summaryrefslogtreecommitdiffstats
path: root/source4/torture/auth
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2008-08-28 16:28:47 +1000
committerAndrew Bartlett <abartlet@samba.org>2008-08-28 16:28:47 +1000
commitc79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1 (patch)
tree614106b34aaf64c7ba91308d2bf69331dd7338f5 /source4/torture/auth
parent0b16d70f3941712ed7889d57ecbc45fe0fa68916 (diff)
downloadsamba-c79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1.tar.gz
samba-c79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1.tar.xz
samba-c79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1.zip
Heimdal provides Kerberos PAC parsing routines. Use them.
This uses Heimdal's PAC parsing code in the: - LOCAL-PAC test - gensec_gssapi server - KDC (where is was already used, the support code refactored from here) In addition, the service and KDC checksums are recorded in the struct auth_serversupplied_info, allowing them to be extracted for validation across NETLOGON. Andrew Bartlett (This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
Diffstat (limited to 'source4/torture/auth')
-rw-r--r--source4/torture/auth/pac.c69
1 files changed, 66 insertions, 3 deletions
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c
index 4e51c66950..42901f1eff 100644
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -139,7 +139,7 @@ static bool torture_pac_self_check(struct torture_context *tctx)
dump_data(10,tmp_blob.data,tmp_blob.length);
- /* Now check that we can read it back */
+ /* Now check that we can read it back (using full decode and validate) */
nt_status = kerberos_decode_pac(mem_ctx,
lp_iconv_convenience(tctx->lp_ctx),
&pac_data,
@@ -163,7 +163,31 @@ static bool torture_pac_self_check(struct torture_context *tctx)
nt_errstr(nt_status)));
}
- /* Now check that we can read it back */
+ /* Now check we can read it back (using Heimdal's pac parsing) */
+ nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
+ lp_iconv_convenience(tctx->lp_ctx),
+ tmp_blob,
+ smb_krb5_context->krb5_context,
+ &server_info_out);
+
+ if (!dom_sid_equal(server_info->account_sid,
+ server_info_out->account_sid)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &krbtgt_keyblock);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ krb5_free_principal(smb_krb5_context->krb5_context,
+ client_principal);
+
+ torture_fail(tctx,
+ talloc_asprintf(tctx,
+ "(self test) PAC Decode resulted in *different* domain SID: %s != %s",
+ dom_sid_string(mem_ctx, server_info->account_sid),
+ dom_sid_string(mem_ctx, server_info_out->account_sid)));
+ }
+ talloc_free(server_info_out);
+
+ /* Now check that we can read it back (yet again) */
nt_status = kerberos_pac_logon_info(mem_ctx,
lp_iconv_convenience(tctx->lp_ctx),
&logon_info,
@@ -196,6 +220,7 @@ static bool torture_pac_self_check(struct torture_context *tctx)
krb5_free_principal(smb_krb5_context->krb5_context,
client_principal);
+ /* And make a server info from the samba-parsed PAC */
validation.sam3 = &logon_info->info3;
nt_status = make_server_info_netlogon_validation(mem_ctx,
"",
@@ -403,7 +428,45 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
nt_errstr(nt_status)));
}
- /* Parse the PAC again, for the logon info this time */
+ /* Now check we can read it back (using Heimdal's pac parsing) */
+ nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
+ lp_iconv_convenience(tctx->lp_ctx),
+ tmp_blob,
+ smb_krb5_context->krb5_context,
+ &server_info_out);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ krbtgt_keyblock_p);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
+
+ torture_fail(tctx, talloc_asprintf(tctx,
+ "(saved test) Heimdal PAC decoding failed: %s",
+ nt_errstr(nt_status)));
+ }
+
+ if (!pac_file &&
+ !dom_sid_equal(dom_sid_parse_talloc(mem_ctx,
+ "S-1-5-21-3048156945-3961193616-3706469200-1005"),
+ server_info_out->account_sid)) {
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ krbtgt_keyblock_p);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
+ &server_keyblock);
+ krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
+
+ torture_fail(tctx,
+ talloc_asprintf(tctx,
+ "(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s",
+ "S-1-5-21-3048156945-3961193616-3706469200-1005",
+ dom_sid_string(mem_ctx, server_info_out->account_sid)));
+ }
+
+ talloc_free(server_info_out);
+
+ /* Parse the PAC again, for the logon info this time (using Samba4's parsing) */
nt_status = kerberos_pac_logon_info(mem_ctx,
lp_iconv_convenience(tctx->lp_ctx),
&logon_info,