def test_pac_groups(self):
if creds.get_kerberos_state() == DONT_USE_KERBEROS:
self.skipTest("Kerberos disabled, skipping PAC test")
settings = {}
settings["lp_ctx"] = lp
settings["target_hostname"] = lp.get("netbios name")
gensec_client = gensec.Security.start_client(settings)
gensec_client.set_credentials(creds)
gensec_client.want_feature(gensec.FEATURE_SEAL)
gensec_client.start_mech_by_sasl_name("GSSAPI")
auth_context = AuthContext(lp_ctx=lp, ldb=self.ldb, methods=[])
gensec_server = gensec.Security.start_server(settings, auth_context)
machine_creds = Credentials()
machine_creds.guess(lp)
machine_creds.set_machine_account(lp)
gensec_server.set_credentials(machine_creds)
gensec_server.want_feature(gensec.FEATURE_SEAL)
gensec_server.start_mech_by_sasl_name("GSSAPI")
client_finished = False
server_finished = False
server_to_client = ""
# Run the actual call loop.
while client_finished == False and server_finished == False:
if not client_finished:
print "running client gensec_update"
(client_finished,
client_to_server) = gensec_client.update(server_to_client)
if not server_finished:
print "running server gensec_update"
(server_finished,
server_to_client) = gensec_server.update(client_to_server)
session = gensec_server.session_info()
token = session.security_token
pac_sids = []
for s in token.sids:
pac_sids.append(str(s))
sidset1 = set(pac_sids)
sidset2 = set(self.user_sids)
if len(sidset1.difference(sidset2)):
print("token sids don't match")
print("difference : %s" % sidset1.difference(sidset2))
self.fail(
msg="calculated groups don't match against user PAC tokenGroups"
)
def test_ccache(self):
# Create a user account and a machine account, along with a Kerberos
# credentials cache file where the service ticket authenticating the
# user are stored.
user_name = "ccacheusr"
mach_name = "ccachemac"
service = "host"
# Create the user account.
(user_credentials, _) = self.create_account(user_name)
# Create the machine account.
(mach_credentials,
_) = self.create_account(mach_name,
machine_account=True,
spn="%s/%s" % (service, mach_name))
# Talk to the KDC to obtain the service ticket, which gets placed into
# the cache. The machine account name has to match the name in the
# ticket, to ensure that the krbtgt ticket doesn't also need to be
# stored.
(creds,
cachefile) = self.create_ccache_with_user(user_credentials, mach_name)
# Authenticate in-process to the machine account using the user's
# cached credentials.
settings = {}
settings["lp_ctx"] = self.lp
settings["target_hostname"] = mach_name
gensec_client = gensec.Security.start_client(settings)
gensec_client.set_credentials(creds)
gensec_client.want_feature(gensec.FEATURE_SEAL)
gensec_client.start_mech_by_sasl_name("GSSAPI")
auth_context = AuthContext(lp_ctx=self.lp, ldb=self.ldb, methods=[])
gensec_server = gensec.Security.start_server(settings, auth_context)
gensec_server.set_credentials(mach_credentials)
gensec_server.start_mech_by_sasl_name("GSSAPI")
client_finished = False
server_finished = False
server_to_client = b''
# Operate as both the client and the server to verify the user's
# credentials.
while not client_finished or not server_finished:
if not client_finished:
print("running client gensec_update")
(client_finished,
client_to_server) = gensec_client.update(server_to_client)
if not server_finished:
print("running server gensec_update")
(server_finished,
server_to_client) = gensec_server.update(client_to_server)
# Ensure that the first SID contained within the obtained security
# token is the SID of the user we created.
# Retrieve the user account's SID.
ldb_res = self.ldb.search(scope=SCOPE_SUBTREE,
expression="(sAMAccountName=%s)" % user_name,
attrs=["objectSid"])
self.assertEqual(1, len(ldb_res))
sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0])
# Retrieve the SIDs from the security token.
session = gensec_server.session_info()
token = session.security_token
token_sids = token.sids
self.assertGreater(len(token_sids), 0)
# Ensure that they match.
self.assertEqual(sid, token_sids[0])
# Remove the cached credentials file.
os.remove(cachefile.name)
def _run_ccache_test(self,
rename=False,
include_pac=True,
expect_anon=False,
allow_error=False):
# Create a user account and a machine account, along with a Kerberos
# credentials cache file where the service ticket authenticating the
# user are stored.
mach_name = "ccachemac"
service = "host"
samdb = self.get_samdb()
# Create the user account.
user_credentials = self.get_cached_creds(
account_type=self.AccountType.USER, use_cache=False)
user_name = user_credentials.get_username()
# Create the machine account.
(mach_credentials,
_) = self.create_account(samdb,
mach_name,
account_type=self.AccountType.COMPUTER,
spn="%s/%s" % (service, mach_name))
# Talk to the KDC to obtain the service ticket, which gets placed into
# the cache. The machine account name has to match the name in the
# ticket, to ensure that the krbtgt ticket doesn't also need to be
# stored.
(creds, cachefile) = self.create_ccache_with_user(user_credentials,
mach_credentials,
pac=include_pac)
# Remove the cached credentials file.
self.addCleanup(os.remove, cachefile.name)
# Retrieve the user account's SID.
ldb_res = samdb.search(scope=SCOPE_SUBTREE,
expression="(sAMAccountName=%s)" % user_name,
attrs=["objectSid"])
self.assertEqual(1, len(ldb_res))
sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0])
if rename:
# Rename the account.
new_name = self.get_new_username()
msg = ldb.Message(user_credentials.get_dn())
msg['sAMAccountName'] = ldb.MessageElement(new_name,
ldb.FLAG_MOD_REPLACE,
'sAMAccountName')
samdb.modify(msg)
# Authenticate in-process to the machine account using the user's
# cached credentials.
lp = self.get_lp()
lp.set('server role', 'active directory domain controller')
settings = {}
settings["lp_ctx"] = lp
settings["target_hostname"] = mach_name
gensec_client = gensec.Security.start_client(settings)
gensec_client.set_credentials(creds)
gensec_client.want_feature(gensec.FEATURE_SEAL)
gensec_client.start_mech_by_sasl_name("GSSAPI")
auth_context = AuthContext(lp_ctx=lp, ldb=samdb, methods=[])
gensec_server = gensec.Security.start_server(settings, auth_context)
gensec_server.set_credentials(mach_credentials)
gensec_server.start_mech_by_sasl_name("GSSAPI")
client_finished = False
server_finished = False
server_to_client = b''
# Operate as both the client and the server to verify the user's
# credentials.
while not client_finished or not server_finished:
if not client_finished:
print("running client gensec_update")
(client_finished,
client_to_server) = gensec_client.update(server_to_client)
if not server_finished:
print("running server gensec_update")
(server_finished,
server_to_client) = gensec_server.update(client_to_server)
# Ensure that the first SID contained within the obtained security
# token is the SID of the user we created.
# Retrieve the SIDs from the security token.
try:
session = gensec_server.session_info()
except NTSTATUSError as e:
if not allow_error:
self.fail()
enum, _ = e.args
self.assertEqual(NT_STATUS_NO_IMPERSONATION_TOKEN, enum)
return
token = session.security_token
token_sids = token.sids
self.assertGreater(len(token_sids), 0)
# Ensure that they match.
self.assertEqual(sid, token_sids[0])