 = pa['padata-value'] break @@ -136,7 +150,7 @@ class SimpleKerberosTests(RawKerberosTest): pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) - pa_ts = self.PA_DATA_create(2, pa_ts) + pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) kdc_options = krb5_asn1.KDCOptions('forwardable') padata = [pa_ts] @@ -159,7 +173,7 @@ class SimpleKerberosTests(RawKerberosTest): self.assertIsNotNone(rep) msg_type = rep['msg-type'] - self.assertEqual(msg_type, 11) + self.assertEqual(msg_type, KRB_AS_REP) usage = 3 enc_part = rep['enc-part'] -- 2.35.0 From 63158d3a5efc1a5053fc8eec9e9652d82e80600d Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 10 Nov 2020 13:51:39 +1300 Subject: [PATCH 053/686] tests python krb5: raw_testcase permit RC4 salts MIT kerberos returns a salt when ARCFOUR_HMAC_MD5, this commit removes the check that a salt is not returned. A test for the difference between MIT and Heimdal will be added in the subsequent commits. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1bab87c50baf0fecb5d4cd09e1a9896730c6377e) --- python/samba/tests/krb5/raw_testcase.py | 1 - 1 file changed, 1 deletion(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 45e46e0b7ba..e67f5464e59 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -425,7 +425,6 @@ class RawKerberosTest(TestCase): pass if e == kcrypto.Enctype.RC4: - self.assertIsNone(salt) nthash = creds.get_nt_hash() return self.SessionKey_create(etype=e, contents=nthash, kvno=kvno) -- 2.35.0 From ae8fceda57d450aad3a4769e9e426a28d47e76a5 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Fri, 6 Nov 2020 09:07:04 +1300 Subject: [PATCH 054/686] tests python krb5: Convert kdc-heimdal to python Implement the tests in source4/torture/krb5/kdc-heimdal.c in python. The following tests were not re-implemented as they are client side tests for the "Orpheus Lyre" attack: TORTURE_KRB5_TEST_CHANGE_SERVER_OUT TORTURE_KRB5_TEST_CHANGE_SERVER_IN TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit a00a1c9745033dae05eee17cfa4e2c5354a81e68) --- python/samba/tests/krb5/kdc_tests.py | 219 +++++++++++++++++++++++++++ python/samba/tests/usage.py | 1 + source4/selftest/tests.py | 1 + 3 files changed, 221 insertions(+) create mode 100755 python/samba/tests/krb5/kdc_tests.py diff --git a/python/samba/tests/krb5/kdc_tests.py b/python/samba/tests/krb5/kdc_tests.py new file mode 100755 index 00000000000..57a25448965 --- /dev/null +++ b/python/samba/tests/krb5/kdc_tests.py @@ -0,0 +1,219 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2020 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +from samba.tests.krb5.rfc4120_constants import * + +global_asn1_print = False +global_hexdump = False + + +class KdcTests(RawKerberosTest): + """ Port of the tests in source4/torture/krb5/kdc-heimdal.c + To python. + """ + + def setUp(self): + super(KdcTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def as_req(self, creds, etypes, padata=None): + user = creds.get_username() + realm = creds.get_realm() + + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, + names=["krbtgt", realm]) + till = self.get_KerberosTime(offset=36000) + + kdc_options = 0 + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + return rep + + def get_pa_data(self, creds, rep, skew=0): + rep_padata = self.der_decode( + rep['e-data'], + asn1Spec=krb5_asn1.METHOD_DATA()) + + for pa in rep_padata: + if pa['padata-type'] == PADATA_ETYPE_INFO2: + etype_info2 = pa['padata-value'] + break + + etype_info2 = self.der_decode( + etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + + key = self.PasswordKey_from_etype_info2(creds, etype_info2[0]) + + (patime, pausec) = self.get_KerberosTimeWithUsec(offset=skew) + pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + enc_pa_ts_usage = 1 + pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) + + pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) + + padata = [pa_ts] + return padata + + def check_pre_authenication(self, rep): + """ Check that the kdc response was pre-authentication required + """ + self.check_error_rep(rep, KDC_ERR_PREAUTH_REQUIRED) + + def check_as_reply(self, rep): + """ Check that the kdc response is an AS-REP and that the + values for: + msg-type + pvno + tkt-pvno + kvno + match the expected values + """ + + # Should have a reply, and it should an AS-REP message. + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], KRB_AS_REP) + + # Protocol version number should be 5 + pvno = int(rep['pvno']) + self.assertEqual(5, pvno) + + # The ticket version number should be 5 + tkt_vno = int(rep['ticket']['tkt-vno']) + self.assertEqual(5, tkt_vno) + + # Check that the kvno is not an RODC kvno + # MIT kerberos does not provide the kvno, so we treat it as optional. + # This is tested in compatability_test.py + if 'kvno' in rep['enc-part']: + kvno = int(rep['enc-part']['kvno']) + # If the high order bits are set this is an RODC kvno. + self.assertEqual(0, kvno & 0xFFFF0000) + + def check_error_rep(self, rep, expected): + """ Check that the reply is an error message, with the expected + error-code specified. + """ + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], KRB_ERROR) + self.assertEqual(rep['error-code'], expected) + + def test_aes256_cts_hmac_sha1_96(self): + creds = self.get_user_creds() + etype = (AES256_CTS_HMAC_SHA1_96,) + + rep = self.as_req(creds, etype) + self.check_pre_authenication(rep) + + padata = self.get_pa_data(creds, rep) + rep = self.as_req(creds, etype, padata=padata) + self.check_as_reply(rep) + + etype = rep['enc-part']['etype'] + self.assertEquals(AES256_CTS_HMAC_SHA1_96, etype) + + def test_arc4_hmac_md5(self): + creds = self.get_user_creds() + etype = (ARCFOUR_HMAC_MD5,) + + rep = self.as_req(creds, etype) + self.check_pre_authenication(rep) + + padata = self.get_pa_data(creds, rep) + rep = self.as_req(creds, etype, padata=padata) + self.check_as_reply(rep) + + etype = rep['enc-part']['etype'] + self.assertEquals(ARCFOUR_HMAC_MD5, etype) + + def test_aes_rc4(self): + creds = self.get_user_creds() + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + + rep = self.as_req(creds, etype) + self.check_pre_authenication(rep) + + padata = self.get_pa_data(creds, rep) + rep = self.as_req(creds, etype, padata=padata) + self.check_as_reply(rep) + + etype = rep['enc-part']['etype'] + self.assertEquals(AES256_CTS_HMAC_SHA1_96, etype) + + def test_clock_skew(self): + creds = self.get_user_creds() + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + + rep = self.as_req(creds, etype) + self.check_pre_authenication(rep) + + padata = self.get_pa_data(creds, rep, skew=3600) + rep = self.as_req(creds, etype, padata=padata) + + self.check_error_rep(rep, KDC_ERR_SKEW) + + def test_invalid_password(self): + creds = self.insta_creds(template=self.get_user_creds()) + creds.set_password("Not the correct password") + + etype = (AES256_CTS_HMAC_SHA1_96,) + + rep = self.as_req(creds, etype) + self.check_pre_authenication(rep) + + padata = self.get_pa_data(creds, rep) + rep = self.as_req(creds, etype, padata=padata) + + self.check_error_rep(rep, KDC_ERR_PREAUTH_FAILED) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index a642940570d..11cd405deea 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -90,6 +90,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/as_canonicalization_tests.py', 'python/samba/tests/krb5/compatability_tests.py', 'python/samba/tests/krb5/rfc4120_constants.py', + 'python/samba/tests/krb5/kdc_tests.py', } diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index c37b9050c2b..f2cdae9342c 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1230,6 +1230,7 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]: planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests") planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests") +planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests") for env in [ 'vampire_dc', -- 2.35.0 From a3a08241a7afcfd75533793b7890476f8524d31e Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 10 Nov 2020 16:56:46 +1300 Subject: [PATCH 055/686] tests python krb5: refactor compatability tests Refactor to aid the adding of tests for the inclusion of a salt when ARCFOUR_HMAC_MD5 encryption selected Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d492355f293e2da400318665035b056dfaba852c) --- .../samba/tests/krb5/compatability_tests.py | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py index bf561346ab3..5990d2ce8df 100755 --- a/python/samba/tests/krb5/compatability_tests.py +++ b/python/samba/tests/krb5/compatability_tests.py @@ -87,7 +87,7 @@ class SimpleKerberosTests(RawKerberosTest): # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests self.assertFalse(ENC_PA_REP_FLAG & flags) - def as_req(self, creds): + def as_pre_auth_req(self, creds, etypes): user = creds.get_username() realm = creds.get_realm() @@ -103,10 +103,6 @@ class SimpleKerberosTests(RawKerberosTest): kdc_options = krb5_asn1.KDCOptions('forwardable') padata = None - etypes = ( - AES256_CTS_HMAC_SHA1_96, - AES128_CTS_HMAC_SHA1_96, - ARCFOUR_HMAC_MD5) req = self.AS_REQ_create(padata=padata, kdc_options=str(kdc_options), @@ -123,10 +119,16 @@ class SimpleKerberosTests(RawKerberosTest): EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) - self.assertIsNotNone(rep) + return (rep, cname, sname, realm, till) + + def check_preauth_rep(self, rep): + self.assertIsNotNone(rep) self.assertEqual(rep['msg-type'], KRB_ERROR) self.assertEqual(rep['error-code'], KDC_ERR_PREAUTH_REQUIRED) + + def get_etype_info2(self, rep): + rep_padata = self.der_decode( rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) @@ -139,7 +141,17 @@ class SimpleKerberosTests(RawKerberosTest): etype_info2 = self.der_decode( etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + return etype_info2 + def as_req(self, creds): + etypes = ( + AES256_CTS_HMAC_SHA1_96, + AES128_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5) + (rep, cname, sname, realm, till) = self.as_pre_auth_req(creds, etypes) + self.check_preauth_rep(rep) + + etype_info2 = self.get_etype_info2(rep) key = self.PasswordKey_from_etype_info2(creds, etype_info2[0]) (patime, pausec) = self.get_KerberosTimeWithUsec() -- 2.35.0 From 593b9cb6f1fed3e864c26dca6a33a38a074ddb2a Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 10 Nov 2020 16:57:11 +1300 Subject: [PATCH 056/686] tests python krb5: add arcfour salt tests MIT kerberos returns a salt when ARCFOUR_HMAC_MD5 encryption selected, Heimdal does not. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Nov 12 22:54:22 UTC 2020 on sn-devel-184 (cherry picked from commit 2ba6d596ff0a3580eca9285fd83569bcb147ce77) --- .../samba/tests/krb5/compatability_tests.py | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py index 5990d2ce8df..e4b1453e712 100755 --- a/python/samba/tests/krb5/compatability_tests.py +++ b/python/samba/tests/krb5/compatability_tests.py @@ -87,6 +87,26 @@ class SimpleKerberosTests(RawKerberosTest): # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests self.assertFalse(ENC_PA_REP_FLAG & flags) + def test_mit_arcfour_salt(self): + creds = self.get_user_creds() + etypes = (ARCFOUR_HMAC_MD5,) + (rep, *_) = self.as_pre_auth_req(creds, etypes) + self.check_preauth_rep(rep) + etype_info2 = self.get_etype_info2(rep) + if 'salt' not in etype_info2[0]: + self.fail( + "(MIT) Salt not populated for ARCFOUR_HMAC_MD5 encryption") + + def test_heimdal_arcfour_salt(self): + creds = self.get_user_creds() + etypes = (ARCFOUR_HMAC_MD5,) + (rep, *_) = self.as_pre_auth_req(creds, etypes) + self.check_preauth_rep(rep) + etype_info2 = self.get_etype_info2(rep) + if 'salt' in etype_info2[0]: + self.fail( + "(Heimdal) Salt populated for ARCFOUR_HMAC_MD5 encryption") + def as_pre_auth_req(self, creds, etypes): user = creds.get_username() realm = creds.get_realm() -- 2.35.0 From 4b75d5670e62633b4281b734c63f3da550c78319 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Wed, 18 Nov 2020 14:49:28 +1300 Subject: [PATCH 057/686] tests python krb5: Extra canonicalization tests Add tests that set the server name to the client name for the machine account in the kerberos AS_REQ. This replicates the TEST_AS_REQ_SELF test phase in source4/torture/krb5/kdc-canon-heimdal.c. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Nov 30 05:21:42 UTC 2020 on sn-devel-184 (cherry picked from commit 7f7e2b0e1e17321d800de787098bb2b2c8259ecd) --- .../tests/krb5/as_canonicalization_tests.py | 74 +++++++++----- selftest/knownfail.d/kdc-enterprise | 26 +++++ selftest/knownfail_mit_kdc | 96 +++++++++++++++++++ 3 files changed, 172 insertions(+), 24 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 303788b672e..6ea3ff0491e 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -56,7 +56,8 @@ class TestOptions(Enum): NetbiosRealm = 16 UPN = 32 RemoveDollar = 64 - Last = 128 + AsReqSelf = 128 + Last = 256 def is_set(self, x): return self.value & x @@ -76,8 +77,8 @@ class TestData: def __init__(self, options, creds): self.options = options self.user_creds = creds - self.user_name = self.get_username(options, creds) - self.realm = self.get_realm(options, creds) + self.user_name = self._get_username(options, creds) + self.realm = self._get_realm(options, creds) if TestOptions.Enterprise.is_set(options): client_name_type = NT_ENTERPRISE_PRINCIPAL @@ -86,11 +87,14 @@ class TestData: self.cname = RawKerberosTest.PrincipalName_create( name_type=client_name_type, names=[self.user_name]) - self.sname = RawKerberosTest.PrincipalName_create( - name_type=NT_SRV_INST, names=["krbtgt", self.realm]) + if TestOptions.AsReqSelf.is_set(options): + self.sname = self.cname + else: + self.sname = RawKerberosTest.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", self.realm]) self.canonicalize = TestOptions.Canonicalize.is_set(options) - def get_realm(self, options, creds): + def _get_realm(self, options, creds): realm = creds.get_realm() if TestOptions.NetbiosRealm.is_set(options): realm = creds.get_domain() @@ -100,7 +104,7 @@ class TestData: realm = realm.lower() return realm - def get_username(self, options, creds): + def _get_username(self, options, creds): name = creds.get_username() if TestOptions.RemoveDollar.is_set(options) and name.endswith("$"): name = name[:-1] @@ -135,6 +139,9 @@ class KerberosASCanonicalizationTests(RawKerberosTest): if ct != CredentialsType.Machine and\ TestOptions.RemoveDollar.is_set(options): return True + if ct != CredentialsType.Machine and\ + TestOptions.AsReqSelf.is_set(options): + return True return False def build_test_name(ct, options): @@ -448,26 +455,45 @@ class KerberosASCanonicalizationTests(RawKerberosTest): def check_sname(self, sname, data): nt = sname['name-type'] - self.assertEqual( - NT_SRV_INST, - nt, - "sname name-type, Options {0:08b}".format(data.options)) - ns = sname['name-string'] name = ns[0].decode('ascii') - self.assertEqual( - 'krbtgt', - name, - "sname principal, Options {0:08b}".format(data.options)) - realm = ns[1].decode('ascii') - expected = data.realm - if TestOptions.Canonicalize.is_set(data.options): - expected = data.user_creds.get_realm().upper() - self.assertEqual( - expected, - realm, - "sname realm, Options {0:08b}".format(data.options)) + if TestOptions.AsReqSelf.is_set(data.options): + expected_name_type = NT_PRINCIPAL + if not TestOptions.Canonicalize.is_set(data.options)\ + and TestOptions.Enterprise.is_set(data.options): + + expected_name_type = NT_ENTERPRISE_PRINCIPAL + + self.assertEqual( + expected_name_type, + nt, + "sname name-type, Options {0:08b}".format(data.options)) + expected = data.user_name + if TestOptions.Canonicalize.is_set(data.options): + expected = data.user_creds.get_username() + self.assertEqual( + expected, + name, + "sname principal, Options {0:08b}".format(data.options)) + else: + self.assertEqual( + NT_SRV_INST, + nt, + "sname name-type, Options {0:08b}".format(data.options)) + self.assertEqual( + 'krbtgt', + name, + "sname principal, Options {0:08b}".format(data.options)) + + realm = ns[1].decode('ascii') + expected = data.realm + if TestOptions.Canonicalize.is_set(data.options): + expected = data.user_creds.get_realm().upper() + self.assertEqual( + expected, + realm, + "sname realm, Options {0:08b}".format(data.options)) def check_srealm(self, srealm, data): realm = data.user_creds.get_realm() diff --git a/selftest/knownfail.d/kdc-enterprise b/selftest/knownfail.d/kdc-enterprise index d15d67c8af6..c9b6c98a2ee 100644 --- a/selftest/knownfail.d/kdc-enterprise +++ b/selftest/knownfail.d/kdc-enterprise @@ -35,3 +35,29 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_UPN\( + + +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar_AsReqSelf\( diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 9953d51f21d..f1a4971430e 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -174,3 +174,99 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(ad_dc +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_RemoveDollar_AsReqSelf\( -- 2.35.0 From 83faef522536e0649f2e7be008de3b2d5e407db4 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Thu, 10 Dec 2020 10:15:28 +1300 Subject: [PATCH 058/686] tests python krb5: Add Authorization data ad-type constants Add constants for the Authorization Data Type values. RFC 4120 7.5.4. Authorization Data Types Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d74c9dcf3aaa613abfac49288f427484468bf6e1) --- python/samba/tests/krb5/rfc4120_constants.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index e939bb75e82..e1d0c5baa68 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -47,3 +47,17 @@ NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues( 'kRB5-NT-ENTERPRISE-PRINCIPAL')) + +# Authorization data ad-type values + +AD_IF_RELEVANT = 1 +AD_INTENDED_FOR_SERVER = 2 +AD_INTENDED_FOR_APPLICATION_CLASS = 3 +AD_KDC_ISSUED = 4 +AD_AND_OR = 5 +AD_MANDATORY_TICKET_EXTENSIONS = 6 +AD_IN_TICKET_EXTENSIONS = 7 +AD_MANDATORY_FOR_KDC = 8 +AD_INITIAL_VERIFIED_CAS = 9 +AD_WIN2K_PAC = 128 +AD_SIGNTICKET = 512 -- 2.35.0 From 1ad8d349199d7ab5898719901dcf4cae20b51d87 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Mon, 30 Nov 2020 14:16:28 +1300 Subject: [PATCH 059/686] tests python krb5: add test base class Add a base class for the KDC tests to reduce the amount of code duplication in the tests. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 0f232ed42fb2671d025643cafb19891373562e4a) --- python/samba/tests/krb5/kdc_base_test.py | 419 +++++++++++++++++++++++ 1 file changed, 419 insertions(+) create mode 100755 python/samba/tests/krb5/kdc_base_test.py diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py new file mode 100755 index 00000000000..4fc7ee85ba9 --- /dev/null +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -0,0 +1,419 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2020 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" +from collections import namedtuple +from ldb import SCOPE_BASE +from samba import generate_random_password +from samba.auth import system_session +from samba.credentials import Credentials +from samba.dcerpc import krb5pac +from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_NORMAL_ACCOUNT +from samba.ndr import ndr_unpack +from samba.samdb import SamDB + +from samba.tests import delete_force +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +from samba.tests.krb5.rfc4120_constants import ( + AD_IF_RELEVANT, + AD_WIN2K_PAC, + KDC_ERR_PREAUTH_REQUIRED, + KRB_AS_REP, + KRB_TGS_REP, + KRB_ERROR, + PADATA_ENC_TIMESTAMP, + PADATA_ETYPE_INFO2, +) + +global_asn1_print = False +global_hexdump = False + + +class KDCBaseTest(RawKerberosTest): + """ Base class for KDC tests. + """ + + @classmethod + def setUpClass(cls): + cls.lp = cls.get_loadparm(cls) + cls.username = os.environ["USERNAME"] + cls.password = os.environ["PASSWORD"] + cls.host = os.environ["SERVER"] + + c = Credentials() + c.set_username(cls.username) + c.set_password(cls.password) + try: + realm = os.environ["REALM"] + c.set_realm(realm) + except KeyError: + pass + try: + domain = os.environ["DOMAIN"] + c.set_domain(domain) + except KeyError: + pass + + c.guess() + + cls.credentials = c + + cls.session = system_session() + cls.ldb = SamDB(url="ldap://%s" % cls.host, + session_info=cls.session, + credentials=cls.credentials, + lp=cls.lp) + # fetch the dnsHostName from the RootDse + res = cls.ldb.search( + base="", expression="", scope=SCOPE_BASE, attrs=["dnsHostName"]) + cls.dns_host_name = str(res[0]['dnsHostName']) + + def setUp(self): + super().setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + self.accounts = [] + + def tearDown(self): + # Clean up any accounts created by create_account + for dn in self.accounts: + delete_force(self.ldb, dn) + + def create_account(self, name, machine_account=False, spn=None): + '''Create an account for testing. + The dn of the created account is added to self.accounts, + which is used by tearDown to clean up the created accounts. + ''' + dn = "cn=%s,%s" % (name, self.ldb.domain_dn()) + + # remove the account if it exists, this will happen if a previous test + # run failed + delete_force(self.ldb, dn) + if machine_account: + object_class = "computer" + account_name = "%s$" % name + account_control = str(UF_WORKSTATION_TRUST_ACCOUNT) + else: + object_class = "user" + account_name = name + account_control = str(UF_NORMAL_ACCOUNT) + + password = generate_random_password(32, 32) + utf16pw = ('"%s"' % password).encode('utf-16-le') + + details = { + "dn": dn, + "objectclass": object_class, + "sAMAccountName": account_name, + "userAccountControl": account_control, + "unicodePwd": utf16pw} + if spn is not None: + details["servicePrincipalName"] = spn + self.ldb.add(details) + + creds = Credentials() + creds.guess(self.lp) + creds.set_realm(self.ldb.domain_dns_name().upper()) + creds.set_domain(self.ldb.domain_netbios_name().upper()) + creds.set_password(password) + creds.set_username(account_name) + if machine_account: + creds.set_workstation(name) + # + # Save the account name so it can be deleted in the tearDown + self.accounts.append(dn) + + return (creds, dn) + + def as_req(self, cname, sname, realm, etypes, padata=None): + '''Send a Kerberos AS_REQ, returns the undecoded response + ''' + + till = self.get_KerberosTime(offset=36000) + kdc_options = 0 + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + return rep + + def get_as_rep_key(self, creds, rep): + '''Extract the session key from an AS-REP + ''' + rep_padata = self.der_decode( + rep['e-data'], + asn1Spec=krb5_asn1.METHOD_DATA()) + + for pa in rep_padata: + if pa['padata-type'] == PADATA_ETYPE_INFO2: + padata_value = pa['padata-value'] + break + + etype_info2 = self.der_decode( + padata_value, asn1Spec=krb5_asn1.ETYPE_INFO2()) + + key = self.PasswordKey_from_etype_info2(creds, etype_info2[0]) + return key + + def get_pa_data(self, creds, rep, skew=0): + '''generate the pa_data data element for an AS-REQ + ''' + key = self.get_as_rep_key(creds, rep) + + (patime, pausec) = self.get_KerberosTimeWithUsec(offset=skew) + padata = self.PA_ENC_TS_ENC_create(patime, pausec) + padata = self.der_encode(padata, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + usage = 1 + padata = self.EncryptedData_create(key, usage, padata) + padata = self.der_encode(padata, asn1Spec=krb5_asn1.EncryptedData()) + + padata = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, padata) + + return [padata] + + def get_as_rep_enc_data(self, key, rep): + ''' Decrypt and Decode the encrypted data in an AS-REP + ''' + usage = 3 + enc_part = key.decrypt(usage, rep['enc-part']['cipher']) + # MIT KDC encodes both EncASRepPart and EncTGSRepPart with + # application tag 26 + try: + enc_part = self.der_decode( + enc_part, asn1Spec=krb5_asn1.EncASRepPart()) + except Exception: + enc_part = self.der_decode( + enc_part, asn1Spec=krb5_asn1.EncTGSRepPart()) + + return enc_part + + def check_pre_authenication(self, rep): + """ Check that the kdc response was pre-authentication required + """ + self.check_error_rep(rep, KDC_ERR_PREAUTH_REQUIRED) + + def check_as_reply(self, rep): + """ Check that the kdc response is an AS-REP and that the + values for: + msg-type + pvno + tkt-pvno + kvno + match the expected values + """ + + # Should have a reply, and it should an AS-REP message. + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], KRB_AS_REP, "rep = {%s}" % rep) + + # Protocol version number should be 5 + pvno = int(rep['pvno']) + self.assertEqual(5, pvno, "rep = {%s}" % rep) + + # The ticket version number should be 5 + tkt_vno = int(rep['ticket']['tkt-vno']) + self.assertEqual(5, tkt_vno, "rep = {%s}" % rep) + + # Check that the kvno is not an RODC kvno + # MIT kerberos does not provide the kvno, so we treat it as optional. + # This is tested in compatability_test.py + if 'kvno' in rep['enc-part']: + kvno = int(rep['enc-part']['kvno']) + # If the high order bits are set this is an RODC kvno. + self.assertEqual(0, kvno & 0xFFFF0000, "rep = {%s}" % rep) + + def check_tgs_reply(self, rep): + """ Check that the kdc response is an TGS-REP and that the + values for: + msg-type + pvno + tkt-pvno + kvno + match the expected values + """ + + # Should have a reply, and it should an TGS-REP message. + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], KRB_TGS_REP, "rep = {%s}" % rep) + + # Protocol version number should be 5 + pvno = int(rep['pvno']) + self.assertEqual(5, pvno, "rep = {%s}" % rep) + + # The ticket version number should be 5 + tkt_vno = int(rep['ticket']['tkt-vno']) + self.assertEqual(5, tkt_vno, "rep = {%s}" % rep) + + # Check that the kvno is not an RODC kvno + # MIT kerberos does not provide the kvno, so we treat it as optional. + # This is tested in compatability_test.py + if 'kvno' in rep['enc-part']: + kvno = int(rep['enc-part']['kvno']) + # If the high order bits are set this is an RODC kvno. + self.assertEqual(0, kvno & 0xFFFF0000, "rep = {%s}" % rep) + + def check_error_rep(self, rep, expected): + """ Check that the reply is an error message, with the expected + error-code specified. + """ + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], KRB_ERROR, "rep = {%s}" % rep) + self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep) + + def tgs_req(self, cname, sname, realm, ticket, key, etypes): + '''Send a TGS-REQ, returns the response and the decrypted and + decoded enc-part + ''' + + kdc_options = "0" + till = self.get_KerberosTime(offset=36000) + padata = [] + + subkey = self.RandomKey(key.etype) + subkey_usage = 9 + + (ctime, cusec) = self.get_KerberosTimeWithUsec() + + req = self.TGS_REQ_create(padata=padata, + cusec=cusec, + ctime=ctime, + ticket=ticket, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7ffffffe, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None, + ticket_session_key=key, + authenticator_subkey=subkey) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + enc_part = None + if msg_type == KRB_TGS_REP: + enc_part = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part = self.der_decode( + enc_part, asn1Spec=krb5_asn1.EncTGSRepPart()) + return (rep, enc_part) + + # Named tuple to contain values of interest when the PAC is decoded. + PacData = namedtuple( + "PacData", + "account_name account_sid logon_name upn domain_name") + PAC_LOGON_INFO = 1 + PAC_CREDENTIAL_INFO = 2 + PAC_SRV_CHECKSUM = 6 + PAC_KDC_CHECKSUM = 7 + PAC_LOGON_NAME = 10 + PAC_CONSTRAINED_DELEGATION = 11 + PAC_UPN_DNS_INFO = 12 + + def get_pac_data(self, authorization_data): + '''Decode the PAC element contained in the authorization-data element + ''' + account_name = None + user_sid = None + logon_name = None + upn = None + domain_name = None + + # The PAC data will be wrapped in an AD_IF_RELEVANT element + ad_if_relevant_elements = ( + x for x in authorization_data if x['ad-type'] == AD_IF_RELEVANT) + for dt in ad_if_relevant_elements: + buf = self.der_decode( + dt['ad-data'], asn1Spec=krb5_asn1.AD_IF_RELEVANT()) + # The PAC data is further wrapped in a AD_WIN2K_PAC element + for ad in (x for x in buf if x['ad-type'] == AD_WIN2K_PAC): + pb = ndr_unpack(krb5pac.PAC_DATA, ad['ad-data']) + for pac in pb.buffers: + if pac.type == self.PAC_LOGON_INFO: + account_name = ( + pac.info.info.info3.base.account_name) + user_sid = ( + str(pac.info.info.info3.base.domain_sid) + + "-" + str(pac.info.info.info3.base.rid)) + elif pac.type == self.PAC_LOGON_NAME: + logon_name = pac.info.account_name + elif pac.type == self.PAC_UPN_DNS_INFO: + upn = pac.info.upn_name + domain_name = pac.info.dns_domain_name + + return self.PacData( + account_name, + user_sid, + logon_name, + upn, + domain_name) + + def decode_service_ticket(self, creds, ticket): + '''Decrypt and decode a service ticket + ''' + + name = creds.get_username() + if name.endswith('$'): + name = name[:-1] + realm = creds.get_realm() + salt = "%s.%s@%s" % (name, realm.lower(), realm.upper()) + + key = self.PasswordKey_create( + ticket['enc-part']['etype'], + creds.get_password(), + salt, + ticket['enc-part']['kvno']) + + enc_part = key.decrypt(2, ticket['enc-part']['cipher']) + enc_ticket_part = self.der_decode( + enc_part, asn1Spec=krb5_asn1.EncTicketPart()) + return enc_ticket_part + + def get_objectSid(self, dn): + ''' Get the objectSID for a DN + Note: performs an Ldb query. + ''' + res = self.ldb.search(dn, scope=SCOPE_BASE, attrs=["objectSID"]) + self.assertTrue(len(res) == 1, "did not get objectSid for %s" % dn) + sid = self.ldb.schema_format_value("objectSID", res[0]["objectSID"][0]) + return sid.decode('utf8') -- 2.35.0 From 815248e8e32a38bbbd826d79e4286c77c71fb0f4 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Mon, 30 Nov 2020 14:19:15 +1300 Subject: [PATCH 060/686] tests python krb5: initial TGS tests Initial tests on the KDC TGS Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1ed461a142f68f5de5e21b873ebddfcf5ae0ca1e) --- python/samba/tests/krb5/kdc_base_test.py | 1 - python/samba/tests/krb5/kdc_tgs_tests.py | 210 +++++++++++++++++++ python/samba/tests/krb5/rfc4120_constants.py | 2 + python/samba/tests/usage.py | 2 + selftest/knownfail_mit_kdc | 5 + source4/selftest/tests.py | 3 + 6 files changed, 222 insertions(+), 1 deletion(-) mode change 100755 => 100644 python/samba/tests/krb5/kdc_base_test.py create mode 100755 python/samba/tests/krb5/kdc_tgs_tests.py diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py old mode 100755 new mode 100644 index 4fc7ee85ba9..1a823d173e3 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -1,4 +1,3 @@ -#!/usr/bin/env python3 # Unix SMB/CIFS implementation. # Copyright (C) Stefan Metzmacher 2020 # Copyright (C) 2020 Catalyst.Net Ltd diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py new file mode 100755 index 00000000000..23a1d868a79 --- /dev/null +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -0,0 +1,210 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2020 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests.krb5.kdc_base_test import KDCBaseTest +from samba.tests.krb5.rfc4120_constants import ( + AES256_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, + KRB_ERROR, + KDC_ERR_BADMATCH, + NT_PRINCIPAL, + NT_SRV_INST, +) + +global_asn1_print = False +global_hexdump = False + + +class KdcTgsTests(KDCBaseTest): + + def setUp(self): + super().setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def test_tgs_req_cname_does_not_not_match_authenticator_cname(self): + ''' Try and obtain a ticket from the TGS, but supply a cname + that differs from that provided to the krbtgt + ''' + # Create the user account + user_name = "tsttktusr" + (uc, _) = self.create_account(user_name) + realm = uc.get_realm().lower() + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96,) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a service ticket, but use a cname that does not match + # that in the original AS-REQ + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + ticket = rep['ticket'] + + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=["Administrator"]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=["host", self.dns_host_name]) + + (rep, enc_part) = self.tgs_req(cname, sname, realm, ticket, key, etype) + + self.assertIsNone( + enc_part, + "rep = {%s}, enc_part = {%s}" % (rep, enc_part)) + self.assertEqual(KRB_ERROR, rep['msg-type'], "rep = {%s}" % rep) + self.assertEqual( + KDC_ERR_BADMATCH, + rep['error-code'], + "rep = {%s}" % rep) + + def test_ldap_service_ticket(self): + '''Get a ticket to the ldap service + ''' + # Create the user account + user_name = "tsttktusr" + (uc, _) = self.create_account(user_name) + realm = uc.get_realm().lower() + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96,) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + ticket = rep['ticket'] + + # Request a ticket to the ldap service + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, + names=["ldap", self.dns_host_name]) + + (rep, _) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + + self.check_tgs_reply(rep) + + def test_get_ticket_for_host_service_of_machine_account(self): + + # Create a user and machine account for the test. + # + user_name = "tsttktusr" + (uc, dn) = self.create_account(user_name) + (mc, _) = self.create_account("tsttktmac", machine_account=True) + realm = uc.get_realm().lower() + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the service ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + + pac_data = self.get_pac_data(enc_part['authorization-data']) + sid = self.get_objectSid(dn) + upn = "%s@%s" % (uc.get_username(), realm) + self.assertEqual( + uc.get_username(), + str(pac_data.account_name), + "rep = {%s},%s" % (rep, pac_data)) + self.assertEqual( + uc.get_username(), + pac_data.logon_name, + "rep = {%s},%s" % (rep, pac_data)) + self.assertEqual( + uc.get_realm(), + pac_data.domain_name, + "rep = {%s},%s" % (rep, pac_data)) + self.assertEqual( + upn, + pac_data.upn, + "rep = {%s},%s" % (rep, pac_data)) + self.assertEqual( + sid, + pac_data.account_sid, + "rep = {%s},%s" % (rep, pac_data)) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index e1d0c5baa68..19bb6691d43 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -28,6 +28,7 @@ ARCFOUR_HMAC_MD5 = int( # Message types KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error')) KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep')) +KRB_TGS_REP = int(krb5_asn1.MessageTypeValues('krb-tgs-rep')) # PAData types PADATA_ENC_TIMESTAMP = int( @@ -39,6 +40,7 @@ PADATA_ETYPE_INFO2 = int( KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 KDC_ERR_PREAUTH_FAILED = 24 KDC_ERR_PREAUTH_REQUIRED = 25 +KDC_ERR_BADMATCH = 36 KDC_ERR_SKEW = 37 # Name types diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 11cd405deea..838a3148d8e 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -91,6 +91,8 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/compatability_tests.py', 'python/samba/tests/krb5/rfc4120_constants.py', 'python/samba/tests/krb5/kdc_tests.py', + 'python/samba/tests/krb5/kdc_base_test.py', + 'python/samba/tests/krb5/kdc_tgs_tests.py', } diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index f1a4971430e..e64303c6b0f 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -270,3 +270,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_RemoveDollar_AsReqSelf\( ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_AsReqSelf\( ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_RemoveDollar_AsReqSelf\( +# +# MIT currently returns an error code of 12 KRB5KDC_ERR_POLICY: KDC policy rejects request, to the +# following tests +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_ldap_service_ticket\(ad_dc\) +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_get_ticket_for_host_service_of_machine_account\(ad_dc\) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index f2cdae9342c..4ce9602b53f 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1231,6 +1231,9 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]: planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests") planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests") planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests") +planpythontestsuite( + "ad_dc", + "samba.tests.krb5.kdc_tgs_tests") for env in [ 'vampire_dc', -- 2.35.0 From 8339fd3ddd865b6d07ed4c29f5c681479a967fc1 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Thu, 10 Dec 2020 16:26:06 +1300 Subject: [PATCH 061/686] tests python krb5: Add key usage constants Signed-off-by: Gary Lockyer Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d8ed73b75ad67da99be392b2db18fe2e1ffed87f) --- python/samba/tests/krb5/rfc4120_constants.py | 50 ++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index 19bb6691d43..9de56578c99 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -63,3 +63,53 @@ AD_MANDATORY_FOR_KDC = 8 AD_INITIAL_VERIFIED_CAS = 9 AD_WIN2K_PAC = 128 AD_SIGNTICKET = 512 + +# Key usage numbers +# RFC 4120 Section 7.5.1. Key Usage Numbers +KU_PA_ENC_TIMESTAMP = 1 +''' AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the + client key (section 5.2.7.2) ''' +KU_TICKET = 2 +''' AS-REP Ticket and TGS-REP Ticket (includes tgs session key or + application session key), encrypted with the service key + (section 5.3) ''' +KU_AS_REP_ENC_PART = 3 +''' AS-REP encrypted part (includes tgs session key or application + session key), encrypted with the client key (section 5.4.2) ''' +KU_TGS_REQ_AUTH_DAT_SESSION = 4 +''' TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs + session key (section 5.4.1) ''' +KU_TGS_REQ_AUTH_DAT_SUBKEY = 5 +''' TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs + authenticator subkey (section 5.4.1) ''' +KU_TGS_REQ_AUTH_CKSUM = 6 +''' TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed + with the tgs session key (section 5.5.1) ''' +KU_TGS_REQ_AUTH = 7 +''' TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs + authenticator subkey), encrypted with the tgs session key + (section 5.5.1) ''' +KU_TGS_REP_ENC_PART_SESSION = 8 +''' TGS-REP encrypted part (includes application session key), + encrypted with the tgs session key (section 5.4.2) ''' +KU_TGS_REP_ENC_PART_SUB_KEY = 9 +''' TGS-REP encrypted part (includes application session key), + encrypted with the tgs authenticator subkey (section 5.4.2) ''' +KU_AP_REQ_AUTH_CKSUM = 10 +''' AP-REQ Authenticator cksum, keyed with the application session + key (section 5.5.1) ''' +KU_AP_REQ_AUTH = 11 +''' AP-REQ Authenticator (includes application authenticator + subkey), encrypted with the application session key (section 5.5.1) ''' +KU_AP_REQ_ENC_PART = 12 +''' AP-REP encrypted part (includes application session subkey), + encrypted with the application session key (section 5.5.2) ''' +KU_KRB_PRIV = 13 +''' KRB-PRIV encrypted part, encrypted with a key chosen by the + application (section 5.7.1) ''' +KU_KRB_CRED = 14 +''' KRB-CRED encrypted part, encrypted with a key chosen by the + application (section 5.8.1) ''' +KU_KRB_SAFE_CKSUM = 15 +''' KRB-SAFE cksum, keyed with a key chosen by the application + (section 5.6.1) ''' -- 2.35.0 From 7b87468f4400bd01b101445811f711d89b6abf67 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Thu, 10 Dec 2020 16:27:17 +1300 Subject: [PATCH 062/686] tests python krb5: use key usage constants Signed-off-by: Gary Lockyer Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 03676a4a5c55ab5f4958a86cbd4d7be0f0a8a294) --- .../tests/krb5/as_canonicalization_tests.py | 5 ++--- python/samba/tests/krb5/compatability_tests.py | 7 +++---- python/samba/tests/krb5/kdc_base_test.py | 16 +++++++++------- python/samba/tests/krb5/kdc_tests.py | 3 +-- python/samba/tests/krb5/s4u_tests.py | 15 +++++++++------ python/samba/tests/krb5/simple_tests.py | 15 +++++++++------ python/samba/tests/krb5/xrealm_tests.py | 15 +++++++++------ 7 files changed, 42 insertions(+), 34 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 6ea3ff0491e..e89b40eab8f 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -367,8 +367,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) - enc_pa_ts_usage = 1 - pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) @@ -413,7 +412,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): self.assertEqual(msg_type, KRB_AS_REP, "Data {0}".format(str(data))) # Decrypt and decode the EncKdcRepPart - enc = key.decrypt(3, rep['enc-part']['cipher']) + enc = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) if enc[0] == 0x7A: # MIT Kerberos Tags the EncASRepPart as a EncKDCRepPart # i.e. tag number 26 instead of tag number 25 diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py index e4b1453e712..0b3701cd60d 100755 --- a/python/samba/tests/krb5/compatability_tests.py +++ b/python/samba/tests/krb5/compatability_tests.py @@ -178,8 +178,7 @@ class SimpleKerberosTests(RawKerberosTest): pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) - enc_pa_ts_usage = 1 - pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) @@ -207,9 +206,9 @@ class SimpleKerberosTests(RawKerberosTest): msg_type = rep['msg-type'] self.assertEqual(msg_type, KRB_AS_REP) - usage = 3 enc_part = rep['enc-part'] - enc_as_rep_part = key.decrypt(usage, rep['enc-part']['cipher']) + enc_as_rep_part = key.decrypt( + KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) return (enc_as_rep_part, enc_part) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 1a823d173e3..e835d389f1c 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -41,6 +41,10 @@ from samba.tests.krb5.rfc4120_constants import ( KRB_AS_REP, KRB_TGS_REP, KRB_ERROR, + KU_AS_REP_ENC_PART, + KU_PA_ENC_TIMESTAMP, + KU_TGS_REP_ENC_PART_SUB_KEY, + KU_TICKET, PADATA_ENC_TIMESTAMP, PADATA_ETYPE_INFO2, ) @@ -196,8 +200,7 @@ class KDCBaseTest(RawKerberosTest): padata = self.PA_ENC_TS_ENC_create(patime, pausec) padata = self.der_encode(padata, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) - usage = 1 - padata = self.EncryptedData_create(key, usage, padata) + padata = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, padata) padata = self.der_encode(padata, asn1Spec=krb5_asn1.EncryptedData()) padata = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, padata) @@ -207,8 +210,7 @@ class KDCBaseTest(RawKerberosTest): def get_as_rep_enc_data(self, key, rep): ''' Decrypt and Decode the encrypted data in an AS-REP ''' - usage = 3 - enc_part = key.decrypt(usage, rep['enc-part']['cipher']) + enc_part = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) # MIT KDC encodes both EncASRepPart and EncTGSRepPart with # application tag 26 try: @@ -303,7 +305,6 @@ class KDCBaseTest(RawKerberosTest): padata = [] subkey = self.RandomKey(key.etype) - subkey_usage = 9 (ctime, cusec) = self.get_KerberosTimeWithUsec() @@ -332,7 +333,8 @@ class KDCBaseTest(RawKerberosTest): msg_type = rep['msg-type'] enc_part = None if msg_type == KRB_TGS_REP: - enc_part = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part = subkey.decrypt( + KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) enc_part = self.der_decode( enc_part, asn1Spec=krb5_asn1.EncTGSRepPart()) return (rep, enc_part) @@ -403,7 +405,7 @@ class KDCBaseTest(RawKerberosTest): salt, ticket['enc-part']['kvno']) - enc_part = key.decrypt(2, ticket['enc-part']['cipher']) + enc_part = key.decrypt(KU_TICKET, ticket['enc-part']['cipher']) enc_ticket_part = self.der_decode( enc_part, asn1Spec=krb5_asn1.EncTicketPart()) return enc_ticket_part diff --git a/python/samba/tests/krb5/kdc_tests.py b/python/samba/tests/krb5/kdc_tests.py index 57a25448965..17b9d154bd9 100755 --- a/python/samba/tests/krb5/kdc_tests.py +++ b/python/samba/tests/krb5/kdc_tests.py @@ -91,8 +91,7 @@ class KdcTests(RawKerberosTest): pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) - enc_pa_ts_usage = 1 - pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index ae38635c53b..2e1bd3fbe1f 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -25,6 +25,11 @@ os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests import env_get_var_value from samba.tests.krb5.kcrypto import Cksumtype from samba.tests.krb5.raw_testcase import RawKerberosTest +from samba.tests.krb5.rfc4120_constants import ( + KU_PA_ENC_TIMESTAMP, + KU_AS_REP_ENC_PART, + KU_TGS_REP_ENC_PART_SUB_KEY, +) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 global_asn1_print = False @@ -86,8 +91,7 @@ class S4UKerberosTests(RawKerberosTest): pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) - enc_pa_ts_usage = 1 - pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) pa_ts = self.PA_DATA_create(2, pa_ts) @@ -115,8 +119,7 @@ class S4UKerberosTests(RawKerberosTest): msg_type = rep['msg-type'] self.assertEqual(msg_type, 11) - usage = 3 - enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) + enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) # S4U2Self Request @@ -135,7 +138,6 @@ class S4UKerberosTests(RawKerberosTest): padata = [pa_s4u] subkey = self.RandomKey(ticket_session_key.etype) - subkey_usage = 9 (ctime, cusec) = self.get_KerberosTimeWithUsec() @@ -163,7 +165,8 @@ class S4UKerberosTests(RawKerberosTest): msg_type = rep['msg-type'] if msg_type == 13: - enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part2 = subkey.decrypt( + KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) return msg_type diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py index 236fbda1cd5..6c090af3d46 100755 --- a/python/samba/tests/krb5/simple_tests.py +++ b/python/samba/tests/krb5/simple_tests.py @@ -23,6 +23,11 @@ sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests.krb5.raw_testcase import RawKerberosTest +from samba.tests.krb5.rfc4120_constants import ( + KU_AS_REP_ENC_PART, + KU_PA_ENC_TIMESTAMP, + KU_TGS_REP_ENC_PART_SUB_KEY, +) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 global_asn1_print = False @@ -84,8 +89,7 @@ class SimpleKerberosTests(RawKerberosTest): pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) - enc_pa_ts_usage = 1 - pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) pa_ts = self.PA_DATA_create(2, pa_ts) @@ -113,8 +117,7 @@ class SimpleKerberosTests(RawKerberosTest): msg_type = rep['msg-type'] self.assertEqual(msg_type, 11) - usage = 3 - enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) + enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 try: @@ -134,7 +137,6 @@ class SimpleKerberosTests(RawKerberosTest): padata = [] subkey = self.RandomKey(ticket_session_key.etype) - subkey_usage = 9 (ctime, cusec) = self.get_KerberosTimeWithUsec() @@ -163,7 +165,8 @@ class SimpleKerberosTests(RawKerberosTest): msg_type = rep['msg-type'] self.assertEqual(msg_type, 13) - enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part2 = subkey.decrypt( + KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) return diff --git a/python/samba/tests/krb5/xrealm_tests.py b/python/samba/tests/krb5/xrealm_tests.py index 64064b8a670..b4a02bff33a 100755 --- a/python/samba/tests/krb5/xrealm_tests.py +++ b/python/samba/tests/krb5/xrealm_tests.py @@ -23,6 +23,11 @@ sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests.krb5.raw_testcase import RawKerberosTest +from samba.tests.krb5.rfc4120_constants import ( + KU_PA_ENC_TIMESTAMP, + KU_AS_REP_ENC_PART, + KU_TGS_REP_ENC_PART_SUB_KEY, +) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 import samba.tests @@ -85,8 +90,7 @@ class XrealmKerberosTests(RawKerberosTest): pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) - enc_pa_ts_usage = 1 - pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) pa_ts = self.PA_DATA_create(2, pa_ts) @@ -114,8 +118,7 @@ class XrealmKerberosTests(RawKerberosTest): msg_type = rep['msg-type'] self.assertEqual(msg_type, 11) - usage = 3 - enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) + enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 try: @@ -134,7 +137,6 @@ class XrealmKerberosTests(RawKerberosTest): padata = [] subkey = self.RandomKey(ticket_session_key.etype) - subkey_usage = 9 (ctime, cusec) = self.get_KerberosTimeWithUsec() @@ -163,7 +165,8 @@ class XrealmKerberosTests(RawKerberosTest): msg_type = rep['msg-type'] self.assertEqual(msg_type, 13) - enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part2 = subkey.decrypt( + KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) # Check the forwardable flag -- 2.35.0 From f5d9d4d490de01a496b8a7cb501c0b9c2d302428 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Fri, 11 Dec 2020 11:55:01 +1300 Subject: [PATCH 063/686] tests python krb5: PEP8 cleanups Fix all the PEP8 warnings in samba/tests/krb5. With the exception of rfc4120_pyasn1.py, which is generated from rfc4120.asn1. As these tests are new, it makes sense to ensure that they conform to PEP8. And set an aspirational goal for the rest of our python code. Signed-off-by: Gary Lockyer Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Gary Lockyer Autobuild-Date(master): Mon Dec 21 21:29:28 UTC 2020 on sn-devel-184 (cherry picked from commit c00d537526ca881c540ff66e703ad9c96dd1face) --- .../tests/krb5/as_canonicalization_tests.py | 54 ++- .../samba/tests/krb5/compatability_tests.py | 24 +- python/samba/tests/krb5/kcrypto.py | 67 +-- python/samba/tests/krb5/kdc_base_test.py | 4 +- python/samba/tests/krb5/kdc_tests.py | 17 +- python/samba/tests/krb5/raw_testcase.py | 403 +++++++++++------- python/samba/tests/krb5/rfc4120_constants.py | 32 +- python/samba/tests/krb5/s4u_tests.py | 19 +- python/samba/tests/krb5/simple_tests.py | 24 +- python/samba/tests/krb5/xrealm_tests.py | 26 +- 10 files changed, 410 insertions(+), 260 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index e89b40eab8f..43f532dc483 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -31,8 +31,6 @@ import samba from samba.auth import system_session from samba.credentials import ( Credentials, - CLI_CRED_NTLMv2_AUTH, - CLI_CRED_NTLM_AUTH, DONT_USE_KERBEROS) from samba.dcerpc.misc import SEC_CHAN_WKSTA from samba.dsdb import ( @@ -41,7 +39,20 @@ from samba.dsdb import ( UF_NORMAL_ACCOUNT) from samba.samdb import SamDB from samba.tests import delete_force, DynamicTestCase -from samba.tests.krb5.rfc4120_constants import * +from samba.tests.krb5.rfc4120_constants import ( + AES256_CTS_HMAC_SHA1_96, + AES128_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, + KDC_ERR_PREAUTH_REQUIRED, + KRB_AS_REP, + KU_AS_REP_ENC_PART, + KRB_ERROR, + KU_PA_ENC_TIMESTAMP, + PADATA_ENC_TIMESTAMP, + NT_ENTERPRISE_PRINCIPAL, + NT_PRINCIPAL, + NT_SRV_INST, +) global_asn1_print = False global_hexdump = False @@ -49,15 +60,15 @@ global_hexdump = False @unique class TestOptions(Enum): - Canonicalize = 1 - Enterprise = 2 - UpperRealm = 4 - UpperUserName = 8 - NetbiosRealm = 16 - UPN = 32 - RemoveDollar = 64 - AsReqSelf = 128 - Last = 256 + Canonicalize = 1 + Enterprise = 2 + UpperRealm = 4 + UpperUserName = 8 + NetbiosRealm = 16 + UPN = 32 + RemoveDollar = 64 + AsReqSelf = 128 + Last = 256 def is_set(self, x): return self.value & x @@ -65,7 +76,7 @@ class TestOptions(Enum): @unique class CredentialsType(Enum): - User = 1 + User = 1 Machine = 2 def is_set(self, x): @@ -126,7 +137,8 @@ class TestData: MACHINE_NAME = "tstkrb5cnnmch" -USER_NAME = "tstkrb5cnnusr" +USER_NAME = "tstkrb5cnnusr" + @DynamicTestCase class KerberosASCanonicalizationTests(RawKerberosTest): @@ -160,21 +172,21 @@ class KerberosASCanonicalizationTests(RawKerberosTest): @classmethod def setUpClass(cls): - cls.lp = cls.get_loadparm(cls) + cls.lp = cls.get_loadparm(cls) cls.username = os.environ["USERNAME"] cls.password = os.environ["PASSWORD"] - cls.host = os.environ["SERVER"] + cls.host = os.environ["SERVER"] c = Credentials() c.set_username(cls.username) c.set_password(cls.password) try: - realm = os.environ["REALM"] + realm = os.environ["REALM"] c.set_realm(realm) except KeyError: pass try: - domain = os.environ["DOMAIN"] + domain = os.environ["DOMAIN"] c.set_domain(domain) except KeyError: pass @@ -200,7 +212,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): def setUp(self): super(KerberosASCanonicalizationTests, self).setUp() self.do_asn1_print = global_asn1_print - self.do_hexdump = global_hexdump + self.do_hexdump = global_hexdump # # Create a test user account @@ -340,7 +352,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): # # Check the protocol version, should be 5 self.assertEqual( - rep['pvno'], 5, "Data {0}".format(str(data))) + rep['pvno'], 5, "Data {0}".format(str(data))) self.assertEqual( rep['msg-type'], KRB_ERROR, "Data {0}".format(str(data))) @@ -397,7 +409,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): # # Check the protocol version, should be 5 self.assertEqual( - rep['pvno'], 5, "Data {0}".format(str(data))) + rep['pvno'], 5, "Data {0}".format(str(data))) msg_type = rep['msg-type'] # Should not have got an error. diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py index 0b3701cd60d..5a1ef02ef80 100755 --- a/python/samba/tests/krb5/compatability_tests.py +++ b/python/samba/tests/krb5/compatability_tests.py @@ -25,7 +25,20 @@ os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests.krb5.raw_testcase import RawKerberosTest import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 -from samba.tests.krb5.rfc4120_constants import * +from samba.tests.krb5.rfc4120_constants import ( + AES128_CTS_HMAC_SHA1_96, + AES256_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, + KDC_ERR_PREAUTH_REQUIRED, + KRB_AS_REP, + KRB_ERROR, + KU_AS_REP_ENC_PART, + KU_PA_ENC_TIMESTAMP, + PADATA_ENC_TIMESTAMP, + PADATA_ETYPE_INFO2, + NT_PRINCIPAL, + NT_SRV_INST, +) global_asn1_print = False global_hexdump = False @@ -112,18 +125,17 @@ class SimpleKerberosTests(RawKerberosTest): realm = creds.get_realm() cname = self.PrincipalName_create( - name_type=NT_PRINCIPAL, - names=[user]) + name_type=NT_PRINCIPAL, + names=[user]) sname = self.PrincipalName_create( - name_type=NT_SRV_INST, - names=["krbtgt", realm]) + name_type=NT_SRV_INST, + names=["krbtgt", realm]) till = self.get_KerberosTime(offset=36000) kdc_options = krb5_asn1.KDCOptions('forwardable') padata = None - req = self.AS_REQ_create(padata=padata, kdc_options=str(kdc_options), cname=cname, diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py index 2572fa5bab3..23502d7bb62 100755 --- a/python/samba/tests/krb5/kcrypto.py +++ b/python/samba/tests/krb5/kcrypto.py @@ -64,6 +64,7 @@ from samba.credentials import Credentials from samba import generate_random_bytes as get_random_bytes from samba.compat import get_string, get_bytes + class Enctype(object): DES_CRC = 1 DES_MD4 = 2 @@ -112,26 +113,30 @@ def _mac_equal(mac1, mac2): res |= x ^ y return res == 0 + def SIMPLE_HASH(string, algo_cls): hash_ctx = hashes.Hash(algo_cls(), default_backend()) hash_ctx.update(string) return hash_ctx.finalize() + def HMAC_HASH(key, string, algo_cls): hmac_ctx = hmac.HMAC(key, algo_cls(), default_backend()) hmac_ctx.update(string) return hmac_ctx.finalize() + def _nfold(str, nbytes): # Convert str to a string of length nbytes using the RFC 3961 nfold # operation. # Rotate the bytes in str to the right by nbits bits. def rotate_right(str, nbits): - nbytes, remain = (nbits//8) % len(str), nbits % 8 - return bytes([(str[i-nbytes] >> remain) | - (str[i-nbytes-1] << (8-remain) & 0xff) - for i in range(len(str))]) + nbytes, remain = (nbits // 8) % len(str), nbits % 8 + return bytes([ + (str[i - nbytes] >> remain) + | (str[i - nbytes - 1] << (8 - remain) & 0xff) + for i in range(len(str))]) # Add equal-length strings together with end-around carry. def add_ones_complement(str1, str2): @@ -139,7 +144,7 @@ def _nfold(str, nbytes): v = [a + b for a, b in zip(str1, str2)] # Propagate carry bits to the left until there aren't any left. while any(x & ~0xff for x in v): - v = [(v[i-n+1]>>8) + (v[i]&0xff) for i in range(n)] + v = [(v[i - n + 1] >> 8) + (v[i] & 0xff) for i in range(n)] return bytes([x for x in v]) # Concatenate copies of str to produce the least common multiple @@ -150,7 +155,7 @@ def _nfold(str, nbytes): slen = len(str) lcm = nbytes * slen // gcd(nbytes, slen) bigstr = b''.join((rotate_right(str, 13 * i) for i in range(lcm // slen))) - slices = (bigstr[p:p+nbytes] for p in range(0, lcm, nbytes)) + slices = (bigstr[p:p + nbytes] for p in range(0, lcm, nbytes)) return reduce(add_ones_complement, slices) @@ -275,7 +280,7 @@ class _DES3CBC(_SimplifiedEnctype): return b if bin(b & ~1).count('1') % 2 else b | 1 assert len(seed) == 7 firstbytes = [parity(b & ~1) for b in seed] - lastbyte = parity(sum((seed[i]&1) << i+1 for i in range(7))) + lastbyte = parity(sum((seed[i] & 1) << i + 1 for i in range(7))) keybytes = bytes([b for b in firstbytes + [lastbyte]]) if _is_weak_des_key(keybytes): keybytes[7] = bytes([keybytes[7] ^ 0xF0]) @@ -369,7 +374,7 @@ class _AESEnctype(_SimplifiedEnctype): if len(ciphertext) == 16: return aes_decrypt(ciphertext) # Split the ciphertext into blocks. The last block may be partial. - cblocks = [ciphertext[p:p+16] for p in range(0, len(ciphertext), 16)] + cblocks = [ciphertext[p:p + 16] for p in range(0, len(ciphertext), 16)] lastlen = len(cblocks[-1]) # CBC-decrypt all but the last two blocks. prev_cblock = bytes(16) @@ -383,7 +388,7 @@ class _AESEnctype(_SimplifiedEnctype): # will be the omitted bytes of ciphertext from the final # block. b = aes_decrypt(cblocks[-2]) - lastplaintext =_xorbytes(b[:lastlen], cblocks[-1]) + lastplaintext = _xorbytes(b[:lastlen], cblocks[-1]) omitted = b[lastlen:] # Decrypt the final cipher block plus the omitted bytes to get # the second-to-last plaintext block. @@ -433,7 +438,8 @@ class _RC4(_EnctypeProfile): cksum = HMAC_HASH(ki, confounder + plaintext, hashes.MD5) ke = HMAC_HASH(ki, cksum, hashes.MD5) - encryptor = Cipher(ciphers.ARC4(ke), None, default_backend()).encryptor() + encryptor = Cipher( + ciphers.ARC4(ke), None, default_backend()).encryptor() ctext = encryptor.update(confounder + plaintext) return cksum + ctext @@ -446,7 +452,8 @@ class _RC4(_EnctypeProfile): ki = HMAC_HASH(key.contents, cls.usage_str(keyusage), hashes.MD5) ke = HMAC_HASH(ki, cksum, hashes.MD5) - decryptor = Cipher(ciphers.ARC4(ke), None, default_backend()).decryptor() + decryptor = Cipher( + ciphers.ARC4(ke), None, default_backend()).decryptor() basic_plaintext = decryptor.update(basic_ctext) exp_cksum = HMAC_HASH(ki, basic_plaintext, hashes.MD5) @@ -636,14 +643,14 @@ def verify_checksum(cksumtype, key, keyusage, text, cksum): c.verify(key, keyusage, text, cksum) -def prfplus(key, pepper, l): - # Produce l bytes of output using the RFC 6113 PRF+ function. +def prfplus(key, pepper, ln): + # Produce ln bytes of output using the RFC 6113 PRF+ function. out = b'' count = 1 - while len(out) < l: + while len(out) < ln: out += prf(key, bytes([count]) + pepper) count += 1 - return out[:l] + return out[:ln] def cf2(enctype, key1, key2, pepper1, pepper2): @@ -653,9 +660,11 @@ def cf2(enctype, key1, key2, pepper1, pepper2): return e.random_to_key(_xorbytes(prfplus(key1, pepper1, e.seedsize), prfplus(key2, pepper2, e.seedsize))) + def h(hexstr): return bytes.fromhex(hexstr) + class KcrytoTest(TestCase): """kcrypto Test case.""" @@ -665,20 +674,21 @@ class KcrytoTest(TestCase): conf = h('94B491F481485B9A0678CD3C4EA386AD') keyusage = 2 plain = b'9 bytesss' - ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7CD2E' - 'C26C355D2F') + ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7' + 'CD2EC26C355D2F') k = Key(Enctype.AES128, kb) self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) self.assertEqual(decrypt(k, keyusage, ctxt), plain) def test_aes256_crypt(self): # AES256 encrypt and decrypt - kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B1404231398') + kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B14042313' + '98') conf = h('E45CA518B42E266AD98E165E706FFB60') keyusage = 4 plain = b'30 bytes bytes bytes bytes byt' - ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3D79A' - '295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') + ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3' + 'D79A295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') k = Key(Enctype.AES256, kb) self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) self.assertEqual(decrypt(k, keyusage, ctxt), plain) @@ -694,7 +704,8 @@ class KcrytoTest(TestCase): def test_aes256_checksum(self): # AES256 checksum - kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBCFEA4EC76D7') + kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBC' + 'FEA4EC76D7') keyusage = 4 plain = b'fourteen' cksum = h('E08739E3279E2903EC8E3836') @@ -715,7 +726,8 @@ class KcrytoTest(TestCase): string = b'X' * 64 salt = b'pass phrase equals block size' params = h('000004B0') - kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56C553BA4B34') + kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56' + 'C553BA4B34') k = string_to_key(Enctype.AES256, string, salt, params) self.assertEqual(k.contents, kb) @@ -741,7 +753,8 @@ class KcrytoTest(TestCase): def test_aes256_cf2(self): # AES256 cf2 - kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5E72B1C7B') + kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5' + 'E72B1C7B') k1 = string_to_key(Enctype.AES256, b'key1', b'key1') k2 = string_to_key(Enctype.AES256, b'key2', b'key2') k = cf2(Enctype.AES256, k1, k2, b'a', b'b') @@ -753,8 +766,8 @@ class KcrytoTest(TestCase): conf = h('94690A17B2DA3C9B') keyusage = 3 plain = b'13 bytes byte' - ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F705E8' - '49CB7781D76A316B193F8D30') + ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F7' + '05E849CB7781D76A316B193F8D30') k = Key(Enctype.DES3, kb) self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) self.assertEqual(decrypt(k, keyusage, ctxt), _zeropad(plain, 8)) @@ -790,8 +803,8 @@ class KcrytoTest(TestCase): conf = h('37245E73A45FBF72') keyusage = 4 plain = b'30 bytes bytes bytes bytes byt' - ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0F260' - 'A99F0460508DE0CECC632D07C354124E46C5D2234EB8') + ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0' + 'F260A99F0460508DE0CECC632D07C354124E46C5D2234EB8') k = Key(Enctype.RC4, kb) self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) self.assertEqual(decrypt(k, keyusage, ctxt), plain) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index e835d389f1c..bef5458c881 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -374,8 +374,8 @@ class KDCBaseTest(RawKerberosTest): account_name = ( pac.info.info.info3.base.account_name) user_sid = ( - str(pac.info.info.info3.base.domain_sid) + - "-" + str(pac.info.info.info3.base.rid)) + str(pac.info.info.info3.base.domain_sid) + + "-" + str(pac.info.info.info3.base.rid)) elif pac.type == self.PAC_LOGON_NAME: logon_name = pac.info.account_name elif pac.type == self.PAC_UPN_DNS_INFO: diff --git a/python/samba/tests/krb5/kdc_tests.py b/python/samba/tests/krb5/kdc_tests.py index 17b9d154bd9..c7c53953a86 100755 --- a/python/samba/tests/krb5/kdc_tests.py +++ b/python/samba/tests/krb5/kdc_tests.py @@ -25,7 +25,20 @@ os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests.krb5.raw_testcase import RawKerberosTest import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 -from samba.tests.krb5.rfc4120_constants import * +from samba.tests.krb5.rfc4120_constants import ( + AES256_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, + KDC_ERR_PREAUTH_FAILED, + KDC_ERR_PREAUTH_REQUIRED, + KDC_ERR_SKEW, + KRB_AS_REP, + KRB_ERROR, + KU_PA_ENC_TIMESTAMP, + PADATA_ENC_TIMESTAMP, + PADATA_ETYPE_INFO2, + NT_PRINCIPAL, + NT_SRV_INST, +) global_asn1_print = False global_hexdump = False @@ -83,7 +96,7 @@ class KdcTests(RawKerberosTest): break etype_info2 = self.der_decode( - etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) key = self.PasswordKey_from_etype_info2(creds, etype_info2[0]) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index e67f5464e59..82e68ee7019 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -35,7 +35,10 @@ from pyasn1.codec.native.decoder import decode as pyasn1_native_decode from pyasn1.codec.native.encoder import encode as pyasn1_native_encode from pyasn1.codec.ber.encoder import BitStringEncoder as BitStringEncoder -def BitStringEncoder_encodeValue32(self, value, asn1Spec, encodeFun, **options): + + +def BitStringEncoder_encodeValue32( + self, value, asn1Spec, encodeFun, **options): # # BitStrings like KDCOptions or TicketFlags should at least # be 32-Bit on the wire @@ -59,14 +62,17 @@ def BitStringEncoder_encodeValue32(self, value, asn1Spec, encodeFun, **options): padding = 0 ret = b'\x00' + substrate + (b'\x00' * padding) return ret, False, True + + BitStringEncoder.encodeValue = BitStringEncoder_encodeValue32 + def BitString_NamedValues_prettyPrint(self, scope=0): ret = "%s" % self.asBinary() bits = [] highest_bit = 32 for byte in self.asNumbers(): - for bit in [7,6,5,4,3,2,1,0]: + for bit in [7, 6, 5, 4, 3, 2, 1, 0]: mask = 1 << bit if byte & mask: val = 1 @@ -89,12 +95,21 @@ def BitString_NamedValues_prettyPrint(self, scope=0): delim = ",\n%s " % indent ret += "\n%s)" % indent return ret -krb5_asn1.TicketFlags.prettyPrintNamedValues = krb5_asn1.TicketFlagsValues.namedValues -krb5_asn1.TicketFlags.namedValues = krb5_asn1.TicketFlagsValues.namedValues -krb5_asn1.TicketFlags.prettyPrint = BitString_NamedValues_prettyPrint -krb5_asn1.KDCOptions.prettyPrintNamedValues = krb5_asn1.KDCOptionsValues.namedValues -krb5_asn1.KDCOptions.namedValues = krb5_asn1.KDCOptionsValues.namedValues -krb5_asn1.KDCOptions.prettyPrint = BitString_NamedValues_prettyPrint + + +krb5_asn1.TicketFlags.prettyPrintNamedValues =\ + krb5_asn1.TicketFlagsValues.namedValues +krb5_asn1.TicketFlags.namedValues =\ + krb5_asn1.TicketFlagsValues.namedValues +krb5_asn1.TicketFlags.prettyPrint =\ + BitString_NamedValues_prettyPrint +krb5_asn1.KDCOptions.prettyPrintNamedValues =\ + krb5_asn1.KDCOptionsValues.namedValues +krb5_asn1.KDCOptions.namedValues =\ + krb5_asn1.KDCOptionsValues.namedValues +krb5_asn1.KDCOptions.prettyPrint =\ + BitString_NamedValues_prettyPrint + def Integer_NamedValues_prettyPrint(self, scope=0): intval = int(self) @@ -104,16 +119,29 @@ def Integer_NamedValues_prettyPrint(self, scope=0): name = "<__unknown__>" ret = "%d (0x%x) %s" % (intval, intval, name) return ret -krb5_asn1.NameType.prettyPrintNamedValues = krb5_asn1.NameTypeValues.namedValues -krb5_asn1.NameType.prettyPrint = Integer_NamedValues_prettyPrint -krb5_asn1.AuthDataType.prettyPrintNamedValues = krb5_asn1.AuthDataTypeValues.namedValues -krb5_asn1.AuthDataType.prettyPrint = Integer_NamedValues_prettyPrint -krb5_asn1.PADataType.prettyPrintNamedValues = krb5_asn1.PADataTypeValues.namedValues -krb5_asn1.PADataType.prettyPrint = Integer_NamedValues_prettyPrint -krb5_asn1.EncryptionType.prettyPrintNamedValues = krb5_asn1.EncryptionTypeValues.namedValues -krb5_asn1.EncryptionType.prettyPrint = Integer_NamedValues_prettyPrint -krb5_asn1.ChecksumType.prettyPrintNamedValues = krb5_asn1.ChecksumTypeValues.namedValues -krb5_asn1.ChecksumType.prettyPrint = Integer_NamedValues_prettyPrint + + +krb5_asn1.NameType.prettyPrintNamedValues =\ + krb5_asn1.NameTypeValues.namedValues +krb5_asn1.NameType.prettyPrint =\ + Integer_NamedValues_prettyPrint +krb5_asn1.AuthDataType.prettyPrintNamedValues =\ + krb5_asn1.AuthDataTypeValues.namedValues +krb5_asn1.AuthDataType.prettyPrint =\ + Integer_NamedValues_prettyPrint +krb5_asn1.PADataType.prettyPrintNamedValues =\ + krb5_asn1.PADataTypeValues.namedValues +krb5_asn1.PADataType.prettyPrint =\ + Integer_NamedValues_prettyPrint +krb5_asn1.EncryptionType.prettyPrintNamedValues =\ + krb5_asn1.EncryptionTypeValues.namedValues +krb5_asn1.EncryptionType.prettyPrint =\ + Integer_NamedValues_prettyPrint +krb5_asn1.ChecksumType.prettyPrintNamedValues =\ + krb5_asn1.ChecksumTypeValues.namedValues +krb5_asn1.ChecksumType.prettyPrint =\ + Integer_NamedValues_prettyPrint + class Krb5EncryptionKey(object): def __init__(self, key, kvno): @@ -146,9 +174,10 @@ class Krb5EncryptionKey(object): EncryptionKey_obj = { 'keytype': self.etype, 'keyvalue': self.key.contents, - }; + } return EncryptionKey_obj + class RawKerberosTest(TestCase): """A raw Kerberos Test case.""" @@ -182,13 +211,13 @@ class RawKerberosTest(TestCase): self.s = socket.socket(self.a[0][0], self.a[0][1], self.a[0][2]) self.s.settimeout(10) self.s.connect(self.a[0][4]) - except socket.error as e: + except socket.error: self.s.close() raise - except IOError as e: + except IOError: self.s.close() raise - except Exception as e: + except Exception: raise finally: pass @@ -219,8 +248,9 @@ class RawKerberosTest(TestCase): domain = samba.tests.env_get_var_value('DOMAIN') realm = samba.tests.env_get_var_value('REALM') username = samba.tests.env_get_var_value('SERVICE_USERNAME') - password = samba.tests.env_get_var_value('SERVICE_PASSWORD', - allow_missing=allow_missing_password) + password = samba.tests.env_get_var_value( + 'SERVICE_PASSWORD', + allow_missing=allow_missing_password) c.set_domain(domain) c.set_realm(realm) c.set_username(username) @@ -246,21 +276,34 @@ class RawKerberosTest(TestCase): if hexdump is None: hexdump = self.do_hexdump if hexdump: - sys.stderr.write("%s: %d\n%s" % (name, len(blob), self.hexdump(blob))) + sys.stderr.write( + "%s: %d\n%s" % (name, len(blob), self.hexdump(blob))) - def der_decode(self, blob, asn1Spec=None, native_encode=True, asn1_print=None, hexdump=None): + def der_decode( + self, + blob, + asn1Spec=None, + native_encode=True, + asn1_print=None, + hexdump=None): if asn1Spec is not None: class_name = type(asn1Spec).__name__.split(':')[0] else: class_name = "" self.hex_dump(class_name, blob, hexdump=hexdump) - obj,_ = pyasn1_der_decode(blob, asn1Spec=asn1Spec) + obj, _ = pyasn1_der_decode(blob, asn1Spec=asn1Spec) self.asn1_dump(None, obj, asn1_print=asn1_print) if native_encode: obj = pyasn1_native_encode(obj) return obj - def der_encode(self, obj, asn1Spec=None, native_decode=True, asn1_print=None, hexdump=None): + def der_encode( + self, + obj, + asn1Spec=None, + native_decode=True, + asn1_print=None, + hexdump=None): if native_decode: obj = pyasn1_native_decode(obj, asn1Spec=asn1Spec) class_name = type(obj).__name__.split(':')[0] @@ -273,7 +316,8 @@ class RawKerberosTest(TestCase): def send_pdu(self, req, asn1_print=None, hexdump=None): try: - k5_pdu = self.der_encode(req, native_decode=False, asn1_print=asn1_print, hexdump=False) + k5_pdu = self.der_encode( + req, native_decode=False, asn1_print=asn1_print, hexdump=False) header = struct.pack('>I', len(k5_pdu)) req_pdu = header req_pdu += k5_pdu @@ -304,7 +348,7 @@ class RawKerberosTest(TestCase): self._disconnect("recv_raw: EOF") return None self.hex_dump("recv_raw", rep_pdu, hexdump=hexdump) - except socket.timeout as e: + except socket.timeout: self.s.settimeout(10) sys.stderr.write("recv_raw: TIMEOUT\n") pass @@ -322,7 +366,8 @@ class RawKerberosTest(TestCase): rep_pdu = None rep = None try: - raw_pdu = self.recv_raw(num_recv=4, hexdump=hexdump, timeout=timeout) + raw_pdu = self.recv_raw( + num_recv=4, hexdump=hexdump, timeout=timeout) if raw_pdu is None: return (None, None) header = struct.unpack(">I", raw_pdu[0:4]) @@ -332,22 +377,27 @@ class RawKerberosTest(TestCase): missing = k5_len rep_pdu = b'' while missing > 0: - raw_pdu = self.recv_raw(num_recv=missing, hexdump=hexdump, timeout=timeout) + raw_pdu = self.recv_raw( + num_recv=missing, hexdump=hexdump, timeout=timeout) self.assertGreaterEqual(len(raw_pdu), 1) rep_pdu += raw_pdu missing = k5_len - len(rep_pdu) - k5_raw = self.der_decode(rep_pdu, asn1Spec=None, native_encode=False, - asn1_print=False, hexdump=False) - pvno=k5_raw['field-0'] + k5_raw = self.der_decode( + rep_pdu, + asn1Spec=None, + native_encode=False, + asn1_print=False, + hexdump=False) + pvno = k5_raw['field-0'] self.assertEqual(pvno, 5) - msg_type=k5_raw['field-1'] - self.assertIn(msg_type, [11,13,30]) + msg_type = k5_raw['field-1'] + self.assertIn(msg_type, [11, 13, 30]) if msg_type == 11: - asn1Spec=krb5_asn1.AS_REP() + asn1Spec = krb5_asn1.AS_REP() elif msg_type == 13: - asn1Spec=krb5_asn1.TGS_REP() + asn1Spec = krb5_asn1.TGS_REP() elif msg_type == 30: - asn1Spec=krb5_asn1.KRB_ERROR() + asn1Spec = krb5_asn1.KRB_ERROR() rep = self.der_decode(rep_pdu, asn1Spec=asn1Spec, asn1_print=asn1_print, hexdump=False) finally: @@ -368,11 +418,17 @@ class RawKerberosTest(TestCase): self.assertIsNone(self.s, msg="Is connected") return - def send_recv_transaction(self, req, asn1_print=None, hexdump=None, timeout=None): + def send_recv_transaction( + self, + req, + asn1_print=None, + hexdump=None, + timeout=None): self.connect() try: self.send_pdu(req, asn1_print=asn1_print, hexdump=hexdump) - rep = self.recv_pdu(asn1_print=asn1_print, hexdump=hexdump, timeout=timeout) + rep = self.recv_pdu( + asn1_print=asn1_print, hexdump=hexdump, timeout=timeout) except Exception: self._disconnect("transaction failed") raise @@ -389,11 +445,15 @@ class RawKerberosTest(TestCase): def assertPrincipalEqual(self, princ1, princ2): self.assertEqual(princ1['name-type'], princ2['name-type']) - self.assertEqual(len(princ1['name-string']), len(princ2['name-string']), - msg="princ1=%s != princ2=%s" % (princ1, princ2)) + self.assertEqual( + len(princ1['name-string']), + len(princ2['name-string']), + msg="princ1=%s != princ2=%s" % (princ1, princ2)) for idx in range(len(princ1['name-string'])): - self.assertEqual(princ1['name-string'][idx], princ2['name-string'][idx], - msg="princ1=%s != princ2=%s" % (princ1, princ2)) + self.assertEqual( + princ1['name-string'][idx], + princ2['name-string'][idx], + msg="princ1=%s != princ2=%s" % (princ1, princ2)) return def get_KerberosTimeWithUsec(self, epoch=None, offset=None): @@ -421,7 +481,7 @@ class RawKerberosTest(TestCase): salt = None try: salt = etype_info2['salt'] - except: + except Exception: pass if e == kcrypto.Enctype.RC4: @@ -429,7 +489,8 @@ class RawKerberosTest(TestCase): return self.SessionKey_create(etype=e, contents=nthash, kvno=kvno) password = creds.get_password() - return self.PasswordKey_create(etype=e, pwd=password, salt=salt, kvno=kvno) + return self.PasswordKey_create( + etype=e, pwd=password, salt=salt, kvno=kvno) def RandomKey(self, etype): e = kcrypto._get_enctype_profile(etype) @@ -452,14 +513,14 @@ class RawKerberosTest(TestCase): 'cipher': ciphertext } if key.kvno is not None: - EncryptedData_obj['kvno'] = key.kvno + EncryptedData_obj['kvno'] = key.kvno return EncryptedData_obj def Checksum_create(self, key, usage, plaintext, ctype=None): - #Checksum ::= SEQUENCE { + # Checksum ::= SEQUENCE { # cksumtype [0] Int32, # checksum [1] OCTET STRING - #} + # } if ctype is None: ctype = key.ctype checksum = key.make_checksum(usage, plaintext, ctype=ctype) @@ -494,10 +555,10 @@ class RawKerberosTest(TestCase): return PA_DATA_obj def PA_ENC_TS_ENC_create(self, ts, usec): - #PA-ENC-TS-ENC ::= SEQUENCE { + # PA-ENC-TS-ENC ::= SEQUENCE { # patimestamp[0] KerberosTime, -- client's time # pausec[1] krb5int32 OPTIONAL - #} + # } PA_ENC_TS_ENC_obj = { 'patimestamp': ts, 'pausec': usec, @@ -520,7 +581,7 @@ class RawKerberosTest(TestCase): additional_tickets, asn1_print=None, hexdump=None): - #KDC-REQ-BODY ::= SEQUENCE { + # KDC-REQ-BODY ::= SEQUENCE { # kdc-options [0] KDCOptions, # cname [1] PrincipalName OPTIONAL # -- Used only in AS-REQ --, @@ -532,20 +593,23 @@ class RawKerberosTest(TestCase): # till [5] KerberosTime, # rtime [6] KerberosTime OPTIONAL, # nonce [7] UInt32, - # etype [8] SEQUENCE OF Int32 -- EncryptionType + # etype [8] SEQUENCE OF Int32 + # -- EncryptionType # -- in preference order --, # addresses [9] HostAddresses OPTIONAL, # enc-authorization-data [10] EncryptedData OPTIONAL # -- AuthorizationData --, # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL # -- NOTE: not empty - #} + # } if EncAuthorizationData is not None: - enc_ad_plain = self.der_encode(EncAuthorizationData, - asn1Spec=krb5_asn1.AuthorizationData(), - asn1_print=asn1_print, - hexdump=hexdump) - enc_ad = self.EncryptedData_create(EncAuthorizationData_key, enc_ad_plain) + enc_ad_plain = self.der_encode( + EncAuthorizationData, + asn1Spec=krb5_asn1.AuthorizationData(), + asn1_print=asn1_print, + hexdump=hexdump) + enc_ad = self.EncryptedData_create( + EncAuthorizationData_key, enc_ad_plain) else: enc_ad = None KDC_REQ_BODY_obj = { @@ -590,14 +654,14 @@ class RawKerberosTest(TestCase): asn1Spec=None, asn1_print=None, hexdump=None): - #KDC-REQ ::= SEQUENCE { + # KDC-REQ ::= SEQUENCE { # -- NOTE: first tag is [1], not [0] # pvno [1] INTEGER (5) , # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), # padata [3] SEQUENCE OF PA-DATA OPTIONAL # -- NOTE: not empty --, # req-body [4] KDC-REQ-BODY - #} + # } # KDC_REQ_BODY_obj = self.KDC_REQ_BODY_create(kdc_options, cname, @@ -622,39 +686,40 @@ class RawKerberosTest(TestCase): if padata is not None: KDC_REQ_obj['padata'] = padata if asn1Spec is not None: - KDC_REQ_decoded = pyasn1_native_decode(KDC_REQ_obj, asn1Spec=asn1Spec) + KDC_REQ_decoded = pyasn1_native_decode( + KDC_REQ_obj, asn1Spec=asn1Spec) else: KDC_REQ_decoded = None return KDC_REQ_obj, KDC_REQ_decoded def AS_REQ_create(self, - padata, # optional - kdc_options, # required - cname, # optional - realm, # required - sname, # optional - from_time, # optional - till_time, # required - renew_time, # optional - nonce, # required - etypes, # required - addresses, # optional + padata, # optional + kdc_options, # required + cname, # optional + realm, # required + sname, # optional + from_time, # optional + till_time, # required + renew_time, # optional + nonce, # required + etypes, # required + addresses, # optional EncAuthorizationData, EncAuthorizationData_key, additional_tickets, native_decoded_only=True, asn1_print=None, hexdump=None): - #KDC-REQ ::= SEQUENCE { + # KDC-REQ ::= SEQUENCE { # -- NOTE: first tag is [1], not [0] # pvno [1] INTEGER (5) , # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), # padata [3] SEQUENCE OF PA-DATA OPTIONAL # -- NOTE: not empty --, # req-body [4] KDC-REQ-BODY - #} + # } # - #KDC-REQ-BODY ::= SEQUENCE { + # KDC-REQ-BODY ::= SEQUENCE { # kdc-options [0] KDCOptions, # cname [1] PrincipalName OPTIONAL # -- Used only in AS-REQ --, @@ -666,32 +731,34 @@ class RawKerberosTest(TestCase): # till [5] KerberosTime, # rtime [6] KerberosTime OPTIONAL, # nonce [7] UInt32, - # etype [8] SEQUENCE OF Int32 -- EncryptionType + # etype [8] SEQUENCE OF Int32 + # -- EncryptionType # -- in preference order --, # addresses [9] HostAddresses OPTIONAL, # enc-authorization-data [10] EncryptedData OPTIONAL # -- AuthorizationData --, # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL # -- NOTE: not empty - #} - obj,decoded = self.KDC_REQ_create(msg_type=10, - padata=padata, - kdc_options=kdc_options, - cname=cname, - realm=realm, - sname=sname, - from_time=from_time, - till_time=till_time, - renew_time=renew_time, - nonce=nonce, - etypes=etypes, - addresses=addresses, - EncAuthorizationData=EncAuthorizationData, - EncAuthorizationData_key=EncAuthorizationData_key, - additional_tickets=additional_tickets, - asn1Spec=krb5_asn1.AS_REQ(), - asn1_print=asn1_print, - hexdump=hexdump) + # } + obj, decoded = self.KDC_REQ_create( + msg_type=10, + padata=padata, + kdc_options=kdc_options, + cname=cname, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets, + asn1Spec=krb5_asn1.AS_REQ(), + asn1_print=asn1_print, + hexdump=hexdump) if native_decoded_only: return decoded return decoded, obj @@ -703,7 +770,7 @@ class RawKerberosTest(TestCase): # ap-options [2] APOptions, # ticket [3] Ticket, # authenticator [4] EncryptedData -- Authenticator - #} + # } AP_REQ_obj = { 'pvno': 5, 'msg-type': 14, @@ -713,8 +780,9 @@ class RawKerberosTest(TestCase): } return AP_REQ_obj - def Authenticator_create(self, crealm, cname, cksum, cusec, ctime, subkey, seq_number, - authorization_data): + def Authenticator_create( + self, crealm, cname, cksum, cusec, ctime, subkey, seq_number, + authorization_data): # -- Unencrypted authenticator # Authenticator ::= [APPLICATION 2] SEQUENCE { # authenticator-vno [0] INTEGER (5), @@ -726,7 +794,7 @@ class RawKerberosTest(TestCase): # subkey [6] EncryptionKey OPTIONAL, # seq-number [7] UInt32 OPTIONAL, # authorization-data [8] AuthorizationData OPTIONAL - #} + # } Authenticator_obj = { 'authenticator-vno': 5, 'crealm': crealm, @@ -745,20 +813,20 @@ class RawKerberosTest(TestCase): return Authenticator_obj def TGS_REQ_create(self, - padata, # optional + padata, # optional cusec, ctime, ticket, - kdc_options, # required - cname, # optional - realm, # required - sname, # optional - from_time, # optional - till_time, # required - renew_time, # optional - nonce, # required - etypes, # required - addresses, # optional + kdc_options, # required + cname, # optional + realm, # required + sname, # optional + from_time, # optional + till_time, # required + renew_time, # optional + nonce, # required + etypes, # required + addresses, # optional EncAuthorizationData, EncAuthorizationData_key, additional_tickets, @@ -768,16 +836,16 @@ class RawKerberosTest(TestCase): native_decoded_only=True, asn1_print=None, hexdump=None): - #KDC-REQ ::= SEQUENCE { + # KDC-REQ ::= SEQUENCE { # -- NOTE: first tag is [1], not [0] # pvno [1] INTEGER (5) , # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), # padata [3] SEQUENCE OF PA-DATA OPTIONAL # -- NOTE: not empty --, # req-body [4] KDC-REQ-BODY - #} + # } # - #KDC-REQ-BODY ::= SEQUENCE { + # KDC-REQ-BODY ::= SEQUENCE { # kdc-options [0] KDCOptions, # cname [1] PrincipalName OPTIONAL # -- Used only in AS-REQ --, @@ -789,50 +857,57 @@ class RawKerberosTest(TestCase): # till [5] KerberosTime, # rtime [6] KerberosTime OPTIONAL, # nonce [7] UInt32, - # etype [8] SEQUENCE OF Int32 -- EncryptionType + # etype [8] SEQUENCE OF Int32 + # -- EncryptionType # -- in preference order --, # addresses [9] HostAddresses OPTIONAL, # enc-authorization-data [10] EncryptedData OPTIONAL # -- AuthorizationData --, # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL # -- NOTE: not empty - #} + # } - req_body = self.KDC_REQ_BODY_create(kdc_options=kdc_options, - cname=None, - realm=realm, - sname=sname, - from_time=from_time, - till_time=till_time, - renew_time=renew_time, - nonce=nonce, - etypes=etypes, - addresses=addresses, - EncAuthorizationData=EncAuthorizationData, - EncAuthorizationData_key=EncAuthorizationData_key, - additional_tickets=additional_tickets) + req_body = self.KDC_REQ_BODY_create( + kdc_options=kdc_options, + cname=None, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets) req_body = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(), asn1_print=asn1_print, hexdump=hexdump) - req_body_checksum = self.Checksum_create(ticket_session_key, 6, req_body, - ctype=body_checksum_type) + req_body_checksum = self.Checksum_create( + ticket_session_key, 6, req_body, ctype=body_checksum_type) subkey_obj = None if authenticator_subkey is not None: subkey_obj = authenticator_subkey.export_obj() seq_number = random.randint(0, 0xfffffffe) - authenticator = self.Authenticator_create(crealm=realm, - cname=cname, - cksum=req_body_checksum, - cusec=cusec, - ctime=ctime, - subkey=subkey_obj, - seq_number=seq_number, - authorization_data=None) - authenticator = self.der_encode(authenticator, asn1Spec=krb5_asn1.Authenticator(), - asn1_print=asn1_print, hexdump=hexdump) + authenticator = self.Authenticator_create( + crealm=realm, + cname=cname, + cksum=req_body_checksum, + cusec=cusec, + ctime=ctime, + subkey=subkey_obj, + seq_number=seq_number, + authorization_data=None) + authenticator = self.der_encode( + authenticator, + asn1Spec=krb5_asn1.Authenticator(), + asn1_print=asn1_print, + hexdump=hexdump) - authenticator = self.EncryptedData_create(ticket_session_key, 7, authenticator) + authenticator = self.EncryptedData_create( + ticket_session_key, 7, authenticator) ap_options = krb5_asn1.APOptions('0') ap_req = self.AP_REQ_create(ap_options=str(ap_options), @@ -846,24 +921,25 @@ class RawKerberosTest(TestCase): else: padata = [pa_tgs_req] - obj,decoded = self.KDC_REQ_create(msg_type=12, - padata=padata, - kdc_options=kdc_options, - cname=None, - realm=realm, - sname=sname, - from_time=from_time, - till_time=till_time, - renew_time=renew_time, - nonce=nonce, - etypes=etypes, - addresses=addresses, - EncAuthorizationData=EncAuthorizationData, - EncAuthorizationData_key=EncAuthorizationData_key, - additional_tickets=additional_tickets, - asn1Spec=krb5_asn1.TGS_REQ(), - asn1_print=asn1_print, - hexdump=hexdump) + obj, decoded = self.KDC_REQ_create( + msg_type=12, + padata=padata, + kdc_options=kdc_options, + cname=None, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets, + asn1Spec=krb5_asn1.TGS_REQ(), + asn1_print=asn1_print, + hexdump=hexdump) if native_decoded_only: return decoded return decoded, obj @@ -888,5 +964,6 @@ class RawKerberosTest(TestCase): 'cksum': cksum, 'auth': "Kerberos", } - pa_s4u2self = self.der_encode(PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self()) + pa_s4u2self = self.der_encode( + PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self()) return self.PA_DATA_create(129, pa_s4u2self) diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index 9de56578c99..5bbf1229d09 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -38,31 +38,31 @@ PADATA_ETYPE_INFO2 = int( # Error codes KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 -KDC_ERR_PREAUTH_FAILED = 24 -KDC_ERR_PREAUTH_REQUIRED = 25 -KDC_ERR_BADMATCH = 36 -KDC_ERR_SKEW = 37 +KDC_ERR_PREAUTH_FAILED = 24 +KDC_ERR_PREAUTH_REQUIRED = 25 +KDC_ERR_BADMATCH = 36 +KDC_ERR_SKEW = 37 # Name types -NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) +NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) -NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) +NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues( 'kRB5-NT-ENTERPRISE-PRINCIPAL')) # Authorization data ad-type values -AD_IF_RELEVANT = 1 -AD_INTENDED_FOR_SERVER = 2 +AD_IF_RELEVANT = 1 +AD_INTENDED_FOR_SERVER = 2 AD_INTENDED_FOR_APPLICATION_CLASS = 3 -AD_KDC_ISSUED = 4 -AD_AND_OR = 5 -AD_MANDATORY_TICKET_EXTENSIONS = 6 -AD_IN_TICKET_EXTENSIONS = 7 -AD_MANDATORY_FOR_KDC = 8 -AD_INITIAL_VERIFIED_CAS = 9 -AD_WIN2K_PAC = 128 -AD_SIGNTICKET = 512 +AD_KDC_ISSUED = 4 +AD_AND_OR = 5 +AD_MANDATORY_TICKET_EXTENSIONS = 6 +AD_IN_TICKET_EXTENSIONS = 7 +AD_MANDATORY_FOR_KDC = 8 +AD_INITIAL_VERIFIED_CAS = 9 +AD_WIN2K_PAC = 128 +AD_SIGNTICKET = 512 # Key usage numbers # RFC 4120 Section 7.5.1. Key Usage Numbers diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index 2e1bd3fbe1f..30a58d6345a 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -35,6 +35,7 @@ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 global_asn1_print = False global_hexdump = False + class S4UKerberosTests(RawKerberosTest): def setUp(self): @@ -55,7 +56,7 @@ class S4UKerberosTests(RawKerberosTest): kdc_options = krb5_asn1.KDCOptions('forwardable') padata = None - etypes=(18,17,23) + etypes = (18, 17, 23) req = self.AS_REQ_create(padata=padata, kdc_options=str(kdc_options), @@ -76,14 +77,16 @@ class S4UKerberosTests(RawKerberosTest): self.assertEqual(rep['msg-type'], 30) self.assertEqual(rep['error-code'], 25) - rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + rep_padata = self.der_decode( + rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) for pa in rep_padata: if pa['padata-type'] == 19: etype_info2 = pa['padata-value'] break - etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + etype_info2 = self.der_decode( + etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) key = self.PasswordKey_from_etype_info2(service_creds, etype_info2[0]) @@ -120,7 +123,8 @@ class S4UKerberosTests(RawKerberosTest): self.assertEqual(msg_type, 11) enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) # S4U2Self Request sname = cname @@ -167,11 +171,13 @@ class S4UKerberosTests(RawKerberosTest): if msg_type == 13: enc_part2 = subkey.decrypt( KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) return msg_type - # Using the checksum type from the tgt_session_key happens to work everywhere + # Using the checksum type from the tgt_session_key happens to work + # everywhere def test_s4u2self(self): msg_type = self._test_s4u2self() self.assertEqual(msg_type, 13) @@ -193,6 +199,7 @@ class S4UKerberosTests(RawKerberosTest): msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.CRC32) self.assertEqual(msg_type, 30) + if __name__ == "__main__": global_asn1_print = True global_hexdump = True diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py index 6c090af3d46..889b91a9bf0 100755 --- a/python/samba/tests/krb5/simple_tests.py +++ b/python/samba/tests/krb5/simple_tests.py @@ -33,6 +33,7 @@ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 global_asn1_print = False global_hexdump = False + class SimpleKerberosTests(RawKerberosTest): def setUp(self): @@ -53,7 +54,7 @@ class SimpleKerberosTests(RawKerberosTest): kdc_options = krb5_asn1.KDCOptions('forwardable') padata = None - etypes=(18,17,23) + etypes = (18, 17, 23) req = self.AS_REQ_create(padata=padata, kdc_options=str(kdc_options), @@ -74,14 +75,16 @@ class SimpleKerberosTests(RawKerberosTest): self.assertEqual(rep['msg-type'], 30) self.assertEqual(rep['error-code'], 25) - rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + rep_padata = self.der_decode( + rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) for pa in rep_padata: if pa['padata-type'] == 19: etype_info2 = pa['padata-value'] break - etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + etype_info2 = self.der_decode( + etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) @@ -119,17 +122,21 @@ class SimpleKerberosTests(RawKerberosTest): enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) - # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 + # MIT KDC encodes both EncASRepPart and EncTGSRepPart with + # application tag 26 try: - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) except Exception: - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) # TGS Request service_creds = self.get_service_creds(allow_missing_password=True) service_name = service_creds.get_username() - sname = self.PrincipalName_create(name_type=2, names=["host", service_name]) + sname = self.PrincipalName_create( + name_type=2, names=["host", service_name]) kdc_options = krb5_asn1.KDCOptions('forwardable') till = self.get_KerberosTime(offset=36000) ticket = rep['ticket'] @@ -167,7 +174,8 @@ class SimpleKerberosTests(RawKerberosTest): enc_part2 = subkey.decrypt( KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) return diff --git a/python/samba/tests/krb5/xrealm_tests.py b/python/samba/tests/krb5/xrealm_tests.py index b4a02bff33a..efb953bdf7e 100755 --- a/python/samba/tests/krb5/xrealm_tests.py +++ b/python/samba/tests/krb5/xrealm_tests.py @@ -34,6 +34,7 @@ import samba.tests global_asn1_print = False global_hexdump = False + class XrealmKerberosTests(RawKerberosTest): def setUp(self): @@ -54,7 +55,7 @@ class XrealmKerberosTests(RawKerberosTest): kdc_options = krb5_asn1.KDCOptions('forwardable') padata = None - etypes=(18,17,23) + etypes = (18, 17, 23) req = self.AS_REQ_create(padata=padata, kdc_options=str(kdc_options), @@ -75,14 +76,16 @@ class XrealmKerberosTests(RawKerberosTest): self.assertEqual(rep['msg-type'], 30) self.assertEqual(rep['error-code'], 25) - rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + rep_padata = self.der_decode( + rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) for pa in rep_padata: if pa['padata-type'] == 19: etype_info2 = pa['padata-value'] break - etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + etype_info2 = self.der_decode( + etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) @@ -120,15 +123,19 @@ class XrealmKerberosTests(RawKerberosTest): enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) - # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 + # MIT KDC encodes both EncASRepPart and EncTGSRepPart with + # application tag 26 try: - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) except Exception: - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) # TGS Request (for cross-realm TGT) trust_realm = samba.tests.env_get_var_value('TRUST_REALM') - sname = self.PrincipalName_create(name_type=2, names=["krbtgt", trust_realm]) + sname = self.PrincipalName_create( + name_type=2, names=["krbtgt", trust_realm]) kdc_options = krb5_asn1.KDCOptions('forwardable') till = self.get_KerberosTime(offset=36000) @@ -167,10 +174,11 @@ class XrealmKerberosTests(RawKerberosTest): enc_part2 = subkey.decrypt( KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) # Check the forwardable flag - fwd_pos = len(tuple(krb5_asn1.TicketFlags('forwardable'))) -1 + fwd_pos = len(tuple(krb5_asn1.TicketFlags('forwardable'))) - 1 assert(krb5_asn1.TicketFlags(enc_part2['flags'])[fwd_pos]) return -- 2.35.0 From c387eb556527d3cdd93344f6ec2c867830a16359 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 16 Apr 2021 17:22:12 +0200 Subject: [PATCH 064/686] librpc: Add py_descriptor_richcmp() equality function Only a python3 version. Do we still need the python2 flavor? Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 439b7ccdc1b1c91c66c1a7c83e340fa044c26377) --- source4/librpc/ndr/py_security.c | 37 ++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/source4/librpc/ndr/py_security.c b/source4/librpc/ndr/py_security.c index eb5224dc243..79a9fa5ac11 100644 --- a/source4/librpc/ndr/py_security.c +++ b/source4/librpc/ndr/py_security.c @@ -308,9 +308,46 @@ static PyMethodDef py_descriptor_extra_methods[] = { { NULL } }; +static PyObject *py_descriptor_richcmp( + PyObject *py_self, PyObject *py_other, int op) +{ + struct security_descriptor *self = pytalloc_get_ptr(py_self); + struct security_descriptor *other = pytalloc_get_ptr(py_other); + bool eq; + + if (other == NULL) { + Py_INCREF(Py_NotImplemented); + return Py_NotImplemented; + } + + eq = security_descriptor_equal(self, other); + + switch(op) { + case Py_EQ: + if (eq) { + Py_RETURN_TRUE; + } else { + Py_RETURN_FALSE; + } + break; + case Py_NE: + if (eq) { + Py_RETURN_FALSE; + } else { + Py_RETURN_TRUE; + } + break; + default: + break; + } + + return Py_NotImplemented; +} + static void py_descriptor_patch(PyTypeObject *type) { type->tp_new = py_descriptor_new; + type->tp_richcompare = py_descriptor_richcmp; PyType_AddMethods(type, py_descriptor_extra_methods); } -- 2.35.0 From 8cf85f2c70af5f99253388ea694874f0a3cb57bf Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Wed, 17 Feb 2021 12:15:50 +1300 Subject: [PATCH 065/686] tests python krb5: MS-KILE client principal look-up Tests of [MS-KILE]: Kerberos Protocol Extensions section 3.3.5.6.1 Client Principal Lookup Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett Reviewed-by: Isaac Boukris BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Apr 12 00:38:26 UTC 2021 on sn-devel-184 (cherry picked from commit 768d48fca9f8c7527c0d12e7acc8942b5fd36ac2) --- python/samba/tests/krb5/kdc_base_test.py | 29 +- .../ms_kile_client_principal_lookup_tests.py | 814 ++++++++++++++++++ python/samba/tests/usage.py | 1 + selftest/knownfail_heimdal_kdc | 12 + selftest/knownfail_mit_kdc | 16 + source4/selftest/tests.py | 3 + 6 files changed, 874 insertions(+), 1 deletion(-) create mode 100755 python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index bef5458c881..1c7f05dda6d 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -22,6 +22,7 @@ import os sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" from collections import namedtuple +import ldb from ldb import SCOPE_BASE from samba import generate_random_password from samba.auth import system_session @@ -103,7 +104,7 @@ class KDCBaseTest(RawKerberosTest): for dn in self.accounts: delete_force(self.ldb, dn) - def create_account(self, name, machine_account=False, spn=None): + def create_account(self, name, machine_account=False, spn=None, upn=None): '''Create an account for testing. The dn of the created account is added to self.accounts, which is used by tearDown to clean up the created accounts. @@ -133,6 +134,8 @@ class KDCBaseTest(RawKerberosTest): "unicodePwd": utf16pw} if spn is not None: details["servicePrincipalName"] = spn + if upn is not None: + details["userPrincipalName"] = upn self.ldb.add(details) creds = Credentials() @@ -418,3 +421,27 @@ class KDCBaseTest(RawKerberosTest): self.assertTrue(len(res) == 1, "did not get objectSid for %s" % dn) sid = self.ldb.schema_format_value("objectSID", res[0]["objectSID"][0]) return sid.decode('utf8') + + def add_attribute(self, dn_str, name, value): + if isinstance(value, list): + values = value + else: + values = [value] + flag = ldb.FLAG_MOD_ADD + + dn = ldb.Dn(self.ldb, dn_str) + msg = ldb.Message(dn) + msg[name] = ldb.MessageElement(values, flag, name) + self.ldb.modify(msg) + + def modify_attribute(self, dn_str, name, value): + if isinstance(value, list): + values = value + else: + values = [value] + flag = ldb.FLAG_MOD_REPLACE + + dn = ldb.Dn(self.ldb, dn_str) + msg = ldb.Message(dn) + msg[name] = ldb.MessageElement(values, flag, name) + self.ldb.modify(msg) diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py new file mode 100755 index 00000000000..356a25f8e18 --- /dev/null +++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py @@ -0,0 +1,814 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2020 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.dsdb import UF_NORMAL_ACCOUNT, UF_DONT_REQUIRE_PREAUTH +from samba.tests.krb5.kdc_base_test import KDCBaseTest +from samba.tests.krb5.rfc4120_constants import ( + AES256_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, + NT_ENTERPRISE_PRINCIPAL, + NT_PRINCIPAL, + NT_SRV_INST, + KDC_ERR_C_PRINCIPAL_UNKNOWN, +) + +global_asn1_print = False +global_hexdump = False + + +class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): + ''' Tests for MS-KILE client principal look-up + See [MS-KILE]: Kerberos Protocol Extensions + secion 3.3.5.6.1 Client Principal Lookup + ''' + + def setUp(self): + super().setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def check_pac(self, auth_data, dn, uc, name, upn=None): + + pac_data = self.get_pac_data(auth_data) + sid = self.get_objectSid(dn) + if upn is None: + upn = "%s@%s" % (name, uc.get_realm().lower()) + if name.endswith('$'): + name = name[:-1] + + self.assertEqual( + uc.get_username(), + str(pac_data.account_name), + "pac_data = {%s}" % str(pac_data)) + self.assertEqual( + name, + pac_data.logon_name, + "pac_data = {%s}" % str(pac_data)) + self.assertEqual( + uc.get_realm(), + pac_data.domain_name, + "pac_data = {%s}" % str(pac_data)) + self.assertEqual( + upn, + pac_data.upn, + "pac_data = {%s}" % str(pac_data)) + self.assertEqual( + sid, + pac_data.account_sid, + "pac_data = {%s}" % str(pac_data)) + + def test_nt_principal_step_1(self): + ''' Step 1 + For an NT_PRINCIPAL cname with no realm or the realm matches the + DC's domain + search for an account with the + sAMAccountName matching the cname. + ''' + + # Create user and machine accounts for the test. + # + user_name = "mskileusr" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac(enc_part['authorization-data'], dn, uc, user_name) + # check the crealm and cname + cname = enc_part['cname'] + self.assertEqual(NT_PRINCIPAL, cname['name-type']) + self.assertEqual(user_name.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + + def test_nt_principal_step_2(self): + ''' Step 2 + If not found + search for sAMAccountName equal to the cname + "$" + + ''' + + # Create a machine account for the test. + # + user_name = "mskilemac" + (mc, dn) = self.create_account(user_name, machine_account=True) + realm = mc.get_realm().lower() + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(mc, rep) + key = self.get_as_rep_key(mc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, mc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac(enc_part['authorization-data'], dn, mc, mach_name + '$') + # check the crealm and cname + cname = enc_part['cname'] + self.assertEqual(NT_PRINCIPAL, cname['name-type']) + self.assertEqual(user_name.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + + def test_nt_principal_step_3(self): + ''' Step 3 + + If not found + search for a matching UPN name where the UPN is set to + cname@realm or cname@DC's domain name + + ''' + # Create a user account for the test. + # + user_name = "mskileusr" + upn_name = "mskileupn" + upn = upn_name + "@" + self.credentials.get_realm().lower() + (uc, dn) = self.create_account(user_name, upn=upn) + realm = uc.get_realm().lower() + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[upn_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[upn_name]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the service ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac(enc_part['authorization-data'], dn, uc, upn_name) + # check the crealm and cname + cname = enc_part['cname'] + self.assertEqual(NT_PRINCIPAL, cname['name-type']) + self.assertEqual(upn_name.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + + def test_nt_principal_step_4_a(self): + ''' Step 4, no pre-authentication + If not found and no pre-authentication + search for a matching altSecurityIdentity + ''' + # Create a user account for the test. + # with an altSecurityIdentity, and with UF_DONT_REQUIRE_PREAUTH + # set. + # + # note that in this case IDL_DRSCrackNames is called with + # pmsgIn.formatOffered set to + # DS_USER_PRINCIPAL_NAME_AND_ALTSECID + # + # setting UF_DONT_REQUIRE_PREAUTH seems to be the only way + # to trigger the no pre-auth step + + user_name = "mskileusr" + alt_name = "mskilealtsec" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + alt_sec = "Kerberos:%s@%s" % (alt_name, realm) + self.add_attribute(dn, "altSecurityIdentities", alt_sec) + self.modify_attribute( + dn, + "userAccountControl", + str(UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH)) + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, as we've set UF_DONT_REQUIRE_PREAUTH + # we should get a valid AS-RESP + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[alt_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_as_reply(rep) + salt = "%s%s" % (realm.upper(), user_name) + key = self.PasswordKey_create( + rep['enc-part']['etype'], + uc.get_password(), + salt.encode('UTF8'), + rep['enc-part']['kvno']) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[alt_name]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the service ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + # + # We get an empty authorization-data element in the ticket. + # i.e. no PAC + self.assertEqual([], enc_part['authorization-data']) + # check the crealm and cname + cname = enc_part['cname'] + self.assertEqual(NT_PRINCIPAL, cname['name-type']) + self.assertEqual(alt_name.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + + def test_nt_principal_step_4_b(self): + ''' Step 4, pre-authentication + If not found and pre-authentication + search for a matching user principal name + ''' + + # Create user and machine accounts for the test. + # + user_name = "mskileusr" + alt_name = "mskilealtsec" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + alt_sec = "Kerberos:%s@%s" % (alt_name, realm) + self.add_attribute(dn, "altSecurityIdentities", alt_sec) + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[alt_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + # Note: although we used the alt security id for the pre-auth + # we need to use the username for the auth + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac(enc_part['authorization-data'], dn, uc, user_name) + # check the crealm and cname + cname = enc_part['cname'] + self.assertEqual(NT_PRINCIPAL, cname['name-type']) + self.assertEqual(user_name.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + + def test_nt_principal_step_4_c(self): + ''' Step 4, pre-authentication + If not found and pre-authentication + search for a matching user principal name + + This test uses the altsecid, so the AS-REQ should fail. + ''' + + # Create user and machine accounts for the test. + # + user_name = "mskileusr" + alt_name = "mskilealtsec" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + alt_sec = "Kerberos:%s@%s" % (alt_name, realm) + self.add_attribute(dn, "altSecurityIdentities", alt_sec) + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[alt_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + # Use the alternate security identifier + # this should fail + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[alt_sec]) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + + def test_enterprise_principal_step_1_3(self): + ''' Steps 1-3 + For an NT_ENTERPRISE_PRINCIPAL cname + search for a user principal name matching the cname + + ''' + + # Create a user account for the test. + # + user_name = "mskileusr" + upn_name = "mskileupn" + upn = upn_name + "@" + self.credentials.get_realm().lower() + (uc, dn) = self.create_account(user_name, upn=upn) + realm = uc.get_realm().lower() + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[upn]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[upn]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac( + enc_part['authorization-data'], dn, uc, upn, upn=upn) + # check the crealm and cname + cname = enc_part['cname'] + crealm = enc_part['crealm'] + self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) + self.assertEqual(upn.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), crealm) + + def test_enterprise_principal_step_4(self): + ''' Step 4 + + If that fails + search for an account where the sAMAccountName matches + the name before the @ + + ''' + + # Create a user account for the test. + # + user_name = "mskileusr" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + ename = user_name + "@" + realm + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac( + enc_part['authorization-data'], dn, uc, ename, upn=ename) + # check the crealm and cname + cname = enc_part['cname'] + crealm = enc_part['crealm'] + self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) + self.assertEqual(ename.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), crealm) + + def test_enterprise_principal_step_5(self): + ''' Step 5 + + If that fails + search for an account where the sAMAccountName matches + the name before the @ with a $ appended. + + ''' + + # Create a user account for the test. + # + user_name = "mskileusr" + (uc, _) = self.create_account(user_name) + realm = uc.get_realm().lower() + + mach_name = "mskilemac" + (mc, dn) = self.create_account(mach_name, machine_account=True) + ename = mach_name + "@" + realm + uname = mach_name + "$@" + realm + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(mc, rep) + key = self.get_as_rep_key(mc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac( + enc_part['authorization-data'], dn, mc, ename, upn=uname) + # check the crealm and cname + cname = enc_part['cname'] + crealm = enc_part['crealm'] + self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) + self.assertEqual(ename.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), crealm) + + def test_enterprise_principal_step_6_a(self): + ''' Step 6, no pre-authentication + If not found and no pre-authentication + search for a matching altSecurityIdentity + ''' + # Create a user account for the test. + # with an altSecurityIdentity, and with UF_DONT_REQUIRE_PREAUTH + # set. + # + # note that in this case IDL_DRSCrackNames is called with + # pmsgIn.formatOffered set to + # DS_USER_PRINCIPAL_NAME_AND_ALTSECID + # + # setting UF_DONT_REQUIRE_PREAUTH seems to be the only way + # to trigger the no pre-auth step + + user_name = "mskileusr" + alt_name = "mskilealtsec" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + alt_sec = "Kerberos:%s@%s" % (alt_name, realm) + self.add_attribute(dn, "altSecurityIdentities", alt_sec) + self.modify_attribute( + dn, + "userAccountControl", + str(UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH)) + ename = alt_name + "@" + realm + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, as we've set UF_DONT_REQUIRE_PREAUTH + # we should get a valid AS-RESP + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_as_reply(rep) + salt = "%s%s" % (realm.upper(), user_name) + key = self.PasswordKey_create( + rep['enc-part']['etype'], + uc.get_password(), + salt.encode('UTF8'), + rep['enc-part']['kvno']) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the service ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + # + # We get an empty authorization-data element in the ticket. + # i.e. no PAC + self.assertEqual([], enc_part['authorization-data']) + # check the crealm and cname + cname = enc_part['cname'] + self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) + self.assertEqual(ename.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + + def test_nt_enterprise_principal_step_6_b(self): + ''' Step 4, pre-authentication + If not found and pre-authentication + search for a matching user principal name + ''' + + # Create user and machine accounts for the test. + # + user_name = "mskileusr" + alt_name = "mskilealtsec" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + alt_sec = "Kerberos:%s@%s" % (alt_name, realm) + self.add_attribute(dn, "altSecurityIdentities", alt_sec) + ename = alt_name + "@" + realm + uname = user_name + "@" + realm + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + # Note: although we used the alt security id for the pre-auth + # we need to use the username for the auth + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[uname]) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, + names=[uname]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac( + enc_part['authorization-data'], dn, uc, uname, upn=uname) + # check the crealm and cname + cname = enc_part['cname'] + self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) + self.assertEqual(uname.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + + def test_nt_principal_step_6_c(self): + ''' Step 4, pre-authentication + If not found and pre-authentication + search for a matching user principal name + + This test uses the altsecid, so the AS-REQ should fail. + ''' + + # Create user and machine accounts for the test. + # + user_name = "mskileusr" + alt_name = "mskilealtsec" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + alt_sec = "Kerberos:%s@%s" % (alt_name, realm) + self.add_attribute(dn, "altSecurityIdentities", alt_sec) + ename = alt_name + "@" + realm + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + # Use the alternate security identifier + # this should fail + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + + +if __name__ == "__main__": + global_asn1_print = False + global_hexdump = False + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 838a3148d8e..14f7cbfd7cd 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -93,6 +93,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/kdc_tests.py', 'python/samba/tests/krb5/kdc_base_test.py', 'python/samba/tests/krb5/kdc_tgs_tests.py', + 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', } diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 7ab56b6721b..4e6ee93ce96 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -2,3 +2,15 @@ # We expect all the MIT specific compatability tests to fail on heimdal # kerberos ^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_ +# +# Heimdal currently fails the following MS-KILE client principal lookup +# tests +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_1_3 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_4 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_5 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_6_a +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_enterprise_principal_step_6_b +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_a +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_b +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index e64303c6b0f..2c2a643944c 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -275,3 +275,19 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ # following tests ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_ldap_service_ticket\(ad_dc\) ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_get_ticket_for_host_service_of_machine_account\(ad_dc\) +# +# MIT currently fails the following MS-KILE tests. +# +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_1_3 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_4 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_5 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_6_a +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_enterprise_principal_step_6_b +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_1 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_2 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_3 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_a +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_b +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c + diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 4ce9602b53f..3310d47f167 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1234,6 +1234,9 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests") planpythontestsuite( "ad_dc", "samba.tests.krb5.kdc_tgs_tests") +planpythontestsuite( + "ad_dc", + "samba.tests.krb5.ms_kile_client_principal_lookup_tests") for env in [ 'vampire_dc', -- 2.35.0 From 869f97a09394ee001dc33b9a994296a157cf769c Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Apr 2021 10:54:05 +1200 Subject: [PATCH 066/686] auth:creds: Remove unused variable Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1ea2de561839ad948efab5112fbe4c1eae44d9ee) [jsutton@samba.org Backported to fix conflict] --- auth/credentials/pycredentials.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index 6fb2c807ed6..ae096e36302 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c @@ -446,13 +446,10 @@ static PyObject *py_creds_get_forced_sasl_mech(PyObject *self, PyObject *unused) static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args) { char *newval; - enum credentials_obtained obt = CRED_SPECIFIED; - int _obt = obt; if (!PyArg_ParseTuple(args, "s", &newval)) { return NULL; } - obt = _obt; cli_credentials_set_forced_sasl_mech(PyCredentials_AsCliCredentials(self), newval); Py_RETURN_NONE; -- 2.35.0 From 454aa7018e827a68945c094d3dd3d4b5fb819282 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Apr 2021 10:55:13 +1200 Subject: [PATCH 067/686] auth:creds: Fix parameter in creds.set_named_ccache() Use the passed-in value for 'obtained' rather than always using CRED_SPECIFIED. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2d05268aa0904221c452fc650fcdfb680efc20bb) --- auth/credentials/pycredentials.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index ae096e36302..a58859a70d8 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c @@ -584,6 +584,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args) if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx)) return NULL; + obt = _obt; mem_ctx = talloc_new(NULL); if (mem_ctx == NULL) { @@ -599,7 +600,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args) ret = cli_credentials_set_ccache(PyCredentials_AsCliCredentials(self), lp_ctx, - newval, CRED_SPECIFIED, + newval, obt, &error_string); if (ret != 0) { -- 2.35.0 From 0d1ade53014a8d4c497a9d9d7ba5e9cce695a6d0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Apr 2021 11:07:22 +1200 Subject: [PATCH 068/686] pygensec: Fix method documentation This changes the docstrings to use the correct method names. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 50ade4cadc766a196316fd5c5a57f8c502f0ea22) --- source4/auth/gensec/pygensec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c index c9f3fd3b489..ca60d3bdc5e 100644 --- a/source4/auth/gensec/pygensec.c +++ b/source4/auth/gensec/pygensec.c @@ -634,13 +634,13 @@ static PyMethodDef py_gensec_security_methods[] = { { "start_server", (PyCFunction)py_gensec_start_server, METH_VARARGS|METH_KEYWORDS|METH_CLASS, "S.start_server(auth_ctx, settings) -> gensec" }, { "set_credentials", (PyCFunction)py_gensec_set_credentials, METH_VARARGS, - "S.start_client(credentials)" }, + "S.set_credentials(credentials)" }, { "set_target_hostname", (PyCFunction)py_gensec_set_target_hostname, METH_VARARGS, - "S.start_target_hostname(target_hostname) \n This sets the Kerberos target hostname to obtain a ticket for." }, + "S.set_target_hostname(target_hostname) \n This sets the Kerberos target hostname to obtain a ticket for." }, { "set_target_service", (PyCFunction)py_gensec_set_target_service, METH_VARARGS, - "S.start_target_service(target_service) \n This sets the Kerberos target service to obtain a ticket for. The default value is 'host'" }, + "S.set_target_service(target_service) \n This sets the Kerberos target service to obtain a ticket for. The default value is 'host'" }, { "set_target_service_description", (PyCFunction)py_gensec_set_target_service_description, METH_VARARGS, - "S.start_target_service_description(target_service_description) \n This description is set server-side and used in authentication and authorization logs. The default value is that provided to set_target_service() or None."}, + "S.set_target_service_description(target_service_description) \n This description is set server-side and used in authentication and authorization logs. The default value is that provided to set_target_service() or None."}, { "session_info", (PyCFunction)py_gensec_session_info, METH_NOARGS, "S.session_info() -> info" }, { "session_key", (PyCFunction)py_gensec_session_key, METH_NOARGS, -- 2.35.0 From 943a683d6fba455e136a629f34774e24da03ade2 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 15 Apr 2021 10:32:41 +1200 Subject: [PATCH 069/686] Revert "s4-test: fixed ndrdump test for top level build" This essentially reverts commit b84c0a9ed6d556eb2d3797d606edcd03f9766606, but the datapath is now in the source4 directory. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 6f144d49b5281a08bf7be550b949f4d91e8fe19b) [jsutton@samba.org Backported to fix conflict from formatting differences] --- python/samba/tests/blackbox/ndrdump.py | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py index 7ca7b93f559..c42f64f35a1 100644 --- a/python/samba/tests/blackbox/ndrdump.py +++ b/python/samba/tests/blackbox/ndrdump.py @@ -24,12 +24,7 @@ from __future__ import print_function import os from samba.tests import BlackboxTestCase, BlackboxProcessError -for p in ["../../../../../source4/librpc/tests", "../../../../../librpc/tests"]: - data_path_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), p)) - print(data_path_dir) - if os.path.exists(data_path_dir): - break - +data_path_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../../../../source4/librpc/tests")) class NdrDumpTests(BlackboxTestCase): """Blackbox tests for ndrdump.""" -- 2.35.0 From 05fe3678e79d8df292f19040271b59d03aab0d2e Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Apr 2021 10:57:00 +1200 Subject: [PATCH 070/686] krb5ccache.idl: Add definition for a Kerberos credentials cache Based on specifications found at https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html This is primarily designed for parsing and storing a single Kerberos ticket, due to the limitations of PIDL. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 74fb2cc473cea0eebf641fc4d32d706bac8aa6f2) [jsutton@samba.org Backported to fix conflicts, and added dummy function decode_ccache so that tables are properly generated] --- librpc/idl/krb5ccache.idl | 119 +++++++++++++++++++++++++++++++++++ librpc/idl/wscript_build | 2 +- librpc/wscript_build | 8 ++- source4/librpc/wscript_build | 7 +++ 4 files changed, 134 insertions(+), 2 deletions(-) create mode 100644 librpc/idl/krb5ccache.idl diff --git a/librpc/idl/krb5ccache.idl b/librpc/idl/krb5ccache.idl new file mode 100644 index 00000000000..15f1beb9aab --- /dev/null +++ b/librpc/idl/krb5ccache.idl @@ -0,0 +1,119 @@ +/* + krb5 credentials cache (version 3 or 4) + specification: https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html +*/ + +#include "idl_types.h" + +[ + uuid("1702b695-99ca-4f32-93e4-1e1c4d5ddb53"), + version(0.0), + pointer_default(unique), + helpstring("KRB5 credentials cache") +] +interface krb5ccache +{ + typedef struct { + uint32 name_type; + uint32 component_count; + [flag(STR_SIZE4|STR_NOTERM|STR_UTF8)] string realm; + [flag(STR_SIZE4|STR_NOTERM|STR_UTF8)] string components[component_count]; + } PRINCIPAL; + + typedef struct { + uint16 enctype; + DATA_BLOB data; + } KEYBLOCK; + + typedef struct { + uint16 addrtype; + DATA_BLOB data; + } ADDRESS; + + typedef struct { + uint32 count; + ADDRESS data[count]; + } ADDRESSES; + + typedef struct { + uint16 ad_type; + DATA_BLOB data; + } AUTHDATUM; + + typedef struct { + uint32 count; + AUTHDATUM data[count]; + } AUTHDATA; + + typedef struct { + PRINCIPAL client; + PRINCIPAL server; + KEYBLOCK keyblock; + uint32 authtime; + uint32 starttime; + uint32 endtime; + uint32 renew_till; + uint8 is_skey; + uint32 ticket_flags; + ADDRESSES addresses; + AUTHDATA authdata; + DATA_BLOB ticket; + DATA_BLOB second_ticket; + } CREDENTIAL; + + typedef struct { + [value(0)] int32 kdc_sec_offset; + [value(0)] int32 kdc_usec_offset; + } DELTATIME_TAG; + + typedef [nodiscriminant] union { + [case(1)] DELTATIME_TAG deltatime_tag; + } FIELD; + + typedef struct { + [value(1)] uint16 tag; + [subcontext(2),switch_is(tag)] FIELD field; + } V4TAG; + + typedef struct { + V4TAG tag; + /* + * We should allow for more than one tag to be properly parsed, but that + * would require manual parsing. + */ + [flag(NDR_REMAINING)] DATA_BLOB further_tags; + } V4TAGS; + + typedef struct { + [subcontext(2)] V4TAGS v4tags; + } V4HEADER; + + typedef [nodiscriminant] union { + /* + * We don't attempt to support file format versions 1 and 2 as they + * assume native CPU byte order, which makes no sense in PIDL. + */ + [case(3)] ; + [case(4)] V4HEADER v4header; + } OPTIONAL_HEADER; + + /* Public structures. */ + + typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct { + [value(5)] uint8 pvno; + [value(4)] uint8 version; + [switch_is(version)] OPTIONAL_HEADER optional_header; + PRINCIPAL principal; + CREDENTIAL cred; + [flag(NDR_REMAINING)] DATA_BLOB further_creds; + } CCACHE; + + typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct { + CREDENTIAL cred; + [flag(NDR_REMAINING)] DATA_BLOB further_creds; + } MULTIPLE_CREDENTIALS; + + [nopython] void decode_ccache( + [in] CCACHE ccache + ); +} diff --git a/librpc/idl/wscript_build b/librpc/idl/wscript_build index aa058e87133..f20558899fb 100644 --- a/librpc/idl/wscript_build +++ b/librpc/idl/wscript_build @@ -5,7 +5,7 @@ bld.SAMBA_PIDL_LIST('PIDL', misc.idl ntlmssp.idl negoex.idl schannel.idl trkwks.idl audiosrv.idl dfsblobs.idl dsbackup.idl eventlog.idl file_id.idl keysvc.idl msgsvc.idl ntsvcs.idl remact.idl security.idl smb_acl.idl unixinfo.idl wzcsvc.idl - browser.idl dfs.idl dssetup.idl frsapi.idl krb5pac.idl + browser.idl dfs.idl dssetup.idl frsapi.idl krb5pac.idl krb5ccache.idl named_pipe_auth.idl orpc.idl rot.idl spoolss.idl w32time.idl dbgidl.idl dnsserver.idl echo.idl frsrpc.idl lsa.idl nbt.idl dns.idl oxidresolver.idl samr.idl server_id.idl srvsvc.idl winreg.idl dcerpc.idl diff --git a/librpc/wscript_build b/librpc/wscript_build index b560a08a7e2..4c0c5a09988 100644 --- a/librpc/wscript_build +++ b/librpc/wscript_build @@ -375,6 +375,11 @@ bld.SAMBA_LIBRARY('ndr-krb5pac', vnum='0.0.1' ) +bld.SAMBA_SUBSYSTEM('NDR_KRB5CCACHE', + source='gen_ndr/ndr_krb5ccache.c', + deps='ndr NDR_COMPRESSION NDR_SECURITY ndr-standard asn1util' + ) + bld.SAMBA_LIBRARY('ndr-standard', source='gen_ndr/ndr_eventlog6.c', vnum='0.0.1', @@ -702,7 +707,8 @@ bld.SAMBA_LIBRARY('ndr-samba', source=[], deps='''NDR_DRSBLOBS NDR_DRSUAPI NDR_IDMAP NDR_NTLMSSP NDR_NEGOEX NDR_SCHANNEL NDR_MGMT NDR_DNSSERVER NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM - NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV''', + NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV + NDR_KRB5CCACHE''', private_library=True, grouping_library=True ) diff --git a/source4/librpc/wscript_build b/source4/librpc/wscript_build index d9b7743c9d1..d452e7012dc 100644 --- a/source4/librpc/wscript_build +++ b/source4/librpc/wscript_build @@ -230,6 +230,13 @@ for env in bld.gen_python_environments(): cflags_end=gen_cflags ) + bld.SAMBA_PYTHON('python_krb5ccache', + source='../../librpc/gen_ndr/py_krb5ccache.c', + deps='NDR_KRB5CCACHE %s %s' % (pytalloc_util, pyrpc_util), + realname='samba/dcerpc/krb5ccache.so', + cflags_end=gen_cflags + ) + bld.SAMBA_PYTHON('python_netlogon', source='../../librpc/gen_ndr/py_netlogon.c', deps='RPC_NDR_NETLOGON %s %s' % (pytalloc_util, pyrpc_util), -- 2.35.0 From 083d8308cd1d1ba9481747ce984a207e9e097960 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Apr 2021 10:58:48 +1200 Subject: [PATCH 071/686] librpc: Test parsing a Kerberos 5 credentials cache with ndrdump This is the format used by the FILE: credentials cache type. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1f17b1edca9c1638ef404fadce3ca7a4d176de12) [jsutton@samba.org Backported to fix conflicts] --- python/samba/tests/blackbox/ndrdump.py | 37 + source3/selftest/ktest-krb5_ccache-2.txt | 1574 ++++++++++++++++++++++ source3/selftest/ktest-krb5_ccache-3.txt | 832 ++++++++++++ 3 files changed, 2443 insertions(+) create mode 100644 source3/selftest/ktest-krb5_ccache-2.txt create mode 100644 source3/selftest/ktest-krb5_ccache-3.txt diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py index c42f64f35a1..5cc3eceb353 100644 --- a/python/samba/tests/blackbox/ndrdump.py +++ b/python/samba/tests/blackbox/ndrdump.py @@ -55,3 +55,40 @@ class NdrDumpTests(BlackboxTestCase): self.data_path("dns-decode_dns_name_packet-hex.dat")) except BlackboxProcessError as e: self.fail(e) + + def test_ndrdump_Krb5ccache(self): + expected = open(self.data_path("../../../source3/selftest/" + "ktest-krb5_ccache-2.txt")).read() + try: + # Specify -d1 to match the generated output file, because ndrdump + # only outputs some additional info if this parameter is specified, + # and the --configfile parameter gives us an empty smb.conf to avoid + # extraneous output. + actual = self.check_output( + "ndrdump krb5ccache CCACHE struct " + "--configfile /dev/null -d1 --validate " + + self.data_path("../../../source3/selftest/" + "ktest-krb5_ccache-2")) + except BlackboxProcessError as e: + self.fail(e) + # check_output will return bytes + # convert expected to bytes for python 3 + self.assertEqual(actual, expected.encode('utf-8')) + + expected = open(self.data_path("../../../source3/selftest/" + "ktest-krb5_ccache-3.txt")).read() + try: + # Specify -d1 to match the generated output file, because ndrdump + # only outputs some additional info if this parameter is specified, + # and the --configfile parameter gives us an empty smb.conf to avoid + # extraneous output. + actual = self.check_output( + "ndrdump krb5ccache CCACHE struct " + "--configfile /dev/null -d1 --validate " + + self.data_path("../../../source3/selftest/" + "ktest-krb5_ccache-3")) + except BlackboxProcessError as e: + self.fail(e) + # check_output will return bytes + # convert expected to bytes for python 3 + self.assertEqual(actual, expected.encode('utf-8')) diff --git a/source3/selftest/ktest-krb5_ccache-2.txt b/source3/selftest/ktest-krb5_ccache-2.txt new file mode 100644 index 00000000000..c86750ae585 --- /dev/null +++ b/source3/selftest/ktest-krb5_ccache-2.txt @@ -0,0 +1,1574 @@ +pull returned Success + CCACHE: struct CCACHE + pvno : 0x05 (5) + version : 0x04 (4) + optional_header : union OPTIONAL_HEADER(case 0x4) + v4header: struct V4HEADER + v4tags: struct V4TAGS + tag: struct V4TAG + tag : 0x0001 (1) + field : union FIELD(case 0x1) + deltatime_tag: struct DELTATIME_TAG + kdc_sec_offset : 0 + kdc_usec_offset : 0 + further_tags : DATA_BLOB length=0 + principal: struct PRINCIPAL + name_type : 0x00000001 (1) + component_count : 0x00000001 (1) + realm : 'KTEST.SAMBA.EXAMPLE.COM' + components: ARRAY(1) + components : 'administrator' + cred: struct CREDENTIAL + client: struct PRINCIPAL + name_type : 0x00000001 (1) + component_count : 0x00000001 (1) + realm : 'KTEST.SAMBA.EXAMPLE.COM' + components: ARRAY(1) + components : 'administrator' + server: struct PRINCIPAL + name_type : 0x00000000 (0) + component_count : 0x00000002 (2) + realm : 'KTEST.SAMBA.EXAMPLE.COM' + components: ARRAY(2) + components : 'krbtgt' + components : 'KTEST.SAMBA.EXAMPLE.COM' + keyblock: struct KEYBLOCK + enctype : 0x0017 (23) + data : DATA_BLOB length=16 +[0000] 8B 94 0B 31 51 5B F7 A7 15 E9 EE D7 D7 0C 8C 90 ...1Q[.. ........ + authtime : 0x4d994f6a (1301892970) + starttime : 0x4d994f6a (1301892970) + endtime : 0x7d440b68 (2101611368) + renew_till : 0x7d440b68 (2101611368) + is_skey : 0x00 (0) + ticket_flags : 0x40e00000 (1088421888) + addresses: struct ADDRESSES + count : 0x00000000 (0) + data: ARRAY(0) + authdata: struct AUTHDATA + count : 0x00000000 (0) + data: ARRAY(0) + ticket : DATA_BLOB length=1032 +[0000] 61 82 04 04 30 82 04 00 A0 03 02 01 05 A1 19 1B a...0... ........ +[0010] 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 .KTEST.S AMBA.EXA +[0020] 4D 50 4C 45 2E 43 4F 4D A2 2C 30 2A A0 03 02 01 MPLE.COM .,0*.... +[0030] 00 A1 23 30 21 1B 06 6B 72 62 74 67 74 1B 17 4B ..#0!..k rbtgt..K +[0040] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[0050] 4C 45 2E 43 4F 4D A3 82 03 AE 30 82 03 AA A0 03 LE.COM.. ..0..... +[0060] 02 01 17 A1 03 02 01 01 A2 82 03 9C 04 82 03 98 ........ ........ +[0070] 80 66 8F CF AB 24 9D C8 76 E4 28 F5 25 6B 73 B2 .f...$.. v.(.%ks. +[0080] 4B 94 ED 09 10 29 05 C4 C0 B8 B9 33 FA C4 46 AB K....).. ...3..F. +[0090] F4 B5 9E 5B 07 54 D6 58 1D B8 CA 04 41 A6 33 A6 ...[.T.X ....A.3. +[00A0] 67 9D EB 83 70 65 A9 2D 65 A5 19 8C 55 2A 0F FC g...pe.- e...U*.. +[00B0] 1B BB 7A BD 86 C0 32 06 F2 2F 0A A5 93 E7 D1 1E ..z...2. ./...... +[00C0] 16 C4 27 DD 1F A7 61 03 FF 05 81 EF 49 B7 25 A3 ..'...a. ....I.%. +[00D0] 6E EA E6 E8 15 E3 10 AF A3 F1 21 B3 D9 C0 67 2F n....... ..!...g/ +[00E0] 0C 0C B7 42 D6 9A 34 8E D4 5E 55 C2 FE 62 03 37 ...B..4. .^U..b.7 +[00F0] A5 58 9B 43 E7 26 E3 71 B2 E5 F1 91 B4 23 8F AC .X.C.&.q .....#.. +[0100] 7A 31 3C 4E B4 94 E4 81 36 98 71 3B 98 7B B7 AB z1....... +[0150] 1A 69 EE 8C 4E A4 D8 55 A5 0B 23 0F D0 89 48 C4 .i..N..U ..#...H. +[0160] 51 FE 32 FD CC F6 71 E1 95 2D CC 1D 0A 0C 8A A2 Q.2...q. .-...... +[0170] 69 58 3B 65 88 53 EC D0 2E E1 C6 CC 6B BC 09 E5 iX;e.S.. ....k... +[0180] B9 15 27 8B E4 B2 24 18 61 42 BB 8B 09 1B 8A 7B ..'...$. aB.....{ +[0190] 13 D8 51 E1 0B 79 12 48 DE A9 54 04 00 6D DD E6 ..Q..y.H ..T..m.. +[01A0] 5E 03 91 FF C7 6D 0B 7C 91 44 E1 0F C0 7E 32 34 ^....m.| .D...~24 +[01B0] 82 86 94 F7 CD 53 EC 52 38 18 AA ED FF FC 5C 01 .....S.R 8.....\. +[01C0] D2 EE 99 45 8E 5B E6 B3 46 B0 F6 3B 22 29 EC 11 ...E.[.. F..;").. +[01D0] 30 6A F6 A1 1F 9E AE 71 E3 A6 E7 3F F3 7D 2B 75 0j.....q ...?.}+u +[01E0] 70 4D 63 47 5C 18 2C 8B B1 1A 69 B6 C5 46 01 17 pMcG\.,. ..i..F.. +[01F0] 8E 64 3D 47 88 20 1C AA D7 60 32 28 11 60 EA 28 .d=G. .. .`2(.`.( +[0200] 66 99 4C B1 2A 28 96 BF 18 2A 3E F4 D6 84 E5 A0 f.L.*(.. .*>..... +[0210] F4 4E E7 F9 54 95 22 96 2A 87 01 CC 3E A7 FF 42 .N..T.". *...>..B +[0220] 6A A4 4A 3A B9 24 10 65 99 53 58 2A 4E 72 E7 1F j.J:.$.e .SX*Nr.. +[0230] 82 BC BD 3C 6C 9D 33 3A CE C6 6E 72 A2 81 B3 84 ........ +[0280] AB F0 D0 93 08 42 E5 37 19 24 4E C1 AF FC 92 A9 .....B.7 .$N..... +[0290] B1 27 B1 9A 2A 62 34 F1 DC C0 6B 83 AE C3 74 E8 .'..*b4. ..k...t. +[02A0] A3 05 DD 82 DD A3 D7 90 A8 E3 9C EB 64 16 23 06 ........ ....d.#. +[02B0] 5D FB E4 35 7C 22 29 78 E3 3B 75 92 91 0C 9D A1 ]..5|")x .;u..... +[02C0] 87 7C 2E 82 AE 49 9D 4A 50 A9 C2 D5 85 B0 16 5D .|...I.J P......] +[02D0] A2 CD B0 DD 29 3F 6F 66 C9 C1 9F 5C F0 B6 FC D2 ....)?of ...\.... +[02E0] 52 BE 7B F0 1F 26 AF 8A FC C3 A6 24 8C C0 10 06 R.{..&.. ...$.... +[02F0] 73 1E 17 9E 6E 6F 32 44 6A DF 82 5D D0 6B 74 CE s...no2D j..].kt. +[0300] 58 0B 4C 7B EB A1 13 44 B1 3E D8 F8 BA F4 4E 55 X.L{...D .>....NU +[0310] 71 3D C1 09 D9 E7 97 9A 14 5C 54 7E 57 81 5F 6B q=...... .\T~W._k +[0320] 30 BE 9A E1 98 29 47 D4 C0 8F 63 0A F8 27 1F CE 0....)G. ..c..'.. +[0330] ED D9 BB 7B 12 24 D0 34 2A 7C F0 F7 77 F4 F1 1D ...{.$.4 *|..w... +[0340] 4C 5D 75 2D 6B 0D 80 35 82 CC D8 7A 6B FA A0 55 L]u-k..5 ...zk..U +[0350] 34 CD 87 15 61 38 78 D4 69 0F AA 72 D6 AC FA 99 4...a8x. i..r.... +[0360] BC 70 39 27 A7 25 2E 1B 6F 36 01 FD E9 B4 9A 79 .p9'.%.. o6.....y +[0370] 6C 19 DD A6 8C 78 B0 40 92 60 58 F0 28 AD 08 78 l....x.@ .`X.(..x +[0380] 4A 29 06 2C 82 2B 1A E3 91 0B 5F EE D6 B8 66 47 J).,.+.. .._...fG +[0390] 31 9B A3 DF 9F 79 D7 BB 0E 2C FA 0E C9 66 84 8D 1....y.. .,...f.. +[03A0] FF BA BB 21 27 9E AD 86 84 55 8D 4C 4C 47 D9 5F ...!'... .U.LLG._ +[03B0] B2 7D 26 CA B7 49 3C 9D 1B 67 71 11 3A 8A EB EA .}&..I<. .gq.:... +[03C0] 0F 15 EB F0 1E 46 F7 A4 34 04 D7 E3 50 67 47 D3 .....F.. 4...PgG. +[03D0] 66 21 17 77 51 A7 1F 1D 84 3B 7C B1 5D 4E B8 D4 f!.wQ... .;|.]N.. +[03E0] F9 C5 75 06 AA 19 45 1C E9 06 9E AD 23 26 6B 10 ..u...E. ....#&k. +[03F0] 53 A0 36 D3 58 9F 5E 8C CB A5 F6 BC C9 30 3C BC S.6.X.^. .....0<. +[0400] AD FF 7C 92 F0 C6 9A 02 ..|..... + second_ticket : DATA_BLOB length=0 + further_creds : DATA_BLOB length=10683 +[0000] 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 ........ ....KTES +[0010] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0020] 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 COM....a dministr +[0030] 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 ator.... ........ +[0040] 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D KTEST.SA MBA.EXAM +[0050] 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 73 00 PLE.COM. ...cifs. +[0060] 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 00 17 ...local ktest6.. +[0070] 00 00 00 10 00 6E A1 B2 31 6D 48 C7 90 72 3A 0C .....n.. 1mH..r:. +[0080] 4B 8B 83 8C 4D 99 4F 6A 4D 99 50 85 7D 44 0B 68 K...M.Oj M.P.}D.h +[0090] 00 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 .....@(. ........ +[00A0] 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 .....a.. .0...... +[00B0] 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[00C0] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 A.EXAMPL E.COM..0 +[00D0] 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 69 66 73 ........ 0...cifs +[00E0] 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 A3 82 03 ..localk test6... +[00F0] AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 02 A2 .0...... ........ +[0100] 82 03 9C 04 82 03 98 C6 BB 64 A8 31 00 FC 5E 51 ........ .d.1..^Q +[0110] 3C 87 F8 34 47 3B D0 6F 6F FD 9E A6 91 12 74 2D <..4G;.o o.....t- +[0120] 44 BB AA 91 A0 2D 46 3E 9E FB FB C4 FB F1 15 FD D....-F> ........ +[0130] BB DA EE 06 A9 20 6A 38 DC 46 06 27 D9 A2 9D 2D ..... j8 .F.'...- +[0140] 1F FD 0D 7D 8A BB 0A 7C E8 47 17 BC 7B 70 E4 51 ...}...| .G..{p.Q +[0150] 6A BA 51 68 62 28 4A 1E 51 D1 0D CD 02 55 75 44 j.Qhb(J. Q....UuD +[0160] 8A B9 C2 84 F4 17 34 92 9B 31 85 9E 43 C1 0C 3A ......4. .1..C..: +[0170] B2 69 7F 20 1A 18 1F 65 4F C0 20 C9 B5 AF E1 61 .i. ...e O. ....a +[0180] 8C 90 10 63 26 A6 5D 05 3C CD 29 BB 7B 74 D5 8F ...c&.]. <.).{t.. +[0190] 2C 7F 4B E8 84 24 57 37 8A C6 F7 91 FD 22 9A A5 ,.K..$W7 .....".. +[01A0] 0D E9 4A 78 93 36 FC A8 8C 8A 27 8A C6 28 4B 7B ..Jx.6.. ..'..(K{ +[01B0] DA 11 42 BC 09 10 81 82 14 0F 9C B8 48 26 91 78 ..B..... ....H&.x +[01C0] A8 DD 97 6C 24 A1 D2 E8 85 19 B3 D3 85 4D 38 C7 ...l$... .....M8. +[01D0] 7D 49 55 8E 85 46 E1 EE 7B BA 11 62 63 53 C5 16 }IU..F.. {..bcS.. +[01E0] 4A 0C 1C 99 7C 0E FB 45 1D B4 98 58 67 7E 40 65 J...|..E ...Xg~@e +[01F0] 4B 48 E2 89 9C 8B C2 B8 39 D1 04 C0 A8 56 E8 A1 KH...... 9....V.. +[0200] 04 7A 7A C9 60 18 A0 29 E2 DC 82 4C 8F 18 CE 2F .zz.`..) ...L.../ +[0210] 14 F0 18 5B 6C FF 85 45 88 73 CB A4 55 08 FC BF ...[l..E .s..U... +[0220] C7 9F 51 0A DB 2C C1 E3 3C DD F6 F0 A3 2D F1 3B ..Q..,.. <....-.; +[0230] A0 12 1D FC 2A 67 F5 1A 7F E5 7C 6C FB 8A 18 BD ....*g.. ..|l.... +[0240] D1 5D E5 5E 68 30 AA 58 9E 10 13 E0 26 7E 7D C4 .].^h0.X ....&~}. +[0250] E1 A5 B6 86 0F 1C 0F 13 A4 5E 5E 6A ED 42 79 31 ........ .^^j.By1 +[0260] BB B3 5F 3A 3F DD CB 63 82 FB 06 AE 12 36 C9 1E .._:?..c .....6.. +[0270] 06 7D 41 82 2E D2 FA 26 EC 17 50 5E D0 DE 26 85 .}A....& ..P^..&. +[0280] 30 71 BC 45 3B DA 2E 08 8D B2 2A 3C E0 79 8F 77 0q.E;... ..*<.y.w +[0290] 4C 01 69 7A 09 C7 88 E1 D1 DC FF 78 DB 25 7B B1 L.iz.... ...x.%{. +[02A0] 3C BB 22 27 80 0D 75 96 18 B6 40 95 6D C8 AB 04 <."'..u. ..@.m... +[02B0] 05 41 A1 C4 25 71 C4 53 3A A6 9C B2 4D E6 15 2C .A..%q.S :...M.., +[02C0] B2 47 6C DA A8 7D CC A3 89 8B C9 1E 21 F5 E9 B2 .Gl..}.. ....!... +[02D0] 42 95 68 28 AF C6 37 22 BA 30 8D 53 FA 08 0D CE B.h(..7" .0.S.... +[02E0] CA 81 61 0D 84 A5 2D 75 BD 41 85 4C 88 56 72 C6 ..a...-u .A.L.Vr. +[02F0] B6 10 F8 34 CD B2 F4 5C 94 FA 80 90 82 A0 BD 68 ...4...\ .......h +[0300] EC 08 32 C3 B6 51 1E 3F 67 CB 7B EB 70 83 84 D4 ..2..Q.? g.{.p... +[0310] CB 52 55 36 61 1E 60 90 5B 6F FE 9A 62 05 CF 26 .RU6a.`. [o..b..& +[0320] 8E 65 E2 60 4B ED 63 B4 C4 E6 44 B4 2F B0 B8 07 .e.`K.c. ..D./... +[0330] FE BE 0D 50 E4 56 A4 2E 0D 25 76 0B 0F 44 09 20 ...P.V.. .%v..D. +[0340] 80 E5 C4 94 63 E0 54 46 1D AB 5E 0B 09 93 B1 30 ....c.TF ..^....0 +[0350] 31 7B 04 DC 23 43 3B DB 7D 39 67 FE 9A 1F C1 08 1{..#C;. }9g..... +[0360] AF 34 24 F6 74 E4 14 DA 34 8F 61 57 6A 7F 1D 4A .4$.t... 4.aWj..J +[0370] 88 0A 90 78 93 F1 86 54 DB 22 86 D6 69 0F DF 44 ...x...T ."..i..D +[0380] 7C D3 6B 9D 41 63 50 98 3A 97 B9 7B 4C 53 E3 85 |.k.AcP. :..{LS.. +[0390] 73 9A C9 08 A0 75 12 50 02 87 B0 CF CC 84 84 D9 s....u.P ........ +[03A0] BC FC 94 79 AF 6A A6 08 FF 19 7E E9 22 9B EC 5C ...y.j.. ..~."..\ +[03B0] C1 6B 1D A4 B4 55 32 5E 23 C3 C0 D4 8B 80 E6 67 .k...U2^ #......g +[03C0] B1 59 EB 9D 5D 9B AD C6 0E 7D E2 FE B1 24 8A B1 .Y..]... .}...$.. +[03D0] 37 1E 60 7F 83 35 48 32 F7 03 E8 12 E6 21 7C 3D 7.`..5H2 .....!|= +[03E0] 21 7F 6B 14 31 9C 1A A3 4C 2B 1C 5E EC 34 C1 2D !.k.1... L+.^.4.- +[03F0] DA 19 6C E6 6D 8D 60 D7 55 9E E6 D0 B5 07 06 72 ..l.m.`. U......r +[0400] C0 E9 4E 91 94 6B 3E 0B F1 0A 75 4D E8 CB 53 6B ..N..k>. ..uM..Sk +[0410] 34 A4 2F 96 A5 39 1A 18 6E 27 00 6D 41 B7 D8 F5 4./..9.. n'.mA... +[0420] 9A E5 01 FC 0B A8 97 56 EE 98 04 1D 98 84 5E 82 .......V ......^. +[0430] C8 E8 EC 17 D5 FA 96 00 3B E1 98 1C D8 FA 66 A0 ........ ;.....f. +[0440] DC 32 60 F6 03 46 08 3C E5 16 6F F2 8B 4D 72 9F .2`..F.< ..o..Mr. +[0450] 0F E0 A9 71 6E 7C AE AA FB A3 4D F1 A1 B6 1B 9F ...qn|.. ..M..... +[0460] 62 71 E1 2C 82 9B AE E3 07 9B 79 90 F1 C2 69 E5 bq.,.... ..y...i. +[0470] 7E CB 57 E6 C9 1C 4E A8 C7 12 EA 4F 4C 52 17 03 ~.W...N. ...OLR.. +[0480] AB D4 FD 34 60 F4 7C BE 9E 36 30 37 88 95 61 2E ...4`.|. .607..a. +[0490] CF 70 AF 22 70 DB E8 AA 6E 3D 30 F7 4D 84 D5 00 .p."p... n=0.M... +[04A0] 00 00 00 00 00 00 01 00 00 00 01 00 00 00 17 4B ........ .......K +[04B0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[04C0] 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 LE.COM.. ..admini +[04D0] 73 74 72 61 74 6F 72 00 00 00 01 00 00 00 02 00 strator. ........ +[04E0] 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 ...KTEST .SAMBA.E +[04F0] 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 XAMPLE.C OM....ci +[0500] 66 73 00 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 fs....lo calktest +[0510] 36 00 17 00 00 00 10 00 6E A1 B2 31 6D 48 C7 90 6....... n..1mH.. +[0520] 72 3A 0C 4B 8B 83 8C 4D 99 4F 6A 4D 99 50 85 7D r:.K...M .OjM.P.} +[0530] 44 0B 68 00 00 00 00 00 40 28 00 00 00 00 00 00 D.h..... @(...... +[0540] 00 00 00 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 ........ a...0... +[0550] A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 ........ .KTEST.S +[0560] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM +[0570] A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 ..0..... ...0...c +[0580] 69 66 73 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 ifs..loc alktest6 +[0590] A3 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 03 02 ....0... ........ +[05A0] 01 02 A2 82 03 9C 04 82 03 98 C6 BB 64 A8 31 00 ........ ....d.1. +[05B0] FC 5E 51 3C 87 F8 34 47 3B D0 6F 6F FD 9E A6 91 .^Q<..4G ;.oo.... +[05C0] 12 74 2D 44 BB AA 91 A0 2D 46 3E 9E FB FB C4 FB .t-D.... -F>..... +[05D0] F1 15 FD BB DA EE 06 A9 20 6A 38 DC 46 06 27 D9 ........ j8.F.'. +[05E0] A2 9D 2D 1F FD 0D 7D 8A BB 0A 7C E8 47 17 BC 7B ..-...}. ..|.G..{ +[05F0] 70 E4 51 6A BA 51 68 62 28 4A 1E 51 D1 0D CD 02 p.Qj.Qhb (J.Q.... +[0600] 55 75 44 8A B9 C2 84 F4 17 34 92 9B 31 85 9E 43 UuD..... .4..1..C +[0610] C1 0C 3A B2 69 7F 20 1A 18 1F 65 4F C0 20 C9 B5 ..:.i. . ..eO. .. +[0620] AF E1 61 8C 90 10 63 26 A6 5D 05 3C CD 29 BB 7B ..a...c& .].<.).{ +[0630] 74 D5 8F 2C 7F 4B E8 84 24 57 37 8A C6 F7 91 FD t..,.K.. $W7..... +[0640] 22 9A A5 0D E9 4A 78 93 36 FC A8 8C 8A 27 8A C6 "....Jx. 6....'.. +[0650] 28 4B 7B DA 11 42 BC 09 10 81 82 14 0F 9C B8 48 (K{..B.. .......H +[0660] 26 91 78 A8 DD 97 6C 24 A1 D2 E8 85 19 B3 D3 85 &.x...l$ ........ +[0670] 4D 38 C7 7D 49 55 8E 85 46 E1 EE 7B BA 11 62 63 M8.}IU.. F..{..bc +[0680] 53 C5 16 4A 0C 1C 99 7C 0E FB 45 1D B4 98 58 67 S..J...| ..E...Xg +[0690] 7E 40 65 4B 48 E2 89 9C 8B C2 B8 39 D1 04 C0 A8 ~@eKH... ...9.... +[06A0] 56 E8 A1 04 7A 7A C9 60 18 A0 29 E2 DC 82 4C 8F V...zz.` ..)...L. +[06B0] 18 CE 2F 14 F0 18 5B 6C FF 85 45 88 73 CB A4 55 ../...[l ..E.s..U +[06C0] 08 FC BF C7 9F 51 0A DB 2C C1 E3 3C DD F6 F0 A3 .....Q.. ,..<.... +[06D0] 2D F1 3B A0 12 1D FC 2A 67 F5 1A 7F E5 7C 6C FB -.;....* g....|l. +[06E0] 8A 18 BD D1 5D E5 5E 68 30 AA 58 9E 10 13 E0 26 ....].^h 0.X....& +[06F0] 7E 7D C4 E1 A5 B6 86 0F 1C 0F 13 A4 5E 5E 6A ED ~}...... ....^^j. +[0700] 42 79 31 BB B3 5F 3A 3F DD CB 63 82 FB 06 AE 12 By1.._:? ..c..... +[0710] 36 C9 1E 06 7D 41 82 2E D2 FA 26 EC 17 50 5E D0 6...}A.. ..&..P^. +[0720] DE 26 85 30 71 BC 45 3B DA 2E 08 8D B2 2A 3C E0 .&.0q.E; .....*<. +[0730] 79 8F 77 4C 01 69 7A 09 C7 88 E1 D1 DC FF 78 DB y.wL.iz. ......x. +[0740] 25 7B B1 3C BB 22 27 80 0D 75 96 18 B6 40 95 6D %{.<."'. .u...@.m +[0750] C8 AB 04 05 41 A1 C4 25 71 C4 53 3A A6 9C B2 4D ....A..% q.S:...M +[0760] E6 15 2C B2 47 6C DA A8 7D CC A3 89 8B C9 1E 21 ..,.Gl.. }......! +[0770] F5 E9 B2 42 95 68 28 AF C6 37 22 BA 30 8D 53 FA ...B.h(. .7".0.S. +[0780] 08 0D CE CA 81 61 0D 84 A5 2D 75 BD 41 85 4C 88 .....a.. .-u.A.L. +[0790] 56 72 C6 B6 10 F8 34 CD B2 F4 5C 94 FA 80 90 82 Vr....4. ..\..... +[07A0] A0 BD 68 EC 08 32 C3 B6 51 1E 3F 67 CB 7B EB 70 ..h..2.. Q.?g.{.p +[07B0] 83 84 D4 CB 52 55 36 61 1E 60 90 5B 6F FE 9A 62 ....RU6a .`.[o..b +[07C0] 05 CF 26 8E 65 E2 60 4B ED 63 B4 C4 E6 44 B4 2F ..&.e.`K .c...D./ +[07D0] B0 B8 07 FE BE 0D 50 E4 56 A4 2E 0D 25 76 0B 0F ......P. V...%v.. +[07E0] 44 09 20 80 E5 C4 94 63 E0 54 46 1D AB 5E 0B 09 D. ....c .TF..^.. +[07F0] 93 B1 30 31 7B 04 DC 23 43 3B DB 7D 39 67 FE 9A ..01{..# C;.}9g.. +[0800] 1F C1 08 AF 34 24 F6 74 E4 14 DA 34 8F 61 57 6A ....4$.t ...4.aWj +[0810] 7F 1D 4A 88 0A 90 78 93 F1 86 54 DB 22 86 D6 69 ..J...x. ..T."..i +[0820] 0F DF 44 7C D3 6B 9D 41 63 50 98 3A 97 B9 7B 4C ..D|.k.A cP.:..{L +[0830] 53 E3 85 73 9A C9 08 A0 75 12 50 02 87 B0 CF CC S..s.... u.P..... +[0840] 84 84 D9 BC FC 94 79 AF 6A A6 08 FF 19 7E E9 22 ......y. j....~." +[0850] 9B EC 5C C1 6B 1D A4 B4 55 32 5E 23 C3 C0 D4 8B ..\.k... U2^#.... +[0860] 80 E6 67 B1 59 EB 9D 5D 9B AD C6 0E 7D E2 FE B1 ..g.Y..] ....}... +[0870] 24 8A B1 37 1E 60 7F 83 35 48 32 F7 03 E8 12 E6 $..7.`.. 5H2..... +[0880] 21 7C 3D 21 7F 6B 14 31 9C 1A A3 4C 2B 1C 5E EC !|=!.k.1 ...L+.^. +[0890] 34 C1 2D DA 19 6C E6 6D 8D 60 D7 55 9E E6 D0 B5 4.-..l.m .`.U.... +[08A0] 07 06 72 C0 E9 4E 91 94 6B 3E 0B F1 0A 75 4D E8 ..r..N.. k>...uM. +[08B0] CB 53 6B 34 A4 2F 96 A5 39 1A 18 6E 27 00 6D 41 .Sk4./.. 9..n'.mA +[08C0] B7 D8 F5 9A E5 01 FC 0B A8 97 56 EE 98 04 1D 98 ........ ..V..... +[08D0] 84 5E 82 C8 E8 EC 17 D5 FA 96 00 3B E1 98 1C D8 .^...... ...;.... +[08E0] FA 66 A0 DC 32 60 F6 03 46 08 3C E5 16 6F F2 8B .f..2`.. F.<..o.. +[08F0] 4D 72 9F 0F E0 A9 71 6E 7C AE AA FB A3 4D F1 A1 Mr....qn |....M.. +[0900] B6 1B 9F 62 71 E1 2C 82 9B AE E3 07 9B 79 90 F1 ...bq.,. .....y.. +[0910] C2 69 E5 7E CB 57 E6 C9 1C 4E A8 C7 12 EA 4F 4C .i.~.W.. .N....OL +[0920] 52 17 03 AB D4 FD 34 60 F4 7C BE 9E 36 30 37 88 R.....4` .|..607. +[0930] 95 61 2E CF 70 AF 22 70 DB E8 AA 6E 3D 30 F7 4D .a..p."p ...n=0.M +[0940] 84 D5 00 00 00 00 00 00 00 01 00 00 00 01 00 00 ........ ........ +[0950] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[0960] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D AMPLE.CO M....adm +[0970] 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 inistrat or...... +[0980] 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[0990] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 A.EXAMPL E.COM... +[09A0] 04 63 69 66 73 00 00 00 0B 6C 6F 63 61 6C 6B 74 .cifs... .localkt +[09B0] 65 73 74 36 00 17 00 00 00 10 00 6E A1 B2 31 6D est6.... ...n..1m +[09C0] 48 C7 90 72 3A 0C 4B 8B 83 8C 4D 99 4F 6A 4D 99 H..r:.K. ..M.OjM. +[09D0] 50 85 7D 44 0B 68 00 00 00 00 00 40 28 00 00 00 P.}D.h.. ...@(... +[09E0] 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 ........ ...a...0 +[09F0] 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 ........ ....KTES +[0A00] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0A10] 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 COM..0.. ......0. +[0A20] 1B 04 63 69 66 73 1B 0B 6C 6F 63 61 6C 6B 74 65 ..cifs.. localkte +[0A30] 73 74 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 st6....0 ........ +[0A40] A1 03 02 01 02 A2 82 03 9C 04 82 03 98 C6 BB 64 ........ .......d +[0A50] A8 31 00 FC 5E 51 3C 87 F8 34 47 3B D0 6F 6F FD .1..^Q<. .4G;.oo. +[0A60] 9E A6 91 12 74 2D 44 BB AA 91 A0 2D 46 3E 9E FB ....t-D. ...-F>.. +[0A70] FB C4 FB F1 15 FD BB DA EE 06 A9 20 6A 38 DC 46 ........ ... j8.F +[0A80] 06 27 D9 A2 9D 2D 1F FD 0D 7D 8A BB 0A 7C E8 47 .'...-.. .}...|.G +[0A90] 17 BC 7B 70 E4 51 6A BA 51 68 62 28 4A 1E 51 D1 ..{p.Qj. Qhb(J.Q. +[0AA0] 0D CD 02 55 75 44 8A B9 C2 84 F4 17 34 92 9B 31 ...UuD.. ....4..1 +[0AB0] 85 9E 43 C1 0C 3A B2 69 7F 20 1A 18 1F 65 4F C0 ..C..:.i . ...eO. +[0AC0] 20 C9 B5 AF E1 61 8C 90 10 63 26 A6 5D 05 3C CD ....a.. .c&.].<. +[0AD0] 29 BB 7B 74 D5 8F 2C 7F 4B E8 84 24 57 37 8A C6 ).{t..,. K..$W7.. +[0AE0] F7 91 FD 22 9A A5 0D E9 4A 78 93 36 FC A8 8C 8A ...".... Jx.6.... +[0AF0] 27 8A C6 28 4B 7B DA 11 42 BC 09 10 81 82 14 0F '..(K{.. B....... +[0B00] 9C B8 48 26 91 78 A8 DD 97 6C 24 A1 D2 E8 85 19 ..H&.x.. .l$..... +[0B10] B3 D3 85 4D 38 C7 7D 49 55 8E 85 46 E1 EE 7B BA ...M8.}I U..F..{. +[0B20] 11 62 63 53 C5 16 4A 0C 1C 99 7C 0E FB 45 1D B4 .bcS..J. ..|..E.. +[0B30] 98 58 67 7E 40 65 4B 48 E2 89 9C 8B C2 B8 39 D1 .Xg~@eKH ......9. +[0B40] 04 C0 A8 56 E8 A1 04 7A 7A C9 60 18 A0 29 E2 DC ...V...z z.`..).. +[0B50] 82 4C 8F 18 CE 2F 14 F0 18 5B 6C FF 85 45 88 73 .L.../.. .[l..E.s +[0B60] CB A4 55 08 FC BF C7 9F 51 0A DB 2C C1 E3 3C DD ..U..... Q..,..<. +[0B70] F6 F0 A3 2D F1 3B A0 12 1D FC 2A 67 F5 1A 7F E5 ...-.;.. ..*g.... +[0B80] 7C 6C FB 8A 18 BD D1 5D E5 5E 68 30 AA 58 9E 10 |l.....] .^h0.X.. +[0B90] 13 E0 26 7E 7D C4 E1 A5 B6 86 0F 1C 0F 13 A4 5E ..&~}... .......^ +[0BA0] 5E 6A ED 42 79 31 BB B3 5F 3A 3F DD CB 63 82 FB ^j.By1.. _:?..c.. +[0BB0] 06 AE 12 36 C9 1E 06 7D 41 82 2E D2 FA 26 EC 17 ...6...} A....&.. +[0BC0] 50 5E D0 DE 26 85 30 71 BC 45 3B DA 2E 08 8D B2 P^..&.0q .E;..... +[0BD0] 2A 3C E0 79 8F 77 4C 01 69 7A 09 C7 88 E1 D1 DC *<.y.wL. iz...... +[0BE0] FF 78 DB 25 7B B1 3C BB 22 27 80 0D 75 96 18 B6 .x.%{.<. "'..u... +[0BF0] 40 95 6D C8 AB 04 05 41 A1 C4 25 71 C4 53 3A A6 @.m....A ..%q.S:. +[0C00] 9C B2 4D E6 15 2C B2 47 6C DA A8 7D CC A3 89 8B ..M..,.G l..}.... +[0C10] C9 1E 21 F5 E9 B2 42 95 68 28 AF C6 37 22 BA 30 ..!...B. h(..7".0 +[0C20] 8D 53 FA 08 0D CE CA 81 61 0D 84 A5 2D 75 BD 41 .S...... a...-u.A +[0C30] 85 4C 88 56 72 C6 B6 10 F8 34 CD B2 F4 5C 94 FA .L.Vr... .4...\.. +[0C40] 80 90 82 A0 BD 68 EC 08 32 C3 B6 51 1E 3F 67 CB .....h.. 2..Q.?g. +[0C50] 7B EB 70 83 84 D4 CB 52 55 36 61 1E 60 90 5B 6F {.p....R U6a.`.[o +[0C60] FE 9A 62 05 CF 26 8E 65 E2 60 4B ED 63 B4 C4 E6 ..b..&.e .`K.c... +[0C70] 44 B4 2F B0 B8 07 FE BE 0D 50 E4 56 A4 2E 0D 25 D./..... .P.V...% +[0C80] 76 0B 0F 44 09 20 80 E5 C4 94 63 E0 54 46 1D AB v..D. .. ..c.TF.. +[0C90] 5E 0B 09 93 B1 30 31 7B 04 DC 23 43 3B DB 7D 39 ^....01{ ..#C;.}9 +[0CA0] 67 FE 9A 1F C1 08 AF 34 24 F6 74 E4 14 DA 34 8F g......4 $.t...4. +[0CB0] 61 57 6A 7F 1D 4A 88 0A 90 78 93 F1 86 54 DB 22 aWj..J.. .x...T." +[0CC0] 86 D6 69 0F DF 44 7C D3 6B 9D 41 63 50 98 3A 97 ..i..D|. k.AcP.:. +[0CD0] B9 7B 4C 53 E3 85 73 9A C9 08 A0 75 12 50 02 87 .{LS..s. ...u.P.. +[0CE0] B0 CF CC 84 84 D9 BC FC 94 79 AF 6A A6 08 FF 19 ........ .y.j.... +[0CF0] 7E E9 22 9B EC 5C C1 6B 1D A4 B4 55 32 5E 23 C3 ~."..\.k ...U2^#. +[0D00] C0 D4 8B 80 E6 67 B1 59 EB 9D 5D 9B AD C6 0E 7D .....g.Y ..]....} +[0D10] E2 FE B1 24 8A B1 37 1E 60 7F 83 35 48 32 F7 03 ...$..7. `..5H2.. +[0D20] E8 12 E6 21 7C 3D 21 7F 6B 14 31 9C 1A A3 4C 2B ...!|=!. k.1...L+ +[0D30] 1C 5E EC 34 C1 2D DA 19 6C E6 6D 8D 60 D7 55 9E .^.4.-.. l.m.`.U. +[0D40] E6 D0 B5 07 06 72 C0 E9 4E 91 94 6B 3E 0B F1 0A .....r.. N..k>... +[0D50] 75 4D E8 CB 53 6B 34 A4 2F 96 A5 39 1A 18 6E 27 uM..Sk4. /..9..n' +[0D60] 00 6D 41 B7 D8 F5 9A E5 01 FC 0B A8 97 56 EE 98 .mA..... .....V.. +[0D70] 04 1D 98 84 5E 82 C8 E8 EC 17 D5 FA 96 00 3B E1 ....^... ......;. +[0D80] 98 1C D8 FA 66 A0 DC 32 60 F6 03 46 08 3C E5 16 ....f..2 `..F.<.. +[0D90] 6F F2 8B 4D 72 9F 0F E0 A9 71 6E 7C AE AA FB A3 o..Mr... .qn|.... +[0DA0] 4D F1 A1 B6 1B 9F 62 71 E1 2C 82 9B AE E3 07 9B M.....bq .,...... +[0DB0] 79 90 F1 C2 69 E5 7E CB 57 E6 C9 1C 4E A8 C7 12 y...i.~. W...N... +[0DC0] EA 4F 4C 52 17 03 AB D4 FD 34 60 F4 7C BE 9E 36 .OLR.... .4`.|..6 +[0DD0] 30 37 88 95 61 2E CF 70 AF 22 70 DB E8 AA 6E 3D 07..a..p ."p...n= +[0DE0] 30 F7 4D 84 D5 00 00 00 00 00 00 00 01 00 00 00 0.M..... ........ +[0DF0] 01 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[0E00] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D .EXAMPLE .COM.... +[0E10] 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 administ rator... +[0E20] 01 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 ........ .KTEST.S +[0E30] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM +[0E40] 00 00 00 04 63 69 66 73 00 00 00 0B 4C 4F 43 41 ....cifs ....LOCA +[0E50] 4C 4B 54 45 53 54 36 00 17 00 00 00 10 1D C8 5E LKTEST6. .......^ +[0E60] 46 48 82 F9 29 DB C6 A6 F1 72 6D 8D E9 4D 99 4F FH..)... .rm..M.O +[0E70] 6A 4D 99 85 09 7D 44 0B 68 00 00 00 00 00 40 28 jM...}D. h.....@( +[0E80] 00 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 ........ ......a. +[0E90] 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B ..0..... .......K +[0EA0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[0EB0] 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 LE.COM.. 0....... +[0EC0] 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F 43 41 4C .0...cif s..LOCAL +[0ED0] 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 KTEST6.. ..0..... +[0EE0] 02 01 17 A1 03 02 01 02 A2 82 03 9C 04 82 03 98 ........ ........ +[0EF0] 66 D8 19 46 FA CB 73 2D CF 88 FD 4A EE 07 48 DA f..F..s- ...J..H. +[0F00] 0E BC 58 30 43 40 A4 9C 00 0F 3B 17 C1 2D F5 9C ..X0C@.. ..;..-.. +[0F10] 3E D9 2F 1D CA 01 9B D7 2E EC D7 70 ED 8B 8B 1B >./..... ...p.... +[0F20] 5E F2 4E EE DD 0F C0 8D 61 E5 D7 0A 56 00 32 B1 ^.N..... a...V.2. +[0F30] DB 91 37 29 0F 2F 85 EE A8 43 BA A5 B8 D4 19 74 ..7)./.. .C.....t +[0F40] 33 F0 69 52 E1 58 98 83 D6 16 0B 44 A9 63 9B D4 3.iR.X.. ...D.c.. +[0F50] 4E 6E A7 3E CD 9A 96 4D C4 96 F5 07 6D 29 B6 ED Nn.>...M ....m).. +[0F60] 2A 62 3D 53 22 33 D1 95 E9 DF 74 4C 2A E2 29 AF *b=S"3.. ..tL*.). +[0F70] 5B 69 B0 48 2D AD 94 FD A5 1D 54 D8 E2 5E C1 68 [i.H-... ..T..^.h +[0F80] 6F BA 02 01 79 C3 C9 97 0B 76 66 45 E2 3B 10 17 o...y... .vfE.;.. +[0F90] 95 40 46 E4 85 B9 87 BB CF CF 19 8C 3A C0 EA 38 .@F..... ....:..8 +[0FA0] 3B B9 E9 4B 05 89 E5 27 8C 62 95 BC 0D 65 F0 D2 ;..K...' .b...e.. +[0FB0] C0 5E BC 65 01 D5 0B CB 17 31 0F 06 49 4F A2 4A .^.e.... .1..IO.J +[0FC0] 70 77 DB BD 92 5B 37 5C EC 06 DF C5 E2 31 C8 40 pw...[7\ .....1.@ +[0FD0] 09 11 68 14 E7 7D CE 54 4F 52 61 31 2C 1C 53 52 ..h..}.T ORa1,.SR +[0FE0] DB BE D8 95 39 EE 7D C6 CE C8 22 95 92 97 97 3D ....9.}. .."....= +[0FF0] 5E 66 0F AD DC C2 4E 2E 2B 9F 63 20 30 DF B7 C1 ^f....N. +.c 0... +[1000] D4 65 AA 6F 2D 10 24 07 20 8D 88 6E 4B 09 04 31 .e.o-.$. ..nK..1 +[1010] B6 A3 EB F7 37 32 0E 0C 73 C6 F6 B8 4D D9 0C 4C ....72.. s...M..L +[1020] 5B EC 10 6A 51 19 EA 3F FF 46 E7 73 16 A7 1F 33 [..jQ..? .F.s...3 +[1030] 98 7C 9B AD 5A 23 A9 40 7C 0F DF EE 0F AA C7 E8 .|..Z#.@ |....... +[1040] 63 07 98 3A 4A 0D 18 62 01 21 B2 AE A5 69 B0 C1 c..:J..b .!...i.. +[1050] 15 51 BA 97 D2 C5 42 5B C5 30 38 18 A9 48 AB D7 .Q....B[ .08..H.. +[1060] FC A1 BC 9F 71 E7 EA 18 54 42 DA D6 A4 FC C1 DC ....q... TB...... +[1070] F3 12 30 62 AC 98 E1 7D 2B 34 1E 52 4C 26 67 32 ..0b...} +4.RL&g2 +[1080] D9 44 1A 08 27 0E DA D0 FC 84 66 35 81 D6 EB 98 .D..'... ..f5.... +[1090] 46 6F 1E 47 E0 14 31 BE 47 80 65 AA 0B 20 D6 33 Fo.G..1. G.e.. .3 +[10A0] 36 3B 0D 40 2F 5A 2E 0E 01 BE 00 EB 33 3E 4B 32 6;.@/Z.. ....3>K2 +[10B0] 91 F4 22 96 E5 5F D4 D5 92 94 CC 5B 59 6A 3E D2 ..".._.. ...[Yj>. +[10C0] FB A0 4F 99 C4 07 8B 6F 2B 14 37 CD 37 44 C0 1F ..O....o +.7.7D.. +[10D0] 80 9C 43 46 F2 5E F4 FE D3 39 70 61 BE 72 5B 3A ..CF.^.. .9pa.r[: +[10E0] 8F 37 95 78 1E AB D9 E7 E9 DA FC 47 09 81 A0 0D .7.x.... ...G.... +[10F0] 62 E1 F9 34 36 D1 DB E6 98 D8 F4 3E 77 5A 4D E2 b..46... ...>wZM. +[1100] 5F 20 70 3D 3D 5B 34 D9 FD A8 31 F7 D9 59 F7 A3 _ p==[4. ..1..Y.. +[1110] F0 66 F7 D9 AD 1C CD D5 85 33 A0 87 22 31 D4 F3 .f...... .3.."1.. +[1120] 67 80 68 20 A2 90 72 7A 6F 64 FD 68 82 9E 91 B8 g.h ..rz od.h.... +[1130] E3 F7 6D 6C 38 74 F0 96 A2 F6 25 D7 92 58 14 60 ..ml8t.. ..%..X.` +[1140] 9F AE 01 4C 0C 09 67 3E 35 67 71 1E 2A 86 21 D3 ...L..g> 5gq.*.!. +[1150] 60 61 98 16 94 67 0B 52 76 63 93 BD A3 3B A9 F0 `a...g.R vc...;.. +[1160] A2 6A B7 E6 0F 35 64 DA 6A EA 20 A6 3D 94 71 59 .j...5d. j. .=.qY +[1170] 5E CB B2 D3 F9 4D FE 1B 4B D8 64 C8 3B 7A A8 E6 ^....M.. K.d.;z.. +[1180] D2 D5 76 71 26 D4 5C DA 1A 55 17 F2 16 C9 2F 77 ..vq&.\. .U..../w +[1190] DB 95 19 48 A5 AC D0 C3 31 9C 0A CC 1B 44 11 6B ...H.... 1....D.k +[11A0] 7C 88 7A 5D CF 6E 12 DA EF C5 C7 34 1D F4 CC EA |.z].n.. ...4.... +[11B0] 37 24 4B B3 0F C1 A3 F2 29 A0 D8 93 39 C6 16 57 7$K..... )...9..W +[11C0] D5 BF 57 BF 6C 7E F7 90 E0 EB A3 8B 07 56 9C EC ..W.l~.. .....V.. +[11D0] 15 3E 21 DA A5 7C 00 3C F9 D2 A7 1C 6F 16 25 31 .>!..|.< ....o.%1 +[11E0] C5 28 A7 EA F3 47 31 50 DD E1 ED 0A 93 DB 85 CC .(...G1P ........ +[11F0] 6B 4B 2C 7F E8 F8 2D A9 6D 1D 0A 87 F2 10 8C 82 kK,...-. m....... +[1200] 2F 9B D4 9B 92 8C 77 40 50 42 1E 42 C4 0A 4F E3 /.....w@ PB.B..O. +[1210] 6C 6C DC 81 C4 1E BB F0 7D CF 3C 73 22 5B C3 1A ll...... }..x K....%J. +[1240] 1E 6C 8F 01 D6 59 D7 CF 2E A0 CC 98 F6 75 28 2F .l...Y.. .....u(/ +[1250] F7 2A 70 28 A9 45 1F 75 C2 4E 62 ED D8 C4 A0 8D .*p(.E.u .Nb..... +[1260] 55 B2 84 1C A4 CE 87 EF 24 EE BC CE 40 09 EB 05 U....... $...@... +[1270] 0B D1 14 31 50 32 2F B6 A8 97 17 4B A7 95 01 50 ...1P2/. ...K...P +[1280] 6E 0E 23 49 9C 72 21 91 00 00 00 00 00 00 00 01 n.#I.r!. ........ +[1290] 00 00 00 01 00 00 00 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA +[12A0] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 MBA.EXAM PLE.COM. +[12B0] 00 00 0D 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 ...admin istrator +[12C0] 00 00 00 01 00 00 00 02 00 00 00 17 4B 54 45 53 ........ ....KTES +[12D0] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[12E0] 43 4F 4D 00 00 00 04 63 69 66 73 00 00 00 0B 4C COM....c ifs....L +[12F0] 4F 43 41 4C 4B 54 45 53 54 36 00 17 00 00 00 10 OCALKTES T6...... +[1300] 1D C8 5E 46 48 82 F9 29 DB C6 A6 F1 72 6D 8D E9 ..^FH..) ....rm.. +[1310] 4D 99 4F 6A 4D 99 85 09 7D 44 0B 68 00 00 00 00 M.OjM... }D.h.... +[1320] 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 03 .@(..... ........ +[1330] FA 61 82 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 .a...0.. ........ +[1340] 1B 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[1350] 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 AMPLE.CO M..0.... +[1360] 01 01 A1 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F ....0... cifs..LO +[1370] 43 41 4C 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 CALKTEST 6....0.. +[1380] AA A0 03 02 01 17 A1 03 02 01 02 A2 82 03 9C 04 ........ ........ +[1390] 82 03 98 66 D8 19 46 FA CB 73 2D CF 88 FD 4A EE ...f..F. .s-...J. +[13A0] 07 48 DA 0E BC 58 30 43 40 A4 9C 00 0F 3B 17 C1 .H...X0C @....;.. +[13B0] 2D F5 9C 3E D9 2F 1D CA 01 9B D7 2E EC D7 70 ED -..>./.. ......p. +[13C0] 8B 8B 1B 5E F2 4E EE DD 0F C0 8D 61 E5 D7 0A 56 ...^.N.. ...a...V +[13D0] 00 32 B1 DB 91 37 29 0F 2F 85 EE A8 43 BA A5 B8 .2...7). /...C... +[13E0] D4 19 74 33 F0 69 52 E1 58 98 83 D6 16 0B 44 A9 ..t3.iR. X.....D. +[13F0] 63 9B D4 4E 6E A7 3E CD 9A 96 4D C4 96 F5 07 6D c..Nn.>. ..M....m +[1400] 29 B6 ED 2A 62 3D 53 22 33 D1 95 E9 DF 74 4C 2A )..*b=S" 3....tL* +[1410] E2 29 AF 5B 69 B0 48 2D AD 94 FD A5 1D 54 D8 E2 .).[i.H- .....T.. +[1420] 5E C1 68 6F BA 02 01 79 C3 C9 97 0B 76 66 45 E2 ^.ho...y ....vfE. +[1430] 3B 10 17 95 40 46 E4 85 B9 87 BB CF CF 19 8C 3A ;...@F.. .......: +[1440] C0 EA 38 3B B9 E9 4B 05 89 E5 27 8C 62 95 BC 0D ..8;..K. ..'.b... +[1450] 65 F0 D2 C0 5E BC 65 01 D5 0B CB 17 31 0F 06 49 e...^.e. ....1..I +[1460] 4F A2 4A 70 77 DB BD 92 5B 37 5C EC 06 DF C5 E2 O.Jpw... [7\..... +[1470] 31 C8 40 09 11 68 14 E7 7D CE 54 4F 52 61 31 2C 1.@..h.. }.TORa1, +[1480] 1C 53 52 DB BE D8 95 39 EE 7D C6 CE C8 22 95 92 .SR....9 .}...".. +[1490] 97 97 3D 5E 66 0F AD DC C2 4E 2E 2B 9F 63 20 30 ..=^f... .N.+.c 0 +[14A0] DF B7 C1 D4 65 AA 6F 2D 10 24 07 20 8D 88 6E 4B ....e.o- .$. ..nK +[14B0] 09 04 31 B6 A3 EB F7 37 32 0E 0C 73 C6 F6 B8 4D ..1....7 2..s...M +[14C0] D9 0C 4C 5B EC 10 6A 51 19 EA 3F FF 46 E7 73 16 ..L[..jQ ..?.F.s. +[14D0] A7 1F 33 98 7C 9B AD 5A 23 A9 40 7C 0F DF EE 0F ..3.|..Z #.@|.... +[14E0] AA C7 E8 63 07 98 3A 4A 0D 18 62 01 21 B2 AE A5 ...c..:J ..b.!... +[14F0] 69 B0 C1 15 51 BA 97 D2 C5 42 5B C5 30 38 18 A9 i...Q... .B[.08.. +[1500] 48 AB D7 FC A1 BC 9F 71 E7 EA 18 54 42 DA D6 A4 H......q ...TB... +[1510] FC C1 DC F3 12 30 62 AC 98 E1 7D 2B 34 1E 52 4C .....0b. ..}+4.RL +[1520] 26 67 32 D9 44 1A 08 27 0E DA D0 FC 84 66 35 81 &g2.D..' .....f5. +[1530] D6 EB 98 46 6F 1E 47 E0 14 31 BE 47 80 65 AA 0B ...Fo.G. .1.G.e.. +[1540] 20 D6 33 36 3B 0D 40 2F 5A 2E 0E 01 BE 00 EB 33 .36;.@/ Z......3 +[1550] 3E 4B 32 91 F4 22 96 E5 5F D4 D5 92 94 CC 5B 59 >K2..".. _.....[Y +[1560] 6A 3E D2 FB A0 4F 99 C4 07 8B 6F 2B 14 37 CD 37 j>...O.. ..o+.7.7 +[1570] 44 C0 1F 80 9C 43 46 F2 5E F4 FE D3 39 70 61 BE D....CF. ^...9pa. +[1580] 72 5B 3A 8F 37 95 78 1E AB D9 E7 E9 DA FC 47 09 r[:.7.x. ......G. +[1590] 81 A0 0D 62 E1 F9 34 36 D1 DB E6 98 D8 F4 3E 77 ...b..46 ......>w +[15A0] 5A 4D E2 5F 20 70 3D 3D 5B 34 D9 FD A8 31 F7 D9 ZM._ p== [4...1.. +[15B0] 59 F7 A3 F0 66 F7 D9 AD 1C CD D5 85 33 A0 87 22 Y...f... ....3.." +[15C0] 31 D4 F3 67 80 68 20 A2 90 72 7A 6F 64 FD 68 82 1..g.h . .rzod.h. +[15D0] 9E 91 B8 E3 F7 6D 6C 38 74 F0 96 A2 F6 25 D7 92 .....ml8 t....%.. +[15E0] 58 14 60 9F AE 01 4C 0C 09 67 3E 35 67 71 1E 2A X.`...L. .g>5gq.* +[15F0] 86 21 D3 60 61 98 16 94 67 0B 52 76 63 93 BD A3 .!.`a... g.Rvc... +[1600] 3B A9 F0 A2 6A B7 E6 0F 35 64 DA 6A EA 20 A6 3D ;...j... 5d.j. .= +[1610] 94 71 59 5E CB B2 D3 F9 4D FE 1B 4B D8 64 C8 3B .qY^.... M..K.d.; +[1620] 7A A8 E6 D2 D5 76 71 26 D4 5C DA 1A 55 17 F2 16 z....vq& .\..U... +[1630] C9 2F 77 DB 95 19 48 A5 AC D0 C3 31 9C 0A CC 1B ./w...H. ...1.... +[1640] 44 11 6B 7C 88 7A 5D CF 6E 12 DA EF C5 C7 34 1D D.k|.z]. n.....4. +[1650] F4 CC EA 37 24 4B B3 0F C1 A3 F2 29 A0 D8 93 39 ...7$K.. ...)...9 +[1660] C6 16 57 D5 BF 57 BF 6C 7E F7 90 E0 EB A3 8B 07 ..W..W.l ~....... +[1670] 56 9C EC 15 3E 21 DA A5 7C 00 3C F9 D2 A7 1C 6F V...>!.. |.<....o +[1680] 16 25 31 C5 28 A7 EA F3 47 31 50 DD E1 ED 0A 93 .%1.(... G1P..... +[1690] DB 85 CC 6B 4B 2C 7F E8 F8 2D A9 6D 1D 0A 87 F2 ...kK,.. .-.m.... +[16A0] 10 8C 82 2F 9B D4 9B 92 8C 77 40 50 42 1E 42 C4 .../.... .w@PB.B. +[16B0] 0A 4F E3 6C 6C DC 81 C4 1E BB F0 7D CF 3C 73 22 .O.ll... ...}..xK.... +[16E0] 25 4A 92 1E 6C 8F 01 D6 59 D7 CF 2E A0 CC 98 F6 %J..l... Y....... +[16F0] 75 28 2F F7 2A 70 28 A9 45 1F 75 C2 4E 62 ED D8 u(/.*p(. E.u.Nb.. +[1700] C4 A0 8D 55 B2 84 1C A4 CE 87 EF 24 EE BC CE 40 ...U.... ...$...@ +[1710] 09 EB 05 0B D1 14 31 50 32 2F B6 A8 97 17 4B A7 ......1P 2/....K. +[1720] 95 01 50 6E 0E 23 49 9C 72 21 91 00 00 00 00 00 ..Pn.#I. r!...... +[1730] 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 54 ........ ...KTEST +[1740] 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 .SAMBA.E XAMPLE.C +[1750] 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 61 OM....ad ministra +[1760] 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 4B tor..... .......K +[1770] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[1780] 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 73 00 00 LE.COM.. ..cifs.. +[1790] 00 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 00 17 00 ..LOCALK TEST6... +[17A0] 00 00 10 1D C8 5E 46 48 82 F9 29 DB C6 A6 F1 72 .....^FH ..)....r +[17B0] 6D 8D E9 4D 99 4F 6A 4D 99 85 09 7D 44 0B 68 00 m..M.OjM ...}D.h. +[17C0] 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 00 ....@(.. ........ +[17D0] 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 01 ....a... 0....... +[17E0] 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[17F0] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 1C .EXAMPLE .COM..0. +[1800] A0 03 02 01 01 A1 15 30 13 1B 04 63 69 66 73 1B .......0 ...cifs. +[1810] 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 A3 82 03 AE .LOCALKT EST6.... +[1820] 30 82 03 AA A0 03 02 01 17 A1 03 02 01 02 A2 82 0....... ........ +[1830] 03 9C 04 82 03 98 66 D8 19 46 FA CB 73 2D CF 88 ......f. .F..s-.. +[1840] FD 4A EE 07 48 DA 0E BC 58 30 43 40 A4 9C 00 0F .J..H... X0C@.... +[1850] 3B 17 C1 2D F5 9C 3E D9 2F 1D CA 01 9B D7 2E EC ;..-..>. /....... +[1860] D7 70 ED 8B 8B 1B 5E F2 4E EE DD 0F C0 8D 61 E5 .p....^. N.....a. +[1870] D7 0A 56 00 32 B1 DB 91 37 29 0F 2F 85 EE A8 43 ..V.2... 7)./...C +[1880] BA A5 B8 D4 19 74 33 F0 69 52 E1 58 98 83 D6 16 .....t3. iR.X.... +[1890] 0B 44 A9 63 9B D4 4E 6E A7 3E CD 9A 96 4D C4 96 .D.c..Nn .>...M.. +[18A0] F5 07 6D 29 B6 ED 2A 62 3D 53 22 33 D1 95 E9 DF ..m)..*b =S"3.... +[18B0] 74 4C 2A E2 29 AF 5B 69 B0 48 2D AD 94 FD A5 1D tL*.).[i .H-..... +[18C0] 54 D8 E2 5E C1 68 6F BA 02 01 79 C3 C9 97 0B 76 T..^.ho. ..y....v +[18D0] 66 45 E2 3B 10 17 95 40 46 E4 85 B9 87 BB CF CF fE.;...@ F....... +[18E0] 19 8C 3A C0 EA 38 3B B9 E9 4B 05 89 E5 27 8C 62 ..:..8;. .K...'.b +[18F0] 95 BC 0D 65 F0 D2 C0 5E BC 65 01 D5 0B CB 17 31 ...e...^ .e.....1 +[1900] 0F 06 49 4F A2 4A 70 77 DB BD 92 5B 37 5C EC 06 ..IO.Jpw ...[7\.. +[1910] DF C5 E2 31 C8 40 09 11 68 14 E7 7D CE 54 4F 52 ...1.@.. h..}.TOR +[1920] 61 31 2C 1C 53 52 DB BE D8 95 39 EE 7D C6 CE C8 a1,.SR.. ..9.}... +[1930] 22 95 92 97 97 3D 5E 66 0F AD DC C2 4E 2E 2B 9F "....=^f ....N.+. +[1940] 63 20 30 DF B7 C1 D4 65 AA 6F 2D 10 24 07 20 8D c 0....e .o-.$. . +[1950] 88 6E 4B 09 04 31 B6 A3 EB F7 37 32 0E 0C 73 C6 .nK..1.. ..72..s. +[1960] F6 B8 4D D9 0C 4C 5B EC 10 6A 51 19 EA 3F FF 46 ..M..L[. .jQ..?.F +[1970] E7 73 16 A7 1F 33 98 7C 9B AD 5A 23 A9 40 7C 0F .s...3.| ..Z#.@|. +[1980] DF EE 0F AA C7 E8 63 07 98 3A 4A 0D 18 62 01 21 ......c. .:J..b.! +[1990] B2 AE A5 69 B0 C1 15 51 BA 97 D2 C5 42 5B C5 30 ...i...Q ....B[.0 +[19A0] 38 18 A9 48 AB D7 FC A1 BC 9F 71 E7 EA 18 54 42 8..H.... ..q...TB +[19B0] DA D6 A4 FC C1 DC F3 12 30 62 AC 98 E1 7D 2B 34 ........ 0b...}+4 +[19C0] 1E 52 4C 26 67 32 D9 44 1A 08 27 0E DA D0 FC 84 .RL&g2.D ..'..... +[19D0] 66 35 81 D6 EB 98 46 6F 1E 47 E0 14 31 BE 47 80 f5....Fo .G..1.G. +[19E0] 65 AA 0B 20 D6 33 36 3B 0D 40 2F 5A 2E 0E 01 BE e.. .36; .@/Z.... +[19F0] 00 EB 33 3E 4B 32 91 F4 22 96 E5 5F D4 D5 92 94 ..3>K2.. ".._.... +[1A00] CC 5B 59 6A 3E D2 FB A0 4F 99 C4 07 8B 6F 2B 14 .[Yj>... O....o+. +[1A10] 37 CD 37 44 C0 1F 80 9C 43 46 F2 5E F4 FE D3 39 7.7D.... CF.^...9 +[1A20] 70 61 BE 72 5B 3A 8F 37 95 78 1E AB D9 E7 E9 DA pa.r[:.7 .x...... +[1A30] FC 47 09 81 A0 0D 62 E1 F9 34 36 D1 DB E6 98 D8 .G....b. .46..... +[1A40] F4 3E 77 5A 4D E2 5F 20 70 3D 3D 5B 34 D9 FD A8 .>wZM._ p==[4... +[1A50] 31 F7 D9 59 F7 A3 F0 66 F7 D9 AD 1C CD D5 85 33 1..Y...f .......3 +[1A60] A0 87 22 31 D4 F3 67 80 68 20 A2 90 72 7A 6F 64 .."1..g. h ..rzod +[1A70] FD 68 82 9E 91 B8 E3 F7 6D 6C 38 74 F0 96 A2 F6 .h...... ml8t.... +[1A80] 25 D7 92 58 14 60 9F AE 01 4C 0C 09 67 3E 35 67 %..X.`.. .L..g>5g +[1A90] 71 1E 2A 86 21 D3 60 61 98 16 94 67 0B 52 76 63 q.*.!.`a ...g.Rvc +[1AA0] 93 BD A3 3B A9 F0 A2 6A B7 E6 0F 35 64 DA 6A EA ...;...j ...5d.j. +[1AB0] 20 A6 3D 94 71 59 5E CB B2 D3 F9 4D FE 1B 4B D8 .=.qY^. ...M..K. +[1AC0] 64 C8 3B 7A A8 E6 D2 D5 76 71 26 D4 5C DA 1A 55 d.;z.... vq&.\..U +[1AD0] 17 F2 16 C9 2F 77 DB 95 19 48 A5 AC D0 C3 31 9C ..../w.. .H....1. +[1AE0] 0A CC 1B 44 11 6B 7C 88 7A 5D CF 6E 12 DA EF C5 ...D.k|. z].n.... +[1AF0] C7 34 1D F4 CC EA 37 24 4B B3 0F C1 A3 F2 29 A0 .4....7$ K.....). +[1B00] D8 93 39 C6 16 57 D5 BF 57 BF 6C 7E F7 90 E0 EB ..9..W.. W.l~.... +[1B10] A3 8B 07 56 9C EC 15 3E 21 DA A5 7C 00 3C F9 D2 ...V...> !..|.<.. +[1B20] A7 1C 6F 16 25 31 C5 28 A7 EA F3 47 31 50 DD E1 ..o.%1.( ...G1P.. +[1B30] ED 0A 93 DB 85 CC 6B 4B 2C 7F E8 F8 2D A9 6D 1D ......kK ,...-.m. +[1B40] 0A 87 F2 10 8C 82 2F 9B D4 9B 92 8C 77 40 50 42 ....../. ....w@PB +[1B50] 1E 42 C4 0A 4F E3 6C 6C DC 81 C4 1E BB F0 7D CF .B..O.ll ......}. +[1B60] 3C 73 22 5B C3 1A 97 35 EE 3A CD 6D F3 68 A3 C5 .xK. +[1B80] 18 9F A5 25 4A 92 1E 6C 8F 01 D6 59 D7 CF 2E A0 ...%J..l ...Y.... +[1B90] CC 98 F6 75 28 2F F7 2A 70 28 A9 45 1F 75 C2 4E ...u(/.* p(.E.u.N +[1BA0] 62 ED D8 C4 A0 8D 55 B2 84 1C A4 CE 87 EF 24 EE b.....U. ......$. +[1BB0] BC CE 40 09 EB 05 0B D1 14 31 50 32 2F B6 A8 97 ..@..... .1P2/... +[1BC0] 17 4B A7 95 01 50 6E 0E 23 49 9C 72 21 91 00 00 .K...Pn. #I.r!... +[1BD0] 00 00 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 ........ ......KT +[1BE0] 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C EST.SAMB A.EXAMPL +[1BF0] 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 E.COM... .adminis +[1C00] 74 72 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 trator.. ........ +[1C10] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[1C20] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 AMPLE.CO M....cif +[1C30] 73 00 00 00 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 s....LOC ALKTEST6 +[1C40] 00 17 00 00 00 10 1D C8 5E 46 48 82 F9 29 DB C6 ........ ^FH..).. +[1C50] A6 F1 72 6D 8D E9 4D 99 4F 6A 4D 99 85 09 7D 44 ..rm..M. OjM...}D +[1C60] 0B 68 00 00 00 00 00 40 28 00 00 00 00 00 00 00 .h.....@ (....... +[1C70] 00 00 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 .......a ...0.... +[1C80] 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA +[1C90] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 MBA.EXAM PLE.COM. +[1CA0] 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 69 .0...... ..0...ci +[1CB0] 66 73 1B 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 A3 fs..LOCA LKTEST6. +[1CC0] 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 ...0.... ........ +[1CD0] 02 A2 82 03 9C 04 82 03 98 66 D8 19 46 FA CB 73 ........ .f..F..s +[1CE0] 2D CF 88 FD 4A EE 07 48 DA 0E BC 58 30 43 40 A4 -...J..H ...X0C@. +[1CF0] 9C 00 0F 3B 17 C1 2D F5 9C 3E D9 2F 1D CA 01 9B ...;..-. .>./.... +[1D00] D7 2E EC D7 70 ED 8B 8B 1B 5E F2 4E EE DD 0F C0 ....p... .^.N.... +[1D10] 8D 61 E5 D7 0A 56 00 32 B1 DB 91 37 29 0F 2F 85 .a...V.2 ...7)./. +[1D20] EE A8 43 BA A5 B8 D4 19 74 33 F0 69 52 E1 58 98 ..C..... t3.iR.X. +[1D30] 83 D6 16 0B 44 A9 63 9B D4 4E 6E A7 3E CD 9A 96 ....D.c. .Nn.>... +[1D40] 4D C4 96 F5 07 6D 29 B6 ED 2A 62 3D 53 22 33 D1 M....m). .*b=S"3. +[1D50] 95 E9 DF 74 4C 2A E2 29 AF 5B 69 B0 48 2D AD 94 ...tL*.) .[i.H-.. +[1D60] FD A5 1D 54 D8 E2 5E C1 68 6F BA 02 01 79 C3 C9 ...T..^. ho...y.. +[1D70] 97 0B 76 66 45 E2 3B 10 17 95 40 46 E4 85 B9 87 ..vfE.;. ..@F.... +[1D80] BB CF CF 19 8C 3A C0 EA 38 3B B9 E9 4B 05 89 E5 .....:.. 8;..K... +[1D90] 27 8C 62 95 BC 0D 65 F0 D2 C0 5E BC 65 01 D5 0B '.b...e. ..^.e... +[1DA0] CB 17 31 0F 06 49 4F A2 4A 70 77 DB BD 92 5B 37 ..1..IO. Jpw...[7 +[1DB0] 5C EC 06 DF C5 E2 31 C8 40 09 11 68 14 E7 7D CE \.....1. @..h..}. +[1DC0] 54 4F 52 61 31 2C 1C 53 52 DB BE D8 95 39 EE 7D TORa1,.S R....9.} +[1DD0] C6 CE C8 22 95 92 97 97 3D 5E 66 0F AD DC C2 4E ...".... =^f....N +[1DE0] 2E 2B 9F 63 20 30 DF B7 C1 D4 65 AA 6F 2D 10 24 .+.c 0.. ..e.o-.$ +[1DF0] 07 20 8D 88 6E 4B 09 04 31 B6 A3 EB F7 37 32 0E . ..nK.. 1....72. +[1E00] 0C 73 C6 F6 B8 4D D9 0C 4C 5B EC 10 6A 51 19 EA .s...M.. L[..jQ.. +[1E10] 3F FF 46 E7 73 16 A7 1F 33 98 7C 9B AD 5A 23 A9 ?.F.s... 3.|..Z#. +[1E20] 40 7C 0F DF EE 0F AA C7 E8 63 07 98 3A 4A 0D 18 @|...... .c..:J.. +[1E30] 62 01 21 B2 AE A5 69 B0 C1 15 51 BA 97 D2 C5 42 b.!...i. ..Q....B +[1E40] 5B C5 30 38 18 A9 48 AB D7 FC A1 BC 9F 71 E7 EA [.08..H. .....q.. +[1E50] 18 54 42 DA D6 A4 FC C1 DC F3 12 30 62 AC 98 E1 .TB..... ...0b... +[1E60] 7D 2B 34 1E 52 4C 26 67 32 D9 44 1A 08 27 0E DA }+4.RL&g 2.D..'.. +[1E70] D0 FC 84 66 35 81 D6 EB 98 46 6F 1E 47 E0 14 31 ...f5... .Fo.G..1 +[1E80] BE 47 80 65 AA 0B 20 D6 33 36 3B 0D 40 2F 5A 2E .G.e.. . 36;.@/Z. +[1E90] 0E 01 BE 00 EB 33 3E 4B 32 91 F4 22 96 E5 5F D4 .....3>K 2..".._. +[1EA0] D5 92 94 CC 5B 59 6A 3E D2 FB A0 4F 99 C4 07 8B ....[Yj> ...O.... +[1EB0] 6F 2B 14 37 CD 37 44 C0 1F 80 9C 43 46 F2 5E F4 o+.7.7D. ...CF.^. +[1EC0] FE D3 39 70 61 BE 72 5B 3A 8F 37 95 78 1E AB D9 ..9pa.r[ :.7.x... +[1ED0] E7 E9 DA FC 47 09 81 A0 0D 62 E1 F9 34 36 D1 DB ....G... .b..46.. +[1EE0] E6 98 D8 F4 3E 77 5A 4D E2 5F 20 70 3D 3D 5B 34 ....>wZM ._ p==[4 +[1EF0] D9 FD A8 31 F7 D9 59 F7 A3 F0 66 F7 D9 AD 1C CD ...1..Y. ..f..... +[1F00] D5 85 33 A0 87 22 31 D4 F3 67 80 68 20 A2 90 72 ..3.."1. .g.h ..r +[1F10] 7A 6F 64 FD 68 82 9E 91 B8 E3 F7 6D 6C 38 74 F0 zod.h... ...ml8t. +[1F20] 96 A2 F6 25 D7 92 58 14 60 9F AE 01 4C 0C 09 67 ...%..X. `...L..g +[1F30] 3E 35 67 71 1E 2A 86 21 D3 60 61 98 16 94 67 0B >5gq.*.! .`a...g. +[1F40] 52 76 63 93 BD A3 3B A9 F0 A2 6A B7 E6 0F 35 64 Rvc...;. ..j...5d +[1F50] DA 6A EA 20 A6 3D 94 71 59 5E CB B2 D3 F9 4D FE .j. .=.q Y^....M. +[1F60] 1B 4B D8 64 C8 3B 7A A8 E6 D2 D5 76 71 26 D4 5C .K.d.;z. ...vq&.\ +[1F70] DA 1A 55 17 F2 16 C9 2F 77 DB 95 19 48 A5 AC D0 ..U..../ w...H... +[1F80] C3 31 9C 0A CC 1B 44 11 6B 7C 88 7A 5D CF 6E 12 .1....D. k|.z].n. +[1F90] DA EF C5 C7 34 1D F4 CC EA 37 24 4B B3 0F C1 A3 ....4... .7$K.... +[1FA0] F2 29 A0 D8 93 39 C6 16 57 D5 BF 57 BF 6C 7E F7 .)...9.. W..W.l~. +[1FB0] 90 E0 EB A3 8B 07 56 9C EC 15 3E 21 DA A5 7C 00 ......V. ..>!..|. +[1FC0] 3C F9 D2 A7 1C 6F 16 25 31 C5 28 A7 EA F3 47 31 <....o.% 1.(...G1 +[1FD0] 50 DD E1 ED 0A 93 DB 85 CC 6B 4B 2C 7F E8 F8 2D P....... .kK,...- +[1FE0] A9 6D 1D 0A 87 F2 10 8C 82 2F 9B D4 9B 92 8C 77 .m...... ./.....w +[1FF0] 40 50 42 1E 42 C4 0A 4F E3 6C 6C DC 81 C4 1E BB @PB.B..O .ll..... +[2000] F0 7D CF 3C 73 22 5B C3 1A 97 35 EE 3A CD 6D F3 .}.. +[2020] 78 4B BF 18 9F A5 25 4A 92 1E 6C 8F 01 D6 59 D7 xK....%J ..l...Y. +[2030] CF 2E A0 CC 98 F6 75 28 2F F7 2A 70 28 A9 45 1F ......u( /.*p(.E. +[2040] 75 C2 4E 62 ED D8 C4 A0 8D 55 B2 84 1C A4 CE 87 u.Nb.... .U...... +[2050] EF 24 EE BC CE 40 09 EB 05 0B D1 14 31 50 32 2F .$...@.. ....1P2/ +[2060] B6 A8 97 17 4B A7 95 01 50 6E 0E 23 49 9C 72 21 ....K... Pn.#I.r! +[2070] 91 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 ........ ........ +[2080] 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 .KTEST.S AMBA.EXA +[2090] 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 MPLE.COM ....admi +[20A0] 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 00 nistrato r....... +[20B0] 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[20C0] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 .EXAMPLE .COM.... +[20D0] 68 6F 73 74 00 00 00 0B 6C 6F 63 61 6C 6B 74 65 host.... localkte +[20E0] 73 74 36 00 17 00 00 00 10 72 47 04 38 B6 E6 F0 st6..... .rG.8... +[20F0] 44 9E 9F 27 66 E1 69 9C 9A 4D 99 4F 6A 4D 99 90 D..'f.i. .M.OjM.. +[2100] F5 7D 44 0B 68 00 00 00 00 00 40 28 00 00 00 00 .}D.h... ..@(.... +[2110] 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 82 ........ ..a...0. +[2120] 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 ........ ...KTEST +[2130] 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 .SAMBA.E XAMPLE.C +[2140] 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B OM..0... .....0.. +[2150] 04 68 6F 73 74 1B 0B 6C 6F 63 61 6C 6B 74 65 73 .host..l ocalktes +[2160] 74 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 t6....0. ........ +[2170] 03 02 01 02 A2 82 03 9C 04 82 03 98 58 95 95 EB ........ ....X... +[2180] CB 8F 68 D4 77 43 0F 3B 44 B4 15 DA 40 6D FD E9 ..h.wC.; D...@m.. +[2190] 85 D3 2F CD B5 1E 96 CD F6 E9 67 91 36 08 9E B4 ../..... ..g.6... +[21A0] B3 47 70 7A B3 4E 82 5A 4F 8E 4B F5 8D 04 E4 5C .Gpz.N.Z O.K....\ +[21B0] C4 D8 0C AF 08 25 F9 C1 64 B2 3A 35 26 E9 B2 72 .....%.. d.:5&..r +[21C0] 66 B5 E9 81 FC BE 12 1B CC 8A A5 82 31 F6 7F C3 f....... ....1... +[21D0] 5A 19 A3 31 F2 99 14 1E 64 E4 41 E8 C7 C3 F3 DF Z..1.... d.A..... +[21E0] F5 65 7D B0 9F DC 5D 25 1D 1A A8 EA AA 88 6D F4 .e}...]% ......m. +[21F0] 7C 25 9F 53 F6 A6 8F B1 24 AF 98 FE 53 7B 35 3C |%.S.... $...S{5< +[2200] DB EC 7F 09 74 E9 C4 8D 20 B4 47 08 0E 32 B8 C9 ....t... .G..2.. +[2210] 45 27 12 F9 8E F5 D6 C2 DD 1A 96 0E 68 5F 39 65 E'...... ....h_9e +[2220] 72 C7 BD 8E 04 0E 13 E1 03 27 AC 50 80 76 E6 7A r....... .'.P.v.z +[2230] 8E F4 C2 72 4F 68 B3 34 00 A9 54 41 DA FD 96 94 ...rOh.4 ..TA.... +[2240] 29 A1 59 15 2F DB 6C 94 85 49 C5 D0 6D 48 B0 C4 ).Y./.l. .I..mH.. +[2250] 65 D0 95 1D DB 3D 25 D0 75 50 D4 CF FA 2F 71 57 e....=%. uP.../qW +[2260] BD 6C 1C 59 E1 C3 5B C7 24 95 FF B0 20 EF 6A DB .l.Y..[. $... .j. +[2270] 79 87 67 91 94 E9 16 E2 BB 74 7A 08 E1 6A 36 5F y.g..... .tz..j6_ +[2280] DF 11 AB 35 9B 3E 32 48 83 89 41 4E 06 BF F9 BB ...5.>2H ..AN.... +[2290] EC E4 D7 6D 77 C4 55 22 DF F7 91 4D CB C5 01 A5 ...mw.U" ...M.... +[22A0] BA 2D 1E 92 76 04 E8 02 2F 5E AF 1C B3 B7 A6 FB .-..v... /^...... +[22B0] 3A 9F D9 7C 6D DA B4 8F 31 00 A5 30 F2 76 72 9B :..|m... 1..0.vr. +[22C0] 62 97 E0 56 E5 E4 C7 6B 8B FC 84 75 57 66 6E D7 b..V...k ...uWfn. +[22D0] B7 41 6F 61 F4 5B 0F 87 68 F6 54 02 26 1B 1F B7 .Aoa.[.. h.T.&... +[22E0] 60 D6 E7 FA 4F C7 DB 35 58 EC 13 21 D4 C6 A1 27 `...O..5 X..!...' +[22F0] BA E7 82 DF 29 FB 9D 5D E8 35 28 C9 9C 4E D7 BE ....)..] .5(..N.. +[2300] 2F 6D F1 E8 0B 5A 74 C9 93 9F AD 42 24 4B B7 3B /m...Zt. ...B$K.; +[2310] 38 2A 11 CF F0 BD 85 40 48 D8 9D E7 6B 65 70 42 8*.....@ H...kepB +[2320] 60 DA 9B 65 CB C8 C5 D7 40 3A 12 DC 64 AF 82 54 `..e.... @:..d..T +[2330] 34 05 38 4F C6 FB 38 E2 73 A9 89 B7 FC 33 15 85 4.8O..8. s....3.. +[2340] 9E CA E9 E0 89 18 18 84 02 65 B4 74 5B D4 A1 6F ........ .e.t[..o +[2350] 5F 79 20 CB D7 36 C8 6D 5B 1E 5E 0C 82 16 9F CC _y ..6.m [.^..... +[2360] 5A 1E 57 C1 B6 94 51 87 A1 3D 12 D4 8B FE 0F 93 Z.W...Q. .=...... +[2370] ED 53 A3 F4 88 3C 35 05 89 FE AF 0B 36 62 E3 2F .S...<5. ....6b./ +[2380] 5C 4A 0E 07 67 39 A3 8E C0 45 07 7F 73 32 BC DE \J..g9.. .E..s2.. +[2390] 2D 00 8B 47 79 3D 1C A1 90 AE B6 8F 83 B2 1B 31 -..Gy=.. .......1 +[23A0] EE E4 F2 C5 C1 4A E2 4A 2F 28 F0 AA 19 43 6A 14 .....J.J /(...Cj. +[23B0] B1 42 61 90 34 2E EE 3D 16 9F 5D 9F 7A A2 01 7A .Ba.4..= ..].z..z +[23C0] 4B 96 FA 4D C9 85 1A 75 27 B7 6B FD 4D 7D 9C 65 K..M...u '.k.M}.e +[23D0] 97 DB 05 CC 76 68 EA 05 5D 5D BB BD 51 4B 5B F2 ....vh.. ]]..QK[. +[23E0] 48 59 BD 1E AD 56 D4 69 A5 75 CD ED EC B1 3E AB HY...V.i .u....>. +[23F0] FA B7 F8 8D 4F BE 95 63 38 1C 4C 70 26 C4 3A 21 ....O..c 8.Lp&.:! +[2400] 80 61 05 3A D4 E2 28 2C 85 01 5A DA FC 10 60 F3 .a.:..(, ..Z...`. +[2410] 74 0C FD DB 2F 5B 25 4B 14 E4 7D 8A DB 85 12 D2 t.../[%K ..}..... +[2420] D7 69 CD B5 B1 93 CE E5 E6 4D 57 D3 C2 D3 2E A0 .i...... .MW..... +[2430] 08 37 09 CD 19 99 09 FA 33 68 4A E0 92 46 21 0C .7...... 3hJ..F!. +[2440] 99 9F DA 05 15 20 8B 3D 7C 7B CA D6 81 AC AA 83 ..... .= |{...... +[2450] 48 C8 24 4C C8 FC A5 14 2C BC 49 1A 1C 49 61 1D H.$L.... ,.I..Ia. +[2460] 24 86 42 B1 37 6A C8 3A AC 18 CC C0 50 84 12 48 $.B.7j.: ....P..H +[2470] 8B 29 0A 49 26 A4 E2 B9 E5 96 E7 37 C3 DE 4C 23 .).I&... ...7..L# +[2480] D2 D4 62 14 8F 1E 72 39 CF 03 BC A3 00 C7 63 51 ..b...r9 ......cQ +[2490] A9 6B E4 3E B2 65 A1 A2 BB EC 06 41 85 50 22 02 .k.>.e.. ...A.P". +[24A0] 46 2F 72 2B 32 1A A4 2D 85 94 02 47 69 8D AD 6D F/r+2..- ...Gi..m +[24B0] 66 AB D4 E4 29 C8 C7 DA F4 18 31 2A DF 50 6A 05 f...)... ..1*.Pj. +[24C0] D6 47 26 C4 F9 87 0F 35 24 6E 72 D6 23 7D 3A 94 .G&....5 $nr.#}:. +[24D0] 14 8D E8 57 AA BA D7 CF A9 2D E7 4C 10 7C D8 0D ...W.... .-.L.|.. +[24E0] 51 30 1F E1 FB E5 E2 6C EE AA 65 2F D8 22 05 67 Q0.....l ..e/.".g +[24F0] 87 4D 4D D2 11 3D B4 1E AA 20 3F 76 E3 94 93 6D .MM..=.. . ?v...m +[2500] AC 10 05 AF 09 BD 67 86 C5 83 93 D6 1C D3 81 D9 ......g. ........ +[2510] B1 3B E1 76 00 00 00 00 00 00 00 01 00 00 00 01 .;.v.... ........ +[2520] 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E ....KTES T.SAMBA. +[2530] 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 EXAMPLE. COM....a +[2540] 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 dministr ator.... +[2550] 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA +[2560] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 MBA.EXAM PLE.COM. +[2570] 00 00 04 68 6F 73 74 00 00 00 0B 4C 4F 43 41 4C ...host. ...LOCAL +[2580] 4B 54 45 53 54 36 00 17 00 00 00 10 55 6E 3E FC KTEST6.. ....Un>. +[2590] E2 F4 40 51 19 E6 6E EB 23 4C 48 8E 4D 99 4F 6A ..@Q..n. #LH.M.Oj +[25A0] 4D 99 90 FC 7D 44 0B 68 00 00 00 00 00 40 28 00 M...}D.h .....@(. +[25B0] 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 ........ .....a.. +[25C0] F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 .0...... ......KT +[25D0] 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C EST.SAMB A.EXAMPL +[25E0] 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 E.COM..0 ........ +[25F0] 30 13 1B 04 68 6F 73 74 1B 0B 4C 4F 43 41 4C 4B 0...host ..LOCALK +[2600] 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 02 TEST6... .0...... +[2610] 01 17 A1 03 02 01 02 A2 82 03 9C 04 82 03 98 6E ........ .......n +[2620] 87 B7 7B 3A 7E EF 4A 1B 29 C9 E3 C4 1F 42 4F 0E ..{:~.J. )....BO. +[2630] C8 AC AC 4E A2 77 1D DA 93 37 F1 AF DA A3 75 2D ...N.w.. .7....u- +[2640] 12 8B 40 34 23 0E 8E A9 90 58 46 42 42 39 31 D6 ..@4#... .XFBB91. +[2650] 03 9E 5D 81 D9 E8 F6 08 2B D9 96 88 8A 2F F1 CC ..]..... +..../.. +[2660] F2 EA 9E 9A 4B 31 B6 04 2D 3D 4C 7F 92 DE 3B 04 ....K1.. -=L...;. +[2670] 19 EE 28 D0 83 81 C3 46 CD 74 23 4C 14 34 DE 62 ..(....F .t#L.4.b +[2680] 0A AC E5 12 16 75 E9 A8 4B 32 78 CC 8D AE A2 E5 .....u.. K2x..... +[2690] 6D E8 09 70 76 52 F5 E5 18 F7 E7 91 15 6A 69 AB m..pvR.. .....ji. +[26A0] B8 62 DD 80 F5 28 6D DF ED 10 DA AC FB 92 27 CF .b...(m. ......'. +[26B0] 98 B5 77 9D A5 96 E6 9A CC B9 C3 91 78 22 35 9C ..w..... ....x"5. +[26C0] A1 13 A3 20 28 D1 16 E5 3E 4A 85 1E 12 0B CA 4D ... (... >J.....M +[26D0] C6 C8 03 C8 28 2C D8 29 5D 9A 76 4A 92 13 43 56 ....(,.) ].vJ..CV +[26E0] AF F7 C1 71 25 72 5C 38 75 1C 07 F1 5E 86 05 72 ...q%r\8 u...^..r +[26F0] 6F 69 95 42 B6 F2 DA A9 91 06 9F B9 54 20 33 A5 oi.B.... ....T 3. +[2700] 31 60 3B 54 DC 3A 95 34 96 26 07 52 6B 0E 1D 3B 1`;T.:.4 .&.Rk..; +[2710] D9 F8 48 20 AC CD 05 3B 99 F8 EE DB 83 28 CD C7 ..H ...; .....(.. +[2720] 2F 45 00 7E 2F 0A 65 7A D1 9E 95 4B EE C3 34 93 /E.~/.ez ...K..4. +[2730] A8 C7 DF 03 8B 14 D0 FC CE 56 90 AC EE 93 C5 D3 ........ .V...... +[2740] F7 12 24 69 0B 20 8D A2 65 87 55 26 2A F9 9A 88 ..$i. .. e.U&*... +[2750] D7 0D 86 61 D6 92 B6 FE E5 D1 66 F9 1F 9D F4 04 ...a.... ..f..... +[2760] 48 A6 39 BC 54 20 EA 10 21 E9 6D 30 46 1D C2 1C H.9.T .. !.m0F... +[2770] A4 E8 B4 63 85 37 27 25 80 52 41 60 C7 A1 32 21 ...c.7'% .RA`..2! +[2780] 43 90 02 E6 5F 5A E9 4E AF F9 B5 13 BD 42 BD A3 C..._Z.N .....B.. +[2790] A5 4D 10 45 83 4D 92 18 1F C9 CF FB 84 29 89 23 .M.E.M.. .....).# +[27A0] AC 71 4B 89 1B 52 E5 06 8C 3E 7C 88 CB D3 B3 CF .qK..R.. .>|..... +[27B0] B9 7A 67 D6 24 F4 AC 00 A6 AD 91 30 9A 95 53 F1 .zg.$... ...0..S. +[27C0] 48 06 A6 39 DB CF DC 9D C9 55 76 26 5E C1 DB 5D H..9.... .Uv&^..] +[27D0] B3 5B 3E AE 1A A0 10 BA 82 21 83 44 02 E0 99 33 .[>..... .!.D...3 +[27E0] 40 BA 29 9E 28 E5 73 4C 23 94 A2 4F BF 07 ED 4F @.).(.sL #..O...O +[27F0] 7C 45 9B 30 C8 41 6B 0A 55 13 6E F5 AD 7A 0C B2 |E.0.Ak. U.n..z.. +[2800] EA FF D0 06 13 4D F3 24 82 7F F6 51 2F 4A 4F 0D .....M.$ ...Q/JO. +[2810] 37 F8 14 6B E9 E4 82 BB 3A 75 63 63 12 E8 78 6F 7..k.... :ucc..xo +[2820] 6F FC 6C D3 4B A6 F1 CC 2A F1 7D EB 82 26 2F D0 o.l.K... *.}..&/. +[2830] A1 8B 3E 9A 71 D7 91 D3 08 E6 FD 62 1B 84 13 2D ..>.q... ...b...- +[2840] 8E A0 A0 C3 85 78 2F 0D F8 E7 10 FC CB 05 A7 B9 .....x/. ........ +[2850] 9A 33 90 B5 9B 26 E3 23 98 B0 91 4B EB 32 37 D6 .3...&.# ...K.27. +[2860] F4 ED 61 08 D8 75 CC 03 83 2C 3C CF 21 63 9C F6 ..a..u.. .,<.!c.. +[2870] AF 5B 4F 12 07 74 17 CD 98 BB E7 5E C7 17 2D C4 .[O..t.. ...^..-. +[2880] 87 A4 74 6D 5E CE DB A3 01 B9 AD 20 73 38 78 22 ..tm^... ... s8x" +[2890] 3D 45 F5 51 77 C6 47 63 45 61 81 D9 FF 31 90 C4 =E.Qw.Gc Ea...1.. +[28A0] 6F 5A F8 FE 6A 56 5B D4 EE EC 49 C7 A7 51 AE 5C oZ..jV[. ..I..Q.\ +[28B0] 85 53 70 3D 1A 49 83 59 CF 65 58 B3 48 7E 04 9E .Sp=.I.Y .eX.H~.. +[28C0] C7 64 8A 05 73 E3 DC 1A 65 5D 4F 41 01 56 73 90 .d..s... e]OA.Vs. +[28D0] 61 F3 84 1F FF CF 46 B2 06 46 56 97 93 B9 DB 32 a.....F. .FV....2 +[28E0] 2A 64 8A 48 02 05 84 E9 FA 76 8B 94 96 89 A0 73 *d.H.... .v.....s +[28F0] 20 75 4D 52 1D 23 13 D1 83 D7 5D 59 23 6A 87 C1 uMR.#.. ..]Y#j.. +[2900] 09 3E 01 3A 28 65 42 8C 35 F1 91 EA 6A 1F 83 0D .>.:(eB. 5...j... +[2910] 8F 57 69 81 D4 A2 D2 EA 0C BF AF 95 A3 F4 90 15 .Wi..... ........ +[2920] 61 34 F2 6C 8B D0 DA B5 1E 43 AC CE C7 8A 1B 2B a4.l.... .C.....+ +[2930] 29 2B 89 1C C5 53 C8 04 F7 1E 46 72 F3 A8 CE F7 )+...S.. ..Fr.... +[2940] 59 76 55 E7 53 1C A2 9F D8 23 F7 EA 71 B0 74 83 YvU.S... .#..q.t. +[2950] 71 95 3E DC A6 FA 2D A4 42 13 93 8B 2B FA A2 70 q.>...-. B...+..p +[2960] 25 21 2D F6 E1 26 56 DF 58 79 25 16 E8 C9 03 EC %!-..&V. Xy%..... +[2970] 72 5F 35 CF 59 6B E1 AD 85 85 7B AB 78 F2 0D AC r_5.Yk.. ..{.x... +[2980] AB 89 F2 DA 85 E7 DE 09 77 99 EC 7C F3 97 1F 71 ........ w..|...q +[2990] 3C DB 09 44 7A 3C 69 E5 03 B0 6D 4D 3B 6B 4C D5 <..Dz....... +[0150] 1A 69 EE 8C 4E A4 D8 55 A5 0B 23 0F D0 89 48 C4 .i..N..U ..#...H. +[0160] 51 FE 32 FD CC F6 71 E1 95 2D CC 1D 0A 0C 8A A2 Q.2...q. .-...... +[0170] 69 58 3B 65 88 53 EC D0 2E E1 C6 CC 6B BC 09 E5 iX;e.S.. ....k... +[0180] B9 15 27 8B E4 B2 24 18 61 42 BB 8B 09 1B 8A 7B ..'...$. aB.....{ +[0190] 13 D8 51 E1 0B 79 12 48 DE A9 54 04 00 6D DD E6 ..Q..y.H ..T..m.. +[01A0] 5E 03 91 FF C7 6D 0B 7C 91 44 E1 0F C0 7E 32 34 ^....m.| .D...~24 +[01B0] 82 86 94 F7 CD 53 EC 52 38 18 AA ED FF FC 5C 01 .....S.R 8.....\. +[01C0] D2 EE 99 45 8E 5B E6 B3 46 B0 F6 3B 22 29 EC 11 ...E.[.. F..;").. +[01D0] 30 6A F6 A1 1F 9E AE 71 E3 A6 E7 3F F3 7D 2B 75 0j.....q ...?.}+u +[01E0] 70 4D 63 47 5C 18 2C 8B B1 1A 69 B6 C5 46 01 17 pMcG\.,. ..i..F.. +[01F0] 8E 64 3D 47 88 20 1C AA D7 60 32 28 11 60 EA 28 .d=G. .. .`2(.`.( +[0200] 66 99 4C B1 2A 28 96 BF 18 2A 3E F4 D6 84 E5 A0 f.L.*(.. .*>..... +[0210] F4 4E E7 F9 54 95 22 96 2A 87 01 CC 3E A7 FF 42 .N..T.". *...>..B +[0220] 6A A4 4A 3A B9 24 10 65 99 53 58 2A 4E 72 E7 1F j.J:.$.e .SX*Nr.. +[0230] 82 BC BD 3C 6C 9D 33 3A CE C6 6E 72 A2 81 B3 84 ........ +[0280] AB F0 D0 93 08 42 E5 37 19 24 4E C1 AF FC 92 A9 .....B.7 .$N..... +[0290] B1 27 B1 9A 2A 62 34 F1 DC C0 6B 83 AE C3 74 E8 .'..*b4. ..k...t. +[02A0] A3 05 DD 82 DD A3 D7 90 A8 E3 9C EB 64 16 23 06 ........ ....d.#. +[02B0] 5D FB E4 35 7C 22 29 78 E3 3B 75 92 91 0C 9D A1 ]..5|")x .;u..... +[02C0] 87 7C 2E 82 AE 49 9D 4A 50 A9 C2 D5 85 B0 16 5D .|...I.J P......] +[02D0] A2 CD B0 DD 29 3F 6F 66 C9 C1 9F 5C F0 B6 FC D2 ....)?of ...\.... +[02E0] 52 BE 7B F0 1F 26 AF 8A FC C3 A6 24 8C C0 10 06 R.{..&.. ...$.... +[02F0] 73 1E 17 9E 6E 6F 32 44 6A DF 82 5D D0 6B 74 CE s...no2D j..].kt. +[0300] 58 0B 4C 7B EB A1 13 44 B1 3E D8 F8 BA F4 4E 55 X.L{...D .>....NU +[0310] 71 3D C1 09 D9 E7 97 9A 14 5C 54 7E 57 81 5F 6B q=...... .\T~W._k +[0320] 30 BE 9A E1 98 29 47 D4 C0 8F 63 0A F8 27 1F CE 0....)G. ..c..'.. +[0330] ED D9 BB 7B 12 24 D0 34 2A 7C F0 F7 77 F4 F1 1D ...{.$.4 *|..w... +[0340] 4C 5D 75 2D 6B 0D 80 35 82 CC D8 7A 6B FA A0 55 L]u-k..5 ...zk..U +[0350] 34 CD 87 15 61 38 78 D4 69 0F AA 72 D6 AC FA 99 4...a8x. i..r.... +[0360] BC 70 39 27 A7 25 2E 1B 6F 36 01 FD E9 B4 9A 79 .p9'.%.. o6.....y +[0370] 6C 19 DD A6 8C 78 B0 40 92 60 58 F0 28 AD 08 78 l....x.@ .`X.(..x +[0380] 4A 29 06 2C 82 2B 1A E3 91 0B 5F EE D6 B8 66 47 J).,.+.. .._...fG +[0390] 31 9B A3 DF 9F 79 D7 BB 0E 2C FA 0E C9 66 84 8D 1....y.. .,...f.. +[03A0] FF BA BB 21 27 9E AD 86 84 55 8D 4C 4C 47 D9 5F ...!'... .U.LLG._ +[03B0] B2 7D 26 CA B7 49 3C 9D 1B 67 71 11 3A 8A EB EA .}&..I<. .gq.:... +[03C0] 0F 15 EB F0 1E 46 F7 A4 34 04 D7 E3 50 67 47 D3 .....F.. 4...PgG. +[03D0] 66 21 17 77 51 A7 1F 1D 84 3B 7C B1 5D 4E B8 D4 f!.wQ... .;|.]N.. +[03E0] F9 C5 75 06 AA 19 45 1C E9 06 9E AD 23 26 6B 10 ..u...E. ....#&k. +[03F0] 53 A0 36 D3 58 9F 5E 8C CB A5 F6 BC C9 30 3C BC S.6.X.^. .....0<. +[0400] AD FF 7C 92 F0 C6 9A 02 ..|..... + second_ticket : DATA_BLOB length=0 + further_creds : DATA_BLOB length=10683 +[0000] 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 ........ ....KTES +[0010] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0020] 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 COM....a dministr +[0030] 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 ator.... ........ +[0040] 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D KTEST.SA MBA.EXAM +[0050] 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 73 00 PLE.COM. ...cifs. +[0060] 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 00 17 ...local ktest6.. +[0070] 00 00 00 10 00 6E A1 B2 31 6D 48 C7 90 72 3A 0C .....n.. 1mH..r:. +[0080] 4B 8B 83 8C 4D 99 4F 6A 4D 99 50 85 7D 44 0B 68 K...M.Oj M.P.}D.h +[0090] 00 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 .....@(. ........ +[00A0] 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 .....a.. .0...... +[00B0] 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[00C0] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 A.EXAMPL E.COM..0 +[00D0] 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 69 66 73 ........ 0...cifs +[00E0] 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 A3 82 03 ..localk test6... +[00F0] AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 02 A2 .0...... ........ +[0100] 82 03 9C 04 82 03 98 C6 BB 64 A8 31 00 FC 5E 51 ........ .d.1..^Q +[0110] 3C 87 F8 34 47 3B D0 6F 6F FD 9E A6 91 12 74 2D <..4G;.o o.....t- +[0120] 44 BB AA 91 A0 2D 46 3E 9E FB FB C4 FB F1 15 FD D....-F> ........ +[0130] BB DA EE 06 A9 20 6A 38 DC 46 06 27 D9 A2 9D 2D ..... j8 .F.'...- +[0140] 1F FD 0D 7D 8A BB 0A 7C E8 47 17 BC 7B 70 E4 51 ...}...| .G..{p.Q +[0150] 6A BA 51 68 62 28 4A 1E 51 D1 0D CD 02 55 75 44 j.Qhb(J. Q....UuD +[0160] 8A B9 C2 84 F4 17 34 92 9B 31 85 9E 43 C1 0C 3A ......4. .1..C..: +[0170] B2 69 7F 20 1A 18 1F 65 4F C0 20 C9 B5 AF E1 61 .i. ...e O. ....a +[0180] 8C 90 10 63 26 A6 5D 05 3C CD 29 BB 7B 74 D5 8F ...c&.]. <.).{t.. +[0190] 2C 7F 4B E8 84 24 57 37 8A C6 F7 91 FD 22 9A A5 ,.K..$W7 .....".. +[01A0] 0D E9 4A 78 93 36 FC A8 8C 8A 27 8A C6 28 4B 7B ..Jx.6.. ..'..(K{ +[01B0] DA 11 42 BC 09 10 81 82 14 0F 9C B8 48 26 91 78 ..B..... ....H&.x +[01C0] A8 DD 97 6C 24 A1 D2 E8 85 19 B3 D3 85 4D 38 C7 ...l$... .....M8. +[01D0] 7D 49 55 8E 85 46 E1 EE 7B BA 11 62 63 53 C5 16 }IU..F.. {..bcS.. +[01E0] 4A 0C 1C 99 7C 0E FB 45 1D B4 98 58 67 7E 40 65 J...|..E ...Xg~@e +[01F0] 4B 48 E2 89 9C 8B C2 B8 39 D1 04 C0 A8 56 E8 A1 KH...... 9....V.. +[0200] 04 7A 7A C9 60 18 A0 29 E2 DC 82 4C 8F 18 CE 2F .zz.`..) ...L.../ +[0210] 14 F0 18 5B 6C FF 85 45 88 73 CB A4 55 08 FC BF ...[l..E .s..U... +[0220] C7 9F 51 0A DB 2C C1 E3 3C DD F6 F0 A3 2D F1 3B ..Q..,.. <....-.; +[0230] A0 12 1D FC 2A 67 F5 1A 7F E5 7C 6C FB 8A 18 BD ....*g.. ..|l.... +[0240] D1 5D E5 5E 68 30 AA 58 9E 10 13 E0 26 7E 7D C4 .].^h0.X ....&~}. +[0250] E1 A5 B6 86 0F 1C 0F 13 A4 5E 5E 6A ED 42 79 31 ........ .^^j.By1 +[0260] BB B3 5F 3A 3F DD CB 63 82 FB 06 AE 12 36 C9 1E .._:?..c .....6.. +[0270] 06 7D 41 82 2E D2 FA 26 EC 17 50 5E D0 DE 26 85 .}A....& ..P^..&. +[0280] 30 71 BC 45 3B DA 2E 08 8D B2 2A 3C E0 79 8F 77 0q.E;... ..*<.y.w +[0290] 4C 01 69 7A 09 C7 88 E1 D1 DC FF 78 DB 25 7B B1 L.iz.... ...x.%{. +[02A0] 3C BB 22 27 80 0D 75 96 18 B6 40 95 6D C8 AB 04 <."'..u. ..@.m... +[02B0] 05 41 A1 C4 25 71 C4 53 3A A6 9C B2 4D E6 15 2C .A..%q.S :...M.., +[02C0] B2 47 6C DA A8 7D CC A3 89 8B C9 1E 21 F5 E9 B2 .Gl..}.. ....!... +[02D0] 42 95 68 28 AF C6 37 22 BA 30 8D 53 FA 08 0D CE B.h(..7" .0.S.... +[02E0] CA 81 61 0D 84 A5 2D 75 BD 41 85 4C 88 56 72 C6 ..a...-u .A.L.Vr. +[02F0] B6 10 F8 34 CD B2 F4 5C 94 FA 80 90 82 A0 BD 68 ...4...\ .......h +[0300] EC 08 32 C3 B6 51 1E 3F 67 CB 7B EB 70 83 84 D4 ..2..Q.? g.{.p... +[0310] CB 52 55 36 61 1E 60 90 5B 6F FE 9A 62 05 CF 26 .RU6a.`. [o..b..& +[0320] 8E 65 E2 60 4B ED 63 B4 C4 E6 44 B4 2F B0 B8 07 .e.`K.c. ..D./... +[0330] FE BE 0D 50 E4 56 A4 2E 0D 25 76 0B 0F 44 09 20 ...P.V.. .%v..D. +[0340] 80 E5 C4 94 63 E0 54 46 1D AB 5E 0B 09 93 B1 30 ....c.TF ..^....0 +[0350] 31 7B 04 DC 23 43 3B DB 7D 39 67 FE 9A 1F C1 08 1{..#C;. }9g..... +[0360] AF 34 24 F6 74 E4 14 DA 34 8F 61 57 6A 7F 1D 4A .4$.t... 4.aWj..J +[0370] 88 0A 90 78 93 F1 86 54 DB 22 86 D6 69 0F DF 44 ...x...T ."..i..D +[0380] 7C D3 6B 9D 41 63 50 98 3A 97 B9 7B 4C 53 E3 85 |.k.AcP. :..{LS.. +[0390] 73 9A C9 08 A0 75 12 50 02 87 B0 CF CC 84 84 D9 s....u.P ........ +[03A0] BC FC 94 79 AF 6A A6 08 FF 19 7E E9 22 9B EC 5C ...y.j.. ..~."..\ +[03B0] C1 6B 1D A4 B4 55 32 5E 23 C3 C0 D4 8B 80 E6 67 .k...U2^ #......g +[03C0] B1 59 EB 9D 5D 9B AD C6 0E 7D E2 FE B1 24 8A B1 .Y..]... .}...$.. +[03D0] 37 1E 60 7F 83 35 48 32 F7 03 E8 12 E6 21 7C 3D 7.`..5H2 .....!|= +[03E0] 21 7F 6B 14 31 9C 1A A3 4C 2B 1C 5E EC 34 C1 2D !.k.1... L+.^.4.- +[03F0] DA 19 6C E6 6D 8D 60 D7 55 9E E6 D0 B5 07 06 72 ..l.m.`. U......r +[0400] C0 E9 4E 91 94 6B 3E 0B F1 0A 75 4D E8 CB 53 6B ..N..k>. ..uM..Sk +[0410] 34 A4 2F 96 A5 39 1A 18 6E 27 00 6D 41 B7 D8 F5 4./..9.. n'.mA... +[0420] 9A E5 01 FC 0B A8 97 56 EE 98 04 1D 98 84 5E 82 .......V ......^. +[0430] C8 E8 EC 17 D5 FA 96 00 3B E1 98 1C D8 FA 66 A0 ........ ;.....f. +[0440] DC 32 60 F6 03 46 08 3C E5 16 6F F2 8B 4D 72 9F .2`..F.< ..o..Mr. +[0450] 0F E0 A9 71 6E 7C AE AA FB A3 4D F1 A1 B6 1B 9F ...qn|.. ..M..... +[0460] 62 71 E1 2C 82 9B AE E3 07 9B 79 90 F1 C2 69 E5 bq.,.... ..y...i. +[0470] 7E CB 57 E6 C9 1C 4E A8 C7 12 EA 4F 4C 52 17 03 ~.W...N. ...OLR.. +[0480] AB D4 FD 34 60 F4 7C BE 9E 36 30 37 88 95 61 2E ...4`.|. .607..a. +[0490] CF 70 AF 22 70 DB E8 AA 6E 3D 30 F7 4D 84 D5 00 .p."p... n=0.M... +[04A0] 00 00 00 00 00 00 01 00 00 00 01 00 00 00 17 4B ........ .......K +[04B0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[04C0] 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 LE.COM.. ..admini +[04D0] 73 74 72 61 74 6F 72 00 00 00 01 00 00 00 02 00 strator. ........ +[04E0] 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 ...KTEST .SAMBA.E +[04F0] 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 XAMPLE.C OM....ci +[0500] 66 73 00 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 fs....lo calktest +[0510] 36 00 17 00 00 00 10 00 6E A1 B2 31 6D 48 C7 90 6....... n..1mH.. +[0520] 72 3A 0C 4B 8B 83 8C 4D 99 4F 6A 4D 99 50 85 7D r:.K...M .OjM.P.} +[0530] 44 0B 68 00 00 00 00 00 40 28 00 00 00 00 00 00 D.h..... @(...... +[0540] 00 00 00 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 ........ a...0... +[0550] A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 ........ .KTEST.S +[0560] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM +[0570] A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 ..0..... ...0...c +[0580] 69 66 73 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 ifs..loc alktest6 +[0590] A3 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 03 02 ....0... ........ +[05A0] 01 02 A2 82 03 9C 04 82 03 98 C6 BB 64 A8 31 00 ........ ....d.1. +[05B0] FC 5E 51 3C 87 F8 34 47 3B D0 6F 6F FD 9E A6 91 .^Q<..4G ;.oo.... +[05C0] 12 74 2D 44 BB AA 91 A0 2D 46 3E 9E FB FB C4 FB .t-D.... -F>..... +[05D0] F1 15 FD BB DA EE 06 A9 20 6A 38 DC 46 06 27 D9 ........ j8.F.'. +[05E0] A2 9D 2D 1F FD 0D 7D 8A BB 0A 7C E8 47 17 BC 7B ..-...}. ..|.G..{ +[05F0] 70 E4 51 6A BA 51 68 62 28 4A 1E 51 D1 0D CD 02 p.Qj.Qhb (J.Q.... +[0600] 55 75 44 8A B9 C2 84 F4 17 34 92 9B 31 85 9E 43 UuD..... .4..1..C +[0610] C1 0C 3A B2 69 7F 20 1A 18 1F 65 4F C0 20 C9 B5 ..:.i. . ..eO. .. +[0620] AF E1 61 8C 90 10 63 26 A6 5D 05 3C CD 29 BB 7B ..a...c& .].<.).{ +[0630] 74 D5 8F 2C 7F 4B E8 84 24 57 37 8A C6 F7 91 FD t..,.K.. $W7..... +[0640] 22 9A A5 0D E9 4A 78 93 36 FC A8 8C 8A 27 8A C6 "....Jx. 6....'.. +[0650] 28 4B 7B DA 11 42 BC 09 10 81 82 14 0F 9C B8 48 (K{..B.. .......H +[0660] 26 91 78 A8 DD 97 6C 24 A1 D2 E8 85 19 B3 D3 85 &.x...l$ ........ +[0670] 4D 38 C7 7D 49 55 8E 85 46 E1 EE 7B BA 11 62 63 M8.}IU.. F..{..bc +[0680] 53 C5 16 4A 0C 1C 99 7C 0E FB 45 1D B4 98 58 67 S..J...| ..E...Xg +[0690] 7E 40 65 4B 48 E2 89 9C 8B C2 B8 39 D1 04 C0 A8 ~@eKH... ...9.... +[06A0] 56 E8 A1 04 7A 7A C9 60 18 A0 29 E2 DC 82 4C 8F V...zz.` ..)...L. +[06B0] 18 CE 2F 14 F0 18 5B 6C FF 85 45 88 73 CB A4 55 ../...[l ..E.s..U +[06C0] 08 FC BF C7 9F 51 0A DB 2C C1 E3 3C DD F6 F0 A3 .....Q.. ,..<.... +[06D0] 2D F1 3B A0 12 1D FC 2A 67 F5 1A 7F E5 7C 6C FB -.;....* g....|l. +[06E0] 8A 18 BD D1 5D E5 5E 68 30 AA 58 9E 10 13 E0 26 ....].^h 0.X....& +[06F0] 7E 7D C4 E1 A5 B6 86 0F 1C 0F 13 A4 5E 5E 6A ED ~}...... ....^^j. +[0700] 42 79 31 BB B3 5F 3A 3F DD CB 63 82 FB 06 AE 12 By1.._:? ..c..... +[0710] 36 C9 1E 06 7D 41 82 2E D2 FA 26 EC 17 50 5E D0 6...}A.. ..&..P^. +[0720] DE 26 85 30 71 BC 45 3B DA 2E 08 8D B2 2A 3C E0 .&.0q.E; .....*<. +[0730] 79 8F 77 4C 01 69 7A 09 C7 88 E1 D1 DC FF 78 DB y.wL.iz. ......x. +[0740] 25 7B B1 3C BB 22 27 80 0D 75 96 18 B6 40 95 6D %{.<."'. .u...@.m +[0750] C8 AB 04 05 41 A1 C4 25 71 C4 53 3A A6 9C B2 4D ....A..% q.S:...M +[0760] E6 15 2C B2 47 6C DA A8 7D CC A3 89 8B C9 1E 21 ..,.Gl.. }......! +[0770] F5 E9 B2 42 95 68 28 AF C6 37 22 BA 30 8D 53 FA ...B.h(. .7".0.S. +[0780] 08 0D CE CA 81 61 0D 84 A5 2D 75 BD 41 85 4C 88 .....a.. .-u.A.L. +[0790] 56 72 C6 B6 10 F8 34 CD B2 F4 5C 94 FA 80 90 82 Vr....4. ..\..... +[07A0] A0 BD 68 EC 08 32 C3 B6 51 1E 3F 67 CB 7B EB 70 ..h..2.. Q.?g.{.p +[07B0] 83 84 D4 CB 52 55 36 61 1E 60 90 5B 6F FE 9A 62 ....RU6a .`.[o..b +[07C0] 05 CF 26 8E 65 E2 60 4B ED 63 B4 C4 E6 44 B4 2F ..&.e.`K .c...D./ +[07D0] B0 B8 07 FE BE 0D 50 E4 56 A4 2E 0D 25 76 0B 0F ......P. V...%v.. +[07E0] 44 09 20 80 E5 C4 94 63 E0 54 46 1D AB 5E 0B 09 D. ....c .TF..^.. +[07F0] 93 B1 30 31 7B 04 DC 23 43 3B DB 7D 39 67 FE 9A ..01{..# C;.}9g.. +[0800] 1F C1 08 AF 34 24 F6 74 E4 14 DA 34 8F 61 57 6A ....4$.t ...4.aWj +[0810] 7F 1D 4A 88 0A 90 78 93 F1 86 54 DB 22 86 D6 69 ..J...x. ..T."..i +[0820] 0F DF 44 7C D3 6B 9D 41 63 50 98 3A 97 B9 7B 4C ..D|.k.A cP.:..{L +[0830] 53 E3 85 73 9A C9 08 A0 75 12 50 02 87 B0 CF CC S..s.... u.P..... +[0840] 84 84 D9 BC FC 94 79 AF 6A A6 08 FF 19 7E E9 22 ......y. j....~." +[0850] 9B EC 5C C1 6B 1D A4 B4 55 32 5E 23 C3 C0 D4 8B ..\.k... U2^#.... +[0860] 80 E6 67 B1 59 EB 9D 5D 9B AD C6 0E 7D E2 FE B1 ..g.Y..] ....}... +[0870] 24 8A B1 37 1E 60 7F 83 35 48 32 F7 03 E8 12 E6 $..7.`.. 5H2..... +[0880] 21 7C 3D 21 7F 6B 14 31 9C 1A A3 4C 2B 1C 5E EC !|=!.k.1 ...L+.^. +[0890] 34 C1 2D DA 19 6C E6 6D 8D 60 D7 55 9E E6 D0 B5 4.-..l.m .`.U.... +[08A0] 07 06 72 C0 E9 4E 91 94 6B 3E 0B F1 0A 75 4D E8 ..r..N.. k>...uM. +[08B0] CB 53 6B 34 A4 2F 96 A5 39 1A 18 6E 27 00 6D 41 .Sk4./.. 9..n'.mA +[08C0] B7 D8 F5 9A E5 01 FC 0B A8 97 56 EE 98 04 1D 98 ........ ..V..... +[08D0] 84 5E 82 C8 E8 EC 17 D5 FA 96 00 3B E1 98 1C D8 .^...... ...;.... +[08E0] FA 66 A0 DC 32 60 F6 03 46 08 3C E5 16 6F F2 8B .f..2`.. F.<..o.. +[08F0] 4D 72 9F 0F E0 A9 71 6E 7C AE AA FB A3 4D F1 A1 Mr....qn |....M.. +[0900] B6 1B 9F 62 71 E1 2C 82 9B AE E3 07 9B 79 90 F1 ...bq.,. .....y.. +[0910] C2 69 E5 7E CB 57 E6 C9 1C 4E A8 C7 12 EA 4F 4C .i.~.W.. .N....OL +[0920] 52 17 03 AB D4 FD 34 60 F4 7C BE 9E 36 30 37 88 R.....4` .|..607. +[0930] 95 61 2E CF 70 AF 22 70 DB E8 AA 6E 3D 30 F7 4D .a..p."p ...n=0.M +[0940] 84 D5 00 00 00 00 00 00 00 01 00 00 00 01 00 00 ........ ........ +[0950] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[0960] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D AMPLE.CO M....adm +[0970] 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 inistrat or...... +[0980] 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[0990] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 A.EXAMPL E.COM... +[09A0] 04 63 69 66 73 00 00 00 0B 6C 6F 63 61 6C 6B 74 .cifs... .localkt +[09B0] 65 73 74 36 00 17 00 00 00 10 00 6E A1 B2 31 6D est6.... ...n..1m +[09C0] 48 C7 90 72 3A 0C 4B 8B 83 8C 4D 99 4F 6A 4D 99 H..r:.K. ..M.OjM. +[09D0] 50 85 7D 44 0B 68 00 00 00 00 00 40 28 00 00 00 P.}D.h.. ...@(... +[09E0] 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 ........ ...a...0 +[09F0] 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 ........ ....KTES +[0A00] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0A10] 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 COM..0.. ......0. +[0A20] 1B 04 63 69 66 73 1B 0B 6C 6F 63 61 6C 6B 74 65 ..cifs.. localkte +[0A30] 73 74 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 st6....0 ........ +[0A40] A1 03 02 01 02 A2 82 03 9C 04 82 03 98 C6 BB 64 ........ .......d +[0A50] A8 31 00 FC 5E 51 3C 87 F8 34 47 3B D0 6F 6F FD .1..^Q<. .4G;.oo. +[0A60] 9E A6 91 12 74 2D 44 BB AA 91 A0 2D 46 3E 9E FB ....t-D. ...-F>.. +[0A70] FB C4 FB F1 15 FD BB DA EE 06 A9 20 6A 38 DC 46 ........ ... j8.F +[0A80] 06 27 D9 A2 9D 2D 1F FD 0D 7D 8A BB 0A 7C E8 47 .'...-.. .}...|.G +[0A90] 17 BC 7B 70 E4 51 6A BA 51 68 62 28 4A 1E 51 D1 ..{p.Qj. Qhb(J.Q. +[0AA0] 0D CD 02 55 75 44 8A B9 C2 84 F4 17 34 92 9B 31 ...UuD.. ....4..1 +[0AB0] 85 9E 43 C1 0C 3A B2 69 7F 20 1A 18 1F 65 4F C0 ..C..:.i . ...eO. +[0AC0] 20 C9 B5 AF E1 61 8C 90 10 63 26 A6 5D 05 3C CD ....a.. .c&.].<. +[0AD0] 29 BB 7B 74 D5 8F 2C 7F 4B E8 84 24 57 37 8A C6 ).{t..,. K..$W7.. +[0AE0] F7 91 FD 22 9A A5 0D E9 4A 78 93 36 FC A8 8C 8A ...".... Jx.6.... +[0AF0] 27 8A C6 28 4B 7B DA 11 42 BC 09 10 81 82 14 0F '..(K{.. B....... +[0B00] 9C B8 48 26 91 78 A8 DD 97 6C 24 A1 D2 E8 85 19 ..H&.x.. .l$..... +[0B10] B3 D3 85 4D 38 C7 7D 49 55 8E 85 46 E1 EE 7B BA ...M8.}I U..F..{. +[0B20] 11 62 63 53 C5 16 4A 0C 1C 99 7C 0E FB 45 1D B4 .bcS..J. ..|..E.. +[0B30] 98 58 67 7E 40 65 4B 48 E2 89 9C 8B C2 B8 39 D1 .Xg~@eKH ......9. +[0B40] 04 C0 A8 56 E8 A1 04 7A 7A C9 60 18 A0 29 E2 DC ...V...z z.`..).. +[0B50] 82 4C 8F 18 CE 2F 14 F0 18 5B 6C FF 85 45 88 73 .L.../.. .[l..E.s +[0B60] CB A4 55 08 FC BF C7 9F 51 0A DB 2C C1 E3 3C DD ..U..... Q..,..<. +[0B70] F6 F0 A3 2D F1 3B A0 12 1D FC 2A 67 F5 1A 7F E5 ...-.;.. ..*g.... +[0B80] 7C 6C FB 8A 18 BD D1 5D E5 5E 68 30 AA 58 9E 10 |l.....] .^h0.X.. +[0B90] 13 E0 26 7E 7D C4 E1 A5 B6 86 0F 1C 0F 13 A4 5E ..&~}... .......^ +[0BA0] 5E 6A ED 42 79 31 BB B3 5F 3A 3F DD CB 63 82 FB ^j.By1.. _:?..c.. +[0BB0] 06 AE 12 36 C9 1E 06 7D 41 82 2E D2 FA 26 EC 17 ...6...} A....&.. +[0BC0] 50 5E D0 DE 26 85 30 71 BC 45 3B DA 2E 08 8D B2 P^..&.0q .E;..... +[0BD0] 2A 3C E0 79 8F 77 4C 01 69 7A 09 C7 88 E1 D1 DC *<.y.wL. iz...... +[0BE0] FF 78 DB 25 7B B1 3C BB 22 27 80 0D 75 96 18 B6 .x.%{.<. "'..u... +[0BF0] 40 95 6D C8 AB 04 05 41 A1 C4 25 71 C4 53 3A A6 @.m....A ..%q.S:. +[0C00] 9C B2 4D E6 15 2C B2 47 6C DA A8 7D CC A3 89 8B ..M..,.G l..}.... +[0C10] C9 1E 21 F5 E9 B2 42 95 68 28 AF C6 37 22 BA 30 ..!...B. h(..7".0 +[0C20] 8D 53 FA 08 0D CE CA 81 61 0D 84 A5 2D 75 BD 41 .S...... a...-u.A +[0C30] 85 4C 88 56 72 C6 B6 10 F8 34 CD B2 F4 5C 94 FA .L.Vr... .4...\.. +[0C40] 80 90 82 A0 BD 68 EC 08 32 C3 B6 51 1E 3F 67 CB .....h.. 2..Q.?g. +[0C50] 7B EB 70 83 84 D4 CB 52 55 36 61 1E 60 90 5B 6F {.p....R U6a.`.[o +[0C60] FE 9A 62 05 CF 26 8E 65 E2 60 4B ED 63 B4 C4 E6 ..b..&.e .`K.c... +[0C70] 44 B4 2F B0 B8 07 FE BE 0D 50 E4 56 A4 2E 0D 25 D./..... .P.V...% +[0C80] 76 0B 0F 44 09 20 80 E5 C4 94 63 E0 54 46 1D AB v..D. .. ..c.TF.. +[0C90] 5E 0B 09 93 B1 30 31 7B 04 DC 23 43 3B DB 7D 39 ^....01{ ..#C;.}9 +[0CA0] 67 FE 9A 1F C1 08 AF 34 24 F6 74 E4 14 DA 34 8F g......4 $.t...4. +[0CB0] 61 57 6A 7F 1D 4A 88 0A 90 78 93 F1 86 54 DB 22 aWj..J.. .x...T." +[0CC0] 86 D6 69 0F DF 44 7C D3 6B 9D 41 63 50 98 3A 97 ..i..D|. k.AcP.:. +[0CD0] B9 7B 4C 53 E3 85 73 9A C9 08 A0 75 12 50 02 87 .{LS..s. ...u.P.. +[0CE0] B0 CF CC 84 84 D9 BC FC 94 79 AF 6A A6 08 FF 19 ........ .y.j.... +[0CF0] 7E E9 22 9B EC 5C C1 6B 1D A4 B4 55 32 5E 23 C3 ~."..\.k ...U2^#. +[0D00] C0 D4 8B 80 E6 67 B1 59 EB 9D 5D 9B AD C6 0E 7D .....g.Y ..]....} +[0D10] E2 FE B1 24 8A B1 37 1E 60 7F 83 35 48 32 F7 03 ...$..7. `..5H2.. +[0D20] E8 12 E6 21 7C 3D 21 7F 6B 14 31 9C 1A A3 4C 2B ...!|=!. k.1...L+ +[0D30] 1C 5E EC 34 C1 2D DA 19 6C E6 6D 8D 60 D7 55 9E .^.4.-.. l.m.`.U. +[0D40] E6 D0 B5 07 06 72 C0 E9 4E 91 94 6B 3E 0B F1 0A .....r.. N..k>... +[0D50] 75 4D E8 CB 53 6B 34 A4 2F 96 A5 39 1A 18 6E 27 uM..Sk4. /..9..n' +[0D60] 00 6D 41 B7 D8 F5 9A E5 01 FC 0B A8 97 56 EE 98 .mA..... .....V.. +[0D70] 04 1D 98 84 5E 82 C8 E8 EC 17 D5 FA 96 00 3B E1 ....^... ......;. +[0D80] 98 1C D8 FA 66 A0 DC 32 60 F6 03 46 08 3C E5 16 ....f..2 `..F.<.. +[0D90] 6F F2 8B 4D 72 9F 0F E0 A9 71 6E 7C AE AA FB A3 o..Mr... .qn|.... +[0DA0] 4D F1 A1 B6 1B 9F 62 71 E1 2C 82 9B AE E3 07 9B M.....bq .,...... +[0DB0] 79 90 F1 C2 69 E5 7E CB 57 E6 C9 1C 4E A8 C7 12 y...i.~. W...N... +[0DC0] EA 4F 4C 52 17 03 AB D4 FD 34 60 F4 7C BE 9E 36 .OLR.... .4`.|..6 +[0DD0] 30 37 88 95 61 2E CF 70 AF 22 70 DB E8 AA 6E 3D 07..a..p ."p...n= +[0DE0] 30 F7 4D 84 D5 00 00 00 00 00 00 00 01 00 00 00 0.M..... ........ +[0DF0] 01 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[0E00] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D .EXAMPLE .COM.... +[0E10] 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 administ rator... +[0E20] 01 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 ........ .KTEST.S +[0E30] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM +[0E40] 00 00 00 04 63 69 66 73 00 00 00 0B 4C 4F 43 41 ....cifs ....LOCA +[0E50] 4C 4B 54 45 53 54 36 00 17 00 00 00 10 1D C8 5E LKTEST6. .......^ +[0E60] 46 48 82 F9 29 DB C6 A6 F1 72 6D 8D E9 4D 99 4F FH..)... .rm..M.O +[0E70] 6A 4D 99 85 09 7D 44 0B 68 00 00 00 00 00 40 28 jM...}D. h.....@( +[0E80] 00 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 ........ ......a. +[0E90] 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B ..0..... .......K +[0EA0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[0EB0] 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 LE.COM.. 0....... +[0EC0] 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F 43 41 4C .0...cif s..LOCAL +[0ED0] 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 KTEST6.. ..0..... +[0EE0] 02 01 17 A1 03 02 01 02 A2 82 03 9C 04 82 03 98 ........ ........ +[0EF0] 66 D8 19 46 FA CB 73 2D CF 88 FD 4A EE 07 48 DA f..F..s- ...J..H. +[0F00] 0E BC 58 30 43 40 A4 9C 00 0F 3B 17 C1 2D F5 9C ..X0C@.. ..;..-.. +[0F10] 3E D9 2F 1D CA 01 9B D7 2E EC D7 70 ED 8B 8B 1B >./..... ...p.... +[0F20] 5E F2 4E EE DD 0F C0 8D 61 E5 D7 0A 56 00 32 B1 ^.N..... a...V.2. +[0F30] DB 91 37 29 0F 2F 85 EE A8 43 BA A5 B8 D4 19 74 ..7)./.. .C.....t +[0F40] 33 F0 69 52 E1 58 98 83 D6 16 0B 44 A9 63 9B D4 3.iR.X.. ...D.c.. +[0F50] 4E 6E A7 3E CD 9A 96 4D C4 96 F5 07 6D 29 B6 ED Nn.>...M ....m).. +[0F60] 2A 62 3D 53 22 33 D1 95 E9 DF 74 4C 2A E2 29 AF *b=S"3.. ..tL*.). +[0F70] 5B 69 B0 48 2D AD 94 FD A5 1D 54 D8 E2 5E C1 68 [i.H-... ..T..^.h +[0F80] 6F BA 02 01 79 C3 C9 97 0B 76 66 45 E2 3B 10 17 o...y... .vfE.;.. +[0F90] 95 40 46 E4 85 B9 87 BB CF CF 19 8C 3A C0 EA 38 .@F..... ....:..8 +[0FA0] 3B B9 E9 4B 05 89 E5 27 8C 62 95 BC 0D 65 F0 D2 ;..K...' .b...e.. +[0FB0] C0 5E BC 65 01 D5 0B CB 17 31 0F 06 49 4F A2 4A .^.e.... .1..IO.J +[0FC0] 70 77 DB BD 92 5B 37 5C EC 06 DF C5 E2 31 C8 40 pw...[7\ .....1.@ +[0FD0] 09 11 68 14 E7 7D CE 54 4F 52 61 31 2C 1C 53 52 ..h..}.T ORa1,.SR +[0FE0] DB BE D8 95 39 EE 7D C6 CE C8 22 95 92 97 97 3D ....9.}. .."....= +[0FF0] 5E 66 0F AD DC C2 4E 2E 2B 9F 63 20 30 DF B7 C1 ^f....N. +.c 0... +[1000] D4 65 AA 6F 2D 10 24 07 20 8D 88 6E 4B 09 04 31 .e.o-.$. ..nK..1 +[1010] B6 A3 EB F7 37 32 0E 0C 73 C6 F6 B8 4D D9 0C 4C ....72.. s...M..L +[1020] 5B EC 10 6A 51 19 EA 3F FF 46 E7 73 16 A7 1F 33 [..jQ..? .F.s...3 +[1030] 98 7C 9B AD 5A 23 A9 40 7C 0F DF EE 0F AA C7 E8 .|..Z#.@ |....... +[1040] 63 07 98 3A 4A 0D 18 62 01 21 B2 AE A5 69 B0 C1 c..:J..b .!...i.. +[1050] 15 51 BA 97 D2 C5 42 5B C5 30 38 18 A9 48 AB D7 .Q....B[ .08..H.. +[1060] FC A1 BC 9F 71 E7 EA 18 54 42 DA D6 A4 FC C1 DC ....q... TB...... +[1070] F3 12 30 62 AC 98 E1 7D 2B 34 1E 52 4C 26 67 32 ..0b...} +4.RL&g2 +[1080] D9 44 1A 08 27 0E DA D0 FC 84 66 35 81 D6 EB 98 .D..'... ..f5.... +[1090] 46 6F 1E 47 E0 14 31 BE 47 80 65 AA 0B 20 D6 33 Fo.G..1. G.e.. .3 +[10A0] 36 3B 0D 40 2F 5A 2E 0E 01 BE 00 EB 33 3E 4B 32 6;.@/Z.. ....3>K2 +[10B0] 91 F4 22 96 E5 5F D4 D5 92 94 CC 5B 59 6A 3E D2 ..".._.. ...[Yj>. +[10C0] FB A0 4F 99 C4 07 8B 6F 2B 14 37 CD 37 44 C0 1F ..O....o +.7.7D.. +[10D0] 80 9C 43 46 F2 5E F4 FE D3 39 70 61 BE 72 5B 3A ..CF.^.. .9pa.r[: +[10E0] 8F 37 95 78 1E AB D9 E7 E9 DA FC 47 09 81 A0 0D .7.x.... ...G.... +[10F0] 62 E1 F9 34 36 D1 DB E6 98 D8 F4 3E 77 5A 4D E2 b..46... ...>wZM. +[1100] 5F 20 70 3D 3D 5B 34 D9 FD A8 31 F7 D9 59 F7 A3 _ p==[4. ..1..Y.. +[1110] F0 66 F7 D9 AD 1C CD D5 85 33 A0 87 22 31 D4 F3 .f...... .3.."1.. +[1120] 67 80 68 20 A2 90 72 7A 6F 64 FD 68 82 9E 91 B8 g.h ..rz od.h.... +[1130] E3 F7 6D 6C 38 74 F0 96 A2 F6 25 D7 92 58 14 60 ..ml8t.. ..%..X.` +[1140] 9F AE 01 4C 0C 09 67 3E 35 67 71 1E 2A 86 21 D3 ...L..g> 5gq.*.!. +[1150] 60 61 98 16 94 67 0B 52 76 63 93 BD A3 3B A9 F0 `a...g.R vc...;.. +[1160] A2 6A B7 E6 0F 35 64 DA 6A EA 20 A6 3D 94 71 59 .j...5d. j. .=.qY +[1170] 5E CB B2 D3 F9 4D FE 1B 4B D8 64 C8 3B 7A A8 E6 ^....M.. K.d.;z.. +[1180] D2 D5 76 71 26 D4 5C DA 1A 55 17 F2 16 C9 2F 77 ..vq&.\. .U..../w +[1190] DB 95 19 48 A5 AC D0 C3 31 9C 0A CC 1B 44 11 6B ...H.... 1....D.k +[11A0] 7C 88 7A 5D CF 6E 12 DA EF C5 C7 34 1D F4 CC EA |.z].n.. ...4.... +[11B0] 37 24 4B B3 0F C1 A3 F2 29 A0 D8 93 39 C6 16 57 7$K..... )...9..W +[11C0] D5 BF 57 BF 6C 7E F7 90 E0 EB A3 8B 07 56 9C EC ..W.l~.. .....V.. +[11D0] 15 3E 21 DA A5 7C 00 3C F9 D2 A7 1C 6F 16 25 31 .>!..|.< ....o.%1 +[11E0] C5 28 A7 EA F3 47 31 50 DD E1 ED 0A 93 DB 85 CC .(...G1P ........ +[11F0] 6B 4B 2C 7F E8 F8 2D A9 6D 1D 0A 87 F2 10 8C 82 kK,...-. m....... +[1200] 2F 9B D4 9B 92 8C 77 40 50 42 1E 42 C4 0A 4F E3 /.....w@ PB.B..O. +[1210] 6C 6C DC 81 C4 1E BB F0 7D CF 3C 73 22 5B C3 1A ll...... }..x K....%J. +[1240] 1E 6C 8F 01 D6 59 D7 CF 2E A0 CC 98 F6 75 28 2F .l...Y.. .....u(/ +[1250] F7 2A 70 28 A9 45 1F 75 C2 4E 62 ED D8 C4 A0 8D .*p(.E.u .Nb..... +[1260] 55 B2 84 1C A4 CE 87 EF 24 EE BC CE 40 09 EB 05 U....... $...@... +[1270] 0B D1 14 31 50 32 2F B6 A8 97 17 4B A7 95 01 50 ...1P2/. ...K...P +[1280] 6E 0E 23 49 9C 72 21 91 00 00 00 00 00 00 00 01 n.#I.r!. ........ +[1290] 00 00 00 01 00 00 00 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA +[12A0] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 MBA.EXAM PLE.COM. +[12B0] 00 00 0D 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 ...admin istrator +[12C0] 00 00 00 01 00 00 00 02 00 00 00 17 4B 54 45 53 ........ ....KTES +[12D0] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[12E0] 43 4F 4D 00 00 00 04 63 69 66 73 00 00 00 0B 4C COM....c ifs....L +[12F0] 4F 43 41 4C 4B 54 45 53 54 36 00 17 00 00 00 10 OCALKTES T6...... +[1300] 1D C8 5E 46 48 82 F9 29 DB C6 A6 F1 72 6D 8D E9 ..^FH..) ....rm.. +[1310] 4D 99 4F 6A 4D 99 85 09 7D 44 0B 68 00 00 00 00 M.OjM... }D.h.... +[1320] 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 03 .@(..... ........ +[1330] FA 61 82 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 .a...0.. ........ +[1340] 1B 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[1350] 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 AMPLE.CO M..0.... +[1360] 01 01 A1 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F ....0... cifs..LO +[1370] 43 41 4C 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 CALKTEST 6....0.. +[1380] AA A0 03 02 01 17 A1 03 02 01 02 A2 82 03 9C 04 ........ ........ +[1390] 82 03 98 66 D8 19 46 FA CB 73 2D CF 88 FD 4A EE ...f..F. .s-...J. +[13A0] 07 48 DA 0E BC 58 30 43 40 A4 9C 00 0F 3B 17 C1 .H...X0C @....;.. +[13B0] 2D F5 9C 3E D9 2F 1D CA 01 9B D7 2E EC D7 70 ED -..>./.. ......p. +[13C0] 8B 8B 1B 5E F2 4E EE DD 0F C0 8D 61 E5 D7 0A 56 ...^.N.. ...a...V +[13D0] 00 32 B1 DB 91 37 29 0F 2F 85 EE A8 43 BA A5 B8 .2...7). /...C... +[13E0] D4 19 74 33 F0 69 52 E1 58 98 83 D6 16 0B 44 A9 ..t3.iR. X.....D. +[13F0] 63 9B D4 4E 6E A7 3E CD 9A 96 4D C4 96 F5 07 6D c..Nn.>. ..M....m +[1400] 29 B6 ED 2A 62 3D 53 22 33 D1 95 E9 DF 74 4C 2A )..*b=S" 3....tL* +[1410] E2 29 AF 5B 69 B0 48 2D AD 94 FD A5 1D 54 D8 E2 .).[i.H- .....T.. +[1420] 5E C1 68 6F BA 02 01 79 C3 C9 97 0B 76 66 45 E2 ^.ho...y ....vfE. +[1430] 3B 10 17 95 40 46 E4 85 B9 87 BB CF CF 19 8C 3A ;...@F.. .......: +[1440] C0 EA 38 3B B9 E9 4B 05 89 E5 27 8C 62 95 BC 0D ..8;..K. ..'.b... +[1450] 65 F0 D2 C0 5E BC 65 01 D5 0B CB 17 31 0F 06 49 e...^.e. ....1..I +[1460] 4F A2 4A 70 77 DB BD 92 5B 37 5C EC 06 DF C5 E2 O.Jpw... [7\..... +[1470] 31 C8 40 09 11 68 14 E7 7D CE 54 4F 52 61 31 2C 1.@..h.. }.TORa1, +[1480] 1C 53 52 DB BE D8 95 39 EE 7D C6 CE C8 22 95 92 .SR....9 .}...".. +[1490] 97 97 3D 5E 66 0F AD DC C2 4E 2E 2B 9F 63 20 30 ..=^f... .N.+.c 0 +[14A0] DF B7 C1 D4 65 AA 6F 2D 10 24 07 20 8D 88 6E 4B ....e.o- .$. ..nK +[14B0] 09 04 31 B6 A3 EB F7 37 32 0E 0C 73 C6 F6 B8 4D ..1....7 2..s...M +[14C0] D9 0C 4C 5B EC 10 6A 51 19 EA 3F FF 46 E7 73 16 ..L[..jQ ..?.F.s. +[14D0] A7 1F 33 98 7C 9B AD 5A 23 A9 40 7C 0F DF EE 0F ..3.|..Z #.@|.... +[14E0] AA C7 E8 63 07 98 3A 4A 0D 18 62 01 21 B2 AE A5 ...c..:J ..b.!... +[14F0] 69 B0 C1 15 51 BA 97 D2 C5 42 5B C5 30 38 18 A9 i...Q... .B[.08.. +[1500] 48 AB D7 FC A1 BC 9F 71 E7 EA 18 54 42 DA D6 A4 H......q ...TB... +[1510] FC C1 DC F3 12 30 62 AC 98 E1 7D 2B 34 1E 52 4C .....0b. ..}+4.RL +[1520] 26 67 32 D9 44 1A 08 27 0E DA D0 FC 84 66 35 81 &g2.D..' .....f5. +[1530] D6 EB 98 46 6F 1E 47 E0 14 31 BE 47 80 65 AA 0B ...Fo.G. .1.G.e.. +[1540] 20 D6 33 36 3B 0D 40 2F 5A 2E 0E 01 BE 00 EB 33 .36;.@/ Z......3 +[1550] 3E 4B 32 91 F4 22 96 E5 5F D4 D5 92 94 CC 5B 59 >K2..".. _.....[Y +[1560] 6A 3E D2 FB A0 4F 99 C4 07 8B 6F 2B 14 37 CD 37 j>...O.. ..o+.7.7 +[1570] 44 C0 1F 80 9C 43 46 F2 5E F4 FE D3 39 70 61 BE D....CF. ^...9pa. +[1580] 72 5B 3A 8F 37 95 78 1E AB D9 E7 E9 DA FC 47 09 r[:.7.x. ......G. +[1590] 81 A0 0D 62 E1 F9 34 36 D1 DB E6 98 D8 F4 3E 77 ...b..46 ......>w +[15A0] 5A 4D E2 5F 20 70 3D 3D 5B 34 D9 FD A8 31 F7 D9 ZM._ p== [4...1.. +[15B0] 59 F7 A3 F0 66 F7 D9 AD 1C CD D5 85 33 A0 87 22 Y...f... ....3.." +[15C0] 31 D4 F3 67 80 68 20 A2 90 72 7A 6F 64 FD 68 82 1..g.h . .rzod.h. +[15D0] 9E 91 B8 E3 F7 6D 6C 38 74 F0 96 A2 F6 25 D7 92 .....ml8 t....%.. +[15E0] 58 14 60 9F AE 01 4C 0C 09 67 3E 35 67 71 1E 2A X.`...L. .g>5gq.* +[15F0] 86 21 D3 60 61 98 16 94 67 0B 52 76 63 93 BD A3 .!.`a... g.Rvc... +[1600] 3B A9 F0 A2 6A B7 E6 0F 35 64 DA 6A EA 20 A6 3D ;...j... 5d.j. .= +[1610] 94 71 59 5E CB B2 D3 F9 4D FE 1B 4B D8 64 C8 3B .qY^.... M..K.d.; +[1620] 7A A8 E6 D2 D5 76 71 26 D4 5C DA 1A 55 17 F2 16 z....vq& .\..U... +[1630] C9 2F 77 DB 95 19 48 A5 AC D0 C3 31 9C 0A CC 1B ./w...H. ...1.... +[1640] 44 11 6B 7C 88 7A 5D CF 6E 12 DA EF C5 C7 34 1D D.k|.z]. n.....4. +[1650] F4 CC EA 37 24 4B B3 0F C1 A3 F2 29 A0 D8 93 39 ...7$K.. ...)...9 +[1660] C6 16 57 D5 BF 57 BF 6C 7E F7 90 E0 EB A3 8B 07 ..W..W.l ~....... +[1670] 56 9C EC 15 3E 21 DA A5 7C 00 3C F9 D2 A7 1C 6F V...>!.. |.<....o +[1680] 16 25 31 C5 28 A7 EA F3 47 31 50 DD E1 ED 0A 93 .%1.(... G1P..... +[1690] DB 85 CC 6B 4B 2C 7F E8 F8 2D A9 6D 1D 0A 87 F2 ...kK,.. .-.m.... +[16A0] 10 8C 82 2F 9B D4 9B 92 8C 77 40 50 42 1E 42 C4 .../.... .w@PB.B. +[16B0] 0A 4F E3 6C 6C DC 81 C4 1E BB F0 7D CF 3C 73 22 .O.ll... ...}..xK.... +[16E0] 25 4A 92 1E 6C 8F 01 D6 59 D7 CF 2E A0 CC 98 F6 %J..l... Y....... +[16F0] 75 28 2F F7 2A 70 28 A9 45 1F 75 C2 4E 62 ED D8 u(/.*p(. E.u.Nb.. +[1700] C4 A0 8D 55 B2 84 1C A4 CE 87 EF 24 EE BC CE 40 ...U.... ...$...@ +[1710] 09 EB 05 0B D1 14 31 50 32 2F B6 A8 97 17 4B A7 ......1P 2/....K. +[1720] 95 01 50 6E 0E 23 49 9C 72 21 91 00 00 00 00 00 ..Pn.#I. r!...... +[1730] 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 54 ........ ...KTEST +[1740] 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 .SAMBA.E XAMPLE.C +[1750] 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 61 OM....ad ministra +[1760] 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 4B tor..... .......K +[1770] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[1780] 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 73 00 00 LE.COM.. ..cifs.. +[1790] 00 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 00 17 00 ..LOCALK TEST6... +[17A0] 00 00 10 1D C8 5E 46 48 82 F9 29 DB C6 A6 F1 72 .....^FH ..)....r +[17B0] 6D 8D E9 4D 99 4F 6A 4D 99 85 09 7D 44 0B 68 00 m..M.OjM ...}D.h. +[17C0] 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 00 ....@(.. ........ +[17D0] 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 01 ....a... 0....... +[17E0] 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[17F0] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 1C .EXAMPLE .COM..0. +[1800] A0 03 02 01 01 A1 15 30 13 1B 04 63 69 66 73 1B .......0 ...cifs. +[1810] 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 A3 82 03 AE .LOCALKT EST6.... +[1820] 30 82 03 AA A0 03 02 01 17 A1 03 02 01 02 A2 82 0....... ........ +[1830] 03 9C 04 82 03 98 66 D8 19 46 FA CB 73 2D CF 88 ......f. .F..s-.. +[1840] FD 4A EE 07 48 DA 0E BC 58 30 43 40 A4 9C 00 0F .J..H... X0C@.... +[1850] 3B 17 C1 2D F5 9C 3E D9 2F 1D CA 01 9B D7 2E EC ;..-..>. /....... +[1860] D7 70 ED 8B 8B 1B 5E F2 4E EE DD 0F C0 8D 61 E5 .p....^. N.....a. +[1870] D7 0A 56 00 32 B1 DB 91 37 29 0F 2F 85 EE A8 43 ..V.2... 7)./...C +[1880] BA A5 B8 D4 19 74 33 F0 69 52 E1 58 98 83 D6 16 .....t3. iR.X.... +[1890] 0B 44 A9 63 9B D4 4E 6E A7 3E CD 9A 96 4D C4 96 .D.c..Nn .>...M.. +[18A0] F5 07 6D 29 B6 ED 2A 62 3D 53 22 33 D1 95 E9 DF ..m)..*b =S"3.... +[18B0] 74 4C 2A E2 29 AF 5B 69 B0 48 2D AD 94 FD A5 1D tL*.).[i .H-..... +[18C0] 54 D8 E2 5E C1 68 6F BA 02 01 79 C3 C9 97 0B 76 T..^.ho. ..y....v +[18D0] 66 45 E2 3B 10 17 95 40 46 E4 85 B9 87 BB CF CF fE.;...@ F....... +[18E0] 19 8C 3A C0 EA 38 3B B9 E9 4B 05 89 E5 27 8C 62 ..:..8;. .K...'.b +[18F0] 95 BC 0D 65 F0 D2 C0 5E BC 65 01 D5 0B CB 17 31 ...e...^ .e.....1 +[1900] 0F 06 49 4F A2 4A 70 77 DB BD 92 5B 37 5C EC 06 ..IO.Jpw ...[7\.. +[1910] DF C5 E2 31 C8 40 09 11 68 14 E7 7D CE 54 4F 52 ...1.@.. h..}.TOR +[1920] 61 31 2C 1C 53 52 DB BE D8 95 39 EE 7D C6 CE C8 a1,.SR.. ..9.}... +[1930] 22 95 92 97 97 3D 5E 66 0F AD DC C2 4E 2E 2B 9F "....=^f ....N.+. +[1940] 63 20 30 DF B7 C1 D4 65 AA 6F 2D 10 24 07 20 8D c 0....e .o-.$. . +[1950] 88 6E 4B 09 04 31 B6 A3 EB F7 37 32 0E 0C 73 C6 .nK..1.. ..72..s. +[1960] F6 B8 4D D9 0C 4C 5B EC 10 6A 51 19 EA 3F FF 46 ..M..L[. .jQ..?.F +[1970] E7 73 16 A7 1F 33 98 7C 9B AD 5A 23 A9 40 7C 0F .s...3.| ..Z#.@|. +[1980] DF EE 0F AA C7 E8 63 07 98 3A 4A 0D 18 62 01 21 ......c. .:J..b.! +[1990] B2 AE A5 69 B0 C1 15 51 BA 97 D2 C5 42 5B C5 30 ...i...Q ....B[.0 +[19A0] 38 18 A9 48 AB D7 FC A1 BC 9F 71 E7 EA 18 54 42 8..H.... ..q...TB +[19B0] DA D6 A4 FC C1 DC F3 12 30 62 AC 98 E1 7D 2B 34 ........ 0b...}+4 +[19C0] 1E 52 4C 26 67 32 D9 44 1A 08 27 0E DA D0 FC 84 .RL&g2.D ..'..... +[19D0] 66 35 81 D6 EB 98 46 6F 1E 47 E0 14 31 BE 47 80 f5....Fo .G..1.G. +[19E0] 65 AA 0B 20 D6 33 36 3B 0D 40 2F 5A 2E 0E 01 BE e.. .36; .@/Z.... +[19F0] 00 EB 33 3E 4B 32 91 F4 22 96 E5 5F D4 D5 92 94 ..3>K2.. ".._.... +[1A00] CC 5B 59 6A 3E D2 FB A0 4F 99 C4 07 8B 6F 2B 14 .[Yj>... O....o+. +[1A10] 37 CD 37 44 C0 1F 80 9C 43 46 F2 5E F4 FE D3 39 7.7D.... CF.^...9 +[1A20] 70 61 BE 72 5B 3A 8F 37 95 78 1E AB D9 E7 E9 DA pa.r[:.7 .x...... +[1A30] FC 47 09 81 A0 0D 62 E1 F9 34 36 D1 DB E6 98 D8 .G....b. .46..... +[1A40] F4 3E 77 5A 4D E2 5F 20 70 3D 3D 5B 34 D9 FD A8 .>wZM._ p==[4... +[1A50] 31 F7 D9 59 F7 A3 F0 66 F7 D9 AD 1C CD D5 85 33 1..Y...f .......3 +[1A60] A0 87 22 31 D4 F3 67 80 68 20 A2 90 72 7A 6F 64 .."1..g. h ..rzod +[1A70] FD 68 82 9E 91 B8 E3 F7 6D 6C 38 74 F0 96 A2 F6 .h...... ml8t.... +[1A80] 25 D7 92 58 14 60 9F AE 01 4C 0C 09 67 3E 35 67 %..X.`.. .L..g>5g +[1A90] 71 1E 2A 86 21 D3 60 61 98 16 94 67 0B 52 76 63 q.*.!.`a ...g.Rvc +[1AA0] 93 BD A3 3B A9 F0 A2 6A B7 E6 0F 35 64 DA 6A EA ...;...j ...5d.j. +[1AB0] 20 A6 3D 94 71 59 5E CB B2 D3 F9 4D FE 1B 4B D8 .=.qY^. ...M..K. +[1AC0] 64 C8 3B 7A A8 E6 D2 D5 76 71 26 D4 5C DA 1A 55 d.;z.... vq&.\..U +[1AD0] 17 F2 16 C9 2F 77 DB 95 19 48 A5 AC D0 C3 31 9C ..../w.. .H....1. +[1AE0] 0A CC 1B 44 11 6B 7C 88 7A 5D CF 6E 12 DA EF C5 ...D.k|. z].n.... +[1AF0] C7 34 1D F4 CC EA 37 24 4B B3 0F C1 A3 F2 29 A0 .4....7$ K.....). +[1B00] D8 93 39 C6 16 57 D5 BF 57 BF 6C 7E F7 90 E0 EB ..9..W.. W.l~.... +[1B10] A3 8B 07 56 9C EC 15 3E 21 DA A5 7C 00 3C F9 D2 ...V...> !..|.<.. +[1B20] A7 1C 6F 16 25 31 C5 28 A7 EA F3 47 31 50 DD E1 ..o.%1.( ...G1P.. +[1B30] ED 0A 93 DB 85 CC 6B 4B 2C 7F E8 F8 2D A9 6D 1D ......kK ,...-.m. +[1B40] 0A 87 F2 10 8C 82 2F 9B D4 9B 92 8C 77 40 50 42 ....../. ....w@PB +[1B50] 1E 42 C4 0A 4F E3 6C 6C DC 81 C4 1E BB F0 7D CF .B..O.ll ......}. +[1B60] 3C 73 22 5B C3 1A 97 35 EE 3A CD 6D F3 68 A3 C5 .xK. +[1B80] 18 9F A5 25 4A 92 1E 6C 8F 01 D6 59 D7 CF 2E A0 ...%J..l ...Y.... +[1B90] CC 98 F6 75 28 2F F7 2A 70 28 A9 45 1F 75 C2 4E ...u(/.* p(.E.u.N +[1BA0] 62 ED D8 C4 A0 8D 55 B2 84 1C A4 CE 87 EF 24 EE b.....U. ......$. +[1BB0] BC CE 40 09 EB 05 0B D1 14 31 50 32 2F B6 A8 97 ..@..... .1P2/... +[1BC0] 17 4B A7 95 01 50 6E 0E 23 49 9C 72 21 91 00 00 .K...Pn. #I.r!... +[1BD0] 00 00 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 ........ ......KT +[1BE0] 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C EST.SAMB A.EXAMPL +[1BF0] 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 E.COM... .adminis +[1C00] 74 72 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 trator.. ........ +[1C10] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[1C20] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 AMPLE.CO M....cif +[1C30] 73 00 00 00 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 s....LOC ALKTEST6 +[1C40] 00 17 00 00 00 10 1D C8 5E 46 48 82 F9 29 DB C6 ........ ^FH..).. +[1C50] A6 F1 72 6D 8D E9 4D 99 4F 6A 4D 99 85 09 7D 44 ..rm..M. OjM...}D +[1C60] 0B 68 00 00 00 00 00 40 28 00 00 00 00 00 00 00 .h.....@ (....... +[1C70] 00 00 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 .......a ...0.... +[1C80] 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA +[1C90] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 MBA.EXAM PLE.COM. +[1CA0] 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 69 .0...... ..0...ci +[1CB0] 66 73 1B 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 A3 fs..LOCA LKTEST6. +[1CC0] 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 ...0.... ........ +[1CD0] 02 A2 82 03 9C 04 82 03 98 66 D8 19 46 FA CB 73 ........ .f..F..s +[1CE0] 2D CF 88 FD 4A EE 07 48 DA 0E BC 58 30 43 40 A4 -...J..H ...X0C@. +[1CF0] 9C 00 0F 3B 17 C1 2D F5 9C 3E D9 2F 1D CA 01 9B ...;..-. .>./.... +[1D00] D7 2E EC D7 70 ED 8B 8B 1B 5E F2 4E EE DD 0F C0 ....p... .^.N.... +[1D10] 8D 61 E5 D7 0A 56 00 32 B1 DB 91 37 29 0F 2F 85 .a...V.2 ...7)./. +[1D20] EE A8 43 BA A5 B8 D4 19 74 33 F0 69 52 E1 58 98 ..C..... t3.iR.X. +[1D30] 83 D6 16 0B 44 A9 63 9B D4 4E 6E A7 3E CD 9A 96 ....D.c. .Nn.>... +[1D40] 4D C4 96 F5 07 6D 29 B6 ED 2A 62 3D 53 22 33 D1 M....m). .*b=S"3. +[1D50] 95 E9 DF 74 4C 2A E2 29 AF 5B 69 B0 48 2D AD 94 ...tL*.) .[i.H-.. +[1D60] FD A5 1D 54 D8 E2 5E C1 68 6F BA 02 01 79 C3 C9 ...T..^. ho...y.. +[1D70] 97 0B 76 66 45 E2 3B 10 17 95 40 46 E4 85 B9 87 ..vfE.;. ..@F.... +[1D80] BB CF CF 19 8C 3A C0 EA 38 3B B9 E9 4B 05 89 E5 .....:.. 8;..K... +[1D90] 27 8C 62 95 BC 0D 65 F0 D2 C0 5E BC 65 01 D5 0B '.b...e. ..^.e... +[1DA0] CB 17 31 0F 06 49 4F A2 4A 70 77 DB BD 92 5B 37 ..1..IO. Jpw...[7 +[1DB0] 5C EC 06 DF C5 E2 31 C8 40 09 11 68 14 E7 7D CE \.....1. @..h..}. +[1DC0] 54 4F 52 61 31 2C 1C 53 52 DB BE D8 95 39 EE 7D TORa1,.S R....9.} +[1DD0] C6 CE C8 22 95 92 97 97 3D 5E 66 0F AD DC C2 4E ...".... =^f....N +[1DE0] 2E 2B 9F 63 20 30 DF B7 C1 D4 65 AA 6F 2D 10 24 .+.c 0.. ..e.o-.$ +[1DF0] 07 20 8D 88 6E 4B 09 04 31 B6 A3 EB F7 37 32 0E . ..nK.. 1....72. +[1E00] 0C 73 C6 F6 B8 4D D9 0C 4C 5B EC 10 6A 51 19 EA .s...M.. L[..jQ.. +[1E10] 3F FF 46 E7 73 16 A7 1F 33 98 7C 9B AD 5A 23 A9 ?.F.s... 3.|..Z#. +[1E20] 40 7C 0F DF EE 0F AA C7 E8 63 07 98 3A 4A 0D 18 @|...... .c..:J.. +[1E30] 62 01 21 B2 AE A5 69 B0 C1 15 51 BA 97 D2 C5 42 b.!...i. ..Q....B +[1E40] 5B C5 30 38 18 A9 48 AB D7 FC A1 BC 9F 71 E7 EA [.08..H. .....q.. +[1E50] 18 54 42 DA D6 A4 FC C1 DC F3 12 30 62 AC 98 E1 .TB..... ...0b... +[1E60] 7D 2B 34 1E 52 4C 26 67 32 D9 44 1A 08 27 0E DA }+4.RL&g 2.D..'.. +[1E70] D0 FC 84 66 35 81 D6 EB 98 46 6F 1E 47 E0 14 31 ...f5... .Fo.G..1 +[1E80] BE 47 80 65 AA 0B 20 D6 33 36 3B 0D 40 2F 5A 2E .G.e.. . 36;.@/Z. +[1E90] 0E 01 BE 00 EB 33 3E 4B 32 91 F4 22 96 E5 5F D4 .....3>K 2..".._. +[1EA0] D5 92 94 CC 5B 59 6A 3E D2 FB A0 4F 99 C4 07 8B ....[Yj> ...O.... +[1EB0] 6F 2B 14 37 CD 37 44 C0 1F 80 9C 43 46 F2 5E F4 o+.7.7D. ...CF.^. +[1EC0] FE D3 39 70 61 BE 72 5B 3A 8F 37 95 78 1E AB D9 ..9pa.r[ :.7.x... +[1ED0] E7 E9 DA FC 47 09 81 A0 0D 62 E1 F9 34 36 D1 DB ....G... .b..46.. +[1EE0] E6 98 D8 F4 3E 77 5A 4D E2 5F 20 70 3D 3D 5B 34 ....>wZM ._ p==[4 +[1EF0] D9 FD A8 31 F7 D9 59 F7 A3 F0 66 F7 D9 AD 1C CD ...1..Y. ..f..... +[1F00] D5 85 33 A0 87 22 31 D4 F3 67 80 68 20 A2 90 72 ..3.."1. .g.h ..r +[1F10] 7A 6F 64 FD 68 82 9E 91 B8 E3 F7 6D 6C 38 74 F0 zod.h... ...ml8t. +[1F20] 96 A2 F6 25 D7 92 58 14 60 9F AE 01 4C 0C 09 67 ...%..X. `...L..g +[1F30] 3E 35 67 71 1E 2A 86 21 D3 60 61 98 16 94 67 0B >5gq.*.! .`a...g. +[1F40] 52 76 63 93 BD A3 3B A9 F0 A2 6A B7 E6 0F 35 64 Rvc...;. ..j...5d +[1F50] DA 6A EA 20 A6 3D 94 71 59 5E CB B2 D3 F9 4D FE .j. .=.q Y^....M. +[1F60] 1B 4B D8 64 C8 3B 7A A8 E6 D2 D5 76 71 26 D4 5C .K.d.;z. ...vq&.\ +[1F70] DA 1A 55 17 F2 16 C9 2F 77 DB 95 19 48 A5 AC D0 ..U..../ w...H... +[1F80] C3 31 9C 0A CC 1B 44 11 6B 7C 88 7A 5D CF 6E 12 .1....D. k|.z].n. +[1F90] DA EF C5 C7 34 1D F4 CC EA 37 24 4B B3 0F C1 A3 ....4... .7$K.... +[1FA0] F2 29 A0 D8 93 39 C6 16 57 D5 BF 57 BF 6C 7E F7 .)...9.. W..W.l~. +[1FB0] 90 E0 EB A3 8B 07 56 9C EC 15 3E 21 DA A5 7C 00 ......V. ..>!..|. +[1FC0] 3C F9 D2 A7 1C 6F 16 25 31 C5 28 A7 EA F3 47 31 <....o.% 1.(...G1 +[1FD0] 50 DD E1 ED 0A 93 DB 85 CC 6B 4B 2C 7F E8 F8 2D P....... .kK,...- +[1FE0] A9 6D 1D 0A 87 F2 10 8C 82 2F 9B D4 9B 92 8C 77 .m...... ./.....w +[1FF0] 40 50 42 1E 42 C4 0A 4F E3 6C 6C DC 81 C4 1E BB @PB.B..O .ll..... +[2000] F0 7D CF 3C 73 22 5B C3 1A 97 35 EE 3A CD 6D F3 .}.. +[2020] 78 4B BF 18 9F A5 25 4A 92 1E 6C 8F 01 D6 59 D7 xK....%J ..l...Y. +[2030] CF 2E A0 CC 98 F6 75 28 2F F7 2A 70 28 A9 45 1F ......u( /.*p(.E. +[2040] 75 C2 4E 62 ED D8 C4 A0 8D 55 B2 84 1C A4 CE 87 u.Nb.... .U...... +[2050] EF 24 EE BC CE 40 09 EB 05 0B D1 14 31 50 32 2F .$...@.. ....1P2/ +[2060] B6 A8 97 17 4B A7 95 01 50 6E 0E 23 49 9C 72 21 ....K... Pn.#I.r! +[2070] 91 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 ........ ........ +[2080] 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 .KTEST.S AMBA.EXA +[2090] 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 MPLE.COM ....admi +[20A0] 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 00 nistrato r....... +[20B0] 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[20C0] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 .EXAMPLE .COM.... +[20D0] 68 6F 73 74 00 00 00 0B 6C 6F 63 61 6C 6B 74 65 host.... localkte +[20E0] 73 74 36 00 17 00 00 00 10 72 47 04 38 B6 E6 F0 st6..... .rG.8... +[20F0] 44 9E 9F 27 66 E1 69 9C 9A 4D 99 4F 6A 4D 99 90 D..'f.i. .M.OjM.. +[2100] F5 7D 44 0B 68 00 00 00 00 00 40 28 00 00 00 00 .}D.h... ..@(.... +[2110] 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 82 ........ ..a...0. +[2120] 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 ........ ...KTEST +[2130] 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 .SAMBA.E XAMPLE.C +[2140] 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B OM..0... .....0.. +[2150] 04 68 6F 73 74 1B 0B 6C 6F 63 61 6C 6B 74 65 73 .host..l ocalktes +[2160] 74 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 t6....0. ........ +[2170] 03 02 01 02 A2 82 03 9C 04 82 03 98 58 95 95 EB ........ ....X... +[2180] CB 8F 68 D4 77 43 0F 3B 44 B4 15 DA 40 6D FD E9 ..h.wC.; D...@m.. +[2190] 85 D3 2F CD B5 1E 96 CD F6 E9 67 91 36 08 9E B4 ../..... ..g.6... +[21A0] B3 47 70 7A B3 4E 82 5A 4F 8E 4B F5 8D 04 E4 5C .Gpz.N.Z O.K....\ +[21B0] C4 D8 0C AF 08 25 F9 C1 64 B2 3A 35 26 E9 B2 72 .....%.. d.:5&..r +[21C0] 66 B5 E9 81 FC BE 12 1B CC 8A A5 82 31 F6 7F C3 f....... ....1... +[21D0] 5A 19 A3 31 F2 99 14 1E 64 E4 41 E8 C7 C3 F3 DF Z..1.... d.A..... +[21E0] F5 65 7D B0 9F DC 5D 25 1D 1A A8 EA AA 88 6D F4 .e}...]% ......m. +[21F0] 7C 25 9F 53 F6 A6 8F B1 24 AF 98 FE 53 7B 35 3C |%.S.... $...S{5< +[2200] DB EC 7F 09 74 E9 C4 8D 20 B4 47 08 0E 32 B8 C9 ....t... .G..2.. +[2210] 45 27 12 F9 8E F5 D6 C2 DD 1A 96 0E 68 5F 39 65 E'...... ....h_9e +[2220] 72 C7 BD 8E 04 0E 13 E1 03 27 AC 50 80 76 E6 7A r....... .'.P.v.z +[2230] 8E F4 C2 72 4F 68 B3 34 00 A9 54 41 DA FD 96 94 ...rOh.4 ..TA.... +[2240] 29 A1 59 15 2F DB 6C 94 85 49 C5 D0 6D 48 B0 C4 ).Y./.l. .I..mH.. +[2250] 65 D0 95 1D DB 3D 25 D0 75 50 D4 CF FA 2F 71 57 e....=%. uP.../qW +[2260] BD 6C 1C 59 E1 C3 5B C7 24 95 FF B0 20 EF 6A DB .l.Y..[. $... .j. +[2270] 79 87 67 91 94 E9 16 E2 BB 74 7A 08 E1 6A 36 5F y.g..... .tz..j6_ +[2280] DF 11 AB 35 9B 3E 32 48 83 89 41 4E 06 BF F9 BB ...5.>2H ..AN.... +[2290] EC E4 D7 6D 77 C4 55 22 DF F7 91 4D CB C5 01 A5 ...mw.U" ...M.... +[22A0] BA 2D 1E 92 76 04 E8 02 2F 5E AF 1C B3 B7 A6 FB .-..v... /^...... +[22B0] 3A 9F D9 7C 6D DA B4 8F 31 00 A5 30 F2 76 72 9B :..|m... 1..0.vr. +[22C0] 62 97 E0 56 E5 E4 C7 6B 8B FC 84 75 57 66 6E D7 b..V...k ...uWfn. +[22D0] B7 41 6F 61 F4 5B 0F 87 68 F6 54 02 26 1B 1F B7 .Aoa.[.. h.T.&... +[22E0] 60 D6 E7 FA 4F C7 DB 35 58 EC 13 21 D4 C6 A1 27 `...O..5 X..!...' +[22F0] BA E7 82 DF 29 FB 9D 5D E8 35 28 C9 9C 4E D7 BE ....)..] .5(..N.. +[2300] 2F 6D F1 E8 0B 5A 74 C9 93 9F AD 42 24 4B B7 3B /m...Zt. ...B$K.; +[2310] 38 2A 11 CF F0 BD 85 40 48 D8 9D E7 6B 65 70 42 8*.....@ H...kepB +[2320] 60 DA 9B 65 CB C8 C5 D7 40 3A 12 DC 64 AF 82 54 `..e.... @:..d..T +[2330] 34 05 38 4F C6 FB 38 E2 73 A9 89 B7 FC 33 15 85 4.8O..8. s....3.. +[2340] 9E CA E9 E0 89 18 18 84 02 65 B4 74 5B D4 A1 6F ........ .e.t[..o +[2350] 5F 79 20 CB D7 36 C8 6D 5B 1E 5E 0C 82 16 9F CC _y ..6.m [.^..... +[2360] 5A 1E 57 C1 B6 94 51 87 A1 3D 12 D4 8B FE 0F 93 Z.W...Q. .=...... +[2370] ED 53 A3 F4 88 3C 35 05 89 FE AF 0B 36 62 E3 2F .S...<5. ....6b./ +[2380] 5C 4A 0E 07 67 39 A3 8E C0 45 07 7F 73 32 BC DE \J..g9.. .E..s2.. +[2390] 2D 00 8B 47 79 3D 1C A1 90 AE B6 8F 83 B2 1B 31 -..Gy=.. .......1 +[23A0] EE E4 F2 C5 C1 4A E2 4A 2F 28 F0 AA 19 43 6A 14 .....J.J /(...Cj. +[23B0] B1 42 61 90 34 2E EE 3D 16 9F 5D 9F 7A A2 01 7A .Ba.4..= ..].z..z +[23C0] 4B 96 FA 4D C9 85 1A 75 27 B7 6B FD 4D 7D 9C 65 K..M...u '.k.M}.e +[23D0] 97 DB 05 CC 76 68 EA 05 5D 5D BB BD 51 4B 5B F2 ....vh.. ]]..QK[. +[23E0] 48 59 BD 1E AD 56 D4 69 A5 75 CD ED EC B1 3E AB HY...V.i .u....>. +[23F0] FA B7 F8 8D 4F BE 95 63 38 1C 4C 70 26 C4 3A 21 ....O..c 8.Lp&.:! +[2400] 80 61 05 3A D4 E2 28 2C 85 01 5A DA FC 10 60 F3 .a.:..(, ..Z...`. +[2410] 74 0C FD DB 2F 5B 25 4B 14 E4 7D 8A DB 85 12 D2 t.../[%K ..}..... +[2420] D7 69 CD B5 B1 93 CE E5 E6 4D 57 D3 C2 D3 2E A0 .i...... .MW..... +[2430] 08 37 09 CD 19 99 09 FA 33 68 4A E0 92 46 21 0C .7...... 3hJ..F!. +[2440] 99 9F DA 05 15 20 8B 3D 7C 7B CA D6 81 AC AA 83 ..... .= |{...... +[2450] 48 C8 24 4C C8 FC A5 14 2C BC 49 1A 1C 49 61 1D H.$L.... ,.I..Ia. +[2460] 24 86 42 B1 37 6A C8 3A AC 18 CC C0 50 84 12 48 $.B.7j.: ....P..H +[2470] 8B 29 0A 49 26 A4 E2 B9 E5 96 E7 37 C3 DE 4C 23 .).I&... ...7..L# +[2480] D2 D4 62 14 8F 1E 72 39 CF 03 BC A3 00 C7 63 51 ..b...r9 ......cQ +[2490] A9 6B E4 3E B2 65 A1 A2 BB EC 06 41 85 50 22 02 .k.>.e.. ...A.P". +[24A0] 46 2F 72 2B 32 1A A4 2D 85 94 02 47 69 8D AD 6D F/r+2..- ...Gi..m +[24B0] 66 AB D4 E4 29 C8 C7 DA F4 18 31 2A DF 50 6A 05 f...)... ..1*.Pj. +[24C0] D6 47 26 C4 F9 87 0F 35 24 6E 72 D6 23 7D 3A 94 .G&....5 $nr.#}:. +[24D0] 14 8D E8 57 AA BA D7 CF A9 2D E7 4C 10 7C D8 0D ...W.... .-.L.|.. +[24E0] 51 30 1F E1 FB E5 E2 6C EE AA 65 2F D8 22 05 67 Q0.....l ..e/.".g +[24F0] 87 4D 4D D2 11 3D B4 1E AA 20 3F 76 E3 94 93 6D .MM..=.. . ?v...m +[2500] AC 10 05 AF 09 BD 67 86 C5 83 93 D6 1C D3 81 D9 ......g. ........ +[2510] B1 3B E1 76 00 00 00 00 00 00 00 01 00 00 00 01 .;.v.... ........ +[2520] 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E ....KTES T.SAMBA. +[2530] 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 EXAMPLE. COM....a +[2540] 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 dministr ator.... +[2550] 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA +[2560] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 MBA.EXAM PLE.COM. +[2570] 00 00 04 68 6F 73 74 00 00 00 0B 4C 4F 43 41 4C ...host. ...LOCAL +[2580] 4B 54 45 53 54 36 00 17 00 00 00 10 55 6E 3E FC KTEST6.. ....Un>. +[2590] E2 F4 40 51 19 E6 6E EB 23 4C 48 8E 4D 99 4F 6A ..@Q..n. #LH.M.Oj +[25A0] 4D 99 90 FC 7D 44 0B 68 00 00 00 00 00 40 28 00 M...}D.h .....@(. +[25B0] 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 ........ .....a.. +[25C0] F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 .0...... ......KT +[25D0] 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C EST.SAMB A.EXAMPL +[25E0] 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 E.COM..0 ........ +[25F0] 30 13 1B 04 68 6F 73 74 1B 0B 4C 4F 43 41 4C 4B 0...host ..LOCALK +[2600] 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 02 TEST6... .0...... +[2610] 01 17 A1 03 02 01 02 A2 82 03 9C 04 82 03 98 6E ........ .......n +[2620] 87 B7 7B 3A 7E EF 4A 1B 29 C9 E3 C4 1F 42 4F 0E ..{:~.J. )....BO. +[2630] C8 AC AC 4E A2 77 1D DA 93 37 F1 AF DA A3 75 2D ...N.w.. .7....u- +[2640] 12 8B 40 34 23 0E 8E A9 90 58 46 42 42 39 31 D6 ..@4#... .XFBB91. +[2650] 03 9E 5D 81 D9 E8 F6 08 2B D9 96 88 8A 2F F1 CC ..]..... +..../.. +[2660] F2 EA 9E 9A 4B 31 B6 04 2D 3D 4C 7F 92 DE 3B 04 ....K1.. -=L...;. +[2670] 19 EE 28 D0 83 81 C3 46 CD 74 23 4C 14 34 DE 62 ..(....F .t#L.4.b +[2680] 0A AC E5 12 16 75 E9 A8 4B 32 78 CC 8D AE A2 E5 .....u.. K2x..... +[2690] 6D E8 09 70 76 52 F5 E5 18 F7 E7 91 15 6A 69 AB m..pvR.. .....ji. +[26A0] B8 62 DD 80 F5 28 6D DF ED 10 DA AC FB 92 27 CF .b...(m. ......'. +[26B0] 98 B5 77 9D A5 96 E6 9A CC B9 C3 91 78 22 35 9C ..w..... ....x"5. +[26C0] A1 13 A3 20 28 D1 16 E5 3E 4A 85 1E 12 0B CA 4D ... (... >J.....M +[26D0] C6 C8 03 C8 28 2C D8 29 5D 9A 76 4A 92 13 43 56 ....(,.) ].vJ..CV +[26E0] AF F7 C1 71 25 72 5C 38 75 1C 07 F1 5E 86 05 72 ...q%r\8 u...^..r +[26F0] 6F 69 95 42 B6 F2 DA A9 91 06 9F B9 54 20 33 A5 oi.B.... ....T 3. +[2700] 31 60 3B 54 DC 3A 95 34 96 26 07 52 6B 0E 1D 3B 1`;T.:.4 .&.Rk..; +[2710] D9 F8 48 20 AC CD 05 3B 99 F8 EE DB 83 28 CD C7 ..H ...; .....(.. +[2720] 2F 45 00 7E 2F 0A 65 7A D1 9E 95 4B EE C3 34 93 /E.~/.ez ...K..4. +[2730] A8 C7 DF 03 8B 14 D0 FC CE 56 90 AC EE 93 C5 D3 ........ .V...... +[2740] F7 12 24 69 0B 20 8D A2 65 87 55 26 2A F9 9A 88 ..$i. .. e.U&*... +[2750] D7 0D 86 61 D6 92 B6 FE E5 D1 66 F9 1F 9D F4 04 ...a.... ..f..... +[2760] 48 A6 39 BC 54 20 EA 10 21 E9 6D 30 46 1D C2 1C H.9.T .. !.m0F... +[2770] A4 E8 B4 63 85 37 27 25 80 52 41 60 C7 A1 32 21 ...c.7'% .RA`..2! +[2780] 43 90 02 E6 5F 5A E9 4E AF F9 B5 13 BD 42 BD A3 C..._Z.N .....B.. +[2790] A5 4D 10 45 83 4D 92 18 1F C9 CF FB 84 29 89 23 .M.E.M.. .....).# +[27A0] AC 71 4B 89 1B 52 E5 06 8C 3E 7C 88 CB D3 B3 CF .qK..R.. .>|..... +[27B0] B9 7A 67 D6 24 F4 AC 00 A6 AD 91 30 9A 95 53 F1 .zg.$... ...0..S. +[27C0] 48 06 A6 39 DB CF DC 9D C9 55 76 26 5E C1 DB 5D H..9.... .Uv&^..] +[27D0] B3 5B 3E AE 1A A0 10 BA 82 21 83 44 02 E0 99 33 .[>..... .!.D...3 +[27E0] 40 BA 29 9E 28 E5 73 4C 23 94 A2 4F BF 07 ED 4F @.).(.sL #..O...O +[27F0] 7C 45 9B 30 C8 41 6B 0A 55 13 6E F5 AD 7A 0C B2 |E.0.Ak. U.n..z.. +[2800] EA FF D0 06 13 4D F3 24 82 7F F6 51 2F 4A 4F 0D .....M.$ ...Q/JO. +[2810] 37 F8 14 6B E9 E4 82 BB 3A 75 63 63 12 E8 78 6F 7..k.... :ucc..xo +[2820] 6F FC 6C D3 4B A6 F1 CC 2A F1 7D EB 82 26 2F D0 o.l.K... *.}..&/. +[2830] A1 8B 3E 9A 71 D7 91 D3 08 E6 FD 62 1B 84 13 2D ..>.q... ...b...- +[2840] 8E A0 A0 C3 85 78 2F 0D F8 E7 10 FC CB 05 A7 B9 .....x/. ........ +[2850] 9A 33 90 B5 9B 26 E3 23 98 B0 91 4B EB 32 37 D6 .3...&.# ...K.27. +[2860] F4 ED 61 08 D8 75 CC 03 83 2C 3C CF 21 63 9C F6 ..a..u.. .,<.!c.. +[2870] AF 5B 4F 12 07 74 17 CD 98 BB E7 5E C7 17 2D C4 .[O..t.. ...^..-. +[2880] 87 A4 74 6D 5E CE DB A3 01 B9 AD 20 73 38 78 22 ..tm^... ... s8x" +[2890] 3D 45 F5 51 77 C6 47 63 45 61 81 D9 FF 31 90 C4 =E.Qw.Gc Ea...1.. +[28A0] 6F 5A F8 FE 6A 56 5B D4 EE EC 49 C7 A7 51 AE 5C oZ..jV[. ..I..Q.\ +[28B0] 85 53 70 3D 1A 49 83 59 CF 65 58 B3 48 7E 04 9E .Sp=.I.Y .eX.H~.. +[28C0] C7 64 8A 05 73 E3 DC 1A 65 5D 4F 41 01 56 73 90 .d..s... e]OA.Vs. +[28D0] 61 F3 84 1F FF CF 46 B2 06 46 56 97 93 B9 DB 32 a.....F. .FV....2 +[28E0] 2A 64 8A 48 02 05 84 E9 FA 76 8B 94 96 89 A0 73 *d.H.... .v.....s +[28F0] 20 75 4D 52 1D 23 13 D1 83 D7 5D 59 23 6A 87 C1 uMR.#.. ..]Y#j.. +[2900] 09 3E 01 3A 28 65 42 8C 35 F1 91 EA 6A 1F 83 0D .>.:(eB. 5...j... +[2910] 8F 57 69 81 D4 A2 D2 EA 0C BF AF 95 A3 F4 90 15 .Wi..... ........ +[2920] 61 34 F2 6C 8B D0 DA B5 1E 43 AC CE C7 8A 1B 2B a4.l.... .C.....+ +[2930] 29 2B 89 1C C5 53 C8 04 F7 1E 46 72 F3 A8 CE F7 )+...S.. ..Fr.... +[2940] 59 76 55 E7 53 1C A2 9F D8 23 F7 EA 71 B0 74 83 YvU.S... .#..q.t. +[2950] 71 95 3E DC A6 FA 2D A4 42 13 93 8B 2B FA A2 70 q.>...-. B...+..p +[2960] 25 21 2D F6 E1 26 56 DF 58 79 25 16 E8 C9 03 EC %!-..&V. Xy%..... +[2970] 72 5F 35 CF 59 6B E1 AD 85 85 7B AB 78 F2 0D AC r_5.Yk.. ..{.x... +[2980] AB 89 F2 DA 85 E7 DE 09 77 99 EC 7C F3 97 1F 71 ........ w..|...q +[2990] 3C DB 09 44 7A 3C 69 E5 03 B0 6D 4D 3B 6B 4C D5 <..Dz.B].]} +[00E0] 0B 1F C3 88 2A 93 40 F9 E9 18 7D 3F 73 DA AC 1F ....*.@. ..}?s... +[00F0] E7 7B C3 B8 14 56 C3 63 86 5B AF C9 C3 21 9F 94 .{...V.c .[...!.. +[0100] B4 67 06 60 7F 56 2D F4 C7 22 CD B4 1C 14 B7 5B .g.`.V-. .".....[ +[0110] 26 67 9D 18 28 B5 5D C2 FC 13 B6 CA 9F AB CD 32 &g..(.]. .......2 +[0120] 71 D5 51 5F A2 11 5A 5D 4A B3 3B 1D D1 6B 4F 7D q.Q_..Z] J.;..kO} +[0130] E9 54 F0 B4 AC 80 DE 27 80 C5 64 3C 0B 22 79 1C .T.....' ..d<."y. +[0140] 9E D1 58 A1 3E 20 5A 9F E3 34 49 D8 16 C6 6B 2D ..X.> Z. .4I...k- +[0150] 36 0E E2 C2 3F 44 DE 63 32 DB EB 78 50 A2 6F 37 6...?D.c 2..xP.o7 +[0160] 05 2B 13 D4 31 07 D4 2A C0 53 B1 30 39 79 C3 D8 .+..1..* .S.09y.. +[0170] C4 4C 30 97 E8 F9 DA ED 10 B0 D0 21 71 8B 56 F3 .L0..... ...!q.V. +[0180] 0F 3A 2D 26 A2 3D AD 70 27 82 95 59 0A D7 7D 4E .:-&.=.p '..Y..}N +[0190] 2D 76 96 4D 94 70 2A BB 26 3B 7E FC E1 59 5A 55 -v.M.p*. &;~..YZU +[01A0] 04 A2 DA 27 AD 46 70 45 43 C0 FB C1 42 7F F0 CB ...'.FpE C...B... +[01B0] 21 D2 CD 54 35 7C 60 13 EE BB BB 60 6B 91 2B BE !..T5|`. ...`k.+. +[01C0] 91 8A CF 49 29 F8 60 D1 AB A5 51 B5 5E 4B B2 3A ...I).`. ..Q.^K.: +[01D0] F4 56 3A 89 2D 88 D0 73 08 A6 FB D8 6E B3 B1 4E .V:.-..s ....n..N +[01E0] D8 90 27 58 D2 53 40 B2 A0 3C 40 4D E9 21 C6 83 ..'X.S@. .<@M.!.. +[01F0] FC 15 14 F0 8C 08 46 C5 29 14 E3 84 CC 2C 56 C9 ......F. )....,V. +[0200] 20 53 45 34 D0 BE E0 CC F7 F1 15 D4 D4 B1 3C 43 SE4.... .......BT.Ba +[03A0] C5 22 B7 AE 51 76 8F 12 83 7F E1 9F 97 D8 31 38 ."..Qv.. ......18 +[03B0] A6 B9 11 B4 E1 BA 19 5B E4 A5 A3 6F 4B B3 03 93 .......[ ...oK... +[03C0] 4C D6 1E 08 FC 94 D1 C5 7C AA 95 EB 9C 7A C2 57 L....... |....z.W +[03D0] 60 CA 17 FF 8E 66 80 76 CB 35 46 26 C3 BD CA 83 `....f.v .5F&.... +[03E0] F0 04 08 0D 4C 5D B2 E4 7C 1C 82 28 D7 2C 42 B1 ....L].. |..(.,B. +[03F0] 36 72 60 5E 26 4A 79 D0 41 94 3C 2C 65 0E 32 18 6r`^&Jy. A.<,e.2. +[0400] B8 56 26 9D D3 84 78 BB .V&...x. + second_ticket : DATA_BLOB length=0 + further_creds : DATA_BLOB length=4748 +[0000] 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 ........ ....KTES +[0010] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0020] 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 COM....a dministr +[0030] 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 ator.... ........ +[0040] 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D KTEST.SA MBA.EXAM +[0050] 50 4C 45 2E 43 4F 4D 00 00 00 04 68 6F 73 74 00 PLE.COM. ...host. +[0060] 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 00 17 ...local ktest6.. +[0070] 00 00 00 10 EA 0D 3A 24 41 21 F7 7D 7D A3 C5 BB ......:$ A!.}}... +[0080] A4 88 F6 17 4D 9B 90 45 4D 9B 90 52 7D 46 4C 43 ....M..E M..R}FLC +[0090] 00 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 .....@(. ........ +[00A0] 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 .....a.. .0...... +[00B0] 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[00C0] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 A.EXAMPL E.COM..0 +[00D0] 1C A0 03 02 01 01 A1 15 30 13 1B 04 68 6F 73 74 ........ 0...host +[00E0] 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 A3 82 03 ..localk test6... +[00F0] AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 03 A2 .0...... ........ +[0100] 82 03 9C 04 82 03 98 44 8B C4 7D BA 9F FE 59 F6 .......D ..}...Y. +[0110] C1 DF 62 89 02 A4 55 54 AB D6 D6 2E 8B 5E 35 3D ..b...UT .....^5= +[0120] D9 46 9D 8B 49 93 A6 66 5F 1A 8B 81 AD 09 19 E9 .F..I..f _....... +[0130] 59 CE 58 18 50 63 4A A6 7D 6F 71 21 51 4A 41 C2 Y.X.PcJ. }oq!QJA. +[0140] A1 FE B0 D5 0A 3D 38 9F E5 3B 72 A2 7A 59 22 A4 .....=8. .;r.zY". +[0150] B7 1C A3 8D DB EA 5D A5 E2 D3 1D AE 42 D0 7F 75 ......]. ....B..u +[0160] B5 E9 ED B5 04 7B 67 1E 28 90 7D 3D 1A 3E F6 62 .....{g. (.}=.>.b +[0170] D0 A1 56 89 28 76 5C 19 1A FD 66 E5 F2 86 E7 58 ..V.(v\. ..f....X +[0180] 93 31 90 C5 CD F8 71 96 56 21 15 13 F0 EA C2 CC .1....q. V!...... +[0190] 48 4C B4 50 EF F9 81 44 29 8A 75 C4 31 75 D1 BA HL.P...D ).u.1u.. +[01A0] E2 0B 05 B2 E0 EA 64 3A 11 45 84 3D 69 55 FF E6 ......d: .E.=iU.. +[01B0] 32 7E C9 CA C4 28 E8 40 B6 5E F9 26 0F 09 12 1F 2~...(.@ .^.&.... +[01C0] 1F D4 9C 9A 50 E8 B7 6D F8 4F 55 6E 2A D4 AC 6A ....P..m .OUn*..j +[01D0] 79 D1 C2 2A 88 99 F8 39 75 36 F1 2D C7 89 0A C6 y..*...9 u6.-.... +[01E0] B4 C7 A1 7B F1 BF 22 87 A4 B2 93 22 54 A1 72 25 ...{..". ..."T.r% +[01F0] AF 67 FE 20 D5 C8 29 47 28 FF 51 FB F9 4E 2C 17 .g. ..)G (.Q..N,. +[0200] 10 BE 2E 13 8B 18 BE 3C A3 BE 50 49 A7 65 DD 2E .......< ..PI.e.. +[0210] CC EB D6 0F 47 4E DB 7E 08 D5 F0 37 79 36 8F 24 ....GN.~ ...7y6.$ +[0220] 34 28 86 89 EC A3 84 7F 44 4E 37 03 B5 D8 89 1C 4(...... DN7..... +[0230] C7 AA AC 42 70 5F 96 73 35 8B 83 D1 16 24 27 C1 ...Bp_.s 5....$'. +[0240] EC 0E AE 83 59 5A C2 EB C1 91 B6 3D BB 8D 21 49 ....YZ.. ...=..!I +[0250] 63 41 3C 91 1D E9 01 C2 4F A9 E4 42 C1 FD 54 E3 cA<..... O..B..T. +[0260] 7B 3B DF 24 3D 98 E9 84 F8 1D 8D CE 4D 85 AC 8A {;.$=... ....M... +[0270] 12 15 48 C4 DA 1B 3C B8 FC A3 0B AF E2 4D 71 E9 ..H...<. .....Mq. +[0280] 0A 28 53 DC 4E 6C 23 2C 73 26 50 FE 37 03 BF D1 .(S.Nl#, s&P.7... +[0290] 5F 8A 39 4F 04 2E 4A CE 3C 90 11 0C DA 84 5C C3 _.9O..J. <.....\. +[02A0] F8 BE C7 74 ED F4 CF 7E B2 AE 9B 47 D6 2A 1D 93 ...t...~ ...G.*.. +[02B0] 3F A8 8B 51 E9 A3 A0 59 55 DB E3 52 67 E3 DE FF ?..Q...Y U..Rg... +[02C0] B1 56 74 A0 87 21 99 23 8C 8E D1 92 A6 3D 93 D6 .Vt..!.# .....=.. +[02D0] 4D 5B 84 2B B1 8D DD E4 F7 01 A6 6C 4A DF 3C 6E M[.+.... ...lJ....+... +[0330] 4B 6D 22 B3 41 DE 85 35 2D 19 09 E5 68 8E 1F 98 Km".A..5 -...h... +[0340] 1B F2 73 F2 D4 91 08 89 42 0C 05 8B 42 77 6B CC ..s..... B...Bwk. +[0350] 18 78 43 1A 73 C2 7C E7 C2 23 28 56 F7 A0 19 B3 .xC.s.|. .#(V.... +[0360] 99 A6 25 4F C3 5E 70 EC 78 BB 30 15 36 77 B3 A6 ..%O.^p. x.0.6w.. +[0370] 89 98 B6 A0 85 CC 8F E7 41 40 B5 E0 89 93 25 04 ........ A@....%. +[0380] B8 1D 0B 06 31 1D C7 30 52 E1 64 29 8C 64 B9 89 ....1..0 R.d).d.. +[0390] 1F 86 5A AD 74 15 1C C8 AF 37 7B 27 E0 C0 DB 73 ..Z.t... .7{'...s +[03A0] 30 72 65 D3 C0 A5 07 61 E9 0C 07 A1 27 18 8F 50 0re....a ....'..P +[03B0] DB CE FB 4C DD 75 98 F2 28 D2 76 FF F2 41 9F D5 ...L.u.. (.v..A.. +[03C0] 74 22 8A 03 73 B1 A8 B3 B8 80 93 E5 E2 CD 4B F2 t"..s... ......K. +[03D0] 6B 99 DF 5B 5B C7 22 69 81 2A 8A CD 2A F9 9D 08 k..[[."i .*..*... +[03E0] B8 B0 40 77 D3 43 8B AF 40 DD 0C CB 45 E3 88 CB ..@w.C.. @...E... +[03F0] 06 AA 63 38 EB DD 72 89 03 0E DC 3E 97 3F 16 D4 ..c8..r. ...>.?.. +[0400] 1A 21 40 D8 30 BD B0 B4 04 C2 7A 22 43 15 A2 D8 .!@.0... ..z"C... +[0410] 2F 08 28 3B 63 26 AA B3 1C B6 FC E4 0B 2A CD 0E /.(;c&.. .....*.. +[0420] A8 7C E8 11 33 03 D3 C5 6C 35 6A 5D 3C 5A 80 1A .|..3... l5j];J +[0680] 60 25 3D 11 E4 F9 16 02 3E 55 8F CE D2 E9 95 E7 `%=..... >U...... +[0690] B1 C4 8F C4 0B 3E 3C 14 15 28 1A 21 49 15 CE 8E .....><. .(.!I... +[06A0] 91 5E 98 71 00 1F 29 D3 12 C8 D0 11 4F E7 14 E3 .^.q..). ....O... +[06B0] 72 1B 61 6D 7B 8A 00 A6 5E 01 01 50 C2 CF 1A A9 r.am{... ^..P.... +[06C0] 34 8C BA 33 9E 62 C5 69 97 6A 24 3D E0 C6 3F C6 4..3.b.i .j$=..?. +[06D0] F4 36 B1 80 D6 5C 44 19 5B 65 C7 CA 47 DE 4B 65 .6...\D. [e..G.Ke +[06E0] 41 29 9F F8 EA E8 E0 3B E2 C6 98 9D 58 A4 6C 62 A).....; ....X.lb +[06F0] EF 25 12 C9 0E 97 CE 9D F0 D8 08 AD 13 73 A6 82 .%...... .....s.. +[0700] C5 54 23 F4 A4 CB 91 35 91 BD 10 B4 04 DD 55 7E .T#....5 ......U~ +[0710] C9 DE AE CB B0 8F C0 D8 28 AE BD 78 64 91 6C AB ........ (..xd.l. +[0720] CA 36 EA 0E 0E 97 DC 40 ED 26 1D 09 17 28 30 D3 .6.....@ .&...(0. +[0730] 78 DC F7 D2 9C 78 DA 6F 6F 57 00 B3 FD 8E 75 A1 x....x.o oW....u. +[0740] 56 98 5C 4B D8 61 A6 0A 89 27 CD 11 BF 7F 79 53 V.\K.a.. .'....yS +[0750] D9 50 9A 8D EC DD DB BB B8 23 27 0D 20 5B 53 51 .P...... .#'. [SQ +[0760] 07 C4 26 31 3B D4 DF ED 3C 40 B4 1C 8B 46 E2 A6 ..&1;... <@...F.. +[0770] B7 0F 97 D2 B3 1D 19 FD 13 60 7B 38 E6 37 0C 59 ........ .`{8.7.Y +[0780] B0 A8 47 5D 32 A5 0C 57 76 EF 2C ED 40 9F BF 4B ..G]2..W v.,.@..K +[0790] 43 99 3C 68 C4 DE 84 9C A1 36 8C CA CB 2A 08 36 C..%p.4 ...>..-. +[0930] 72 8E DA 4D 2D 55 EC 49 66 5E 01 96 E4 C1 0C 23 r..M-U.I f^.....# +[0940] 57 91 00 00 00 00 00 00 00 01 00 00 00 01 00 00 W....... ........ +[0950] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[0960] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D AMPLE.CO M....adm +[0970] 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 inistrat or...... +[0980] 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[0990] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 A.EXAMPL E.COM... +[09A0] 04 68 6F 73 74 00 00 00 0B 4C 4F 43 41 4C 4B 54 .host... .LOCALKT +[09B0] 45 53 54 36 00 17 00 00 00 10 9D AE 06 BE 29 E0 EST6.... ......). +[09C0] F7 9A 46 97 29 E0 69 8E 5A F0 4D 9B 90 45 4D 9B ..F.).i. Z.M..EM. +[09D0] 90 61 7D 46 4C 43 00 00 00 00 00 40 28 00 00 00 .a}FLC.. ...@(... +[09E0] 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 ........ ...a...0 +[09F0] 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 ........ ....KTES +[0A00] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0A10] 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 COM..0.. ......0. +[0A20] 1B 04 68 6F 73 74 1B 0B 4C 4F 43 41 4C 4B 54 45 ..host.. LOCALKTE +[0A30] 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 ST6....0 ........ +[0A40] A1 03 02 01 03 A2 82 03 9C 04 82 03 98 B9 C5 6E ........ .......n +[0A50] 77 F9 59 6D 19 F0 A6 56 2F 14 B3 9A A3 17 06 A6 w.Ym...V /....... +[0A60] AD F5 92 38 6A 1E EA 3D 53 BF 5E 95 13 FF 5D BB ...8j..= S.^...]. +[0A70] 43 4F 51 AE FB 12 3B 06 67 36 91 B9 E0 C4 C4 F3 COQ...;. g6...... +[0A80] 45 A0 48 E6 DC 49 E8 EA 6F 55 D2 3F 79 57 54 FF E.H..I.. oU.?yWT. +[0A90] 10 8D 89 4A A4 E2 B2 80 FD EE 36 C5 D5 4C D0 97 ...J.... ..6..L.. +[0AA0] B3 EC 96 8B E8 5A 05 F0 13 39 8B 1B B3 C4 32 2A .....Z.. .9....2* +[0AB0] 9B BB EF 06 C4 1C 53 2F 0A F6 A8 C6 BE 09 57 26 ......S/ ......W& +[0AC0] B9 39 7B 7B 50 13 2D 6C 52 FF C4 B5 83 28 A8 47 .9{{P.-l R....(.G +[0AD0] 5A CD 1C DD A7 65 FD 8A 84 2A 10 E7 44 E6 83 E7 Z....e.. .*..D... +[0AE0] E7 AA B8 E5 0A 8B 7E E1 87 7B 3D C4 9F 68 BD 19 ......~. .{=..h.. +[0AF0] 2B 59 5E 5A 45 0D B5 71 CC A6 C7 03 3C B3 17 D3 +Y^ZE..q ....<... +[0B00] AF 99 F6 A2 52 A0 99 F7 39 56 B4 33 B4 C5 F4 CC ....R... 9V.3.... +[0B10] 74 34 4C 00 76 26 10 D1 3A 87 6E 6A 52 9B 7A BF t4L.v&.. :.njR.z. +[0B20] 4E 59 36 32 C5 41 29 CF E1 BF 14 E0 54 BF 4A 25 NY62.A). ....T.J% +[0B30] 1F 0B 6E 9A 8C 0E 5D 47 A9 64 1B A4 9D 99 A9 09 ..n...]G .d...... +[0B40] 39 14 E7 41 22 98 8C 62 CC E2 B5 91 8E C1 31 EB 9..A"..b ......1. +[0B50] B2 70 A6 3B 86 FC DD 19 0B 3F 5D C9 B5 1A 95 73 .p.;.... .?]....s +[0B60] EB 97 89 BE 14 87 85 17 BE 40 F6 80 14 23 4D 66 ........ .@...#Mf +[0B70] E4 B0 E5 51 46 34 DA 1C C8 CB FF C6 84 A3 DF D2 ...QF4.. ........ +[0B80] DC 00 AF 7B 27 C8 78 44 CB 6E 7B CC 5C 94 1E 7A ...{'.xD .n{.\..z +[0B90] 95 29 19 F4 14 BE 5C 23 C3 B9 A4 2C 5D 4D F3 61 .)....\# ...,]M.a +[0BA0] 63 1F D4 FE 37 EE 44 14 06 B7 14 50 B6 74 37 75 c...7.D. ...P.t7u +[0BB0] 2C AB 06 F0 93 F9 93 34 75 63 44 7E 12 48 D1 F1 ,......4 ucD~.H.. +[0BC0] 06 55 14 11 B9 23 43 CE 01 16 3E 6B A3 BD 23 55 .U...#C. ..>k..#U +[0BD0] DE 48 5D AF E1 2B 89 E8 E7 C2 E2 34 25 A2 09 4A .H]..+.. ...4%..J +[0BE0] 1F BE 05 AA DE 4B 08 65 27 4C 9B C7 54 96 C2 FB .....K.e 'L..T... +[0BF0] E2 CE 53 4A 32 93 8D 0B 44 77 8C D3 65 54 F9 0E ..SJ2... Dw..eT.. +[0C00] 7F 74 1E FE 3D 74 83 0F 2F E7 9F BC A2 B0 2B 25 .t..=t.. /.....+% +[0C10] BB D2 6F A8 49 C1 3E 9E B5 93 67 74 39 A4 FE 84 ..o.I.>. ..gt9... +[0C20] 4C 45 5F 30 74 E0 CA 5F F6 46 EC 89 B5 2D C8 14 LE_0t.._ .F...-.. +[0C30] 69 76 BC 93 15 F4 60 30 5F AB EB 02 DD 12 4C 62 iv....`0 _.....Lb +[0C40] F9 73 F7 01 E1 7F 2A 6F 09 05 BF 3A 3A 7E 69 A3 .s....*o ...::~i. +[0C50] 7B FC 20 2B D6 CE C0 74 4F BB 29 E4 BE CE 04 9D {. +...t O.)..... +[0C60] 24 D4 98 4A ED 94 A8 81 CD 26 A0 63 EA 09 57 42 $..J.... .&.c..WB +[0C70] 26 B7 B5 4E B5 CB 45 35 A7 84 D8 74 CA C3 9F FF &..N..E5 ...t.... +[0C80] C8 1E 2A 75 34 01 C5 A7 B4 9D 6F A3 E1 BB 2B F8 ..*u4... ..o...+. +[0C90] F0 21 D6 77 57 74 2E 80 DB 76 53 01 86 33 17 32 .!.wWt.. .vS..3.2 +[0CA0] 2E 16 E1 8D 89 3A B2 67 ED A3 ED 39 82 87 26 A6 .....:.g ...9..&. +[0CB0] DB CE 59 84 E4 0A A6 CA 7E 07 98 F7 02 91 6E 56 ..Y..... ~.....nV +[0CC0] 9F 60 03 D3 88 B0 FF EB 20 CA 9E 5B 37 26 67 00 .`...... ..[7&g. +[0CD0] CC BD 9D 53 15 31 53 14 FD 9C E1 28 08 CB C4 0B ...S.1S. ...(.... +[0CE0] E3 50 D9 DB 0C E2 E4 F9 44 50 E9 28 6E 01 96 AA .P...... DP.(n... +[0CF0] C1 D2 4E B2 DE 38 A2 F8 94 32 79 AE 49 64 FB 57 ..N..8.. .2y.Id.W +[0D00] 50 F6 73 E8 98 43 C6 DD 67 3C 91 AC 97 C9 2E 8C P.s..C.. g<...... +[0D10] 06 59 A1 FC 49 EC 2F BF 6F 64 21 63 ED C8 6C CE .Y..I./. od!c..l. +[0D20] 37 28 7B 80 7F 5F 85 F6 98 93 C0 66 A8 D6 F1 2C 7({.._.. ...f..., +[0D30] D8 01 68 B1 C8 EA 82 0D 5B 9B 35 4F 3D B3 47 19 ..h..... [.5O=.G. +[0D40] 54 7A C6 9F AD D7 54 CF B0 DB 3E 18 BA 2A 39 08 Tz....T. ..>..*9. +[0D50] 0C C4 98 4B 43 DE 53 68 25 B1 83 93 1D E1 6C BF ...KC.Sh %.....l. +[0D60] F5 B4 A9 83 17 34 64 8C 2F 91 80 97 4A 48 EC 90 .....4d. /...JH.. +[0D70] BB FA 92 2C 01 80 E4 99 91 0E 67 88 D5 75 AB 7C ...,.... ..g..u.| +[0D80] 98 59 98 45 C9 11 A9 8C 02 98 91 DE AB A0 FF 45 .Y.E.... .......E +[0D90] 11 66 6F C5 DE 61 6D C6 DB C9 CA A3 A0 2B B1 73 .fo..am. .....+.s +[0DA0] 05 85 37 BF AB CA 43 7A 6F 38 C8 BE ED CE 12 49 ..7...Cz o8.....I +[0DB0] 93 C7 7C 1A 33 60 52 7A 67 67 AA 60 57 7E C8 FF ..|.3`Rz gg.`W~.. +[0DC0] DF 91 91 18 45 74 C0 9E 36 19 BC 42 F9 46 CC 84 ....Et.. 6..B.F.. +[0DD0] 09 2E 8C 59 1A E3 65 51 F4 87 6F 4C 3E 29 38 E6 ...Y..eQ ..oL>)8. +[0DE0] 77 E8 A9 B7 FA 00 00 00 00 00 00 00 01 00 00 00 w....... ........ +[0DF0] 01 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[0E00] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D .EXAMPLE .COM.... +[0E10] 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 administ rator... +[0E20] 01 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 ........ .KTEST.S +[0E30] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM +[0E40] 00 00 00 04 63 69 66 73 00 00 00 0B 4C 4F 43 41 ....cifs ....LOCA +[0E50] 4C 4B 54 45 53 54 36 00 17 00 00 00 10 01 78 D0 LKTEST6. ......x. +[0E60] 3B 9B FF F0 88 86 4B 3B FE 41 A9 6B 00 4D 9B 90 ;.....K; .A.k.M.. +[0E70] 45 4D 9B 90 6B 7D 46 4C 43 00 00 00 00 00 40 28 EM..k}FL C.....@( +[0E80] 00 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 ........ ......a. +[0E90] 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B ..0..... .......K +[0EA0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[0EB0] 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 LE.COM.. 0....... +[0EC0] 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F 43 41 4C .0...cif s..LOCAL +[0ED0] 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 KTEST6.. ..0..... +[0EE0] 02 01 17 A1 03 02 01 03 A2 82 03 9C 04 82 03 98 ........ ........ +[0EF0] CA EA 4D 46 2D D1 E9 58 5D 25 8D 9F DF EA C9 01 ..MF-..X ]%...... +[0F00] B6 08 27 CD 14 85 02 DC 20 C6 51 AA F9 6A B1 CE ..'..... .Q..j.. +[0F10] F5 77 84 BF 9A AC 6B A7 B2 F2 1F 60 BF CB C6 FC .w....k. ...`.... +[0F20] C7 14 B7 41 1C A8 C9 70 7B 86 BC 8E 70 2B 65 4B ...A...p {...p+eK +[0F30] DC F5 B9 23 F8 08 BF 96 C9 A8 77 F4 54 67 25 F8 ...#.... ..w.Tg%. +[0F40] 0F A8 C5 D6 D1 BB 46 5E A0 7E D2 98 9C CD AF E0 ......F^ .~...... +[0F50] 82 62 ED 39 D2 FB F2 E8 9B 1B EE E5 B4 1B C9 0A .b.9.... ........ +[0F60] 86 27 52 6E 11 8B D7 AD B4 54 F9 C6 69 8D E0 F1 .'Rn.... .T..i... +[0F70] CD 63 1C 89 7C 8F B6 A0 71 53 A6 DA B1 66 D2 9D .c..|... qS...f.. +[0F80] D3 4C A8 FB C6 9D 81 74 10 8E 84 D2 3D D8 1C BE .L.....t ....=... +[0F90] BB 3F F7 BF 91 3E 89 66 43 A1 E0 90 1B 1A 97 FF .?...>.f C....... +[0FA0] EF CC 35 75 14 62 4F 67 3A 29 F4 F9 C5 2E BE C5 ..5u.bOg :)...... +[0FB0] C2 2B A8 35 22 D9 92 31 1D 49 2A A5 19 AA 08 0F .+.5"..1 .I*..... +[0FC0] A8 22 0B 68 D2 A2 D7 07 7B 37 1E A3 AC 9B 4F 0A .".h.... {7....O. +[0FD0] A4 FA 7F 37 6F 3E 35 79 4E 00 4B B6 28 A3 6A E4 ...7o>5y N.K.(.j. +[0FE0] 0C 95 53 BA E8 41 07 DA BE E9 08 B9 51 24 91 49 ..S..A.. ....Q$.I +[0FF0] 78 5D 44 12 BC 85 63 81 B8 E0 88 D5 95 0C D3 A8 x]D...c. ........ +[1000] 1D 32 4B E4 A0 C8 A7 7D 3C 97 EE D8 59 AC 3A 21 .2K....} <...Y.:! +[1010] 09 F2 7A CC D0 4A F3 50 10 DC FC 26 BB C2 6A 8E ..z..J.P ...&..j. +[1020] 8B 14 2B 2D 50 2E B3 1E 9B D2 69 56 22 F2 48 BD ..+-P... ..iV".H. +[1030] E9 2E 2F 28 DE 77 67 5F 68 AA 29 05 4B 36 58 40 ../(.wg_ h.).K6X@ +[1040] E5 54 11 C5 4D 68 96 49 9D 53 37 87 5F D2 3A 9B .T..Mh.I .S7._.:. +[1050] E9 8E 79 BE AE 11 B4 6B AB FD DB 8A F5 A0 9B 29 ..y....k .......) +[1060] D9 F5 ED CA FA 3F FE 35 FC F4 69 7E E4 D0 44 29 .....?.5 ..i~..D) +[1070] 48 FF 82 61 26 FC D3 E2 10 EE 14 F7 4A E3 CD F2 H..a&... ....J... +[1080] 8B BC 8B 43 64 2C DE 40 6E BB E1 56 C0 B6 2C D0 ...Cd,.@ n..V..,. +[1090] E5 1E E9 B3 FB 38 48 66 ED AF D2 25 D1 35 5C C6 .....8Hf ...%.5\. +[10A0] F0 4D 36 19 0B EC 33 07 34 D0 27 8D 14 DC 01 45 .M6...3. 4.'....E +[10B0] DE F8 73 A6 A0 F4 C1 91 9D BD 05 E3 70 25 E1 10 ..s..... ....p%.. +[10C0] 44 F6 4B 46 F7 24 84 BF 20 96 AD 6A 96 94 81 58 D.KF.$.. ..j...X +[10D0] 80 95 06 92 F5 7F 17 39 3B 32 47 B2 C5 CE 7B 73 .......9 ;2G...{s +[10E0] CF 53 AE FA D1 9A 60 5A 98 EC 8C FA BD C0 CE 8D .S....`Z ........ +[10F0] C5 27 E6 17 1A 4D 47 D8 3F 5D A9 7C FB 2C B3 05 .'...MG. ?].|.,.. +[1100] 0C 69 20 48 99 80 11 DC 48 AB A7 EA 5B 98 C1 15 .i H.... H...[... +[1110] 27 AE FA 3E 1E 1E E0 E1 F8 32 C0 54 13 D6 30 34 '..>.... .2.T..04 +[1120] 71 98 26 61 6C 1C C4 C7 4E C4 A6 7E FE A8 B8 89 q.&al... N..~.... +[1130] 2A 70 3C 19 58 8D 57 45 55 83 0A C2 B5 F7 89 0E *p<.X.WE U....... +[1140] 7B 7A 17 0C CF 6E 08 A5 F7 21 4A 62 81 4F 49 CA {z...n.. .!Jb.OI. +[1150] E2 ED C2 B4 C7 33 5C BC A1 A0 DE 4E 09 37 BE 24 .....3\. ...N.7.$ +[1160] 62 22 94 55 75 AA 53 DE E0 74 5A B0 B8 E9 BF 2B b".Uu.S. .tZ....+ +[1170] 12 65 2F 90 6B 84 ED 11 AD F7 CE 19 A1 96 E4 1E .e/.k... ........ +[1180] 8C EA C8 81 1B 47 4F 5F B1 5D A5 8B E3 0D 5A 80 .....GO_ .]....Z. +[1190] 89 EC 4B D9 CE ED E8 67 7F 96 FC 1B EF 65 C2 68 ..K....g .....e.h +[11A0] 40 F7 20 36 83 58 62 F4 CA 02 F4 5C 0D 46 B1 CB @. 6.Xb. ...\.F.. +[11B0] 50 D2 D8 3D B7 9A 96 48 8C CF EB E6 8C F4 B2 B4 P..=...H ........ +[11C0] 47 C9 34 C9 DC 14 F1 33 1B 6F 9E 65 27 D7 9D 46 G.4....3 .o.e'..F +[11D0] 1E 91 FF 2E FB 8E 97 5D 17 8F 48 54 7C 3C A0 11 .......] ..HT|<.. +[11E0] 9C AA 77 E9 79 DE 26 D1 F0 7C EA 24 73 BE EC 60 ..w.y.&. .|.$s..` +[11F0] B4 EE BD ED 0D 0A AB 74 60 6E 46 C0 35 5B 65 1A .......t `nF.5[e. +[1200] A4 4A 5C 22 AC B9 CD B7 56 06 88 09 FC 48 68 55 .J\".... V....HhU +[1210] B7 5E 39 72 DF 8A 4C CD 79 74 B0 84 0B 78 DA B2 .^9r..L. yt...x.. +[1220] 55 F8 06 0B 5C 27 06 B3 CA 10 65 6B 04 A3 64 11 U...\'.. ..ek..d. +[1230] 04 09 DC DF 67 00 70 B1 16 DF 24 E9 27 85 11 91 ....g.p. ..$.'... +[1240] 31 CB 92 95 50 18 91 08 C2 A1 A3 76 C7 1A FC 64 1...P... ...v...d +[1250] 9E 2C 3A E7 30 F4 16 0D A0 56 C0 BC D2 FE 2D A0 .,:.0... .V....-. +[1260] 20 A4 E2 82 AD F0 C5 12 71 09 23 E1 66 52 53 D0 ....... q.#.fRS. +[1270] 89 30 E7 BE B7 C2 89 F2 1C 7A F6 8E D7 28 F0 A4 .0...... .z...(.. +[1280] 33 46 7C A2 79 66 DE 26 00 00 00 00 3F|.yf.& .... +push returned Success +pull returned Success + CCACHE: struct CCACHE + pvno : 0x05 (5) + version : 0x04 (4) + optional_header : union OPTIONAL_HEADER(case 0x4) + v4header: struct V4HEADER + v4tags: struct V4TAGS + tag: struct V4TAG + tag : 0x0001 (1) + field : union FIELD(case 0x1) + deltatime_tag: struct DELTATIME_TAG + kdc_sec_offset : 0 + kdc_usec_offset : 0 + further_tags : DATA_BLOB length=0 + principal: struct PRINCIPAL + name_type : 0x00000001 (1) + component_count : 0x00000001 (1) + realm : 'KTEST.SAMBA.EXAMPLE.COM' + components: ARRAY(1) + components : 'administrator' + cred: struct CREDENTIAL + client: struct PRINCIPAL + name_type : 0x00000001 (1) + component_count : 0x00000001 (1) + realm : 'KTEST.SAMBA.EXAMPLE.COM' + components: ARRAY(1) + components : 'administrator' + server: struct PRINCIPAL + name_type : 0x00000000 (0) + component_count : 0x00000002 (2) + realm : 'KTEST.SAMBA.EXAMPLE.COM' + components: ARRAY(2) + components : 'krbtgt' + components : 'KTEST.SAMBA.EXAMPLE.COM' + keyblock: struct KEYBLOCK + enctype : 0x0017 (23) + data : DATA_BLOB length=16 +[0000] E5 E4 15 C8 A8 0F 4D 95 F9 1B E3 B9 98 CA A1 7F ......M. ........ + authtime : 0x4d9b9045 (1302040645) + starttime : 0x4d9b9045 (1302040645) + endtime : 0x7d464c43 (2101759043) + renew_till : 0x7d464c43 (2101759043) + is_skey : 0x00 (0) + ticket_flags : 0x40e00000 (1088421888) + addresses: struct ADDRESSES + count : 0x00000000 (0) + data: ARRAY(0) + authdata: struct AUTHDATA + count : 0x00000000 (0) + data: ARRAY(0) + ticket : DATA_BLOB length=1032 +[0000] 61 82 04 04 30 82 04 00 A0 03 02 01 05 A1 19 1B a...0... ........ +[0010] 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 .KTEST.S AMBA.EXA +[0020] 4D 50 4C 45 2E 43 4F 4D A2 2C 30 2A A0 03 02 01 MPLE.COM .,0*.... +[0030] 00 A1 23 30 21 1B 06 6B 72 62 74 67 74 1B 17 4B ..#0!..k rbtgt..K +[0040] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[0050] 4C 45 2E 43 4F 4D A3 82 03 AE 30 82 03 AA A0 03 LE.COM.. ..0..... +[0060] 02 01 17 A1 03 02 01 01 A2 82 03 9C 04 82 03 98 ........ ........ +[0070] 01 40 48 A6 B8 F0 DA 43 54 A5 18 CF B0 15 CB 68 .@H....C T......h +[0080] 9F A0 69 44 87 A9 FF 06 25 B9 29 48 59 64 26 48 ..iD.... %.)HYd&H +[0090] 96 7C 46 6A 79 E5 F0 77 DB 46 6C 20 A1 59 D9 F8 .|Fjy..w .Fl .Y.. +[00A0] 6A 8A 2D B5 D9 EF A4 54 DE 19 20 C0 7B 93 D4 3D j.-....T .. .{..= +[00B0] ED 72 35 AF 9D 87 75 9E 44 01 A4 6C D9 EA 94 A3 .r5...u. D..l.... +[00C0] 18 C6 42 75 E3 0A 0C 76 9A AE 75 BC A3 02 91 BC ..Bu...v ..u..... +[00D0] 2D BB 3C 23 73 A6 1A A7 8A 3E 85 42 5D 1F 5D 7D -.<#s... .>.B].]} +[00E0] 0B 1F C3 88 2A 93 40 F9 E9 18 7D 3F 73 DA AC 1F ....*.@. ..}?s... +[00F0] E7 7B C3 B8 14 56 C3 63 86 5B AF C9 C3 21 9F 94 .{...V.c .[...!.. +[0100] B4 67 06 60 7F 56 2D F4 C7 22 CD B4 1C 14 B7 5B .g.`.V-. .".....[ +[0110] 26 67 9D 18 28 B5 5D C2 FC 13 B6 CA 9F AB CD 32 &g..(.]. .......2 +[0120] 71 D5 51 5F A2 11 5A 5D 4A B3 3B 1D D1 6B 4F 7D q.Q_..Z] J.;..kO} +[0130] E9 54 F0 B4 AC 80 DE 27 80 C5 64 3C 0B 22 79 1C .T.....' ..d<."y. +[0140] 9E D1 58 A1 3E 20 5A 9F E3 34 49 D8 16 C6 6B 2D ..X.> Z. .4I...k- +[0150] 36 0E E2 C2 3F 44 DE 63 32 DB EB 78 50 A2 6F 37 6...?D.c 2..xP.o7 +[0160] 05 2B 13 D4 31 07 D4 2A C0 53 B1 30 39 79 C3 D8 .+..1..* .S.09y.. +[0170] C4 4C 30 97 E8 F9 DA ED 10 B0 D0 21 71 8B 56 F3 .L0..... ...!q.V. +[0180] 0F 3A 2D 26 A2 3D AD 70 27 82 95 59 0A D7 7D 4E .:-&.=.p '..Y..}N +[0190] 2D 76 96 4D 94 70 2A BB 26 3B 7E FC E1 59 5A 55 -v.M.p*. &;~..YZU +[01A0] 04 A2 DA 27 AD 46 70 45 43 C0 FB C1 42 7F F0 CB ...'.FpE C...B... +[01B0] 21 D2 CD 54 35 7C 60 13 EE BB BB 60 6B 91 2B BE !..T5|`. ...`k.+. +[01C0] 91 8A CF 49 29 F8 60 D1 AB A5 51 B5 5E 4B B2 3A ...I).`. ..Q.^K.: +[01D0] F4 56 3A 89 2D 88 D0 73 08 A6 FB D8 6E B3 B1 4E .V:.-..s ....n..N +[01E0] D8 90 27 58 D2 53 40 B2 A0 3C 40 4D E9 21 C6 83 ..'X.S@. .<@M.!.. +[01F0] FC 15 14 F0 8C 08 46 C5 29 14 E3 84 CC 2C 56 C9 ......F. )....,V. +[0200] 20 53 45 34 D0 BE E0 CC F7 F1 15 D4 D4 B1 3C 43 SE4.... .......BT.Ba +[03A0] C5 22 B7 AE 51 76 8F 12 83 7F E1 9F 97 D8 31 38 ."..Qv.. ......18 +[03B0] A6 B9 11 B4 E1 BA 19 5B E4 A5 A3 6F 4B B3 03 93 .......[ ...oK... +[03C0] 4C D6 1E 08 FC 94 D1 C5 7C AA 95 EB 9C 7A C2 57 L....... |....z.W +[03D0] 60 CA 17 FF 8E 66 80 76 CB 35 46 26 C3 BD CA 83 `....f.v .5F&.... +[03E0] F0 04 08 0D 4C 5D B2 E4 7C 1C 82 28 D7 2C 42 B1 ....L].. |..(.,B. +[03F0] 36 72 60 5E 26 4A 79 D0 41 94 3C 2C 65 0E 32 18 6r`^&Jy. A.<,e.2. +[0400] B8 56 26 9D D3 84 78 BB .V&...x. + second_ticket : DATA_BLOB length=0 + further_creds : DATA_BLOB length=4748 +[0000] 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 ........ ....KTES +[0010] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0020] 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 COM....a dministr +[0030] 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 ator.... ........ +[0040] 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D KTEST.SA MBA.EXAM +[0050] 50 4C 45 2E 43 4F 4D 00 00 00 04 68 6F 73 74 00 PLE.COM. ...host. +[0060] 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 00 17 ...local ktest6.. +[0070] 00 00 00 10 EA 0D 3A 24 41 21 F7 7D 7D A3 C5 BB ......:$ A!.}}... +[0080] A4 88 F6 17 4D 9B 90 45 4D 9B 90 52 7D 46 4C 43 ....M..E M..R}FLC +[0090] 00 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 .....@(. ........ +[00A0] 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 .....a.. .0...... +[00B0] 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[00C0] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 A.EXAMPL E.COM..0 +[00D0] 1C A0 03 02 01 01 A1 15 30 13 1B 04 68 6F 73 74 ........ 0...host +[00E0] 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 A3 82 03 ..localk test6... +[00F0] AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 03 A2 .0...... ........ +[0100] 82 03 9C 04 82 03 98 44 8B C4 7D BA 9F FE 59 F6 .......D ..}...Y. +[0110] C1 DF 62 89 02 A4 55 54 AB D6 D6 2E 8B 5E 35 3D ..b...UT .....^5= +[0120] D9 46 9D 8B 49 93 A6 66 5F 1A 8B 81 AD 09 19 E9 .F..I..f _....... +[0130] 59 CE 58 18 50 63 4A A6 7D 6F 71 21 51 4A 41 C2 Y.X.PcJ. }oq!QJA. +[0140] A1 FE B0 D5 0A 3D 38 9F E5 3B 72 A2 7A 59 22 A4 .....=8. .;r.zY". +[0150] B7 1C A3 8D DB EA 5D A5 E2 D3 1D AE 42 D0 7F 75 ......]. ....B..u +[0160] B5 E9 ED B5 04 7B 67 1E 28 90 7D 3D 1A 3E F6 62 .....{g. (.}=.>.b +[0170] D0 A1 56 89 28 76 5C 19 1A FD 66 E5 F2 86 E7 58 ..V.(v\. ..f....X +[0180] 93 31 90 C5 CD F8 71 96 56 21 15 13 F0 EA C2 CC .1....q. V!...... +[0190] 48 4C B4 50 EF F9 81 44 29 8A 75 C4 31 75 D1 BA HL.P...D ).u.1u.. +[01A0] E2 0B 05 B2 E0 EA 64 3A 11 45 84 3D 69 55 FF E6 ......d: .E.=iU.. +[01B0] 32 7E C9 CA C4 28 E8 40 B6 5E F9 26 0F 09 12 1F 2~...(.@ .^.&.... +[01C0] 1F D4 9C 9A 50 E8 B7 6D F8 4F 55 6E 2A D4 AC 6A ....P..m .OUn*..j +[01D0] 79 D1 C2 2A 88 99 F8 39 75 36 F1 2D C7 89 0A C6 y..*...9 u6.-.... +[01E0] B4 C7 A1 7B F1 BF 22 87 A4 B2 93 22 54 A1 72 25 ...{..". ..."T.r% +[01F0] AF 67 FE 20 D5 C8 29 47 28 FF 51 FB F9 4E 2C 17 .g. ..)G (.Q..N,. +[0200] 10 BE 2E 13 8B 18 BE 3C A3 BE 50 49 A7 65 DD 2E .......< ..PI.e.. +[0210] CC EB D6 0F 47 4E DB 7E 08 D5 F0 37 79 36 8F 24 ....GN.~ ...7y6.$ +[0220] 34 28 86 89 EC A3 84 7F 44 4E 37 03 B5 D8 89 1C 4(...... DN7..... +[0230] C7 AA AC 42 70 5F 96 73 35 8B 83 D1 16 24 27 C1 ...Bp_.s 5....$'. +[0240] EC 0E AE 83 59 5A C2 EB C1 91 B6 3D BB 8D 21 49 ....YZ.. ...=..!I +[0250] 63 41 3C 91 1D E9 01 C2 4F A9 E4 42 C1 FD 54 E3 cA<..... O..B..T. +[0260] 7B 3B DF 24 3D 98 E9 84 F8 1D 8D CE 4D 85 AC 8A {;.$=... ....M... +[0270] 12 15 48 C4 DA 1B 3C B8 FC A3 0B AF E2 4D 71 E9 ..H...<. .....Mq. +[0280] 0A 28 53 DC 4E 6C 23 2C 73 26 50 FE 37 03 BF D1 .(S.Nl#, s&P.7... +[0290] 5F 8A 39 4F 04 2E 4A CE 3C 90 11 0C DA 84 5C C3 _.9O..J. <.....\. +[02A0] F8 BE C7 74 ED F4 CF 7E B2 AE 9B 47 D6 2A 1D 93 ...t...~ ...G.*.. +[02B0] 3F A8 8B 51 E9 A3 A0 59 55 DB E3 52 67 E3 DE FF ?..Q...Y U..Rg... +[02C0] B1 56 74 A0 87 21 99 23 8C 8E D1 92 A6 3D 93 D6 .Vt..!.# .....=.. +[02D0] 4D 5B 84 2B B1 8D DD E4 F7 01 A6 6C 4A DF 3C 6E M[.+.... ...lJ....+... +[0330] 4B 6D 22 B3 41 DE 85 35 2D 19 09 E5 68 8E 1F 98 Km".A..5 -...h... +[0340] 1B F2 73 F2 D4 91 08 89 42 0C 05 8B 42 77 6B CC ..s..... B...Bwk. +[0350] 18 78 43 1A 73 C2 7C E7 C2 23 28 56 F7 A0 19 B3 .xC.s.|. .#(V.... +[0360] 99 A6 25 4F C3 5E 70 EC 78 BB 30 15 36 77 B3 A6 ..%O.^p. x.0.6w.. +[0370] 89 98 B6 A0 85 CC 8F E7 41 40 B5 E0 89 93 25 04 ........ A@....%. +[0380] B8 1D 0B 06 31 1D C7 30 52 E1 64 29 8C 64 B9 89 ....1..0 R.d).d.. +[0390] 1F 86 5A AD 74 15 1C C8 AF 37 7B 27 E0 C0 DB 73 ..Z.t... .7{'...s +[03A0] 30 72 65 D3 C0 A5 07 61 E9 0C 07 A1 27 18 8F 50 0re....a ....'..P +[03B0] DB CE FB 4C DD 75 98 F2 28 D2 76 FF F2 41 9F D5 ...L.u.. (.v..A.. +[03C0] 74 22 8A 03 73 B1 A8 B3 B8 80 93 E5 E2 CD 4B F2 t"..s... ......K. +[03D0] 6B 99 DF 5B 5B C7 22 69 81 2A 8A CD 2A F9 9D 08 k..[[."i .*..*... +[03E0] B8 B0 40 77 D3 43 8B AF 40 DD 0C CB 45 E3 88 CB ..@w.C.. @...E... +[03F0] 06 AA 63 38 EB DD 72 89 03 0E DC 3E 97 3F 16 D4 ..c8..r. ...>.?.. +[0400] 1A 21 40 D8 30 BD B0 B4 04 C2 7A 22 43 15 A2 D8 .!@.0... ..z"C... +[0410] 2F 08 28 3B 63 26 AA B3 1C B6 FC E4 0B 2A CD 0E /.(;c&.. .....*.. +[0420] A8 7C E8 11 33 03 D3 C5 6C 35 6A 5D 3C 5A 80 1A .|..3... l5j];J +[0680] 60 25 3D 11 E4 F9 16 02 3E 55 8F CE D2 E9 95 E7 `%=..... >U...... +[0690] B1 C4 8F C4 0B 3E 3C 14 15 28 1A 21 49 15 CE 8E .....><. .(.!I... +[06A0] 91 5E 98 71 00 1F 29 D3 12 C8 D0 11 4F E7 14 E3 .^.q..). ....O... +[06B0] 72 1B 61 6D 7B 8A 00 A6 5E 01 01 50 C2 CF 1A A9 r.am{... ^..P.... +[06C0] 34 8C BA 33 9E 62 C5 69 97 6A 24 3D E0 C6 3F C6 4..3.b.i .j$=..?. +[06D0] F4 36 B1 80 D6 5C 44 19 5B 65 C7 CA 47 DE 4B 65 .6...\D. [e..G.Ke +[06E0] 41 29 9F F8 EA E8 E0 3B E2 C6 98 9D 58 A4 6C 62 A).....; ....X.lb +[06F0] EF 25 12 C9 0E 97 CE 9D F0 D8 08 AD 13 73 A6 82 .%...... .....s.. +[0700] C5 54 23 F4 A4 CB 91 35 91 BD 10 B4 04 DD 55 7E .T#....5 ......U~ +[0710] C9 DE AE CB B0 8F C0 D8 28 AE BD 78 64 91 6C AB ........ (..xd.l. +[0720] CA 36 EA 0E 0E 97 DC 40 ED 26 1D 09 17 28 30 D3 .6.....@ .&...(0. +[0730] 78 DC F7 D2 9C 78 DA 6F 6F 57 00 B3 FD 8E 75 A1 x....x.o oW....u. +[0740] 56 98 5C 4B D8 61 A6 0A 89 27 CD 11 BF 7F 79 53 V.\K.a.. .'....yS +[0750] D9 50 9A 8D EC DD DB BB B8 23 27 0D 20 5B 53 51 .P...... .#'. [SQ +[0760] 07 C4 26 31 3B D4 DF ED 3C 40 B4 1C 8B 46 E2 A6 ..&1;... <@...F.. +[0770] B7 0F 97 D2 B3 1D 19 FD 13 60 7B 38 E6 37 0C 59 ........ .`{8.7.Y +[0780] B0 A8 47 5D 32 A5 0C 57 76 EF 2C ED 40 9F BF 4B ..G]2..W v.,.@..K +[0790] 43 99 3C 68 C4 DE 84 9C A1 36 8C CA CB 2A 08 36 C..%p.4 ...>..-. +[0930] 72 8E DA 4D 2D 55 EC 49 66 5E 01 96 E4 C1 0C 23 r..M-U.I f^.....# +[0940] 57 91 00 00 00 00 00 00 00 01 00 00 00 01 00 00 W....... ........ +[0950] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[0960] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D AMPLE.CO M....adm +[0970] 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 inistrat or...... +[0980] 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[0990] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 A.EXAMPL E.COM... +[09A0] 04 68 6F 73 74 00 00 00 0B 4C 4F 43 41 4C 4B 54 .host... .LOCALKT +[09B0] 45 53 54 36 00 17 00 00 00 10 9D AE 06 BE 29 E0 EST6.... ......). +[09C0] F7 9A 46 97 29 E0 69 8E 5A F0 4D 9B 90 45 4D 9B ..F.).i. Z.M..EM. +[09D0] 90 61 7D 46 4C 43 00 00 00 00 00 40 28 00 00 00 .a}FLC.. ...@(... +[09E0] 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 ........ ...a...0 +[09F0] 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 ........ ....KTES +[0A00] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0A10] 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 COM..0.. ......0. +[0A20] 1B 04 68 6F 73 74 1B 0B 4C 4F 43 41 4C 4B 54 45 ..host.. LOCALKTE +[0A30] 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 ST6....0 ........ +[0A40] A1 03 02 01 03 A2 82 03 9C 04 82 03 98 B9 C5 6E ........ .......n +[0A50] 77 F9 59 6D 19 F0 A6 56 2F 14 B3 9A A3 17 06 A6 w.Ym...V /....... +[0A60] AD F5 92 38 6A 1E EA 3D 53 BF 5E 95 13 FF 5D BB ...8j..= S.^...]. +[0A70] 43 4F 51 AE FB 12 3B 06 67 36 91 B9 E0 C4 C4 F3 COQ...;. g6...... +[0A80] 45 A0 48 E6 DC 49 E8 EA 6F 55 D2 3F 79 57 54 FF E.H..I.. oU.?yWT. +[0A90] 10 8D 89 4A A4 E2 B2 80 FD EE 36 C5 D5 4C D0 97 ...J.... ..6..L.. +[0AA0] B3 EC 96 8B E8 5A 05 F0 13 39 8B 1B B3 C4 32 2A .....Z.. .9....2* +[0AB0] 9B BB EF 06 C4 1C 53 2F 0A F6 A8 C6 BE 09 57 26 ......S/ ......W& +[0AC0] B9 39 7B 7B 50 13 2D 6C 52 FF C4 B5 83 28 A8 47 .9{{P.-l R....(.G +[0AD0] 5A CD 1C DD A7 65 FD 8A 84 2A 10 E7 44 E6 83 E7 Z....e.. .*..D... +[0AE0] E7 AA B8 E5 0A 8B 7E E1 87 7B 3D C4 9F 68 BD 19 ......~. .{=..h.. +[0AF0] 2B 59 5E 5A 45 0D B5 71 CC A6 C7 03 3C B3 17 D3 +Y^ZE..q ....<... +[0B00] AF 99 F6 A2 52 A0 99 F7 39 56 B4 33 B4 C5 F4 CC ....R... 9V.3.... +[0B10] 74 34 4C 00 76 26 10 D1 3A 87 6E 6A 52 9B 7A BF t4L.v&.. :.njR.z. +[0B20] 4E 59 36 32 C5 41 29 CF E1 BF 14 E0 54 BF 4A 25 NY62.A). ....T.J% +[0B30] 1F 0B 6E 9A 8C 0E 5D 47 A9 64 1B A4 9D 99 A9 09 ..n...]G .d...... +[0B40] 39 14 E7 41 22 98 8C 62 CC E2 B5 91 8E C1 31 EB 9..A"..b ......1. +[0B50] B2 70 A6 3B 86 FC DD 19 0B 3F 5D C9 B5 1A 95 73 .p.;.... .?]....s +[0B60] EB 97 89 BE 14 87 85 17 BE 40 F6 80 14 23 4D 66 ........ .@...#Mf +[0B70] E4 B0 E5 51 46 34 DA 1C C8 CB FF C6 84 A3 DF D2 ...QF4.. ........ +[0B80] DC 00 AF 7B 27 C8 78 44 CB 6E 7B CC 5C 94 1E 7A ...{'.xD .n{.\..z +[0B90] 95 29 19 F4 14 BE 5C 23 C3 B9 A4 2C 5D 4D F3 61 .)....\# ...,]M.a +[0BA0] 63 1F D4 FE 37 EE 44 14 06 B7 14 50 B6 74 37 75 c...7.D. ...P.t7u +[0BB0] 2C AB 06 F0 93 F9 93 34 75 63 44 7E 12 48 D1 F1 ,......4 ucD~.H.. +[0BC0] 06 55 14 11 B9 23 43 CE 01 16 3E 6B A3 BD 23 55 .U...#C. ..>k..#U +[0BD0] DE 48 5D AF E1 2B 89 E8 E7 C2 E2 34 25 A2 09 4A .H]..+.. ...4%..J +[0BE0] 1F BE 05 AA DE 4B 08 65 27 4C 9B C7 54 96 C2 FB .....K.e 'L..T... +[0BF0] E2 CE 53 4A 32 93 8D 0B 44 77 8C D3 65 54 F9 0E ..SJ2... Dw..eT.. +[0C00] 7F 74 1E FE 3D 74 83 0F 2F E7 9F BC A2 B0 2B 25 .t..=t.. /.....+% +[0C10] BB D2 6F A8 49 C1 3E 9E B5 93 67 74 39 A4 FE 84 ..o.I.>. ..gt9... +[0C20] 4C 45 5F 30 74 E0 CA 5F F6 46 EC 89 B5 2D C8 14 LE_0t.._ .F...-.. +[0C30] 69 76 BC 93 15 F4 60 30 5F AB EB 02 DD 12 4C 62 iv....`0 _.....Lb +[0C40] F9 73 F7 01 E1 7F 2A 6F 09 05 BF 3A 3A 7E 69 A3 .s....*o ...::~i. +[0C50] 7B FC 20 2B D6 CE C0 74 4F BB 29 E4 BE CE 04 9D {. +...t O.)..... +[0C60] 24 D4 98 4A ED 94 A8 81 CD 26 A0 63 EA 09 57 42 $..J.... .&.c..WB +[0C70] 26 B7 B5 4E B5 CB 45 35 A7 84 D8 74 CA C3 9F FF &..N..E5 ...t.... +[0C80] C8 1E 2A 75 34 01 C5 A7 B4 9D 6F A3 E1 BB 2B F8 ..*u4... ..o...+. +[0C90] F0 21 D6 77 57 74 2E 80 DB 76 53 01 86 33 17 32 .!.wWt.. .vS..3.2 +[0CA0] 2E 16 E1 8D 89 3A B2 67 ED A3 ED 39 82 87 26 A6 .....:.g ...9..&. +[0CB0] DB CE 59 84 E4 0A A6 CA 7E 07 98 F7 02 91 6E 56 ..Y..... ~.....nV +[0CC0] 9F 60 03 D3 88 B0 FF EB 20 CA 9E 5B 37 26 67 00 .`...... ..[7&g. +[0CD0] CC BD 9D 53 15 31 53 14 FD 9C E1 28 08 CB C4 0B ...S.1S. ...(.... +[0CE0] E3 50 D9 DB 0C E2 E4 F9 44 50 E9 28 6E 01 96 AA .P...... DP.(n... +[0CF0] C1 D2 4E B2 DE 38 A2 F8 94 32 79 AE 49 64 FB 57 ..N..8.. .2y.Id.W +[0D00] 50 F6 73 E8 98 43 C6 DD 67 3C 91 AC 97 C9 2E 8C P.s..C.. g<...... +[0D10] 06 59 A1 FC 49 EC 2F BF 6F 64 21 63 ED C8 6C CE .Y..I./. od!c..l. +[0D20] 37 28 7B 80 7F 5F 85 F6 98 93 C0 66 A8 D6 F1 2C 7({.._.. ...f..., +[0D30] D8 01 68 B1 C8 EA 82 0D 5B 9B 35 4F 3D B3 47 19 ..h..... [.5O=.G. +[0D40] 54 7A C6 9F AD D7 54 CF B0 DB 3E 18 BA 2A 39 08 Tz....T. ..>..*9. +[0D50] 0C C4 98 4B 43 DE 53 68 25 B1 83 93 1D E1 6C BF ...KC.Sh %.....l. +[0D60] F5 B4 A9 83 17 34 64 8C 2F 91 80 97 4A 48 EC 90 .....4d. /...JH.. +[0D70] BB FA 92 2C 01 80 E4 99 91 0E 67 88 D5 75 AB 7C ...,.... ..g..u.| +[0D80] 98 59 98 45 C9 11 A9 8C 02 98 91 DE AB A0 FF 45 .Y.E.... .......E +[0D90] 11 66 6F C5 DE 61 6D C6 DB C9 CA A3 A0 2B B1 73 .fo..am. .....+.s +[0DA0] 05 85 37 BF AB CA 43 7A 6F 38 C8 BE ED CE 12 49 ..7...Cz o8.....I +[0DB0] 93 C7 7C 1A 33 60 52 7A 67 67 AA 60 57 7E C8 FF ..|.3`Rz gg.`W~.. +[0DC0] DF 91 91 18 45 74 C0 9E 36 19 BC 42 F9 46 CC 84 ....Et.. 6..B.F.. +[0DD0] 09 2E 8C 59 1A E3 65 51 F4 87 6F 4C 3E 29 38 E6 ...Y..eQ ..oL>)8. +[0DE0] 77 E8 A9 B7 FA 00 00 00 00 00 00 00 01 00 00 00 w....... ........ +[0DF0] 01 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[0E00] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D .EXAMPLE .COM.... +[0E10] 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 administ rator... +[0E20] 01 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 ........ .KTEST.S +[0E30] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM +[0E40] 00 00 00 04 63 69 66 73 00 00 00 0B 4C 4F 43 41 ....cifs ....LOCA +[0E50] 4C 4B 54 45 53 54 36 00 17 00 00 00 10 01 78 D0 LKTEST6. ......x. +[0E60] 3B 9B FF F0 88 86 4B 3B FE 41 A9 6B 00 4D 9B 90 ;.....K; .A.k.M.. +[0E70] 45 4D 9B 90 6B 7D 46 4C 43 00 00 00 00 00 40 28 EM..k}FL C.....@( +[0E80] 00 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 ........ ......a. +[0E90] 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B ..0..... .......K +[0EA0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[0EB0] 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 LE.COM.. 0....... +[0EC0] 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F 43 41 4C .0...cif s..LOCAL +[0ED0] 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 KTEST6.. ..0..... +[0EE0] 02 01 17 A1 03 02 01 03 A2 82 03 9C 04 82 03 98 ........ ........ +[0EF0] CA EA 4D 46 2D D1 E9 58 5D 25 8D 9F DF EA C9 01 ..MF-..X ]%...... +[0F00] B6 08 27 CD 14 85 02 DC 20 C6 51 AA F9 6A B1 CE ..'..... .Q..j.. +[0F10] F5 77 84 BF 9A AC 6B A7 B2 F2 1F 60 BF CB C6 FC .w....k. ...`.... +[0F20] C7 14 B7 41 1C A8 C9 70 7B 86 BC 8E 70 2B 65 4B ...A...p {...p+eK +[0F30] DC F5 B9 23 F8 08 BF 96 C9 A8 77 F4 54 67 25 F8 ...#.... ..w.Tg%. +[0F40] 0F A8 C5 D6 D1 BB 46 5E A0 7E D2 98 9C CD AF E0 ......F^ .~...... +[0F50] 82 62 ED 39 D2 FB F2 E8 9B 1B EE E5 B4 1B C9 0A .b.9.... ........ +[0F60] 86 27 52 6E 11 8B D7 AD B4 54 F9 C6 69 8D E0 F1 .'Rn.... .T..i... +[0F70] CD 63 1C 89 7C 8F B6 A0 71 53 A6 DA B1 66 D2 9D .c..|... qS...f.. +[0F80] D3 4C A8 FB C6 9D 81 74 10 8E 84 D2 3D D8 1C BE .L.....t ....=... +[0F90] BB 3F F7 BF 91 3E 89 66 43 A1 E0 90 1B 1A 97 FF .?...>.f C....... +[0FA0] EF CC 35 75 14 62 4F 67 3A 29 F4 F9 C5 2E BE C5 ..5u.bOg :)...... +[0FB0] C2 2B A8 35 22 D9 92 31 1D 49 2A A5 19 AA 08 0F .+.5"..1 .I*..... +[0FC0] A8 22 0B 68 D2 A2 D7 07 7B 37 1E A3 AC 9B 4F 0A .".h.... {7....O. +[0FD0] A4 FA 7F 37 6F 3E 35 79 4E 00 4B B6 28 A3 6A E4 ...7o>5y N.K.(.j. +[0FE0] 0C 95 53 BA E8 41 07 DA BE E9 08 B9 51 24 91 49 ..S..A.. ....Q$.I +[0FF0] 78 5D 44 12 BC 85 63 81 B8 E0 88 D5 95 0C D3 A8 x]D...c. ........ +[1000] 1D 32 4B E4 A0 C8 A7 7D 3C 97 EE D8 59 AC 3A 21 .2K....} <...Y.:! +[1010] 09 F2 7A CC D0 4A F3 50 10 DC FC 26 BB C2 6A 8E ..z..J.P ...&..j. +[1020] 8B 14 2B 2D 50 2E B3 1E 9B D2 69 56 22 F2 48 BD ..+-P... ..iV".H. +[1030] E9 2E 2F 28 DE 77 67 5F 68 AA 29 05 4B 36 58 40 ../(.wg_ h.).K6X@ +[1040] E5 54 11 C5 4D 68 96 49 9D 53 37 87 5F D2 3A 9B .T..Mh.I .S7._.:. +[1050] E9 8E 79 BE AE 11 B4 6B AB FD DB 8A F5 A0 9B 29 ..y....k .......) +[1060] D9 F5 ED CA FA 3F FE 35 FC F4 69 7E E4 D0 44 29 .....?.5 ..i~..D) +[1070] 48 FF 82 61 26 FC D3 E2 10 EE 14 F7 4A E3 CD F2 H..a&... ....J... +[1080] 8B BC 8B 43 64 2C DE 40 6E BB E1 56 C0 B6 2C D0 ...Cd,.@ n..V..,. +[1090] E5 1E E9 B3 FB 38 48 66 ED AF D2 25 D1 35 5C C6 .....8Hf ...%.5\. +[10A0] F0 4D 36 19 0B EC 33 07 34 D0 27 8D 14 DC 01 45 .M6...3. 4.'....E +[10B0] DE F8 73 A6 A0 F4 C1 91 9D BD 05 E3 70 25 E1 10 ..s..... ....p%.. +[10C0] 44 F6 4B 46 F7 24 84 BF 20 96 AD 6A 96 94 81 58 D.KF.$.. ..j...X +[10D0] 80 95 06 92 F5 7F 17 39 3B 32 47 B2 C5 CE 7B 73 .......9 ;2G...{s +[10E0] CF 53 AE FA D1 9A 60 5A 98 EC 8C FA BD C0 CE 8D .S....`Z ........ +[10F0] C5 27 E6 17 1A 4D 47 D8 3F 5D A9 7C FB 2C B3 05 .'...MG. ?].|.,.. +[1100] 0C 69 20 48 99 80 11 DC 48 AB A7 EA 5B 98 C1 15 .i H.... H...[... +[1110] 27 AE FA 3E 1E 1E E0 E1 F8 32 C0 54 13 D6 30 34 '..>.... .2.T..04 +[1120] 71 98 26 61 6C 1C C4 C7 4E C4 A6 7E FE A8 B8 89 q.&al... N..~.... +[1130] 2A 70 3C 19 58 8D 57 45 55 83 0A C2 B5 F7 89 0E *p<.X.WE U....... +[1140] 7B 7A 17 0C CF 6E 08 A5 F7 21 4A 62 81 4F 49 CA {z...n.. .!Jb.OI. +[1150] E2 ED C2 B4 C7 33 5C BC A1 A0 DE 4E 09 37 BE 24 .....3\. ...N.7.$ +[1160] 62 22 94 55 75 AA 53 DE E0 74 5A B0 B8 E9 BF 2B b".Uu.S. .tZ....+ +[1170] 12 65 2F 90 6B 84 ED 11 AD F7 CE 19 A1 96 E4 1E .e/.k... ........ +[1180] 8C EA C8 81 1B 47 4F 5F B1 5D A5 8B E3 0D 5A 80 .....GO_ .]....Z. +[1190] 89 EC 4B D9 CE ED E8 67 7F 96 FC 1B EF 65 C2 68 ..K....g .....e.h +[11A0] 40 F7 20 36 83 58 62 F4 CA 02 F4 5C 0D 46 B1 CB @. 6.Xb. ...\.F.. +[11B0] 50 D2 D8 3D B7 9A 96 48 8C CF EB E6 8C F4 B2 B4 P..=...H ........ +[11C0] 47 C9 34 C9 DC 14 F1 33 1B 6F 9E 65 27 D7 9D 46 G.4....3 .o.e'..F +[11D0] 1E 91 FF 2E FB 8E 97 5D 17 8F 48 54 7C 3C A0 11 .......] ..HT|<.. +[11E0] 9C AA 77 E9 79 DE 26 D1 F0 7C EA 24 73 BE EC 60 ..w.y.&. .|.$s..` +[11F0] B4 EE BD ED 0D 0A AB 74 60 6E 46 C0 35 5B 65 1A .......t `nF.5[e. +[1200] A4 4A 5C 22 AC B9 CD B7 56 06 88 09 FC 48 68 55 .J\".... V....HhU +[1210] B7 5E 39 72 DF 8A 4C CD 79 74 B0 84 0B 78 DA B2 .^9r..L. yt...x.. +[1220] 55 F8 06 0B 5C 27 06 B3 CA 10 65 6B 04 A3 64 11 U...\'.. ..ek..d. +[1230] 04 09 DC DF 67 00 70 B1 16 DF 24 E9 27 85 11 91 ....g.p. ..$.'... +[1240] 31 CB 92 95 50 18 91 08 C2 A1 A3 76 C7 1A FC 64 1...P... ...v...d +[1250] 9E 2C 3A E7 30 F4 16 0D A0 56 C0 BC D2 FE 2D A0 .,:.0... .V....-. +[1260] 20 A4 E2 82 AD F0 C5 12 71 09 23 E1 66 52 53 D0 ....... q.#.fRS. +[1270] 89 30 E7 BE B7 C2 89 F2 1C 7A F6 8E D7 28 F0 A4 .0...... .z...(.. +[1280] 33 46 7C A2 79 66 DE 26 00 00 00 00 3F|.yf.& .... +dump OK -- 2.35.0 From fbeb10e5927c1cf95279799e0061d791a90cc011 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Apr 2021 11:02:47 +1200 Subject: [PATCH 072/686] krb5: Add Python functions to create a credentials cache containing a service ticket This is a FILE: format credentials cache readable by the MIT/Heimdal Kerberos libraries. This allows us to glue the Python ASN1 Kerberos system to the MIT/Heimdal one. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2d88a6ff3dbcf650b09ef9c8c37170ca6663b533) --- python/samba/tests/krb5/kdc_base_test.py | 167 ++++++++++++++++++++++- 1 file changed, 163 insertions(+), 4 deletions(-) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 1c7f05dda6d..d8193ae9cdc 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -1,6 +1,6 @@ # Unix SMB/CIFS implementation. # Copyright (C) Stefan Metzmacher 2020 -# Copyright (C) 2020 Catalyst.Net Ltd +# Copyright (C) 2020-2021 Catalyst.Net Ltd # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -18,6 +18,8 @@ import sys import os +from datetime import datetime +import tempfile sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" @@ -26,10 +28,10 @@ import ldb from ldb import SCOPE_BASE from samba import generate_random_password from samba.auth import system_session -from samba.credentials import Credentials -from samba.dcerpc import krb5pac +from samba.credentials import Credentials, SPECIFIED, MUST_USE_KERBEROS +from samba.dcerpc import krb5pac, krb5ccache from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_NORMAL_ACCOUNT -from samba.ndr import ndr_unpack +from samba.ndr import ndr_pack, ndr_unpack from samba.samdb import SamDB from samba.tests import delete_force @@ -38,6 +40,8 @@ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( AD_IF_RELEVANT, AD_WIN2K_PAC, + AES256_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, KDC_ERR_PREAUTH_REQUIRED, KRB_AS_REP, KRB_TGS_REP, @@ -46,6 +50,8 @@ from samba.tests.krb5.rfc4120_constants import ( KU_PA_ENC_TIMESTAMP, KU_TGS_REP_ENC_PART_SUB_KEY, KU_TICKET, + NT_PRINCIPAL, + NT_SRV_HST, PADATA_ENC_TIMESTAMP, PADATA_ETYPE_INFO2, ) @@ -445,3 +451,156 @@ class KDCBaseTest(RawKerberosTest): msg = ldb.Message(dn) msg[name] = ldb.MessageElement(values, flag, name) self.ldb.modify(msg) + + def create_ccache(self, cname, ticket, enc_part): + """ Lay out a version 4 on-disk credentials cache, to be read using the + FILE: protocol. + """ + + field = krb5ccache.DELTATIME_TAG() + field.kdc_sec_offset = 0 + field.kdc_usec_offset = 0 + + v4tag = krb5ccache.V4TAG() + v4tag.tag = 1 + v4tag.field = field + + v4tags = krb5ccache.V4TAGS() + v4tags.tag = v4tag + v4tags.further_tags = b'' + + optional_header = krb5ccache.V4HEADER() + optional_header.v4tags = v4tags + + cname_string = cname['name-string'] + + cprincipal = krb5ccache.PRINCIPAL() + cprincipal.name_type = cname['name-type'] + cprincipal.component_count = len(cname_string) + cprincipal.realm = ticket['realm'] + cprincipal.components = cname_string + + sname = ticket['sname'] + sname_string = sname['name-string'] + + sprincipal = krb5ccache.PRINCIPAL() + sprincipal.name_type = sname['name-type'] + sprincipal.component_count = len(sname_string) + sprincipal.realm = ticket['realm'] + sprincipal.components = sname_string + + key = self.EncryptionKey_import(enc_part['key']) + + key_data = key.export_obj() + keyblock = krb5ccache.KEYBLOCK() + keyblock.enctype = key_data['keytype'] + keyblock.data = key_data['keyvalue'] + + addresses = krb5ccache.ADDRESSES() + addresses.count = 0 + addresses.data = [] + + authdata = krb5ccache.AUTHDATA() + authdata.count = 0 + authdata.data = [] + + # Re-encode the ticket, since it was decoded by another layer. + ticket_data = self.der_encode(ticket, asn1Spec=krb5_asn1.Ticket()) + + authtime = enc_part['authtime'] + try: + starttime = enc_part['starttime'] + except KeyError: + starttime = authtime + endtime = enc_part['endtime'] + + cred = krb5ccache.CREDENTIAL() + cred.client = cprincipal + cred.server = sprincipal + cred.keyblock = keyblock + cred.authtime = int(datetime.strptime(authtime.decode(), + "%Y%m%d%H%M%SZ").timestamp()) + cred.starttime = int(datetime.strptime(starttime.decode(), + "%Y%m%d%H%M%SZ").timestamp()) + cred.endtime = int(datetime.strptime(endtime.decode(), + "%Y%m%d%H%M%SZ").timestamp()) + cred.renew_till = cred.endtime + cred.is_skey = 0 + cred.ticket_flags = int(enc_part['flags'], 2) + cred.addresses = addresses + cred.authdata = authdata + cred.ticket = ticket_data + cred.second_ticket = b'' + + ccache = krb5ccache.CCACHE() + ccache.pvno = 5 + ccache.version = 4 + ccache.optional_header = optional_header + ccache.principal = cprincipal + ccache.cred = cred + + # Serialise the credentials cache structure. + result = ndr_pack(ccache) + + # Create a temporary file and write the credentials. + cachefile = tempfile.NamedTemporaryFile(dir=self.tempdir, delete=False) + cachefile.write(result) + cachefile.close() + + return cachefile + + def create_ccache_with_user(self, user_credentials, mach_name, + service="host"): + # Obtain a service ticket authorising the user and place it into a + # newly created credentials cache file. + + user_name = user_credentials.get_username() + realm = user_credentials.get_realm() + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[user_name]) + sname = self.PrincipalName_create(name_type=NT_SRV_HST, + names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(user_credentials, rep) + key = self.get_as_rep_key(user_credentials, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part['key']) + cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[user_name]) + sname = self.PrincipalName_create(name_type=NT_SRV_HST, + names=[service, mach_name]) + + (rep, enc_part) = self.tgs_req( + cname, sname, realm, ticket, key, etype) + self.check_tgs_reply(rep) + key = self.EncryptionKey_import(enc_part['key']) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + + # Write the ticket into a credentials cache file that can be ingested + # by the main credentials code. + cachefile = self.create_ccache(cname, ticket, enc_part) + + # Create a credentials object to reference the credentials cache. + creds = Credentials() + creds.set_kerberos_state(MUST_USE_KERBEROS) + creds.set_username(user_name, SPECIFIED) + creds.set_realm(realm) + creds.set_named_ccache(cachefile.name, SPECIFIED, self.lp) + + # Return the credentials along with the cache file. + return (creds, cachefile) -- 2.35.0 From 3565a9401d014583d85dad756738d56958195dd4 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Apr 2021 11:06:33 +1200 Subject: [PATCH 073/686] python: Add credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service using the normal credentials system backed on to MIT/Heimdal Kerberos 5 libraries. This will allow us to validate the output of the MIT/Heimdal libraries in the future. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit c15f26ec40860782b22e862f9bdf665745387718) --- python/samba/tests/krb5/raw_testcase.py | 8 +- python/samba/tests/krb5/rfc4120_constants.py | 1 + python/samba/tests/krb5/test_ccache.py | 127 +++++++++++++++++++ python/samba/tests/usage.py | 1 + source4/selftest/tests.py | 2 + 5 files changed, 135 insertions(+), 4 deletions(-) create mode 100755 python/samba/tests/krb5/test_ccache.py diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 82e68ee7019..27ab89ecf99 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -25,7 +25,7 @@ import random import samba.tests from samba.credentials import Credentials -from samba.tests import TestCase +from samba.tests import TestCaseInTempDir import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 import samba.tests.krb5.kcrypto as kcrypto @@ -178,11 +178,11 @@ class Krb5EncryptionKey(object): return EncryptionKey_obj -class RawKerberosTest(TestCase): +class RawKerberosTest(TestCaseInTempDir): """A raw Kerberos Test case.""" def setUp(self): - super(RawKerberosTest, self).setUp() + super().setUp() self.do_asn1_print = False self.do_hexdump = False @@ -192,7 +192,7 @@ class RawKerberosTest(TestCase): def tearDown(self): self._disconnect("tearDown") - super(TestCase, self).tearDown() + super().tearDown() def _disconnect(self, reason): if self.s is None: diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index 5bbf1229d09..702f6084217 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -46,6 +46,7 @@ KDC_ERR_SKEW = 37 # Name types NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) +NT_SRV_HST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-HST')) NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues( 'kRB5-NT-ENTERPRISE-PRINCIPAL')) diff --git a/python/samba/tests/krb5/test_ccache.py b/python/samba/tests/krb5/test_ccache.py new file mode 100755 index 00000000000..e0998a4c43f --- /dev/null +++ b/python/samba/tests/krb5/test_ccache.py @@ -0,0 +1,127 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2021 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +from ldb import SCOPE_SUBTREE +from samba import gensec +from samba.auth import AuthContext +from samba.dcerpc import security +from samba.ndr import ndr_unpack + +from samba.tests.krb5.kdc_base_test import KDCBaseTest + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +global_asn1_print = False +global_hexdump = False + + +class CcacheTests(KDCBaseTest): + """Test for authentication using Kerberos credentials stored in a + credentials cache file. + """ + + def test_ccache(self): + # Create a user account and a machine account, along with a Kerberos + # credentials cache file where the service ticket authenticating the + # user are stored. + + user_name = "ccacheusr" + mach_name = "ccachemac" + + # Create the user account. + (user_credentials, _) = self.create_account(user_name) + + # Create the machine account. + (mach_credentials, _) = self.create_account(mach_name, + machine_account=True) + + # Talk to the KDC to obtain the service ticket, which gets placed into + # the cache. The machine account name has to match the name in the + # ticket, to ensure that the krbtgt ticket doesn't also need to be + # stored. + (creds, cachefile) = self.create_ccache_with_user(user_credentials, + mach_name) + + # Authenticate in-process to the machine account using the user's + # cached credentials. + + settings = {} + settings["lp_ctx"] = self.lp + settings["target_hostname"] = mach_name + + gensec_client = gensec.Security.start_client(settings) + gensec_client.set_credentials(creds) + gensec_client.want_feature(gensec.FEATURE_SEAL) + gensec_client.start_mech_by_sasl_name("GSSAPI") + + auth_context = AuthContext(lp_ctx=self.lp, ldb=self.ldb, methods=[]) + + gensec_server = gensec.Security.start_server(settings, auth_context) + gensec_server.set_credentials(mach_credentials) + + gensec_server.start_mech_by_sasl_name("GSSAPI") + + client_finished = False + server_finished = False + server_to_client = b'' + + # Operate as both the client and the server to verify the user's + # credentials. + while not client_finished or not server_finished: + if not client_finished: + print("running client gensec_update") + (client_finished, client_to_server) = gensec_client.update( + server_to_client) + if not server_finished: + print("running server gensec_update") + (server_finished, server_to_client) = gensec_server.update( + client_to_server) + + # Ensure that the first SID contained within the obtained security + # token is the SID of the user we created. + + # Retrieve the user account's SID. + ldb_res = self.ldb.search(scope=SCOPE_SUBTREE, + expression="(sAMAccountName=%s)" % user_name, + attrs=["objectSid"]) + self.assertEqual(1, len(ldb_res)) + sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0]) + + # Retrieve the SIDs from the security token. + session = gensec_server.session_info() + token = session.security_token + token_sids = token.sids + self.assertGreater(len(token_sids), 0) + + # Ensure that they match. + self.assertEqual(sid, token_sids[0]) + + # Remove the cached credentials file. + os.remove(cachefile.name) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 14f7cbfd7cd..f97b30d68df 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -93,6 +93,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/kdc_tests.py', 'python/samba/tests/krb5/kdc_base_test.py', 'python/samba/tests/krb5/kdc_tgs_tests.py', + 'python/samba/tests/krb5/test_ccache.py', 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', } diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 3310d47f167..c2fe31bdb4d 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -723,6 +723,8 @@ planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") +planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache") + for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) planoldpythontestsuite(env + ":local", "samba.tests.ntacls_backup", -- 2.35.0 From d86e26ba2ae8f1d142c46c6b7b5f5220200a7924 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 29 Apr 2021 20:58:11 +1200 Subject: [PATCH 074/686] python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 7663b5c37fa3413f7c67c018107322494e4a6fd9) --- python/samba/tests/krb5/test_ldap.py | 94 ++++++++++++++++++++++++++++ python/samba/tests/usage.py | 1 + source4/selftest/tests.py | 1 + 3 files changed, 96 insertions(+) create mode 100755 python/samba/tests/krb5/test_ldap.py diff --git a/python/samba/tests/krb5/test_ldap.py b/python/samba/tests/krb5/test_ldap.py new file mode 100755 index 00000000000..6a4bf52d77f --- /dev/null +++ b/python/samba/tests/krb5/test_ldap.py @@ -0,0 +1,94 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2021 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +from ldb import SCOPE_BASE, SCOPE_SUBTREE +from samba.dcerpc import security +from samba.ndr import ndr_unpack +from samba.samdb import SamDB + +from samba.tests.krb5.kdc_base_test import KDCBaseTest + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +global_asn1_print = False +global_hexdump = False + + +class LdapTests(KDCBaseTest): + """Test for LDAP authentication using Kerberos credentials stored in a + credentials cache file. + """ + + def test_ldap(self): + # Create a user account and a machine account, along with a Kerberos + # credentials cache file where the service ticket authenticating the + # user are stored. + + user_name = "ldapusr" + mach_name = self.dns_host_name + service = "ldap" + + # Create the user account. + (user_credentials, _) = self.create_account(user_name) + + # Talk to the KDC to obtain the service ticket, which gets placed into + # the cache. The machine account name has to match the name in the + # ticket, to ensure that the krbtgt ticket doesn't also need to be + # stored. + (creds, cachefile) = self.create_ccache_with_user(user_credentials, + mach_name, + service) + + # Authenticate in-process to the machine account using the user's + # cached credentials. + + # Retrieve the user account's SID. + ldb_res = self.ldb.search(scope=SCOPE_SUBTREE, + expression="(sAMAccountName=%s)" % user_name, + attrs=["objectSid"]) + self.assertEqual(1, len(ldb_res)) + sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0]) + + # Connect to the machine account and retrieve the user SID. + ldb_as_user = SamDB(url="ldap://%s" % mach_name, + credentials=creds, + lp=self.lp) + ldb_res = ldb_as_user.search('', + scope=SCOPE_BASE, + attrs=["tokenGroups"]) + self.assertEqual(1, len(ldb_res)) + + token_sid = ndr_unpack(security.dom_sid, ldb_res[0]["tokenGroups"][0]) + + # Ensure that they match. + self.assertEqual(sid, token_sid) + + # Remove the cached credentials file. + os.remove(cachefile.name) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index f97b30d68df..919c800dee8 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -94,6 +94,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/kdc_base_test.py', 'python/samba/tests/krb5/kdc_tgs_tests.py', 'python/samba/tests/krb5/test_ccache.py', + 'python/samba/tests/krb5/test_ldap.py', 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', } diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index c2fe31bdb4d..883212cc65e 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -724,6 +724,7 @@ planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache") +planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap") for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) -- 2.35.0 From bf7feda6824135852e00f010220dcddfe1fe16c2 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 29 Apr 2021 21:04:25 +1200 Subject: [PATCH 075/686] python: Add RPC credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through RPC. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 072451a033da07c0cdaa005dd1020ef1c7951e99) --- python/samba/tests/krb5/test_rpc.py | 77 +++++++++++++++++++++++++++++ python/samba/tests/usage.py | 1 + source4/selftest/tests.py | 1 + 3 files changed, 79 insertions(+) create mode 100755 python/samba/tests/krb5/test_rpc.py diff --git a/python/samba/tests/krb5/test_rpc.py b/python/samba/tests/krb5/test_rpc.py new file mode 100755 index 00000000000..da1c4eb88ac --- /dev/null +++ b/python/samba/tests/krb5/test_rpc.py @@ -0,0 +1,77 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2021 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +from samba.dcerpc import lsa + +from samba.tests.krb5.kdc_base_test import KDCBaseTest + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +global_asn1_print = False +global_hexdump = False + + +class RpcTests(KDCBaseTest): + """Test for RPC authentication using Kerberos credentials stored in a + credentials cache file. + """ + + def test_rpc(self): + # Create a user account and a machine account, along with a Kerberos + # credentials cache file where the service ticket authenticating the + # user are stored. + + user_name = "rpcusr" + mach_name = self.dns_host_name + service = "cifs" + + # Create the user account. + (user_credentials, _) = self.create_account(user_name) + + # Talk to the KDC to obtain the service ticket, which gets placed into + # the cache. The machine account name has to match the name in the + # ticket, to ensure that the krbtgt ticket doesn't also need to be + # stored. + (creds, cachefile) = self.create_ccache_with_user(user_credentials, + mach_name, + service) + + # Authenticate in-process to the machine account using the user's + # cached credentials. + + binding_str = "ncacn_np:%s[\\pipe\\lsarpc]" % mach_name + conn = lsa.lsarpc(binding_str, self.lp, creds) + + (account_name, _) = conn.GetUserName(None, None, None) + + self.assertEqual(user_name, account_name.string) + + # Remove the cached credentials file. + os.remove(cachefile.name) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 919c800dee8..c0f8736a4e5 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -95,6 +95,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/kdc_tgs_tests.py', 'python/samba/tests/krb5/test_ccache.py', 'python/samba/tests/krb5/test_ldap.py', + 'python/samba/tests/krb5/test_rpc.py', 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', } diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 883212cc65e..84a78860d1d 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -725,6 +725,7 @@ planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap") +planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_rpc") for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) -- 2.35.0 From 5a7283f28e9fc5f747d014ab0055ce1e7e268f1d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 3 May 2021 15:55:01 +1200 Subject: [PATCH 076/686] libsmb: Remove overflow check Pointer overflow is undefined, so this check does not accomplish anything. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit db5b34c7682e36630908356cf674fddd18d8fa1f) --- source3/libsmb/clifsinfo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c index 09c0d9535f1..cc9f7382d49 100644 --- a/source3/libsmb/clifsinfo.c +++ b/source3/libsmb/clifsinfo.c @@ -650,7 +650,7 @@ static void cli_posix_whoami_done(struct tevent_req *subreq) * parsing network packets in C. */ - if (num_rdata < 40 || rdata + num_rdata < rdata) { + if (num_rdata < 40) { tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); return; } -- 2.35.0 From b5c34b7d50c26b3e7b24d65412ccd09a4af44688 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 3 May 2021 16:16:51 +1200 Subject: [PATCH 077/686] libsmb: Avoid undefined behaviour when parsing whoami state If num_gids is such that the gids array would overflow the rdata buffer, 'p + 8' could produce a result pointing outside the buffer, and thus result in undefined behaviour. To avoid this, we check num_gids against the size of the buffer beforehand. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 9d8aeed33d8edf7a5dc96dbe35e4e164e2baeeeb) --- source3/libsmb/clifsinfo.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c index cc9f7382d49..aca559d153b 100644 --- a/source3/libsmb/clifsinfo.c +++ b/source3/libsmb/clifsinfo.c @@ -661,6 +661,13 @@ static void cli_posix_whoami_done(struct tevent_req *subreq) state->num_gids = IVAL(rdata, 24); state->num_sids = IVAL(rdata, 28); + /* Ensure the gid array doesn't overflow */ + if (state->num_gids > (num_rdata - 40) / sizeof(uint64_t)) { + tevent_req_nterror(req, + NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + state->gids = talloc_array(state, uint64_t, state->num_gids); if (tevent_req_nomem(state->gids, req)) { return; @@ -673,11 +680,6 @@ static void cli_posix_whoami_done(struct tevent_req *subreq) p = rdata + 40; for (i = 0; i < state->num_gids; i++) { - if (p + 8 > rdata + num_rdata) { - tevent_req_nterror(req, - NT_STATUS_INVALID_NETWORK_RESPONSE); - return; - } state->gids[i] = BVAL(p, 0); p += 8; } -- 2.35.0 From 83553a7e823409f87ccbab589d2dcb17f2c4d837 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 3 May 2021 16:22:43 +1200 Subject: [PATCH 078/686] libsmb: Check to see that whoami is not receiving more data than it requested Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 9e414233c84d2f2fa4a9415be9ee975eca8b9bfd) --- source3/libsmb/clifsinfo.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c index aca559d153b..6f3c07a8a7e 100644 --- a/source3/libsmb/clifsinfo.c +++ b/source3/libsmb/clifsinfo.c @@ -570,6 +570,8 @@ struct posix_whoami_state { static void cli_posix_whoami_done(struct tevent_req *subreq); +static const uint32_t posix_whoami_max_rdata = 62*1024; + struct tevent_req *cli_posix_whoami_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct cli_state *cli) @@ -586,7 +588,7 @@ struct tevent_req *cli_posix_whoami_send(TALLOC_CTX *mem_ctx, SSVAL(state->setup, 0, TRANSACT2_QFSINFO); SSVAL(state->param, 0, SMB_QUERY_POSIX_WHOAMI); - state->max_rdata = 62*1024; + state->max_rdata = posix_whoami_max_rdata; subreq = cli_trans_send(state, /* mem ctx. */ ev, /* event ctx. */ @@ -650,7 +652,7 @@ static void cli_posix_whoami_done(struct tevent_req *subreq) * parsing network packets in C. */ - if (num_rdata < 40) { + if (num_rdata < 40 || num_rdata > posix_whoami_max_rdata) { tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); return; } -- 2.35.0 From 4c7cbf43c72e9f73bdcb0da15f2de7528f6a7290 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 3 May 2021 16:24:42 +1200 Subject: [PATCH 079/686] libsmb: Ensure that whoami parses all the data provided to it Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 9b96ebea5c6966b096cf1100a0895a9c41f2aa1d) --- source3/libsmb/clifsinfo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c index 6f3c07a8a7e..f09428bdbcb 100644 --- a/source3/libsmb/clifsinfo.c +++ b/source3/libsmb/clifsinfo.c @@ -714,6 +714,13 @@ static void cli_posix_whoami_done(struct tevent_req *subreq) p += sid_size; num_rdata -= sid_size; } + + if (num_rdata != 0) { + tevent_req_nterror(req, + NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + tevent_req_done(req); } -- 2.35.0 From 25eb2dc504e9a77a8b00dc1425484515f4dc7e03 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 30 Apr 2021 12:49:24 +1200 Subject: [PATCH 080/686] pylibsmb: Add posix_whoami() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 [abartlet@samba.org backport from commit 482559436f12a85adb3409433aac3ab06baa82b1 as the 4.13 backport doesn't have ealier pylibsmb changes including 752a8f870de2bb087802a1287d7fb6c7624ac631 (s3:pylibsmb: remove unused SECINFO_DEFAULT_FLAGS)] --- source3/libsmb/pylibsmb.c | 138 +++++++++++++++++++++++++++++++++++++- 1 file changed, 137 insertions(+), 1 deletion(-) diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c index b63101b85a0..7f5a07eac8a 100644 --- a/source3/libsmb/pylibsmb.c +++ b/source3/libsmb/pylibsmb.c @@ -42,6 +42,8 @@ SECINFO_DACL | SECINFO_PROTECTED_DACL | SECINFO_UNPROTECTED_DACL | \ SECINFO_SACL | SECINFO_PROTECTED_SACL | SECINFO_UNPROTECTED_SACL) +static PyTypeObject *dom_sid_Type = NULL; + static PyTypeObject *get_pytype(const char *module, const char *type) { PyObject *mod; @@ -1357,6 +1359,123 @@ static PyObject *py_smb_mkdir(struct py_cli_state *self, PyObject *args) Py_RETURN_NONE; } +/* + * Does a whoami call + */ +static PyObject *py_smb_posix_whoami(struct py_cli_state *self, + PyObject *Py_UNUSED(ignored)) +{ + TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS status; + struct tevent_req *req = NULL; + uint64_t uid; + uint64_t gid; + uint32_t num_gids; + uint64_t *gids = NULL; + uint32_t num_sids; + struct dom_sid *sids = NULL; + bool guest; + PyObject *py_gids = NULL; + PyObject *py_sids = NULL; + PyObject *py_guest = NULL; + PyObject *py_ret = NULL; + Py_ssize_t i; + + req = cli_posix_whoami_send(frame, self->ev, self->cli); + if (!py_tevent_req_wait_exc(self, req)) { + goto fail; + } + status = cli_posix_whoami_recv(req, + frame, + &uid, + &gid, + &num_gids, + &gids, + &num_sids, + &sids, + &guest); + if (!NT_STATUS_IS_OK(status)) { + PyErr_SetNTSTATUS(status); + goto fail; + } + if (num_gids > PY_SSIZE_T_MAX) { + PyErr_SetString(PyExc_OverflowError, "posix_whoami: Too many GIDs"); + goto fail; + } + if (num_sids > PY_SSIZE_T_MAX) { + PyErr_SetString(PyExc_OverflowError, "posix_whoami: Too many SIDs"); + goto fail; + } + + py_gids = PyList_New(num_gids); + if (!py_gids) { + goto fail; + } + for (i = 0; i < num_gids; ++i) { + int ret; + PyObject *py_item = PyLong_FromUnsignedLongLong(gids[i]); + if (!py_item) { + goto fail2; + } + + ret = PyList_SetItem(py_gids, i, py_item); + if (ret) { + goto fail2; + } + } + py_sids = PyList_New(num_sids); + if (!py_sids) { + goto fail2; + } + for (i = 0; i < num_sids; ++i) { + int ret; + struct dom_sid *sid; + PyObject *py_item; + + sid = dom_sid_dup(frame, &sids[i]); + if (!sid) { + PyErr_NoMemory(); + goto fail3; + } + + py_item = pytalloc_steal(dom_sid_Type, sid); + if (!py_item) { + PyErr_NoMemory(); + goto fail3; + } + + ret = PyList_SetItem(py_sids, i, py_item); + if (ret) { + goto fail3; + } + } + + py_guest = guest ? Py_True : Py_False; + + py_ret = Py_BuildValue("KKNNO", + uid, + gid, + py_gids, + py_sids, + py_guest); + if (!py_ret) { + goto fail3; + } + + TALLOC_FREE(frame); + return py_ret; + +fail3: + Py_CLEAR(py_sids); + +fail2: + Py_CLEAR(py_gids); + +fail: + TALLOC_FREE(frame); + return NULL; +} + /* * Checks existence of a directory */ @@ -1612,6 +1731,8 @@ static PyMethodDef py_cli_state_methods[] = { "unlink(path) -> None\n\n \t\tDelete a file." }, { "mkdir", (PyCFunction)py_smb_mkdir, METH_VARARGS, "mkdir(path) -> None\n\n \t\tCreate a directory." }, + { "posix_whoami", (PyCFunction)py_smb_posix_whoami, METH_NOARGS, + "posix_whoami() -> (uid, gid, gids, sids, guest)" }, { "rmdir", (PyCFunction)py_smb_rmdir, METH_VARARGS, "rmdir(path) -> None\n\n \t\tDelete a directory." }, { "chkpath", (PyCFunction)py_smb_chkpath, METH_VARARGS, @@ -1664,16 +1785,31 @@ static struct PyModuleDef moduledef = { MODULE_INIT_FUNC(libsmb_samba_internal) { PyObject *m = NULL; + PyObject *mod = NULL; talloc_stackframe(); + if (PyType_Ready(&py_cli_state_type) < 0) { + return NULL; + } + m = PyModule_Create(&moduledef); if (m == NULL) { return m; } - if (PyType_Ready(&py_cli_state_type) < 0) { + + /* Import dom_sid type from dcerpc.security */ + mod = PyImport_ImportModule("samba.dcerpc.security"); + if (mod == NULL) { return NULL; } + + dom_sid_Type = (PyTypeObject *)PyObject_GetAttrString(mod, "dom_sid"); + if (dom_sid_Type == NULL) { + Py_DECREF(mod); + return NULL; + } + Py_INCREF(&py_cli_state_type); PyModule_AddObject(m, "Conn", (PyObject *)&py_cli_state_type); -- 2.35.0 From 68cf99acbfcada69cbe71b482b48b312e0c29d47 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 30 Apr 2021 08:58:11 +1200 Subject: [PATCH 081/686] python: Add SMB credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through SMB. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 78a0b57b51642df07deed8aeb6e39e608fafda60) --- python/samba/tests/krb5/test_smb.py | 108 ++++++++++++++++++++++++++++ python/samba/tests/usage.py | 1 + source4/selftest/tests.py | 1 + 3 files changed, 110 insertions(+) create mode 100755 python/samba/tests/krb5/test_smb.py diff --git a/python/samba/tests/krb5/test_smb.py b/python/samba/tests/krb5/test_smb.py new file mode 100755 index 00000000000..0262a37ebb5 --- /dev/null +++ b/python/samba/tests/krb5/test_smb.py @@ -0,0 +1,108 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2021 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +from ldb import SCOPE_SUBTREE +from samba.dcerpc import security +from samba.ndr import ndr_unpack +from samba.samba3 import libsmb_samba_internal as libsmb +from samba.samba3 import param as s3param + +from samba.tests.krb5.kdc_base_test import KDCBaseTest + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +global_asn1_print = False +global_hexdump = False + + +class SmbTests(KDCBaseTest): + """Test for SMB authentication using Kerberos credentials stored in a + credentials cache file. + """ + + def test_smb(self): + # Create a user account and a machine account, along with a Kerberos + # credentials cache file where the service ticket authenticating the + # user are stored. + + user_name = "smbusr" + mach_name = self.dns_host_name + service = "cifs" + share = "tmp" + + # Create the user account. + (user_credentials, _) = self.create_account(user_name) + + # Talk to the KDC to obtain the service ticket, which gets placed into + # the cache. The machine account name has to match the name in the + # ticket, to ensure that the krbtgt ticket doesn't also need to be + # stored. + (creds, cachefile) = self.create_ccache_with_user(user_credentials, + mach_name, + service) + + # Set the Kerberos 5 credentials cache environment variable. This is + # required because the codepath that gets run (gse_krb5) looks for it + # in here and not in the credentials object. + krb5_ccname = os.environ.get("KRB5CCNAME", "") + self.addCleanup(os.environ.__setitem__, "KRB5CCNAME", krb5_ccname) + os.environ["KRB5CCNAME"] = "FILE:" + cachefile.name + + # Authenticate in-process to the machine account using the user's + # cached credentials. + + # Retrieve the user account's SID. + ldb_res = self.ldb.search(scope=SCOPE_SUBTREE, + expression="(sAMAccountName=%s)" % user_name, + attrs=["objectSid"]) + self.assertEqual(1, len(ldb_res)) + sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0]) + + # Connect to a share and retrieve the user SID. + s3_lp = s3param.get_context() + s3_lp.load(self.lp.configfile) + + min_protocol = s3_lp.get("client min protocol") + self.addCleanup(s3_lp.set, "client min protocol", min_protocol) + s3_lp.set("client min protocol", "NT1") + + max_protocol = s3_lp.get("client max protocol") + self.addCleanup(s3_lp.set, "client max protocol", max_protocol) + s3_lp.set("client max protocol", "NT1") + + conn = libsmb.Conn(mach_name, share, lp=s3_lp, creds=creds) + + (uid, gid, gids, sids, guest) = conn.posix_whoami() + + # Ensure that they match. + self.assertEqual(sid, sids[0]) + + # Remove the cached credentials file. + os.remove(cachefile.name) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index c0f8736a4e5..ad13012c9bb 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -96,6 +96,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/test_ccache.py', 'python/samba/tests/krb5/test_ldap.py', 'python/samba/tests/krb5/test_rpc.py', + 'python/samba/tests/krb5/test_smb.py', 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', } diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 84a78860d1d..68a51813e4f 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -726,6 +726,7 @@ planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_rpc") +planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb") for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) -- 2.35.0 From 69e722470907ca5c9580e40d631a5953014141f0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 3 May 2021 14:42:10 +1200 Subject: [PATCH 082/686] python: Ensure reference counts are properly incremented Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 290c1dc0975867a71c02e911708323d1f38b6f96) --- lib/talloc/pytalloc.c | 4 ++-- libgpo/pygpo.c | 2 +- source4/auth/gensec/pygensec.c | 4 ++-- source4/librpc/ndr/py_security.c | 2 +- source4/ntvfs/posix/python/pyposix_eadb.c | 2 +- source4/ntvfs/posix/python/pyxattr_native.c | 4 ++-- source4/ntvfs/posix/python/pyxattr_tdb.c | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/lib/talloc/pytalloc.c b/lib/talloc/pytalloc.c index 95dbb297a46..e583c05ea6f 100644 --- a/lib/talloc/pytalloc.c +++ b/lib/talloc/pytalloc.c @@ -43,14 +43,14 @@ static PyObject *pytalloc_report_full(PyObject *self, PyObject *args) } else { talloc_report_full(pytalloc_get_mem_ctx(py_obj), stdout); } - return Py_None; + Py_RETURN_NONE; } /* enable null tracking */ static PyObject *pytalloc_enable_null_tracking(PyObject *self) { talloc_enable_null_tracking(); - return Py_None; + Py_RETURN_NONE; } /* return the number of talloc blocks */ diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c index b8dfcd5572f..4cfd5720065 100644 --- a/libgpo/pygpo.c +++ b/libgpo/pygpo.c @@ -40,7 +40,7 @@ static PyObject* GPO_get_##ATTR(PyObject *self, void *closure) \ if (gpo_ptr->ATTR) \ return PyStr_FromString(gpo_ptr->ATTR); \ else \ - return Py_None; \ + Py_RETURN_NONE; \ } GPO_getter(ds_path) GPO_getter(file_sys_path) diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c index ca60d3bdc5e..9ede11c9d8d 100644 --- a/source4/auth/gensec/pygensec.c +++ b/source4/auth/gensec/pygensec.c @@ -414,9 +414,9 @@ static PyObject *py_gensec_have_feature(PyObject *self, PyObject *args) return NULL; if (gensec_have_feature(security, feature)) { - return Py_True; + Py_RETURN_TRUE; } - return Py_False; + Py_RETURN_FALSE; } static PyObject *py_gensec_set_max_update_size(PyObject *self, PyObject *args) diff --git a/source4/librpc/ndr/py_security.c b/source4/librpc/ndr/py_security.c index 79a9fa5ac11..37c6a57e00e 100644 --- a/source4/librpc/ndr/py_security.c +++ b/source4/librpc/ndr/py_security.c @@ -341,7 +341,7 @@ static PyObject *py_descriptor_richcmp( break; } - return Py_NotImplemented; + Py_RETURN_NOTIMPLEMENTED; } static void py_descriptor_patch(PyTypeObject *type) diff --git a/source4/ntvfs/posix/python/pyposix_eadb.c b/source4/ntvfs/posix/python/pyposix_eadb.c index 646498225b3..18e240420a4 100644 --- a/source4/ntvfs/posix/python/pyposix_eadb.c +++ b/source4/ntvfs/posix/python/pyposix_eadb.c @@ -31,7 +31,7 @@ static PyObject *py_is_xattr_supported(PyObject *self) { - return Py_True; + Py_RETURN_TRUE; } static PyObject *py_wrap_setxattr(PyObject *self, PyObject *args) diff --git a/source4/ntvfs/posix/python/pyxattr_native.c b/source4/ntvfs/posix/python/pyxattr_native.c index b1fa2a208e5..6af48348a4b 100644 --- a/source4/ntvfs/posix/python/pyxattr_native.c +++ b/source4/ntvfs/posix/python/pyxattr_native.c @@ -28,9 +28,9 @@ static PyObject *py_is_xattr_supported(PyObject *self) { #if !defined(HAVE_XATTR_SUPPORT) - return Py_False; + Py_RETURN_FALSE; #else - return Py_True; + Py_RETURN_TRUE; #endif } diff --git a/source4/ntvfs/posix/python/pyxattr_tdb.c b/source4/ntvfs/posix/python/pyxattr_tdb.c index f9a1fa5fd80..9e4e73a4049 100644 --- a/source4/ntvfs/posix/python/pyxattr_tdb.c +++ b/source4/ntvfs/posix/python/pyxattr_tdb.c @@ -35,7 +35,7 @@ static PyObject *py_is_xattr_supported(PyObject *self) { - return Py_True; + Py_RETURN_TRUE; } static PyObject *py_wrap_setxattr(PyObject *self, PyObject *args) -- 2.35.0 From 27ee247457d4146dd8fd0cb84078dbf56640cb55 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 3 May 2021 14:43:04 +1200 Subject: [PATCH 083/686] python: Fix erroneous increments of reference counts Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 66695f0f94775c4db24fb625fe78ff44d964b5ad) --- source3/passdb/py_passdb.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/source3/passdb/py_passdb.c b/source3/passdb/py_passdb.c index 40e3a4e13aa..0b5c720215c 100644 --- a/source3/passdb/py_passdb.c +++ b/source3/passdb/py_passdb.c @@ -1915,8 +1915,6 @@ static PyObject *py_pdb_enum_group_mapping(PyObject *self, PyObject *args) PyObject *py_gmap_list, *py_group_map; int i; - Py_INCREF(Py_None); - if (!PyArg_ParseTuple(args, "|O!ii:enum_group_mapping", dom_sid_Type, &py_domain_sid, &lsa_sidtype_value, &unix_only)) { talloc_free(frame); @@ -2604,8 +2602,6 @@ static PyObject *py_pdb_search_aliases(PyObject *self, PyObject *args) PyObject *py_domain_sid = Py_None; struct dom_sid *domain_sid = NULL; - Py_INCREF(Py_None); - if (!PyArg_ParseTuple(args, "|O!:search_aliases", dom_sid_Type, &py_domain_sid)) { talloc_free(frame); return NULL; -- 2.35.0 From 860c6a987a9de6cc7c4aa08113591aea53654a76 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 10 May 2021 16:43:03 +1200 Subject: [PATCH 084/686] python: Fix ticket timestamp conversion when local timezone is not UTC Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b9006f33343ba8bb82ef8ffe1fd90c780961b41e) --- python/samba/tests/krb5/kdc_base_test.py | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index d8193ae9cdc..e345f739e1c 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -18,7 +18,7 @@ import sys import os -from datetime import datetime +from datetime import datetime, timezone import tempfile sys.path.insert(0, "bin/python") @@ -519,11 +519,26 @@ class KDCBaseTest(RawKerberosTest): cred.server = sprincipal cred.keyblock = keyblock cred.authtime = int(datetime.strptime(authtime.decode(), - "%Y%m%d%H%M%SZ").timestamp()) + "%Y%m%d%H%M%SZ") + .replace(tzinfo=timezone.utc).timestamp()) cred.starttime = int(datetime.strptime(starttime.decode(), - "%Y%m%d%H%M%SZ").timestamp()) + "%Y%m%d%H%M%SZ") + .replace(tzinfo=timezone.utc).timestamp()) cred.endtime = int(datetime.strptime(endtime.decode(), - "%Y%m%d%H%M%SZ").timestamp()) + "%Y%m%d%H%M%SZ") + .replace(tzinfo=timezone.utc).timestamp()) + + # Account for clock skew of up to five minutes. + self.assertLess(cred.authtime - 5*60, + datetime.now(timezone.utc).timestamp(), + "Ticket not yet valid - clocks may be out of sync.") + self.assertLess(cred.starttime - 5*60, + datetime.now(timezone.utc).timestamp(), + "Ticket not yet valid - clocks may be out of sync.") + self.assertGreater(cred.endtime - 60*60, + datetime.now(timezone.utc).timestamp(), + "Ticket already expired/about to expire - clocks may be out of sync.") + cred.renew_till = cred.endtime cred.is_skey = 0 cred.ticket_flags = int(enc_part['flags'], 2) -- 2.35.0 From d893d8142acaedcf654e681b2f1fcbcc0c2c2afa Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 10 May 2021 15:06:06 +1200 Subject: [PATCH 085/686] python: Make credentials cache test run against Windows Windows, unlike Samba, requires the service principal name to be set when requesting a ticket to that service. Additionally, default_realm from the libdefaults section of krb5.conf should be set so that the correct realm is used. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Wed May 19 02:22:01 UTC 2021 on sn-devel-184 (cherry picked from commit 7791acb074b84ec7b571a81f15b56d33e2214ce9) --- python/samba/tests/krb5/test_ccache.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/test_ccache.py b/python/samba/tests/krb5/test_ccache.py index e0998a4c43f..32c9e3cce6b 100755 --- a/python/samba/tests/krb5/test_ccache.py +++ b/python/samba/tests/krb5/test_ccache.py @@ -47,13 +47,16 @@ class CcacheTests(KDCBaseTest): user_name = "ccacheusr" mach_name = "ccachemac" + service = "host" # Create the user account. (user_credentials, _) = self.create_account(user_name) # Create the machine account. (mach_credentials, _) = self.create_account(mach_name, - machine_account=True) + machine_account=True, + spn="%s/%s" % (service, + mach_name)) # Talk to the KDC to obtain the service ticket, which gets placed into # the cache. The machine account name has to match the name in the -- 2.35.0 From 22c724f23728f844c8248480802604a55006cb2e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 9 Apr 2020 21:04:44 +0200 Subject: [PATCH 086/686] auth/credentials: allow credentials.Credentials to act as base class In tests it's useful to add more details. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1f413b2b2977687884781ca2399dadf6611ab461) --- auth/credentials/pycredentials.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index a58859a70d8..b4239730818 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c @@ -849,7 +849,7 @@ static struct PyModuleDef moduledef = { PyTypeObject PyCredentials = { .tp_name = "credentials.Credentials", .tp_new = py_creds_new, - .tp_flags = Py_TPFLAGS_DEFAULT, + .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, .tp_methods = py_creds_methods, }; -- 2.35.0 From 602b6609db0606fc90b61a9d3e3c3ab446ab49bf Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 15 Apr 2020 16:50:55 +0200 Subject: [PATCH 087/686] Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} This is a clearer name for the script Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit fef08add9ec324fb0c3902e96c2a91c07646d499) --- python/samba/tests/krb5/pyasn1_regen.sh | 41 +++++++++++++++++++ .../samba/tests/krb5/rfc4120_pyasn1_regen.sh | 41 ------------------- 2 files changed, 41 insertions(+), 41 deletions(-) create mode 100755 python/samba/tests/krb5/pyasn1_regen.sh delete mode 100755 python/samba/tests/krb5/rfc4120_pyasn1_regen.sh diff --git a/python/samba/tests/krb5/pyasn1_regen.sh b/python/samba/tests/krb5/pyasn1_regen.sh new file mode 100755 index 00000000000..2e3995688f2 --- /dev/null +++ b/python/samba/tests/krb5/pyasn1_regen.sh @@ -0,0 +1,41 @@ +#!/bin/bash +# + +# +# I used https://github.com/kimgr/asn1ate.git +# to generate pyasn1 bindings for rfc4120.asn1 +# + +PATH_TO_ASN1ATE_CHECKOUT=$1 +PATH_TO_ASN1_INPUT_FILE=$2 + +set -u +set -e + +usage() { + echo "usage: $0 PATH_TO_ASN1ATE_CHECKOUT PATH_TO_ASN1_INPUT_FILE > PATH_TO_PYASN1_OUTPUT_FILE" +} + +test -n "${PATH_TO_ASN1ATE_CHECKOUT}" || { + usage + exit 1 +} +test -n "${PATH_TO_ASN1_INPUT_FILE}" || { + usage + exit 1 +} +test -d "${PATH_TO_ASN1ATE_CHECKOUT}" || { + usage + exit 1 +} +test -f "${PATH_TO_ASN1_INPUT_FILE}" || { + usage + exit 1 +} + +PATH_TO_PYASN1GEN_PY="${PATH_TO_ASN1ATE_CHECKOUT}/asn1ate/pyasn1gen.py" + +PYTHONPATH="${PATH_TO_ASN1ATE_CHECKOUT}:${PYTHONPATH-}" +export PYTHONPATH + +python3 "${PATH_TO_PYASN1GEN_PY}" "${PATH_TO_ASN1_INPUT_FILE}" diff --git a/python/samba/tests/krb5/rfc4120_pyasn1_regen.sh b/python/samba/tests/krb5/rfc4120_pyasn1_regen.sh deleted file mode 100755 index 2e3995688f2..00000000000 --- a/python/samba/tests/krb5/rfc4120_pyasn1_regen.sh +++ /dev/null @@ -1,41 +0,0 @@ -#!/bin/bash -# - -# -# I used https://github.com/kimgr/asn1ate.git -# to generate pyasn1 bindings for rfc4120.asn1 -# - -PATH_TO_ASN1ATE_CHECKOUT=$1 -PATH_TO_ASN1_INPUT_FILE=$2 - -set -u -set -e - -usage() { - echo "usage: $0 PATH_TO_ASN1ATE_CHECKOUT PATH_TO_ASN1_INPUT_FILE > PATH_TO_PYASN1_OUTPUT_FILE" -} - -test -n "${PATH_TO_ASN1ATE_CHECKOUT}" || { - usage - exit 1 -} -test -n "${PATH_TO_ASN1_INPUT_FILE}" || { - usage - exit 1 -} -test -d "${PATH_TO_ASN1ATE_CHECKOUT}" || { - usage - exit 1 -} -test -f "${PATH_TO_ASN1_INPUT_FILE}" || { - usage - exit 1 -} - -PATH_TO_PYASN1GEN_PY="${PATH_TO_ASN1ATE_CHECKOUT}/asn1ate/pyasn1gen.py" - -PYTHONPATH="${PATH_TO_ASN1ATE_CHECKOUT}:${PYTHONPATH-}" -export PYTHONPATH - -python3 "${PATH_TO_PYASN1GEN_PY}" "${PATH_TO_ASN1_INPUT_FILE}" -- 2.35.0 From d0857fadc7d5655ad05b48101efebe9a38f7b1b2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 9 Apr 2020 11:10:11 +0200 Subject: [PATCH 088/686] tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing Update and re-generate the ASN.1 to allow an improved testsuite. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d4492a8aaaf70cbe81af7e6703b4ea9fc1f24162) --- python/samba/tests/krb5/rfc4120.asn1 | 70 ++++++++++- python/samba/tests/krb5/rfc4120_pyasn1.py | 134 +++++++++++++++++++++- 2 files changed, 199 insertions(+), 5 deletions(-) diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 index 654f9788ca7..d81d06ad6f7 100644 --- a/python/samba/tests/krb5/rfc4120.asn1 +++ b/python/samba/tests/krb5/rfc4120.asn1 @@ -386,14 +386,14 @@ PA-ENC-TS-ENC ::= SEQUENCE { } ETYPE-INFO-ENTRY ::= SEQUENCE { - etype [0] Int32, + etype [0] EncryptionType, --Int32 EncryptionType -- salt [1] OCTET STRING OPTIONAL } ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY ETYPE-INFO2-ENTRY ::= SEQUENCE { - etype [0] Int32, + etype [0] EncryptionType, --Int32 EncryptionType -- salt [1] KerberosString OPTIONAL, s2kparams [2] OCTET STRING OPTIONAL } @@ -425,9 +425,48 @@ PA-S4U2Self ::= SEQUENCE { auth [3] KerberosString } +-- +-- +-- MS-KILE Start +KERB-ERROR-DATA ::= SEQUENCE { + data-type [1] KerbErrorDataType, + data-value [2] OCTET STRING OPTIONAL +} +KerbErrorDataType ::= INTEGER +KERB-PA-PAC-REQUEST ::= SEQUENCE { + include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC. + --If FALSE, and PAC present, remove PAC +} + +KERB-LOCAL ::= OCTET STRING -- Implementation-specific data which MUST be + -- ignored if Kerberos client is not local. + +KERB-AD-RESTRICTION-ENTRY ::= SEQUENCE { + restriction-type [0] Int32, + restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure +} + +PA-SUPPORTED-ENCTYPES ::= Int32 -- Supported Encryption Types Bit Field -- + +PACOptionFlags ::= KerberosFlags -- Claims (0) + -- Branch Aware (1) + -- Forward to Full DC (2) + -- Resource Based Constrained Delegation (3) +PA-PAC-OPTIONS ::= SEQUENCE { + options [0] PACOptionFlags +} +-- Note: KerberosFlags ::= BIT STRING (SIZE (32..MAX)) +-- minimum number of bits shall be sent, but no fewer than 32 + +KERB-KEY-LIST-REQ ::= SEQUENCE OF EncryptionType -- Int32 encryption type -- +KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey + +-- MS-KILE End +-- +-- -- -- @@ -504,6 +543,15 @@ KDCOptionsSequence ::= SEQUENCE { dummy [0] KDCOptionsValues } +APOptionsValues ::= BIT STRING { -- KerberosFlags + reserved(0), + use-session-key(1), + mutual-required(2) +} +APOptionsSequence ::= SEQUENCE { + dummy [0] APOptionsValues +} + MessageTypeValues ::= INTEGER { krb-as-req(10), -- Request for initial authentication krb-as-rep(11), -- Response to KRB_AS_REQ request @@ -669,4 +717,22 @@ EncryptionTypeSequence ::= SEQUENCE { dummy [0] EncryptionTypeValues } +KerbErrorDataTypeValues ::= INTEGER { + kERB-AP-ERR-TYPE-SKEW-RECOVERY(2), + kERB-ERR-TYPE-EXTENDED(3) +} +KerbErrorDataTypeSequence ::= SEQUENCE { + dummy [0] KerbErrorDataTypeValues +} + +PACOptionFlagsValues ::= BIT STRING { -- KerberosFlags + claims(0), + branch-aware(1), + forward-to-full-dc(2), + resource-based-constrained-delegation(3) +} +PACOptionFlagsSequence ::= SEQUENCE { + dummy [0] PACOptionFlagsValues +} + END diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py index 1d89f94adf1..56fe02a68f0 100644 --- a/python/samba/tests/krb5/rfc4120_pyasn1.py +++ b/python/samba/tests/krb5/rfc4120_pyasn1.py @@ -1,5 +1,5 @@ # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 -# (last modified on 2020-11-06 11:30:42.476808) +# (last modified on 2021-06-16 08:54:13.969508) # KerberosV5Spec2 from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful @@ -175,6 +175,26 @@ AP_REQ.componentType = namedtype.NamedTypes( ) +class APOptionsValues(univ.BitString): + pass + + +APOptionsValues.namedValues = namedval.NamedValues( + ('reserved', 0), + ('use-session-key', 1), + ('mutual-required', 2) +) + + +class APOptionsSequence(univ.Sequence): + pass + + +APOptionsSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', APOptionsValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + class PADataType(Int32): pass @@ -384,7 +404,7 @@ class ETYPE_INFO_ENTRY(univ.Sequence): ETYPE_INFO_ENTRY.componentType = namedtype.NamedTypes( - namedtype.NamedType('etype', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('etype', EncryptionType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), namedtype.OptionalNamedType('salt', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) ) @@ -401,7 +421,7 @@ class ETYPE_INFO2_ENTRY(univ.Sequence): ETYPE_INFO2_ENTRY.componentType = namedtype.NamedTypes( - namedtype.NamedType('etype', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('etype', EncryptionType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), namedtype.OptionalNamedType('salt', KerberosString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), namedtype.OptionalNamedType('s2kparams', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) ) @@ -636,6 +656,57 @@ KDCOptionsSequence.componentType = namedtype.NamedTypes( ) +class KERB_AD_RESTRICTION_ENTRY(univ.Sequence): + pass + + +KERB_AD_RESTRICTION_ENTRY.componentType = namedtype.NamedTypes( + namedtype.NamedType('restriction-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('restriction', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class KerbErrorDataType(univ.Integer): + pass + + +class KERB_ERROR_DATA(univ.Sequence): + pass + + +KERB_ERROR_DATA.componentType = namedtype.NamedTypes( + namedtype.NamedType('data-type', KerbErrorDataType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('data-value', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) +) + + +class KERB_KEY_LIST_REP(univ.SequenceOf): + pass + + +KERB_KEY_LIST_REP.componentType = EncryptionKey() + + +class KERB_KEY_LIST_REQ(univ.SequenceOf): + pass + + +KERB_KEY_LIST_REQ.componentType = EncryptionType() + + +class KERB_LOCAL(univ.OctetString): + pass + + +class KERB_PA_PAC_REQUEST(univ.Sequence): + pass + + +KERB_PA_PAC_REQUEST.componentType = namedtype.NamedTypes( + namedtype.NamedType('include-pac', univ.Boolean().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + class KRB_CRED(univ.Sequence): pass @@ -710,6 +781,25 @@ KRB_SAFE.componentType = namedtype.NamedTypes( ) +class KerbErrorDataTypeValues(univ.Integer): + pass + + +KerbErrorDataTypeValues.namedValues = namedval.NamedValues( + ('kERB-AP-ERR-TYPE-SKEW-RECOVERY', 2), + ('kERB-ERR-TYPE-EXTENDED', 3) +) + + +class KerbErrorDataTypeSequence(univ.Sequence): + pass + + +KerbErrorDataTypeSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', KerbErrorDataTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + class MessageTypeValues(univ.Integer): pass @@ -781,6 +871,19 @@ PA_ENC_TS_ENC.componentType = namedtype.NamedTypes( ) +class PACOptionFlags(KerberosFlags): + pass + + +class PA_PAC_OPTIONS(univ.Sequence): + pass + + +PA_PAC_OPTIONS.componentType = namedtype.NamedTypes( + namedtype.NamedType('options', PACOptionFlags().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + class PA_S4U2Self(univ.Sequence): pass @@ -793,6 +896,31 @@ PA_S4U2Self.componentType = namedtype.NamedTypes( ) +class PA_SUPPORTED_ENCTYPES(Int32): + pass + + +class PACOptionFlagsValues(univ.BitString): + pass + + +PACOptionFlagsValues.namedValues = namedval.NamedValues( + ('claims', 0), + ('branch-aware', 1), + ('forward-to-full-dc', 2), + ('resource-based-constrained-delegation', 3) +) + + +class PACOptionFlagsSequence(univ.Sequence): + pass + + +PACOptionFlagsSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', PACOptionFlagsValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + class PADataTypeValues(univ.Integer): pass -- 2.35.0 From 58bf44ba84c35cbd52d901dc3844798191cfad39 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 9 Apr 2020 10:55:28 +0200 Subject: [PATCH 089/686] tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds() These helpful functions allow us to build the various credentials that we will use in validating the KDC responses in this test. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit c3222870b92db7f867557c2896b7bf39915d469a) --- python/samba/tests/krb5/raw_testcase.py | 199 +++++++++++++++++++++--- python/samba/tests/krb5/simple_tests.py | 6 +- 2 files changed, 183 insertions(+), 22 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 27ab89ecf99..b28939f0388 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -22,10 +22,12 @@ import struct import time import datetime import random +import binascii import samba.tests from samba.credentials import Credentials from samba.tests import TestCaseInTempDir +from samba.dcerpc import security import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 import samba.tests.krb5.kcrypto as kcrypto @@ -177,6 +179,81 @@ class Krb5EncryptionKey(object): } return EncryptionKey_obj +class KerberosCredentials(Credentials): + def __init__(self): + super(KerberosCredentials, self).__init__() + all_enc_types = 0 + all_enc_types |= security.KERB_ENCTYPE_RC4_HMAC_MD5 + all_enc_types |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 + all_enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 + + self.as_supported_enctypes = all_enc_types + self.tgs_supported_enctypes = all_enc_types + self.ap_supported_enctypes = all_enc_types + + self.kvno = None + self.forced_keys = {} + + self.forced_salt = None + return + + def set_as_supported_enctypes(self, value): + self.as_supported_enctypes = int(value) + return + + def set_tgs_supported_enctypes(self, value): + self.tgs_supported_enctypes = int(value) + return + + def set_ap_supported_enctypes(self, value): + self.ap_supported_enctypes = int(value) + return + + def _get_krb5_etypes(self, supported_enctypes): + etypes = () + + if supported_enctypes & security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96: + etypes += (kcrypto.Enctype.AES256,) + if supported_enctypes & security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96: + etypes += (kcrypto.Enctype.AES128,) + if supported_enctypes & security.KERB_ENCTYPE_RC4_HMAC_MD5: + etypes += (kcrypto.Enctype.RC4,) + + return etypes + + def get_as_krb5_etypes(self): + return self._get_krb5_etypes(self.as_supported_enctypes) + + def get_tgs_krb5_etypes(self): + return self._get_krb5_etypes(self.tgs_supported_enctypes) + + def get_ap_krb5_etypes(self): + return self._get_krb5_etypes(self.ap_supported_enctypes) + + def set_kvno(self, kvno): + self.kvno = kvno + + def get_kvno(self): + return self.kvno + + def set_forced_key(self, etype, hexkey): + etype = int(etype) + contents = binascii.a2b_hex(hexkey) + key = kcrypto.Key(etype, contents) + self.forced_keys[etype] = Krb5EncryptionKey(key, self.kvno) + + def get_forced_key(self, etype): + etype = int(etype) + if etype in self.forced_keys: + return self.forced_keys[etype] + return None + + def set_forced_salt(self, salt): + self.forced_salt = bytes(salt) + return + + def get_forced_salt(self): + return self.forced_salt class RawKerberosTest(TestCaseInTempDir): """A raw Kerberos Test case.""" @@ -229,33 +306,113 @@ class RawKerberosTest(TestCaseInTempDir): sys.stderr.write("connected[%s]\n" % self.host) return - def get_user_creds(self): - c = Credentials() + def _get_krb5_creds(self, prefix, + default_username=None, + allow_missing_password=False, + require_strongest_key=False): + c = KerberosCredentials() c.guess() - domain = samba.tests.env_get_var_value('DOMAIN') - realm = samba.tests.env_get_var_value('REALM') - username = samba.tests.env_get_var_value('USERNAME') - password = samba.tests.env_get_var_value('PASSWORD') - c.set_domain(domain) - c.set_realm(realm) - c.set_username(username) - c.set_password(password) - return c - def get_service_creds(self, allow_missing_password=False): - c = Credentials() - c.guess() - domain = samba.tests.env_get_var_value('DOMAIN') - realm = samba.tests.env_get_var_value('REALM') - username = samba.tests.env_get_var_value('SERVICE_USERNAME') - password = samba.tests.env_get_var_value( - 'SERVICE_PASSWORD', - allow_missing=allow_missing_password) + def env_get_var(varname, prefix, fallback_default=True, allow_missing=False): + val = None + if prefix is not None: + allow_missing_prefix = allow_missing + if fallback_default: + allow_missing_prefix = True + val = samba.tests.env_get_var_value('%s_%s' % (prefix, varname), + allow_missing=allow_missing_prefix) + else: + fallback_default = True + if val is None and fallback_default: + val = samba.tests.env_get_var_value(varname, + allow_missing=allow_missing) + return val + + domain = env_get_var('DOMAIN', prefix) + realm = env_get_var('REALM', prefix) + allow_missing_username = False + if default_username is not None: + allow_missing_username = True + username = env_get_var('USERNAME', prefix, + fallback_default=False, + allow_missing=allow_missing_username) + if username is None: + username = default_username + password = env_get_var('PASSWORD', prefix, + fallback_default=False, + allow_missing=allow_missing_password) c.set_domain(domain) c.set_realm(realm) c.set_username(username) if password is not None: c.set_password(password) + as_supported_enctypes = env_get_var('AS_SUPPORTED_ENCTYPES', + prefix, allow_missing=True) + if as_supported_enctypes is not None: + c.set_as_supported_enctypes(as_supported_enctypes) + tgs_supported_enctypes = env_get_var('TGS_SUPPORTED_ENCTYPES', + prefix, allow_missing=True) + if tgs_supported_enctypes is not None: + c.set_tgs_supported_enctypes(tgs_supported_enctypes) + ap_supported_enctypes = env_get_var('AP_SUPPORTED_ENCTYPES', + prefix, allow_missing=True) + if ap_supported_enctypes is not None: + c.set_ap_supported_enctypes(ap_supported_enctypes) + + if require_strongest_key: + kvno_allow_missing = False + if password is None: + aes256_allow_missing = False + else: + aes256_allow_missing = True + else: + kvno_allow_missing = True + aes256_allow_missing = True + kvno = env_get_var('KVNO', prefix, + fallback_default=False, + allow_missing=kvno_allow_missing) + if kvno is not None: + c.set_kvno(kvno) + aes256_key = env_get_var('AES256_KEY_HEX', prefix, + fallback_default=False, + allow_missing=aes256_allow_missing) + if aes256_key is not None: + c.set_forced_key(kcrypto.Enctype.AES256, aes256_key) + aes128_key = env_get_var('AES128_KEY_HEX', prefix, + fallback_default=False, allow_missing=True) + if aes128_key is not None: + c.set_forced_key(kcrypto.Enctype.AES128, aes128_key) + rc4_key = env_get_var('RC4_KEY_HEX', prefix, + fallback_default=False, allow_missing=True) + if rc4_key is not None: + c.set_forced_key(kcrypto.Enctype.RC4, rc4_key) + return c + + def get_user_creds(self, allow_missing_password=False): + c = self._get_krb5_creds(prefix=None, + allow_missing_password=allow_missing_password) + return c + + def get_service_creds(self, allow_missing_password=False): + c = self._get_krb5_creds(prefix='SERVICE', + allow_missing_password=allow_missing_password) + return c + + def get_client_creds(self, allow_missing_password=False): + c = self._get_krb5_creds(prefix='CLIENT', + allow_missing_password=allow_missing_password) + return c + + def get_server_creds(self, allow_missing_password=False): + c = self._get_krb5_creds(prefix='SERVER', + allow_missing_password=allow_missing_password) + return c + + def get_krbtgt_creds(self, require_strongest_key=False): + c = self._get_krb5_creds(prefix='KRBTGT', + default_username='krbtgt', + allow_missing_password=True, + require_strongest_key=require_strongest_key) return c def get_anon_creds(self): @@ -473,6 +630,8 @@ class RawKerberosTest(TestCaseInTempDir): return Krb5EncryptionKey(key, kvno) def PasswordKey_create(self, etype=None, pwd=None, salt=None, kvno=None): + self.assertIsNotNone(pwd) + self.assertIsNotNone(salt) key = kcrypto.string_to_key(etype, pwd, salt) return Krb5EncryptionKey(key, kvno) diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py index 889b91a9bf0..2da76a3cf5e 100755 --- a/python/samba/tests/krb5/simple_tests.py +++ b/python/samba/tests/krb5/simple_tests.py @@ -44,10 +44,12 @@ class SimpleKerberosTests(RawKerberosTest): def test_simple(self): user_creds = self.get_user_creds() user = user_creds.get_username() - realm = user_creds.get_realm() + krbtgt_creds = self.get_krbtgt_creds() + krbtgt_account = krbtgt_creds.get_username() + realm = krbtgt_creds.get_realm() cname = self.PrincipalName_create(name_type=1, names=[user]) - sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) + sname = self.PrincipalName_create(name_type=2, names=[krbtgt_account, realm]) till = self.get_KerberosTime(offset=36000) -- 2.35.0 From a4a1e701405a7f80fe21eba6367ad2010af58922 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 9 Apr 2020 22:28:32 +0200 Subject: [PATCH 090/686] tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future We should write tests as strict as possible in order to let them run against Windows servers. But at the same time we want to allow tests to be useful for Samba too... Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit dff611976d6a067614e37add99edae214815a68b) --- python/samba/tests/krb5/raw_testcase.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index b28939f0388..333aab70c8e 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -263,6 +263,11 @@ class RawKerberosTest(TestCaseInTempDir): self.do_asn1_print = False self.do_hexdump = False + strict_checking = samba.tests.env_get_var_value('STRICT_CHECKING', allow_missing=True) + if strict_checking is None: + strict_checking = '1' + self.strict_checking = bool(int(strict_checking)) + self.host = samba.tests.env_get_var_value('SERVER') self.s = None -- 2.35.0 From b1d9a4f26bb35190d5affef0ee472bad45d7e6d8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 15 Apr 2020 13:49:52 +0200 Subject: [PATCH 091/686] tests/krb5/raw_testcase.py: add assertElement*() These helper functions make writing subsequent Kerberos test clearer. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 61e1b179812e48797146584998afc5bd0168beae) --- python/samba/tests/krb5/raw_testcase.py | 54 +++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 333aab70c8e..eb294a75a95 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -605,6 +605,36 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNotNone(value) return + def getElementValue(self, obj, elem): + v = None + try: + v = obj[elem] + except KeyError: + pass + return v + + def assertElementMissing(self, obj, elem): + v = self.getElementValue(obj, elem) + self.assertIsNone(v) + return + + def assertElementPresent(self, obj, elem): + v = self.getElementValue(obj, elem) + self.assertIsNotNone(v) + return + + def assertElementEqual(self, obj, elem, value): + v = self.getElementValue(obj, elem) + self.assertIsNotNone(v) + self.assertEqual(v, value) + return + + def assertElementEqualUTF8(self, obj, elem, value): + v = self.getElementValue(obj, elem) + self.assertIsNotNone(v) + self.assertEqual(v, bytes(value, 'utf8')) + return + def assertPrincipalEqual(self, princ1, princ2): self.assertEqual(princ1['name-type'], princ2['name-type']) self.assertEqual( @@ -618,6 +648,30 @@ class RawKerberosTest(TestCaseInTempDir): msg="princ1=%s != princ2=%s" % (princ1, princ2)) return + def assertElementEqualPrincipal(self, obj, elem, value): + v = self.getElementValue(obj, elem) + self.assertIsNotNone(v) + v = pyasn1_native_decode(v, asn1Spec=krb5_asn1.PrincipalName()) + self.assertPrincipalEqual(v, value) + return + + def assertElementKVNO(self, obj, elem, value): + v = self.getElementValue(obj, elem) + if value == "autodetect": + value = v + if value is not None: + self.assertIsNotNone(v) + # The value on the wire should never be 0 + self.assertNotEqual(v, 0) + # value == 0 means we don't know the kvno + # but enforce at any value != 0 is present + value = int(value) + if value != 0: + self.assertEqual(v, value) + else: + self.assertIsNone(v) + return + def get_KerberosTimeWithUsec(self, epoch=None, offset=None): if epoch is None: epoch = time.time() -- 2.35.0 From 2978bcb0d7a9ceba11333efe76cdab972185685d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 15 Apr 2020 17:50:00 +0200 Subject: [PATCH 092/686] tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint we allow the BitString_NamedValues_prettyPrint() routine to show more named values. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 34e079ce9a232a765fb3a2b25441434df35df54c) --- python/samba/tests/krb5/raw_testcase.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index eb294a75a95..29745fa4089 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -111,6 +111,12 @@ krb5_asn1.KDCOptions.namedValues =\ krb5_asn1.KDCOptionsValues.namedValues krb5_asn1.KDCOptions.prettyPrint =\ BitString_NamedValues_prettyPrint +krb5_asn1.APOptions.prettyPrintNamedValues =\ + krb5_asn1.APOptionsValues.namedValues +krb5_asn1.APOptions.namedValues =\ + krb5_asn1.APOptionsValues.namedValues +krb5_asn1.APOptions.prettyPrint =\ + BitString_NamedValues_prettyPrint def Integer_NamedValues_prettyPrint(self, scope=0): -- 2.35.0 From dbc99add823060860a6be838ddb5108d663248bd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 15 Apr 2020 17:57:37 +0200 Subject: [PATCH 093/686] tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint we allow the BitString_NamedValues_prettyPrint() routine to show more named values. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 3abb3b41368666535a216a98c3e7d15a5d498f7e) --- python/samba/tests/krb5/raw_testcase.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 29745fa4089..1ef15db9f8c 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -117,6 +117,12 @@ krb5_asn1.APOptions.namedValues =\ krb5_asn1.APOptionsValues.namedValues krb5_asn1.APOptions.prettyPrint =\ BitString_NamedValues_prettyPrint +krb5_asn1.PACOptionFlags.prettyPrintNamedValues =\ + krb5_asn1.PACOptionFlagsValues.namedValues +krb5_asn1.PACOptionFlags.namedValues =\ + krb5_asn1.PACOptionFlagsValues.namedValues +krb5_asn1.PACOptionFlags.prettyPrint =\ + BitString_NamedValues_prettyPrint def Integer_NamedValues_prettyPrint(self, scope=0): @@ -149,6 +155,10 @@ krb5_asn1.ChecksumType.prettyPrintNamedValues =\ krb5_asn1.ChecksumTypeValues.namedValues krb5_asn1.ChecksumType.prettyPrint =\ Integer_NamedValues_prettyPrint +krb5_asn1.KerbErrorDataType.prettyPrintNamedValues =\ + krb5_asn1.KerbErrorDataTypeValues.namedValues +krb5_asn1.KerbErrorDataType.prettyPrint =\ + Integer_NamedValues_prettyPrint class Krb5EncryptionKey(object): -- 2.35.0 From a95fb0c1d8c88f0a13a64f41748c8ca27035eedb Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 21 Apr 2020 14:45:01 +0200 Subject: [PATCH 094/686] tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create() This allows us to reuse body in future and calculate checksums on it. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b03fcfeb6c005936818ce50d511e9f9cc75aa9fb) --- python/samba/tests/krb5/raw_testcase.py | 81 +++++++------------------ 1 file changed, 23 insertions(+), 58 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 1ef15db9f8c..71a4753717f 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -872,19 +872,7 @@ class RawKerberosTest(TestCaseInTempDir): def KDC_REQ_create(self, msg_type, padata, - kdc_options, - cname, - realm, - sname, - from_time, - till_time, - renew_time, - nonce, - etypes, - addresses, - EncAuthorizationData, - EncAuthorizationData_key, - additional_tickets, + req_body, asn1Spec=None, asn1_print=None, hexdump=None): @@ -897,25 +885,10 @@ class RawKerberosTest(TestCaseInTempDir): # req-body [4] KDC-REQ-BODY # } # - KDC_REQ_BODY_obj = self.KDC_REQ_BODY_create(kdc_options, - cname, - realm, - sname, - from_time, - till_time, - renew_time, - nonce, - etypes, - addresses, - EncAuthorizationData, - EncAuthorizationData_key, - additional_tickets, - asn1_print=asn1_print, - hexdump=hexdump) KDC_REQ_obj = { 'pvno': 5, 'msg-type': msg_type, - 'req-body': KDC_REQ_BODY_obj, + 'req-body': req_body, } if padata is not None: KDC_REQ_obj['padata'] = padata @@ -974,22 +947,26 @@ class RawKerberosTest(TestCaseInTempDir): # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL # -- NOTE: not empty # } + KDC_REQ_BODY_obj = self.KDC_REQ_BODY_create( + kdc_options, + cname, + realm, + sname, + from_time, + till_time, + renew_time, + nonce, + etypes, + addresses, + EncAuthorizationData, + EncAuthorizationData_key, + additional_tickets, + asn1_print=asn1_print, + hexdump=hexdump) obj, decoded = self.KDC_REQ_create( msg_type=10, padata=padata, - kdc_options=kdc_options, - cname=cname, - realm=realm, - sname=sname, - from_time=from_time, - till_time=till_time, - renew_time=renew_time, - nonce=nonce, - etypes=etypes, - addresses=addresses, - EncAuthorizationData=EncAuthorizationData, - EncAuthorizationData_key=EncAuthorizationData_key, - additional_tickets=additional_tickets, + req_body=KDC_REQ_BODY_obj, asn1Spec=krb5_asn1.AS_REQ(), asn1_print=asn1_print, hexdump=hexdump) @@ -1115,11 +1092,11 @@ class RawKerberosTest(TestCaseInTempDir): EncAuthorizationData=EncAuthorizationData, EncAuthorizationData_key=EncAuthorizationData_key, additional_tickets=additional_tickets) - req_body = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(), - asn1_print=asn1_print, hexdump=hexdump) + req_body_blob = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(), + asn1_print=asn1_print, hexdump=hexdump) req_body_checksum = self.Checksum_create( - ticket_session_key, 6, req_body, ctype=body_checksum_type) + ticket_session_key, 6, req_body_blob, ctype=body_checksum_type) subkey_obj = None if authenticator_subkey is not None: @@ -1158,19 +1135,7 @@ class RawKerberosTest(TestCaseInTempDir): obj, decoded = self.KDC_REQ_create( msg_type=12, padata=padata, - kdc_options=kdc_options, - cname=None, - realm=realm, - sname=sname, - from_time=from_time, - till_time=till_time, - renew_time=renew_time, - nonce=nonce, - etypes=etypes, - addresses=addresses, - EncAuthorizationData=EncAuthorizationData, - EncAuthorizationData_key=EncAuthorizationData_key, - additional_tickets=additional_tickets, + req_body=req_body, asn1Spec=krb5_asn1.TGS_REQ(), asn1_print=asn1_print, hexdump=hexdump) -- 2.35.0 From f762b6f908967debd7627d926e1bdf03222949f1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 16 Apr 2020 10:43:54 +0200 Subject: [PATCH 095/686] tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create() This allows building the pre-authentication data that encodes the request for the KDC (or more likely a request not to include) the KRB5 PAC in the resulting ticket. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ee2ac2b8ccafe3e6d560d893a4135a28e393914d) --- python/samba/tests/krb5/raw_testcase.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 71a4753717f..f341911ef53 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -799,6 +799,21 @@ class RawKerberosTest(TestCaseInTempDir): } return PA_ENC_TS_ENC_obj + def KERB_PA_PAC_REQUEST_create(self, include_pac, pa_data_create=True): + #KERB-PA-PAC-REQUEST ::= SEQUENCE { + # include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC. + # --If FALSE, and PAC present, remove PAC + #} + KERB_PA_PAC_REQUEST_obj = { + 'include-pac': include_pac, + } + if not pa_data_create: + return KERB_PA_PAC_REQUEST_obj + pa_pac = self.der_encode(KERB_PA_PAC_REQUEST_obj, + asn1Spec=krb5_asn1.KERB_PA_PAC_REQUEST()) + pa_data = self.PA_DATA_create(128, pa_pac) # PA-PAC-REQUEST + return pa_data + def KDC_REQ_BODY_create(self, kdc_options, cname, -- 2.35.0 From 367a8dfc58b225963496b2bd7caebe51d1b87f0c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 20 Apr 2020 20:02:52 +0200 Subject: [PATCH 096/686] tests/krb5/raw_testcase.py: add methods to iterate over etype permutations It's often useful to run tests over a lot of input parameter permutations. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit e3905035847a5268c1a65366830cc739280ae437) --- python/samba/tests/krb5/raw_testcase.py | 58 +++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index f341911ef53..a002a442d03 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -23,6 +23,7 @@ import time import datetime import random import binascii +import itertools import samba.tests from samba.credentials import Credentials @@ -274,6 +275,63 @@ class KerberosCredentials(Credentials): class RawKerberosTest(TestCaseInTempDir): """A raw Kerberos Test case.""" + etypes_to_test = ( + { "value": -1111, "name": "dummy", }, + { "value": kcrypto.Enctype.AES256, "name": "aes128", }, + { "value": kcrypto.Enctype.AES128, "name": "aes256", }, + { "value": kcrypto.Enctype.RC4, "name": "rc4", }, + ) + + setup_etype_test_permutations_done = False + + @classmethod + def setup_etype_test_permutations(cls): + if cls.setup_etype_test_permutations_done: + return + + res = [] + + num_idxs = len(cls.etypes_to_test) + permutations = [] + for num in range(1, num_idxs+1): + chunk = list(itertools.permutations(range(num_idxs), num)) + for e in chunk: + el = list(e) + permutations.append(el) + + for p in permutations: + name = None + etypes = () + for idx in p: + n = cls.etypes_to_test[idx]["name"] + if name is None: + name = n + else: + name += "_%s" % n + etypes += (cls.etypes_to_test[idx]["value"],) + + r = { "name": name, "etypes": etypes, } + res.append(r) + + cls.etype_test_permutations = res + cls.setup_etype_test_permutations_done = True + return + + @classmethod + def etype_test_permutation_name_idx(cls): + cls.setup_etype_test_permutations() + res = [] + idx = 0 + for e in cls.etype_test_permutations: + r = (e['name'], idx) + idx += 1 + res.append(r) + return res + + def etype_test_permutation_by_idx(self, idx): + e = self.etype_test_permutations[idx] + return (e['name'], e['etypes']) + def setUp(self): super().setUp() self.do_asn1_print = False -- 2.35.0 From 0fb4ebc400c96c3bbaae1cd95509341dc79b70b7 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 16 Apr 2020 17:13:35 +0200 Subject: [PATCH 097/686] tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds() This will allow building test_as_req_enc_timestamp() It also introduces ways to specify keys in hex formated environment variables ${PREFIX}_{AES256,AES128,RC4}_KEY_HEX. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 69ce2a6408f78d41eb865b89726021ad7643b065) --- python/samba/tests/krb5/raw_testcase.py | 29 +++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index a002a442d03..7d0dc9c9609 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -784,6 +784,35 @@ class RawKerberosTest(TestCaseInTempDir): return self.PasswordKey_create( etype=e, pwd=password, salt=salt, kvno=kvno) + def TicketDecryptionKey_from_creds(self, creds, etype=None): + + if etype is None: + etypes = creds.get_tgs_krb5_etypes() + etype = etypes[0] + + forced_key = creds.get_forced_key(etype) + if forced_key is not None: + return forced_key + + kvno = creds.get_kvno() + + fail_msg = ("%s has no fixed key for etype[%s] kvno[%s] " + "nor a password specified, " % ( + creds.get_username(), etype, kvno)) + + if etype == kcrypto.Enctype.RC4: + nthash = creds.get_nt_hash() + self.assertIsNotNone(nthash, msg=fail_msg) + return self.SessionKey_create(etype=etype, contents=nthash, kvno=kvno) + + password = creds.get_password() + self.assertIsNotNone(password, msg=fail_msg) + salt = creds.get_forced_salt() + if salt is None: + salt = bytes("%s%s" % (creds.get_realm(), creds.get_username()), + encoding='utf-8') + return self.PasswordKey_create(etype=etype, pwd=password, salt=salt, kvno=kvno) + def RandomKey(self, etype): e = kcrypto._get_enctype_profile(etype) contents = samba.generate_random_bytes(e.keysize) -- 2.35.0 From 3d9fcffb4f92fdc22c33b66bd17142fca3733d50 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 21 Apr 2020 11:07:45 +0200 Subject: [PATCH 098/686] tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure This will allow us to write tests, which will all cross check almost every aspect of the KDC response (including encrypted parts). Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 6e2f2adc8e825634780077e24a9e437bdc68155a) --- python/samba/tests/krb5/raw_testcase.py | 634 +++++++++++++++++++ python/samba/tests/krb5/rfc4120_constants.py | 11 + 2 files changed, 645 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 7d0dc9c9609..8c8926b0ad2 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -30,6 +30,27 @@ from samba.credentials import Credentials from samba.tests import TestCaseInTempDir from samba.dcerpc import security import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +from samba.tests.krb5.rfc4120_constants import ( + KDC_ERR_ETYPE_NOSUPP, + KDC_ERR_PREAUTH_REQUIRED, + KRB_AS_REP, + KRB_AS_REQ, + KRB_ERROR, + KRB_TGS_REP, + KRB_TGS_REQ, + KU_AS_REP_ENC_PART, + KU_TGS_REP_ENC_PART_SESSION, + KU_TGS_REP_ENC_PART_SUB_KEY, + KU_TGS_REQ_AUTH, + KU_TGS_REQ_AUTH_CKSUM, + KU_TICKET, + PADATA_ENC_TIMESTAMP, + PADATA_ETYPE_INFO, + PADATA_ETYPE_INFO2, + PADATA_KDC_REQ, + PADATA_PK_AS_REQ, + PADATA_PK_AS_REP_19 +) import samba.tests.krb5.kcrypto as kcrypto from pyasn1.codec.der.decoder import decode as pyasn1_der_decode @@ -272,6 +293,24 @@ class KerberosCredentials(Credentials): def get_forced_salt(self): return self.forced_salt +class KerberosTicketCreds(object): + def __init__(self, ticket, session_key, + crealm=None, cname=None, + srealm=None, sname=None, + decryption_key=None, + ticket_private=None, + encpart_private=None): + self.ticket = ticket + self.session_key = session_key + self.crealm = crealm + self.cname = cname + self.srealm = srealm + self.sname = sname + self.decryption_key = decryption_key + self.ticket_private = ticket_private + self.encpart_private = encpart_private + return + class RawKerberosTest(TestCaseInTempDir): """A raw Kerberos Test case.""" @@ -758,6 +797,12 @@ class RawKerberosTest(TestCaseInTempDir): (s, _) = self.get_KerberosTimeWithUsec(epoch=epoch, offset=offset) return s + def get_Nonce(self): + nonce_min=0x7f000000 + nonce_max=0x7fffffff + v = random.randint(nonce_min, nonce_max) + return v + def SessionKey_create(self, etype, contents, kvno=None): key = kcrypto.Key(etype, contents) return Krb5EncryptionKey(key, kvno) @@ -1268,3 +1313,592 @@ class RawKerberosTest(TestCaseInTempDir): pa_s4u2self = self.der_encode( PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self()) return self.PA_DATA_create(129, pa_s4u2self) + + def _generic_kdc_exchange(self, + kdc_exchange_dict, # required + kdc_options=None, # required + cname=None, # optional + realm=None, # required + sname=None, # optional + from_time=None, # optional + till_time=None, # required + renew_time=None, # optional + nonce=None, # required + etypes=None, # required + addresses=None, # optional + EncAuthorizationData=None, # optional + EncAuthorizationData_key=None, # optional + additional_tickets=None): # optional + + check_error_fn = kdc_exchange_dict['check_error_fn'] + check_rep_fn = kdc_exchange_dict['check_rep_fn'] + generate_padata_fn = kdc_exchange_dict['generate_padata_fn'] + callback_dict = kdc_exchange_dict['callback_dict'] + req_msg_type = kdc_exchange_dict['req_msg_type'] + req_asn1Spec = kdc_exchange_dict['req_asn1Spec'] + rep_msg_type = kdc_exchange_dict['rep_msg_type'] + + if till_time is None: + till_time = self.get_KerberosTime(offset=36000) + if nonce is None: + nonce = self.get_Nonce() + + req_body = self.KDC_REQ_BODY_create(kdc_options=kdc_options, + cname=cname, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets) + if generate_padata_fn is not None: + # This can alter req_body... + padata, req_body = generate_padata_fn(kdc_exchange_dict, + callback_dict, + req_body) + else: + padata = None + + kdc_exchange_dict['req_padata'] = padata + kdc_exchange_dict['req_body'] = req_body + + req_obj,req_decoded = self.KDC_REQ_create(msg_type=req_msg_type, + padata=padata, + req_body=req_body, + asn1Spec=req_asn1Spec()) + + rep = self.send_recv_transaction(req_decoded) + self.assertIsNotNone(rep) + + msg_type = self.getElementValue(rep, 'msg-type') + self.assertIsNotNone(msg_type) + + allowed_msg_types = () + if check_error_fn is not None: + allowed_msg_types = (KRB_ERROR,) + if check_rep_fn is not None: + allowed_msg_types += (rep_msg_type,) + self.assertIn(msg_type, allowed_msg_types) + + if msg_type == KRB_ERROR: + return check_error_fn(kdc_exchange_dict, + callback_dict, + rep) + + return check_rep_fn(kdc_exchange_dict, callback_dict, rep) + + def as_exchange_dict(self, + expected_crealm=None, + expected_cname=None, + expected_srealm=None, + expected_sname=None, + ticket_decryption_key=None, + generate_padata_fn=None, + check_error_fn=None, + check_rep_fn=None, + check_padata_fn=None, + check_kdc_private_fn=None, + callback_dict=dict(), + expected_error_mode=None, + client_as_etypes=None, + expected_salt=None): + kdc_exchange_dict = { + 'req_msg_type': KRB_AS_REQ, + 'req_asn1Spec': krb5_asn1.AS_REQ, + 'rep_msg_type': KRB_AS_REP, + 'rep_asn1Spec': krb5_asn1.AS_REP, + 'rep_encpart_asn1Spec': krb5_asn1.EncASRepPart, + 'expected_crealm': expected_crealm, + 'expected_cname': expected_cname, + 'expected_srealm': expected_srealm, + 'expected_sname': expected_sname, + 'ticket_decryption_key': ticket_decryption_key, + 'generate_padata_fn': generate_padata_fn, + 'check_error_fn': check_error_fn, + 'check_rep_fn': check_rep_fn, + 'check_padata_fn': check_padata_fn, + 'check_kdc_private_fn': check_kdc_private_fn, + 'callback_dict': callback_dict, + 'expected_error_mode': expected_error_mode, + 'client_as_etypes': client_as_etypes, + 'expected_salt': expected_salt, + } + return kdc_exchange_dict + + def tgs_exchange_dict(self, + expected_crealm=None, + expected_cname=None, + expected_srealm=None, + expected_sname=None, + ticket_decryption_key=None, + generate_padata_fn=None, + check_error_fn=None, + check_rep_fn=None, + check_padata_fn=None, + check_kdc_private_fn=None, + callback_dict=dict(), + tgt=None, + authenticator_subkey=None, + body_checksum_type=None): + kdc_exchange_dict = { + 'req_msg_type': KRB_TGS_REQ, + 'req_asn1Spec': krb5_asn1.TGS_REQ, + 'rep_msg_type': KRB_TGS_REP, + 'rep_asn1Spec': krb5_asn1.TGS_REP, + 'rep_encpart_asn1Spec': krb5_asn1.EncTGSRepPart, + 'expected_crealm': expected_crealm, + 'expected_cname': expected_cname, + 'expected_srealm': expected_srealm, + 'expected_sname': expected_sname, + 'ticket_decryption_key': ticket_decryption_key, + 'generate_padata_fn': generate_padata_fn, + 'check_error_fn': check_error_fn, + 'check_rep_fn': check_rep_fn, + 'check_padata_fn': check_padata_fn, + 'check_kdc_private_fn': check_kdc_private_fn, + 'callback_dict': callback_dict, + 'tgt': tgt, + 'body_checksum_type': body_checksum_type, + 'authenticator_subkey': authenticator_subkey, + } + return kdc_exchange_dict + + def generic_check_kdc_rep(self, + kdc_exchange_dict, + callback_dict, + rep): + + expected_crealm = kdc_exchange_dict['expected_crealm'] + expected_cname = kdc_exchange_dict['expected_cname'] + expected_srealm = kdc_exchange_dict['expected_srealm'] + expected_sname = kdc_exchange_dict['expected_sname'] + ticket_decryption_key = kdc_exchange_dict['ticket_decryption_key'] + check_padata_fn = kdc_exchange_dict['check_padata_fn'] + check_kdc_private_fn = kdc_exchange_dict['check_kdc_private_fn'] + rep_encpart_asn1Spec = kdc_exchange_dict['rep_encpart_asn1Spec'] + msg_type = kdc_exchange_dict['rep_msg_type'] + + self.assertElementEqual(rep, 'msg-type', msg_type) # AS-REP | TGS-REP + padata = self.getElementValue(rep, 'padata') + self.assertElementEqualUTF8(rep, 'crealm', expected_crealm) + self.assertElementEqualPrincipal(rep, 'cname', expected_cname) + self.assertElementPresent(rep, 'ticket') + ticket = self.getElementValue(rep, 'ticket') + ticket_encpart = None + ticket_cipher = None + if ticket is not None: # Never None, but gives indentation + self.assertElementPresent(ticket, 'tkt-vno') + self.assertElementEqualUTF8(ticket, 'realm', expected_srealm) + self.assertElementEqualPrincipal(ticket, 'sname', expected_sname) + self.assertElementPresent(ticket, 'enc-part') + ticket_encpart = self.getElementValue(ticket, 'enc-part') + if ticket_encpart is not None: # Never None, but gives indentation + self.assertElementPresent(ticket_encpart, 'etype') + # 0 means present, with any value != 0 + self.assertElementKVNO(ticket_encpart, 'kvno', 0) + self.assertElementPresent(ticket_encpart, 'cipher') + ticket_cipher = self.getElementValue(ticket_encpart, 'cipher') + self.assertElementPresent(rep, 'enc-part') + encpart = self.getElementValue(rep, 'enc-part') + encpart_cipher = None + if encpart is not None: # Never None, but gives indentation + self.assertElementPresent(encpart, 'etype') + self.assertElementKVNO(ticket_encpart, 'kvno', 'autodetect') + self.assertElementPresent(encpart, 'cipher') + encpart_cipher = self.getElementValue(encpart, 'cipher') + + encpart_decryption_key = None + if check_padata_fn is not None: + # See if get the decryption key from the preauth phase + encpart_decryption_key,encpart_decryption_usage = \ + check_padata_fn(kdc_exchange_dict, callback_dict, + rep, padata) + + ticket_private = None + if ticket_decryption_key is not None: + self.assertElementEqual(ticket_encpart, 'etype', ticket_decryption_key.etype) + self.assertElementKVNO(ticket_encpart, 'kvno', ticket_decryption_key.kvno) + ticket_decpart = ticket_decryption_key.decrypt(KU_TICKET, ticket_cipher) + ticket_private = self.der_decode(ticket_decpart, asn1Spec=krb5_asn1.EncTicketPart()) + + encpart_private = None + if encpart_decryption_key is not None: + self.assertElementEqual(encpart, 'etype', encpart_decryption_key.etype) + self.assertElementKVNO(encpart, 'kvno', encpart_decryption_key.kvno) + rep_decpart = encpart_decryption_key.decrypt(encpart_decryption_usage, encpart_cipher) + encpart_private = self.der_decode(rep_decpart, asn1Spec=rep_encpart_asn1Spec()) + + if check_kdc_private_fn is not None: + check_kdc_private_fn(kdc_exchange_dict, callback_dict, + rep, ticket_private, encpart_private) + + return rep + + def generic_check_kdc_private(self, + kdc_exchange_dict, + callback_dict, + rep, + ticket_private, + encpart_private): + + expected_crealm = kdc_exchange_dict['expected_crealm'] + expected_cname = kdc_exchange_dict['expected_cname'] + expected_srealm = kdc_exchange_dict['expected_srealm'] + expected_sname = kdc_exchange_dict['expected_sname'] + ticket_decryption_key = kdc_exchange_dict['ticket_decryption_key'] + + ticket = self.getElementValue(rep, 'ticket') + + ticket_session_key = None + if ticket_private is not None: + self.assertElementPresent(ticket_private, 'flags') + self.assertElementPresent(ticket_private, 'key') + ticket_key = self.getElementValue(ticket_private, 'key') + if ticket_key is not None: # Never None, but gives indentation + self.assertElementPresent(ticket_key, 'keytype') + self.assertElementPresent(ticket_key, 'keyvalue') + ticket_session_key = self.EncryptionKey_import(ticket_key) + self.assertElementEqualUTF8(ticket_private, 'crealm', expected_crealm) + self.assertElementEqualPrincipal(ticket_private, 'cname', expected_cname) + self.assertElementPresent(ticket_private, 'transited') + self.assertElementPresent(ticket_private, 'authtime') + if self.strict_checking: + self.assertElementPresent(ticket_private, 'starttime') + self.assertElementPresent(ticket_private, 'endtime') + # TODO self.assertElementPresent(ticket_private, 'renew-till') + # TODO self.assertElementMissing(ticket_private, 'caddr') + self.assertElementPresent(ticket_private, 'authorization-data') + + encpart_session_key = None + if encpart_private is not None: + self.assertElementPresent(encpart_private, 'key') + encpart_key = self.getElementValue(encpart_private, 'key') + if encpart_key is not None: # Never None, but gives indentation + self.assertElementPresent(encpart_key, 'keytype') + self.assertElementPresent(encpart_key, 'keyvalue') + encpart_session_key = self.EncryptionKey_import(encpart_key) + self.assertElementPresent(encpart_private, 'last-req') + self.assertElementPresent(encpart_private, 'nonce') + # TODO self.assertElementPresent(encpart_private, 'key-expiration') + self.assertElementPresent(encpart_private, 'flags') + self.assertElementPresent(encpart_private, 'authtime') + if self.strict_checking: + self.assertElementPresent(encpart_private, 'starttime') + self.assertElementPresent(encpart_private, 'endtime') + # TODO self.assertElementPresent(encpart_private, 'renew-till') + self.assertElementEqualUTF8(encpart_private, 'srealm', expected_srealm) + self.assertElementEqualPrincipal(encpart_private, 'sname', expected_sname) + # TODO self.assertElementMissing(encpart_private, 'caddr') + + if ticket_session_key is not None and encpart_session_key is not None: + self.assertEqual(ticket_session_key.etype, encpart_session_key.etype) + self.assertEqual(ticket_session_key.key.contents, encpart_session_key.key.contents) + if encpart_session_key is not None: + session_key = encpart_session_key + else: + session_key = ticket_session_key + ticket_creds = KerberosTicketCreds(ticket, + session_key, + crealm=expected_crealm, + cname=expected_cname, + srealm=expected_srealm, + sname=expected_sname, + decryption_key=ticket_decryption_key, + ticket_private=ticket_private, + encpart_private=encpart_private) + + kdc_exchange_dict['rep_ticket_creds'] = ticket_creds + return + + def generic_check_as_error(self, + kdc_exchange_dict, + callback_dict, + rep): + + expected_crealm = kdc_exchange_dict['expected_crealm'] + expected_cname = kdc_exchange_dict['expected_cname'] + expected_srealm = kdc_exchange_dict['expected_srealm'] + expected_sname = kdc_exchange_dict['expected_sname'] + expected_salt = kdc_exchange_dict['expected_salt'] + client_as_etypes = kdc_exchange_dict['client_as_etypes'] + expected_error_mode = kdc_exchange_dict['expected_error_mode'] + req_body = kdc_exchange_dict['req_body'] + proposed_etypes = req_body['etype'] + + kdc_exchange_dict['preauth_etype_info2'] = None + + expect_etype_info2 = () + expect_etype_info = False + unexpect_etype_info = True + expected_aes_type = 0 + expected_rc4_type = 0 + if kcrypto.Enctype.RC4 in proposed_etypes: + expect_etype_info = True + for etype in proposed_etypes: + if etype in (kcrypto.Enctype.AES256,kcrypto.Enctype.AES128): + expect_etype_info = False + if etype not in client_as_etypes: + continue + if etype in (kcrypto.Enctype.AES256,kcrypto.Enctype.AES128): + if etype > expected_aes_type: + expected_aes_type = etype + if etype in (kcrypto.Enctype.RC4,): + unexpect_etype_info = False + if etype > expected_rc4_type: + expected_rc4_type = etype + + if expected_aes_type != 0: + expect_etype_info2 += (expected_aes_type,) + if expected_rc4_type != 0: + expect_etype_info2 += (expected_rc4_type,) + + expected_error = KDC_ERR_ETYPE_NOSUPP + expected_patypes = () + if expect_etype_info: + self.assertGreater(len(expect_etype_info2), 0) + expected_patypes += (PADATA_ETYPE_INFO,) + if len(expect_etype_info2) != 0: + expected_error = KDC_ERR_PREAUTH_REQUIRED + expected_patypes += (PADATA_ETYPE_INFO2,) + + expected_patypes += (PADATA_ENC_TIMESTAMP,) + expected_patypes += (PADATA_PK_AS_REQ,) + expected_patypes += (PADATA_PK_AS_REP_19,) + + self.assertElementEqual(rep, 'msg-type', KRB_ERROR) + self.assertElementEqual(rep, 'error-code', expected_error) + self.assertElementMissing(rep, 'ctime') + self.assertElementMissing(rep, 'cusec') + self.assertElementPresent(rep, 'stime') + self.assertElementPresent(rep, 'susec') + # error-code checked above + if self.strict_checking: + self.assertElementMissing(rep, 'crealm') + self.assertElementMissing(rep, 'cname') + self.assertElementEqualUTF8(rep, 'realm', expected_srealm) + self.assertElementEqualPrincipal(rep, 'sname', expected_sname) + if self.strict_checking: + self.assertElementMissing(rep, 'e-text') + if expected_error_mode != KDC_ERR_PREAUTH_REQUIRED: + self.assertElementMissing(rep, 'e-data') + return + edata = self.getElementValue(rep, 'e-data') + if self.strict_checking: + self.assertIsNotNone(edata) + if edata is not None: + rep_padata = self.der_decode(edata, asn1Spec=krb5_asn1.METHOD_DATA()) + self.assertGreater(len(rep_padata), 0) + else: + rep_padata = [] + + if self.strict_checking: + for i in range(0, len(expected_patypes)): + self.assertElementEqual(rep_padata[i], 'padata-type', expected_patypes[i]) + self.assertEqual(len(rep_padata), len(expected_patypes)) + + etype_info2 = None + etype_info = None + enc_timestamp = None + pk_as_req = None + pk_as_rep19 = None + for pa in rep_padata: + patype = self.getElementValue(pa, 'padata-type') + pavalue = self.getElementValue(pa, 'padata-value') + if patype == PADATA_ETYPE_INFO2: + self.assertIsNone(etype_info2) + etype_info2 = self.der_decode(pavalue, asn1Spec=krb5_asn1.ETYPE_INFO2()) + continue + if patype == PADATA_ETYPE_INFO: + self.assertIsNone(etype_info) + etype_info = self.der_decode(pavalue, asn1Spec=krb5_asn1.ETYPE_INFO()) + continue + if patype == PADATA_ENC_TIMESTAMP: + self.assertIsNone(enc_timestamp) + enc_timestamp = pavalue + self.assertEqual(len(enc_timestamp), 0) + continue + if patype == PADATA_PK_AS_REQ: + self.assertIsNone(pk_as_req) + pk_as_req = pavalue + self.assertEqual(len(pk_as_req), 0) + continue + if patype == PADATA_PK_AS_REP_19: + self.assertIsNone(pk_as_rep19) + pk_as_rep19 = pavalue + self.assertEqual(len(pk_as_rep19), 0) + continue + + if expected_error == KDC_ERR_ETYPE_NOSUPP: + self.assertIsNone(etype_info2) + self.assertIsNone(etype_info) + if self.strict_checking: + self.assertIsNotNone(enc_timestamp) + self.assertIsNotNone(pk_as_req) + self.assertIsNotNone(pk_as_rep19) + return + + self.assertIsNotNone(etype_info2) + if expect_etype_info: + self.assertIsNotNone(etype_info) + else: + if self.strict_checking: + self.assertIsNone(etype_info) + if unexpect_etype_info: + self.assertIsNone(etype_info) + + self.assertGreaterEqual(len(etype_info2), 1) + self.assertLessEqual(len(etype_info2), len(expect_etype_info2)) + if self.strict_checking: + self.assertEqual(len(etype_info2), len(expect_etype_info2)) + for i in range(0, len(etype_info2)): + e = self.getElementValue(etype_info2[i], 'etype') + self.assertEqual(e, expect_etype_info2[i]) + salt = self.getElementValue(etype_info2[i], 'salt') + if e == kcrypto.Enctype.RC4: + self.assertIsNone(salt) + else: + self.assertIsNotNone(salt) + if expected_salt is not None: + self.assertEqual(salt, expected_salt) + s2kparams = self.getElementValue(etype_info2[i], 's2kparams') + if self.strict_checking: + self.assertIsNone(s2kparams) + if etype_info is not None: + self.assertEqual(len(etype_info), 1) + e = self.getElementValue(etype_info[0], 'etype') + self.assertEqual(e, kcrypto.Enctype.RC4) + self.assertEqual(e, expect_etype_info2[0]) + salt = self.getElementValue(etype_info[0], 'salt') + if self.strict_checking: + self.assertIsNotNone(salt) + self.assertEqual(len(salt), 0) + + self.assertIsNotNone(enc_timestamp) + self.assertIsNotNone(pk_as_req) + self.assertIsNotNone(pk_as_rep19) + + kdc_exchange_dict['preauth_etype_info2'] = etype_info2 + return + + def generate_simple_tgs_padata(self, + kdc_exchange_dict, + callback_dict, + req_body): + tgt = kdc_exchange_dict['tgt'] + authenticator_subkey = kdc_exchange_dict['authenticator_subkey'] + body_checksum_type = kdc_exchange_dict['body_checksum_type'] + + req_body_blob = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY()) + + req_body_checksum = self.Checksum_create(tgt.session_key, + KU_TGS_REQ_AUTH_CKSUM, + req_body_blob, + ctype=body_checksum_type) + + subkey_obj = None + if authenticator_subkey is not None: + subkey_obj = authenticator_subkey.export_obj() + seq_number = random.randint(0, 0xfffffffe) + (ctime, cusec) = self.get_KerberosTimeWithUsec() + authenticator_obj = self.Authenticator_create(crealm=tgt.crealm, + cname=tgt.cname, + cksum=req_body_checksum, + cusec=cusec, + ctime=ctime, + subkey=subkey_obj, + seq_number=seq_number, + authorization_data=None) + authenticator_blob = self.der_encode(authenticator_obj, asn1Spec=krb5_asn1.Authenticator()) + + authenticator = self.EncryptedData_create(tgt.session_key, + KU_TGS_REQ_AUTH, + authenticator_blob) + + ap_options = krb5_asn1.APOptions('0') + ap_req_obj = self.AP_REQ_create(ap_options=str(ap_options), + ticket=tgt.ticket, + authenticator=authenticator) + ap_req = self.der_encode(ap_req_obj, asn1Spec=krb5_asn1.AP_REQ()) + pa_tgs_req = self.PA_DATA_create(PADATA_KDC_REQ, ap_req) + padata = [pa_tgs_req] + + return padata, req_body + + def check_simple_tgs_padata(self, + kdc_exchange_dict, + callback_dict, + rep, + padata): + tgt = kdc_exchange_dict['tgt'] + authenticator_subkey = kdc_exchange_dict['authenticator_subkey'] + if authenticator_subkey is not None: + subkey = authenticator_subkey + subkey_usage = KU_TGS_REP_ENC_PART_SUB_KEY + else: + subkey = tgt.session_key + subkey_usage = KU_TGS_REP_ENC_PART_SESSION + + return subkey, subkey_usage + + def _test_as_exchange(self, + cname, + realm, + sname, + till, + client_as_etypes, + expected_error_mode, + expected_crealm, + expected_cname, + expected_srealm, + expected_sname, + expected_salt, + etypes, + padata, + kdc_options, + preauth_key=None, + ticket_decryption_key=None): + + def _generate_padata_copy(_kdc_exchange_dict, + _callback_dict, + req_body): + return padata, req_body + + def _check_padata_preauth_key(_kdc_exchange_dict, + _callback_dict, + rep, + padata): + as_rep_usage = KU_AS_REP_ENC_PART + return preauth_key, as_rep_usage + + kdc_exchange_dict = self.as_exchange_dict( + expected_crealm=expected_crealm, + expected_cname=expected_cname, + expected_srealm=expected_srealm, + expected_sname=expected_sname, + ticket_decryption_key=ticket_decryption_key, + generate_padata_fn=_generate_padata_copy, + check_error_fn=self.generic_check_as_error, + check_rep_fn=self.generic_check_kdc_rep, + check_padata_fn=_check_padata_preauth_key, + check_kdc_private_fn=self.generic_check_kdc_private, + expected_error_mode=expected_error_mode, + client_as_etypes=client_as_etypes, + expected_salt=expected_salt) + + rep = self._generic_kdc_exchange(kdc_exchange_dict, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + till_time=till, + etypes=etypes) + + if expected_error_mode == 0: # AS-REP + return rep + + return kdc_exchange_dict['preauth_etype_info2'] diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index 702f6084217..a4c5e079b66 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -28,16 +28,27 @@ ARCFOUR_HMAC_MD5 = int( # Message types KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error')) KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep')) +KRB_AS_REQ = int(krb5_asn1.MessageTypeValues('krb-as-req')) KRB_TGS_REP = int(krb5_asn1.MessageTypeValues('krb-tgs-rep')) +KRB_TGS_REQ = int(krb5_asn1.MessageTypeValues('krb-tgs-req')) # PAData types PADATA_ENC_TIMESTAMP = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP')) +PADATA_ETYPE_INFO = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO')) PADATA_ETYPE_INFO2 = int( krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2')) +PADATA_KDC_REQ = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-KDC-REQ')) +PADATA_PK_AS_REQ = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REQ')) +PADATA_PK_AS_REP_19 = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REP-19')) # Error codes KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 +KDC_ERR_ETYPE_NOSUPP = 14 KDC_ERR_PREAUTH_FAILED = 24 KDC_ERR_PREAUTH_REQUIRED = 25 KDC_ERR_BADMATCH = 36 -- 2.35.0 From a85e907f652c30fb9d12c538b0b0b8739b64dc2e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 21 Apr 2020 11:07:45 +0200 Subject: [PATCH 099/686] tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol Example commands: Windows 2012R2: SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests Windows 2008R2: SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests Samba 4.14: SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 01d86954d217e38be333aa1ce7db1d3d9059cd4c) --- python/samba/tests/krb5/as_req_tests.py | 121 ++++++++++++++++++++++++ python/samba/tests/usage.py | 1 + 2 files changed, 122 insertions(+) create mode 100755 python/samba/tests/krb5/as_req_tests.py diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py new file mode 100755 index 00000000000..3ad37c6bdf2 --- /dev/null +++ b/python/samba/tests/krb5/as_req_tests.py @@ -0,0 +1,121 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests import DynamicTestCase +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +from samba.tests.krb5.rfc4120_constants import ( + KDC_ERR_PREAUTH_REQUIRED, + NT_PRINCIPAL, + NT_SRV_INST +) + +global_asn1_print = False +global_hexdump = False + +@DynamicTestCase +class AsReqKerberosTests(RawKerberosTest): + + @classmethod + def setUpDynamicTestCases(cls): + for (name, idx) in cls.etype_test_permutation_name_idx(): + for pac in [None, True, False]: + tname = "%s_pac_%s" % (name, pac) + targs = (idx, pac) + cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs) + return + + def setUp(self): + super(AsReqKerberosTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def _test_as_req_nopreauth(self, + initial_etypes, + initial_padata=None, + initial_kdc_options=None): + client_creds = self.get_client_creds() + client_account = client_creds.get_username() + client_as_etypes = client_creds.get_as_krb5_etypes() + krbtgt_creds = self.get_krbtgt_creds() + krbtgt_account = krbtgt_creds.get_username() + realm = krbtgt_creds.get_realm() + + cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[client_account]) + sname = self.PrincipalName_create(name_type=NT_SRV_INST, + names=[krbtgt_account, realm]) + + expected_error_mode = KDC_ERR_PREAUTH_REQUIRED + expected_crealm = realm + expected_cname = cname + expected_srealm = realm + expected_sname = sname + expected_salt = client_creds.get_forced_salt() + + def _generate_padata_copy(_kdc_exchange_dict, + _callback_dict, + req_body): + return initial_padata, req_body + + kdc_exchange_dict = self.as_exchange_dict( + expected_crealm=expected_crealm, + expected_cname=expected_cname, + expected_srealm=expected_srealm, + expected_sname=expected_sname, + generate_padata_fn=_generate_padata_copy, + check_error_fn=self.generic_check_as_error, + check_rep_fn=self.generic_check_kdc_rep, + expected_error_mode=expected_error_mode, + client_as_etypes=client_as_etypes, + expected_salt=expected_salt) + + rep = self._generic_kdc_exchange(kdc_exchange_dict, + kdc_options=str(initial_kdc_options), + cname=cname, + realm=realm, + sname=sname, + etypes=initial_etypes) + + return kdc_exchange_dict['preauth_etype_info2'] + + def _test_as_req_no_preauth_with_args(self, etype_idx, pac): + name, etypes = self.etype_test_permutation_by_idx(etype_idx) + if pac is None: + padata = None + else: + pa_pac = self.KERB_PA_PAC_REQUEST_create(pac) + padata = [pa_pac] + return self._test_as_req_nopreauth( + initial_padata=padata, + initial_etypes=etypes, + initial_kdc_options=krb5_asn1.KDCOptions('forwardable')) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() + diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index ad13012c9bb..db46705cdb4 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -98,6 +98,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/test_rpc.py', 'python/samba/tests/krb5/test_smb.py', 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', + 'python/samba/tests/krb5/as_req_tests.py', } -- 2.35.0 From 6a77cea1ebe29e44001bf8fc243fdbb555087946 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 21 Apr 2020 11:07:45 +0200 Subject: [PATCH 100/686] selftest: run new as_req_tests against fl2008r2dc and fl2003dc There are a lot of things we should improve in our KDC in order to work like a Windows KDC. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d91665d33130aed11fa82d8d2796ab1627e04dc4) [jsutton@samba.org Fixed conflict from 0dbb923881a66b1e6b499b5b59103aea58ae0be6 not being applied] --- .../knownfail.d/samba.tests.krb5.as_req_tests | 276 +++++++++++++ selftest/knownfail_mit_kdc | 389 +++++++++++++++++- selftest/selftest.pl | 1 + selftest/target/Samba4.pm | 6 +- source4/selftest/tests.py | 10 + 5 files changed, 680 insertions(+), 2 deletions(-) create mode 100644 selftest/knownfail.d/samba.tests.krb5.as_req_tests diff --git a/selftest/knownfail.d/samba.tests.krb5.as_req_tests b/selftest/knownfail.d/samba.tests.krb5.as_req_tests new file mode 100644 index 00000000000..390d6cd0ab6 --- /dev/null +++ b/selftest/knownfail.d/samba.tests.krb5.as_req_tests @@ -0,0 +1,276 @@ +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_dummy_aes256_pac_True.fl2003dc diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 2c2a643944c..b610929a8dd 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -290,4 +290,391 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_b ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c - +# +# MIT currently fails some as_req_no_preauth tests. +# +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_False +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_dummy_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_aes256_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_aes256_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_dummy_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes128_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_dummy_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_aes128_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_aes128_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_dummy_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_dummy_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_aes256_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_aes128_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_aes256_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_False.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_False.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_None.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_None.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_True.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_rc4_pac_True.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4.fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4.fl2008r2dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_rc4_aes128.fl2003dc +^samba.tests.krb5.as_