author | Andrew Bartlett <abartlet@samba.org> | 2008-08-28 16:28:47 +1000 |
committer | Andrew Bartlett <abartlet@samba.org> | 2008-08-28 16:28:47 +1000 |
commit | c79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1 (patch) | |
tree | 614106b34aaf64c7ba91308d2bf69331dd7338f5 /source4/torture/auth | |
parent | 0b16d70f3941712ed7889d57ecbc45fe0fa68916 (diff) | |
Heimdal provides Kerberos PAC parsing routines. Use them.
This uses Heimdal's PAC parsing code in the:
- LOCAL-PAC test
- gensec_gssapi server
- KDC (where it was already used; the support code was refactored out from there)
In addition, the service and KDC checksums are recorded in the struct
auth_serversupplied_info, allowing them to be extracted for validation
across NETLOGON.
Andrew Bartlett
(This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
Diffstat (limited to 'source4/torture/auth')
-rw-r--r-- | source4/torture/auth/pac.c | 69 |
1 files changed, 66 insertions, 3 deletions
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index 4e51c66950..42901f1eff 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -139,7 +139,7 @@ static bool torture_pac_self_check(struct torture_context *tctx) dump_data(10,tmp_blob.data,tmp_blob.length); - /* Now check that we can read it back */ + /* Now check that we can read it back (using full decode and validate) */ nt_status = kerberos_decode_pac(mem_ctx, lp_iconv_convenience(tctx->lp_ctx), &pac_data, @@ -163,7 +163,31 @@ static bool torture_pac_self_check(struct torture_context *tctx) nt_errstr(nt_status))); } - /* Now check that we can read it back */ + /* Now check we can read it back (using Heimdal's pac parsing) */ + nt_status = kerberos_pac_blob_to_server_info(mem_ctx, + lp_iconv_convenience(tctx->lp_ctx), + tmp_blob, + smb_krb5_context->krb5_context, + &server_info_out); + + if (!dom_sid_equal(server_info->account_sid, + server_info_out->account_sid)) { + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &krbtgt_keyblock); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + krb5_free_principal(smb_krb5_context->krb5_context, + client_principal); + + torture_fail(tctx, + talloc_asprintf(tctx, + "(self test) PAC Decode resulted in *different* domain SID: %s != %s", + dom_sid_string(mem_ctx, server_info->account_sid), + dom_sid_string(mem_ctx, server_info_out->account_sid))); + } + talloc_free(server_info_out); + + /* Now check that we can read it back (yet again) */ nt_status = kerberos_pac_logon_info(mem_ctx, lp_iconv_convenience(tctx->lp_ctx), &logon_info, @@ -196,6 +220,7 @@ static bool torture_pac_self_check(struct torture_context *tctx) krb5_free_principal(smb_krb5_context->krb5_context, client_principal); + /* And make a server info from the samba-parsed PAC */ validation.sam3 = &logon_info->info3; nt_status = make_server_info_netlogon_validation(mem_ctx, "", 
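Review bot: In the self-check hunk (`@@ -163,7 +163,31 @@`), the `nt_status` returned by `kerberos_pac_blob_to_server_info()` is never tested before `server_info_out->account_sid` is dereferenced in the `dom_sid_equal()` call, so a decode failure turns into a NULL or uninitialised-pointer dereference inside the test instead of a clean `torture_fail`; the saved-PAC test in this same commit does perform that check. Add the status check, mirroring the saved test, before the SID comparison. torture_pac_self_check() begins and ends outside this hunk.
```c
	nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
						     lp_iconv_convenience(tctx->lp_ctx),
						     tmp_blob,
						     smb_krb5_context->krb5_context,
						     &server_info_out);
	if (!NT_STATUS_IS_OK(nt_status)) {
		krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
					    &krbtgt_keyblock);
		krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
					    &server_keyblock);
		krb5_free_principal(smb_krb5_context->krb5_context,
				    client_principal);
		torture_fail(tctx, talloc_asprintf(tctx,
			     "(self test) Heimdal PAC decoding failed: %s",
			     nt_errstr(nt_status)));
	}
	/* … unchanged: account_sid comparison and talloc_free(server_info_out) … */
```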
@@ -403,7 +428,45 @@ static bool torture_pac_saved_check(struct torture_context *tctx) nt_errstr(nt_status))); } - /* Parse the PAC again, for the logon info this time */ + /* Now check we can read it back (using Heimdal's pac parsing) */ + nt_status = kerberos_pac_blob_to_server_info(mem_ctx, + lp_iconv_convenience(tctx->lp_ctx), + tmp_blob, + smb_krb5_context->krb5_context, + &server_info_out); + + if (!NT_STATUS_IS_OK(nt_status)) { + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + krbtgt_keyblock_p); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + krb5_free_principal(smb_krb5_context->krb5_context, client_principal); + + torture_fail(tctx, talloc_asprintf(tctx, + "(saved test) Heimdal PAC decoding failed: %s", + nt_errstr(nt_status))); + } + + if (!pac_file && + !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, + "S-1-5-21-3048156945-3961193616-3706469200-1005"), + server_info_out->account_sid)) { + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + krbtgt_keyblock_p); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + krb5_free_principal(smb_krb5_context->krb5_context, client_principal); + + torture_fail(tctx, + talloc_asprintf(tctx, + "(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s", + "S-1-5-21-3048156945-3961193616-3706469200-1005", + dom_sid_string(mem_ctx, server_info_out->account_sid))); + } + + talloc_free(server_info_out); + + /* Parse the PAC again, for the logon info this time (using Samba4's parsing) */ nt_status = kerberos_pac_logon_info(mem_ctx, lp_iconv_convenience(tctx->lp_ctx), &logon_info, |
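Review bot: The comment `/* Now check we can read it back (using Heimdal's pac parsing) */` should state what this path does not do: `kerberos_pac_blob_to_server_info()` is handed only `tmp_blob` and the krb5 context, with no krbtgt or server key, so unlike the keyed decode earlier in this function it presumably cannot be verifying the PAC checksums, and a reader could otherwise take the passing SID comparison as evidence that the signatures were checked; suggest `/* Parse the PAC with Heimdal's routines; no key is passed, so this exercises parsing only, not checksum validation */`. The expected SID literal is also written twice, once as the `dom_sid_parse_talloc()` argument and again in the failure message, and hoisting it into one `const char *expected_sid = "S-1-5-21-3048156945-3961193616-3706469200-1005";` keeps the two from drifting. The message text says "domain SID" while the value compared is `server_info_out->account_sid`. torture_pac_saved_check() begins and ends outside this hunk.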