The Samba-Bugzilla – Attachment 16973 Details for
Bug 14725
[SECURITY] Andrew's Kerberos Concerns (November 9 2021)
[patch]
Combined patchset for 4.10 v13 (CVE-2020-25717 CVE-2020-25721 CVE-2020-25718 CVE-2020-25719 CVE-2020-25722)
security-2021-11-v4.10-v13-bug14725.patches.txt (text/plain), 4.99 MB, created by
Jennifer Sutton
on 2021-11-09 04:04:33 UTC
Description:
Combined patchset for 4.10 v13 (CVE-2020-25717 CVE-2020-25721 CVE-2020-25718 CVE-2020-25719 CVE-2020-25722)
Filename:
MIME Type:
Creator:
Jennifer Sutton
Created:
2021-11-09 04:04:33 UTC
Size:
4.99 MB
>From 7157d920e843522403bf4cfb1936c09135c1f854 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 20 Apr 2020 20:00:51 +0200
>Subject: [PATCH 001/686] python/tests: add DynamicTestCase
> setUpDynamicTestCases() infrastructure
>
>This can be used in order to run a sepcific test (coded just once)
>with an autogenerated set of arguments.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531
>
>Pair-Programmed-With: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>(cherry picked from commit 80347deb544b38be6c6814e5d1b82e48ebe83fd1)
>---
> python/samba/tests/__init__.py | 27 +++++++++++++++++++++++++++
> 1 file changed, 27 insertions(+)
>
>diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py
>index ef0fdabbfa2..13d42779262 100644
>--- a/python/samba/tests/__init__.py
>+++ b/python/samba/tests/__init__.py
>@@ -62,10 +62,37 @@ BINDIR = os.path.abspath(os.path.join(os.path.dirname(__file__),
>
> HEXDUMP_FILTER = bytearray([x if ((len(repr(chr(x))) == 3) and (x < 127)) else ord('.') for x in range(256)])
>
>+def DynamicTestCase(cls):
>+ cls.setUpDynamicTestCases()
>+ return cls
>
> class TestCase(unittest.TestCase):
> """A Samba test case."""
>
>+ @classmethod
>+ def generate_dynamic_test(cls, fnname, suffix, *args):
>+ """
>+ fnname is something like "test_dynamic_sum"
>+ suffix is something like "1plus2"
>+ argstr could be (1, 2)
>+
>+ This would generate a test case called
>+ "test_dynamic_sum_1plus2(self)" that
>+ calls
>+ self._test_dynamic_sum_with_args(1, 2)
>+ """
>+ def fn(self):
>+ getattr(self, "_%s_with_args" % fnname)(*args)
>+ setattr(cls, "%s_%s" % (fnname, suffix), fn)
>+
>+ @classmethod
>+ def setUpDynamicTestCases(cls):
>+ """This can be implemented in order to call cls.generate_dynamic_test()
>+ In order to implement autogenerated testcase permutations.
>+ """
>+ msg = "%s needs setUpDynamicTestCases() if @DynamicTestCase is used!" % (cls)
>+ raise Exception(msg)
>+
> def setUp(self):
> super(TestCase, self).setUp()
> test_debug_level = os.getenv("TEST_DEBUG_LEVEL")
>--
>2.25.1
>
>
>From 1d414e2a5f4da66265c635eb6bf69e386568f4d2 Mon Sep 17 00:00:00 2001
>From: Noel Power <noel.power@suse.com>
>Date: Wed, 15 May 2019 10:30:29 +0100
>Subject: [PATCH 002/686] lib/ldb: Fix incorrect return type for (setter) func
> type
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13948
>
>Signed-off-by: Noel Power <noel.power@suse.com>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit 27d99eefe7676669343b9040f550480df6554a6e)
>---
> lib/ldb/pyldb.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
>index b2cac8a3497..794b2184941 100644
>--- a/lib/ldb/pyldb.c
>+++ b/lib/ldb/pyldb.c
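Review bot: `generate_dynamic_test()` in `TestCase` (python/samba/tests/__init__.py) calls `setattr(cls, "%s_%s" % (fnname, suffix), fn)` without checking whether that attribute already exists, so two permutations that yield the same suffix silently replace one another and a test drops out of the run unnoticed. Building the name first and guarding the assignment, e.g. `if hasattr(cls, name): raise RuntimeError("Dynamic test %s already exists!" % name)`, surfaces the collision when the class is decorated. The docstring also speaks of `argstr` although the parameter is `*args`, and the base `setUpDynamicTestCases()` would be clearer raising `NotImplementedError(msg)` than a bare `Exception`.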
>@@ -199,7 +199,7 @@ static PyObject *py_ldb_control_get_critical(PyLdbControlObject *self)
> return PyBool_FromLong(self->data->critical);
> }
>
>-static PyObject *py_ldb_control_set_critical(PyLdbControlObject *self, PyObject *value, void *closure)
>+static int py_ldb_control_set_critical(PyLdbControlObject *self, PyObject *value, void *closure)
> {
> if (PyObject_IsTrue(value)) {
> self->data->critical = true;
>--
>2.25.1
>
>
>From 1f7fe0155f289e04fea00054e13d141c705c4a90 Mon Sep 17 00:00:00 2001
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Sun, 17 Mar 2019 14:47:40 +1300
>Subject: [PATCH 003/686] tests: ensure that most python scripts have usage
> text
>
>When a script is run with the wrong arguments, it should at least say
>something like this:
>
> Usage: samba-foo [OPTIONS]
>
>For many samba scripts, especially without a server environment, having
>no arguments is the wrong arguments.
>
>Here we look for every executable file with '#![...]python[3]' on the
>first line, and exclude certain files and directories that have excuses
>to fail the test. For example, many selftest scripts are stream-oriented
>and will hang forever waiting for stdin, which is not an error. Some
>test modules are designed so they can be optionally run from the command
>line, but this option is typically only used by the developer who is
>writing them.
>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 538ffe1960a8640875759ca194cc4cc9fae2c5bc)
>
>[jsutton@samba.org Backported to fix conflict in
> source4/selftest/tests.py]
>---
> python/samba/tests/usage.py | 205 ++++++++++++++++++++++++++++++++++++
> selftest/knownfail.d/usage | 28 +++++
> source4/selftest/tests.py | 2 +
> 3 files changed, 235 insertions(+)
> create mode 100644 python/samba/tests/usage.py
> create mode 100644 selftest/knownfail.d/usage
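Review bot: In `py_ldb_control_set_critical` (lib/ldb/pyldb.c) the context line `if (PyObject_IsTrue(value))` is reached with no NULL check on `value`, and a getset setter is called with `value == NULL` when the attribute is deleted, so that path hands NULL to `PyObject_IsTrue()`. `PyObject_IsTrue()` can also return -1 on error, which this test treats as true. With the return type now `int` the function can report both cases, starting with `if (value == NULL) { PyErr_SetString(PyExc_AttributeError, "cannot delete critical flag"); return -1; }` ahead of the truth test. The rest of the body lies outside the hunk, so its return statements are not visible here and should be checked to return 0 or -1 rather than an object pointer.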
>
>diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
>new file mode 100644
>index 00000000000..30c083076ff
>--- /dev/null
>+++ b/python/samba/tests/usage.py
>@@ -0,0 +1,205 @@
>+# Unix SMB/CIFS implementation.
>+# Copyright © Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>+#
>+# This program is free software; you can redistribute it and/or modify
>+# it under the terms of the GNU General Public License as published by
>+# the Free Software Foundation; either version 3 of the License, or
>+# (at your option) any later version.
>+#
>+# This program is distributed in the hope that it will be useful,
>+# but WITHOUT ANY WARRANTY; without even the implied warranty of
>+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+# GNU General Public License for more details.
>+#
>+# You should have received a copy of the GNU General Public License
>+# along with this program. If not, see <http://www.gnu.org/licenses/>.
>+
>+import os
>+import sys
>+import subprocess
>+from samba.tests import TestCase
>+from unittest import TestSuite
>+import re
>+import stat
>+
>+if 'SRCDIR_ABS' in os.environ:
>+ BASEDIR = os.environ['SRCDIR_ABS']
>+else:
>+ BASEDIR = os.path.abspath(os.path.join(os.path.dirname(__file__),
>+ '../../..'))
>+
>+TEST_DIRS = [
>+ "bootstrap",
>+ "testdata",
>+ "ctdb",
>+ "dfs_server",
>+ "pidl",
>+ "auth",
>+ "packaging",
>+ "python",
>+ "include",
>+ "nsswitch",
>+ "libcli",
>+ "coverity",
>+ "release-scripts",
>+ "testprogs",
>+ "bin",
>+ "source3",
>+ "docs-xml",
>+ "buildtools",
>+ "file_server",
>+ "dynconfig",
>+ "source4",
>+ "tests",
>+ "libds",
>+ "selftest",
>+ "lib",
>+ "script",
>+ "traffic",
>+ "testsuite",
>+ "libgpo",
>+ "wintest",
>+ "librpc",
>+]
>+
>+
>+EXCLUDE_USAGE = {
>+ 'script/autobuild.py', # defaults to mount /memdisk/
>+ 'script/bisect-test.py',
>+ 'ctdb/utils/etcd/ctdb_etcd_lock',
>+ 'selftest/filter-subunit',
>+ 'selftest/format-subunit',
>+ 'bin/gen_output.py', # too much output!
>+ 'source4/scripting/bin/gen_output.py',
>+ 'lib/ldb/tests/python/index.py',
>+ 'lib/ldb/tests/python/api.py',
>+ 'source4/selftest/tests.py',
>+ 'buildtools/bin/waf',
>+ 'selftest/tap2subunit',
>+ 'script/show_test_time',
>+ 'source4/scripting/bin/subunitrun',
>+ 'source3/selftest/tests.py',
>+ 'selftest/tests.py',
>+ 'python/samba/subunit/run.py',
>+ 'bin/python/samba/subunit/run.py',
>+ 'python/samba/tests/dcerpc/raw_protocol.py'
>+}
>+
>+
>+EXCLUDE_DIRS = {
>+ 'source3/script/tests',
>+ 'python/examples',
>+ 'source4/dsdb/tests/python',
>+ 'bin/ab',
>+ 'bin/python/samba/tests',
>+ 'bin/python/samba/tests/dcerpc',
>+}
>+
>+
>+def _init_git_file_finder():
>+ """Generate a function that quickly answers the question:
>+ 'is this a git file?'
>+ """
>+ git_file_cache = set()
>+ p = subprocess.run(['git',
>+ '-C', BASEDIR,
>+ 'ls-files',
>+ '-z'],
>+ stdout=subprocess.PIPE)
>+ if p.returncode == 0:
>+ for fn in p.stdout.split(b'\0'):
>+ git_file_cache.add(os.path.join(BASEDIR, fn.decode('utf-8')))
>+ return git_file_cache.__contains__
>+
>+
>+is_git_file = _init_git_file_finder()
>+
>+
>+def python_script_iterator(d=BASEDIR, _cache={}):
>+ """Generate an iterator over executable Python scripts. By default it
>+ walks the entire source tree.
>+ """
>+ if d not in _cache:
>+ cache = {}
>+ _cache[d] = cache
>+ pyshebang = re.compile(br'#!.+python').match
>+ safename = re.compile(r'\W+').sub
>+ for subdir in TEST_DIRS:
>+ sd = os.path.join(d, subdir)
>+ for root, dirs, files in os.walk(sd, followlinks=False):
>+ for fn in files:
>+ if fn.endswith('~'):
>+ continue
>+ if fn.endswith('.inst'):
>+ continue
>+ ffn = os.path.join(root, fn)
>+ if not (subdir == 'bin' or is_git_file(ffn)):
>+ continue
>+
>+ try:
>+ s = os.stat(ffn)
>+ except FileNotFoundError:
>+ continue
>+ if not s.st_mode & stat.S_IXUSR:
>+ continue
>+ try:
>+ f = open(ffn, 'rb')
>+ except OSError as e:
>+ print("could not open %s: %s" % (ffn, e))
>+ continue
>+ line = f.read(40)
>+ f.close()
>+ if not pyshebang(line):
>+ continue
>+ name = safename('_', fn)
>+ while name in cache:
>+ name += '_'
>+ cache[name] = ffn
>+
>+ return _cache[d].items()
>+
>+
>+class PythonScriptUsageTests(TestCase):
>+ """Python scripts run without arguments should print a usage string,
>+ not fail with a traceback.
>+ """
>+
>+ @classmethod
>+ def initialise(cls):
>+ for name, filename in python_script_iterator():
>+ # We add the actual tests after the class definition so we
>+ # can give individual names to them, so we can have a
>+ # knownfail list.
>+ fn = filename.replace(BASEDIR, '').lstrip('/')
>+
>+ if fn in EXCLUDE_USAGE:
>+ print("skipping %s (EXCLUDE_USAGE)" % filename)
>+ continue
>+
>+ if os.path.dirname(fn) in EXCLUDE_DIRS:
>+ print("skipping %s (EXCLUDE_DIRS)" % filename)
>+ continue
>+
>+ def _f(self, filename=filename):
>+ print(filename)
>+ try:
>+ p = subprocess.Popen(['python3', filename],
>+ stderr=subprocess.PIPE,
>+ stdout=subprocess.PIPE)
>+ out, err = p.communicate(timeout=5)
>+ except OSError as e:
>+ self.fail("Error: %s" % e)
>+ except subprocess.SubprocessError as e:
>+ self.fail("Subprocess error: %s" % e)
>+
>+ err = err.decode('utf-8')
>+ out = out.decode('utf-8')
>+ self.assertNotIn('Traceback', err)
>+
>+ self.assertIn('usage', out.lower() + err.lower(),
>+ 'stdout:\n%s\nstderr:\n%s' % (out, err))
>+
>+ setattr(cls, 'test_%s' % name, _f)
>+
>+
>+PythonScriptUsageTests.initialise()
>diff --git a/selftest/knownfail.d/usage b/selftest/knownfail.d/usage
>new file mode 100644
>index 00000000000..3c526f32f22
>--- /dev/null
>+++ b/selftest/knownfail.d/usage
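Review bot: In `_f` (defined inside `PythonScriptUsageTests.initialise` in python/samba/tests/usage.py) a script that is still running when `p.communicate(timeout=5)` expires is never killed: `subprocess.TimeoutExpired` is caught by the `except subprocess.SubprocessError` branch, which only calls `self.fail(...)`, so each hung script stays alive with its pipes open for the rest of the test run. The timeout should be caught ahead of the generic handler and the child killed and reaped before failing, as sketched below. Separately, the interpreter is taken from `PATH` as `'python3'` where `sys.executable` would run the scripts under the interpreter the suite itself uses, and `filename.replace(BASEDIR, '')` removes every occurrence of the base path where `os.path.relpath(filename, BASEDIR)` states the intent.

```python
        out, err = p.communicate(timeout=5)
    except subprocess.TimeoutExpired:
        # Reap the child so a hung script does not outlive the test.
        p.kill()
        p.communicate()
        self.fail("Timed out after 5s: %s" % filename)
    # … unchanged: OSError and SubprocessError handlers, decoding, assertions …
```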
>@@ -0,0 +1,28 @@
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_chgtdcpass.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_compare_cc_results_py.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_demodirsync_py.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_dns_hub_py.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_findprovisionusnranges.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_get_descriptors.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_mymachinepw.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_rebuildextendeddn.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_renamedc.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_repl_cleartext_pwd_py.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_rodcdns.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_dnsupdate.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_dnsupdate_.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_sambadowngradedatabase.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_gpupdate.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_gpupdate_.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_kcc.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_kcc_.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_spnupdate.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_spnupdate_.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_upgradedns.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_upgradedns_.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_upgradeprovision.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_upgradeprovision_.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_smbstatus.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_test_s3_py.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_test_s4_howto_py.none.
>+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_traffic_learner.none.
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 8cf54841e86..1561f068ca1 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -1333,3 +1333,5 @@ planoldpythontestsuite("proclimitdc:local",
> 'SOCKET_WRAPPER_DEFAULT_IFACE': 11},
> name="samba.tests.process_limits",
> py3_compatible=True)
>+
>+planoldpythontestsuite("none", "samba.tests.usage")
>--
>2.25.1
>
>
>From 2a00441070b72b19934332241d4eca4db37209d2 Mon Sep 17 00:00:00 2001
>From: Michael Hanselmann <public@hansmi.ch>
>Date: Fri, 12 Apr 2019 00:46:37 +0200
>Subject: [PATCH 004/686] ldb: Avoid read beyond buffer
>
>Calling the "ldb_parse_tree" function with a filter consisting of
>exactly a single space (" ") would trigger a read beyond the input
>buffer. A unittest is included.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13900
>
>Signed-off-by: Michael Hanselmann <public@hansmi.ch>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Tim Beale <timbeale@catalyst.net.nz>
>(cherry picked from commit 7f48fbcf7bad06a6df7812bb4fd3b0fca8edb4ea)
>
>[jsutton@samba.org Adapted to fix conflicts in lib/ldb/wscript]
>---
> lib/ldb/common/ldb_parse.c | 6 +--
> lib/ldb/tests/ldb_parse_test.c | 93 ++++++++++++++++++++++++++++++++++
> lib/ldb/wscript | 8 ++-
> 3 files changed, 103 insertions(+), 4 deletions(-)
> create mode 100644 lib/ldb/tests/ldb_parse_test.c
>
>diff --git a/lib/ldb/common/ldb_parse.c b/lib/ldb/common/ldb_parse.c
>index db420091311..452c5830ed5 100644
>--- a/lib/ldb/common/ldb_parse.c
>+++ b/lib/ldb/common/ldb_parse.c
>@@ -328,7 +328,7 @@ static enum ldb_parse_op ldb_parse_filtertype(TALLOC_CTX *mem_ctx, char **type,
>
> if (*p == '=') {
> filter = LDB_OP_EQUALITY;
>- } else if (*(p + 1) == '=') {
>+ } else if (*p != '\0' && *(p + 1) == '=') {
> switch (*p) {
> case '<':
> filter = LDB_OP_LESS;
>@@ -679,12 +679,12 @@ static struct ldb_parse_tree *ldb_parse_filter(TALLOC_CTX *mem_ctx, const char *
> */
> struct ldb_parse_tree *ldb_parse_tree(TALLOC_CTX *mem_ctx, const char *s)
> {
>+ while (s && isspace((unsigned char)*s)) s++;
>+
> if (s == NULL || *s == 0) {
> s = "(|(objectClass=*)(distinguishedName=*))";
> }
>
>- while (isspace((unsigned char)*s)) s++;
>-
> if (*s == '(') {
> return ldb_parse_filter(mem_ctx, &s);
> }
>diff --git a/lib/ldb/tests/ldb_parse_test.c b/lib/ldb/tests/ldb_parse_test.c
>new file mode 100644
>index 00000000000..a739d7795d1
>--- /dev/null
>+++ b/lib/ldb/tests/ldb_parse_test.c
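Review bot: The header comment of `ldb_parse_tree` (it closes on the `*/` context line at the top of the second ldb_parse.c hunk; the rest is outside the hunk) should state that an all-whitespace filter now selects the match-all default `(|(objectClass=*)(distinguishedName=*))`, because moving the `isspace` skip ahead of the `*s == 0` test makes blank input equivalent to NULL or `""`. Callers that build a filter from external input will get every record back for a blank value, so the contract is worth spelling out, e.g. `A NULL, empty or all-whitespace string is treated as "match all records".` In the first hunk, a short comment on the `*p != '\0'` test in `ldb_parse_filtertype`, such as `/* do not look at p[1] when p is already at the terminator */`, would keep the guard from being simplified away later.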
>@@ -0,0 +1,93 @@
>+/*
>+ * Tests exercising the ldb parse operations.
>+ *
>+ * Copyright (C) Catalyst.NET Ltd 2017
>+ * Copyright (C) Michael Hanselmann 2019
>+ *
>+ * This program is free software; you can redistribute it and/or modify
>+ * it under the terms of the GNU General Public License as published by
>+ * the Free Software Foundation; either version 3 of the License, or
>+ * (at your option) any later version.
>+ *
>+ * This program is distributed in the hope that it will be useful,
>+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
>+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+ * GNU General Public License for more details.
>+ *
>+ * You should have received a copy of the GNU General Public License
>+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
>+ *
>+ */
>+
>+#include <stdarg.h>
>+#include <stddef.h>
>+#include <stdint.h>
>+#include <setjmp.h>
>+#include <cmocka.h>
>+
>+#include "../include/ldb.h"
>+
>+struct test_ctx
>+{
>+};
>+
>+static int setup(void **state)
>+{
>+ struct test_ctx *ctx;
>+
>+ ctx = talloc_zero(NULL, struct test_ctx);
>+ assert_non_null(ctx);
>+
>+ *state = ctx;
>+
>+ return 0;
>+}
>+
>+static int teardown(void **state)
>+{
>+ struct test_ctx *ctx =
>+ talloc_get_type_abort(*state, struct test_ctx);
>+
>+ talloc_free(ctx);
>+
>+ return 0;
>+}
>+
>+static void test_roundtrip(TALLOC_CTX *mem_ctx, const char *filter, const char *expected)
>+{
>+ struct ldb_parse_tree *tree;
>+ char *serialized;
>+
>+ assert_non_null(filter);
>+ assert_non_null(expected);
>+
>+ tree = ldb_parse_tree(mem_ctx, filter);
>+ assert_non_null(tree);
>+
>+ serialized = ldb_filter_from_tree(mem_ctx, tree);
>+ assert_non_null(serialized);
>+
>+ assert_string_equal(serialized, expected);
>+}
>+
>+static void test_parse_filtertype(void **state)
>+{
>+ struct test_ctx *ctx =
>+ talloc_get_type_abort(*state, struct test_ctx);
>+
>+ test_roundtrip(ctx, "", "(|(objectClass=*)(distinguishedName=*))");
>+ test_roundtrip(ctx, "a=value", "(a=value)");
>+ test_roundtrip(ctx, "(|(foo=bar)(baz=hello))", "(|(foo=bar)(baz=hello))");
>+ test_roundtrip(ctx, " ", "(|(objectClass=*)(distinguishedName=*))");
>+}
>+
>+int main(int argc, const char **argv)
>+{
>+ const struct CMUnitTest tests[] = {
>+ cmocka_unit_test_setup_teardown(test_parse_filtertype, setup, teardown),
>+ };
>+
>+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
>+
>+ return cmocka_run_group_tests(tests, NULL, NULL);
>+}
>diff --git a/lib/ldb/wscript b/lib/ldb/wscript
>index 58240222d5f..2197a304e94 100644
>--- a/lib/ldb/wscript
>+++ b/lib/ldb/wscript
>@@ -516,6 +516,11 @@ def build(bld):
> deps='cmocka ldb',
> install=False)
>
>+ bld.SAMBA_BINARY('ldb_parse_test',
>+ source='tests/ldb_parse_test.c',
>+ deps='cmocka ldb ldb_tdb_err_map',
>+ install=False)
>+
> if bld.CONFIG_SET('HAVE_LMDB'):
> bld.SAMBA_BINARY('ldb_mdb_mod_op_test',
> source='tests/ldb_mod_op_test.c',
>@@ -584,7 +589,8 @@ def test(ctx):
> # fit > 4G of data into the DB), it would fill up the disk on
> # many of our test instances
> 'ldb_mdb_kv_ops_test',
>- 'ldb_match_test']
>+ 'ldb_match_test',
>+ 'ldb_parse_test']
>
> for test_exe in test_exes:
> cmd = os.path.join(Context.g_module.out, test_exe)
>--
>2.25.1
>
>
>From 372d300a4c2fe23e4aa9e3623064ba4be44c22f7 Mon Sep 17 00:00:00 2001
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Tue, 8 Dec 2020 21:32:09 +1300
>Subject: [PATCH 005/686] CVE-2021-20277 ldb/attrib_handlers casefold: stay in
> bounds
>
>For a string that had N spaces at the beginning, we would
>try to move N bytes beyond the end of the string.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655
>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 1fe8c790b2294fd10fe9c9c6254ecf2b6c00b709)
>---
> lib/ldb/common/attrib_handlers.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
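Review bot: `test_parse_filtertype` in lib/ldb/tests/ldb_parse_test.c never reaches the `*p != '\0'` guard this commit adds to `ldb_parse_filtertype`: the `" "` input is replaced by the default filter in `ldb_parse_tree` before any filter type is parsed, and the remaining inputs all carry an operator after the attribute name. A negative case is needed, and `test_roundtrip` cannot express it because it asserts a non-NULL tree; something like `assert_null(ldb_parse_tree(ctx, "a"));` would cover an attribute name with nothing after it, assuming the parser rejects that input, which should be confirmed. The empty `struct test_ctx { }` also relies on a GNU extension rather than standard C; a dummy member avoids that.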
>
>diff --git a/lib/ldb/common/attrib_handlers.c b/lib/ldb/common/attrib_handlers.c
>index 4b94d392cc6..409b8c62025 100644
>--- a/lib/ldb/common/attrib_handlers.c
>+++ b/lib/ldb/common/attrib_handlers.c
>@@ -76,7 +76,7 @@ int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx,
>
> /* remove leading spaces if any */
> if (*s == ' ') {
>- for (t = s; *s == ' '; s++) ;
>+ for (t = s; *s == ' '; s++, l--) ;
>
> /* remove leading spaces by moving down the string */
> memmove(t, s, l);
>--
>2.25.1
>
>
>From a1d9a82afd9792e4c0f48bbb5805f0dba668c273 Mon Sep 17 00:00:00 2001
>From: Noel Power <noel.power@suse.com>
>Date: Tue, 22 Jan 2019 18:26:23 +0000
>Subject: [PATCH 006/686] Decrement references to python objects passed to
> Py_BuildValue
>
>Py_BuildValue when processing format 'O' will
> 'Pass a Python object untouched (except for its reference count,
> which is incremented by one'
>
>Basically this means if you are using a new reference to a PyObject
>to pass to BuildValue (to be used with the 'O' format) the reference
>*isn't* stolen so you really do need to DECREF it in order to ensure
>it gets cleaned up.
>
>Signed-off-by: Noel Power <noel.power@suse.com>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>(cherry picked from commit a8e10a12493fdb6b8347b14e157aeb619cf2d2da)
>---
> auth/credentials/pycredentials.c | 7 ++++---
> lib/ldb/pyldb.c | 15 +++++++++++----
> source3/libsmb/pylibsmb.c | 7 +++++--
> source4/dns_server/pydns.c | 6 +++++-
> 4 files changed, 25 insertions(+), 10 deletions(-)
>
>diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
>index 7f9bc38af8e..6fb2c807ed6 100644
>--- a/auth/credentials/pycredentials.c
>+++ b/auth/credentials/pycredentials.c
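Review bot: The corrected loop in `ldb_handler_fold` (lib/ldb/common/attrib_handlers.c) makes `memmove(t, s, l)` copy exactly the bytes that remain after the leading spaces, so whether the terminating NUL travels with them depends on how `l` is computed above the hunk, which is not visible here. If `l` is a `strlen()`-style count that excludes the terminator, the old tail stays in place after the move and the string needs `t[l] = '\0';` following the `memmove`; please confirm which applies. The decrement is also easy to miss inside an empty-bodied `for`, and a comment such as `/* l shrinks with each skipped space so the memmove below stays inside the string */` would help. The diffstat shows no regression test for a value with leading spaces in this commit.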
>@@ -75,9 +75,10 @@ static PyObject *py_creds_get_ntlm_username_domain(PyObject *self, PyObject *unu
> PyObject *ret = NULL;
> cli_credentials_get_ntlm_username_domain(PyCredentials_AsCliCredentials(self),
> frame, &user, &domain);
>- ret = Py_BuildValue("(OO)",
>- PyString_FromStringOrNULL(user),
>- PyString_FromStringOrNULL(domain));
>+ ret = Py_BuildValue("(ss)",
>+ user,
>+ domain);
>+
> TALLOC_FREE(frame);
> return ret;
> }
>diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
>index 794b2184941..9dd5c2019b6 100644
>--- a/lib/ldb/pyldb.c
>+++ b/lib/ldb/pyldb.c
>@@ -1673,9 +1673,13 @@ static PyObject *ldb_ldif_to_pyobject(struct ldb_ldif *ldif)
> Py_RETURN_NONE;
> } else {
> /* We don't want this attached to the 'ldb' any more */
>- return Py_BuildValue(discard_const_p(char, "(iO)"),
>- ldif->changetype,
>- PyLdbMessage_FromMessage(ldif->msg));
>+ PyObject *obj = PyLdbMessage_FromMessage(ldif->msg);
>+ PyObject *result =
>+ Py_BuildValue(discard_const_p(char, "(iO)"),
>+ ldif->changetype,
>+ obj);
>+ Py_CLEAR(obj);
>+ return result;
> }
> }
>
>@@ -3427,12 +3431,15 @@ static PyObject *py_ldb_msg_items(PyLdbMessageObject *self)
> Py_ssize_t i, j = 0;
> PyObject *l = PyList_New(msg->num_elements + (msg->dn == NULL?0:1));
> if (msg->dn != NULL) {
>- PyList_SetItem(l, 0, Py_BuildValue("(sO)", "dn", pyldb_Dn_FromDn(msg->dn)));
>+ PyObject *obj = pyldb_Dn_FromDn(msg->dn);
>+ PyList_SetItem(l, 0, Py_BuildValue("(sO)", "dn", obj));
>+ Py_CLEAR(obj);
> j++;
> }
> for (i = 0; i < msg->num_elements; i++, j++) {
> PyObject *py_el = PyLdbMessageElement_FromMessageElement(&msg->elements[i], msg->elements);
> PyObject *value = Py_BuildValue("(sO)", msg->elements[i].name, py_el);
>+ Py_CLEAR(py_el);
> PyList_SetItem(l, j, value);
> }
> return l;
>diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
>index b4903a9b8c5..b63101b85a0 100644
>--- a/source3/libsmb/pylibsmb.c
>+++ b/source3/libsmb/pylibsmb.c
>@@ -1124,13 +1124,14 @@ static NTSTATUS list_helper(const char *mntpoint, struct file_info *finfo,
> {
> PyObject *result = (PyObject *)state;
> PyObject *file = NULL;
>+ PyObject *size = NULL;
> int ret;
>
> /* suppress '.' and '..' in the results we return */
> if (ISDOT(finfo->name) || ISDOTDOT(finfo->name)) {
> return NT_STATUS_OK;
> }
>-
>+ size = PyLong_FromUnsignedLongLong(finfo->size);
> /*
> * Build a dictionary representing the file info.
> * Note: Windows does not always return short_name (so it may be None)
>@@ -1139,10 +1140,12 @@ static NTSTATUS list_helper(const char *mntpoint, struct file_info *finfo,
> "name", finfo->name,
> "attrib", (int)finfo->mode,
> "short_name", finfo->short_name,
>- "size", PyLong_FromUnsignedLongLong(finfo->size),
>+ "size", size,
> "mtime",
> convert_timespec_to_time_t(finfo->mtime_ts));
>
>+ Py_CLEAR(size);
>+
> if (file == NULL) {
> return NT_STATUS_NO_MEMORY;
> }
>diff --git a/source4/dns_server/pydns.c b/source4/dns_server/pydns.c
>index a4441ddef56..16d22dfe4b8 100644
>--- a/source4/dns_server/pydns.c
>+++ b/source4/dns_server/pydns.c
>@@ -100,6 +100,7 @@ static PyObject *py_dsdb_dns_lookup(PyObject *self,
> struct ldb_context *samdb;
> PyObject *py_ldb, *ret, *pydn;
> PyObject *py_dns_partition = NULL;
>+ PyObject *result = NULL;
> char *dns_name;
> TALLOC_CTX *frame;
> NTSTATUS status;
>@@ -156,7 +157,10 @@ static PyObject *py_dsdb_dns_lookup(PyObject *self,
> ret = py_dnsp_DnssrvRpcRecord_get_list(records, num_records);
> pydn = pyldb_Dn_FromDn(dn);
> talloc_free(frame);
>- return Py_BuildValue("(OO)", pydn, ret);
>+ result = Py_BuildValue("(OO)", pydn, ret);
>+ Py_CLEAR(ret);
>+ Py_CLEAR(pydn);
>+ return result;
> }
>
> static PyObject *py_dsdb_dns_extract(PyObject *self, PyObject *args)
>--
>2.25.1
>
>
>From 14134c1fa16f342b2626806769a054908ffdd0e0 Mon Sep 17 00:00:00 2001
>From: Noel Power <noel.power@suse.com>
>Date: Fri, 25 Jan 2019 12:02:50 +0000
>Subject: [PATCH 007/686] Examine result of SetList (and prevent sending NULL
> to PyList_SetItem)
>
>Signed-off-by: Noel Power <noel.power@suse.com>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>(cherry picked from commit 1be9b0cf1bc95715e83c27eabecbd4fa2022530b)
>---
> lib/ldb/pyldb.c | 30 +++++++++++++++++++++++++++---
> 1 file changed, 27 insertions(+), 3 deletions(-)
>
>diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
>index 9dd5c2019b6..56614a850df 100644
>--- a/lib/ldb/pyldb.c
>+++ b/lib/ldb/pyldb.c
>@@ -3430,17 +3430,41 @@ static PyObject *py_ldb_msg_items(PyLdbMessageObject *self)
> struct ldb_message *msg = pyldb_Message_AsMessage(self);
> Py_ssize_t i, j = 0;
> PyObject *l = PyList_New(msg->num_elements + (msg->dn == NULL?0:1));
>+ if (l == NULL) {
>+ return PyErr_NoMemory();
>+ }
> if (msg->dn != NULL) {
>+ PyObject *value = NULL;
> PyObject *obj = pyldb_Dn_FromDn(msg->dn);
>- PyList_SetItem(l, 0, Py_BuildValue("(sO)", "dn", obj));
>+ int res = 0;
>+ value = Py_BuildValue("(sO)", "dn", obj);
> Py_CLEAR(obj);
>+ if (value == NULL) {
>+ Py_CLEAR(l);
>+ return NULL;
>+ }
>+ res = PyList_SetItem(l, 0, value);
>+ if (res == -1) {
>+ Py_CLEAR(l);
>+ return NULL;
>+ }
> j++;
> }
> for (i = 0; i < msg->num_elements; i++, j++) {
>+ PyObject *value = NULL;
> PyObject *py_el = PyLdbMessageElement_FromMessageElement(&msg->elements[i], msg->elements);
>- PyObject *value = Py_BuildValue("(sO)", msg->elements[i].name, py_el);
>+ int res = 0;
> Py_CLEAR(py_el);
>- PyList_SetItem(l, j, value);
>+ value = Py_BuildValue("(sO)", msg->elements[i].name, py_el);
>+ if (value == NULL ) {
>+ Py_CLEAR(l);
>+ return NULL;
>+ }
>+ res = PyList_SetItem(l, 0, value);
>+ if (res == -1) {
>+ Py_CLEAR(l);
>+ return NULL;
>+ }
> }
> return l;
> }
>--
>2.25.1
>
>
>From 129a3656ece39f157afebcd1b2b65307eca3a657 Mon Sep 17 00:00:00 2001
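Review bot: In the element loop of `py_ldb_msg_items` (lib/ldb/pyldb.c, patch 007) the context line `Py_CLEAR(py_el)` now runs before the added `value = Py_BuildValue("(sO)", msg->elements[i].name, py_el)`, so `py_el` is already NULL when it is passed for the `O` slot and the call fails for any message that has at least one element. The same loop stores with `PyList_SetItem(l, 0, value)`, which would overwrite slot 0 (the `dn` tuple) on every iteration and leave the remaining slots unset; the index should be `j`, as in the line being removed. Build first, then clear, and restore the index: `value = Py_BuildValue("(sO)", msg->elements[i].name, py_el); Py_CLEAR(py_el);` followed by `res = PyList_SetItem(l, j, value);`. A NULL check on `py_el` before building would also preserve the original allocation error instead of the one raised by `Py_BuildValue`.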
>From: Noel Power <noel.power@suse.com>
>Date: Thu, 2 May 2019 19:51:05 +0100
>Subject: [PATCH 008/686] lib/ldb: squash 'cast between incompatible function
> types' warning
>
>To avoid warning above produced by using
>-Wcast-function-type we;
>
> + ensure PyCFunctions of type METH_NOARGS defined dummy arg
> + ensure PyCFunctions of type METH_KEYWORDS use PY_DISCARD_FUNC_SIG
> macro
>
>Signed-off-by: Noel Power <noel.power@suse.com>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit 51f146de5adbb5a58a528e168e7fe9faa4477880)
>---
> lib/ldb/pyldb.c | 139 ++++++++++++++++++++++++++++++++----------------
> 1 file changed, 94 insertions(+), 45 deletions(-)
>
>diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
>index 56614a850df..92a4e206feb 100644
>--- a/lib/ldb/pyldb.c
>+++ b/lib/ldb/pyldb.c
>@@ -34,6 +34,9 @@
> #include "pyldb.h"
> #include "dlinklist.h"
>
>+/* discard signature of 'func' in favour of 'target_sig' */
>+#define PY_DISCARD_FUNC_SIG(target_sig, func) (target_sig)(void(*)(void))func
>+
> struct py_ldb_search_iterator_reply;
>
> typedef struct {
>@@ -189,12 +192,14 @@ static PyObject *wrap_text(const char *type, PyObject *wrapped)
> return inst;
> }
>
>-static PyObject *py_ldb_control_get_oid(PyLdbControlObject *self)
>+static PyObject *py_ldb_control_get_oid(PyLdbControlObject *self,
>+ PyObject *Py_UNUSED(ignored))
> {
> return PyStr_FromString(self->data->oid);
> }
>
>-static PyObject *py_ldb_control_get_critical(PyLdbControlObject *self)
>+static PyObject *py_ldb_control_get_critical(PyLdbControlObject *self,
>+ PyObject *Py_UNUSED(ignored))
> {
> return PyBool_FromLong(self->data->critical);
> }
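Review bot: `PY_DISCARD_FUNC_SIG` (first hunk of patch 008, lib/ldb/pyldb.c) expands its `func` argument unparenthesised, `(target_sig)(void(*)(void))func`, so any argument other than a plain identifier binds to the cast differently than intended; `(target_sig)(void(*)(void))(func)` is the safe form. Because the double cast silences `-Wcast-function-type` for whatever is passed to it, the comment above the macro should say which cases it is meant for, so it is not later used to hide a genuine signature mismatch. The commit message limits it to `METH_KEYWORDS` handlers, yet the `get_linearized` entry in `py_ldb_dn_methods` further down this patch applies it to a `METH_NOARGS` function that keeps its one-argument form; that exception deserves a line in the comment too.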
>@@ -487,27 +492,32 @@ static struct ldb_result *PyLdbResult_AsResult(TALLOC_CTX *mem_ctx,
> return res;
> }
>
>-static PyObject *py_ldb_dn_validate(PyLdbDnObject *self)
>+static PyObject *py_ldb_dn_validate(PyLdbDnObject *self,
>+ PyObject *Py_UNUSED(ignored))
> {
> return PyBool_FromLong(ldb_dn_validate(self->dn));
> }
>
>-static PyObject *py_ldb_dn_is_valid(PyLdbDnObject *self)
>+static PyObject *py_ldb_dn_is_valid(PyLdbDnObject *self,
>+ PyObject *Py_UNUSED(ignored))
> {
> return PyBool_FromLong(ldb_dn_is_valid(self->dn));
> }
>
>-static PyObject *py_ldb_dn_is_special(PyLdbDnObject *self)
>+static PyObject *py_ldb_dn_is_special(PyLdbDnObject *self,
>+ PyObject *Py_UNUSED(ignored))
> {
> return PyBool_FromLong(ldb_dn_is_special(self->dn));
> }
>
>-static PyObject *py_ldb_dn_is_null(PyLdbDnObject *self)
>+static PyObject *py_ldb_dn_is_null(PyLdbDnObject *self,
>+ PyObject *Py_UNUSED(ignored))
> {
> return PyBool_FromLong(ldb_dn_is_null(self->dn));
> }
>
>-static PyObject *py_ldb_dn_get_casefold(PyLdbDnObject *self)
>+static PyObject *py_ldb_dn_get_casefold(PyLdbDnObject *self,
>+ PyObject *Py_UNUSED(ignored))
> {
> return PyStr_FromString(ldb_dn_get_casefold(self->dn));
> }
>@@ -517,12 +527,14 @@ static PyObject *py_ldb_dn_get_linearized(PyLdbDnObject *self)
> return PyStr_FromString(ldb_dn_get_linearized(self->dn));
> }
>
>-static PyObject *py_ldb_dn_canonical_str(PyLdbDnObject *self)
>+static PyObject *py_ldb_dn_canonical_str(PyLdbDnObject *self,
>+ PyObject *Py_UNUSED(ignored))
> {
> return PyStr_FromString(ldb_dn_canonical_string(self->dn, self->dn));
> }
>
>-static PyObject *py_ldb_dn_canonical_ex_str(PyLdbDnObject *self)
>+static PyObject *py_ldb_dn_canonical_ex_str(PyLdbDnObject *self,
>+ PyObject *Py_UNUSED(ignored))
> {
> return PyStr_FromString(ldb_dn_canonical_ex_string(self->dn, self->dn));
> }
>@@ -618,7 +630,8 @@ static PyObject *py_ldb_dn_richcmp(PyObject *dn1, PyObject *dn2, int op)
> return richcmp(ret, op);
> }
>
>-static PyObject *py_ldb_dn_get_parent(PyLdbDnObject *self)
>+static PyObject *py_ldb_dn_get_parent(PyLdbDnObject *self,
>+ PyObject *Py_UNUSED(ignored))
> {
> struct ldb_dn *dn = pyldb_Dn_AsDn((PyObject *)self);
> struct ldb_dn *parent;
>@@ -760,7 +773,8 @@ static PyObject *py_ldb_dn_set_component(PyLdbDnObject *self, PyObject *args)
> Py_RETURN_NONE;
> }
>
>-static PyObject *py_ldb_dn_get_rdn_name(PyLdbDnObject *self)
>+static PyObject *py_ldb_dn_get_rdn_name(PyLdbDnObject *self,
>+ PyObject *Py_UNUSED(ignored))
> {
> struct ldb_dn *dn;
> const char *name;
>@@ -775,7 +789,8 @@ static PyObject *py_ldb_dn_get_rdn_name(PyLdbDnObject *self)
> return PyStr_FromString(name);
> }
>
>-static PyObject *py_ldb_dn_get_rdn_value(PyLdbDnObject *self)
>+static PyObject *py_ldb_dn_get_rdn_value(PyLdbDnObject *self,
>+ PyObject *Py_UNUSED(ignored))
> {
> struct ldb_dn *dn;
> const struct ldb_val *val;
>@@ -803,7 +818,9 @@ static PyMethodDef py_ldb_dn_methods[] = {
> "Check whether this is a null DN." },
> { "get_casefold", (PyCFunction)py_ldb_dn_get_casefold, METH_NOARGS,
> NULL },
>- { "get_linearized", (PyCFunction)py_ldb_dn_get_linearized, METH_NOARGS,
>+ { "get_linearized", PY_DISCARD_FUNC_SIG(PyCFunction,
>+ py_ldb_dn_get_linearized),
>+ METH_NOARGS,
> NULL },
> { "canonical_str", (PyCFunction)py_ldb_dn_canonical_str, METH_NOARGS,
> "S.canonical_str() -> string\n"
>@@ -813,7 +830,9 @@ static PyMethodDef py_ldb_dn_methods[] = { > { "canonical_ex_str", (PyCFunction)py_ldb_dn_canonical_ex_str, METH_NOARGS, > "S.canonical_ex_str() -> string\n" > "Canonical version of this DN (like a posix path, with terminating newline)." }, >- { "extended_str", (PyCFunction)py_ldb_dn_extended_str, METH_VARARGS | METH_KEYWORDS, >+ { "extended_str", PY_DISCARD_FUNC_SIG(PyCFunction, >+ py_ldb_dn_extended_str), >+ METH_VARARGS | METH_KEYWORDS, > "S.extended_str(mode=1) -> string\n" > "Extended version of this DN" }, > { "parent", (PyCFunction)py_ldb_dn_get_parent, METH_NOARGS, >@@ -1027,7 +1046,8 @@ static PyObject *py_ldb_set_modules_dir(PyTypeObject *self, PyObject *args) > Py_RETURN_NONE; > } > >-static PyObject *py_ldb_transaction_start(PyLdbObject *self) >+static PyObject *py_ldb_transaction_start(PyLdbObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > struct ldb_context *ldb_ctx = pyldb_Ldb_AsLdbContext(self); > int ldb_err; >@@ -1036,7 +1056,8 @@ static PyObject *py_ldb_transaction_start(PyLdbObject *self) > Py_RETURN_NONE; > } > >-static PyObject *py_ldb_transaction_commit(PyLdbObject *self) >+static PyObject *py_ldb_transaction_commit(PyLdbObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > struct ldb_context *ldb_ctx = pyldb_Ldb_AsLdbContext(self); > int ldb_err; >@@ -1045,7 +1066,8 @@ static PyObject *py_ldb_transaction_commit(PyLdbObject *self) > Py_RETURN_NONE; > } > >-static PyObject *py_ldb_transaction_prepare_commit(PyLdbObject *self) >+static PyObject *py_ldb_transaction_prepare_commit(PyLdbObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > struct ldb_context *ldb_ctx = pyldb_Ldb_AsLdbContext(self); > int ldb_err; 
>@@ -1054,7 +1076,8 @@ static PyObject *py_ldb_transaction_prepare_commit(PyLdbObject *self) > Py_RETURN_NONE; > } > >-static PyObject *py_ldb_transaction_cancel(PyLdbObject *self) >+static PyObject *py_ldb_transaction_cancel(PyLdbObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > struct ldb_context *ldb_ctx = pyldb_Ldb_AsLdbContext(self); > int ldb_err; >@@ -1063,7 +1086,8 @@ static PyObject *py_ldb_transaction_cancel(PyLdbObject *self) > Py_RETURN_NONE; > } > >-static PyObject *py_ldb_setup_wellknown_attributes(PyLdbObject *self) >+static PyObject *py_ldb_setup_wellknown_attributes(PyLdbObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > struct ldb_context *ldb_ctx = pyldb_Ldb_AsLdbContext(self); > int ldb_err; >@@ -1077,7 +1101,8 @@ static PyObject *py_ldb_repr(PyLdbObject *self) > return PyStr_FromString("<ldb connection>"); > } > >-static PyObject *py_ldb_get_root_basedn(PyLdbObject *self) >+static PyObject *py_ldb_get_root_basedn(PyLdbObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > struct ldb_dn *dn = ldb_get_root_basedn(pyldb_Ldb_AsLdbContext(self)); > if (dn == NULL) >@@ -1086,7 +1111,8 @@ static PyObject *py_ldb_get_root_basedn(PyLdbObject *self) > } > > >-static PyObject *py_ldb_get_schema_basedn(PyLdbObject *self) >+static PyObject *py_ldb_get_schema_basedn(PyLdbObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > struct ldb_dn *dn = ldb_get_schema_basedn(pyldb_Ldb_AsLdbContext(self)); > if (dn == NULL) >@@ -1094,7 +1120,8 @@ static PyObject *py_ldb_get_schema_basedn(PyLdbObject *self) > return py_ldb_dn_copy(dn); > } > >-static PyObject *py_ldb_get_config_basedn(PyLdbObject *self) >+static PyObject *py_ldb_get_config_basedn(PyLdbObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > struct ldb_dn *dn = ldb_get_config_basedn(pyldb_Ldb_AsLdbContext(self)); > if (dn == NULL) 
>@@ -1102,7 +1129,8 @@ static PyObject *py_ldb_get_config_basedn(PyLdbObject *self) > return py_ldb_dn_copy(dn); > } > >-static PyObject *py_ldb_get_default_basedn(PyLdbObject *self) >+static PyObject *py_ldb_get_default_basedn(PyLdbObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > struct ldb_dn *dn = ldb_get_default_basedn(pyldb_Ldb_AsLdbContext(self)); > if (dn == NULL) >@@ -2195,7 +2223,8 @@ static PyObject *py_ldb_set_opaque(PyLdbObject *self, PyObject *args) > Py_RETURN_NONE; > } > >-static PyObject *py_ldb_modules(PyLdbObject *self) >+static PyObject *py_ldb_modules(PyLdbObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > struct ldb_context *ldb = pyldb_Ldb_AsLdbContext(self); > PyObject *ret = PyList_New(0); >@@ -2234,7 +2263,8 @@ static const struct ldb_dn_extended_syntax test_dn_syntax = { > .write_hex_fn = ldb_handler_copy, > }; > >-static PyObject *py_ldb_register_test_extensions(PyLdbObject *self) >+static PyObject *py_ldb_register_test_extensions(PyLdbObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > struct ldb_context *ldb = pyldb_Ldb_AsLdbContext(self); > int ret; 
>@@ -2280,22 +2310,28 @@ static PyMethodDef py_ldb_methods[] = { > NULL }, > { "get_config_basedn", (PyCFunction)py_ldb_get_config_basedn, METH_NOARGS, > NULL }, >- { "connect", (PyCFunction)py_ldb_connect, METH_VARARGS|METH_KEYWORDS, >+ { "connect", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_connect), >+ METH_VARARGS|METH_KEYWORDS, > "S.connect(url, flags=0, options=None) -> None\n" > "Connect to a LDB URL." }, >- { "modify", (PyCFunction)py_ldb_modify, METH_VARARGS|METH_KEYWORDS, >+ { "modify", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_modify), >+ METH_VARARGS|METH_KEYWORDS, > "S.modify(message, controls=None, validate=False) -> None\n" > "Modify an entry." }, >- { "add", (PyCFunction)py_ldb_add, METH_VARARGS|METH_KEYWORDS, >+ { "add", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_add), >+ METH_VARARGS|METH_KEYWORDS, > "S.add(message, controls=None) -> None\n" > "Add an entry." }, >- { "delete", (PyCFunction)py_ldb_delete, METH_VARARGS|METH_KEYWORDS, >+ { "delete", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_delete), >+ METH_VARARGS|METH_KEYWORDS, > "S.delete(dn, controls=None) -> None\n" > "Remove an entry." }, >- { "rename", (PyCFunction)py_ldb_rename, METH_VARARGS|METH_KEYWORDS, >+ { "rename", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_rename), >+ METH_VARARGS|METH_KEYWORDS, > "S.rename(old_dn, new_dn, controls=None) -> None\n" > "Rename an entry." }, >- { "search", (PyCFunction)py_ldb_search, METH_VARARGS|METH_KEYWORDS, >+ { "search", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_search), >+ METH_VARARGS|METH_KEYWORDS, > "S.search(base=None, scope=None, expression=None, attrs=None, controls=None) -> result\n" > "Search in a database.\n" > "\n" 
>@@ -2306,7 +2342,9 @@ static PyMethodDef py_ldb_methods[] = { > ":param controls: Optional list of controls\n" > ":return: ldb.Result object\n" > }, >- { "search_iterator", (PyCFunction)py_ldb_search_iterator, METH_VARARGS|METH_KEYWORDS, >+ { "search_iterator", PY_DISCARD_FUNC_SIG(PyCFunction, >+ py_ldb_search_iterator), >+ METH_VARARGS|METH_KEYWORDS, > "S.search_iterator(base=None, scope=None, expression=None, attrs=None, controls=None, timeout=None) -> iterator\n" > "Search in a database.\n" > "\n" >@@ -2623,7 +2661,8 @@ static PyObject *py_ldb_search_iterator_next(PyLdbSearchIteratorObject *self) > return py_ret; > } > >-static PyObject *py_ldb_search_iterator_result(PyLdbSearchIteratorObject *self) >+static PyObject *py_ldb_search_iterator_result(PyLdbSearchIteratorObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > PyObject *py_ret = NULL; > >@@ -2657,7 +2696,8 @@ static PyObject *py_ldb_search_iterator_result(PyLdbSearchIteratorObject *self) > return py_ret; > } > >-static PyObject *py_ldb_search_iterator_abandon(PyLdbSearchIteratorObject *self) >+static PyObject *py_ldb_search_iterator_abandon(PyLdbSearchIteratorObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > if (self->state.req == NULL) { > PyErr_SetString(PyExc_RuntimeError, 
>@@ -2707,19 +2747,22 @@ static PyObject *py_ldb_module_str(PyLdbModuleObject *self) > return PyStr_FromString(pyldb_Module_AsModule(self)->ops->name); > } > >-static PyObject *py_ldb_module_start_transaction(PyLdbModuleObject *self) >+static PyObject *py_ldb_module_start_transaction(PyLdbModuleObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > pyldb_Module_AsModule(self)->ops->start_transaction(pyldb_Module_AsModule(self)); > Py_RETURN_NONE; > } > >-static PyObject *py_ldb_module_end_transaction(PyLdbModuleObject *self) >+static PyObject *py_ldb_module_end_transaction(PyLdbModuleObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > pyldb_Module_AsModule(self)->ops->end_transaction(pyldb_Module_AsModule(self)); > Py_RETURN_NONE; > } > >-static PyObject *py_ldb_module_del_transaction(PyLdbModuleObject *self) >+static PyObject *py_ldb_module_del_transaction(PyLdbModuleObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > pyldb_Module_AsModule(self)->ops->del_transaction(pyldb_Module_AsModule(self)); > Py_RETURN_NONE; >@@ -2859,7 +2902,8 @@ static PyObject *py_ldb_module_rename(PyLdbModuleObject *self, PyObject *args) > } > > static PyMethodDef py_ldb_module_methods[] = { >- { "search", (PyCFunction)py_ldb_module_search, METH_VARARGS|METH_KEYWORDS, NULL }, >+ { "search", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_module_search), >+ METH_VARARGS|METH_KEYWORDS, NULL }, > { "add", (PyCFunction)py_ldb_module_add, METH_VARARGS, NULL }, > { "modify", (PyCFunction)py_ldb_module_modify, METH_VARARGS, NULL }, > { "rename", (PyCFunction)py_ldb_module_rename, METH_VARARGS, NULL }, >@@ -3345,7 +3389,8 @@ static PyObject *py_ldb_msg_remove_attr(PyLdbMessageObject *self, PyObject *args > Py_RETURN_NONE; > } > >-static PyObject *py_ldb_msg_keys(PyLdbMessageObject *self) >+static PyObject *py_ldb_msg_keys(PyLdbMessageObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > struct ldb_message *msg = pyldb_Message_AsMessage(self); > Py_ssize_t i, j = 0; 
>@@ -3425,7 +3470,8 @@ static PyObject *py_ldb_msg_get(PyLdbMessageObject *self, PyObject *args, PyObje > return PyObject_FromLdbValue(&el->values[idx]); > } > >-static PyObject *py_ldb_msg_items(PyLdbMessageObject *self) >+static PyObject *py_ldb_msg_items(PyLdbMessageObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > struct ldb_message *msg = pyldb_Message_AsMessage(self); > Py_ssize_t i, j = 0; >@@ -3469,7 +3515,8 @@ static PyObject *py_ldb_msg_items(PyLdbMessageObject *self) > return l; > } > >-static PyObject *py_ldb_msg_elements(PyLdbMessageObject *self) >+static PyObject *py_ldb_msg_elements(PyLdbMessageObject *self, >+ PyObject *Py_UNUSED(ignored)) > { > struct ldb_message *msg = pyldb_Message_AsMessage(self); > Py_ssize_t i = 0; >@@ -3525,13 +3572,14 @@ static PyMethodDef py_ldb_msg_methods[] = { > "Message.from_dict(ldb, dict, mod_flag=FLAG_MOD_REPLACE) -> ldb.Message\n" > "Class method to create ldb.Message object from Dictionary.\n" > "mod_flag is one of FLAG_MOD_ADD, FLAG_MOD_REPLACE or FLAG_MOD_DELETE."}, >- { "keys", (PyCFunction)py_ldb_msg_keys, METH_NOARGS, >+ { "keys", (PyCFunction)py_ldb_msg_keys, METH_NOARGS, > "S.keys() -> list\n\n" > "Return sequence of all attribute names." }, > { "remove", (PyCFunction)py_ldb_msg_remove_attr, METH_VARARGS, > "S.remove(name)\n\n" > "Remove all entries for attributes with the specified name."}, >- { "get", (PyCFunction)py_ldb_msg_get, METH_VARARGS | METH_KEYWORDS, >+ { "get", PY_DISCARD_FUNC_SIG(PyCFunction, py_ldb_msg_get), >+ METH_VARARGS | METH_KEYWORDS, > "msg.get(name,default=None,idx=None) -> string\n" > "idx is the index into the values array\n" > "if idx is None, then a list is returned\n" >@@ -3549,7 +3597,7 @@ static PyObject *py_ldb_msg_iter(PyLdbMessageObject *self) > { > PyObject *list, *iter; > >- list = py_ldb_msg_keys(self); >+ list = py_ldb_msg_keys(self, NULL); > iter = PyObject_GetIter(list); > Py_DECREF(list); > return iter; 
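Review bot: In `py_ldb_msg_iter`, the result of `py_ldb_msg_keys(self, NULL)` goes straight into `PyObject_GetIter()` and `Py_DECREF()` without a NULL check. The body of `py_ldb_msg_keys` is only partly visible here, but if it can fail (a list allocation, for instance) this dereferences NULL instead of propagating the Python exception. Since the line is being touched anyway, add `if (list == NULL) { return NULL; }` before the `PyObject_GetIter` call.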
>@@ -4202,7 +4250,8 @@ static PyMethodDef py_ldb_global_methods[] = { > { "valid_attr_name", py_valid_attr_name, METH_VARARGS, > "S.valid_attr_name(name) -> bool\n\nn" > "Check whether the supplied name is a valid attribute name." }, >- { "open", (PyCFunction)py_ldb_new, METH_VARARGS|METH_KEYWORDS, >+ { "open", PY_DISCARD_FUNC_SIG(PyCFunction,py_ldb_new), >+ METH_VARARGS|METH_KEYWORDS, > "S.open() -> Ldb\n\n" > "Open a new LDB context." }, > { "binary_encode", py_binary_encode, METH_VARARGS, >-- >2.25.1 > > >From bf97046b8e4b975f478abbba3cedf459cdafa312 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 5 Mar 2021 15:47:56 +1300 >Subject: [PATCH 009/686] ldb: add tests for ldb_wildcard_compare >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044 > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Reviewed-by: Björn Jacke <bjacke@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 33a95a1e75b85e9795c4490b78ead2162e2a1f47) >--- > lib/ldb/tests/ldb_match_test.c | 134 ++++++++++++++++++++++++++++++--- > 1 file changed, 124 insertions(+), 10 deletions(-) > >diff --git a/lib/ldb/tests/ldb_match_test.c b/lib/ldb/tests/ldb_match_test.c >index e09f50c86ba..3028aed072c 100644 >--- a/lib/ldb/tests/ldb_match_test.c >+++ b/lib/ldb/tests/ldb_match_test.c 
>@@ -91,6 +91,33 @@ static int teardown(void **state)
> return 0;
> }
>
>+static void escape_string(uint8_t *buf, size_t buflen,
>+ const uint8_t *s, size_t len)
>+{
>+ size_t i;
>+ size_t j = 0;
>+ for (i = 0; i < len; i++) {
>+ if (j == buflen - 1) {
>+ goto fin;
>+ }
>+ if (s[i] >= 0x20) {
>+ buf[j] = s[i];
>+ j++;
>+ } else {
>+ if (j >= buflen - 4) {
>+ goto fin;
>+ }
>+ /* utf-8 control char representation */
>+ buf[j] = 0xE2;
>+ buf[j + 1] = 0x90;
>+ buf[j + 2] = 0x80 + s[i];
>+ j+= 3;
>+ }
>+ }
>+fin:
>+ buf[j] = 0;
>+}
>+
>
> /*
> * The wild card pattern "attribute=*" is parsed as an LDB_OP_PRESENT operation
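Review bot: `escape_string` computes `buflen - 1` and `buflen - 4` on a `size_t`, so a `buflen` of 0 wraps the first bound and anything below 4 wraps the second, after which the three-byte escape or the final `buf[j] = 0` is written outside the buffer. The only callers visible in this patch pass a 100-byte array, so the problem is latent, but a guard at the top such as `if (buflen < 4) { if (buflen > 0) buf[0] = 0; return; }` makes the helper safe to reuse. Bytes of 0x7f and above are copied through unescaped, so the output is not guaranteed to be valid UTF-8 when truncated; a one-line comment saying so would help the next reader.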
>@@ -122,23 +149,110 @@ static void test_wildcard_match_star(void **state) > * Test basic wild card matching > * > */ >+struct wildcard_test { >+ uint8_t *val; >+ size_t val_size; >+ const char *search; >+ bool should_match; >+ bool fold; >+}; >+ >+/* >+ * Q: Why this macro rather than plain struct values? >+ * A: So we can get the size of the const char[] value while it is still a >+ * true array, not a pointer. >+ * >+ * Q: but why not just use strlen? >+ * A: so values can contain '\0', which we supposedly allow. >+ */ >+ >+#define TEST_ENTRY(val, search, should_match, fold) \ >+ { \ >+ (uint8_t*)discard_const(val), \ >+ sizeof(val) - 1, \ >+ search, \ >+ should_match, \ >+ fold \ >+ } >+ > static void test_wildcard_match(void **state) > { > struct ldbtest_ctx *ctx = *state; >- bool matched = false; >- >- uint8_t value[] = "The value.......end"; >- struct ldb_val val = { >- .data = value, >- .length = (sizeof(value)) >+ size_t failed = 0; >+ size_t i; >+ struct wildcard_test tests[] = { >+ TEST_ENTRY("The value.......end", "*end", true, true), >+ TEST_ENTRY("The value.......end", "*fend", false, true), >+ TEST_ENTRY("The value.......end", "*eel", false, true), >+ TEST_ENTRY("The value.......end", "*d", true, true), >+ TEST_ENTRY("The value.......end", "*D*", true, true), >+ TEST_ENTRY("The value.......end", "*e*d*", true, true), >+ TEST_ENTRY("end", "*e*d*", true, true), >+ TEST_ENTRY("end", " *e*d*", true, true), >+ TEST_ENTRY("1.0.0.0.0.0.0.0aaaaaaaaaaaa", "*aaaaa", true, true), >+ TEST_ENTRY("1.0..0.0.0.0.0.0.0aAaaaAAAAAAA", "*a", true, true), >+ TEST_ENTRY("1.0.0.0.0.0.0.0.0.0.0aaaa", "*aaaaa", false, true), >+ TEST_ENTRY("1.0.0.0.0.0.0.0.0.0.0", "*0.0", true, true), >+ TEST_ENTRY("1.0.0.0.0.0.0.0.0.0.0", "*0.0.0", true, true), >+ TEST_ENTRY("1.0.0.0.0.0.0.0.0.0", "1*0*0*0*0*0*0*0*0*0", true, >+ true), >+ TEST_ENTRY("1.0.0.0.0.0.0.0.0", "1*0*0*0*0*0*0*0*0*0", false, >+ true), >+ TEST_ENTRY("1.0.0.0.000.0.0.0.0", "1*0*0*0*0*0*0*0*0*0", true, >+ true), >+ 
TEST_ENTRY("1\n0\r0\t000.0.0.0.0", "1*0*0*0*0*0*0*0*0", true, >+ true), >+ /* >+ * We allow NUL bytes in non-casefolding syntaxes. >+ */ >+ TEST_ENTRY("1\x00 x", "1*x", true, false), >+ TEST_ENTRY("1\x00 x", "*x", true, false), >+ TEST_ENTRY("1\x00 x", "*x*", true, false), >+ TEST_ENTRY("1\x00 x", "* *", true, false), >+ TEST_ENTRY("1\x00 x", "1*", true, false), >+ TEST_ENTRY("1\x00 b* x", "1*b*", true, false), >+ TEST_ENTRY("1.0..0.0.0.0.0.0.0aAaaaAAAAAAA", "*a", false, false), > }; >- struct ldb_parse_tree *tree = ldb_parse_tree(ctx, "objectClass=*end"); >- assert_non_null(tree); > >- ldb_wildcard_compare(ctx->ldb, tree, val, &matched); >- assert_true(matched); >+ for (i = 0; i < ARRAY_SIZE(tests); i++) { >+ bool matched; >+ int ret; >+ struct ldb_val val = { >+ .data = (uint8_t *)tests[i].val, >+ .length = tests[i].val_size >+ }; >+ const char *attr = tests[i].fold ? "objectclass" : "birthLocation"; >+ const char *s = talloc_asprintf(ctx, "%s=%s", >+ attr, tests[i].search); >+ struct ldb_parse_tree *tree = ldb_parse_tree(ctx, s); >+ assert_non_null(tree); >+ ret = ldb_wildcard_compare(ctx->ldb, tree, val, &matched); >+ if (ret != LDB_SUCCESS) { >+ uint8_t buf[100]; >+ escape_string(buf, sizeof(buf), >+ tests[i].val, tests[i].val_size); >+ print_error("%zu val: «%s», search «%s» FAILED with %d\n", >+ i, buf, tests[i].search, ret); >+ failed++; >+ } >+ if (matched != tests[i].should_match) { >+ uint8_t buf[100]; >+ escape_string(buf, sizeof(buf), >+ tests[i].val, tests[i].val_size); >+ print_error("%zu val: «%s», search «%s» should %s\n", >+ i, buf, tests[i].search, >+ matched ? "not match" : "match"); >+ failed++; >+ } >+ } >+ if (failed != 0) { >+ fail_msg("wrong results for %zu/%zu wildcard searches\n", >+ failed, ARRAY_SIZE(tests)); >+ } > } > >+#undef TEST_ENTRY >+ > > /* > * ldb_handler_copy and ldb_val_dup over allocate by one and add a trailing '\0' >-- >2.25.1 > > >From 6649b2c2c134dda674709d5cb8fc0890cc76ffdf Mon Sep 17 00:00:00 2001 
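Review bot: In `test_wildcard_match`, `matched` is now declared without an initialiser inside the loop, yet it is compared with `tests[i].should_match` even when `ldb_wildcard_compare()` has returned an error. Whether the function stores to `*matched` on every failure path cannot be seen from this hunk, so the comparison may read an indeterminate value and the same case can be counted as failed twice. Declaring `bool matched = false;` (as the removed code did) and adding `continue;` at the end of the `ret != LDB_SUCCESS` branch avoids both. The result of `talloc_asprintf()` is also handed to `ldb_parse_tree()` unchecked; `assert_non_null(s);` would make an allocation failure explicit.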
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Date: Fri, 5 Mar 2021 20:13:01 +1300
>Subject: [PATCH 010/686] CVE-2021-20277 ldb tests: ldb_match tests with extra
> spaces
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655
>
>Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit ea4bd2c437fbb5801fb82e2a038d9cdb5abea4c0)
>---
> lib/ldb/tests/ldb_match_test.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
>diff --git a/lib/ldb/tests/ldb_match_test.c b/lib/ldb/tests/ldb_match_test.c
>index 3028aed072c..ba6ea56be15 100644
>--- a/lib/ldb/tests/ldb_match_test.c
>+++ b/lib/ldb/tests/ldb_match_test.c
>@@ -181,6 +181,8 @@ static void test_wildcard_match(void **state)
> size_t failed = 0;
> size_t i;
> struct wildcard_test tests[] = {
>+ TEST_ENTRY(" 1 0", "1*0*", true, true),
>+ TEST_ENTRY(" 1 0", "1 *0", true, true),
> TEST_ENTRY("The value.......end", "*end", true, true),
> TEST_ENTRY("The value.......end", "*fend", false, true),
> TEST_ENTRY("The value.......end", "*eel", false, true),
>@@ -203,8 +205,12 @@ static void test_wildcard_match(void **state)
> TEST_ENTRY("1\n0\r0\t000.0.0.0.0", "1*0*0*0*0*0*0*0*0", true,
> true),
> /*
>- * We allow NUL bytes in non-casefolding syntaxes.
>+ * We allow NUL bytes and redundant spaces in non-casefolding
>+ * syntaxes.
> */
>+ TEST_ENTRY(" 1 0", "*1 0", true, false),
>+ TEST_ENTRY(" 1 0", "*1 0", true, false),
>+ TEST_ENTRY("1 0", "*1 0", false, false),
> TEST_ENTRY("1\x00 x", "1*x", true, false),
> TEST_ENTRY("1\x00 x", "*x", true, false),
> TEST_ENTRY("1\x00 x", "*x*", true, false),
>--
>2.25.1
>
>
>From 4e0166bb9c41981d01307540cc845472244fc237 Mon Sep 17 00:00:00 2001
>From: Joe Guo <joeg@catalyst.net.nz>
>Date: Thu, 7 Mar 2019 12:34:15 +1300
>Subject: [PATCH 011/686] subunit/run.py: make iso8601 UTC usage python 2/3
> compatible
>
>In `iso8601/iso8601.py`:
>
> if sys.version_info >= (3, 2, 0):
> UTC = datetime.timezone.utc
> ...
> else:
> class Utc(datetime.tzinfo):
> ...
>
> UTC = Utc()
>
>The class `Utc` is only available for python < 3.2.0.
>Use `UTC` instance instead, which is python 2/3 compatible.
>
>Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Noel Power <npower@samba.org>
>(cherry picked from commit 02c7b8c03d4970421a5170e44c57cbc3cda82827)
>---
> python/samba/subunit/run.py | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
>diff --git a/python/samba/subunit/run.py b/python/samba/subunit/run.py
>index 8f32d46ef49..89ca8a8050b 100755
>--- a/python/samba/subunit/run.py
>+++ b/python/samba/subunit/run.py
>@@ -24,7 +24,7 @@
> $ python -m samba.subunit.run mylib.tests.test_suite
> """
>
>-from iso8601.iso8601 import Utc
>+from iso8601.iso8601 import UTC
>
> import datetime
> import os
>@@ -184,7 +184,7 @@ class TestProtocolClient(unittest.TestResult):
>
> ":param datetime: A datetime.datetime object.
> """
>- time = a_datetime.astimezone(Utc())
>+ time = a_datetime.astimezone(UTC)
> self._stream.write("time: %04d-%02d-%02d %02d:%02d:%02d.%06dZ\n" % (
> time.year, time.month, time.day, time.hour, time.minute,
> time.second, time.microsecond))
>@@ -458,7 +458,7 @@ class AutoTimingTestResultDecorator(HookedTestResultDecorator):
> time = self._time
> if time is not None:
> return
>- time = datetime.datetime.utcnow().replace(tzinfo=UTC)
>+ time = datetime.datetime.utcnow().replace(tzinfo=UTC)
> self.decorated.time(time)
>
> @property
>--
>2.25.1
>
>
>From 4d872b97aac79402d7959bbca864cd36be9409ae Mon Sep 17 00:00:00 2001
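Review bot: In the `AutoTimingTestResultDecorator` hunk the timestamp is still built as `datetime.datetime.utcnow().replace(tzinfo=UTC)`, a naive value with the zone attached afterwards; `datetime.datetime.now(UTC)` yields the same aware datetime in one step on both Python 2 and 3. The import also reaches into the `iso8601.iso8601` submodule; if the bundled package re-exports the name, `from iso8601 import UTC` would be less tied to its internal layout. The enclosing method starts outside the hunk.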
>From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 26 Feb 2019 14:01:10 +0100 >Subject: [PATCH 012/686] selftest:Samba4: add fl2008dc as alias to ad_dc_ntvfs > >Using aliases it will be possible to split the large amount >of tests which use ad_dc_ntvfs into multiple autobuild/ci >tasks/jobs later. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 62eeab8f6cb6d9c85353738a2da073e0a16bd418) > >[jsutton@samba.org Adapted to fix conflicts and remove autobuild.py > changes] >--- > selftest/target/Samba4.pm | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > >diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm >index a7a6c4c9587..b4c89a5a4bb 100755 >--- a/selftest/target/Samba4.pm >+++ b/selftest/target/Samba4.pm >@@ -2371,9 +2371,26 @@ sub check_env($$) > labdc => ["backupfromdc"], > proclimitdc => [], > >+ # aliases in order to split autbuild tasks >+ fl2008dc => ["ad_dc_ntvfs"], >+ > none => [], > ); > >+sub return_alias_env >+{ >+ my ($self, $path, $env) = @_; >+ >+ # just an alias >+ return $env; >+} >+ >+sub setup_fl2008dc >+{ >+ my ($self, $path, $dep_env) = @_; >+ return $self->return_alias_env($path, $dep_env) >+} >+ > sub setup_s4member > { > my ($self, $path, $dc_vars) = @_; >-- >2.25.1 > > >From 7133e36647b3d6a51f68b55d9f8cdb9aa89b6da4 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 26 Feb 2019 14:03:29 +0100 >Subject: [PATCH 013/686] selftest:Samba4: add ad_dc_default alias to > ad_dc_ntvfs > >This will allow us to run really most tests in an isolated >autobuild/ci task later. > >This will apply to tests, which may not rely on the ntvfs backend, so >the ad_dc_default alias can point to another environment in future. 
> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit c217a15a2c3c6b6c171d28a57f9b0248dacaec53) > >[jsutton@samba.org Adapted to fix conflicts and remove autobuild.py > changes] >--- > selftest/target/Samba4.pm | 7 +++++++ > 1 file changed, 7 insertions(+) > >diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm >index b4c89a5a4bb..2fbd5e24928 100755 >--- a/selftest/target/Samba4.pm >+++ b/selftest/target/Samba4.pm >@@ -2373,6 +2373,7 @@ sub check_env($$) > > # aliases in order to split autbuild tasks > fl2008dc => ["ad_dc_ntvfs"], >+ ad_dc_default => ["ad_dc_ntvfs"], > > none => [], > ); >@@ -2391,6 +2392,12 @@ sub setup_fl2008dc > return $self->return_alias_env($path, $dep_env) > } > >+sub setup_ad_dc_default >+{ >+ my ($self, $path, $dep_env) = @_; >+ return $self->return_alias_env($path, $dep_env) >+} >+ > sub setup_s4member > { > my ($self, $path, $dc_vars) = @_; >-- >2.25.1 > > >From c839dceddcc0f16632b3c1e268efffb624708777 Mon Sep 17 00:00:00 2001 >From: Michael Hanselmann <public@hansmi.ch> >Date: Thu, 4 Apr 2019 00:04:23 +0200 >Subject: [PATCH 014/686] ndrdump: Remove local variables for pipes > >There's no need for the local variables as the NDR call structure >pointer is kept around anyway. > >Signed-off-by: Michael Hanselmann <public@hansmi.ch> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 10dd15010bddb929128b3585f1280ae1eb7b6b99) >--- > librpc/tools/ndrdump.c | 12 ++++-------- > 1 file changed, 4 insertions(+), 8 deletions(-) > >diff --git a/librpc/tools/ndrdump.c b/librpc/tools/ndrdump.c >index e26d3719429..b7eae70833e 100644 >--- a/librpc/tools/ndrdump.c >+++ b/librpc/tools/ndrdump.c 
>@@ -229,8 +229,6 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) > POPT_COMMON_VERSION > { NULL } > }; >- const struct ndr_interface_call_pipes *in_pipes = NULL; >- const struct ndr_interface_call_pipes *out_pipes = NULL; > uint32_t highest_ofs; > struct dcerpc_sec_verification_trailer *sec_vt = NULL; > >@@ -319,11 +317,9 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) > if (strcmp(inout, "in") == 0 || > strcmp(inout, "request") == 0) { > flags = NDR_IN; >- in_pipes = &f->in_pipes; > } else if (strcmp(inout, "out") == 0 || > strcmp(inout, "response") == 0) { > flags = NDR_OUT; >- out_pipes = &f->out_pipes; > } else { > printf("Bad inout value '%s'\n", inout); > exit(1); >@@ -445,8 +441,8 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) > } > TALLOC_FREE(sec_vt); > >- if (out_pipes) { >- status = ndrdump_pull_and_print_pipes(function, ndr_pull, ndr_print, out_pipes); >+ if (flags & NDR_OUT) { >+ status = ndrdump_pull_and_print_pipes(function, ndr_pull, ndr_print, &f->out_pipes); > if (!NT_STATUS_IS_OK(status)) { > printf("dump FAILED\n"); > exit(1); >@@ -483,8 +479,8 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) > exit(1); > } > >- if (in_pipes) { >- status = ndrdump_pull_and_print_pipes(function, ndr_pull, ndr_print, in_pipes); >+ if (flags & NDR_IN) { >+ status = ndrdump_pull_and_print_pipes(function, ndr_pull, ndr_print, &f->in_pipes); > if (!NT_STATUS_IS_OK(status)) { > printf("dump FAILED\n"); > exit(1); >-- >2.25.1 > > >From 601afa324cd55f2c12cb28ca7dbc1a6f9a67e090 Mon Sep 17 00:00:00 2001 
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 12 Apr 2019 15:10:35 +1200
>Subject: [PATCH 015/686] ndrdump: change behaviour of flags to operate as
> flags
>
>These are called flags because that is what they become to the ndr_pull function,
>but to avoid total confusion treat them as flags generally even if the values are
>always exclusive (at the moment).
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>(cherry picked from commit c9e6331afc1ee0e85a9582c6682ff95885135792)
>---
> librpc/tools/ndrdump.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
>diff --git a/librpc/tools/ndrdump.c b/librpc/tools/ndrdump.c
>index b7eae70833e..ef7f9c66139 100644
>--- a/librpc/tools/ndrdump.c
>+++ b/librpc/tools/ndrdump.c
>@@ -201,7 +201,7 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...)
> struct ndr_pull *ndr_pull;
> struct ndr_print *ndr_print;
> TALLOC_CTX *mem_ctx;
>- int flags;
>+ int flags = 0;
> poptContext pc;
> NTSTATUS status;
> enum ndr_err_code ndr_err;
>@@ -316,10 +316,10 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...)
>
> if (strcmp(inout, "in") == 0 ||
> strcmp(inout, "request") == 0) {
>- flags = NDR_IN;
>+ flags |= NDR_IN;
> } else if (strcmp(inout, "out") == 0 ||
> strcmp(inout, "response") == 0) {
>- flags = NDR_OUT;
>+ flags |= NDR_OUT;
> } else {
> printf("Bad inout value '%s'\n", inout);
> exit(1);
>@@ -340,7 +340,7 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...)
> }
>
> if (ctx_filename) {
>- if (flags == NDR_IN) {
>+ if (flags & NDR_IN) {
> printf("Context file can only be used for \"out\" packages\n");
> exit(1);
> }
>--
>2.25.1
>
>
>From 36ff31e285f22e430c9c54c848c6b90db82402d6 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz> >Date: Tue, 4 Jun 2019 14:01:49 +1200 >Subject: [PATCH 016/686] tests blackbox ndrdump: Add test for struct printing > >Add test for the dumping of a public structure with ndrdump. This >removes the need to define decode_* functions in the idl. > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 0e771f0ed6cb900e6eccc3a4205120ae8c0f7ee2) >--- > python/samba/tests/blackbox/ndrdump.py | 12 ++++++++++-- > selftest/knownfail.d/ndrdump | 1 + > 2 files changed, 11 insertions(+), 2 deletions(-) > create mode 100644 selftest/knownfail.d/ndrdump > >diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py >index 350d576bc81..7ca7b93f559 100644 >--- a/python/samba/tests/blackbox/ndrdump.py >+++ b/python/samba/tests/blackbox/ndrdump.py >@@ -22,7 +22,7 @@ from __future__ import print_function > """Blackbox tests for ndrdump.""" > > import os >-from samba.tests import BlackboxTestCase >+from samba.tests import BlackboxTestCase, BlackboxProcessError > > for p in ["../../../../../source4/librpc/tests", "../../../../../librpc/tests"]: > data_path_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), p)) >@@ -49,6 +49,14 @@ class NdrDumpTests(BlackboxTestCase): > def test_ndrdump_with_validate(self): > self.check_run("ndrdump --validate samr samr_CreateUser in %s" % (self.data_path("samr-CreateUser-in.dat"))) > >- def test_ndrdump_with_hex(self): >+ def test_ndrdump_with_hex_decode_function(self): > self.check_run("ndrdump dns decode_dns_name_packet in --hex-input %s" % > self.data_path("dns-decode_dns_name_packet-hex.dat")) >+ >+ def test_ndrdump_with_hex_struct_name(self): >+ try: >+ self.check_run( >+ "ndrdump dns dns_name_packet struct --hex-input %s" % >+ self.data_path("dns-decode_dns_name_packet-hex.dat")) >+ except BlackboxProcessError as e: >+ self.fail(e) 
>diff --git a/selftest/knownfail.d/ndrdump b/selftest/knownfail.d/ndrdump >new file mode 100644 >index 00000000000..9f7335f5d0b >--- /dev/null >+++ b/selftest/knownfail.d/ndrdump >@@ -0,0 +1 @@ >+^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_with_hex_struct_name\(none\) >-- >2.25.1 > > >From 224c964cd6ac4c49d2ec04041ac0472729b5a87e Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Wed, 5 Jun 2019 08:43:33 +1200 >Subject: [PATCH 017/686] pidl: Allow ndrdump to print public structures > >Generate code to allow ndrdump to operate on public structures. > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 5d67e87d1c4504593f5da712f00de85371f8942f) >--- > librpc/ndr/libndr.h | 10 ++++++ > pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 41 +++++++++++++++++++++++- > 2 files changed, 50 insertions(+), 1 deletion(-) > >diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h >index 8a15fccfe09..8ece7374b9a 100644 >--- a/librpc/ndr/libndr.h >+++ b/librpc/ndr/libndr.h >@@ -455,6 +455,14 @@ struct ndr_interface_call { > struct ndr_interface_call_pipes out_pipes; > }; > >+struct ndr_interface_public_struct { >+ const char *name; >+ size_t struct_size; >+ ndr_push_flags_fn_t ndr_push; >+ ndr_pull_flags_fn_t ndr_pull; >+ ndr_print_function_t ndr_print; >+}; >+ > struct ndr_interface_string_array { > uint32_t count; > const char * const *names; >@@ -466,6 +474,8 @@ struct ndr_interface_table { > const char *helpstring; > uint32_t num_calls; > const struct ndr_interface_call *calls; >+ uint32_t num_public_structs; >+ const struct ndr_interface_public_struct *public_structs; > const struct ndr_interface_string_array *endpoints; > const struct ndr_interface_string_array *authservices; > }; 
>diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >index 432e52f89c4..2fc4327faf4 100644 >--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm >@@ -1833,6 +1833,9 @@ sub ParseStructNdrSize($$$$) > sub DeclStruct($$$$) > { > my ($e,$t,$name,$varname) = @_; >+ if ($t eq "base") { >+ return "struct $name $varname"; >+ } > return ($t ne "pull"?"const ":"") . "struct $name *$varname"; > } > >@@ -2175,6 +2178,9 @@ sub ParseUnionPull($$$$) > sub DeclUnion($$$$) > { > my ($e,$t,$name,$varname) = @_; >+ if ($t eq "base") { >+ return "union $name $varname"; >+ } > return ($t ne "pull"?"const ":"") . "union $name *$varname"; > } 
> >@@ -2752,21 +2758,52 @@ sub FunctionCallEntry($$) > return 1; > } > >+sub StructEntry($$) >+{ >+ my ($self, $d) = @_; >+ my $type_decl = $typefamily{$d->{TYPE}}->{DECL}->($d, "base", $d->{NAME}, ""); >+ >+ $self->pidl("\t{"); >+ $self->pidl("\t\t.name = \"$d->{NAME}\","); >+ $self->pidl("\t\t.struct_size = sizeof($type_decl),"); >+ $self->pidl("\t\t.ndr_push = (ndr_push_flags_fn_t) ndr_push_$d->{NAME},"); >+ $self->pidl("\t\t.ndr_pull = (ndr_pull_flags_fn_t) ndr_pull_$d->{NAME},"); >+ $self->pidl("\t\t.ndr_print = (ndr_print_function_t) ndr_print_$d->{NAME},"); >+ $self->pidl("\t},"); >+ return 1; >+} >+ > ##################################################################### > # produce a function call table > sub FunctionTable($$) > { > my($self,$interface) = @_; > my $count = 0; >+ my $count_public_structs = 0; > my $uname = uc $interface->{NAME}; > >- return if ($#{$interface->{FUNCTIONS}}+1 == 0); >+ foreach my $d (@{$interface->{TYPES}}) { >+ next unless (has_property($d, "public")); >+ $count_public_structs += 1; >+ } >+ return if ($#{$interface->{FUNCTIONS}}+1 == 0 and >+ $count_public_structs == 0); > return unless defined ($interface->{PROPERTIES}->{uuid}); > > foreach my $d (@{$interface->{INHERITED_FUNCTIONS}},@{$interface->{FUNCTIONS}}) { > $self->FunctionCallPipes($d); > } > >+ $self->pidl("static const struct ndr_interface_public_struct $interface->{NAME}\_public_structs[] = {"); >+ >+ foreach my $d (@{$interface->{TYPES}}) { >+ next unless (has_property($d, "public")); >+ $self->StructEntry($d) >+ } >+ $self->pidl("\t{ .name = NULL }"); >+ $self->pidl("};"); >+ $self->pidl(""); >+ > $self->pidl("static const struct ndr_interface_call $interface->{NAME}\_calls[] = {"); > > foreach my $d (@{$interface->{INHERITED_FUNCTIONS}},@{$interface->{FUNCTIONS}}) { 
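Review bot: Both new loops in FunctionTable select every entry of `$interface->{TYPES}` that has the `public` property, but only DeclStruct and DeclUnion were taught the `"base"` form in this patch, so a public type of any other family would presumably get `sizeof()` of whatever its DECL returns for an unrecognised `$t`. Restricting the filter to structures in addition to the `public` check, for example `next unless ($d->{TYPE} eq "STRUCT" or ($d->{TYPE} eq "TYPEDEF" and $d->{DATA}->{TYPE} eq "STRUCT"));` (assuming the usual pidl tree shape), keeps the count and the table in step with what StructEntry can describe. The three casts in StructEntry also hide any difference between the generated `ndr_push_NAME`/`ndr_pull_NAME`/`ndr_print_NAME` prototypes and the table's function-pointer types; ndrdump calls `ndr_print` with four arguments, so it is worth confirming that the generated print function for a struct takes the same four, or emitting a typed wrapper instead of a cast. FunctionTable continues outside the hunk.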
>@@ -2807,6 +2844,8 @@ sub FunctionTable($$) > $self->pidl("\t.helpstring\t= NDR_$uname\_HELPSTRING,"); > $self->pidl("\t.num_calls\t= $count,"); > $self->pidl("\t.calls\t\t= $interface->{NAME}\_calls,"); >+ $self->pidl("\t.num_public_structs\t= $count_public_structs,"); >+ $self->pidl("\t.public_structs\t\t= $interface->{NAME}\_public_structs,"); > $self->pidl("\t.endpoints\t= &$interface->{NAME}\_endpoints,"); > $self->pidl("\t.authservices\t= &$interface->{NAME}\_authservices"); > $self->pidl("};"); >-- >2.25.1 > > >From 920b85eb4735af78bc32e6b10dd869cdcdcec529 Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Wed, 5 Jun 2019 08:44:09 +1200 >Subject: [PATCH 018/686] ndrdump: print public structures > >Add a struct option to ndrdump that will allow it to print public >structures. > i.e. binn/ndrdump dns dns_name_packet struct data.file > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 3bf05fbfd7106f46b35ee027f57be4c6af72f22e) >--- > librpc/tools/ndrdump.1.xml | 15 +++--- > librpc/tools/ndrdump.c | 98 +++++++++++++++++++++++++++++------- > selftest/knownfail.d/ndrdump | 1 - > 3 files changed, 88 insertions(+), 26 deletions(-) > delete mode 100644 selftest/knownfail.d/ndrdump > >diff --git a/librpc/tools/ndrdump.1.xml b/librpc/tools/ndrdump.1.xml >index e148eee0f03..fa6d763d18f 100644 >--- a/librpc/tools/ndrdump.1.xml >+++ b/librpc/tools/ndrdump.1.xml >@@ -21,8 +21,8 @@ > <command>ndrdump</command> > <arg choice="opt">-c context</arg> > <arg choice="req">pipe</arg> >- <arg choice="req">function</arg> >- <arg choice="req">in|out</arg> >+ <arg choice="req">format</arg> >+ <arg choice="req">in|out|struct</arg> > <arg choice="req">filename</arg> > </cmdsynopsis> > <cmdsynopsis> 
>@@ -38,15 +38,18 @@ > <title>DESCRIPTION</title> > > <para>ndrdump tries to parse the specified <replaceable>filename</replaceable> >- using Samba's parser for the specified pipe and function. The >+ using Samba's parser for the specified pipe and format. The > third argument should be >- either <emphasis>in</emphasis> or <emphasis>out</emphasis>, depending >- on whether the data should be parsed as a request or a reply.</para> >+ either <emphasis>in</emphasis>, <emphasis>out</emphasis> >+ or <emphasis>struct</emphasis>depending >+ on whether the data should be parsed as a request, reply or a >+ public structure.</para> > > <para>Running ndrdump without arguments will list the pipes for which > parsers are available.</para> > >- <para>Running ndrdump with one argument will list the functions that >+ <para>Running ndrdump with one argument will list the functions and >+ public structures that > Samba can parse for the specified pipe.</para> > > <para>The primary function of ndrdump is debugging Samba's internal >diff --git a/librpc/tools/ndrdump.c b/librpc/tools/ndrdump.c >index ef7f9c66139..bd4f277607b 100644 >--- a/librpc/tools/ndrdump.c >+++ b/librpc/tools/ndrdump.c 
>@@ -48,6 +48,35 @@ static const struct ndr_interface_call *find_function( > return &p->calls[i]; > } > >+/* >+ * Find a public structure on the pipe and return it as if it were >+ * a function (as the rest of ndrdump is based around functions) >+ */ >+static const struct ndr_interface_call *find_struct( >+ const struct ndr_interface_table *p, >+ const char *struct_name, >+ struct ndr_interface_call *out_buffer) >+{ >+ int i; >+ for (i=0;i<p->num_public_structs;i++) { >+ if (strcmp(p->public_structs[i].name, struct_name) == 0) { >+ break; >+ } >+ } >+ if (i == p->num_public_structs) { >+ printf("Public structure '%s' not found\n", struct_name); >+ exit(1); >+ } >+ *out_buffer = (struct ndr_interface_call) { >+ .name = p->public_structs[i].name, >+ .struct_size = p->public_structs[i].struct_size, >+ .ndr_pull = p->public_structs[i].ndr_pull, >+ .ndr_push = p->public_structs[i].ndr_push, >+ .ndr_print = p->public_structs[i].ndr_print >+ }; >+ return out_buffer; >+} >+ > _NORETURN_ static void show_pipes(void) > { > const struct ndr_interface_list *l; >@@ -71,6 +100,10 @@ _NORETURN_ static void show_functions(const struct ndr_interface_table *p) > for (i=0;i<p->num_calls;i++) { > printf("\t0x%02x (%2d) %s\n", i, i, p->calls[i].name); > } >+ printf("known public structures on '%s' are:\n", p->name); >+ for (i=0;i<p->num_public_structs;i++) { >+ printf("\t%s\n", p->public_structs[i].name); >+ } > exit(1); > } 
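Review bot: `find_struct` compares a signed `int i` with `p->num_public_structs`, which the libndr.h change declares as `uint32_t`; declaring `uint32_t i;` avoids the signed/unsigned comparison. The comment above the function should also state the contract a caller needs: `out_buffer` is caller-provided storage that the returned pointer aliases, members not named in the initializer (such as `in_pipes` and `out_pipes`) are left zeroed, and an unknown name ends the process with `exit(1)` rather than returning NULL. The loop relies on the count only, so the `{ .name = NULL }` terminator that pidl emits is never reached by `strcmp`; a short why-comment saying so would stop a later change from iterating past the count.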
> >@@ -194,7 +227,21 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) > { > const struct ndr_interface_table *p = NULL; > const struct ndr_interface_call *f; >- const char *pipe_name, *function, *inout, *filename; >+ struct ndr_interface_call f_buffer; >+ const char *pipe_name = NULL; >+ const char *filename = NULL; >+ /* >+ * The format type: >+ * in: a request >+ * out: a response >+ * struct: a public structure >+ */ >+ const char *type = NULL; >+ /* >+ * Format is either the name of the decoding function or the >+ * name of a public structure >+ */ >+ const char *format = NULL; > uint8_t *data; > size_t size; > DATA_BLOB blob; >@@ -244,7 +291,7 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) > pc = poptGetContext("ndrdump", argc, argv, long_options, 0); > > poptSetOtherOptionHelp( >- pc, "<pipe|uuid> <function> <inout> [<filename>]"); >+ pc, "<pipe|uuid> <format> <in|out|struct> [<filename>]"); > > while ((opt = poptGetNextOpt(pc)) != -1) { > switch (opt) { 
>@@ -302,29 +349,34 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) > exit(1); > } > >- function = poptGetArg(pc); >- inout = poptGetArg(pc); >+ format = poptGetArg(pc); >+ type = poptGetArg(pc); > filename = poptGetArg(pc); > >- if (!function || !inout) { >+ if (!format || !type) { > poptPrintUsage(pc, stderr, 0); > show_functions(p); > exit(1); > } > >- f = find_function(p, function); >- >- if (strcmp(inout, "in") == 0 || >- strcmp(inout, "request") == 0) { >- flags |= NDR_IN; >- } else if (strcmp(inout, "out") == 0 || >- strcmp(inout, "response") == 0) { >- flags |= NDR_OUT; >+ if (strcmp(type, "struct") == 0) { >+ flags = 0; /* neither NDR_IN nor NDR_OUT */ >+ f = find_struct(p, format, &f_buffer); > } else { >- printf("Bad inout value '%s'\n", inout); >- exit(1); >+ f = find_function(p, format); >+ if (strcmp(type, "in") == 0 || >+ strcmp(type, "request") == 0) { >+ flags |= NDR_IN; >+ } else if (strcmp(type, "out") == 0 || >+ strcmp(type, "response") == 0) { >+ flags |= NDR_OUT; >+ } else { >+ printf("Bad type value '%s'\n", type); >+ exit(1); >+ } > } > >+ > mem_ctx = talloc_init("ndrdump"); > > st = talloc_zero_size(mem_ctx, f->struct_size); >@@ -442,7 +494,10 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) > TALLOC_FREE(sec_vt); > > if (flags & NDR_OUT) { >- status = ndrdump_pull_and_print_pipes(function, ndr_pull, ndr_print, &f->out_pipes); >+ status = ndrdump_pull_and_print_pipes(format, >+ ndr_pull, >+ ndr_print, >+ &f->out_pipes); > if (!NT_STATUS_IS_OK(status)) { > printf("dump FAILED\n"); > exit(1); >@@ -472,7 +527,7 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) > ndrdump_data(blob.data, blob.length, dumpdata); > } > >- f->ndr_print(ndr_print, function, flags, st); >+ f->ndr_print(ndr_print, format, flags, st); > > if (!NT_STATUS_IS_OK(status)) { > printf("dump FAILED\n"); 
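Review bot: In the `struct` branch of the first hunk `flags` is set to 0, and that value is what later reaches `f->ndr_print(ndr_print, format, flags, st)` (third hunk on this line) and, presumably, the `ndr_pull` call outside these hunks. For a structure, the flags argument of a generated pull function normally selects which parts are processed (NDR_SCALARS, NDR_BUFFERS); if that holds for the functions stored in `public_structs`, a value of 0 would parse nothing, whereas `flags = NDR_SCALARS|NDR_BUFFERS;` would still be neither NDR_IN nor NDR_OUT. Separately, `find_function(p, format)` runs before `type` is validated, so a mistyped third argument combined with a structure name is presumably reported as an unknown function; checking `type` first gives the more useful message. The enclosing function starts and ends outside the hunk.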
>@@ -480,7 +535,10 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) > } > > if (flags & NDR_IN) { >- status = ndrdump_pull_and_print_pipes(function, ndr_pull, ndr_print, &f->in_pipes); >+ status = ndrdump_pull_and_print_pipes(format, >+ ndr_pull, >+ ndr_print, >+ &f->in_pipes); > if (!NT_STATUS_IS_OK(status)) { > printf("dump FAILED\n"); > exit(1); >@@ -554,7 +612,9 @@ static void ndr_print_dummy(struct ndr_print *ndr, const char *format, ...) > ndr_v_print = talloc_zero(mem_ctx, struct ndr_print); > ndr_v_print->print = ndr_print_debug_helper; > ndr_v_print->depth = 1; >- f->ndr_print(ndr_v_print, function, flags, v_st); >+ f->ndr_print(ndr_v_print, >+ format, >+ flags, v_st); > > if (blob.length != v_blob.length) { > printf("WARNING! orig bytes:%llu validated pushed bytes:%llu\n", >diff --git a/selftest/knownfail.d/ndrdump b/selftest/knownfail.d/ndrdump >deleted file mode 100644 >index 9f7335f5d0b..00000000000 >--- a/selftest/knownfail.d/ndrdump >+++ /dev/null >@@ -1 +0,0 @@ >-^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_with_hex_struct_name\(none\) >-- >2.25.1 > > >From 4a8eeffaf9e1a01e340d0c80070ad49b4a26022c Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Sat, 15 Feb 2020 18:33:33 +0100 >Subject: [PATCH 019/686] python/tests/krb5: add crypto.py from greghudson/pyk5 > as kcrypto.py > >This is crypto.py of commit f0612aa908062fb239d1c3873595e7204ae1691d >from https://github.com/greghudson/pyk5.git > >This will be used in order to do raw protocol testing against >[MS-KILE] KDCs. > >Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> > >Signed-off-by: Isaac Boukris <iboukris@samba.org> 
>Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 679bb52c957dafcec96ff37f87d8c3496996b909) >--- > python/samba/tests/krb5/kcrypto.py | 713 +++++++++++++++++++++++++++++ > python/samba/tests/source.py | 6 + > python/samba/tests/usage.py | 4 +- > 3 files changed, 722 insertions(+), 1 deletion(-) > create mode 100644 python/samba/tests/krb5/kcrypto.py > >diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py >new file mode 100644 >index 00000000000..18c0f71c24c >--- /dev/null >+++ b/python/samba/tests/krb5/kcrypto.py 
>@@ -0,0 +1,713 @@ >+# Copyright (C) 2013 by the Massachusetts Institute of Technology. >+# All rights reserved. >+# >+# Redistribution and use in source and binary forms, with or without >+# modification, are permitted provided that the following conditions >+# are met: >+# >+# * Redistributions of source code must retain the above copyright >+# notice, this list of conditions and the following disclaimer. >+# >+# * Redistributions in binary form must reproduce the above copyright >+# notice, this list of conditions and the following disclaimer in >+# the documentation and/or other materials provided with the >+# distribution. >+# >+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS >+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT >+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS >+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE >+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, >+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES >+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR >+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) >+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, >+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) >+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED >+# OF THE POSSIBILITY OF SUCH DAMAGE. 
>+ >+# XXX current status: >+# * Done and tested >+# - AES encryption, checksum, string2key, prf >+# - cf2 (needed for FAST) >+# * Still to do: >+# - DES enctypes and cksumtypes >+# - RC4 exported enctype (if we need it for anything) >+# - Unkeyed checksums >+# - Special RC4, raw DES/DES3 operations for GSSAPI >+# * Difficult or low priority: >+# - Camellia not supported by PyCrypto >+# - Cipher state only needed for kcmd suite >+# - Nonstandard enctypes and cksumtypes like des-hmac-sha1 >+ >+from math import gcd >+from functools import reduce >+from struct import pack, unpack >+from Crypto.Cipher import AES, DES3, ARC4 >+from Crypto.Hash import HMAC, MD4, MD5, SHA >+from Crypto.Protocol.KDF import PBKDF2 >+from Crypto.Random import get_random_bytes >+ >+ >+class Enctype(object): >+ DES_CRC = 1 >+ DES_MD4 = 2 >+ DES_MD5 = 3 >+ DES3 = 16 >+ AES128 = 17 >+ AES256 = 18 >+ RC4 = 23 >+ >+ >+class Cksumtype(object): >+ CRC32 = 1 >+ MD4 = 2 >+ MD4_DES = 3 >+ MD5 = 7 >+ MD5_DES = 8 >+ SHA1 = 9 >+ SHA1_DES3 = 12 >+ SHA1_AES128 = 15 >+ SHA1_AES256 = 16 >+ HMAC_MD5 = -138 >+ >+ >+class InvalidChecksum(ValueError): >+ pass >+ >+ >+def _zeropad(s, padsize): >+ # Return s padded with 0 bytes to a multiple of padsize. >+ padlen = (padsize - (len(s) % padsize)) % padsize >+ return s + bytes(padlen) >+ >+ >+def _xorbytes(b1, b2): >+ # xor two strings together and return the resulting string. >+ assert len(b1) == len(b2) >+ return bytes([x ^ y for x, y in zip(b1, b2)]) >+ >+ >+def _mac_equal(mac1, mac2): >+ # Constant-time comparison function. (We can't use HMAC.verify >+ # since we use truncated macs.) >+ assert len(mac1) == len(mac2) >+ res = 0 >+ for x, y in zip(mac1, mac2): >+ res |= x ^ y >+ return res == 0 >+ >+ >+def _nfold(str, nbytes): >+ # Convert str to a string of length nbytes using the RFC 3961 nfold >+ # operation. >+ >+ # Rotate the bytes in str to the right by nbits bits. 
>+ def rotate_right(str, nbits): >+ nbytes, remain = (nbits//8) % len(str), nbits % 8 >+ return bytes([(str[i-nbytes] >> remain) | >+ (str[i-nbytes-1] << (8-remain) & 0xff) >+ for i in range(len(str))]) >+ >+ # Add equal-length strings together with end-around carry. >+ def add_ones_complement(str1, str2): >+ n = len(str1) >+ v = [a + b for a, b in zip(str1, str2)] >+ # Propagate carry bits to the left until there aren't any left. >+ while any(x & ~0xff for x in v): >+ v = [(v[i-n+1]>>8) + (v[i]&0xff) for i in range(n)] >+ return bytes([x for x in v]) >+ >+ # Concatenate copies of str to produce the least common multiple >+ # of len(str) and nbytes, rotating each copy of str to the right >+ # by 13 bits times its list position. Decompose the concatenation >+ # into slices of length nbytes, and add them together as >+ # big-endian ones' complement integers. >+ slen = len(str) >+ lcm = nbytes * slen // gcd(nbytes, slen) >+ bigstr = b''.join((rotate_right(str, 13 * i) for i in range(lcm // slen))) >+ slices = (bigstr[p:p+nbytes] for p in range(0, lcm, nbytes)) >+ return reduce(add_ones_complement, slices) >+ >+ >+def _is_weak_des_key(keybytes): >+ return keybytes in (b'\x01\x01\x01\x01\x01\x01\x01\x01', >+ b'\xFE\xFE\xFE\xFE\xFE\xFE\xFE\xFE', >+ b'\x1F\x1F\x1F\x1F\x0E\x0E\x0E\x0E', >+ b'\xE0\xE0\xE0\xE0\xF1\xF1\xF1\xF1', >+ b'\x01\xFE\x01\xFE\x01\xFE\x01\xFE', >+ b'\xFE\x01\xFE\x01\xFE\x01\xFE\x01', >+ b'\x1F\xE0\x1F\xE0\x0E\xF1\x0E\xF1', >+ b'\xE0\x1F\xE0\x1F\xF1\x0E\xF1\x0E', >+ b'\x01\xE0\x01\xE0\x01\xF1\x01\xF1', >+ b'\xE0\x01\xE0\x01\xF1\x01\xF1\x01', >+ b'\x1F\xFE\x1F\xFE\x0E\xFE\x0E\xFE', >+ b'\xFE\x1F\xFE\x1F\xFE\x0E\xFE\x0E', >+ b'\x01\x1F\x01\x1F\x01\x0E\x01\x0E', >+ b'\x1F\x01\x1F\x01\x0E\x01\x0E\x01', >+ b'\xE0\xFE\xE0\xFE\xF1\xFE\xF1\xFE', >+ b'\xFE\xE0\xFE\xE0\xFE\xF1\xFE\xF1') >+ >+ >+class _EnctypeProfile(object): >+ # Base class for enctype profiles. 
Usable enctype classes must define: >+ # * enctype: enctype number >+ # * keysize: protocol size of key in bytes >+ # * seedsize: random_to_key input size in bytes >+ # * random_to_key (if the keyspace is not dense) >+ # * string_to_key >+ # * encrypt >+ # * decrypt >+ # * prf >+ >+ @classmethod >+ def random_to_key(cls, seed): >+ if len(seed) != cls.seedsize: >+ raise ValueError('Wrong seed length') >+ return Key(cls.enctype, seed) >+ >+ >+class _SimplifiedEnctype(_EnctypeProfile): >+ # Base class for enctypes using the RFC 3961 simplified profile. >+ # Defines the encrypt, decrypt, and prf methods. Subclasses must >+ # define: >+ # * blocksize: Underlying cipher block size in bytes >+ # * padsize: Underlying cipher padding multiple (1 or blocksize) >+ # * macsize: Size of integrity MAC in bytes >+ # * hashmod: PyCrypto hash module for underlying hash function >+ # * basic_encrypt, basic_decrypt: Underlying CBC/CTS cipher >+ >+ @classmethod >+ def derive(cls, key, constant): >+ # RFC 3961 only says to n-fold the constant only if it is >+ # shorter than the cipher block size. But all Unix >+ # implementations n-fold constants if their length is larger >+ # than the block size as well, and n-folding when the length >+ # is equal to the block size is a no-op. 
>+ plaintext = _nfold(constant, cls.blocksize) >+ rndseed = b'' >+ while len(rndseed) < cls.seedsize: >+ ciphertext = cls.basic_encrypt(key, plaintext) >+ rndseed += ciphertext >+ plaintext = ciphertext >+ return cls.random_to_key(rndseed[0:cls.seedsize]) >+ >+ @classmethod >+ def encrypt(cls, key, keyusage, plaintext, confounder): >+ ki = cls.derive(key, pack('>iB', keyusage, 0x55)) >+ ke = cls.derive(key, pack('>iB', keyusage, 0xAA)) >+ if confounder is None: >+ confounder = get_random_bytes(cls.blocksize) >+ basic_plaintext = confounder + _zeropad(plaintext, cls.padsize) >+ hmac = HMAC.new(ki.contents, basic_plaintext, cls.hashmod).digest() >+ return cls.basic_encrypt(ke, basic_plaintext) + hmac[:cls.macsize] >+ >+ @classmethod >+ def decrypt(cls, key, keyusage, ciphertext): >+ ki = cls.derive(key, pack('>iB', keyusage, 0x55)) >+ ke = cls.derive(key, pack('>iB', keyusage, 0xAA)) >+ if len(ciphertext) < cls.blocksize + cls.macsize: >+ raise ValueError('ciphertext too short') >+ basic_ctext, mac = ciphertext[:-cls.macsize], ciphertext[-cls.macsize:] >+ if len(basic_ctext) % cls.padsize != 0: >+ raise ValueError('ciphertext does not meet padding requirement') >+ basic_plaintext = cls.basic_decrypt(ke, basic_ctext) >+ hmac = HMAC.new(ki.contents, basic_plaintext, cls.hashmod).digest() >+ expmac = hmac[:cls.macsize] >+ if not _mac_equal(mac, expmac): >+ raise InvalidChecksum('ciphertext integrity failure') >+ # Discard the confounder. >+ return basic_plaintext[cls.blocksize:] >+ >+ @classmethod >+ def prf(cls, key, string): >+ # Hash the input. RFC 3961 says to truncate to the padding >+ # size, but implementations truncate to the block size. >+ hashval = cls.hashmod.new(string).digest() >+ truncated = hashval[:-(len(hashval) % cls.blocksize)] >+ # Encrypt the hash with a derived key. 
>+ kp = cls.derive(key, b'prf') >+ return cls.basic_encrypt(kp, truncated) >+ >+ >+class _DES3CBC(_SimplifiedEnctype): >+ enctype = Enctype.DES3 >+ keysize = 24 >+ seedsize = 21 >+ blocksize = 8 >+ padsize = 8 >+ macsize = 20 >+ hashmod = SHA >+ >+ @classmethod >+ def random_to_key(cls, seed): >+ # XXX Maybe reframe as _DESEnctype.random_to_key and use that >+ # way from DES3 random-to-key when DES is implemented, since >+ # MIT does this instead of the RFC 3961 random-to-key. >+ def expand(seed): >+ def parity(b): >+ # Return b with the low-order bit set to yield odd parity. >+ b &= ~1 >+ return b if bin(b & ~1).count('1') % 2 else b | 1 >+ assert len(seed) == 7 >+ firstbytes = [parity(b & ~1) for b in seed] >+ lastbyte = parity(sum((seed[i]&1) << i+1 for i in range(7))) >+ keybytes = bytes([b for b in firstbytes + [lastbyte]]) >+ if _is_weak_des_key(keybytes): >+ keybytes[7] = bytes([keybytes[7] ^ 0xF0]) >+ return keybytes >+ >+ if len(seed) != 21: >+ raise ValueError('Wrong seed length') >+ k1, k2, k3 = expand(seed[:7]), expand(seed[7:14]), expand(seed[14:]) >+ return Key(cls.enctype, k1 + k2 + k3) >+ >+ @classmethod >+ def string_to_key(cls, string, salt, params): >+ if params is not None and params != b'': >+ raise ValueError('Invalid DES3 string-to-key parameters') >+ k = cls.random_to_key(_nfold(string + salt, 21)) >+ return cls.derive(k, b'kerberos') >+ >+ @classmethod >+ def basic_encrypt(cls, key, plaintext): >+ assert len(plaintext) % 8 == 0 >+ des3 = DES3.new(key.contents, AES.MODE_CBC, bytes(8)) >+ return des3.encrypt(plaintext) >+ >+ @classmethod >+ def basic_decrypt(cls, key, ciphertext): >+ assert len(ciphertext) % 8 == 0 >+ des3 = DES3.new(key.contents, AES.MODE_CBC, bytes(8)) >+ return des3.decrypt(ciphertext) >+ >+ >+class _AESEnctype(_SimplifiedEnctype): >+ # Base class for aes128-cts and aes256-cts. 
>+ blocksize = 16 >+ padsize = 1 >+ macsize = 12 >+ hashmod = SHA >+ >+ @classmethod >+ def string_to_key(cls, string, salt, params): >+ (iterations,) = unpack('>L', params or b'\x00\x00\x10\x00') >+ prf = lambda p, s: HMAC.new(p, s, SHA).digest() >+ seed = PBKDF2(string, salt, cls.seedsize, iterations, prf) >+ tkey = cls.random_to_key(seed) >+ return cls.derive(tkey, b'kerberos') >+ >+ @classmethod >+ def basic_encrypt(cls, key, plaintext): >+ assert len(plaintext) >= 16 >+ aes = AES.new(key.contents, AES.MODE_CBC, bytes(16)) >+ ctext = aes.encrypt(_zeropad(plaintext, 16)) >+ if len(plaintext) > 16: >+ # Swap the last two ciphertext blocks and truncate the >+ # final block to match the plaintext length. >+ lastlen = len(plaintext) % 16 or 16 >+ ctext = ctext[:-32] + ctext[-16:] + ctext[-32:-16][:lastlen] >+ return ctext >+ >+ @classmethod >+ def basic_decrypt(cls, key, ciphertext): >+ assert len(ciphertext) >= 16 >+ aes = AES.new(key.contents, AES.MODE_ECB) >+ if len(ciphertext) == 16: >+ return aes.decrypt(ciphertext) >+ # Split the ciphertext into blocks. The last block may be partial. >+ cblocks = [ciphertext[p:p+16] for p in range(0, len(ciphertext), 16)] >+ lastlen = len(cblocks[-1]) >+ # CBC-decrypt all but the last two blocks. >+ prev_cblock = bytes(16) >+ plaintext = b'' >+ for b in cblocks[:-2]: >+ plaintext += _xorbytes(aes.decrypt(b), prev_cblock) >+ prev_cblock = b >+ # Decrypt the second-to-last cipher block. The left side of >+ # the decrypted block will be the final block of plaintext >+ # xor'd with the final partial cipher block; the right side >+ # will be the omitted bytes of ciphertext from the final >+ # block. >+ b = aes.decrypt(cblocks[-2]) >+ lastplaintext =_xorbytes(b[:lastlen], cblocks[-1]) >+ omitted = b[lastlen:] >+ # Decrypt the final cipher block plus the omitted bytes to get >+ # the second-to-last plaintext block. 
>+ plaintext += _xorbytes(aes.decrypt(cblocks[-1] + omitted), prev_cblock) >+ return plaintext + lastplaintext >+ >+ >+class _AES128CTS(_AESEnctype): >+ enctype = Enctype.AES128 >+ keysize = 16 >+ seedsize = 16 >+ >+ >+class _AES256CTS(_AESEnctype): >+ enctype = Enctype.AES256 >+ keysize = 32 >+ seedsize = 32 >+ >+ >+class _RC4(_EnctypeProfile): >+ enctype = Enctype.RC4 >+ keysize = 16 >+ seedsize = 16 >+ >+ @staticmethod >+ def usage_str(keyusage): >+ # Return a four-byte string for an RFC 3961 keyusage, using >+ # the RFC 4757 rules. Per the errata, do not map 9 to 8. >+ table = {3: 8, 23: 13} >+ msusage = table[keyusage] if keyusage in table else keyusage >+ return pack('<i', msusage) >+ >+ @classmethod >+ def string_to_key(cls, string, salt, params): >+ utf16string = string.decode('UTF-8').encode('UTF-16LE') >+ return Key(cls.enctype, MD4.new(utf16string).digest()) >+ >+ @classmethod >+ def encrypt(cls, key, keyusage, plaintext, confounder): >+ if confounder is None: >+ confounder = get_random_bytes(8) >+ ki = HMAC.new(key.contents, cls.usage_str(keyusage), MD5).digest() >+ cksum = HMAC.new(ki, confounder + plaintext, MD5).digest() >+ ke = HMAC.new(ki, cksum, MD5).digest() >+ return cksum + ARC4.new(ke).encrypt(confounder + plaintext) >+ >+ @classmethod >+ def decrypt(cls, key, keyusage, ciphertext): >+ if len(ciphertext) < 24: >+ raise ValueError('ciphertext too short') >+ cksum, basic_ctext = ciphertext[:16], ciphertext[16:] >+ ki = HMAC.new(key.contents, cls.usage_str(keyusage), MD5).digest() >+ ke = HMAC.new(ki, cksum, MD5).digest() >+ basic_plaintext = ARC4.new(ke).decrypt(basic_ctext) >+ exp_cksum = HMAC.new(ki, basic_plaintext, MD5).digest() >+ ok = _mac_equal(cksum, exp_cksum) >+ if not ok and keyusage == 9: >+ # Try again with usage 8, due to RFC 4757 errata. 
>+ ki = HMAC.new(key.contents, pack('<i', 8), MD5).digest() >+ exp_cksum = HMAC.new(ki, basic_plaintext, MD5).digest() >+ ok = _mac_equal(cksum, exp_cksum) >+ if not ok: >+ raise InvalidChecksum('ciphertext integrity failure') >+ # Discard the confounder. >+ return basic_plaintext[8:] >+ >+ @classmethod >+ def prf(cls, key, string): >+ return HMAC.new(key.contents, string, SHA).digest() >+ >+ >+class _ChecksumProfile(object): >+ # Base class for checksum profiles. Usable checksum classes must >+ # define: >+ # * checksum >+ # * verify (if verification is not just checksum-and-compare) >+ @classmethod >+ def verify(cls, key, keyusage, text, cksum): >+ expected = cls.checksum(key, keyusage, text) >+ if not _mac_equal(cksum, expected): >+ raise InvalidChecksum('checksum verification failure') >+ >+ >+class _SimplifiedChecksum(_ChecksumProfile): >+ # Base class for checksums using the RFC 3961 simplified profile. >+ # Defines the checksum and verify methods. Subclasses must >+ # define: >+ # * macsize: Size of checksum in bytes >+ # * enc: Profile of associated enctype >+ >+ @classmethod >+ def checksum(cls, key, keyusage, text): >+ kc = cls.enc.derive(key, pack('>iB', keyusage, 0x99)) >+ hmac = HMAC.new(kc.contents, text, cls.enc.hashmod).digest() >+ return hmac[:cls.macsize] >+ >+ @classmethod >+ def verify(cls, key, keyusage, text, cksum): >+ if key.enctype != cls.enc.enctype: >+ raise ValueError('Wrong key type for checksum') >+ super(_SimplifiedChecksum, cls).verify(key, keyusage, text, cksum) >+ >+ >+class _SHA1AES128(_SimplifiedChecksum): >+ macsize = 12 >+ enc = _AES128CTS >+ >+ >+class _SHA1AES256(_SimplifiedChecksum): >+ macsize = 12 >+ enc = _AES256CTS >+ >+ >+class _SHA1DES3(_SimplifiedChecksum): >+ macsize = 20 >+ enc = _DES3CBC >+ >+ >+class _HMACMD5(_ChecksumProfile): >+ @classmethod >+ def checksum(cls, key, keyusage, text): >+ ksign = HMAC.new(key.contents, b'signaturekey\0', MD5).digest() >+ md5hash = MD5.new(_RC4.usage_str(keyusage) + text).digest() 
>+ return HMAC.new(ksign, md5hash, MD5).digest() >+ >+ @classmethod >+ def verify(cls, key, keyusage, text, cksum): >+ if key.enctype != Enctype.RC4: >+ raise ValueError('Wrong key type for checksum') >+ super(_HMACMD5, cls).verify(key, keyusage, text, cksum) >+ >+ >+_enctype_table = { >+ Enctype.DES3: _DES3CBC, >+ Enctype.AES128: _AES128CTS, >+ Enctype.AES256: _AES256CTS, >+ Enctype.RC4: _RC4 >+} >+ >+ >+_checksum_table = { >+ Cksumtype.SHA1_DES3: _SHA1DES3, >+ Cksumtype.SHA1_AES128: _SHA1AES128, >+ Cksumtype.SHA1_AES256: _SHA1AES256, >+ Cksumtype.HMAC_MD5: _HMACMD5 >+} >+ >+ >+def _get_enctype_profile(enctype): >+ if enctype not in _enctype_table: >+ raise ValueError('Invalid enctype %d' % enctype) >+ return _enctype_table[enctype] >+ >+ >+def _get_checksum_profile(cksumtype): >+ if cksumtype not in _checksum_table: >+ raise ValueError('Invalid cksumtype %d' % cksumtype) >+ return _checksum_table[cksumtype] >+ >+ >+class Key(object): >+ def __init__(self, enctype, contents): >+ e = _get_enctype_profile(enctype) >+ if len(contents) != e.keysize: >+ raise ValueError('Wrong key length') >+ self.enctype = enctype >+ self.contents = contents >+ >+ >+def seedsize(enctype): >+ e = _get_enctype_profile(enctype) >+ return e.seedsize >+ >+ >+def random_to_key(enctype, seed): >+ e = _get_enctype_profile(enctype) >+ if len(seed) != e.seedsize: >+ raise ValueError('Wrong crypto seed length') >+ return e.random_to_key(seed) >+ >+ >+def string_to_key(enctype, string, salt, params=None): >+ e = _get_enctype_profile(enctype) >+ return e.string_to_key(string, salt, params) >+ >+ >+def encrypt(key, keyusage, plaintext, confounder=None): >+ e = _get_enctype_profile(key.enctype) >+ return e.encrypt(key, keyusage, plaintext, confounder) >+ >+ >+def decrypt(key, keyusage, ciphertext): >+ # Throw InvalidChecksum on checksum failure. Throw ValueError on >+ # invalid key enctype or malformed ciphertext. 
>+ e = _get_enctype_profile(key.enctype) >+ return e.decrypt(key, keyusage, ciphertext) >+ >+ >+def prf(key, string): >+ e = _get_enctype_profile(key.enctype) >+ return e.prf(key, string) >+ >+ >+def make_checksum(cksumtype, key, keyusage, text): >+ c = _get_checksum_profile(cksumtype) >+ return c.checksum(key, keyusage, text) >+ >+ >+def verify_checksum(cksumtype, key, keyusage, text, cksum): >+ # Throw InvalidChecksum exception on checksum failure. Throw >+ # ValueError on invalid cksumtype, invalid key enctype, or >+ # malformed checksum. >+ c = _get_checksum_profile(cksumtype) >+ c.verify(key, keyusage, text, cksum) >+ >+ >+def prfplus(key, pepper, l): >+ # Produce l bytes of output using the RFC 6113 PRF+ function. >+ out = b'' >+ count = 1 >+ while len(out) < l: >+ out += prf(key, bytes([count]) + pepper) >+ count += 1 >+ return out[:l] >+ >+ >+def cf2(enctype, key1, key2, pepper1, pepper2): >+ # Combine two keys and two pepper strings to produce a result key >+ # of type enctype, using the RFC 6113 KRB-FX-CF2 function. 
>+ e = _get_enctype_profile(enctype) >+ return e.random_to_key(_xorbytes(prfplus(key1, pepper1, e.seedsize), >+ prfplus(key2, pepper2, e.seedsize))) >+ >+ >+if __name__ == '__main__': >+ def h(hexstr): >+ return bytes.fromhex(hexstr) >+ >+ # AES128 encrypt and decrypt >+ kb = h('9062430C8CDA3388922E6D6A509F5B7A') >+ conf = h('94B491F481485B9A0678CD3C4EA386AD') >+ keyusage = 2 >+ plain = b'9 bytesss' >+ ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7CD2E' >+ 'C26C355D2F') >+ k = Key(Enctype.AES128, kb) >+ assert(encrypt(k, keyusage, plain, conf) == ctxt) >+ assert(decrypt(k, keyusage, ctxt) == plain) >+ >+ # AES256 encrypt and decrypt >+ kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B1404231398') >+ conf = h('E45CA518B42E266AD98E165E706FFB60') >+ keyusage = 4 >+ plain = b'30 bytes bytes bytes bytes byt' >+ ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3D79A' >+ '295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') >+ k = Key(Enctype.AES256, kb) >+ assert(encrypt(k, keyusage, plain, conf) == ctxt) >+ assert(decrypt(k, keyusage, ctxt) == plain) >+ >+ # AES128 checksum >+ kb = h('9062430C8CDA3388922E6D6A509F5B7A') >+ keyusage = 3 >+ plain = b'eight nine ten eleven twelve thirteen' >+ cksum = h('01A4B088D45628F6946614E3') >+ k = Key(Enctype.AES128, kb) >+ verify_checksum(Cksumtype.SHA1_AES128, k, keyusage, plain, cksum) >+ >+ # AES256 checksum >+ kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBCFEA4EC76D7') >+ keyusage = 4 >+ plain = b'fourteen' >+ cksum = h('E08739E3279E2903EC8E3836') >+ k = Key(Enctype.AES256, kb) >+ verify_checksum(Cksumtype.SHA1_AES256, k, keyusage, plain, cksum) >+ >+ # AES128 string-to-key >+ string = b'password' >+ salt = b'ATHENA.MIT.EDUraeburn' >+ params = h('00000002') >+ kb = h('C651BF29E2300AC27FA469D693BDDA13') >+ k = string_to_key(Enctype.AES128, string, salt, params) >+ assert(k.contents == kb) >+ >+ # AES256 string-to-key >+ string = b'X' * 64 >+ salt = b'pass 
phrase equals block size' >+ params = h('000004B0') >+ kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56C553BA4B34') >+ k = string_to_key(Enctype.AES256, string, salt, params) >+ assert(k.contents == kb) >+ >+ # AES128 prf >+ kb = h('77B39A37A868920F2A51F9DD150C5717') >+ k = string_to_key(Enctype.AES128, b'key1', b'key1') >+ assert(prf(k, b'\x01\x61') == kb) >+ >+ # AES256 prf >+ kb = h('0D674DD0F9A6806525A4D92E828BD15A') >+ k = string_to_key(Enctype.AES256, b'key2', b'key2') >+ assert(prf(k, b'\x02\x62') == kb) >+ >+ # AES128 cf2 >+ kb = h('97DF97E4B798B29EB31ED7280287A92A') >+ k1 = string_to_key(Enctype.AES128, b'key1', b'key1') >+ k2 = string_to_key(Enctype.AES128, b'key2', b'key2') >+ k = cf2(Enctype.AES128, k1, k2, b'a', b'b') >+ assert(k.contents == kb) >+ >+ # AES256 cf2 >+ kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5E72B1C7B') >+ k1 = string_to_key(Enctype.AES256, b'key1', b'key1') >+ k2 = string_to_key(Enctype.AES256, b'key2', b'key2') >+ k = cf2(Enctype.AES256, k1, k2, b'a', b'b') >+ assert(k.contents == kb) >+ >+ # DES3 encrypt and decrypt >+ kb = h('0DD52094E0F41CECCB5BE510A764B35176E3981332F1E598') >+ conf = h('94690A17B2DA3C9B') >+ keyusage = 3 >+ plain = b'13 bytes byte' >+ ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F705E8' >+ '49CB7781D76A316B193F8D30') >+ k = Key(Enctype.DES3, kb) >+ assert(encrypt(k, keyusage, plain, conf) == ctxt) >+ assert(decrypt(k, keyusage, ctxt) == _zeropad(plain, 8)) >+ >+ # DES3 string-to-key >+ string = b'password' >+ salt = b'ATHENA.MIT.EDUraeburn' >+ kb = h('850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E') >+ k = string_to_key(Enctype.DES3, string, salt) >+ assert(k.contents == kb) >+ >+ # DES3 checksum >+ kb = h('7A25DF8992296DCEDA0E135BC4046E2375B3C14C98FBC162') >+ keyusage = 2 >+ plain = b'six seven' >+ cksum = h('0EEFC9C3E049AABC1BA5C401677D9AB699082BB4') >+ k = Key(Enctype.DES3, kb) >+ verify_checksum(Cksumtype.SHA1_DES3, k, keyusage, plain, cksum) >+ >+ # 
DES3 cf2 >+ kb = h('E58F9EB643862C13AD38E529313462A7F73E62834FE54A01') >+ k1 = string_to_key(Enctype.DES3, b'key1', b'key1') >+ k2 = string_to_key(Enctype.DES3, b'key2', b'key2') >+ k = cf2(Enctype.DES3, k1, k2, b'a', b'b') >+ assert(k.contents == kb) >+ >+ # RC4 encrypt and decrypt >+ kb = h('68F263DB3FCE15D031C9EAB02D67107A') >+ conf = h('37245E73A45FBF72') >+ keyusage = 4 >+ plain = b'30 bytes bytes bytes bytes byt' >+ ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0F260' >+ 'A99F0460508DE0CECC632D07C354124E46C5D2234EB8') >+ k = Key(Enctype.RC4, kb) >+ assert(encrypt(k, keyusage, plain, conf) == ctxt) >+ assert(decrypt(k, keyusage, ctxt) == plain) >+ >+ # RC4 string-to-key >+ string = b'foo' >+ kb = h('AC8E657F83DF82BEEA5D43BDAF7800CC') >+ k = string_to_key(Enctype.RC4, string, None) >+ assert(k.contents == kb) >+ >+ # RC4 checksum >+ kb = h('F7D3A155AF5E238A0B7A871A96BA2AB2') >+ keyusage = 6 >+ plain = b'seventeen eighteen nineteen twenty' >+ cksum = h('EB38CC97E2230F59DA4117DC5859D7EC') >+ k = Key(Enctype.RC4, kb) >+ verify_checksum(Cksumtype.HMAC_MD5, k, keyusage, plain, cksum) >+ >+ # RC4 cf2 >+ kb = h('24D7F6B6BAE4E5C00D2082C5EBAB3672') >+ k1 = string_to_key(Enctype.RC4, b'key1', b'key1') >+ k2 = string_to_key(Enctype.RC4, b'key2', b'key2') >+ k = cf2(Enctype.RC4, k1, k2, b'a', b'b') >+ assert(k.contents == kb) >diff --git a/python/samba/tests/source.py b/python/samba/tests/source.py >index 4bb652c4204..b7608b1bab3 100644 >--- a/python/samba/tests/source.py >+++ b/python/samba/tests/source.py >@@ -90,6 +90,9 @@ class TestSource(TestCase): > if "wafsamba" in fname: > # FIXME: No copyright headers in wafsamba > continue >+ if fname.endswith("python/samba/tests/krb5/kcrypto.py"): >+ # Imported from MIT testing repo >+ continue > match = copyright_re.search(text) > if not match: > incorrect.append((fname, 'no copyright line found\n')) 
>@@ -132,6 +135,9 @@ class TestSource(TestCase):
> # Imported from subunit/testtools, which are dual
> # Apache2/BSD-3.
> continue
>+ if fname.endswith("python/samba/tests/krb5/kcrypto.py"):
>+ # Imported from MIT testing repo
>+ continue
> if not gpl_re.search(text):
> incorrect.append(fname)
>
>diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
>index 30c083076ff..cebc54461b9 100644
>--- a/python/samba/tests/usage.py
>+++ b/python/samba/tests/usage.py
>@@ -82,7 +82,8 @@ EXCLUDE_USAGE = {
> 'selftest/tests.py',
> 'python/samba/subunit/run.py',
> 'bin/python/samba/subunit/run.py',
>- 'python/samba/tests/dcerpc/raw_protocol.py'
>+ 'python/samba/tests/dcerpc/raw_protocol.py',
>+ 'python/samba/tests/krb5/kcrypto.py',
> }
>
>
>@@ -93,6 +94,7 @@ EXCLUDE_DIRS = {
> 'bin/ab',
> 'bin/python/samba/tests',
> 'bin/python/samba/tests/dcerpc',
>+ 'bin/python/samba/tests/krb5',
> }
>
>
>--
>2.25.1
>
>
>From 1e463ef49a352d92486c0018e7b77b9009cb9988 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 20 Mar 2020 12:47:39 +0100
>Subject: [PATCH 020/686] python/tests/krb5: convert kcrypto.py to
> python3-cryptography and a few Samba helpers
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Isaac Boukris <iboukris@samba.org>
>(cherry picked from commit 8bdd37997686d4ca60584bdfda78440be8432405)
>---
> python/samba/tests/krb5/kcrypto.py | 460 +++++++++++++++++------------
> 1 file changed, 273 insertions(+), 187 deletions(-)
> mode change 100644 => 100755 python/samba/tests/krb5/kcrypto.py
>
>diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py
>old mode 100644
>new mode 100755
>index 18c0f71c24c..0907d881b68
>--- a/python/samba/tests/krb5/kcrypto.py
>+++ b/python/samba/tests/krb5/kcrypto.py
>@@ -1,3 +1,5 @@
>+#!/usr/bin/env python3
>+#
> # Copyright (C) 2013 by the Massachusetts Institute of Technology.
> # All rights reserved.
> #
>@@ -40,14 +42,26 @@
> # - Cipher state only needed for kcmd suite
> # - Nonstandard enctypes and cksumtypes like des-hmac-sha1
>
>+import sys
>+import os
>+
>+sys.path.insert(0, "bin/python")
>+os.environ["PYTHONUNBUFFERED"] = "1"
>+
> from math import gcd
> from functools import reduce
> from struct import pack, unpack
>-from Crypto.Cipher import AES, DES3, ARC4
>-from Crypto.Hash import HMAC, MD4, MD5, SHA
>-from Crypto.Protocol.KDF import PBKDF2
>-from Crypto.Random import get_random_bytes
>-
>+from cryptography.hazmat.primitives import hashes
>+from cryptography.hazmat.primitives import hmac
>+from cryptography.hazmat.primitives.ciphers import algorithms as ciphers
>+from cryptography.hazmat.primitives.ciphers import modes
>+from cryptography.hazmat.primitives.ciphers.base import Cipher
>+from cryptography.hazmat.backends import default_backend
>+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
>+from samba.tests import TestCase
>+from samba.credentials import Credentials
>+from samba import generate_random_bytes as get_random_bytes
>+from samba.compat import get_string, get_bytes
>
> class Enctype(object):
> DES_CRC = 1
>@@ -97,6 +111,15 @@ def _mac_equal(mac1, mac2):
> res |= x ^ y
> return res == 0
>
>+def SIMPLE_HASH(string, algo_cls):
>+ hash_ctx = hashes.Hash(algo_cls(), default_backend())
>+ hash_ctx.update(string)
>+ return hash_ctx.finalize()
>+
>+def HMAC_HASH(key, string, algo_cls):
>+ hmac_ctx = hmac.HMAC(key, algo_cls(), default_backend())
>+ hmac_ctx.update(string)
>+ return hmac_ctx.finalize()
>
> def _nfold(str, nbytes):
> # Convert str to a string of length nbytes using the RFC 3961 nfold
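Review bot: The two module-level lines `sys.path.insert(0, "bin/python")` and `os.environ["PYTHONUNBUFFERED"] = "1"` run on every import of kcrypto.py, not only when it is executed as a script, so any test that imports this module gets a relative directory pushed to the front of its import path. A relative entry resolves against the current working directory, which means a `bin/python` tree in whatever directory the process was started from would shadow the installed `samba` and `cryptography` packages. I would move both lines under the `if __name__ == "__main__":` guard that this commit adds at the end of the file, or build the path from `__file__` with `os.path.abspath`, and add a comment saying why the path is needed.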
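Review bot: `SIMPLE_HASH` and `HMAC_HASH` are upper-case public names in a module whose other helpers (`_mac_equal`, `_nfold`, `_zeropad`) are private and lower-case, and neither says that `algo_cls` is a hash class which the helper instantiates itself. I would name them `_simple_hash` / `_hmac_hash` and give each a one-line docstring, for example `"""Return the full-length HMAC of string under key, using algo_cls()."""`. Separately, the context shows `_mac_equal` kept as a hand-written comparison loop; now that the module depends on python3-cryptography, `constant_time.bytes_eq` from `cryptography.hazmat.primitives` would do the same job, though that function starts outside this hunk.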
>@@ -199,7 +222,7 @@ class _SimplifiedEnctype(_EnctypeProfile):
> if confounder is None:
> confounder = get_random_bytes(cls.blocksize)
> basic_plaintext = confounder + _zeropad(plaintext, cls.padsize)
>- hmac = HMAC.new(ki.contents, basic_plaintext, cls.hashmod).digest()
>+ hmac = HMAC_HASH(ki.contents, basic_plaintext, cls.hashalgo)
> return cls.basic_encrypt(ke, basic_plaintext) + hmac[:cls.macsize]
>
> @classmethod
>@@ -212,7 +235,7 @@ class _SimplifiedEnctype(_EnctypeProfile):
> if len(basic_ctext) % cls.padsize != 0:
> raise ValueError('ciphertext does not meet padding requirement')
> basic_plaintext = cls.basic_decrypt(ke, basic_ctext)
>- hmac = HMAC.new(ki.contents, basic_plaintext, cls.hashmod).digest()
>+ hmac = HMAC_HASH(ki.contents, basic_plaintext, cls.hashalgo)
> expmac = hmac[:cls.macsize]
> if not _mac_equal(mac, expmac):
> raise InvalidChecksum('ciphertext integrity failure')
>@@ -223,7 +246,7 @@ class _SimplifiedEnctype(_EnctypeProfile):
> def prf(cls, key, string):
> # Hash the input. RFC 3961 says to truncate to the padding
> # size, but implementations truncate to the block size.
>- hashval = cls.hashmod.new(string).digest()
>+ hashval = SIMPLE_HASH(string, cls.hashalgo)
> truncated = hashval[:-(len(hashval) % cls.blocksize)]
> # Encrypt the hash with a derived key.
> kp = cls.derive(key, b'prf')
>@@ -237,7 +260,7 @@ class _DES3CBC(_SimplifiedEnctype):
> blocksize = 8
> padsize = 8
> macsize = 20
>- hashmod = SHA
>+ hashalgo = hashes.SHA1
>
> @classmethod
> def random_to_key(cls, seed):
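Review bot: The local variable `hmac` in `encrypt` now shadows the `hmac` module that this commit imports from `cryptography.hazmat.primitives`; the same name is reused in the `@@ -212,7` hunk (`decrypt`) and in `_SimplifiedChecksum.checksum` in the `@@ -424,7` hunk. It works only because the module is reached through `HMAC_HASH` and never directly inside these methods, so a later edit that calls `hmac.HMAC(...)` here would be operating on a bytes object. Renaming the local removes the trap: `mac = HMAC_HASH(ki.contents, basic_plaintext, cls.hashalgo)` followed by `return cls.basic_encrypt(ke, basic_plaintext) + mac[:cls.macsize]`. The method bodies start outside these hunks.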
>@@ -272,14 +295,20 @@ class _DES3CBC(_SimplifiedEnctype):
> @classmethod
> def basic_encrypt(cls, key, plaintext):
> assert len(plaintext) % 8 == 0
>- des3 = DES3.new(key.contents, AES.MODE_CBC, bytes(8))
>- return des3.encrypt(plaintext)
>+ algo = ciphers.TripleDES(key.contents)
>+ cbc = modes.CBC(bytes(8))
>+ encryptor = Cipher(algo, cbc, default_backend()).encryptor()
>+ ciphertext = encryptor.update(plaintext)
>+ return ciphertext
>
> @classmethod
> def basic_decrypt(cls, key, ciphertext):
> assert len(ciphertext) % 8 == 0
>- des3 = DES3.new(key.contents, AES.MODE_CBC, bytes(8))
>- return des3.decrypt(ciphertext)
>+ algo = ciphers.TripleDES(key.contents)
>+ cbc = modes.CBC(bytes(8))
>+ decryptor = Cipher(algo, cbc, default_backend()).decryptor()
>+ plaintext = decryptor.update(ciphertext)
>+ return plaintext
>
>
> class _AESEnctype(_SimplifiedEnctype):
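Review bot: `basic_encrypt` and `basic_decrypt` return the output of `update()` alone and never call `finalize()`, so they are only correct when the input is an exact multiple of 8 bytes, and the sole guard for that is the `assert` in the context lines, which disappears when Python runs with `-O`. An unaligned input would then come back shorter than it went in instead of being rejected. I would make the check explicit, `if len(plaintext) % 8 != 0: raise ValueError('plaintext is not block aligned')`, and return `encryptor.update(plaintext) + encryptor.finalize()` so the library also gets the chance to report a bad length; the decrypt side needs the same. A comment that the all-zero IV is intentional (the confounder prepended by the caller appears to supply the randomness) would also help.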
>@@ -287,21 +316,35 @@ class _AESEnctype(_SimplifiedEnctype):
> blocksize = 16
> padsize = 1
> macsize = 12
>- hashmod = SHA
>+ hashalgo = hashes.SHA1
>
> @classmethod
> def string_to_key(cls, string, salt, params):
> (iterations,) = unpack('>L', params or b'\x00\x00\x10\x00')
>- prf = lambda p, s: HMAC.new(p, s, SHA).digest()
>- seed = PBKDF2(string, salt, cls.seedsize, iterations, prf)
>+ pwbytes = get_bytes(string)
>+ kdf = PBKDF2HMAC(algorithm=hashes.SHA1(),
>+ length=cls.seedsize,
>+ salt=salt,
>+ iterations=iterations,
>+ backend=default_backend())
>+ seed = kdf.derive(pwbytes)
> tkey = cls.random_to_key(seed)
> return cls.derive(tkey, b'kerberos')
>
> @classmethod
> def basic_encrypt(cls, key, plaintext):
> assert len(plaintext) >= 16
>- 	aes = AES.new(key.contents, AES.MODE_CBC, bytes(16))
>- ctext = aes.encrypt(_zeropad(plaintext, 16))
>+
>+ algo = ciphers.AES(key.contents)
>+ cbc = modes.CBC(bytes(16))
>+ aes_ctx = Cipher(algo, cbc, default_backend())
>+
>+ def aes_encrypt(plaintext):
>+ encryptor = aes_ctx.encryptor()
>+ ciphertext = encryptor.update(plaintext)
>+ return ciphertext
>+
>+ ctext = aes_encrypt(_zeropad(plaintext, 16))
> if len(plaintext) > 16:
> # Swap the last two ciphertext blocks and truncate the
> # final block to match the plaintext length.
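Review bot: `string_to_key` hands the iteration count unpacked from `params` straight to `PBKDF2HMAC` with no upper bound, so a caller that forwards string-to-key parameters received from a peer lets that peer choose any 32-bit number of SHA-1 iterations per derivation. Whether `params` is ever peer-supplied is not visible in this hunk; if it can be, a cap is cheap: `if iterations > MAX_S2K_ITERATIONS: raise ValueError('iteration count too large')`, where `MAX_S2K_ITERATIONS` is a placeholder name for a limit defined next to the enctype classes. Also, `string` is normalised with `get_bytes` while `salt` is passed through unchanged, so a `str` salt would presumably fail inside the KDF; converting both the same way would be consistent.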
>@@ -312,9 +355,18 @@ class _AESEnctype(_SimplifiedEnctype):
> @classmethod
> def basic_decrypt(cls, key, ciphertext):
> assert len(ciphertext) >= 16
>- aes = AES.new(key.contents, AES.MODE_ECB)
>+
>+ algo = ciphers.AES(key.contents)
>+ cbc = modes.CBC(bytes(16))
>+ aes_ctx = Cipher(algo, cbc, default_backend())
>+
>+ def aes_decrypt(ciphertext):
>+ decryptor = aes_ctx.decryptor()
>+ plaintext = decryptor.update(ciphertext)
>+ return plaintext
>+
> if len(ciphertext) == 16:
>- return aes.decrypt(ciphertext)
>+ return aes_decrypt(ciphertext)
> # Split the ciphertext into blocks. The last block may be partial.
> cblocks = [ciphertext[p:p+16] for p in range(0, len(ciphertext), 16)]
> lastlen = len(cblocks[-1])
>@@ -322,19 +374,19 @@ class _AESEnctype(_SimplifiedEnctype):
> prev_cblock = bytes(16)
> plaintext = b''
> for b in cblocks[:-2]:
>- plaintext += _xorbytes(aes.decrypt(b), prev_cblock)
>+ plaintext += _xorbytes(aes_decrypt(b), prev_cblock)
> prev_cblock = b
> # Decrypt the second-to-last cipher block. The left side of
> # the decrypted block will be the final block of plaintext
> # xor'd with the final partial cipher block; the right side
> # will be the omitted bytes of ciphertext from the final
> # block.
>- b = aes.decrypt(cblocks[-2])
>+ b = aes_decrypt(cblocks[-2])
> lastplaintext =_xorbytes(b[:lastlen], cblocks[-1])
> omitted = b[lastlen:]
> # Decrypt the final cipher block plus the omitted bytes to get
> # the second-to-last plaintext block.
>- plaintext += _xorbytes(aes.decrypt(cblocks[-1] + omitted), prev_cblock)
>+ plaintext += _xorbytes(aes_decrypt(cblocks[-1] + omitted), prev_cblock)
> return plaintext + lastplaintext
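Review bot: `basic_decrypt` replaces the old ECB object with a CBC cipher whose IV is sixteen zero bytes, and that is equivalent only because `aes_decrypt` creates a fresh decryptor on every call and every call site passes exactly one 16-byte block. Nothing in the code says so, and passing two blocks in one call would silently chain them and break the ciphertext-stealing arithmetic in the hunk that follows. I would either construct the cipher with `modes.ECB()`, which states the intent directly, or add a comment above `aes_decrypt`: `# One block per call: CBC with a zero IV and a fresh context is a raw AES block decrypt.` The method starts outside this hunk and continues in the next one.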
>
>
>@@ -365,32 +417,43 @@ class _RC4(_EnctypeProfile):
>
> @classmethod
> def string_to_key(cls, string, salt, params):
>- utf16string = string.decode('UTF-8').encode('UTF-16LE')
>- return Key(cls.enctype, MD4.new(utf16string).digest())
>+ utf8string = get_string(string)
>+ tmp = Credentials()
>+ tmp.set_anonymous()
>+ tmp.set_password(utf8string)
>+ nthash = tmp.get_nt_hash()
>+ return Key(cls.enctype, nthash)
>
> @classmethod
> def encrypt(cls, key, keyusage, plaintext, confounder):
> if confounder is None:
> confounder = get_random_bytes(8)
>- ki = HMAC.new(key.contents, cls.usage_str(keyusage), MD5).digest()
>- cksum = HMAC.new(ki, confounder + plaintext, MD5).digest()
>- ke = HMAC.new(ki, cksum, MD5).digest()
>- return cksum + ARC4.new(ke).encrypt(confounder + plaintext)
>+ ki = HMAC_HASH(key.contents, cls.usage_str(keyusage), hashes.MD5)
>+ cksum = HMAC_HASH(ki, confounder + plaintext, hashes.MD5)
>+ ke = HMAC_HASH(ki, cksum, hashes.MD5)
>+
>+ encryptor = Cipher(ciphers.ARC4(ke), None, default_backend()).encryptor()
>+ ctext = encryptor.update(confounder + plaintext)
>+
>+ return cksum + ctext
>
> @classmethod
> def decrypt(cls, key, keyusage, ciphertext):
> if len(ciphertext) < 24:
> raise ValueError('ciphertext too short')
> cksum, basic_ctext = ciphertext[:16], ciphertext[16:]
>- ki = HMAC.new(key.contents, cls.usage_str(keyusage), MD5).digest()
>- ke = HMAC.new(ki, cksum, MD5).digest()
>- basic_plaintext = ARC4.new(ke).decrypt(basic_ctext)
>- exp_cksum = HMAC.new(ki, basic_plaintext, MD5).digest()
>+ ki = HMAC_HASH(key.contents, cls.usage_str(keyusage), hashes.MD5)
>+ ke = HMAC_HASH(ki, cksum, hashes.MD5)
>+
>+ decryptor = Cipher(ciphers.ARC4(ke), None, default_backend()).decryptor()
>+ basic_plaintext = decryptor.update(basic_ctext)
>+
>+ exp_cksum = HMAC_HASH(ki, basic_plaintext, hashes.MD5)
> ok = _mac_equal(cksum, exp_cksum)
> if not ok and keyusage == 9:
> # Try again with usage 8, due to RFC 4757 errata.
>- ki = HMAC.new(key.contents, pack('<i', 8), MD5).digest()
>- exp_cksum = HMAC.new(ki, basic_plaintext, MD5).digest()
>+ ki = HMAC_HASH(key.contents, pack('<i', 8), hashes.MD5)
>+ exp_cksum = HMAC_HASH(ki, basic_plaintext, hashes.MD5)
> ok = _mac_equal(cksum, exp_cksum)
> if not ok:
> raise InvalidChecksum('ciphertext integrity failure')
>@@ -399,7 +462,7 @@ class _RC4(_EnctypeProfile):
>
> @classmethod
> def prf(cls, key, string):
>- return HMAC.new(key.contents, string, SHA).digest()
>+ return HMAC_HASH(key.contents, string, hashes.SHA1)
>
>
> class _ChecksumProfile(object):
>@@ -424,7 +487,7 @@ class _SimplifiedChecksum(_ChecksumProfile):
> @classmethod
> def checksum(cls, key, keyusage, text):
> kc = cls.enc.derive(key, pack('>iB', keyusage, 0x99))
>- hmac = HMAC.new(kc.contents, text, cls.enc.hashmod).digest()
>+ hmac = HMAC_HASH(kc.contents, text, cls.enc.hashalgo)
> return hmac[:cls.macsize]
>
> @classmethod
>@@ -452,9 +515,9 @@ class _SHA1DES3(_SimplifiedChecksum):
> class _HMACMD5(_ChecksumProfile):
> @classmethod
> def checksum(cls, key, keyusage, text):
>- ksign = HMAC.new(key.contents, b'signaturekey\0', MD5).digest()
>- md5hash = MD5.new(_RC4.usage_str(keyusage) + text).digest()
>- return HMAC.new(ksign, md5hash, MD5).digest()
>+ ksign = HMAC_HASH(key.contents, b'signaturekey\0', hashes.MD5)
>+ md5hash = SIMPLE_HASH(_RC4.usage_str(keyusage) + text, hashes.MD5)
>+ return HMAC_HASH(ksign, md5hash, hashes.MD5)
>
> @classmethod
> def verify(cls, key, keyusage, text, cksum):
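Review bot: `_RC4.string_to_key` now builds a throw-away `Credentials` object just to obtain the NT hash, and the reason is not stated; presumably the replaced `MD4` primitive has no counterpart among the `hashes` used elsewhere in this file. A one-line comment such as `# NT hash via samba.credentials; MD4 is not taken from python3-cryptography here` would stop the next reader from simplifying it back. The change also alters the accepted input: the old code required UTF-8 bytes and raised on anything else, whereas the new path depends on what `get_string` does with other input, which is not visible here, so a test with a non-ASCII password would pin the behaviour.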
>@@ -564,150 +627,173 @@ def cf2(enctype, key1, key2, pepper1, pepper2): > return e.random_to_key(_xorbytes(prfplus(key1, pepper1, e.seedsize), > prfplus(key2, pepper2, e.seedsize))) > >- >-if __name__ == '__main__': >- def h(hexstr): >- return bytes.fromhex(hexstr) >- >- # AES128 encrypt and decrypt >- kb = h('9062430C8CDA3388922E6D6A509F5B7A') >- conf = h('94B491F481485B9A0678CD3C4EA386AD') >- keyusage = 2 >- plain = b'9 bytesss' >- ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7CD2E' >- 'C26C355D2F') >- k = Key(Enctype.AES128, kb) >- assert(encrypt(k, keyusage, plain, conf) == ctxt) >- assert(decrypt(k, keyusage, ctxt) == plain) >- >- # AES256 encrypt and decrypt >- kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B1404231398') >- conf = h('E45CA518B42E266AD98E165E706FFB60') >- keyusage = 4 >- plain = b'30 bytes bytes bytes bytes byt' >- ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3D79A' >- '295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') >- k = Key(Enctype.AES256, kb) >- assert(encrypt(k, keyusage, plain, conf) == ctxt) >- assert(decrypt(k, keyusage, ctxt) == plain) >- >- # AES128 checksum >- kb = h('9062430C8CDA3388922E6D6A509F5B7A') >- keyusage = 3 >- plain = b'eight nine ten eleven twelve thirteen' >- cksum = h('01A4B088D45628F6946614E3') >- k = Key(Enctype.AES128, kb) >- verify_checksum(Cksumtype.SHA1_AES128, k, keyusage, plain, cksum) >- >- # AES256 checksum >- kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBCFEA4EC76D7') >- keyusage = 4 >- plain = b'fourteen' >- cksum = h('E08739E3279E2903EC8E3836') >- k = Key(Enctype.AES256, kb) >- verify_checksum(Cksumtype.SHA1_AES256, k, keyusage, plain, cksum) >- >- # AES128 string-to-key >- string = b'password' >- salt = b'ATHENA.MIT.EDUraeburn' >- params = h('00000002') >- kb = h('C651BF29E2300AC27FA469D693BDDA13') >- k = string_to_key(Enctype.AES128, string, salt, params) >- assert(k.contents == kb) >- >- # AES256 string-to-key >- 
string = b'X' * 64 >- salt = b'pass phrase equals block size' >- params = h('000004B0') >- kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56C553BA4B34') >- k = string_to_key(Enctype.AES256, string, salt, params) >- assert(k.contents == kb) >- >- # AES128 prf >- kb = h('77B39A37A868920F2A51F9DD150C5717') >- k = string_to_key(Enctype.AES128, b'key1', b'key1') >- assert(prf(k, b'\x01\x61') == kb) >- >- # AES256 prf >- kb = h('0D674DD0F9A6806525A4D92E828BD15A') >- k = string_to_key(Enctype.AES256, b'key2', b'key2') >- assert(prf(k, b'\x02\x62') == kb) >- >- # AES128 cf2 >- kb = h('97DF97E4B798B29EB31ED7280287A92A') >- k1 = string_to_key(Enctype.AES128, b'key1', b'key1') >- k2 = string_to_key(Enctype.AES128, b'key2', b'key2') >- k = cf2(Enctype.AES128, k1, k2, b'a', b'b') >- assert(k.contents == kb) >- >- # AES256 cf2 >- kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5E72B1C7B') >- k1 = string_to_key(Enctype.AES256, b'key1', b'key1') >- k2 = string_to_key(Enctype.AES256, b'key2', b'key2') >- k = cf2(Enctype.AES256, k1, k2, b'a', b'b') >- assert(k.contents == kb) >- >- # DES3 encrypt and decrypt >- kb = h('0DD52094E0F41CECCB5BE510A764B35176E3981332F1E598') >- conf = h('94690A17B2DA3C9B') >- keyusage = 3 >- plain = b'13 bytes byte' >- ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F705E8' >- '49CB7781D76A316B193F8D30') >- k = Key(Enctype.DES3, kb) >- assert(encrypt(k, keyusage, plain, conf) == ctxt) >- assert(decrypt(k, keyusage, ctxt) == _zeropad(plain, 8)) >- >- # DES3 string-to-key >- string = b'password' >- salt = b'ATHENA.MIT.EDUraeburn' >- kb = h('850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E') >- k = string_to_key(Enctype.DES3, string, salt) >- assert(k.contents == kb) >- >- # DES3 checksum >- kb = h('7A25DF8992296DCEDA0E135BC4046E2375B3C14C98FBC162') >- keyusage = 2 >- plain = b'six seven' >- cksum = h('0EEFC9C3E049AABC1BA5C401677D9AB699082BB4') >- k = Key(Enctype.DES3, kb) >- 
verify_checksum(Cksumtype.SHA1_DES3, k, keyusage, plain, cksum) >- >- # DES3 cf2 >- kb = h('E58F9EB643862C13AD38E529313462A7F73E62834FE54A01') >- k1 = string_to_key(Enctype.DES3, b'key1', b'key1') >- k2 = string_to_key(Enctype.DES3, b'key2', b'key2') >- k = cf2(Enctype.DES3, k1, k2, b'a', b'b') >- assert(k.contents == kb) >- >- # RC4 encrypt and decrypt >- kb = h('68F263DB3FCE15D031C9EAB02D67107A') >- conf = h('37245E73A45FBF72') >- keyusage = 4 >- plain = b'30 bytes bytes bytes bytes byt' >- ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0F260' >- 'A99F0460508DE0CECC632D07C354124E46C5D2234EB8') >- k = Key(Enctype.RC4, kb) >- assert(encrypt(k, keyusage, plain, conf) == ctxt) >- assert(decrypt(k, keyusage, ctxt) == plain) >- >- # RC4 string-to-key >- string = b'foo' >- kb = h('AC8E657F83DF82BEEA5D43BDAF7800CC') >- k = string_to_key(Enctype.RC4, string, None) >- assert(k.contents == kb) >- >- # RC4 checksum >- kb = h('F7D3A155AF5E238A0B7A871A96BA2AB2') >- keyusage = 6 >- plain = b'seventeen eighteen nineteen twenty' >- cksum = h('EB38CC97E2230F59DA4117DC5859D7EC') >- k = Key(Enctype.RC4, kb) >- verify_checksum(Cksumtype.HMAC_MD5, k, keyusage, plain, cksum) >- >- # RC4 cf2 >- kb = h('24D7F6B6BAE4E5C00D2082C5EBAB3672') >- k1 = string_to_key(Enctype.RC4, b'key1', b'key1') >- k2 = string_to_key(Enctype.RC4, b'key2', b'key2') >- k = cf2(Enctype.RC4, k1, k2, b'a', b'b') >- assert(k.contents == kb) >+def h(hexstr): >+ return bytes.fromhex(hexstr) >+ >+class KcrytoTest(TestCase): >+ """kcrypto Test case.""" >+ >+ def test_aes128_crypr(self): >+ # AES128 encrypt and decrypt >+ kb = h('9062430C8CDA3388922E6D6A509F5B7A') >+ conf = h('94B491F481485B9A0678CD3C4EA386AD') >+ keyusage = 2 >+ plain = b'9 bytesss' >+ ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7CD2E' >+ 'C26C355D2F') >+ k = Key(Enctype.AES128, kb) >+ self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) >+ self.assertEqual(decrypt(k, keyusage, ctxt), plain) >+ >+ def 
test_aes256_crypt(self): >+ # AES256 encrypt and decrypt >+ kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B1404231398') >+ conf = h('E45CA518B42E266AD98E165E706FFB60') >+ keyusage = 4 >+ plain = b'30 bytes bytes bytes bytes byt' >+ ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3D79A' >+ '295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') >+ k = Key(Enctype.AES256, kb) >+ self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) >+ self.assertEqual(decrypt(k, keyusage, ctxt), plain) >+ >+ def test_aes128_checksum(self): >+ # AES128 checksum >+ kb = h('9062430C8CDA3388922E6D6A509F5B7A') >+ keyusage = 3 >+ plain = b'eight nine ten eleven twelve thirteen' >+ cksum = h('01A4B088D45628F6946614E3') >+ k = Key(Enctype.AES128, kb) >+ verify_checksum(Cksumtype.SHA1_AES128, k, keyusage, plain, cksum) >+ >+ def test_aes256_checksum(self): >+ # AES256 checksum >+ kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBCFEA4EC76D7') >+ keyusage = 4 >+ plain = b'fourteen' >+ cksum = h('E08739E3279E2903EC8E3836') >+ k = Key(Enctype.AES256, kb) >+ verify_checksum(Cksumtype.SHA1_AES256, k, keyusage, plain, cksum) >+ >+ def test_aes128_string_to_key(self): >+ # AES128 string-to-key >+ string = b'password' >+ salt = b'ATHENA.MIT.EDUraeburn' >+ params = h('00000002') >+ kb = h('C651BF29E2300AC27FA469D693BDDA13') >+ k = string_to_key(Enctype.AES128, string, salt, params) >+ self.assertEqual(k.contents, kb) >+ >+ def test_aes256_string_to_key(self): >+ # AES256 string-to-key >+ string = b'X' * 64 >+ salt = b'pass phrase equals block size' >+ params = h('000004B0') >+ kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56C553BA4B34') >+ k = string_to_key(Enctype.AES256, string, salt, params) >+ self.assertEqual(k.contents, kb) >+ >+ def test_aes128_prf(self): >+ # AES128 prf >+ kb = h('77B39A37A868920F2A51F9DD150C5717') >+ k = string_to_key(Enctype.AES128, b'key1', b'key1') >+ self.assertEqual(prf(k, b'\x01\x61'), kb) >+ >+ def 
test_aes256_prf(self): >+ # AES256 prf >+ kb = h('0D674DD0F9A6806525A4D92E828BD15A') >+ k = string_to_key(Enctype.AES256, b'key2', b'key2') >+ self.assertEqual(prf(k, b'\x02\x62'), kb) >+ >+ def test_aes128_cf2(self): >+ # AES128 cf2 >+ kb = h('97DF97E4B798B29EB31ED7280287A92A') >+ k1 = string_to_key(Enctype.AES128, b'key1', b'key1') >+ k2 = string_to_key(Enctype.AES128, b'key2', b'key2') >+ k = cf2(Enctype.AES128, k1, k2, b'a', b'b') >+ self.assertEqual(k.contents, kb) >+ >+ def test_aes256_cf2(self): >+ # AES256 cf2 >+ kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5E72B1C7B') >+ k1 = string_to_key(Enctype.AES256, b'key1', b'key1') >+ k2 = string_to_key(Enctype.AES256, b'key2', b'key2') >+ k = cf2(Enctype.AES256, k1, k2, b'a', b'b') >+ self.assertEqual(k.contents, kb) >+ >+ def test_des3_crypt(self): >+ # DES3 encrypt and decrypt >+ kb = h('0DD52094E0F41CECCB5BE510A764B35176E3981332F1E598') >+ conf = h('94690A17B2DA3C9B') >+ keyusage = 3 >+ plain = b'13 bytes byte' >+ ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F705E8' >+ '49CB7781D76A316B193F8D30') >+ k = Key(Enctype.DES3, kb) >+ self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) >+ self.assertEqual(decrypt(k, keyusage, ctxt), _zeropad(plain, 8)) >+ >+ def test_des3_string_to_key(self): >+ # DES3 string-to-key >+ string = b'password' >+ salt = b'ATHENA.MIT.EDUraeburn' >+ kb = h('850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E') >+ k = string_to_key(Enctype.DES3, string, salt) >+ self.assertEqual(k.contents, kb) >+ >+ def test_des3_checksum(self): >+ # DES3 checksum >+ kb = h('7A25DF8992296DCEDA0E135BC4046E2375B3C14C98FBC162') >+ keyusage = 2 >+ plain = b'six seven' >+ cksum = h('0EEFC9C3E049AABC1BA5C401677D9AB699082BB4') >+ k = Key(Enctype.DES3, kb) >+ verify_checksum(Cksumtype.SHA1_DES3, k, keyusage, plain, cksum) >+ >+ def test_des3_cf2(self): >+ # DES3 cf2 >+ kb = h('E58F9EB643862C13AD38E529313462A7F73E62834FE54A01') >+ k1 = string_to_key(Enctype.DES3, b'key1', 
b'key1') >+ k2 = string_to_key(Enctype.DES3, b'key2', b'key2') >+ k = cf2(Enctype.DES3, k1, k2, b'a', b'b') >+ self.assertEqual(k.contents, kb) >+ >+ def test_rc4_crypt(self): >+ # RC4 encrypt and decrypt >+ kb = h('68F263DB3FCE15D031C9EAB02D67107A') >+ conf = h('37245E73A45FBF72') >+ keyusage = 4 >+ plain = b'30 bytes bytes bytes bytes byt' >+ ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0F260' >+ 'A99F0460508DE0CECC632D07C354124E46C5D2234EB8') >+ k = Key(Enctype.RC4, kb) >+ self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) >+ self.assertEqual(decrypt(k, keyusage, ctxt), plain) >+ >+ def test_rc4_string_to_key(self): >+ # RC4 string-to-key >+ string = b'foo' >+ kb = h('AC8E657F83DF82BEEA5D43BDAF7800CC') >+ k = string_to_key(Enctype.RC4, string, None) >+ self.assertEqual(k.contents, kb) >+ >+ def test_rc4_checksum(self): >+ # RC4 checksum >+ kb = h('F7D3A155AF5E238A0B7A871A96BA2AB2') >+ keyusage = 6 >+ plain = b'seventeen eighteen nineteen twenty' >+ cksum = h('EB38CC97E2230F59DA4117DC5859D7EC') >+ k = Key(Enctype.RC4, kb) >+ verify_checksum(Cksumtype.HMAC_MD5, k, keyusage, plain, cksum) >+ >+ def test_rc4_cf2(self): >+ # RC4 cf2 >+ kb = h('24D7F6B6BAE4E5C00D2082C5EBAB3672') >+ k1 = string_to_key(Enctype.RC4, b'key1', b'key1') >+ k2 = string_to_key(Enctype.RC4, b'key2', b'key2') >+ k = cf2(Enctype.RC4, k1, k2, b'a', b'b') >+ self.assertEqual(k.contents, kb) >+ >+if __name__ == "__main__": >+ import unittest >+ unittest.main() >-- >2.25.1 > > >From ee3891b9bcd52030989c657f63db32cd74168367 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 25 Mar 2020 22:07:39 +0100 >Subject: [PATCH 021/686] s4:selftest: run samba.tests.krb5.kcrypto test > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Isaac Boukris <iboukris@samba.org> >(cherry picked from commit 7010a1311d193c78e9f26adeafe98458217edbca) >--- > source4/selftest/tests.py | 2 ++ > 1 file changed, 2 insertions(+) 
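Review bot: Every converted test exercises only the accept path: the four `*_checksum` tests call `verify_checksum` with a correct MAC, and nothing asserts that a modified MAC or ciphertext raises `InvalidChecksum`. After a backend swap the rejection path is the part most worth pinning, because a `verify` that never raises would pass this whole suite; the MD5 checksum tests added by patch 022 later in this series have the same gap. I would add one tamper test per checksum type along the lines below. Minor: `KcrytoTest` and `test_aes128_crypr` look like typos for `KcryptoTest` and `test_aes128_crypt`.

```python
    def test_aes128_checksum_rejects_modified_mac(self):
        # Same vector as test_aes128_checksum, with one bit of the MAC flipped.
        kb = h('9062430C8CDA3388922E6D6A509F5B7A')
        plain = b'eight nine ten eleven twelve thirteen'
        cksum = h('01A4B088D45628F6946614E3')
        bad = bytes([cksum[0] ^ 0x01]) + cksum[1:]
        k = Key(Enctype.AES128, kb)
        with self.assertRaises(InvalidChecksum):
            verify_checksum(Cksumtype.SHA1_AES128, k, 3, plain, bad)
```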
>
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 1561f068ca1..e627158d2f9 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -713,6 +713,8 @@ planoldpythontestsuite("nt4_dc", "samba.tests.netbios", extra_args=['-U"$USERNAM
> planoldpythontestsuite("ad_dc:local", "samba.tests.gpo", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True)
> planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True)
>
>+planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
>+
> for env in ["ad_dc", smbv1_disabled_testenv]:
> planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True)
> planoldpythontestsuite(env + ":local", "samba.tests.ntacls_backup",
>--
>2.25.1
>
>
>From 092e785d1ba31b625bda4d3b1bd45b7a0d0a9d7d Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 23 Mar 2020 08:53:54 +0100
>Subject: [PATCH 022/686] python/tests/krb5: add support for Cksumtype.MD5
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Isaac Boukris <iboukris@samba.org>
>(cherry picked from commit 47385248c8e462162e01afc3d3d68b97dff3542c)
>---
> python/samba/tests/krb5/kcrypto.py | 43 +++++++++++++++++++++++++++++-
> 1 file changed, 42 insertions(+), 1 deletion(-)
>
>diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py
>index 0907d881b68..ed3c84fa186 100755
>--- a/python/samba/tests/krb5/kcrypto.py
>+++ b/python/samba/tests/krb5/kcrypto.py
>@@ -526,6 +526,13 @@ class _HMACMD5(_ChecksumProfile):
> super(_HMACMD5, cls).verify(key, keyusage, text, cksum)
>
>
>+class _MD5(_ChecksumProfile):
>+ @classmethod
>+ def checksum(cls, key, keyusage, text):
>+ # This is unkeyed!
>+ return SIMPLE_HASH(text, hashes.MD5)
>+
>+
> _enctype_table = {
> Enctype.DES3: _DES3CBC,
> Enctype.AES128: _AES128CTS,
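Review bot: The new `planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")` entry omits `py3_compatible=True`, which every neighbouring entry in the context lines passes. kcrypto.py carries a `python3` shebang and uses `bytes.fromhex`, so it should be confirmed which interpreter this helper selects without the flag; if the flag is what schedules the Python 3 run, the line should read `planoldpythontestsuite("none", "samba.tests.krb5.kcrypto", py3_compatible=True)`. The helper's definition is not part of this hunk.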
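Review bot: `_MD5.checksum` ignores both `key` and `keyusage`, so a value accepted through `verify_checksum(Cksumtype.MD5, ...)` proves nothing about who produced the data: anyone who can see or choose the text can compute the same digest. Registering it in `_checksum_table` beside the keyed types makes that easy to miss at call sites, and the inherited `verify` is outside this hunk, so it is not visible whether it distinguishes the two. I would expand the comment to say so, for example `# Unkeyed digest: detects accidental corruption only; never treat a match as authentication.`, and consider a class attribute such as `keyed = False` that callers can check before relying on the result.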
>@@ -538,7 +545,8 @@ _checksum_table = {
> Cksumtype.SHA1_DES3: _SHA1DES3,
> Cksumtype.SHA1_AES128: _SHA1AES128,
> Cksumtype.SHA1_AES256: _SHA1AES256,
>- Cksumtype.HMAC_MD5: _HMACMD5
>+ Cksumtype.HMAC_MD5: _HMACMD5,
>+ Cksumtype.MD5: _MD5,
> }
>
>
>@@ -794,6 +802,39 @@ class KcrytoTest(TestCase):
> k = cf2(Enctype.RC4, k1, k2, b'a', b'b')
> self.assertEqual(k.contents, kb)
>
>+ def _test_md5_unkeyed_checksum(self, etype, usage):
>+ # MD5 unkeyed checksum
>+ pw = b'pwd'
>+ salt = b'bytes'
>+ key = string_to_key(etype, pw, salt)
>+ plain = b'seventeen eighteen nineteen twenty'
>+ cksum = h('9d9588cdef3a8cefc9d2c208d978f60c')
>+ verify_checksum(Cksumtype.MD5, key, usage, plain, cksum)
>+
>+ def test_md5_unkeyed_checksum_des3_usage_40(self):
>+ return self._test_md5_unkeyed_checksum(Enctype.DES3, 40)
>+
>+ def test_md5_unkeyed_checksum_des3_usage_50(self):
>+ return self._test_md5_unkeyed_checksum(Enctype.DES3, 50)
>+
>+ def test_md5_unkeyed_checksum_rc4_usage_40(self):
>+ return self._test_md5_unkeyed_checksum(Enctype.RC4, 40)
>+
>+ def test_md5_unkeyed_checksum_rc4_usage_50(self):
>+ return self._test_md5_unkeyed_checksum(Enctype.RC4, 50)
>+
>+ def test_md5_unkeyed_checksum_aes128_usage_40(self):
>+ return self._test_md5_unkeyed_checksum(Enctype.AES128, 40)
>+
>+ def test_md5_unkeyed_checksum_aes128_usage_50(self):
>+ return self._test_md5_unkeyed_checksum(Enctype.AES128, 50)
>+
>+ def test_md5_unkeyed_checksum_aes256_usage_40(self):
>+ return self._test_md5_unkeyed_checksum(Enctype.AES256, 40)
>+
>+ def test_md5_unkeyed_checksum_aes256_usage_50(self):
>+ return self._test_md5_unkeyed_checksum(Enctype.AES256, 50)
>+
> if __name__ == "__main__":
> import unittest
> unittest.main()
>--
>2.25.1
>
>
>From 5bf5da02dbb1c2cbee4e6f083c85f8147b75217f Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 13 Feb 2020 16:29:38 +0100
>Subject: [PATCH 023/686] python/tests/krb5: add rfc4120.asn1
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Isaac Boukris <iboukris@samba.org>
>(cherry picked from commit a2f75c314e9946f74e9dacceac690295999925b5)
>---
> python/samba/tests/krb5/rfc4120.asn1 | 392 +++++++++++++++++++++++++++
> 1 file changed, 392 insertions(+)
> create mode 100644 python/samba/tests/krb5/rfc4120.asn1
>
>diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1
>new file mode 100644
>index 00000000000..ec44557f45a
>--- /dev/null
>+++ b/python/samba/tests/krb5/rfc4120.asn1
>@@ -0,0 +1,392 @@
>+KerberosV5Spec2 {
>+ iso(1) identified-organization(3) dod(6) internet(1)
>+ security(5) kerberosV5(2) modules(4) krb5spec2(2)
>+} DEFINITIONS EXPLICIT TAGS ::= BEGIN
>+
>+-- OID arc for KerberosV5
>+--
>+-- This OID may be used to identify Kerberos protocol messages
>+-- encapsulated in other protocols.
>+--
>+-- This OID also designates the OID arc for KerberosV5-related OIDs.
>+--
>+-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
>+id-krb5 OBJECT IDENTIFIER ::= {
>+ iso(1) identified-organization(3) dod(6) internet(1)
>+ security(5) kerberosV5(2)
>+}
>+
>+Int32 ::= INTEGER (-2147483648..2147483647)
>+ -- signed values representable in 32 bits
>+
>+UInt32 ::= INTEGER (0..4294967295)
>+ -- unsigned 32 bit values
>+
>+Microseconds ::= INTEGER (0..999999)
>+ -- microseconds
>+
>+KerberosString ::= GeneralString (IA5String)
>+
>+Realm ::= KerberosString
>+
>+PrincipalName ::= SEQUENCE {
>+ name-type [0] Int32,
>+ name-string [1] SEQUENCE OF KerberosString
>+}
>+
>+KerberosTime ::= GeneralizedTime -- with no fractional seconds
>+
>+HostAddress ::= SEQUENCE {
>+ addr-type [0] Int32,
>+ address [1] OCTET STRING
>+}
>+
>+-- NOTE: HostAddresses is always used as an OPTIONAL field and
>+-- should not be empty.
>+HostAddresses -- NOTE: subtly different from rfc1510,
>+ -- but has a value mapping and encodes the same
>+ ::= SEQUENCE OF HostAddress
>+
>+-- NOTE: AuthorizationData is always used as an OPTIONAL field and
>+-- should not be empty.
>+AuthorizationData ::= SEQUENCE OF SEQUENCE {
>+ ad-type [0] Int32,
>+ ad-data [1] OCTET STRING
>+}
>+
>+PA-DATA ::= SEQUENCE {
>+ -- NOTE: first tag is [1], not [0]
>+ padata-type [1] Int32,
>+ padata-value [2] OCTET STRING -- might be encoded AP-REQ
>+}
>+
>+KerberosFlags ::= BIT STRING (SIZE (32..MAX))
>+ -- minimum number of bits shall be sent,
>+ -- but no fewer than 32
>+
>+EncryptedData ::= SEQUENCE {
>+ etype [0] Int32 -- EncryptionType --,
>+ kvno [1] UInt32 OPTIONAL,
>+ cipher [2] OCTET STRING -- ciphertext
>+}
>+
>+EncryptionKey ::= SEQUENCE {
>+ keytype [0] Int32 -- actually encryption type --,
>+ keyvalue [1] OCTET STRING
>+}
>+
>+Checksum ::= SEQUENCE {
>+ cksumtype [0] Int32,
>+ checksum [1] OCTET STRING
>+}
>+
>+Ticket ::= [APPLICATION 1] SEQUENCE {
>+ tkt-vno [0] INTEGER (5),
>+ realm [1] Realm,
>+ sname [2] PrincipalName,
>+ enc-part [3] EncryptedData -- EncTicketPart
>+}
>+
>+-- Encrypted part of ticket
>+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
>+ flags [0] TicketFlags,
>+ key [1] EncryptionKey,
>+ crealm [2] Realm,
>+ cname [3] PrincipalName,
>+ transited [4] TransitedEncoding,
>+ authtime [5] KerberosTime,
>+ starttime [6] KerberosTime OPTIONAL,
>+ endtime [7] KerberosTime,
>+ renew-till [8] KerberosTime OPTIONAL,
>+ caddr [9] HostAddresses OPTIONAL,
>+ authorization-data [10] AuthorizationData OPTIONAL
>+}
>+
>+-- encoded Transited field
>+TransitedEncoding ::= SEQUENCE {
>+ tr-type [0] Int32 -- must be registered --,
>+ contents [1] OCTET STRING
>+}
>+
>+TicketFlags ::= KerberosFlags
>+ -- reserved(0),
>+ -- forwardable(1),
>+ -- forwarded(2),
>+ -- proxiable(3),
>+ -- proxy(4),
>+ -- may-postdate(5),
>+ -- postdated(6),
>+ -- invalid(7),
>+ -- renewable(8),
>+ -- initial(9),
>+ -- pre-authent(10),
>+ -- hw-authent(11),
>+-- the following are new since 1510
>+ -- transited-policy-checked(12),
>+ -- ok-as-delegate(13)
>+
>+AS-REQ ::= [APPLICATION 10] KDC-REQ
>+
>+TGS-REQ ::= [APPLICATION 12] KDC-REQ
>+
>+KDC-REQ ::= SEQUENCE {
>+ -- NOTE: first tag is [1], not [0]
>+ pvno [1] INTEGER (5) ,
>+ msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --),
>+ padata [3] SEQUENCE OF PA-DATA OPTIONAL
>+ -- NOTE: not empty --,
>+ req-body [4] KDC-REQ-BODY
>+}
>+
>+KDC-REQ-BODY ::= SEQUENCE {
>+ kdc-options [0] KDCOptions,
>+ cname [1] PrincipalName OPTIONAL
>+ -- Used only in AS-REQ --,
>+ realm [2] Realm
>+ -- Server's realm
>+ -- Also client's in AS-REQ --,
>+ sname [3] PrincipalName OPTIONAL,
>+ from [4] KerberosTime OPTIONAL,
>+ till [5] KerberosTime,
>+ rtime [6] KerberosTime OPTIONAL,
>+ nonce [7] UInt32,
>+ etype [8] SEQUENCE OF Int32 -- EncryptionType
>+ -- in preference order --,
>+ addresses [9] HostAddresses OPTIONAL,
>+ enc-authorization-data [10] EncryptedData OPTIONAL
>+ -- AuthorizationData --,
>+ additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
>+ -- NOTE: not empty
>+}
>+
>+KDCOptions ::= KerberosFlags
>+ -- reserved(0),
>+ -- forwardable(1),
>+ -- forwarded(2),
>+ -- proxiable(3),
>+ -- proxy(4),
>+ -- allow-postdate(5),
>+ -- postdated(6),
>+ -- unused7(7),
>+ -- renewable(8),
>+ -- unused9(9),
>+ -- unused10(10),
>+ -- opt-hardware-auth(11),
>+ -- unused12(12),
>+ -- unused13(13),
>+-- 15 is reserved for canonicalize
>+ -- unused15(15),
>+-- 26 was unused in 1510
>+ -- disable-transited-check(26),
>+--
>+ -- renewable-ok(27),
>+ -- enc-tkt-in-skey(28),
>+ -- renew(30),
>+ -- validate(31)
>+
>+AS-REP ::= [APPLICATION 11] KDC-REP
>+
>+TGS-REP ::= [APPLICATION 13] KDC-REP
>+
>+KDC-REP ::= SEQUENCE {
>+ pvno [0] INTEGER (5),
>+ msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --),
>+ padata [2] SEQUENCE OF PA-DATA OPTIONAL
>+ -- NOTE: not empty --,
>+ crealm [3] Realm,
>+ cname [4] PrincipalName,
>+ ticket [5] Ticket,
>+ enc-part [6] EncryptedData
>+ -- EncASRepPart or EncTGSRepPart,
>+ -- as appropriate
>+}
>+
>+EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
>+
>+EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
>+
>+EncKDCRepPart ::= SEQUENCE {
>+ key [0] EncryptionKey,
>+ last-req [1] LastReq,
>+ nonce [2] UInt32,
>+ key-expiration [3] KerberosTime OPTIONAL,
>+ flags [4] TicketFlags,
>+ authtime [5] KerberosTime,
>+ starttime [6] KerberosTime OPTIONAL,
>+ endtime [7] KerberosTime,
>+ renew-till [8] KerberosTime OPTIONAL,
>+ srealm [9] Realm,
>+ sname [10] PrincipalName,
>+ caddr [11] HostAddresses OPTIONAL
>+}
>+
>+LastReq ::= SEQUENCE OF SEQUENCE {
>+ lr-type [0] Int32,
>+ lr-value [1] KerberosTime
>+}
>+
>+AP-REQ ::= [APPLICATION 14] SEQUENCE {
>+ pvno [0] INTEGER (5),
>+ msg-type [1] INTEGER (14),
>+ ap-options [2] APOptions,
>+ ticket [3] Ticket,
>+ authenticator [4] EncryptedData -- Authenticator
>+}
>+
>+APOptions ::= KerberosFlags
>+ -- reserved(0),
>+ -- use-session-key(1),
>+ -- mutual-required(2)
>+
>+-- Unencrypted authenticator
>+Authenticator ::= [APPLICATION 2] SEQUENCE {
>+ authenticator-vno [0] INTEGER (5),
>+ crealm [1] Realm,
>+ cname [2] PrincipalName,
>+ cksum [3] Checksum OPTIONAL,
>+ cusec [4] Microseconds,
>+ ctime [5] KerberosTime,
>+ subkey [6] EncryptionKey OPTIONAL,
>+ seq-number [7] UInt32 OPTIONAL,
>+ authorization-data [8] AuthorizationData OPTIONAL
>+}
>+
>+AP-REP ::= [APPLICATION 15] SEQUENCE {
>+ pvno [0] INTEGER (5),
>+ msg-type [1] INTEGER (15),
>+ enc-part [2] EncryptedData -- EncAPRepPart
>+}
>+
>+EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
>+ ctime [0] KerberosTime,
>+ cusec [1] Microseconds,
>+ subkey [2] EncryptionKey OPTIONAL,
>+ seq-number [3] UInt32 OPTIONAL
>+}
>+
>+KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
>+ pvno [0] INTEGER (5),
>+ msg-type [1] INTEGER (20),
>+ safe-body [2] KRB-SAFE-BODY,
>+ cksum [3] Checksum
>+}
>+
>+KRB-SAFE-BODY ::= SEQUENCE {
>+ user-data [0] OCTET STRING,
>+ timestamp [1] KerberosTime OPTIONAL,
>+ usec [2] Microseconds OPTIONAL,
>+ seq-number [3] UInt32 OPTIONAL,
>+ s-address [4] HostAddress,
>+ r-address [5] HostAddress OPTIONAL
>+}
>+
>+KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
>+ pvno [0] INTEGER (5),
>+ msg-type [1] INTEGER (21),
>+ -- NOTE: there is no [2] tag
>+ enc-part [3] EncryptedData -- EncKrbPrivPart
>+}
>+
>+EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
>+ user-data [0] OCTET STRING,
>+ timestamp [1] KerberosTime OPTIONAL,
>+ usec [2] Microseconds OPTIONAL,
>+ seq-number [3] UInt32 OPTIONAL,
>+ s-address [4] HostAddress -- sender's addr --,
>+ r-address [5] HostAddress OPTIONAL -- recip's addr
>+}
>+
>+KRB-CRED ::= [APPLICATION 22] SEQUENCE {
>+ pvno [0] INTEGER (5),
>+ msg-type [1] INTEGER (22),
>+ tickets [2] SEQUENCE OF Ticket,
>+ enc-part [3] EncryptedData -- EncKrbCredPart
>+}
>+
>+EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
>+ ticket-info [0] SEQUENCE OF KrbCredInfo,
>+ nonce [1] UInt32 OPTIONAL,
>+ timestamp [2] KerberosTime OPTIONAL,
>+ usec [3] Microseconds OPTIONAL,
>+ s-address [4] HostAddress OPTIONAL,
>+ r-address [5] HostAddress OPTIONAL
>+}
>+
>+KrbCredInfo ::= SEQUENCE {
>+ key [0] EncryptionKey,
>+ prealm [1] Realm OPTIONAL,
>+ pname [2] PrincipalName OPTIONAL,
>+ flags [3] TicketFlags OPTIONAL,
>+ authtime [4] KerberosTime OPTIONAL,
>+ starttime [5] KerberosTime OPTIONAL,
>+ endtime [6] KerberosTime OPTIONAL,
>+ renew-till [7] KerberosTime OPTIONAL,
>+ srealm [8] Realm OPTIONAL,
>+ sname [9] PrincipalName OPTIONAL,
>+ caddr [10] HostAddresses OPTIONAL
>+}
>+
>+KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
>+ pvno [0] INTEGER (5),
>+ msg-type [1] INTEGER (30),
>+ ctime [2] KerberosTime OPTIONAL,
>+ cusec [3] Microseconds OPTIONAL,
>+ stime [4] KerberosTime,
>+ susec [5] Microseconds,
>+ error-code [6] Int32,
>+ crealm [7] Realm OPTIONAL,
>+ cname [8] PrincipalName OPTIONAL,
>+ realm [9] Realm -- service realm --,
>+ sname [10] PrincipalName -- service name --,
>+ e-text [11] KerberosString OPTIONAL,
>+ e-data [12] OCTET STRING OPTIONAL
>+}
>+
>+METHOD-DATA ::= SEQUENCE OF PA-DATA
>+
>+TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
>+ data-type [0] Int32,
>+ data-value [1] OCTET STRING OPTIONAL
>+}
>+
>+-- preauth stuff follows
>+
>+PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
>+
>+PA-ENC-TS-ENC ::= SEQUENCE {
>+ patimestamp [0] KerberosTime -- client's time --,
>+ pausec [1] Microseconds OPTIONAL
>+}
>+
>+ETYPE-INFO-ENTRY ::= SEQUENCE {
>+ etype [0] Int32,
>+ salt [1] OCTET STRING OPTIONAL
>+}
>+
>+ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
>+
>+ETYPE-INFO2-ENTRY ::= SEQUENCE {
>+ etype [0] Int32,
>+ salt [1] KerberosString OPTIONAL,
>+ s2kparams [2] OCTET STRING OPTIONAL
>+}
>+
>+ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
>+
>+AD-IF-RELEVANT ::= AuthorizationData
>+
>+AD-KDCIssued ::= SEQUENCE {
>+ ad-checksum [0] Checksum,
>+ i-realm [1] Realm OPTIONAL,
>+ i-sname [2] PrincipalName OPTIONAL,
>+ elements [3] AuthorizationData
>+}
>+
>+AD-AND-OR ::= SEQUENCE {
>+ condition-count [0] Int32,
>+ elements [1] AuthorizationData
>+}
>+
>+AD-MANDATORY-FOR-KDC ::= AuthorizationData
>+
>+END
>--
>2.25.1
>
>
>From b7fac786dc5a7415075cb0fa589efe3099788429 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 13 Feb 2020 16:29:38 +0100
>Subject: [PATCH 024/686] python/tests/krb5: modify rfc4120.asn1 in order to
> generate pyasn1 code
>
>The pyasn1 bindings are generated by pyasn1gen.py from
>https://github.com/kimgr/asn1ate.git
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Isaac Boukris <iboukris@samba.org>
>(cherry picked from commit 94d068427f6cf23ab68c135ed9833db4b9155b65)
>---
> python/samba/tests/krb5/rfc4120.asn1 | 293 +++++-
> python/samba/tests/krb5/rfc4120_pyasn1.py | 914 ++++++++++++++++++
> .../samba/tests/krb5/rfc4120_pyasn1_regen.sh | 41 +
> python/samba/tests/source.py | 6 +
> 4 files changed, 1243 insertions(+), 11 deletions(-)
> create mode 100644 python/samba/tests/krb5/rfc4120_pyasn1.py
> create mode 100755 python/samba/tests/krb5/rfc4120_pyasn1_regen.sh
>
>diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1
>index ec44557f45a..05b43106034 100644
>--- a/python/samba/tests/krb5/rfc4120.asn1
>+++ b/python/samba/tests/krb5/rfc4120.asn1
>@@ -25,15 +25,23 @@ UInt32 ::= INTEGER (0..4294967295)
> Microseconds ::= INTEGER (0..999999)
> -- microseconds
>
>-KerberosString ::= GeneralString (IA5String)
>+--
>+-- asn1ate doesn't support 'GeneralString (IA5String)'
>+-- only 'GeneralString' or 'IA5String', on the wire
>+-- GeneralString is used.
>+--
>+-- KerberosString ::= GeneralString (IA5String)
>+KerberosString ::= GeneralString
>
> Realm ::= KerberosString
>
> PrincipalName ::= SEQUENCE {
>- name-type [0] Int32,
>+ name-type [0] NameType, -- Int32,
> name-string [1] SEQUENCE OF KerberosString
> }
>
>+NameType ::= Int32
>+
> KerberosTime ::= GeneralizedTime -- with no fractional seconds
>
> HostAddress ::= SEQUENCE {
>@@ -50,36 +58,48 @@ HostAddresses -- NOTE: subtly different from rfc1510,
> -- NOTE: AuthorizationData is always used as an OPTIONAL field and
> -- should not be empty.
> AuthorizationData ::= SEQUENCE OF SEQUENCE {
>- ad-type [0] Int32,
>+ ad-type [0] AuthDataType, -- Int32,
> ad-data [1] OCTET STRING
> }
>
>+AuthDataType ::= Int32
>+
> PA-DATA ::= SEQUENCE {
> -- NOTE: first tag is [1], not [0]
>- padata-type [1] Int32,
>+ padata-type [1] PADataType, -- Int32
> padata-value [2] OCTET STRING -- might be encoded AP-REQ
> }
>
>-KerberosFlags ::= BIT STRING (SIZE (32..MAX))
>+PADataType ::= Int32
>+
>+--
>+-- asn1ate doesn't support 'MAX' nor a lower range != 1.
>+-- We'll use a custom enodeValue() hooks for BitString
>+-- in order to encode them with at least 32-Bit.
>+--
>+-- KerberosFlags ::= BIT STRING (SIZE (32..MAX))
>+KerberosFlags ::= BIT STRING (SIZE (1..32))
> -- minimum number of bits shall be sent,
> -- but no fewer than 32
>
> EncryptedData ::= SEQUENCE {
>- etype [0] Int32 -- EncryptionType --,
>+ etype [0] EncryptionType, --Int32 EncryptionType --
> kvno [1] UInt32 OPTIONAL,
> cipher [2] OCTET STRING -- ciphertext
> }
>
> EncryptionKey ::= SEQUENCE {
>- keytype [0] Int32 -- actually encryption type --,
>+ keytype [0] EncryptionType, -- Int32 actually encryption type --
> keyvalue [1] OCTET STRING
> }
>
> Checksum ::= SEQUENCE {
>- cksumtype [0] Int32,
>+ cksumtype [0] ChecksumType, -- Int32,
> checksum [1] OCTET STRING
> }
>
>+ChecksumType ::= Int32
>+
> Ticket ::= [APPLICATION 1] SEQUENCE {
> tkt-vno [0] INTEGER (5),
> realm [1] Realm,
>@@ -150,7 +170,7 @@ KDC-REQ-BODY ::= SEQUENCE {
> till [5] KerberosTime,
> rtime [6] KerberosTime OPTIONAL,
> nonce [7] UInt32,
>- etype [8] SEQUENCE OF Int32 -- EncryptionType
>+ etype [8] SEQUENCE OF EncryptionType -- Int32 - EncryptionType
> -- in preference order --,
> addresses [9] HostAddresses OPTIONAL,
> enc-authorization-data [10] EncryptedData OPTIONAL
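Review bot: The replacement `KerberosFlags ::= BIT STRING (SIZE (1..32))` makes 32 bits the upper bound, while the retained comment below it and the original `SIZE (32..MAX)` describe 32 as the minimum. With this bound the generated type would presumably reject a flags field longer than 32 bits that the RFC grammar allows, and the 32-bit minimum now depends entirely on the hook the comment mentions. The comment should say both things, and `enodeValue()` in it presumably means `encodeValue()`. The same narrowing occurs in the later hunks that turn `SIZE (1..MAX)` into `SIZE (1..256)` for TYPED-DATA and ETYPE-INFO2; the ETYPE-INFO2 change has no explanation at all, so I would add `-- asn1ate doesn't support 'MAX'` above it as well.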
>@@ -159,6 +179,8 @@ KDC-REQ-BODY ::= SEQUENCE {
> -- NOTE: not empty
> }
>
>+EncryptionType ::= Int32
>+
> KDCOptions ::= KerberosFlags
> -- reserved(0),
> -- forwardable(1),
>@@ -344,7 +366,11 @@ KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
>
> METHOD-DATA ::= SEQUENCE OF PA-DATA
>
>-TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
>+--
>+-- asn1ate doesn't support 'MAX'
>+--
>+-- TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
>+TYPED-DATA ::= SEQUENCE SIZE (1..256) OF SEQUENCE {
> data-type [0] Int32,
> data-value [1] OCTET STRING OPTIONAL
> }
>@@ -371,7 +397,7 @@ ETYPE-INFO2-ENTRY ::= SEQUENCE {
> s2kparams [2] OCTET STRING OPTIONAL
> }
>
>-ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
>+ETYPE-INFO2 ::= SEQUENCE SIZE (1..256) OF ETYPE-INFO2-ENTRY
>
> AD-IF-RELEVANT ::= AuthorizationData
>
>@@ -389,4 +415,249 @@ AD-AND-OR ::= SEQUENCE {
>
> AD-MANDATORY-FOR-KDC ::= AuthorizationData
>
>+
>+
>+
>+
>+
>+--
>+--
>+-- prettyPrint values
>+--
>+--
>+
>+NameTypeValues ::= INTEGER { -- Int32
>+ kRB5-NT-UNKNOWN(0), -- Name type not known
>+ kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in
>+ kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt)
>+ kRB5-NT-SRV-HST(3), -- Service with host name as instance
>+ kRB5-NT-SRV-XHST(4), -- Service with host as remaining components
>+ kRB5-NT-UID(5), -- Unique ID
>+ kRB5-NT-X500-PRINCIPAL(6), -- PKINIT
>+ kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name
>+ kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN
>+ kRB5-NT-WELLKNOWN(11), -- Wellknown
>+ kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID
>+ kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name
>+ kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID
>+}
>+NameTypeSequence ::= SEQUENCE {
>+ dummy [0] NameTypeValues
>+}
>+
>+TicketFlagsValues ::= BIT STRING { -- KerberosFlags
>+ reserved(0),
>+ forwardable(1),
>+ forwarded(2),
>+ proxiable(3),
>+ proxy(4),
>+ may-postdate(5),
>+ postdated(6),
>+ invalid(7),
>+ renewable(8),
>+ initial(9),
>+ pre-authent(10),
>+ hw-authent(11),
>+-- the following are new since 1510
>+ transited-policy-checked(12),
>+ ok-as-delegate(13)
>+}
>+TicketFlagsSequence ::= SEQUENCE {
>+ dummy [0] TicketFlagsValues
>+}
>+
>+KDCOptionsValues ::= BIT STRING { -- KerberosFlags
>+ reserved(0),
>+ forwardable(1),
>+ forwarded(2),
>+ proxiable(3),
>+ proxy(4),
>+ allow-postdate(5),
>+ postdated(6),
>+ unused7(7),
>+ renewable(8),
>+ unused9(9),
>+ unused10(10),
>+ opt-hardware-auth(11),
>+ unused12(12),
>+ unused13(13),
>+-- 15 is reserved for canonicalize
>+ unused15(15),
>+-- 26 was unused in 1510
>+ disable-transited-check(26),
>+--
>+ renewable-ok(27),
>+ enc-tkt-in-skey(28),
>+ renew(30),
>+ validate(31)
>+}
>+KDCOptionsSequence ::= SEQUENCE {
>+ dummy [0] KDCOptionsValues
>+}
>+
>+MessageTypeValues ::= INTEGER {
>+ krb-as-req(10), -- Request for initial authentication
>+ krb-as-rep(11), -- Response to KRB_AS_REQ request
>+ krb-tgs-req(12), -- Request for authentication based on TGT
>+ krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
>+ krb-ap-req(14), -- application request to server
>+ krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
>+ krb-safe(20), -- Safe (checksummed) application message
>+ krb-priv(21), -- Private (encrypted) application message
>+ krb-cred(22), -- Private (encrypted) message to forward credentials
>+ krb-error(30) -- Error response
>+}
>+MessageTypeSequence ::= SEQUENCE {
>+ dummy [0] MessageTypeValues
>+}
>+
>+PADataTypeValues ::= INTEGER {
>+ kRB5-PADATA-NONE(0),
>+ -- kRB5-PADATA-TGS-REQ(1),
>+ -- kRB5-PADATA-AP-REQ(1),
>+ kRB5-PADATA-KDC-REQ(1),
>+ kRB5-PADATA-ENC-TIMESTAMP(2),
>+ kRB5-PADATA-PW-SALT(3),
>+ kRB5-PADATA-ENC-UNIX-TIME(5),
>+ kRB5-PADATA-SANDIA-SECUREID(6),
>+ kRB5-PADATA-SESAME(7),
>+ kRB5-PADATA-OSF-DCE(8),
>+ kRB5-PADATA-CYBERSAFE-SECUREID(9),
>+ kRB5-PADATA-AFS3-SALT(10),
>+ kRB5-PADATA-ETYPE-INFO(11),
>+ kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
>+ kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
>+ kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
>+ kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
>+ -- kRB5-PADATA-PK-AS-REQ-WIN(15), - (PKINIT - old number)
>+ kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
>+ kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
>+ kRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
>+ kRB5-PADATA-ETYPE-INFO2(19),
>+ -- kRB5-PADATA-USE-SPECIFIED-KVNO(20),
>+ kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
>+ kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
>+ kRB5-PADATA-GET-FROM-TYPED-DATA(22),
>+ kRB5-PADATA-SAM-ETYPE-INFO(23),
>+ kRB5-PADATA-SERVER-REFERRAL(25),
>+ kRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
>+ kRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
>+ kRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
>+ kRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
>+ kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
>+ kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
>+ kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
>+ kRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
>+ kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
>+ kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
>+ kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
>+ kRB5-PADATA-FOR-USER(129), -- MS-KILE
>+ kRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
>+ kRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
>+ kRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
>+ -- kRB5-PADATA-PK-AS-09-BINDING(132), - client send this to
>+ -- tell KDC that is supports
>+ -- the asCheckSum in the
>+ -- PK-AS-REP
>+ kRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
>+ kRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
>+ kRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
>+ kRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
>+ kRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
>+ kRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
>+ kRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
>+ kRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
>+ kBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
>+ kRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
>+ kRB5-PADATA-EPAK-AS-REQ(145),
>+ kRB5-PADATA-EPAK-AS-REP(146),
>+ kRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
>+ kRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
>+ kRB5-PADATA-REQ-ENC-PA-REP(149), --
>+ kRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE
>+}
>+PADataTypeSequence ::= SEQUENCE {
>+ dummy [0] PADataTypeValues
>+}
>+
>+AuthDataTypeValues ::= INTEGER {
>+ kRB5-AUTHDATA-IF-RELEVANT(1),
>+ kRB5-AUTHDATA-INTENDED-FOR-SERVER(2),
>+ kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
>+ kRB5-AUTHDATA-KDC-ISSUED(4),
>+ kRB5-AUTHDATA-AND-OR(5),
>+ kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
>+ kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
>+ kRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
>+ kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
>+ kRB5-AUTHDATA-OSF-DCE(64),
>+ kRB5-AUTHDATA-SESAME(65),
>+ kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
>+ kRB5-AUTHDATA-WIN2K-PAC(128),
>+ kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
>+ kRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
>+ kRB5-AUTHDATA-SIGNTICKET-OLD(142),
>+ kRB5-AUTHDATA-SIGNTICKET(512)
>+}
>+AuthDataTypeSequence ::= SEQUENCE {
>+ dummy [0] AuthDataTypeValues
>+}
>+
>+ChecksumTypeValues ::= INTEGER {
>+ kRB5-CKSUMTYPE-NONE(0),
>+ kRB5-CKSUMTYPE-CRC32(1),
>+ kRB5-CKSUMTYPE-RSA-MD4(2),
>+ kRB5-CKSUMTYPE-RSA-MD4-DES(3),
>+ kRB5-CKSUMTYPE-DES-MAC(4),
>+ kRB5-CKSUMTYPE-DES-MAC-K(5),
>+ kRB5-CKSUMTYPE-RSA-MD4-DES-K(6),
>+ kRB5-CKSUMTYPE-RSA-MD5(7),
>+ kRB5-CKSUMTYPE-RSA-MD5-DES(8),
>+ kRB5-CKSUMTYPE-RSA-MD5-DES3(9),
>+ kRB5-CKSUMTYPE-SHA1-OTHER(10),
>+ kRB5-CKSUMTYPE-HMAC-SHA1-DES3(12),
>+ kRB5-CKSUMTYPE-SHA1(14),
>+ kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-128(15),
>+ kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-256(16),
>+ kRB5-CKSUMTYPE-GSSAPI(32771), -- 0x8003
>+ kRB5-CKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number
>+ kRB5-CKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial
>+}
>+ChecksumTypeSequence ::= SEQUENCE {
>+ dummy [0] ChecksumTypeValues
>+}
>+
>+EncryptionTypeValues ::= INTEGER {
>+ kRB5-ENCTYPE-NULL(0),
>+ kRB5-ENCTYPE-DES-CBC-CRC(1),
>+ kRB5-ENCTYPE-DES-CBC-MD4(2),
>+ kRB5-ENCTYPE-DES-CBC-MD5(3),
>+ kRB5-ENCTYPE-DES3-CBC-MD5(5),
>+ kRB5-ENCTYPE-OLD-DES3-CBC-SHA1(7),
>+ kRB5-ENCTYPE-SIGN-DSA-GENERATE(8),
>+ kRB5-ENCTYPE-ENCRYPT-RSA-PRIV(9),
>+ kRB5-ENCTYPE-ENCRYPT-RSA-PUB(10),
>+ kRB5-ENCTYPE-DES3-CBC-SHA1(16), -- with key derivation
>+ kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96(17),
>+ kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96(18),
>+ kRB5-ENCTYPE-ARCFOUR-HMAC-MD5(23),
>+ kRB5-ENCTYPE-ARCFOUR-HMAC-MD5-56(24),
>+ kRB5-ENCTYPE-ENCTYPE-PK-CROSS(48),
>+-- some "old" windows types
>+ kRB5-ENCTYPE-ARCFOUR-MD4(-128),
>+ kRB5-ENCTYPE-ARCFOUR-HMAC-OLD(-133),
>+ kRB5-ENCTYPE-ARCFOUR-HMAC-OLD-EXP(-135),
>+-- these are for Heimdal internal use
>+-- kRB5-ENCTYPE-DES-CBC-NONE(-0x1000),
>+-- kRB5-ENCTYPE-DES3-CBC-NONE(-0x1001),
>+-- kRB5-ENCTYPE-DES-CFB64-NONE(-0x1002),
>+-- kRB5-ENCTYPE-DES-PCBC-NONE(-0x1003),
>+-- kRB5-ENCTYPE-DIGEST-MD5-NONE(-0x1004), - private use, lukeh@padl.com
>+-- kRB5-ENCTYPE-CRAM-MD5-NONE(-0x1005) - private use, lukeh@padl.com
>+ kRB5-ENCTYPE-DUMMY(-1111)
>+}
>+EncryptionTypeSequence ::= SEQUENCE {
>+ dummy [0] EncryptionTypeValues
>+}
>+
> END
>diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py
>new file mode 100644
>index 00000000000..b2627aa3dcb
>--- /dev/null
>+++ b/python/samba/tests/krb5/rfc4120_pyasn1.py
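Review bot: In `PADataTypeValues` the entry `kBB5-PADATA-OTP-CONFIRM(143)` is spelled `kBB5-` where every other name in the list uses `kRB5-`; it should read `kRB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)`. Because the Python bindings are generated from this file, the misspelt name would presumably be carried into them, and a lookup by the expected name would then fail. In the same list `kRB5-PADATA-SERVER-REFERRAL(25)` is placed before `kRB5-PADATA-ALT-PRINC(24)`, which is harmless but breaks the numeric ordering used elsewhere in the block.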
>@@ -0,0 +1,914 @@ >+# Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 >+# (last modified on 2020-03-26 10:28:24.346775) >+ >+# KerberosV5Spec2 >+from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful >+ >+ >+def _OID(*components): >+ output = [] >+ for x in tuple(components): >+ if isinstance(x, univ.ObjectIdentifier): >+ output.extend(list(x)) >+ else: >+ output.append(int(x)) >+ >+ return univ.ObjectIdentifier(output) >+ >+ >+class Int32(univ.Integer): >+ pass >+ >+ >+Int32.subtypeSpec = constraint.ValueRangeConstraint(-2147483648, 2147483647) >+ >+ >+class AuthDataType(Int32): >+ pass >+ >+ >+class AuthorizationData(univ.SequenceOf): >+ pass >+ >+ >+AuthorizationData.componentType = univ.Sequence(componentType=namedtype.NamedTypes( >+ namedtype.NamedType('ad-type', AuthDataType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('ad-data', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) >+)) >+ >+ >+class AD_AND_OR(univ.Sequence): >+ pass >+ >+ >+AD_AND_OR.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('condition-count', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('elements', AuthorizationData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) >+) >+ >+ >+class AD_IF_RELEVANT(AuthorizationData): >+ pass >+ >+ >+class ChecksumType(Int32): >+ pass >+ >+ >+class Checksum(univ.Sequence): >+ pass >+ >+ >+Checksum.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('cksumtype', ChecksumType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('checksum', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) >+) >+ >+ >+class KerberosString(char.GeneralString): >+ pass >+ >+ >+class NameType(Int32): >+ pass >+ >+ >+class 
PrincipalName(univ.Sequence): >+ pass >+ >+ >+PrincipalName.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('name-type', NameType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('name-string', univ.SequenceOf(componentType=KerberosString()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) >+) >+ >+ >+class Realm(KerberosString): >+ pass >+ >+ >+class AD_KDCIssued(univ.Sequence): >+ pass >+ >+ >+AD_KDCIssued.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('ad-checksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))), >+ namedtype.OptionalNamedType('i-realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.OptionalNamedType('i-sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), >+ namedtype.NamedType('elements', AuthorizationData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))) >+) >+ >+ >+class AD_MANDATORY_FOR_KDC(AuthorizationData): >+ pass >+ >+ >+class EncryptionType(Int32): >+ pass >+ >+ >+class UInt32(univ.Integer): >+ pass >+ >+ >+UInt32.subtypeSpec = constraint.ValueRangeConstraint(0, 4294967295) >+ >+ >+class EncryptedData(univ.Sequence): >+ pass >+ >+ >+EncryptedData.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('etype', EncryptionType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.OptionalNamedType('kvno', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.NamedType('cipher', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) >+) >+ >+ >+class AP_REP(univ.Sequence): >+ pass >+ >+ >+AP_REP.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 15)) >+AP_REP.componentType = 
namedtype.NamedTypes( >+ namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(15)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.NamedType('enc-part', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))) >+) >+ >+ >+class KerberosFlags(univ.BitString): >+ pass >+ >+ >+KerberosFlags.subtypeSpec=constraint.ValueSizeConstraint(1, 32) >+ >+ >+class APOptions(KerberosFlags): >+ pass >+ >+ >+class Ticket(univ.Sequence): >+ pass >+ >+ >+Ticket.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 1)) >+Ticket.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('tkt-vno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.NamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), >+ namedtype.NamedType('enc-part', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))) >+) >+ >+ >+class AP_REQ(univ.Sequence): >+ pass >+ >+ >+AP_REQ.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 14)) >+AP_REQ.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('msg-type', 
univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(14)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.NamedType('ap-options', APOptions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), >+ namedtype.NamedType('ticket', Ticket().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), >+ namedtype.NamedType('authenticator', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))) >+) >+ >+ >+class PADataType(Int32): >+ pass >+ >+ >+class PA_DATA(univ.Sequence): >+ pass >+ >+ >+PA_DATA.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('padata-type', PADataType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.NamedType('padata-value', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) >+) >+ >+ >+class KDC_REP(univ.Sequence): >+ pass >+ >+ >+KDC_REP.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(11, 13)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.OptionalNamedType('padata', univ.SequenceOf(componentType=PA_DATA()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), >+ namedtype.NamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), >+ namedtype.NamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), >+ namedtype.NamedType('ticket', Ticket().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), >+ namedtype.NamedType('enc-part', 
EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 6))) >+) >+ >+ >+class AS_REP(KDC_REP): >+ pass >+ >+ >+AS_REP.tagSet = KDC_REP.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 11)) >+ >+ >+class HostAddress(univ.Sequence): >+ pass >+ >+ >+HostAddress.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('addr-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('address', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) >+) >+ >+ >+class HostAddresses(univ.SequenceOf): >+ pass >+ >+ >+HostAddresses.componentType = HostAddress() >+ >+ >+class KDCOptions(KerberosFlags): >+ pass >+ >+ >+class KerberosTime(useful.GeneralizedTime): >+ pass >+ >+ >+class KDC_REQ_BODY(univ.Sequence): >+ pass >+ >+ >+KDC_REQ_BODY.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('kdc-options', KDCOptions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.OptionalNamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))), >+ namedtype.NamedType('realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), >+ namedtype.OptionalNamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))), >+ namedtype.OptionalNamedType('from', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), >+ namedtype.NamedType('till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), >+ namedtype.OptionalNamedType('rtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), >+ namedtype.NamedType('nonce', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), >+ namedtype.NamedType('etype', 
univ.SequenceOf(componentType=EncryptionType()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), >+ namedtype.OptionalNamedType('addresses', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), >+ namedtype.OptionalNamedType('enc-authorization-data', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 10))), >+ namedtype.OptionalNamedType('additional-tickets', univ.SequenceOf(componentType=Ticket()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))) >+) >+ >+ >+class KDC_REQ(univ.Sequence): >+ pass >+ >+ >+KDC_REQ.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(10, 12)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), >+ namedtype.OptionalNamedType('padata', univ.SequenceOf(componentType=PA_DATA()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), >+ namedtype.NamedType('req-body', KDC_REQ_BODY().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))) >+) >+ >+ >+class AS_REQ(KDC_REQ): >+ pass >+ >+ >+AS_REQ.tagSet = KDC_REQ.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 10)) >+ >+ >+class AuthDataTypeValues(univ.Integer): >+ pass >+ >+ >+AuthDataTypeValues.namedValues = namedval.NamedValues( >+ ('kRB5-AUTHDATA-IF-RELEVANT', 1), >+ ('kRB5-AUTHDATA-INTENDED-FOR-SERVER', 2), >+ ('kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS', 3), >+ ('kRB5-AUTHDATA-KDC-ISSUED', 4), >+ ('kRB5-AUTHDATA-AND-OR', 5), >+ ('kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS', 6), >+ ('kRB5-AUTHDATA-IN-TICKET-EXTENSIONS', 7), >+ ('kRB5-AUTHDATA-MANDATORY-FOR-KDC', 8), >+ 
('kRB5-AUTHDATA-INITIAL-VERIFIED-CAS', 9), >+ ('kRB5-AUTHDATA-OSF-DCE', 64), >+ ('kRB5-AUTHDATA-SESAME', 65), >+ ('kRB5-AUTHDATA-OSF-DCE-PKI-CERTID', 66), >+ ('kRB5-AUTHDATA-WIN2K-PAC', 128), >+ ('kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION', 129), >+ ('kRB5-AUTHDATA-SIGNTICKET-OLDER', -17), >+ ('kRB5-AUTHDATA-SIGNTICKET-OLD', 142), >+ ('kRB5-AUTHDATA-SIGNTICKET', 512) >+) >+ >+ >+class AuthDataTypeSequence(univ.Sequence): >+ pass >+ >+ >+AuthDataTypeSequence.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('dummy', AuthDataTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) >+) >+ >+ >+class EncryptionKey(univ.Sequence): >+ pass >+ >+ >+EncryptionKey.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('keytype', EncryptionType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('keyvalue', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) >+) >+ >+ >+class Microseconds(univ.Integer): >+ pass >+ >+ >+Microseconds.subtypeSpec = constraint.ValueRangeConstraint(0, 999999) >+ >+ >+class Authenticator(univ.Sequence): >+ pass >+ >+ >+Authenticator.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 2)) >+Authenticator.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('authenticator-vno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.NamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), >+ namedtype.OptionalNamedType('cksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))), >+ namedtype.NamedType('cusec', 
Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), >+ namedtype.NamedType('ctime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), >+ namedtype.OptionalNamedType('subkey', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 6))), >+ namedtype.OptionalNamedType('seq-number', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), >+ namedtype.OptionalNamedType('authorization-data', AuthorizationData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))) >+) >+ >+ >+class ChecksumTypeValues(univ.Integer): >+ pass >+ >+ >+ChecksumTypeValues.namedValues = namedval.NamedValues( >+ ('kRB5-CKSUMTYPE-NONE', 0), >+ ('kRB5-CKSUMTYPE-CRC32', 1), >+ ('kRB5-CKSUMTYPE-RSA-MD4', 2), >+ ('kRB5-CKSUMTYPE-RSA-MD4-DES', 3), >+ ('kRB5-CKSUMTYPE-DES-MAC', 4), >+ ('kRB5-CKSUMTYPE-DES-MAC-K', 5), >+ ('kRB5-CKSUMTYPE-RSA-MD4-DES-K', 6), >+ ('kRB5-CKSUMTYPE-RSA-MD5', 7), >+ ('kRB5-CKSUMTYPE-RSA-MD5-DES', 8), >+ ('kRB5-CKSUMTYPE-RSA-MD5-DES3', 9), >+ ('kRB5-CKSUMTYPE-SHA1-OTHER', 10), >+ ('kRB5-CKSUMTYPE-HMAC-SHA1-DES3', 12), >+ ('kRB5-CKSUMTYPE-SHA1', 14), >+ ('kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-128', 15), >+ ('kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-256', 16), >+ ('kRB5-CKSUMTYPE-GSSAPI', 32771), >+ ('kRB5-CKSUMTYPE-HMAC-MD5', -138), >+ ('kRB5-CKSUMTYPE-HMAC-MD5-ENC', -1138) >+) >+ >+ >+class ChecksumTypeSequence(univ.Sequence): >+ pass >+ >+ >+ChecksumTypeSequence.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('dummy', ChecksumTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) >+) >+ >+ >+class ETYPE_INFO_ENTRY(univ.Sequence): >+ pass >+ >+ >+ETYPE_INFO_ENTRY.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('etype', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.OptionalNamedType('salt', 
univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) >+) >+ >+ >+class ETYPE_INFO(univ.SequenceOf): >+ pass >+ >+ >+ETYPE_INFO.componentType = ETYPE_INFO_ENTRY() >+ >+ >+class ETYPE_INFO2_ENTRY(univ.Sequence): >+ pass >+ >+ >+ETYPE_INFO2_ENTRY.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('etype', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.OptionalNamedType('salt', KerberosString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.OptionalNamedType('s2kparams', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) >+) >+ >+ >+class ETYPE_INFO2(univ.SequenceOf): >+ pass >+ >+ >+ETYPE_INFO2.componentType = ETYPE_INFO2_ENTRY() >+ETYPE_INFO2.subtypeSpec=constraint.ValueSizeConstraint(1, 256) >+ >+ >+class EncAPRepPart(univ.Sequence): >+ pass >+ >+ >+EncAPRepPart.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 27)) >+EncAPRepPart.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('ctime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('cusec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.OptionalNamedType('subkey', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), >+ namedtype.OptionalNamedType('seq-number', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))) >+) >+ >+ >+class LastReq(univ.SequenceOf): >+ pass >+ >+ >+LastReq.componentType = univ.Sequence(componentType=namedtype.NamedTypes( >+ namedtype.NamedType('lr-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('lr-value', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, 
tag.tagFormatSimple, 1))) >+)) >+ >+ >+class TicketFlags(KerberosFlags): >+ pass >+ >+ >+class EncKDCRepPart(univ.Sequence): >+ pass >+ >+ >+EncKDCRepPart.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('key', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))), >+ namedtype.NamedType('last-req', LastReq().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.NamedType('nonce', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), >+ namedtype.OptionalNamedType('key-expiration', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), >+ namedtype.NamedType('flags', TicketFlags().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), >+ namedtype.NamedType('authtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), >+ namedtype.OptionalNamedType('starttime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), >+ namedtype.NamedType('endtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), >+ namedtype.OptionalNamedType('renew-till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), >+ namedtype.NamedType('srealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), >+ namedtype.NamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 10))), >+ namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))) >+) >+ >+ >+class EncASRepPart(EncKDCRepPart): >+ pass >+ >+ >+EncASRepPart.tagSet = EncKDCRepPart.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 25)) >+ >+ >+class KrbCredInfo(univ.Sequence): >+ pass >+ >+ >+KrbCredInfo.componentType = 
namedtype.NamedTypes( >+ namedtype.NamedType('key', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))), >+ namedtype.OptionalNamedType('prealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.OptionalNamedType('pname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), >+ namedtype.OptionalNamedType('flags', TicketFlags().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), >+ namedtype.OptionalNamedType('authtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), >+ namedtype.OptionalNamedType('starttime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), >+ namedtype.OptionalNamedType('endtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), >+ namedtype.OptionalNamedType('renew-till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), >+ namedtype.OptionalNamedType('srealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), >+ namedtype.OptionalNamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 9))), >+ namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 10))) >+) >+ >+ >+class EncKrbCredPart(univ.Sequence): >+ pass >+ >+ >+EncKrbCredPart.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 29)) >+EncKrbCredPart.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('ticket-info', univ.SequenceOf(componentType=KrbCredInfo()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.OptionalNamedType('nonce', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), 
>+ namedtype.OptionalNamedType('timestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), >+ namedtype.OptionalNamedType('usec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), >+ namedtype.OptionalNamedType('s-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), >+ namedtype.OptionalNamedType('r-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 5))) >+) >+ >+ >+class EncKrbPrivPart(univ.Sequence): >+ pass >+ >+ >+EncKrbPrivPart.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 28)) >+EncKrbPrivPart.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('user-data', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.OptionalNamedType('timestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.OptionalNamedType('usec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), >+ namedtype.OptionalNamedType('seq-number', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), >+ namedtype.NamedType('s-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), >+ namedtype.OptionalNamedType('r-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 5))) >+) >+ >+ >+class EncTGSRepPart(EncKDCRepPart): >+ pass >+ >+ >+EncTGSRepPart.tagSet = EncKDCRepPart.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 26)) >+ >+ >+class TransitedEncoding(univ.Sequence): >+ pass >+ >+ >+TransitedEncoding.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('tr-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 
0))), >+ namedtype.NamedType('contents', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) >+) >+ >+ >+class EncTicketPart(univ.Sequence): >+ pass >+ >+ >+EncTicketPart.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 3)) >+EncTicketPart.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('flags', TicketFlags().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('key', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))), >+ namedtype.NamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), >+ namedtype.NamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))), >+ namedtype.NamedType('transited', TransitedEncoding().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), >+ namedtype.NamedType('authtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), >+ namedtype.OptionalNamedType('starttime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), >+ namedtype.NamedType('endtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), >+ namedtype.OptionalNamedType('renew-till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), >+ namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), >+ namedtype.OptionalNamedType('authorization-data', AuthorizationData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 10))) >+) >+ >+ >+class EncryptionTypeValues(univ.Integer): >+ pass >+ >+ >+EncryptionTypeValues.namedValues = namedval.NamedValues( >+ ('kRB5-ENCTYPE-NULL', 0), >+ ('kRB5-ENCTYPE-DES-CBC-CRC', 
1), >+ ('kRB5-ENCTYPE-DES-CBC-MD4', 2), >+ ('kRB5-ENCTYPE-DES-CBC-MD5', 3), >+ ('kRB5-ENCTYPE-DES3-CBC-MD5', 5), >+ ('kRB5-ENCTYPE-OLD-DES3-CBC-SHA1', 7), >+ ('kRB5-ENCTYPE-SIGN-DSA-GENERATE', 8), >+ ('kRB5-ENCTYPE-ENCRYPT-RSA-PRIV', 9), >+ ('kRB5-ENCTYPE-ENCRYPT-RSA-PUB', 10), >+ ('kRB5-ENCTYPE-DES3-CBC-SHA1', 16), >+ ('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96', 17), >+ ('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96', 18), >+ ('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5', 23), >+ ('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5-56', 24), >+ ('kRB5-ENCTYPE-ENCTYPE-PK-CROSS', 48), >+ ('kRB5-ENCTYPE-ARCFOUR-MD4', -128), >+ ('kRB5-ENCTYPE-ARCFOUR-HMAC-OLD', -133), >+ ('kRB5-ENCTYPE-ARCFOUR-HMAC-OLD-EXP', -135), >+ ('kRB5-ENCTYPE-DUMMY', -1111) >+) >+ >+ >+class EncryptionTypeSequence(univ.Sequence): >+ pass >+ >+ >+EncryptionTypeSequence.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('dummy', EncryptionTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) >+) >+ >+ >+class KDCOptionsValues(univ.BitString): >+ pass >+ >+ >+KDCOptionsValues.namedValues = namedval.NamedValues( >+ ('reserved', 0), >+ ('forwardable', 1), >+ ('forwarded', 2), >+ ('proxiable', 3), >+ ('proxy', 4), >+ ('allow-postdate', 5), >+ ('postdated', 6), >+ ('unused7', 7), >+ ('renewable', 8), >+ ('unused9', 9), >+ ('unused10', 10), >+ ('opt-hardware-auth', 11), >+ ('unused12', 12), >+ ('unused13', 13), >+ ('unused15', 15), >+ ('disable-transited-check', 26), >+ ('renewable-ok', 27), >+ ('enc-tkt-in-skey', 28), >+ ('renew', 30), >+ ('validate', 31) >+) >+ >+ >+class KDCOptionsSequence(univ.Sequence): >+ pass >+ >+ >+KDCOptionsSequence.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('dummy', KDCOptionsValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) >+) >+ >+ >+class KRB_CRED(univ.Sequence): >+ pass >+ >+ >+KRB_CRED.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 22)) >+KRB_CRED.componentType = 
namedtype.NamedTypes( >+ namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(22)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.NamedType('tickets', univ.SequenceOf(componentType=Ticket()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), >+ namedtype.NamedType('enc-part', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))) >+) >+ >+ >+class KRB_ERROR(univ.Sequence): >+ pass >+ >+ >+KRB_ERROR.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 30)) >+KRB_ERROR.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(30)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.OptionalNamedType('ctime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), >+ namedtype.OptionalNamedType('cusec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), >+ namedtype.NamedType('stime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), >+ namedtype.NamedType('susec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), >+ namedtype.NamedType('error-code', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), >+ namedtype.OptionalNamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, 
tag.tagFormatSimple, 7))), >+ namedtype.OptionalNamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 8))), >+ namedtype.NamedType('realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), >+ namedtype.NamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 10))), >+ namedtype.OptionalNamedType('e-text', KerberosString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))), >+ namedtype.OptionalNamedType('e-data', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 12))) >+) >+ >+ >+class KRB_PRIV(univ.Sequence): >+ pass >+ >+ >+KRB_PRIV.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 21)) >+KRB_PRIV.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(21)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.NamedType('enc-part', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))) >+) >+ >+ >+class KRB_SAFE_BODY(univ.Sequence): >+ pass >+ >+ >+KRB_SAFE_BODY.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('user-data', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.OptionalNamedType('timestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.OptionalNamedType('usec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), >+ namedtype.OptionalNamedType('seq-number', 
UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), >+ namedtype.NamedType('s-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), >+ namedtype.OptionalNamedType('r-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 5))) >+) >+ >+ >+class KRB_SAFE(univ.Sequence): >+ pass >+ >+ >+KRB_SAFE.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 20)) >+KRB_SAFE.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(20)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.NamedType('safe-body', KRB_SAFE_BODY().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), >+ namedtype.NamedType('cksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))) >+) >+ >+ >+class METHOD_DATA(univ.SequenceOf): >+ pass >+ >+ >+METHOD_DATA.componentType = PA_DATA() >+ >+ >+class MessageTypeValues(univ.Integer): >+ pass >+ >+ >+MessageTypeValues.namedValues = namedval.NamedValues( >+ ('krb-as-req', 10), >+ ('krb-as-rep', 11), >+ ('krb-tgs-req', 12), >+ ('krb-tgs-rep', 13), >+ ('krb-ap-req', 14), >+ ('krb-ap-rep', 15), >+ ('krb-safe', 20), >+ ('krb-priv', 21), >+ ('krb-cred', 22), >+ ('krb-error', 30) >+) >+ >+ >+class MessageTypeSequence(univ.Sequence): >+ pass >+ >+ >+MessageTypeSequence.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('dummy', MessageTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) >+) >+ >+ >+class NameTypeValues(univ.Integer): >+ pass >+ >+ >+NameTypeValues.namedValues = 
namedval.NamedValues( >+ ('kRB5-NT-UNKNOWN', 0), >+ ('kRB5-NT-PRINCIPAL', 1), >+ ('kRB5-NT-SRV-INST', 2), >+ ('kRB5-NT-SRV-HST', 3), >+ ('kRB5-NT-SRV-XHST', 4), >+ ('kRB5-NT-UID', 5), >+ ('kRB5-NT-X500-PRINCIPAL', 6), >+ ('kRB5-NT-SMTP-NAME', 7), >+ ('kRB5-NT-ENTERPRISE-PRINCIPAL', 10), >+ ('kRB5-NT-WELLKNOWN', 11), >+ ('kRB5-NT-ENT-PRINCIPAL-AND-ID', -130), >+ ('kRB5-NT-MS-PRINCIPAL', -128), >+ ('kRB5-NT-MS-PRINCIPAL-AND-ID', -129) >+) >+ >+ >+class NameTypeSequence(univ.Sequence): >+ pass >+ >+ >+NameTypeSequence.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('dummy', NameTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) >+) >+ >+ >+class PA_ENC_TIMESTAMP(EncryptedData): >+ pass >+ >+ >+class PA_ENC_TS_ENC(univ.Sequence): >+ pass >+ >+ >+PA_ENC_TS_ENC.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('patimestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.OptionalNamedType('pausec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) >+) >+ >+ >+class PADataTypeValues(univ.Integer): >+ pass >+ >+ >+PADataTypeValues.namedValues = namedval.NamedValues( >+ ('kRB5-PADATA-NONE', 0), >+ ('kRB5-PADATA-KDC-REQ', 1), >+ ('kRB5-PADATA-ENC-TIMESTAMP', 2), >+ ('kRB5-PADATA-PW-SALT', 3), >+ ('kRB5-PADATA-ENC-UNIX-TIME', 5), >+ ('kRB5-PADATA-SANDIA-SECUREID', 6), >+ ('kRB5-PADATA-SESAME', 7), >+ ('kRB5-PADATA-OSF-DCE', 8), >+ ('kRB5-PADATA-CYBERSAFE-SECUREID', 9), >+ ('kRB5-PADATA-AFS3-SALT', 10), >+ ('kRB5-PADATA-ETYPE-INFO', 11), >+ ('kRB5-PADATA-SAM-CHALLENGE', 12), >+ ('kRB5-PADATA-SAM-RESPONSE', 13), >+ ('kRB5-PADATA-PK-AS-REQ-19', 14), >+ ('kRB5-PADATA-PK-AS-REP-19', 15), >+ ('kRB5-PADATA-PK-AS-REQ', 16), >+ ('kRB5-PADATA-PK-AS-REP', 17), >+ ('kRB5-PADATA-PA-PK-OCSP-RESPONSE', 18), >+ ('kRB5-PADATA-ETYPE-INFO2', 19), >+ ('kRB5-PADATA-SVR-REFERRAL-INFO', 20), >+ ('kRB5-PADATA-SAM-REDIRECT', 21), >+ 
('kRB5-PADATA-GET-FROM-TYPED-DATA', 22), >+ ('kRB5-PADATA-SAM-ETYPE-INFO', 23), >+ ('kRB5-PADATA-SERVER-REFERRAL', 25), >+ ('kRB5-PADATA-ALT-PRINC', 24), >+ ('kRB5-PADATA-SAM-CHALLENGE2', 30), >+ ('kRB5-PADATA-SAM-RESPONSE2', 31), >+ ('kRB5-PA-EXTRA-TGT', 41), >+ ('kRB5-PADATA-TD-KRB-PRINCIPAL', 102), >+ ('kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS', 104), >+ ('kRB5-PADATA-PK-TD-CERTIFICATE-INDEX', 105), >+ ('kRB5-PADATA-TD-APP-DEFINED-ERROR', 106), >+ ('kRB5-PADATA-TD-REQ-NONCE', 107), >+ ('kRB5-PADATA-TD-REQ-SEQ', 108), >+ ('kRB5-PADATA-PA-PAC-REQUEST', 128), >+ ('kRB5-PADATA-FOR-USER', 129), >+ ('kRB5-PADATA-FOR-X509-USER', 130), >+ ('kRB5-PADATA-FOR-CHECK-DUPS', 131), >+ ('kRB5-PADATA-AS-CHECKSUM', 132), >+ ('kRB5-PADATA-FX-COOKIE', 133), >+ ('kRB5-PADATA-AUTHENTICATION-SET', 134), >+ ('kRB5-PADATA-AUTH-SET-SELECTED', 135), >+ ('kRB5-PADATA-FX-FAST', 136), >+ ('kRB5-PADATA-FX-ERROR', 137), >+ ('kRB5-PADATA-ENCRYPTED-CHALLENGE', 138), >+ ('kRB5-PADATA-OTP-CHALLENGE', 141), >+ ('kRB5-PADATA-OTP-REQUEST', 142), >+ ('kBB5-PADATA-OTP-CONFIRM', 143), >+ ('kRB5-PADATA-OTP-PIN-CHANGE', 144), >+ ('kRB5-PADATA-EPAK-AS-REQ', 145), >+ ('kRB5-PADATA-EPAK-AS-REP', 146), >+ ('kRB5-PADATA-PKINIT-KX', 147), >+ ('kRB5-PADATA-PKU2U-NAME', 148), >+ ('kRB5-PADATA-REQ-ENC-PA-REP', 149), >+ ('kRB5-PADATA-SUPPORTED-ETYPES', 165) >+) >+ >+ >+class PADataTypeSequence(univ.Sequence): >+ pass >+ >+ >+PADataTypeSequence.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('dummy', PADataTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) >+) >+ >+ >+class TGS_REP(KDC_REP): >+ pass >+ >+ >+TGS_REP.tagSet = KDC_REP.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 13)) >+ >+ >+class TGS_REQ(KDC_REQ): >+ pass >+ >+ >+TGS_REQ.tagSet = KDC_REQ.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 12)) >+ >+ >+class TYPED_DATA(univ.SequenceOf): >+ pass >+ >+ >+TYPED_DATA.componentType = 
univ.Sequence(componentType=namedtype.NamedTypes( >+ namedtype.NamedType('data-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.OptionalNamedType('data-value', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) >+)) >+ >+TYPED_DATA.subtypeSpec=constraint.ValueSizeConstraint(1, 256) >+ >+ >+class TicketFlagsValues(univ.BitString): >+ pass >+ >+ >+TicketFlagsValues.namedValues = namedval.NamedValues( >+ ('reserved', 0), >+ ('forwardable', 1), >+ ('forwarded', 2), >+ ('proxiable', 3), >+ ('proxy', 4), >+ ('may-postdate', 5), >+ ('postdated', 6), >+ ('invalid', 7), >+ ('renewable', 8), >+ ('initial', 9), >+ ('pre-authent', 10), >+ ('hw-authent', 11), >+ ('transited-policy-checked', 12), >+ ('ok-as-delegate', 13) >+) >+ >+ >+class TicketFlagsSequence(univ.Sequence): >+ pass >+ >+ >+TicketFlagsSequence.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('dummy', TicketFlagsValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) >+) >+ >+ >+id_krb5 = _OID(1, 3, 6, 1, 5, 2) >+ >+ >diff --git a/python/samba/tests/krb5/rfc4120_pyasn1_regen.sh b/python/samba/tests/krb5/rfc4120_pyasn1_regen.sh >new file mode 100755 >index 00000000000..2e3995688f2 >--- /dev/null >+++ b/python/samba/tests/krb5/rfc4120_pyasn1_regen.sh 
>@@ -0,0 +1,41 @@
>+#!/bin/bash
>+#
>+
>+#
>+# I used https://github.com/kimgr/asn1ate.git
>+# to generate pyasn1 bindings for rfc4120.asn1
>+#
>+
>+PATH_TO_ASN1ATE_CHECKOUT=$1
>+PATH_TO_ASN1_INPUT_FILE=$2
>+
>+set -u
>+set -e
>+
>+usage() {
>+ echo "usage: $0 PATH_TO_ASN1ATE_CHECKOUT PATH_TO_ASN1_INPUT_FILE > PATH_TO_PYASN1_OUTPUT_FILE"
>+}
>+
>+test -n "${PATH_TO_ASN1ATE_CHECKOUT}" || {
>+ usage
>+ exit 1
>+}
>+test -n "${PATH_TO_ASN1_INPUT_FILE}" || {
>+ usage
>+ exit 1
>+}
>+test -d "${PATH_TO_ASN1ATE_CHECKOUT}" || {
>+ usage
>+ exit 1
>+}
>+test -f "${PATH_TO_ASN1_INPUT_FILE}" || {
>+ usage
>+ exit 1
>+}
>+
>+PATH_TO_PYASN1GEN_PY="${PATH_TO_ASN1ATE_CHECKOUT}/asn1ate/pyasn1gen.py"
>+
>+PYTHONPATH="${PATH_TO_ASN1ATE_CHECKOUT}:${PYTHONPATH-}"
>+export PYTHONPATH
>+
>+python3 "${PATH_TO_PYASN1GEN_PY}" "${PATH_TO_ASN1_INPUT_FILE}"
>diff --git a/python/samba/tests/source.py b/python/samba/tests/source.py
>index b7608b1bab3..cebfb9ae8fb 100644
>--- a/python/samba/tests/source.py
>+++ b/python/samba/tests/source.py
>@@ -93,6 +93,9 @@ class TestSource(TestCase):
> if fname.endswith("python/samba/tests/krb5/kcrypto.py"):
> # Imported from MIT testing repo
> continue
>+ if fname.endswith("python/samba/tests/krb5/rfc4120_pyasn1.py"):
>+ # Autogenerated
>+ continue
> match = copyright_re.search(text)
> if not match:
> incorrect.append((fname, 'no copyright line found\n'))
>@@ -138,6 +141,9 @@ class TestSource(TestCase):
> if fname.endswith("python/samba/tests/krb5/kcrypto.py"):
> # Imported from MIT testing repo
> continue
>+ if fname.endswith("python/samba/tests/krb5/rfc4120_pyasn1.py"):
>+ # Autogenerated
>+ continue
> if not gpl_re.search(text):
> incorrect.append(fname)
>
>--
>2.25.1
>
>
>From 3e737d4d89eb15186c245c714f636426b9fe6b2b Mon Sep 17 00:00:00 2001
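Review bot: `usage()` prints to stdout, but stdout is where the generated module goes (the usage line itself shows `> PATH_TO_PYASN1_OUTPUT_FILE`), so a missing or wrong argument leaves the usage text in the output file and shows nothing to the caller; send it to stderr by ending the echo with `>&2`. The header comment names the asn1ate repository but no revision, while the script puts that checkout first on `PYTHONPATH` and runs `pyasn1gen.py` from it, so the committed bindings cannot be regenerated reproducibly or checked against a known generator version. A comment such as `# generated with asn1ate commit <ASN1ATE_COMMIT_PLACEHOLDER>` would record it.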
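Review bot: Both source.py hunks (`@@ -93,6 +93,9 @@` and `@@ -138,6 +141,9 @@`) repeat the same path exemption next to the existing kcrypto.py one, so the copyright check and the GPL check can drift apart as more files are exempted. `str.endswith` accepts a tuple, so one module-level constant, e.g. `EXEMPT_SUFFIXES = ("python/samba/tests/krb5/kcrypto.py", "python/samba/tests/krb5/rfc4120_pyasn1.py")`, used as `if fname.endswith(EXEMPT_SUFFIXES): continue` in both places would keep them in sync. Since the exemption skips the licence checks entirely, the comment could name the generator, for example `# Autogenerated by rfc4120_pyasn1_regen.sh`. The enclosing test methods start and end outside both hunks.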
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 13 Feb 2020 16:29:38 +0100
>Subject: [PATCH 025/686] python/tests/krb5: add raw_testcase.py as the base
> for our Kerberos protocol testing
>
>Pair-Programmed-With: Isaac Boukris <iboukris@samba.org>
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Isaac Boukris <iboukris@samba.org>
>(cherry picked from commit fb7cba50ae3472b29aa806208badc1ded8979073)
>---
> python/samba/tests/krb5/raw_testcase.py | 869 ++++++++++++++++++++++++
> 1 file changed, 869 insertions(+)
> create mode 100644 python/samba/tests/krb5/raw_testcase.py
>
>diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
>new file mode 100644
>index 00000000000..6c7bcd418a0
>--- /dev/null
>+++ b/python/samba/tests/krb5/raw_testcase.py
>@@ -0,0 +1,869 @@
>+# Unix SMB/CIFS implementation.
>+# Copyright (C) Isaac Boukris 2020
>+# Copyright (C) Stefan Metzmacher 2020
>+#
>+# This program is free software; you can redistribute it and/or modify
>+# it under the terms of the GNU General Public License as published by
>+# the Free Software Foundation; either version 3 of the License, or
>+# (at your option) any later version.
>+#
>+# This program is distributed in the hope that it will be useful,
>+# but WITHOUT ANY WARRANTY; without even the implied warranty of
>+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+# GNU General Public License for more details.
>+#
>+# You should have received a copy of the GNU General Public License
>+# along with this program. If not, see <http://www.gnu.org/licenses/>.
>+#
>+
>+import sys
>+import socket
>+import struct
>+import time
>+import datetime
>+import random
>+
>+import samba.tests
>+from samba.credentials import Credentials
>+from samba.tests import TestCase
>+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
>+import samba.tests.krb5.kcrypto as kcrypto
>+
>+from pyasn1.codec.der.decoder import decode as pyasn1_der_decode
>+from pyasn1.codec.der.encoder import encode as pyasn1_der_encode
>+from pyasn1.codec.native.decoder import decode as pyasn1_native_decode
>+from pyasn1.codec.native.encoder import encode as pyasn1_native_encode
>+
>+from pyasn1.codec.ber.encoder import BitStringEncoder as BitStringEncoder
>+def BitStringEncoder_encodeValue32(self, value, asn1Spec, encodeFun, **options):
>+ #
>+ # BitStrings like KDCOptions or TicketFlags should at least
>+ # be 32-Bit on the wire
>+ #
>+ if asn1Spec is not None:
>+ # TODO: try to avoid ASN.1 schema instantiation
>+ value = asn1Spec.clone(value)
>+
>+ valueLength = len(value)
>+ if valueLength % 8:
>+ alignedValue = value << (8 - valueLength % 8)
>+ else:
>+ alignedValue = value
>+
>+ substrate = alignedValue.asOctets()
>+ length = len(substrate)
>+ # We need at least 32-Bit / 4-Bytes
>+ if length < 4:
>+ padding = 4 - length
>+ else:
>+ padding = 0
>+ ret = b'\x00' + substrate + (b'\x00' * padding)
>+ return ret, False, True
>+BitStringEncoder.encodeValue = BitStringEncoder_encodeValue32
>+
>+def BitString_NamedValues_prettyPrint(self, scope=0):
>+ ret = "%s" % self.asBinary()
>+ bits = []
>+ highest_bit = 32
>+ for byte in self.asNumbers():
>+ for bit in [7,6,5,4,3,2,1,0]:
>+ mask = 1 << bit
>+ if byte & mask:
>+ val = 1
>+ else:
>+ val = 0
>+ bits.append(val)
>+ if len(bits) < highest_bit:
>+ for bitPosition in range(len(bits), highest_bit):
>+ bits.append(0)
>+ indent = " " * scope
>+ delim = ": (\n%s " % indent
>+ for bitPosition in range(highest_bit):
>+ if bitPosition in self.prettyPrintNamedValues:
>+ name = self.prettyPrintNamedValues[bitPosition]
>+ elif bits[bitPosition] != 0:
>+ name = "unknown-bit-%u" % bitPosition
>+ else:
>+ continue
>+ ret += "%s%s:%u" % (delim, name, bits[bitPosition])
>+ delim = ",\n%s " % indent
>+ ret += "\n%s)" % indent
>+ return ret
>+krb5_asn1.TicketFlags.prettyPrintNamedValues = krb5_asn1.TicketFlagsValues.namedValues
>+krb5_asn1.TicketFlags.namedValues = krb5_asn1.TicketFlagsValues.namedValues
>+krb5_asn1.TicketFlags.prettyPrint = BitString_NamedValues_prettyPrint
>+krb5_asn1.KDCOptions.prettyPrintNamedValues = krb5_asn1.KDCOptionsValues.namedValues
>+krb5_asn1.KDCOptions.namedValues = krb5_asn1.KDCOptionsValues.namedValues
>+krb5_asn1.KDCOptions.prettyPrint = BitString_NamedValues_prettyPrint
>+
>+def Integer_NamedValues_prettyPrint(self, scope=0):
>+ intval = int(self)
>+ if intval in self.prettyPrintNamedValues:
>+ name = self.prettyPrintNamedValues[intval]
>+ else:
>+ name = "<__unknown__>"
>+ ret = "%d (0x%x) %s" % (intval, intval, name)
>+ return ret
>+krb5_asn1.NameType.prettyPrintNamedValues = krb5_asn1.NameTypeValues.namedValues
>+krb5_asn1.NameType.prettyPrint = Integer_NamedValues_prettyPrint
>+krb5_asn1.AuthDataType.prettyPrintNamedValues = krb5_asn1.AuthDataTypeValues.namedValues
>+krb5_asn1.AuthDataType.prettyPrint = Integer_NamedValues_prettyPrint
>+krb5_asn1.PADataType.prettyPrintNamedValues = krb5_asn1.PADataTypeValues.namedValues
>+krb5_asn1.PADataType.prettyPrint = Integer_NamedValues_prettyPrint
>+krb5_asn1.EncryptionType.prettyPrintNamedValues = krb5_asn1.EncryptionTypeValues.namedValues
>+krb5_asn1.EncryptionType.prettyPrint = Integer_NamedValues_prettyPrint
>+krb5_asn1.ChecksumType.prettyPrintNamedValues = krb5_asn1.ChecksumTypeValues.namedValues
>+krb5_asn1.ChecksumType.prettyPrint = Integer_NamedValues_prettyPrint
>+
>+class Krb5EncryptionKey(object):
>+ def __init__(self, key, kvno):
>+ EncTypeChecksum = {
>+ kcrypto.Enctype.AES256: kcrypto.Cksumtype.SHA1_AES256,
>+ kcrypto.Enctype.AES128: kcrypto.Cksumtype.SHA1_AES128,
>+ kcrypto.Enctype.RC4: kcrypto.Cksumtype.HMAC_MD5,
>+ }
>+ self.key = key
>+ self.etype = key.enctype
>+ self.ctype = EncTypeChecksum[self.etype]
>+ self.kvno = kvno
>+ return
>+
>+ def encrypt(self, usage, plaintext):
>+ ciphertext = kcrypto.encrypt(self.key, usage, plaintext)
>+ return ciphertext
>+
>+ def decrypt(self, usage, ciphertext):
>+ plaintext = kcrypto.decrypt(self.key, usage, ciphertext)
>+ return plaintext
>+
>+ def make_checksum(self, usage, plaintext, ctype=None):
>+ if ctype is None:
>+ ctype = self.ctype
>+ cksum = kcrypto.make_checksum(ctype, self.key, usage, plaintext)
>+ return cksum
>+
>+ def export_obj(self):
>+ EncryptionKey_obj = {
>+ 'keytype': self.etype,
>+ 'keyvalue': self.key.contents,
>+ };
>+ return EncryptionKey_obj
>+
>+class RawKerberosTest(TestCase):
>+ """A raw Kerberos Test case."""
>+
>+ def setUp(self):
>+ super(RawKerberosTest, self).setUp()
>+ self.do_asn1_print = False
>+ self.do_hexdump = False
>+
>+ self.host = samba.tests.env_get_var_value('SERVER')
>+
>+ self.s = None
>+
>+ def tearDown(self):
>+ self._disconnect("tearDown")
>+ super(TestCase, self).tearDown()
>+
>+ def _disconnect(self, reason):
>+ if self.s is None:
>+ return
>+ self.s.close()
>+ self.s = None
>+
if self.do_hexdump: >+ sys.stderr.write("disconnect[%s]\n" % reason) >+ >+ def _connect_tcp(self): >+ tcp_port = 88 >+ try: >+ self.a = socket.getaddrinfo(self.host, tcp_port, socket.AF_UNSPEC, >+ socket.SOCK_STREAM, socket.SOL_TCP, >+ 0) >+ self.s = socket.socket(self.a[0][0], self.a[0][1], self.a[0][2]) >+ self.s.settimeout(10) >+ self.s.connect(self.a[0][4]) >+ except socket.error as e: >+ self.s.close() >+ raise >+ except IOError as e: >+ self.s.close() >+ raise >+ except Exception as e: >+ raise >+ finally: >+ pass >+ >+ def connect(self): >+ self.assertNotConnected() >+ self._connect_tcp() >+ if self.do_hexdump: >+ sys.stderr.write("connected[%s]\n" % self.host) >+ return >+ >+ def get_user_creds(self): >+ c = Credentials() >+ c.guess() >+ domain = samba.tests.env_get_var_value('DOMAIN') >+ realm = samba.tests.env_get_var_value('REALM') >+ username = samba.tests.env_get_var_value('USERNAME') >+ password = samba.tests.env_get_var_value('PASSWORD') >+ c.set_domain(domain) >+ c.set_realm(realm) >+ c.set_username(username) >+ c.set_password(password) >+ return c >+ >+ def get_service_creds(self, allow_missing_password=False): >+ c = Credentials() >+ c.guess() >+ domain = samba.tests.env_get_var_value('DOMAIN') >+ realm = samba.tests.env_get_var_value('REALM') >+ username = samba.tests.env_get_var_value('SERVICE_USERNAME') >+ password = samba.tests.env_get_var_value('SERVICE_PASSWORD', >+ allow_missing=allow_missing_password) >+ c.set_domain(domain) >+ c.set_realm(realm) >+ c.set_username(username) >+ if password is not None: >+ c.set_password(password) >+ return c >+ >+ def get_anon_creds(self): >+ c = Credentials() >+ c.set_anonymous() >+ return c >+ >+ def asn1_dump(self, name, obj, asn1_print=None): >+ if asn1_print is None: >+ asn1_print = self.do_asn1_print >+ if asn1_print: >+ if name is not None: >+ sys.stderr.write("%s:\n%s" % (name, obj)) >+ else: >+ sys.stderr.write("%s" % (obj)) >+ >+ def hex_dump(self, name, blob, hexdump=None): >+ if hexdump is None: 
>+ hexdump = self.do_hexdump >+ if hexdump: >+ sys.stderr.write("%s: %d\n%s" % (name, len(blob), self.hexdump(blob))) >+ >+ def der_decode(self, blob, asn1Spec=None, native_encode=True, asn1_print=None, hexdump=None): >+ if asn1Spec is not None: >+ class_name = type(asn1Spec).__name__.split(':')[0] >+ else: >+ class_name = "<None-asn1Spec>" >+ self.hex_dump(class_name, blob, hexdump=hexdump) >+ obj,_ = pyasn1_der_decode(blob, asn1Spec=asn1Spec) >+ self.asn1_dump(None, obj, asn1_print=asn1_print) >+ if native_encode: >+ obj = pyasn1_native_encode(obj) >+ return obj >+ >+ def der_encode(self, obj, asn1Spec=None, native_decode=True, asn1_print=None, hexdump=None): >+ if native_decode: >+ obj = pyasn1_native_decode(obj, asn1Spec=asn1Spec) >+ class_name = type(obj).__name__.split(':')[0] >+ if class_name is not None: >+ self.asn1_dump(None, obj, asn1_print=asn1_print) >+ blob = pyasn1_der_encode(obj) >+ if class_name is not None: >+ self.hex_dump(class_name, blob, hexdump=hexdump) >+ return blob >+ >+ def send_pdu(self, req, asn1_print=None, hexdump=None): >+ try: >+ k5_pdu = self.der_encode(req, native_decode=False, asn1_print=asn1_print, hexdump=False) >+ header = struct.pack('>I', len(k5_pdu)) >+ req_pdu = header >+ req_pdu += k5_pdu >+ self.hex_dump("send_pdu", header, hexdump=hexdump) >+ self.hex_dump("send_pdu", k5_pdu, hexdump=hexdump) >+ while True: >+ sent = self.s.send(req_pdu, 0) >+ if sent == len(req_pdu): >+ break >+ req_pdu = req_pdu[sent:] >+ except socket.error as e: >+ self._disconnect("send_pdu: %s" % e) >+ raise >+ except IOError as e: >+ self._disconnect("send_pdu: %s" % e) >+ raise >+ finally: >+ pass >+ >+ def recv_raw(self, num_recv=0xffff, hexdump=None, timeout=None): >+ rep_pdu = None >+ try: >+ if timeout is not None: >+ self.s.settimeout(timeout) >+ rep_pdu = self.s.recv(num_recv, 0) >+ self.s.settimeout(10) >+ if len(rep_pdu) == 0: >+ self._disconnect("recv_raw: EOF") >+ return None >+ self.hex_dump("recv_raw", rep_pdu, hexdump=hexdump) >+ 
except socket.timeout as e: >+ self.s.settimeout(10) >+ sys.stderr.write("recv_raw: TIMEOUT\n") >+ pass >+ except socket.error as e: >+ self._disconnect("recv_raw: %s" % e) >+ raise >+ except IOError as e: >+ self._disconnect("recv_raw: %s" % e) >+ raise >+ finally: >+ pass >+ return rep_pdu >+ >+ def recv_pdu_raw(self, asn1_print=None, hexdump=None, timeout=None): >+ rep_pdu = None >+ rep = None >+ try: >+ raw_pdu = self.recv_raw(num_recv=4, hexdump=hexdump, timeout=timeout) >+ if raw_pdu is None: >+ return (None, None) >+ header = struct.unpack(">I", raw_pdu[0:4]) >+ k5_len = header[0] >+ if k5_len == 0: >+ return (None, "") >+ missing = k5_len >+ rep_pdu = b'' >+ while missing > 0: >+ raw_pdu = self.recv_raw(num_recv=missing, hexdump=hexdump, timeout=timeout) >+ self.assertGreaterEqual(len(raw_pdu), 1) >+ rep_pdu += raw_pdu >+ missing = k5_len - len(rep_pdu) >+ k5_raw = self.der_decode(rep_pdu, asn1Spec=None, native_encode=False, >+ asn1_print=False, hexdump=False) >+ pvno=k5_raw['field-0'] >+ self.assertEqual(pvno, 5) >+ msg_type=k5_raw['field-1'] >+ self.assertIn(msg_type, [11,13,30]) >+ if msg_type == 11: >+ asn1Spec=krb5_asn1.AS_REP() >+ elif msg_type == 13: >+ asn1Spec=krb5_asn1.TGS_REP() >+ elif msg_type == 30: >+ asn1Spec=krb5_asn1.KRB_ERROR() >+ rep = self.der_decode(rep_pdu, asn1Spec=asn1Spec, >+ asn1_print=asn1_print, hexdump=False) >+ finally: >+ pass >+ return (rep, rep_pdu) >+ >+ def recv_pdu(self, asn1_print=None, hexdump=None, timeout=None): >+ (rep, rep_pdu) = self.recv_pdu_raw(asn1_print=asn1_print, >+ hexdump=hexdump, >+ timeout=timeout) >+ return rep >+ >+ def assertIsConnected(self): >+ self.assertIsNotNone(self.s, msg="Not connected") >+ return >+ >+ def assertNotConnected(self): >+ self.assertIsNone(self.s, msg="Is connected") >+ return >+ >+ def send_recv_transaction(self, req, asn1_print=None, hexdump=None, timeout=None): >+ self.connect() >+ try: >+ self.send_pdu(req, asn1_print=asn1_print, hexdump=hexdump) >+ rep = 
self.recv_pdu(asn1_print=asn1_print, hexdump=hexdump, timeout=timeout) >+ except Exception: >+ self._disconnect("transaction failed") >+ raise >+ self._disconnect("transaction done") >+ return rep >+ >+ def assertNoValue(self, value): >+ self.assertTrue(value.isNoValue) >+ return >+ >+ def assertHasValue(self, value): >+ self.assertIsNotNone(value) >+ return >+ >+ def assertPrincipalEqual(self, princ1, princ2): >+ self.assertEqual(princ1['name-type'], princ2['name-type']) >+ self.assertEqual(len(princ1['name-string']), len(princ2['name-string']), >+ msg="princ1=%s != princ2=%s" % (princ1, princ2)) >+ for idx in range(len(princ1['name-string'])): >+ self.assertEqual(princ1['name-string'][idx], princ2['name-string'][idx], >+ msg="princ1=%s != princ2=%s" % (princ1, princ2)) >+ return >+ >+ def get_KerberosTimeWithUsec(self, epoch=None, offset=None): >+ if epoch is None: >+ epoch = time.time() >+ if offset is not None: >+ epoch = epoch + int(offset) >+ dt = datetime.datetime.fromtimestamp(epoch, tz=datetime.timezone.utc) >+ return (dt.strftime("%Y%m%d%H%M%SZ"), dt.microsecond) >+ >+ def get_KerberosTime(self, epoch=None, offset=None): >+ (s, _) = self.get_KerberosTimeWithUsec(epoch=epoch, offset=offset) >+ return s >+ >+ def SessionKey_create(self, etype, contents, kvno=None): >+ key = kcrypto.Key(etype, contents) >+ return Krb5EncryptionKey(key, kvno) >+ >+ def PasswordKey_create(self, etype=None, pwd=None, salt=None, kvno=None): >+ key = kcrypto.string_to_key(etype, pwd, salt) >+ return Krb5EncryptionKey(key, kvno) >+ >+ def PasswordKey_from_etype_info2(self, creds, etype_info2, kvno=None): >+ e = etype_info2['etype'] >+ salt = None >+ try: >+ salt = etype_info2['salt'] >+ except: >+ pass >+ >+ if e == kcrypto.Enctype.RC4: >+ self.assertIsNone(salt) >+ nthash = creds.get_nt_hash() >+ return self.SessionKey_create(etype=e, contents=nthash, kvno=kvno) >+ >+ password = creds.get_password() >+ return self.PasswordKey_create(etype=e, pwd=password, salt=salt, kvno=kvno) >+ 
>+ def RandomKey(self, etype): >+ e = kcrypto._get_enctype_profile(etype) >+ contents = samba.generate_random_bytes(e.keysize) >+ return self.SessionKey_create(etype=etype, contents=contents) >+ >+ def EncryptionKey_import(self, EncryptionKey_obj): >+ return self.SessionKey_create(EncryptionKey_obj['keytype'], >+ EncryptionKey_obj['keyvalue']) >+ >+ def EncryptedData_create(self, key, usage, plaintext): >+ # EncryptedData ::= SEQUENCE { >+ # etype [0] Int32 -- EncryptionType --, >+ # kvno [1] UInt32 OPTIONAL, >+ # cipher [2] OCTET STRING -- ciphertext >+ # } >+ ciphertext = key.encrypt(usage, plaintext) >+ EncryptedData_obj = { >+ 'etype': key.etype, >+ 'cipher': ciphertext >+ } >+ if key.kvno is not None: >+ EncryptedData_obj['kvno'] = key.kvno >+ return EncryptedData_obj >+ >+ def Checksum_create(self, key, usage, plaintext, ctype=None): >+ #Checksum ::= SEQUENCE { >+ # cksumtype [0] Int32, >+ # checksum [1] OCTET STRING >+ #} >+ if ctype is None: >+ ctype = key.ctype >+ checksum = key.make_checksum(usage, plaintext, ctype=ctype) >+ Checksum_obj = { >+ 'cksumtype': ctype, >+ 'checksum': checksum, >+ } >+ return Checksum_obj >+ >+ def PrincipalName_create(self, name_type, names): >+ # PrincipalName ::= SEQUENCE { >+ # name-type [0] Int32, >+ # name-string [1] SEQUENCE OF KerberosString >+ # } >+ PrincipalName_obj = { >+ 'name-type': name_type, >+ 'name-string': names, >+ } >+ return PrincipalName_obj >+ >+ def PA_DATA_create(self, padata_type, padata_value): >+ # PA-DATA ::= SEQUENCE { >+ # -- NOTE: first tag is [1], not [0] >+ # padata-type [1] Int32, >+ # padata-value [2] OCTET STRING -- might be encoded AP-REQ >+ # } >+ PA_DATA_obj = { >+ 'padata-type': padata_type, >+ 'padata-value': padata_value, >+ } >+ return PA_DATA_obj >+ >+ def PA_ENC_TS_ENC_create(self, ts, usec): >+ #PA-ENC-TS-ENC ::= SEQUENCE { >+ # patimestamp[0] KerberosTime, -- client's time >+ # pausec[1] krb5int32 OPTIONAL >+ #} >+ PA_ENC_TS_ENC_obj = { >+ 'patimestamp': ts, >+ 'pausec': usec, >+ 
} >+ return PA_ENC_TS_ENC_obj >+ >+ def KDC_REQ_BODY_create(self, >+ kdc_options, >+ cname, >+ realm, >+ sname, >+ from_time, >+ till_time, >+ renew_time, >+ nonce, >+ etypes, >+ addresses, >+ EncAuthorizationData, >+ EncAuthorizationData_key, >+ additional_tickets, >+ asn1_print=None, >+ hexdump=None): >+ #KDC-REQ-BODY ::= SEQUENCE { >+ # kdc-options [0] KDCOptions, >+ # cname [1] PrincipalName OPTIONAL >+ # -- Used only in AS-REQ --, >+ # realm [2] Realm >+ # -- Server's realm >+ # -- Also client's in AS-REQ --, >+ # sname [3] PrincipalName OPTIONAL, >+ # from [4] KerberosTime OPTIONAL, >+ # till [5] KerberosTime, >+ # rtime [6] KerberosTime OPTIONAL, >+ # nonce [7] UInt32, >+ # etype [8] SEQUENCE OF Int32 -- EncryptionType >+ # -- in preference order --, >+ # addresses [9] HostAddresses OPTIONAL, >+ # enc-authorization-data [10] EncryptedData OPTIONAL >+ # -- AuthorizationData --, >+ # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL >+ # -- NOTE: not empty >+ #} >+ if EncAuthorizationData is not None: >+ enc_ad_plain = self.der_encode(EncAuthorizationData, >+ asn1Spec=krb5_asn1.AuthorizationData(), >+ asn1_print=asn1_print, >+ hexdump=hexdump) >+ enc_ad = self.EncryptedData_create(EncAuthorizationData_key, enc_ad_plain) >+ else: >+ enc_ad = None >+ KDC_REQ_BODY_obj = { >+ 'kdc-options': kdc_options, >+ 'realm': realm, >+ 'till': till_time, >+ 'nonce': nonce, >+ 'etype': etypes, >+ } >+ if cname is not None: >+ KDC_REQ_BODY_obj['cname'] = cname >+ if sname is not None: >+ KDC_REQ_BODY_obj['sname'] = sname >+ if from_time is not None: >+ KDC_REQ_BODY_obj['from'] = from_time >+ if renew_time is not None: >+ KDC_REQ_BODY_obj['rtime'] = renew_time >+ if addresses is not None: >+ KDC_REQ_BODY_obj['addresses'] = addresses >+ if enc_ad is not None: >+ KDC_REQ_BODY_obj['enc-authorization-data'] = enc_ad >+ if additional_tickets is not None: >+ KDC_REQ_BODY_obj['additional-tickets'] = additional_tickets >+ return KDC_REQ_BODY_obj >+ >+ def KDC_REQ_create(self, >+ 
msg_type, >+ padata, >+ kdc_options, >+ cname, >+ realm, >+ sname, >+ from_time, >+ till_time, >+ renew_time, >+ nonce, >+ etypes, >+ addresses, >+ EncAuthorizationData, >+ EncAuthorizationData_key, >+ additional_tickets, >+ asn1Spec=None, >+ asn1_print=None, >+ hexdump=None): >+ #KDC-REQ ::= SEQUENCE { >+ # -- NOTE: first tag is [1], not [0] >+ # pvno [1] INTEGER (5) , >+ # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), >+ # padata [3] SEQUENCE OF PA-DATA OPTIONAL >+ # -- NOTE: not empty --, >+ # req-body [4] KDC-REQ-BODY >+ #} >+ # >+ KDC_REQ_BODY_obj = self.KDC_REQ_BODY_create(kdc_options, >+ cname, >+ realm, >+ sname, >+ from_time, >+ till_time, >+ renew_time, >+ nonce, >+ etypes, >+ addresses, >+ EncAuthorizationData, >+ EncAuthorizationData_key, >+ additional_tickets, >+ asn1_print=asn1_print, >+ hexdump=hexdump) >+ KDC_REQ_obj = { >+ 'pvno': 5, >+ 'msg-type': msg_type, >+ 'req-body': KDC_REQ_BODY_obj, >+ } >+ if padata is not None: >+ KDC_REQ_obj['padata'] = padata >+ if asn1Spec is not None: >+ KDC_REQ_decoded = pyasn1_native_decode(KDC_REQ_obj, asn1Spec=asn1Spec) >+ else: >+ KDC_REQ_decoded = None >+ return KDC_REQ_obj, KDC_REQ_decoded >+ >+ def AS_REQ_create(self, >+ padata, # optional >+ kdc_options, # required >+ cname, # optional >+ realm, # required >+ sname, # optional >+ from_time, # optional >+ till_time, # required >+ renew_time, # optional >+ nonce, # required >+ etypes, # required >+ addresses, # optional >+ EncAuthorizationData, >+ EncAuthorizationData_key, >+ additional_tickets, >+ native_decoded_only=True, >+ asn1_print=None, >+ hexdump=None): >+ #KDC-REQ ::= SEQUENCE { >+ # -- NOTE: first tag is [1], not [0] >+ # pvno [1] INTEGER (5) , >+ # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), >+ # padata [3] SEQUENCE OF PA-DATA OPTIONAL >+ # -- NOTE: not empty --, >+ # req-body [4] KDC-REQ-BODY >+ #} >+ # >+ #KDC-REQ-BODY ::= SEQUENCE { >+ # kdc-options [0] KDCOptions, >+ # cname [1] PrincipalName OPTIONAL >+ # -- Used only in AS-REQ --, 
>+ # realm [2] Realm >+ # -- Server's realm >+ # -- Also client's in AS-REQ --, >+ # sname [3] PrincipalName OPTIONAL, >+ # from [4] KerberosTime OPTIONAL, >+ # till [5] KerberosTime, >+ # rtime [6] KerberosTime OPTIONAL, >+ # nonce [7] UInt32, >+ # etype [8] SEQUENCE OF Int32 -- EncryptionType >+ # -- in preference order --, >+ # addresses [9] HostAddresses OPTIONAL, >+ # enc-authorization-data [10] EncryptedData OPTIONAL >+ # -- AuthorizationData --, >+ # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL >+ # -- NOTE: not empty >+ #} >+ obj,decoded = self.KDC_REQ_create(msg_type=10, >+ padata=padata, >+ kdc_options=kdc_options, >+ cname=cname, >+ realm=realm, >+ sname=sname, >+ from_time=from_time, >+ till_time=till_time, >+ renew_time=renew_time, >+ nonce=nonce, >+ etypes=etypes, >+ addresses=addresses, >+ EncAuthorizationData=EncAuthorizationData, >+ EncAuthorizationData_key=EncAuthorizationData_key, >+ additional_tickets=additional_tickets, >+ asn1Spec=krb5_asn1.AS_REQ(), >+ asn1_print=asn1_print, >+ hexdump=hexdump) >+ if native_decoded_only: >+ return decoded >+ return decoded, obj >+ >+ def AP_REQ_create(self, ap_options, ticket, authenticator): >+ # AP-REQ ::= [APPLICATION 14] SEQUENCE { >+ # pvno [0] INTEGER (5), >+ # msg-type [1] INTEGER (14), >+ # ap-options [2] APOptions, >+ # ticket [3] Ticket, >+ # authenticator [4] EncryptedData -- Authenticator >+ #} >+ AP_REQ_obj = { >+ 'pvno': 5, >+ 'msg-type': 14, >+ 'ap-options': ap_options, >+ 'ticket': ticket, >+ 'authenticator': authenticator, >+ } >+ return AP_REQ_obj >+ >+ def Authenticator_create(self, crealm, cname, cksum, cusec, ctime, subkey, seq_number, >+ authorization_data): >+ # -- Unencrypted authenticator >+ # Authenticator ::= [APPLICATION 2] SEQUENCE { >+ # authenticator-vno [0] INTEGER (5), >+ # crealm [1] Realm, >+ # cname [2] PrincipalName, >+ # cksum [3] Checksum OPTIONAL, >+ # cusec [4] Microseconds, >+ # ctime [5] KerberosTime, >+ # subkey [6] EncryptionKey OPTIONAL, >+ # seq-number [7] 
UInt32 OPTIONAL, >+ # authorization-data [8] AuthorizationData OPTIONAL >+ #} >+ Authenticator_obj = { >+ 'authenticator-vno': 5, >+ 'crealm': crealm, >+ 'cname': cname, >+ 'cusec': cusec, >+ 'ctime': ctime, >+ } >+ if cksum is not None: >+ Authenticator_obj['cksum'] = cksum >+ if subkey is not None: >+ Authenticator_obj['subkey'] = subkey >+ if seq_number is not None: >+ Authenticator_obj['seq-number'] = seq_number >+ if authorization_data is not None: >+ Authenticator_obj['authorization-data'] = authorization_data >+ return Authenticator_obj >+ >+ def TGS_REQ_create(self, >+ padata, # optional >+ cusec, >+ ctime, >+ ticket, >+ kdc_options, # required >+ cname, # optional >+ realm, # required >+ sname, # optional >+ from_time, # optional >+ till_time, # required >+ renew_time, # optional >+ nonce, # required >+ etypes, # required >+ addresses, # optional >+ EncAuthorizationData, >+ EncAuthorizationData_key, >+ additional_tickets, >+ ticket_session_key, >+ authenticator_subkey=None, >+ body_checksum_type=None, >+ native_decoded_only=True, >+ asn1_print=None, >+ hexdump=None): >+ #KDC-REQ ::= SEQUENCE { >+ # -- NOTE: first tag is [1], not [0] >+ # pvno [1] INTEGER (5) , >+ # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), >+ # padata [3] SEQUENCE OF PA-DATA OPTIONAL >+ # -- NOTE: not empty --, >+ # req-body [4] KDC-REQ-BODY >+ #} >+ # >+ #KDC-REQ-BODY ::= SEQUENCE { >+ # kdc-options [0] KDCOptions, >+ # cname [1] PrincipalName OPTIONAL >+ # -- Used only in AS-REQ --, >+ # realm [2] Realm >+ # -- Server's realm >+ # -- Also client's in AS-REQ --, >+ # sname [3] PrincipalName OPTIONAL, >+ # from [4] KerberosTime OPTIONAL, >+ # till [5] KerberosTime, >+ # rtime [6] KerberosTime OPTIONAL, >+ # nonce [7] UInt32, >+ # etype [8] SEQUENCE OF Int32 -- EncryptionType >+ # -- in preference order --, >+ # addresses [9] HostAddresses OPTIONAL, >+ # enc-authorization-data [10] EncryptedData OPTIONAL >+ # -- AuthorizationData --, >+ # additional-tickets [11] SEQUENCE OF Ticket 
OPTIONAL >+ # -- NOTE: not empty >+ #} >+ >+ req_body = self.KDC_REQ_BODY_create(kdc_options=kdc_options, >+ cname=None, >+ realm=realm, >+ sname=sname, >+ from_time=from_time, >+ till_time=till_time, >+ renew_time=renew_time, >+ nonce=nonce, >+ etypes=etypes, >+ addresses=addresses, >+ EncAuthorizationData=EncAuthorizationData, >+ EncAuthorizationData_key=EncAuthorizationData_key, >+ additional_tickets=additional_tickets) >+ req_body = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(), >+ asn1_print=asn1_print, hexdump=hexdump) >+ >+ req_body_checksum = self.Checksum_create(ticket_session_key, 6, req_body, >+ ctype=body_checksum_type) >+ >+ subkey_obj = None >+ if authenticator_subkey is not None: >+ subkey_obj = authenticator_subkey.export_obj() >+ seq_number = random.randint(0, 0xfffffffe) >+ authenticator = self.Authenticator_create(crealm=realm, >+ cname=cname, >+ cksum=req_body_checksum, >+ cusec=cusec, >+ ctime=ctime, >+ subkey=subkey_obj, >+ seq_number=seq_number, >+ authorization_data=None) >+ authenticator = self.der_encode(authenticator, asn1Spec=krb5_asn1.Authenticator(), >+ asn1_print=asn1_print, hexdump=hexdump) >+ >+ authenticator = self.EncryptedData_create(ticket_session_key, 7, authenticator) >+ >+ ap_options = krb5_asn1.APOptions('0') >+ ap_req = self.AP_REQ_create(ap_options=str(ap_options), >+ ticket=ticket, >+ authenticator=authenticator) >+ ap_req = self.der_encode(ap_req, asn1Spec=krb5_asn1.AP_REQ(), >+ asn1_print=asn1_print, hexdump=hexdump) >+ pa_tgs_req = self.PA_DATA_create(1, ap_req) >+ if padata is not None: >+ padata.append(pa_tgs_req) >+ else: >+ padata = [pa_tgs_req] >+ >+ obj,decoded = self.KDC_REQ_create(msg_type=12, >+ padata=padata, >+ kdc_options=kdc_options, >+ cname=None, >+ realm=realm, >+ sname=sname, >+ from_time=from_time, >+ till_time=till_time, >+ renew_time=renew_time, >+ nonce=nonce, >+ etypes=etypes, >+ addresses=addresses, >+ EncAuthorizationData=EncAuthorizationData, >+ 
EncAuthorizationData_key=EncAuthorizationData_key, >+ additional_tickets=additional_tickets, >+ asn1Spec=krb5_asn1.TGS_REQ(), >+ asn1_print=asn1_print, >+ hexdump=hexdump) >+ if native_decoded_only: >+ return decoded >+ return decoded, obj >-- >2.25.1 > > >From 975bfad2523ae33996864ec1b0be486778e2d162 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 13 Feb 2020 16:29:38 +0100 >Subject: [PATCH 026/686] python/tests/krb5: add simple_tests.py with the first > simple test > >This just demonstrates that the infrastructure works:-) > >I'm running this as: > > SERVER=172.31.9.188 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE \ > USERNAME=administrator PASSWORD=A1b2C3d4 SERVICE_USERNAME="w2012r2-188" \ > python/samba/tests/krb5/simple_tests.py > >Pair-Programmed-With: Isaac Boukris <iboukris@samba.org> > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Signed-off-by: Isaac Boukris <iboukris@samba.org> >Reviewed-by: Isaac Boukris <iboukris@samba.org> >(cherry picked from commit 4f6d26609a66a42df671a540677af15e67efc0df) >--- > python/samba/tests/krb5/simple_tests.py | 171 ++++++++++++++++++++++++ > python/samba/tests/usage.py | 1 + > 2 files changed, 172 insertions(+) > create mode 100755 python/samba/tests/krb5/simple_tests.py > >diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py >new file mode 100755 >index 00000000000..c9998c4d2db >--- /dev/null >+++ b/python/samba/tests/krb5/simple_tests.py 
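Review bot: In `KDC_REQ_BODY_create` the call `self.EncryptedData_create(EncAuthorizationData_key, enc_ad_plain)` passes two arguments to a helper declared as `EncryptedData_create(self, key, usage, plaintext)`, so any test that supplies `EncAuthorizationData` stops with a TypeError before a request is built. The key usage has to come from the caller, because RFC 4120 assigns 4 when the data is encrypted under the TGS session key and 5 under the authenticator subkey; an `EncAuthorizationData_usage` parameter passed down from `KDC_REQ_create`, `AS_REQ_create` and `TGS_REQ_create` would let the call become `self.EncryptedData_create(EncAuthorizationData_key, EncAuthorizationData_usage, enc_ad_plain)`. In `recv_pdu_raw` the loop calls `len(raw_pdu)` on a value that `recv_raw` returns as None on timeout or EOF, so a stalled or closed connection surfaces as a TypeError rather than a test failure; `self.assertIsNotNone(raw_pdu)` ahead of the length assertion would report it cleanly. `tearDown` also calls `super(TestCase, self).tearDown()` while `setUp` uses `super(RawKerberosTest, self)`, which skips any `tearDown` defined on `samba.tests.TestCase`; `super(RawKerberosTest, self).tearDown()` looks like what was meant.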
>@@ -0,0 +1,171 @@
>+#!/usr/bin/env python3
>+# Unix SMB/CIFS implementation.
>+# Copyright (C) Stefan Metzmacher 2020
>+#
>+# This program is free software; you can redistribute it and/or modify
>+# it under the terms of the GNU General Public License as published by
>+# the Free Software Foundation; either version 3 of the License, or
>+# (at your option) any later version.
>+#
>+# This program is distributed in the hope that it will be useful,
>+# but WITHOUT ANY WARRANTY; without even the implied warranty of
>+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+# GNU General Public License for more details.
>+#
>+# You should have received a copy of the GNU General Public License
>+# along with this program. If not, see <http://www.gnu.org/licenses/>.
>+#
>+
>+import sys
>+import os
>+
>+sys.path.insert(0, "bin/python")
>+os.environ["PYTHONUNBUFFERED"] = "1"
>+
>+from samba.tests.krb5.raw_testcase import RawKerberosTest
>+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
>+
>+global_asn1_print = False
>+global_hexdump = False
>+
>+class SimpleKerberosTests(RawKerberosTest):
>+
>+ def setUp(self):
>+ super(SimpleKerberosTests, self).setUp()
>+ self.do_asn1_print = global_asn1_print
>+ self.do_hexdump = global_hexdump
>+
>+ def test_simple(self):
>+ user_creds = self.get_user_creds()
>+ user = user_creds.get_username()
>+ realm = user_creds.get_realm()
>+
>+ cname = self.PrincipalName_create(name_type=1, names=[user])
>+ sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm])
>+
>+ till = self.get_KerberosTime(offset=36000)
>+
>+ kdc_options = krb5_asn1.KDCOptions('forwardable')
>+ padata = None
>+
>+ etypes=(18,17,23)
>+
>+ req = self.AS_REQ_create(padata=padata,
>+ kdc_options=str(kdc_options),
>+ cname=cname,
>+ realm=realm,
>+ sname=sname,
>+ from_time=None,
>+ till_time=till,
>+ renew_time=None,
>+ nonce=0x7fffffff,
>+ etypes=etypes,
>+ addresses=None,
>+ EncAuthorizationData=None,
>+ EncAuthorizationData_key=None,
>+ additional_tickets=None)
>+ rep = self.send_recv_transaction(req)
>+ self.assertIsNotNone(rep)
>+
>+ self.assertEqual(rep['msg-type'], 30)
>+ self.assertEqual(rep['error-code'], 25)
>+ rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA())
>+
>+ for pa in rep_padata:
>+ if pa['padata-type'] == 19:
>+ etype_info2 = pa['padata-value']
>+ break
>+
>+ etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2())
>+
>+ key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0])
>+
>+ (patime, pausec) = self.get_KerberosTimeWithUsec()
>+ pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec)
>+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC())
>+
>+ enc_pa_ts_usage = 1
>+ pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts)
>+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData())
>+
>+ pa_ts = self.PA_DATA_create(2, pa_ts)
>+
>+ kdc_options = krb5_asn1.KDCOptions('forwardable')
>+ padata = [pa_ts]
>+
>+ req = self.AS_REQ_create(padata=padata,
>+ kdc_options=str(kdc_options),
>+ cname=cname,
>+ realm=realm,
>+ sname=sname,
>+ from_time=None,
>+ till_time=till,
>+ renew_time=None,
>+ nonce=0x7fffffff,
>+ etypes=etypes,
>+ addresses=None,
>+ EncAuthorizationData=None,
>+ EncAuthorizationData_key=None,
>+ additional_tickets=None)
>+ rep = self.send_recv_transaction(req)
>+ self.assertIsNotNone(rep)
>+
>+ msg_type = rep['msg-type']
>+ self.assertEqual(msg_type, 11)
>+
>+ usage = 3
>+ enc_part2 = key.decrypt(usage, rep['enc-part']['cipher'])
>+ enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
>+
>+ # TGS Request
>+ service_creds = self.get_service_creds(allow_missing_password=True)
>+ service_name = service_creds.get_username()
>+
>+ sname = self.PrincipalName_create(name_type=2, names=["host", service_name])
>+ kdc_options = krb5_asn1.KDCOptions('forwardable')
>+ till = self.get_KerberosTime(offset=36000)
>+ ticket = rep['ticket']
>+ ticket_session_key = self.EncryptionKey_import(enc_part2['key'])
>+ padata = []
>+
>+ subkey = self.RandomKey(ticket_session_key.etype)
>+ subkey_usage = 9
>+
>+ (ctime, cusec) = self.get_KerberosTimeWithUsec()
>+
>+ req = self.TGS_REQ_create(padata=padata,
>+ cusec=cusec,
>+ ctime=ctime,
>+ ticket=ticket,
>+ kdc_options=str(kdc_options),
>+ cname=cname,
>+ realm=realm,
>+ sname=sname,
>+ from_time=None,
>+ till_time=till,
>+ renew_time=None,
>+ nonce=0x7ffffffe,
>+ etypes=etypes,
>+ addresses=None,
>+ EncAuthorizationData=None,
>+ EncAuthorizationData_key=None,
>+ additional_tickets=None,
>+ ticket_session_key=ticket_session_key,
>+ authenticator_subkey=subkey)
>+ rep = self.send_recv_transaction(req)
>+ self.assertIsNotNone(rep)
>+
>+ msg_type = rep['msg-type']
>+ self.assertEqual(msg_type, 13)
>+
>+ enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher'])
>+ enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart())
>+
>+ return
>+
>+
>+if __name__ == "__main__":
>+ global_asn1_print = True
>+ global_hexdump = True
>+ import unittest
>+ unittest.main()
>diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
>index cebc54461b9..de144f1d6a4 100644
>--- a/python/samba/tests/usage.py
>+++ b/python/samba/tests/usage.py
>@@ -84,6 +84,7 @@ EXCLUDE_USAGE = {
> 'bin/python/samba/subunit/run.py',
> 'python/samba/tests/dcerpc/raw_protocol.py',
> 'python/samba/tests/krb5/kcrypto.py',
>+ 'python/samba/tests/krb5/simple_tests.py',
> }
>
>
>--
>2.25.1
>
>
>From c331bb7b7884c3cd8742c0e54516e568850bcd34 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 13 Feb 2020 16:29:38 +0100
>Subject: [PATCH 027/686] s4:selftest: run samba.tests.krb5.simple_tests
> against ad_dc_default
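Review bot: In `test_simple` the loop over `rep_padata` binds `etype_info2` only when an entry with `padata-type` 19 is present, so a KDC error reply without PA-ETYPE-INFO2 ends the test with a NameError instead of an assertion failure; set `etype_info2 = None` before the loop and add `self.assertIsNotNone(etype_info2)` after it. Only the session key is taken from the decrypted `EncASRepPart`, and the `EncTGSRepPart` is decoded and then dropped, so the test never confirms that a reply belongs to the request it sent. Assuming the decoded structures expose `nonce` as RFC 4120 names it, `self.assertEqual(enc_part2['nonce'], 0x7fffffff)` after the AS-REP decode and `self.assertEqual(enc_part2['nonce'], 0x7ffffffe)` after the TGS-REP decode would cover the nonce check a Kerberos client is expected to make.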
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Isaac Boukris <iboukris@samba.org>
>
>Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
>Autobuild-Date(master): Fri Mar 27 19:54:25 UTC 2020 on sn-devel-184
>
>(cherry picked from commit c4ccdf4b30de1b1e63d3fd99d33b924b816a5d37)
>---
> source4/selftest/tests.py | 2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index e627158d2f9..06828a53dae 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -714,6 +714,8 @@ planoldpythontestsuite("ad_dc:local", "samba.tests.gpo", extra_args=['-U"$USERNA
> planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True)
>
> planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
>+planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests",
>+ environ={'SERVICE_USERNAME':'$SERVER'})
>
> for env in ["ad_dc", smbv1_disabled_testenv]:
> planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True)
>--
>2.25.1
>
>
>From ab73e2eee23ad0adb0da4225391de98a9236c356 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Thu, 7 May 2020 17:17:12 +0200
>Subject: [PATCH 028/686] Revert "CVE-2018-16860 selftest: Add test for
> S4U2Self with unkeyed checksum"
>
>This reverts commit 5639e973c1f6f1b28b122741763f1d05b47bc2d8.
>
>This is no longer needed as the next commit includes a Python
>test for this, without the complexity of being inside krb5.kdc.canon.
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 19875a37318a7cd5585572616cf12a775591193f)
>---
> source4/torture/krb5/kdc-canon-heimdal.c | 105 +----------------------
> 1 file changed, 4 insertions(+), 101 deletions(-)
> >diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c >index ee3045181dc..30eca87cb52 100644 >--- a/source4/torture/krb5/kdc-canon-heimdal.c >+++ b/source4/torture/krb5/kdc-canon-heimdal.c >@@ -44,8 +44,7 @@ > #define TEST_S4U2SELF 0x0000080 > #define TEST_REMOVEDOLLAR 0x0000100 > #define TEST_AS_REQ_SPN 0x0000200 >-#define TEST_MITM_S4U2SELF 0x0000400 >-#define TEST_ALL 0x00007FF >+#define TEST_ALL 0x00003FF > > struct test_data { > const char *test_name; >@@ -63,7 +62,6 @@ struct test_data { > bool upn; > bool other_upn_suffix; > bool s4u2self; >- bool mitm_s4u2self; > bool removedollar; > bool as_req_spn; > bool spn_is_upn; 
>@@ -214,67 +212,6 @@ static bool test_accept_ticket(struct torture_context *tctx, > return true; > } > >-krb5_error_code >-_krb5_s4u2self_to_checksumdata(krb5_context context, >- const PA_S4U2Self *self, >- krb5_data *data); >- >-/* Helper function to modify the principal in PA_FOR_USER padata */ >-static bool change_for_user_principal(struct torture_krb5_context *test_context, >- krb5_data *modified_send_buf) >-{ >- PA_DATA *for_user; >- int i = 0; >- size_t used; >- krb5_error_code ret; >- PA_S4U2Self self, mod_self; >- krb5_data cksum_data; >- krb5_principal admin; >- heim_octet_string orig_padata_value; >- krb5_context k5_ctx = test_context->smb_krb5_context->krb5_context; >- >- for_user = krb5_find_padata(test_context->tgs_req.padata->val, >- test_context->tgs_req.padata->len, KRB5_PADATA_FOR_USER, &i); >- torture_assert(test_context->tctx, for_user != NULL, "No PA_FOR_USER in s4u2self request"); >- orig_padata_value = for_user->padata_value; >- >- torture_assert_int_equal(test_context->tctx, >- krb5_make_principal(k5_ctx, &admin, test_context->test_data->realm, >- "Administrator", NULL), >- 0, "krb5_make_principal() failed"); >- torture_assert_int_equal(test_context->tctx, >- decode_PA_S4U2Self(for_user->padata_value.data, >- for_user->padata_value.length, &self, NULL), >- 0, "decode_PA_S4U2Self() failed"); >- mod_self = self; >- mod_self.name = admin->name; >- >- torture_assert_int_equal(test_context->tctx, >- _krb5_s4u2self_to_checksumdata(k5_ctx, &mod_self, &cksum_data), >- 0, "_krb5_s4u2self_to_checksumdata() failed"); >- torture_assert_int_equal(test_context->tctx, >- krb5_create_checksum(k5_ctx, NULL, KRB5_KU_OTHER_CKSUM, >- CKSUMTYPE_CRC32, cksum_data.data, >- cksum_data.length, &mod_self.cksum), >- 0, "krb5_create_checksum() failed"); >- >- ASN1_MALLOC_ENCODE(PA_S4U2Self, for_user->padata_value.data, for_user->padata_value.length, >- &mod_self, &used, ret); >- torture_assert(test_context->tctx, ret == 0, "Failed to encode PA_S4U2Self ASN1 struct"); 
>- ASN1_MALLOC_ENCODE(TGS_REQ, modified_send_buf->data, modified_send_buf->length, >- &test_context->tgs_req, &used, ret); >- torture_assert(test_context->tctx, ret == 0, "Failed to encode TGS_REQ ASN1 struct"); >- >- free(for_user->padata_value.data); >- for_user->padata_value = orig_padata_value; >- >- free_PA_S4U2Self(&self); >- krb5_data_free(&cksum_data); >- free_Checksum(&mod_self.cksum); >- >- return true; >-} >- > /* > * TEST_AS_REQ and TEST_AS_REQ_SELF - SEND > * >@@ -694,12 +631,7 @@ static bool torture_krb5_pre_send_tgs_req_canon_test(struct torture_krb5_context > > } > >- if (test_context->test_data->mitm_s4u2self) { >- torture_assert(test_context->tctx, change_for_user_principal(test_context, modified_send_buf), >- "Failed to modify PA_FOR_USER principal name"); >- } else { >- *modified_send_buf = *send_buf; >- } >+ *modified_send_buf = *send_buf; > > return true; > } >@@ -718,7 +650,6 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex > { > KRB_ERROR error; > size_t used; >- krb5_error_code expected_error; > > /* > * If this account did not have a servicePrincipalName, then >@@ -729,13 +660,9 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex > torture_assert_int_equal(test_context->tctx, > error.pvno, 5, > "Got wrong error.pvno"); >- expected_error = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE; >- if (error.error_code != expected_error && test_context->test_data->mitm_s4u2self) { >- expected_error = KRB5KRB_AP_ERR_INAPP_CKSUM - KRB5KDC_ERR_NONE; >- } > torture_assert_int_equal(test_context->tctx, > error.error_code, >- expected_error, >+ KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE, > "Got wrong error.error_code"); > } else { > torture_assert_int_equal(test_context->tctx, 
>@@ -778,8 +705,6 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex > torture_assert_int_equal(test_context->tctx, > *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000, > 0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO"); >- torture_assert(test_context->tctx, test_context->test_data->mitm_s4u2self == false, >- "KDC accepted PA_S4U2Self with unkeyed checksum!"); > free_TGS_REP(&test_context->tgs_rep); > } > torture_assert(test_context->tctx, test_context->packet_count == 0, "too many packets"); >@@ -2081,23 +2006,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * > && (test_data->enterprise > || test_data->spn_is_upn > || test_data->upn == false)) { >- >- if (test_data->mitm_s4u2self) { >- torture_assert_int_equal(tctx, k5ret, KRB5KRB_AP_ERR_INAPP_CKSUM, >- assertion_message); >- /* Done testing mitm-s4u2self */ >- return true; >- } >- > torture_assert_int_equal(tctx, k5ret, 0, assertion_message); >- >- /* Check that the impersonate principal is not being canonicalized by the KDC. */ >- if (test_data->s4u2self) { >- torture_assert(tctx, krb5_principal_compare(k5_context, server_creds->client, >- principal), >- "TGS-REP cname does not match requested client principal"); >- } >- > torture_assert_int_equal(tctx, krb5_cc_store_cred(k5_context, > ccache, server_creds), > 0, "krb5_cc_store_cred failed"); >@@ -2571,7 +2480,7 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx) > (i & TEST_UPN) ? "upn" : > ((i & TEST_AS_REQ_SPN) ? "spn" : > ((i & TEST_REMOVEDOLLAR) ? "removedollar" : "samaccountname")), >- (i & TEST_S4U2SELF) ? (i & TEST_MITM_S4U2SELF) ? "mitm-s4u2self" : "s4u2self" : "normal"); >+ (i & TEST_S4U2SELF) ? "s4u2self" : "normal"); > struct torture_suite *sub_suite = torture_suite_create(mem_ctx, name); > > struct test_data *test_data = talloc_zero(suite, struct test_data); 
>@@ -2585,11 +2494,6 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx) > continue; > } > } >- if (i & TEST_MITM_S4U2SELF) { >- if (!(i & TEST_S4U2SELF)) { >- continue; >- } >- } > > test_data->test_name = name; > test_data->real_realm >@@ -2610,7 +2514,6 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx) > test_data->win2k = (i & TEST_WIN2K) != 0; > test_data->upn = (i & TEST_UPN) != 0; > test_data->s4u2self = (i & TEST_S4U2SELF) != 0; >- test_data->mitm_s4u2self = (i & TEST_MITM_S4U2SELF) != 0; > test_data->removedollar = (i & TEST_REMOVEDOLLAR) != 0; > test_data->as_req_spn = (i & TEST_AS_REQ_SPN) != 0; > torture_suite_add_simple_tcase_const(sub_suite, name, torture_krb5_as_req_canon, >-- >2.25.1 > > >From b711e6b0180ac628bb1e1aa89c77e6434b088066 Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Mon, 4 May 2020 18:09:53 +0200 >Subject: [PATCH 029/686] selftest: add python S4U2Self tests including unkeyed > checksums > >To test the CRC32 I reverted the unkeyed-checksum fix (43958af1) >and the weak-crypto fix (389d1b97). Note that the unkeyed-md5 >still worked even with weak-crypto disabled, and that the >unkeyed-sha1 never worked but I left it anyway. 
> >Signed-off-by: Isaac Boukris <iboukris@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> > >Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> >Autobuild-Date(master): Fri May 15 12:25:40 UTC 2020 on sn-devel-184 > >(cherry picked from commit 8b5e7644130146bcc4e5a0dd05da6458a6025dd8) >--- > python/samba/tests/krb5/kcrypto.py | 85 ++++++++++ > python/samba/tests/krb5/raw_testcase.py | 23 +++ > python/samba/tests/krb5/rfc4120.asn1 | 8 + > python/samba/tests/krb5/rfc4120_pyasn1.py | 14 +- > python/samba/tests/krb5/s4u_tests.py | 197 ++++++++++++++++++++++ > python/samba/tests/usage.py | 1 + > selftest/knownfail | 2 + > selftest/skip_mit_kdc | 1 + > selftest/target/Samba4.pm | 23 +++ > source4/selftest/tests.py | 4 + > 10 files changed, 357 insertions(+), 1 deletion(-) > create mode 100755 python/samba/tests/krb5/s4u_tests.py > >diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py >index ed3c84fa186..2572fa5bab3 100755 >--- a/python/samba/tests/krb5/kcrypto.py >+++ b/python/samba/tests/krb5/kcrypto.py >@@ -51,6 +51,7 @@ os.environ["PYTHONUNBUFFERED"] = "1" > from math import gcd > from functools import reduce > from struct import pack, unpack >+from binascii import crc32 > from cryptography.hazmat.primitives import hashes > from cryptography.hazmat.primitives import hmac > from cryptography.hazmat.primitives.ciphers import algorithms as ciphers >@@ -533,6 +534,21 @@ class _MD5(_ChecksumProfile): > return SIMPLE_HASH(text, hashes.MD5) > > >+class _SHA1(_ChecksumProfile): >+ @classmethod >+ def checksum(cls, key, keyusage, text): >+ # This is unkeyed! >+ return SIMPLE_HASH(text, hashes.SHA1) >+ >+ >+class _CRC32(_ChecksumProfile): >+ @classmethod >+ def checksum(cls, key, keyusage, text): >+ # This is unkeyed! >+ cksum = (~crc32(text, 0xffffffff)) & 0xffffffff >+ return pack('<I', cksum) >+ >+ > _enctype_table = { > Enctype.DES3: _DES3CBC, > Enctype.AES128: _AES128CTS, 
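Review bot: `_CRC32.checksum` does not explain why `crc32()` is seeded with `0xffffffff` and the result complemented; the only comment is `# This is unkeyed!`. `binascii.crc32` applies an initial and a final ones-complement, so the seed and the `~` cancel both and leave the modified CRC-32 of RFC 3961 section 6.1.3. A comment above the `cksum =` line, such as `# Kerberos CRC-32 (RFC 3961 6.1.3): undo binascii.crc32's initial and final complement`, would save the next reader from re-deriving it. Both new profiles ignore `key` and `keyusage`, so a short class docstring saying they appear to exist so tests can build checksums a KDC should refuse would also help, now that they are registered in `_checksum_table` beside the keyed types.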
>@@ -547,6 +563,8 @@ _checksum_table = {
> Cksumtype.SHA1_AES256: _SHA1AES256,
> Cksumtype.HMAC_MD5: _HMACMD5,
> Cksumtype.MD5: _MD5,
>+ Cksumtype.SHA1: _SHA1,
>+ Cksumtype.CRC32: _CRC32,
> }
> > >@@ -835,6 +853,73 @@ class KcrytoTest(TestCase): > def test_md5_unkeyed_checksum_aes256_usage_50(self): > return self._test_md5_unkeyed_checksum(Enctype.AES256, 50) > >+ def _test_sha1_unkeyed_checksum(self, etype, usage): >+ # SHA1 unkeyed checksum >+ pw = b'password' >+ salt = b'salt' >+ key = string_to_key(etype, pw, salt) >+ plain = b'twenty nineteen eighteen seventeen' >+ cksum = h('381c870d8875d1913555de19af5c885fd27b7da9') >+ verify_checksum(Cksumtype.SHA1, key, usage, plain, cksum) >+ >+ def test_sha1_unkeyed_checksum_des3_usage_40(self): >+ return self._test_sha1_unkeyed_checksum(Enctype.DES3, 40) >+ >+ def test_sha1_unkeyed_checksum_des3_usage_50(self): >+ return self._test_sha1_unkeyed_checksum(Enctype.DES3, 50) >+ >+ def test_sha1_unkeyed_checksum_rc4_usage_40(self): >+ return self._test_sha1_unkeyed_checksum(Enctype.RC4, 40) >+ >+ def test_sha1_unkeyed_checksum_rc4_usage_50(self): >+ return self._test_sha1_unkeyed_checksum(Enctype.RC4, 50) >+ >+ def test_sha1_unkeyed_checksum_aes128_usage_40(self): >+ return self._test_sha1_unkeyed_checksum(Enctype.AES128, 40) >+ >+ def test_sha1_unkeyed_checksum_aes128_usage_50(self): >+ return self._test_sha1_unkeyed_checksum(Enctype.AES128, 50) >+ >+ def test_sha1_unkeyed_checksum_aes256_usage_40(self): >+ return self._test_sha1_unkeyed_checksum(Enctype.AES256, 40) >+ >+ def test_sha1_unkeyed_checksum_aes256_usage_50(self): >+ return self._test_sha1_unkeyed_checksum(Enctype.AES256, 50) >+ >+ def _test_crc32_unkeyed_checksum(self, etype, usage): >+ # CRC32 unkeyed checksum >+ pw = b'password' >+ salt = b'salt' >+ key = string_to_key(etype, pw, salt) >+ plain = b'africa america asia australia europe' >+ cksum = h('ce595a53') >+ verify_checksum(Cksumtype.CRC32, key, usage, plain, cksum) >+ >+ def test_crc32_unkeyed_checksum_des3_usage_40(self): >+ return self._test_crc32_unkeyed_checksum(Enctype.DES3, 40) >+ >+ def test_crc32_unkeyed_checksum_des3_usage_50(self): >+ return 
self._test_crc32_unkeyed_checksum(Enctype.DES3, 50) >+ >+ def test_crc32_unkeyed_checksum_rc4_usage_40(self): >+ return self._test_crc32_unkeyed_checksum(Enctype.RC4, 40) >+ >+ def test_crc32_unkeyed_checksum_rc4_usage_50(self): >+ return self._test_crc32_unkeyed_checksum(Enctype.RC4, 50) >+ >+ def test_crc32_unkeyed_checksum_aes128_usage_40(self): >+ return self._test_crc32_unkeyed_checksum(Enctype.AES128, 40) >+ >+ def test_crc32_unkeyed_checksum_aes128_usage_50(self): >+ return self._test_crc32_unkeyed_checksum(Enctype.AES128, 50) >+ >+ def test_crc32_unkeyed_checksum_aes256_usage_40(self): >+ return self._test_crc32_unkeyed_checksum(Enctype.AES256, 40) >+ >+ def test_crc32_unkeyed_checksum_aes256_usage_50(self): >+ return self._test_crc32_unkeyed_checksum(Enctype.AES256, 50) >+ >+ > if __name__ == "__main__": > import unittest > unittest.main() >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 6c7bcd418a0..f43ce9cbc3c 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -867,3 +867,26 @@ class RawKerberosTest(TestCase): > if native_decoded_only: > return decoded > return decoded, obj >+ >+ def PA_S4U2Self_create(self, name, realm, tgt_session_key, ctype=None): >+ # PA-S4U2Self ::= SEQUENCE { >+ # name [0] PrincipalName, >+ # realm [1] Realm, >+ # cksum [2] Checksum, >+ # auth [3] GeneralString >+ # } >+ cksum_data = name['name-type'].to_bytes(4, byteorder='little') >+ for n in name['name-string']: >+ cksum_data += n.encode() >+ cksum_data += realm.encode() >+ cksum_data += "Kerberos".encode() >+ cksum = self.Checksum_create(tgt_session_key, 17, cksum_data, ctype) >+ >+ PA_S4U2Self_obj = { >+ 'name': name, >+ 'realm': realm, >+ 'cksum': cksum, >+ 'auth': "Kerberos", >+ } >+ pa_s4u2self = self.der_encode(PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self()) >+ return self.PA_DATA_create(129, pa_s4u2self) 
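Review bot: `PA_S4U2Self_create` passes two unexplained numbers: key usage `17` to `Checksum_create` and padata type `129` to `PA_DATA_create`. The C helper this series removes names the same values `KRB5_KU_OTHER_CKSUM` and `KRB5_PADATA_FOR_USER`, so comments such as `# key usage 17: KRB5_KU_OTHER_CKSUM` and `# padata-type 129: PA-FOR-USER` would make the encoding checkable against the spec. The schema comment lists `auth [3] GeneralString`, while the `rfc4120.asn1` addition in the same patch declares `KerberosString`; the two should agree. A docstring should also say what `ctype=None` selects, which depends on `Checksum_create` and is not visible in this hunk.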
>diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 >index 05b43106034..98ba887729d 100644 >--- a/python/samba/tests/krb5/rfc4120.asn1 >+++ b/python/samba/tests/krb5/rfc4120.asn1 >@@ -415,6 +415,14 @@ AD-AND-OR ::= SEQUENCE { > > AD-MANDATORY-FOR-KDC ::= AuthorizationData > >+-- S4U >+ >+PA-S4U2Self ::= SEQUENCE { >+ name [0] PrincipalName, >+ realm [1] Realm, >+ cksum [2] Checksum, >+ auth [3] KerberosString >+} > > > >diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py >index b2627aa3dcb..05304a8a099 100644 >--- a/python/samba/tests/krb5/rfc4120_pyasn1.py >+++ b/python/samba/tests/krb5/rfc4120_pyasn1.py >@@ -1,5 +1,5 @@ > # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 >-# (last modified on 2020-03-26 10:28:24.346775) >+# (last modified on 2020-05-06 17:51:00.323318) > > # KerberosV5Spec2 > from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful >@@ -780,6 +780,18 @@ PA_ENC_TS_ENC.componentType = namedtype.NamedTypes( > ) > > >+class PA_S4U2Self(univ.Sequence): >+ pass >+ >+ >+PA_S4U2Self.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('name', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))), >+ namedtype.NamedType('realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.NamedType('cksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), >+ namedtype.NamedType('auth', KerberosString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))) >+) >+ >+ > class PADataTypeValues(univ.Integer): > pass > >diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py >new file mode 100755 >index 00000000000..ae38635c53b >--- /dev/null >+++ b/python/samba/tests/krb5/s4u_tests.py 
>@@ -0,0 +1,197 @@ >+#!/usr/bin/env python3 >+# Unix SMB/CIFS implementation. >+# Copyright (C) Stefan Metzmacher 2020 >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import sys >+import os >+ >+sys.path.insert(0, "bin/python") >+os.environ["PYTHONUNBUFFERED"] = "1" >+ >+from samba.tests import env_get_var_value >+from samba.tests.krb5.kcrypto import Cksumtype >+from samba.tests.krb5.raw_testcase import RawKerberosTest >+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 >+ >+global_asn1_print = False >+global_hexdump = False >+ >+class S4UKerberosTests(RawKerberosTest): >+ >+ def setUp(self): >+ super(S4UKerberosTests, self).setUp() >+ self.do_asn1_print = global_asn1_print >+ self.do_hexdump = global_hexdump >+ >+ def _test_s4u2self(self, pa_s4u2self_ctype=None): >+ service_creds = self.get_service_creds() >+ service = service_creds.get_username() >+ realm = service_creds.get_realm() >+ >+ cname = self.PrincipalName_create(name_type=1, names=[service]) >+ sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) >+ >+ till = self.get_KerberosTime(offset=36000) >+ >+ kdc_options = krb5_asn1.KDCOptions('forwardable') >+ padata = None >+ >+ etypes=(18,17,23) >+ >+ req = self.AS_REQ_create(padata=padata, >+ kdc_options=str(kdc_options), >+ cname=cname, >+ realm=realm, >+ sname=sname, >+ from_time=None, >+ till_time=till, >+ renew_time=None, >+ 
nonce=0x7fffffff, >+ etypes=etypes, >+ addresses=None, >+ EncAuthorizationData=None, >+ EncAuthorizationData_key=None, >+ additional_tickets=None) >+ rep = self.send_recv_transaction(req) >+ self.assertIsNotNone(rep) >+ >+ self.assertEqual(rep['msg-type'], 30) >+ self.assertEqual(rep['error-code'], 25) >+ rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) >+ >+ for pa in rep_padata: >+ if pa['padata-type'] == 19: >+ etype_info2 = pa['padata-value'] >+ break >+ >+ etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) >+ >+ key = self.PasswordKey_from_etype_info2(service_creds, etype_info2[0]) >+ >+ (patime, pausec) = self.get_KerberosTimeWithUsec() >+ pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) >+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) >+ >+ enc_pa_ts_usage = 1 >+ pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) >+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) >+ >+ pa_ts = self.PA_DATA_create(2, pa_ts) >+ >+ kdc_options = krb5_asn1.KDCOptions('forwardable') >+ padata = [pa_ts] >+ >+ req = self.AS_REQ_create(padata=padata, >+ kdc_options=str(kdc_options), >+ cname=cname, >+ realm=realm, >+ sname=sname, >+ from_time=None, >+ till_time=till, >+ renew_time=None, >+ nonce=0x7fffffff, >+ etypes=etypes, >+ addresses=None, >+ EncAuthorizationData=None, >+ EncAuthorizationData_key=None, >+ additional_tickets=None) >+ rep = self.send_recv_transaction(req) >+ self.assertIsNotNone(rep) >+ >+ msg_type = rep['msg-type'] >+ self.assertEqual(msg_type, 11) >+ >+ usage = 3 >+ enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) >+ enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) >+ >+ # S4U2Self Request >+ sname = cname >+ >+ for_user_name = env_get_var_value('FOR_USER') >+ uname = self.PrincipalName_create(name_type=1, names=[for_user_name]) >+ >+ kdc_options = krb5_asn1.KDCOptions('forwardable') >+ till = 
self.get_KerberosTime(offset=36000) >+ ticket = rep['ticket'] >+ ticket_session_key = self.EncryptionKey_import(enc_part2['key']) >+ pa_s4u = self.PA_S4U2Self_create(name=uname, realm=realm, >+ tgt_session_key=ticket_session_key, >+ ctype=pa_s4u2self_ctype) >+ padata = [pa_s4u] >+ >+ subkey = self.RandomKey(ticket_session_key.etype) >+ subkey_usage = 9 >+ >+ (ctime, cusec) = self.get_KerberosTimeWithUsec() >+ >+ req = self.TGS_REQ_create(padata=padata, >+ cusec=cusec, >+ ctime=ctime, >+ ticket=ticket, >+ kdc_options=str(kdc_options), >+ cname=cname, >+ realm=realm, >+ sname=sname, >+ from_time=None, >+ till_time=till, >+ renew_time=None, >+ nonce=0x7ffffffe, >+ etypes=etypes, >+ addresses=None, >+ EncAuthorizationData=None, >+ EncAuthorizationData_key=None, >+ additional_tickets=None, >+ ticket_session_key=ticket_session_key, >+ authenticator_subkey=subkey) >+ rep = self.send_recv_transaction(req) >+ self.assertIsNotNone(rep) >+ >+ msg_type = rep['msg-type'] >+ if msg_type == 13: >+ enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) >+ enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) >+ >+ return msg_type >+ >+ # Using the checksum type from the tgt_session_key happens to work everywhere >+ def test_s4u2self(self): >+ msg_type = self._test_s4u2self() >+ self.assertEqual(msg_type, 13) >+ >+ # Per spec, the checksum of PA-FOR-USER is HMAC_MD5, see [MS-SFU] 2.2.1 >+ def test_s4u2self_hmac_md5_checksum(self): >+ msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.HMAC_MD5) >+ self.assertEqual(msg_type, 13) >+ >+ def test_s4u2self_md5_unkeyed_checksum(self): >+ msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.MD5) >+ self.assertEqual(msg_type, 30) >+ >+ def test_s4u2self_sha1_unkeyed_checksum(self): >+ msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.SHA1) >+ self.assertEqual(msg_type, 30) >+ >+ def test_s4u2self_crc32_unkeyed_checksum(self): >+ msg_type = 
self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.CRC32) >+ self.assertEqual(msg_type, 30) >+ >+if __name__ == "__main__": >+ global_asn1_print = True >+ global_hexdump = True >+ import unittest >+ unittest.main() >diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py >index de144f1d6a4..8af43bc8299 100644 >--- a/python/samba/tests/usage.py >+++ b/python/samba/tests/usage.py >@@ -85,6 +85,7 @@ EXCLUDE_USAGE = { > 'python/samba/tests/dcerpc/raw_protocol.py', > 'python/samba/tests/krb5/kcrypto.py', > 'python/samba/tests/krb5/simple_tests.py', >+ 'python/samba/tests/krb5/s4u_tests.py', > } > > >diff --git a/selftest/knownfail b/selftest/knownfail >index 1817db384e0..3a851b06e8e 100644 >--- a/selftest/knownfail >+++ b/selftest/knownfail >@@ -361,3 +361,5 @@ > ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\) > ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) > ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) >+# Fixed upstream heimdal in PR #439 >+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_hmac_md5_checksum >diff --git a/selftest/skip_mit_kdc b/selftest/skip_mit_kdc >index 4a51c98ea0b..ea644638c9f 100644 >--- a/selftest/skip_mit_kdc >+++ b/selftest/skip_mit_kdc >@@ -3,3 +3,4 @@ > .*RODC > ^samba4.ntvfs.cifs.ntlm.base.unlink > ^samba4.ntvfs.cifs.krb5.base.unlink >+^samba.tests.krb5.s4u_tests >diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm >index 2fbd5e24928..aa12e823ae5 100755 >--- a/selftest/target/Samba4.pm >+++ b/selftest/target/Samba4.pm 
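Review bot: The three unkeyed-checksum tests (`test_s4u2self_md5_unkeyed_checksum` and its sha1 and crc32 siblings) pass on any KRB-ERROR, because `_test_s4u2self` returns only `msg-type` and the tests compare it with 30. A KDC that refused the request for an unrelated reason, such as clock skew or an unknown `FOR_USER`, would look the same as one that refused the checksum. Returning the reply and asserting `rep['error-code']` ties the refusal to the checksum; the expected code per checksum type needs confirming against the KDC (the C test reverted earlier in this series expected KRB5KRB_AP_ERR_INAPP_CKSUM). Separately, `etype_info2` is unbound when the pre-auth error carries no padata of type 19, so the test would end in a NameError rather than an assertion failure; set it to `None` before the loop and `assertIsNotNone` after it.

```python
        # … unchanged: AS exchange, TGS-REQ construction, reply decoding …
        return rep  # was: return msg_type

    def _assert_checksum_rejected(self, ctype):
        rep = self._test_s4u2self(pa_s4u2self_ctype=ctype)
        self.assertEqual(rep['msg-type'], 30)
        # EXPECTED_CKSUM_ERROR is a placeholder; confirm the code the KDC returns
        self.assertEqual(rep['error-code'], EXPECTED_CKSUM_ERROR)

    def test_s4u2self_md5_unkeyed_checksum(self):
        self._assert_checksum_rejected(Cksumtype.MD5)
    # … sha1 and crc32 tests likewise; positive tests compare rep['msg-type'] with 13 …
```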
>@@ -954,6 +954,29 @@ sub provision_raw_step2($$$)
> return undef;
> }
>
>+ my $srv_account = "srv_account";
>+ $samba_tool_cmd = "";
>+ $samba_tool_cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" ";
>+ $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
>+ $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
>+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
>+ . " user create --configfile=$ctx->{smb_conf} $srv_account $ctx->{password}";
>+ unless (system($samba_tool_cmd) == 0) {
>+ warn("Unable to add $srv_account user: \n$samba_tool_cmd\n");
>+ return undef;
>+ }
>+
>+ $samba_tool_cmd = "";
>+ $samba_tool_cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" ";
>+ $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
>+ $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
>+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
>+ . " spn add HOST/$srv_account --configfile=$ctx->{smb_conf} $srv_account";
>+ unless (system($samba_tool_cmd) == 0) {
>+ warn("Unable to add spn for $srv_account: \n$samba_tool_cmd\n");
>+ return undef;
>+ }
>+
> my $ldbmodify = "";
> $ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
> $ldbmodify .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 06828a53dae..dd3b894203b 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
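Review bot: Both new `samba-tool` invocations are built as one shell string and run through single-argument `system()`, with `$ctx->{smb_conf}` and `$ctx->{password}` interpolated unquoted. A password or path containing a space or shell metacharacter changes the command, and the failure path prints the password through `warn`. Setting the three variables with `local $ENV{...}` and calling `system()` in list form avoids the shell; this assumes `Samba::bindir_path` returns a single executable path, which is not visible here. `provision_raw_step2` begins and ends outside the hunk and its visible context uses the same string-building pattern, so a follow-up across the whole function may be the better scope.

```perl
	my $srv_account = "srv_account";
	{
		# Scoped environment instead of a shell prefix string.
		local $ENV{RESOLV_CONF} = $ret->{RESOLV_CONF};
		local $ENV{KRB5_CONFIG} = $ret->{KRB5_CONFIG};
		local $ENV{KRB5CCNAME} = $ret->{KRB5_CCACHE};
		my @create_cmd = (Samba::bindir_path($self, "samba-tool"),
				  "user", "create",
				  "--configfile=$ctx->{smb_conf}",
				  $srv_account, $ctx->{password});
		unless (system(@create_cmd) == 0) {
			# Do not echo the argument list: it contains the password.
			warn("Unable to add $srv_account user\n");
			return undef;
		}
		# … "spn add HOST/$srv_account" built and run the same way …
	}
```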
>@@ -716,6 +716,10 @@ planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$U
> planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
> planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests",
> environ={'SERVICE_USERNAME':'$SERVER'})
>+planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests",
>+ environ={'SERVICE_USERNAME':'srv_account',
>+ 'SERVICE_PASSWORD':'$PASSWORD',
>+ 'FOR_USER':'$USERNAME'})
>
> for env in ["ad_dc", smbv1_disabled_testenv]:
> planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True)
>--
>2.25.1
>
>
>From fa598b44e786421f8cb94cff5aec762871256629 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Sun, 19 Jan 2020 16:24:24 +0100
>Subject: [PATCH 030/686] selftest: add test for disallowed-forwardable server
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 197f97bc13c513ae6ae2b4129b23489081f63c64)
>---
> selftest/knownfail.d/disallowed_forwardable_server | 1 +
> testprogs/blackbox/test_s4u_heimdal.sh | 13 +++++++++++--
> 2 files changed, 12 insertions(+), 2 deletions(-)
> create mode 100644 selftest/knownfail.d/disallowed_forwardable_server
>
>diff --git a/selftest/knownfail.d/disallowed_forwardable_server b/selftest/knownfail.d/disallowed_forwardable_server
>new file mode 100644
>index 00000000000..2e05909ab89
>--- /dev/null
>+++ b/selftest/knownfail.d/disallowed_forwardable_server
>@@ -0,0 +1 @@
>+^samba4.blackbox.krb5.s4u.test S4U2Proxy using received ticket
>diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh
>index 0e12c7ec096..c6ada54e85b 100755
>--- a/testprogs/blackbox/test_s4u_heimdal.sh
>+++ b/testprogs/blackbox/test_s4u_heimdal.sh
>@@ -54,7 +54,7 @@ testit "set not-delegated flag" $samba_tool user sensitive $princ on || failed=` > > > echo $PASSWORD > $PREFIX/tmppassfile >-testit "kinit with password" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` >+testit "kinit impersonator" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` > > testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=`expr $failed + 1` > testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` 
>@@ -68,6 +68,15 @@ testit "unset not-delegated flag" $samba_tool user sensitive $princ off || faile > testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1` > testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` > >+testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` >+testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` >+testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` > >-rm -f $ocache $PREFIX/tmpccache tmppassfile >+testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1` >+testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` >+testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` >+testit_expect_failure "test S4U2Proxy using received ticket" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` >+ >+ >+rm -f $ocache $PREFIX/tmpccache $PREFIX/tmppassfile > exit $failed >-- >2.25.1 > > >From 8fbf70bcbcc7ec56c55949e03dd1e35f462b6701 Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Mon, 13 Jan 2020 23:42:54 +0100 >Subject: [PATCH 031/686] heimdal: apply disallow-forwardable on server in TGS > request > >upstream commit: 839b073facd2aecda6740224d73e560bc79965dc > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233 
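Review bot: The new block sets the not-delegated flag on `$impersonator` (`user sensitive $impersonator on`) and the script then goes straight to `rm` and `exit $failed` without clearing it. The earlier `$princ` case does have a matching "unset not-delegated flag" step. If the test environment is shared with later suites, the impersonator account stays marked sensitive and can change their results. Adding a `testit "unset not-delegated on impersonator" $samba_tool user sensitive $impersonator off` step, with the usual `|| failed=...` tail, before the `rm` would restore the account.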
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 8fdff19c5461315556014d25d237a958edeed1a2)
>---
> selftest/knownfail.d/disallowed_forwardable_server | 1 -
> source4/heimdal/kdc/krb5tgs.c | 6 ++++++
> 2 files changed, 6 insertions(+), 1 deletion(-)
> delete mode 100644 selftest/knownfail.d/disallowed_forwardable_server
>
>diff --git a/selftest/knownfail.d/disallowed_forwardable_server b/selftest/knownfail.d/disallowed_forwardable_server
>deleted file mode 100644
>index 2e05909ab89..00000000000
>--- a/selftest/knownfail.d/disallowed_forwardable_server
>+++ /dev/null
>@@ -1 +0,0 @@
>-^samba4.blackbox.krb5.s4u.test S4U2Proxy using received ticket
>diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
>index ee3ac3d8f53..efbdd6ed77f 100644
>--- a/source4/heimdal/kdc/krb5tgs.c
>+++ b/source4/heimdal/kdc/krb5tgs.c
>@@ -866,6 +866,12 @@ tgs_make_reply(krb5_context context,
> et.flags.anonymous = tgt->flags.anonymous;
> et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
>
>+ /* See MS-KILE 3.3.5.1 */
>+ if (!server->entry.flags.forwardable)
>+ et.flags.forwardable = 0;
>+ if (!server->entry.flags.proxiable)
>+ et.flags.proxiable = 0;
>+
> if(rspac->length) {
> /*
> * No not need to filter out the any PAC from the
>--
>2.25.1
>
>
>From da9081c347de5f13f3875ef6ec9b39a57ff95fd0 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Thu, 7 May 2020 01:25:36 +0200
>Subject: [PATCH 032/686] selftest: allow EncASRepPart to be encoded as
> EncTGSRepPart
>
>that's how MIT kdc encodes it, clients accept both.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
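Review bot: The comment `/* See MS-KILE 3.3.5.1 */` in the `krb5tgs.c` hunk is the only explanation of a security-relevant policy change, and it does not state the rule. A comment such as `/* Never issue a forwardable/proxiable ticket for a server whose own entry disallows that flag (MS-KILE 3.3.5.1) */` would state the invariant the two `if`s enforce. The blackbox test added earlier in this series covers the forwardable case through S4U2Proxy, but no test of the `proxiable` branch is visible, so that branch may be untested. `tgs_make_reply` begins and ends outside the hunk, so it cannot be checked here whether later code sets either flag again.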
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit a823cc1e8bc9a68a7e662022705039397a5df7e1)
>---
> python/samba/tests/krb5/simple_tests.py | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
>diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py
>index c9998c4d2db..236fbda1cd5 100755
>--- a/python/samba/tests/krb5/simple_tests.py
>+++ b/python/samba/tests/krb5/simple_tests.py
>@@ -115,7 +115,12 @@ class SimpleKerberosTests(RawKerberosTest):
>
> usage = 3
> enc_part2 = key.decrypt(usage, rep['enc-part']['cipher'])
>- enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
>+
>+ # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26
>+ try:
>+ enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
>+ except Exception:
>+ enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart())
>
> # TGS Request
> service_creds = self.get_service_creds(allow_missing_password=True)
>--
>2.25.1
>
>
>From 474664fad2d1b99d1c13f7b35066038612bc0953 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Wed, 6 May 2020 15:54:55 +0200
>Subject: [PATCH 033/686] selftest: test forwardable flag in cross-realm tgt
> tickets
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 9b302a57ff0d4c3a373f762f2ad4daf736b0853b)
>---
> python/samba/tests/krb5/xrealm_tests.py | 180 ++++++++++++++++++++++++
> python/samba/tests/usage.py | 1 +
> selftest/knownfail.d/xrealm | 1 +
> source4/selftest/tests.py | 2 +
> 4 files changed, 184 insertions(+)
> create mode 100755 python/samba/tests/krb5/xrealm_tests.py
> create mode 100644 selftest/knownfail.d/xrealm
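Review bot: `except Exception:` around the first `der_decode` in the `simple_tests.py` hunk also swallows failures unrelated to the ASN.1 application tag, for example a typo or an assertion inside `der_decode`. The test then reports whatever the second decode raises instead. Narrowing it to the decoder's own error type, e.g. `except PyAsn1Error:` with `from pyasn1.error import PyAsn1Error`, keeps the MIT fallback without hiding other bugs; this assumes `der_decode` lets pyasn1 errors propagate, which is not visible here. The enclosing test method starts and ends outside the hunk.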
> >diff --git a/python/samba/tests/krb5/xrealm_tests.py b/python/samba/tests/krb5/xrealm_tests.py >new file mode 100755 >index 00000000000..64064b8a670 >--- /dev/null >+++ b/python/samba/tests/krb5/xrealm_tests.py 
>@@ -0,0 +1,180 @@ >+#!/usr/bin/env python3 >+# Unix SMB/CIFS implementation. >+# Copyright (C) Stefan Metzmacher 2020 >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import sys >+import os >+ >+sys.path.insert(0, "bin/python") >+os.environ["PYTHONUNBUFFERED"] = "1" >+ >+from samba.tests.krb5.raw_testcase import RawKerberosTest >+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 >+import samba.tests >+ >+global_asn1_print = False >+global_hexdump = False >+ >+class XrealmKerberosTests(RawKerberosTest): >+ >+ def setUp(self): >+ super(XrealmKerberosTests, self).setUp() >+ self.do_asn1_print = global_asn1_print >+ self.do_hexdump = global_hexdump >+ >+ def test_xrealm(self): >+ user_creds = self.get_user_creds() >+ user = user_creds.get_username() >+ realm = user_creds.get_realm() >+ >+ cname = self.PrincipalName_create(name_type=1, names=[user]) >+ sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) >+ >+ till = self.get_KerberosTime(offset=36000) >+ >+ kdc_options = krb5_asn1.KDCOptions('forwardable') >+ padata = None >+ >+ etypes=(18,17,23) >+ >+ req = self.AS_REQ_create(padata=padata, >+ kdc_options=str(kdc_options), >+ cname=cname, >+ realm=realm, >+ sname=sname, >+ from_time=None, >+ till_time=till, >+ renew_time=None, >+ nonce=0x7fffffff, >+ etypes=etypes, >+ addresses=None, >+ EncAuthorizationData=None, >+ 
EncAuthorizationData_key=None, >+ additional_tickets=None) >+ rep = self.send_recv_transaction(req) >+ self.assertIsNotNone(rep) >+ >+ self.assertEqual(rep['msg-type'], 30) >+ self.assertEqual(rep['error-code'], 25) >+ rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) >+ >+ for pa in rep_padata: >+ if pa['padata-type'] == 19: >+ etype_info2 = pa['padata-value'] >+ break >+ >+ etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) >+ >+ key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) >+ >+ (patime, pausec) = self.get_KerberosTimeWithUsec() >+ pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) >+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) >+ >+ enc_pa_ts_usage = 1 >+ pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) >+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) >+ >+ pa_ts = self.PA_DATA_create(2, pa_ts) >+ >+ kdc_options = krb5_asn1.KDCOptions('forwardable') >+ padata = [pa_ts] >+ >+ req = self.AS_REQ_create(padata=padata, >+ kdc_options=str(kdc_options), >+ cname=cname, >+ realm=realm, >+ sname=sname, >+ from_time=None, >+ till_time=till, >+ renew_time=None, >+ nonce=0x7fffffff, >+ etypes=etypes, >+ addresses=None, >+ EncAuthorizationData=None, >+ EncAuthorizationData_key=None, >+ additional_tickets=None) >+ rep = self.send_recv_transaction(req) >+ self.assertIsNotNone(rep) >+ >+ msg_type = rep['msg-type'] >+ self.assertEqual(msg_type, 11) >+ >+ usage = 3 >+ enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) >+ >+ # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 >+ try: >+ enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) >+ except Exception: >+ enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) >+ >+ # TGS Request (for cross-realm TGT) >+ trust_realm = samba.tests.env_get_var_value('TRUST_REALM') >+ sname = self.PrincipalName_create(name_type=2, 
names=["krbtgt", trust_realm]) >+ >+ kdc_options = krb5_asn1.KDCOptions('forwardable') >+ till = self.get_KerberosTime(offset=36000) >+ ticket = rep['ticket'] >+ ticket_session_key = self.EncryptionKey_import(enc_part2['key']) >+ padata = [] >+ >+ subkey = self.RandomKey(ticket_session_key.etype) >+ subkey_usage = 9 >+ >+ (ctime, cusec) = self.get_KerberosTimeWithUsec() >+ >+ req = self.TGS_REQ_create(padata=padata, >+ cusec=cusec, >+ ctime=ctime, >+ ticket=ticket, >+ kdc_options=str(kdc_options), >+ cname=cname, >+ realm=realm, >+ sname=sname, >+ from_time=None, >+ till_time=till, >+ renew_time=None, >+ nonce=0x7ffffffe, >+ etypes=etypes, >+ addresses=None, >+ EncAuthorizationData=None, >+ EncAuthorizationData_key=None, >+ additional_tickets=None, >+ ticket_session_key=ticket_session_key, >+ authenticator_subkey=subkey) >+ rep = self.send_recv_transaction(req) >+ self.assertIsNotNone(rep) >+ >+ msg_type = rep['msg-type'] >+ self.assertEqual(msg_type, 13) >+ >+ enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) >+ enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) >+ >+ # Check the forwardable flag >+ fwd_pos = len(tuple(krb5_asn1.TicketFlags('forwardable'))) -1 >+ assert(krb5_asn1.TicketFlags(enc_part2['flags'])[fwd_pos]) >+ >+ return >+ >+ >+if __name__ == "__main__": >+ global_asn1_print = True >+ global_hexdump = True >+ import unittest >+ unittest.main() >diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py >index 8af43bc8299..27cdb4c0cb3 100644 >--- a/python/samba/tests/usage.py >+++ b/python/samba/tests/usage.py >@@ -86,6 +86,7 @@ EXCLUDE_USAGE = { > 'python/samba/tests/krb5/kcrypto.py', > 'python/samba/tests/krb5/simple_tests.py', > 'python/samba/tests/krb5/s4u_tests.py', >+ 'python/samba/tests/krb5/xrealm_tests.py', > } > > >diff --git a/selftest/knownfail.d/xrealm b/selftest/knownfail.d/xrealm >new file mode 100644 >index 00000000000..2e09644b1d8 >--- /dev/null >+++ b/selftest/knownfail.d/xrealm 
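Review bot: The final check in `test_xrealm` (xrealm_tests.py) is a bare `assert(...)`, which Python strips under `-O`, so the one assertion this test exists for, forwardable being set on the cross-realm TGT, can vanish and gives no context when it fails. Use the unittest form like the rest of the method: `self.assertTrue(krb5_asn1.TicketFlags(enc_part2['flags'])[fwd_pos], "forwardable flag missing from cross-realm TGT")`. Separately, `etype_info2` is only bound inside the `for pa in rep_padata` loop, so a reply without padata-type 19 ends in an UnboundLocalError rather than a test failure; setting `etype_info2 = None` before the loop and adding `self.assertIsNotNone(etype_info2)` after it makes that case readable.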
>@@ -0,0 +1 @@ >+^samba.tests.krb5.xrealm_tests.samba.tests.krb5.xrealm_tests.XrealmKerberosTests.test_xrealm >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index dd3b894203b..4aed6e1af91 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -721,6 +721,8 @@ planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", > 'SERVICE_PASSWORD':'$PASSWORD', > 'FOR_USER':'$USERNAME'}) > >+planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") >+ > for env in ["ad_dc", smbv1_disabled_testenv]: > planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) > planoldpythontestsuite(env + ":local", "samba.tests.ntacls_backup", >-- >2.25.1 > > >From 12273e330ea1ad3063d24c397354ed6a50369611 Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Sat, 9 May 2020 16:26:45 +0200 >Subject: [PATCH 034/686] selftest: test forwardable flag in cross-realm with > s4u2proxy > >Signed-off-by: Isaac Boukris <iboukris@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit fb7dfdbe8f94f7f053d67832e7f28a751136d733) > >[jsutton@samba.org Backported to fix conflicts] >--- > selftest/knownfail.d/s4u2p_fwd | 2 ++ > source4/selftest/tests.py | 2 +- > testprogs/blackbox/test_s4u_heimdal.sh | 17 ++++++++++++++--- > 3 files changed, 17 insertions(+), 4 deletions(-) > create mode 100644 selftest/knownfail.d/s4u2p_fwd > >diff --git a/selftest/knownfail.d/s4u2p_fwd b/selftest/knownfail.d/s4u2p_fwd >new file mode 100644 >index 00000000000..63ade3eece0 >--- /dev/null >+++ b/selftest/knownfail.d/s4u2p_fwd >@@ -0,0 +1,2 @@ >+^samba4.blackbox.krb5.s4u.get a ticket to impersonator for trust user >+^samba4.blackbox.krb5.s4u.test S4U2Proxy evidence ticket obtained by TGS of trust user >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 4aed6e1af91..91c25cfb978 100755 >--- a/source4/selftest/tests.py 
>+++ b/source4/selftest/tests.py >@@ -460,7 +460,7 @@ if have_heimdal_support: > plantestsuite("samba4.blackbox.kinit_trust(fl2003dc:local)", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"]) > plantestsuite("samba4.blackbox.export.keytab(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_heimdal.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4]) > plantestsuite("samba4.blackbox.kpasswd(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"]) >- plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', configuration]) >+ plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', configuration]) > else: > plantestsuite("samba4.blackbox.kinit(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration]) > plantestsuite("samba4.blackbox.kinit(fl2000dc:local)", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration]) >diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh >index c6ada54e85b..c63eeaa2e30 100755 >--- a/testprogs/blackbox/test_s4u_heimdal.sh >+++ b/testprogs/blackbox/test_s4u_heimdal.sh 
>@@ -12,8 +12,13 @@ USERNAME=$2 > PASSWORD=$3 > REALM=$4 > DOMAIN=$5 >-PREFIX=$6 >-shift 6 >+TRUST_SERVER=$6 >+TRUST_USERNAME=$7 >+TRUST_PASSWORD=$8 >+TRUST_REALM=$9 >+TRUST_DOMAIN=${10} >+PREFIX=${11} >+shift 11 > failed=0 > > >@@ -39,7 +44,7 @@ export KRB5CCNAME > rm -rf $KRB5CCNAME_PATH > > princ=test_impersonate_princ >-impersonator=test_impersonator >+impersonator=test_impersonator.$REALM > target="CIFS/$SERVER.$REALM" > > >@@ -72,6 +77,12 @@ testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmp > testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` > testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` > >+echo $TRUST_PASSWORD > $PREFIX/tmppassfile >+testit "kinit trust user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` >+testit "get a ticket to impersonator for trust user" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` >+testit "test S4U2Proxy evidence ticket obtained by TGS of trust user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` >+ >+echo $PASSWORD > $PREFIX/tmppassfile > testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1` > testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` > testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` >-- >2.25.1 > > >From afe2d6ee8ece7f143d44e636719c39e8e4d56602 Mon Sep 17 00:00:00 2001 
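Review bot: In the last hunk of test_s4u_heimdal.sh the added `echo $TRUST_PASSWORD > $PREFIX/tmppassfile` and `echo $PASSWORD > $PREFIX/tmppassfile` lines expand the password unquoted, so a password containing whitespace or glob characters is altered by word splitting and pathname expansion before it reaches the file. `printf '%s\n' "$TRUST_PASSWORD" > "$PREFIX/tmppassfile"` (and the same for `$PASSWORD`) writes it verbatim. The file is created with whatever umask the test runner has, and whether it is removed at the end of the script is outside this hunk, so it is worth confirming that the password file is restricted and cleaned up elsewhere in the script.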
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Tue, 14 Jan 2020 13:16:02 +0100
>Subject: [PATCH 035/686] db-glue.c: set forwardable flag on cross-realm tgt
> tickets
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
>
>Match Windows behavior and allow the forwardable flag to be
>set in cross-realm tickets. We used to allow forwardable to
>any server, but now that we apply disallow-forwardable policy
>in heimdal we need to explicitly allow in the corss-realm case
>(and remove the workaround we have for it the MIT plugin).
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>
>Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
>Autobuild-Date(master): Fri Jun 12 22:10:34 UTC 2020 on sn-devel-184
>
>(cherry picked from commit 7655a0298e5f55582bf48ec776d8cd8b79fb5dd9)
>---
> selftest/knownfail.d/s4u2p_fwd | 2 --
> selftest/knownfail.d/xrealm | 1 -
> source4/kdc/db-glue.c | 3 +++
> source4/kdc/mit_samba.c | 5 -----
> 4 files changed, 3 insertions(+), 8 deletions(-)
> delete mode 100644 selftest/knownfail.d/s4u2p_fwd
> delete mode 100644 selftest/knownfail.d/xrealm
>
>diff --git a/selftest/knownfail.d/s4u2p_fwd b/selftest/knownfail.d/s4u2p_fwd
>deleted file mode 100644
>index 63ade3eece0..00000000000
>--- a/selftest/knownfail.d/s4u2p_fwd
>+++ /dev/null
>@@ -1,2 +0,0 @@
>-^samba4.blackbox.krb5.s4u.get a ticket to impersonator for trust user
>-^samba4.blackbox.krb5.s4u.test S4U2Proxy evidence ticket obtained by TGS of trust user
>diff --git a/selftest/knownfail.d/xrealm b/selftest/knownfail.d/xrealm
>deleted file mode 100644
>index 2e09644b1d8..00000000000
>--- a/selftest/knownfail.d/xrealm
>+++ /dev/null
>@@ -1 +0,0 @@
>-^samba.tests.krb5.xrealm_tests.samba.tests.krb5.xrealm_tests.XrealmKerberosTests.test_xrealm
>diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
>index f62a633c6c7..63d910eccb4 100644
>--- a/source4/kdc/db-glue.c
>+++ b/source4/kdc/db-glue.c
>@@ -1556,6 +1556,9 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
>
> entry_ex->entry.max_renew = NULL;
>
>+ /* Match Windows behavior and allow forwardable flag in cross-realm. */
>+ entry_ex->entry.flags.forwardable = 1;
>+
> ret = samba_kdc_sort_encryption_keys(entry_ex);
> if (ret != 0) {
> krb5_clear_error_message(context);
>diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
>index 5a4f6e73e97..54dcd545ea1 100644
>--- a/source4/kdc/mit_samba.c
>+++ b/source4/kdc/mit_samba.c
>@@ -304,11 +304,6 @@ fetch_referral_principal:
>
> sdb_free_entry(&sentry);
>
>- if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) {
>- kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE;
>- kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE;
>- }
>-
> done:
> krb5_free_principal(ctx->context, referral_principal);
> referral_principal = NULL;
>--
>2.25.1
>
>
>From cf9e1dc2218ef88aa0e28690d336473adb2af5c2 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Tue, 3 Nov 2020 09:25:48 +1300
>Subject: [PATCH 036/686] selftest: add mit kdc specific known fail
>
>Add a MIT kerberos specific known fail, will be needed by subsequent
>commits.
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 04248f5e868d38498bdc8f9705c9a60fcfe79c09)
>---
> selftest/knownfail_mit_kdc | 0
> selftest/wscript | 2 ++
> 2 files changed, 2 insertions(+)
> create mode 100644 selftest/knownfail_mit_kdc
>
>diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
>new file mode 100644
>index 00000000000..e69de29bb2d
>diff --git a/selftest/wscript b/selftest/wscript
>index b7eec2c2605..80e0f1feabd 100644
>--- a/selftest/wscript
>+++ b/selftest/wscript
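Review bot: The comment added in `samba_kdc_trust_message2entry` (db-glue.c) says what is set but not why it is safe to set it unconditionally for every trust entry, and the workaround this commit removes from mit_samba.c cleared both `KRB5_KDB_DISALLOW_FORWARDABLE` and `KRB5_KDB_DISALLOW_PROXIABLE` while the replacement sets only `forwardable`. If dropping proxiable on the MIT path is intended, record it in the comment, for example `/* Trust (cross-realm krbtgt) entries only: Windows issues forwardable referral TGTs; proxiable is deliberately not set here. */`. Whether `flags.proxiable` is already set earlier in this function cannot be seen from the hunk, which covers only part of the function body.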
>@@ -268,6 +268,8 @@ def cmd_testonly(opt):
>
> if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
> env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc"
>+ env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
>+ "knownfail_mit_kdc"
>
> if not CONFIG_GET(opt, 'HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X'):
> # older MIT krb5 libraries (< 1.14) don't have
>--
>2.25.1
>
>
>From 9cc79dc5fdb638cf0c9955a7438b3362c3468031 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Tue, 27 Oct 2020 09:29:56 +1300
>Subject: [PATCH 037/686] tests python krb5: Make PrincipalName_create a class
> method
>
>Make PrincipalName_create a class method, so it can be used in helper
>classes.
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit b14dca7c1c063e069517ff01b33c63a000d398c3)
>---
> python/samba/tests/krb5/raw_testcase.py | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
>index f43ce9cbc3c..45e46e0b7ba 100644
>--- a/python/samba/tests/krb5/raw_testcase.py
>+++ b/python/samba/tests/krb5/raw_testcase.py
>@@ -470,6 +470,7 @@ class RawKerberosTest(TestCase):
> }
> return Checksum_obj
>
>+ @classmethod
> def PrincipalName_create(self, name_type, names):
> # PrincipalName ::= SEQUENCE {
> # name-type [0] Int32,
>--
>2.25.1
>
>
>From 04724db90987f96f7717fe6e36794743d6e56c99 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Tue, 27 Oct 2020 09:31:24 +1300
>Subject: [PATCH 038/686] tests python krb5: Add canonicalize flag to ASN1
>
>Add the canonicalize flag to KerberosFlags, so that it can be used in
>python based canonicalization tests.
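Review bot: In the raw_testcase.py hunk `PrincipalName_create` becomes a `@classmethod` but its first parameter is still named `self`, which suggests instance state is available when the name is actually bound to the class. Rename it: `def PrincipalName_create(cls, name_type, names):`. The method body lies outside the hunk, so any use of `self` there needs the same rename; if the body uses neither the class nor an instance, `@staticmethod` would describe it more accurately, and the caller `RawKerberosTest.PrincipalName_create(name_type=1, names=[...])` added in as_canonicalization_tests.py works with either.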
> >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 41c8aa4b991aad306d731b08d068c480eb5c7fed) >--- > python/samba/tests/krb5/rfc4120.asn1 | 8 ++++---- > python/samba/tests/krb5/rfc4120_pyasn1.py | 4 ++-- > 2 files changed, 6 insertions(+), 6 deletions(-) > >diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 >index 98ba887729d..58e0c1636a1 100644 >--- a/python/samba/tests/krb5/rfc4120.asn1 >+++ b/python/samba/tests/krb5/rfc4120.asn1 >@@ -196,8 +196,8 @@ KDCOptions ::= KerberosFlags > -- opt-hardware-auth(11), > -- unused12(12), > -- unused13(13), >--- 15 is reserved for canonicalize >- -- unused15(15), >+-- Canonicalize is used in RFC 6806 >+ -- canonicalize(15), > -- 26 was unused in 1510 > -- disable-transited-check(26), > -- >@@ -489,8 +489,8 @@ KDCOptionsValues ::= BIT STRING { -- KerberosFlags > opt-hardware-auth(11), > unused12(12), > unused13(13), >--- 15 is reserved for canonicalize >- unused15(15), >+-- Canonicalize is used by RFC 6806 >+ canonicalize(15), > -- 26 was unused in 1510 > disable-transited-check(26), > -- >diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py >index 05304a8a099..b4ea678afd8 100644 >--- a/python/samba/tests/krb5/rfc4120_pyasn1.py >+++ b/python/samba/tests/krb5/rfc4120_pyasn1.py >@@ -1,5 +1,5 @@ > # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 >-# (last modified on 2020-05-06 17:51:00.323318) >+# (last modified on 2020-11-03 14:07:15.270009) > > # KerberosV5Spec2 > from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful 
>@@ -610,7 +610,7 @@ KDCOptionsValues.namedValues = namedval.NamedValues( > ('opt-hardware-auth', 11), > ('unused12', 12), > ('unused13', 13), >- ('unused15', 15), >+ ('canonicalize', 15), > ('disable-transited-check', 26), > ('renewable-ok', 27), > ('enc-tkt-in-skey', 28), >-- >2.25.1 > > >From f5eebcb5bd6cf92e1553ee58f0b2a249edb20b53 Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Tue, 27 Oct 2020 09:32:21 +1300 >Subject: [PATCH 039/686] tests python krb5: Add python kerberos > canonicalization tests > >Add python canonicalization tests, loosely based on the code in >source4/torture/krb5/kdc-canon-heimdal.c. The long term goal is to move >the integration level tests out of kdc-canon-heimdal, leaving it as a >heimdal library unit test. > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 005435dc4d7de9d442c7513edec8c782fe20fda3) >--- > .../tests/krb5/as_canonicalization_tests.py | 499 ++++++++++++++++++ > python/samba/tests/usage.py | 1 + > selftest/knownfail_mit_kdc | 144 +++++ > source4/selftest/tests.py | 1 + > 4 files changed, 645 insertions(+) > create mode 100755 python/samba/tests/krb5/as_canonicalization_tests.py > >diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py >new file mode 100755 >index 00000000000..7b599ad6e44 >--- /dev/null >+++ b/python/samba/tests/krb5/as_canonicalization_tests.py 
>@@ -0,0 +1,499 @@ >+#!/usr/bin/env python3 >+# Unix SMB/CIFS implementation. >+# >+# Copyright (C) Catalyst IT Ltd. 2020 >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import sys >+import os >+from enum import Enum, unique >+import pyasn1 >+ >+sys.path.insert(0, "bin/python") >+os.environ["PYTHONUNBUFFERED"] = "1" >+ >+from samba.tests.krb5.raw_testcase import RawKerberosTest >+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 >+import samba >+from samba.auth import system_session >+from samba.credentials import ( >+ Credentials, >+ CLI_CRED_NTLMv2_AUTH, >+ CLI_CRED_NTLM_AUTH, >+ DONT_USE_KERBEROS) >+from samba.dcerpc.misc import SEC_CHAN_WKSTA >+from samba.dsdb import ( >+ UF_WORKSTATION_TRUST_ACCOUNT, >+ UF_PASSWD_NOTREQD, >+ UF_NORMAL_ACCOUNT) >+from samba.samdb import SamDB >+from samba.tests import delete_force, DynamicTestCase >+ >+global_asn1_print = False >+global_hexdump = False >+ >+ >+@unique >+class TestOptions(Enum): >+ Canonicalize = 1 >+ Enterprise = 2 >+ UpperRealm = 4 >+ UpperUserName = 8 >+ NetbiosRealm = 16 >+ UPN = 32 >+ RemoveDollar = 64 >+ Last = 128 >+ >+ def is_set(self, x): >+ return self.value & x >+ >+ >+@unique >+class CredentialsType(Enum): >+ User = 1 >+ Machine = 2 >+ >+ def is_set(self, x): >+ return self.value & x >+ >+ >+class TestData: >+ >+ def __init__(self, options, creds): >+ self.options = options >+ 
self.user_creds = creds >+ self.user_name = self.get_username(options, creds) >+ self.realm = self.get_realm(options, creds) >+ self.cname = RawKerberosTest.PrincipalName_create( >+ name_type=1, names=[self.user_name]) >+ self.sname = RawKerberosTest.PrincipalName_create( >+ name_type=2, names=["krbtgt", self.realm]) >+ self.canonicalize = TestOptions.Canonicalize.is_set(options) >+ >+ def get_realm(self, options, creds): >+ realm = creds.get_realm() >+ if TestOptions.NetbiosRealm.is_set(options): >+ realm = creds.get_domain() >+ if TestOptions.UpperRealm.is_set(options): >+ realm = realm.upper() >+ else: >+ realm = realm.lower() >+ return realm >+ >+ def get_username(self, options, creds): >+ name = creds.get_username() >+ if TestOptions.RemoveDollar.is_set(options) and name.endswith("$"): >+ name = name[:-1] >+ if TestOptions.Enterprise.is_set(options): >+ realm = creds.get_realm() >+ name = "{0}@{1}".format(name, realm) >+ if TestOptions.UpperUserName.is_set(options): >+ name = name.upper() >+ return name >+ >+ def __repr__(self): >+ rep = "Test Data: " >+ rep += "options = '" + "{:08b}".format(self.options) + "'" >+ rep += "user name = '" + self.user_name + "'" >+ rep += ", realm = '" + self.realm + "'" >+ rep += ", cname = '" + str(self.cname) + "'" >+ rep += ", sname = '" + str(self.sname) + "'" >+ return rep >+ >+ >+MACHINE_NAME = "tstkrb5cnnusr" >+USER_NAME = "tstkrb5cnnmch" >+ >+# Encryption types >+AES256_CTS_HMAC_SHA1_96 = int( >+ krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96')) >+AES128_CTS_HMAC_SHA1_96 = int( >+ krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96')) >+ARCFOUR_HMAC_MD5 = int( >+ krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5')) >+ >+# Message types >+KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error')) >+KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep')) >+ >+# PAData types >+PADATA_ENC_TIMESTAMP = int( >+ krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP')) 
>+PADATA_ETYPE_INFO2 = int( >+ krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2')) >+ >+# Error codes >+KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 >+KDC_ERR_PREAUTH_REQUIRED = 25 >+ >+# Name types >+NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) >+NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) >+NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) >+ >+ >+@DynamicTestCase >+class KerberosASCanonicalizationTests(RawKerberosTest): >+ >+ @classmethod >+ def setUpDynamicTestCases(cls): >+ >+ def skip(ct, options): >+ ''' Filter out any mutually exclusive test options ''' >+ if ct != CredentialsType.Machine and\ >+ TestOptions.RemoveDollar.is_set(options): >+ return True >+ return False >+ >+ def build_test_name(ct, options): >+ name = "%sCredentials" % ct.name >+ for opt in TestOptions: >+ if opt.is_set(options): >+ name += ("_%s" % opt.name) >+ return name >+ >+ for ct in CredentialsType: >+ for x in range(TestOptions.Last.value): >+ if skip(ct, x): >+ continue >+ name = build_test_name(ct, x) >+ cls.generate_dynamic_test("test", name, x, ct) >+ >+ @classmethod >+ def setUpClass(cls): >+ cls.lp = cls.get_loadparm(cls) >+ cls.username = os.environ["USERNAME"] >+ cls.password = os.environ["PASSWORD"] >+ cls.domain = os.environ["DOMAIN"] >+ cls.realm = os.environ["REALM"] >+ cls.host = os.environ["SERVER"] >+ >+ c = Credentials() >+ c.set_username(cls.username) >+ c.set_password(cls.password) >+ c.set_domain(cls.domain) >+ c.set_realm(cls.realm) >+ cls.credentials = c >+ >+ cls.session = system_session() >+ cls.ldb = SamDB(url="ldap://%s" % cls.host, >+ session_info=cls.session, >+ credentials=cls.credentials, >+ lp=cls.lp) >+ cls.create_machine_account() >+ cls.create_user_account() >+ >+ @classmethod >+ def tearDownClass(cls): >+ super(KerberosASCanonicalizationTests, cls).tearDownClass() >+ delete_force(cls.ldb, cls.machine_dn) >+ delete_force(cls.ldb, cls.user_dn) >+ >+ def setUp(self): >+ super(KerberosASCanonicalizationTests, 
self).setUp() >+ self.do_asn1_print = global_asn1_print >+ self.do_hexdump = global_hexdump >+ >+ # >+ # Create a test user account >+ @classmethod >+ def create_user_account(cls): >+ cls.user_pass = samba.generate_random_password(32, 32) >+ cls.user_name = USER_NAME >+ cls.user_dn = "cn=%s,%s" % (cls.user_name, cls.ldb.domain_dn()) >+ >+ # remove the account if it exists, this will happen if a previous test >+ # run failed >+ delete_force(cls.ldb, cls.user_dn) >+ >+ utf16pw = ('"%s"' % cls.user_pass).encode('utf-16-le') >+ cls.ldb.add({ >+ "dn": cls.user_dn, >+ "objectclass": "user", >+ "sAMAccountName": "%s" % cls.user_name, >+ "userAccountControl": str(UF_NORMAL_ACCOUNT), >+ "unicodePwd": utf16pw}) >+ >+ cls.user_creds = Credentials() >+ cls.user_creds.guess(cls.lp) >+ cls.user_creds.set_password(cls.user_pass) >+ cls.user_creds.set_username(cls.user_name) >+ cls.user_creds.set_workstation(cls.machine_name) >+ >+ # >+ # Create the machine account >+ @classmethod >+ def create_machine_account(cls): >+ cls.machine_pass = samba.generate_random_password(32, 32) >+ cls.machine_name = MACHINE_NAME >+ cls.machine_dn = "cn=%s,%s" % (cls.machine_name, cls.ldb.domain_dn()) >+ >+ # remove the account if it exists, this will happen if a previous test >+ # run failed >+ delete_force(cls.ldb, cls.machine_dn) >+ >+ utf16pw = ('"%s"' % cls.machine_pass).encode('utf-16-le') >+ cls.ldb.add({ >+ "dn": cls.machine_dn, >+ "objectclass": "computer", >+ "sAMAccountName": "%s$" % cls.machine_name, >+ "userAccountControl": >+ str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), >+ "unicodePwd": utf16pw}) >+ >+ cls.machine_creds = Credentials() >+ cls.machine_creds.guess(cls.lp) >+ cls.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA) >+ cls.machine_creds.set_kerberos_state(DONT_USE_KERBEROS) >+ cls.machine_creds.set_password(cls.machine_pass) >+ cls.machine_creds.set_username(cls.machine_name + "$") >+ cls.machine_creds.set_workstation(cls.machine_name) >+ >+ def 
_test_with_args(self, x, ct): >+ if ct == CredentialsType.User: >+ creds = self.user_creds >+ elif ct == CredentialsType.Machine: >+ creds = self.machine_creds >+ else: >+ raise Exception("Unexpected credential type") >+ data = TestData(x, creds) >+ >+ try: >+ (rep, as_rep) = self.as_req(data) >+ except pyasn1.error.PyAsn1Error as e: >+ import traceback >+ self.fail("ASN1 Error, Options {0:08b}:{1} {2}".format( >+ traceback.format_exc(), >+ data.options, >+ e)) >+ # If as_req triggered an expected server error response >+ # No need to test the response data. >+ if rep is not None: >+ # The kvno is optional, heimdal includes it >+ # MIT does not. >+ if 'kvno' in rep['enc-part']: >+ kvno = rep['enc-part']['kvno'] >+ self.check_kvno(kvno, data) >+ >+ cname = rep['cname'] >+ self.check_cname(cname, data) >+ >+ crealm = rep['crealm'].decode('ascii') >+ self.check_crealm(crealm, data) >+ >+ sname = as_rep['sname'] >+ self.check_sname(sname, data) >+ >+ srealm = as_rep['srealm'].decode('ascii') >+ self.check_srealm(srealm, data) >+ >+ def as_req(self, data): >+ user_creds = data.user_creds >+ realm = data.realm >+ >+ cname = data.cname >+ sname = data.sname >+ >+ till = self.get_KerberosTime(offset=36000) >+ >+ kdc_options = "0" >+ if data.canonicalize: >+ kdc_options = str(krb5_asn1.KDCOptions('canonicalize')) >+ >+ padata = None >+ >+ # Set the allowable encryption types >+ etypes = ( >+ AES256_CTS_HMAC_SHA1_96, >+ AES128_CTS_HMAC_SHA1_96, >+ ARCFOUR_HMAC_MD5) >+ >+ req = self.AS_REQ_create(padata=padata, >+ kdc_options=kdc_options, >+ cname=cname, >+ realm=realm, >+ sname=sname, >+ from_time=None, >+ till_time=till, >+ renew_time=None, >+ nonce=0x7fffffff, >+ etypes=etypes, >+ addresses=None, >+ EncAuthorizationData=None, >+ EncAuthorizationData_key=None, >+ additional_tickets=None) >+ rep = self.send_recv_transaction(req) >+ self.assertIsNotNone(rep) >+ >+ # >+ # Check the protocol version, should be 5 >+ self.assertEqual( >+ rep['pvno'], 5, "Data 
{0}".format(str(data))) >+ >+ self.assertEqual( >+ rep['msg-type'], KRB_ERROR, "Data {0}".format(str(data))) >+ >+ # We should get KDC_ERR_PREAUTH_REQUIRED >+ # unless the RemoveDollar and Enterprise options are set >+ # then we should get a KDC_ERR_C_PRINCIPAL_UNKNOWN >+ if TestOptions.RemoveDollar.is_set(data.options) and\ >+ TestOptions.Enterprise.is_set(data.options): >+ self.assertEqual( >+ rep['error-code'], >+ KDC_ERR_C_PRINCIPAL_UNKNOWN, >+ "Error code {0}, Data {1}".format(rep['error-code'], str(data))) >+ return (None, None) >+ >+ self.assertEqual( >+ rep['error-code'], >+ KDC_ERR_PREAUTH_REQUIRED, >+ "Error code {0}, Data {1}".format(rep['error-code'], str(data))) >+ >+ rep_padata = self.der_decode( >+ rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) >+ >+ for pa in rep_padata: >+ if pa['padata-type'] == 19: >+ etype_info2 = pa['padata-value'] >+ break >+ >+ etype_info2 = self.der_decode( >+ etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) >+ >+ key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) >+ >+ (patime, pausec) = self.get_KerberosTimeWithUsec() >+ pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) >+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) >+ >+ enc_pa_ts_usage = 1 >+ pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) >+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) >+ >+ pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) >+ >+ kdc_options = "0" >+ if data.canonicalize: >+ kdc_options = str(krb5_asn1.KDCOptions('canonicalize')) >+ padata = [pa_ts] >+ >+ req = self.AS_REQ_create(padata=padata, >+ kdc_options=kdc_options, >+ cname=cname, >+ realm=realm, >+ sname=sname, >+ from_time=None, >+ till_time=till, >+ renew_time=None, >+ nonce=0x7fffffff, >+ etypes=etypes, >+ addresses=None, >+ EncAuthorizationData=None, >+ EncAuthorizationData_key=None, >+ additional_tickets=None) >+ rep = self.send_recv_transaction(req) >+ self.assertIsNotNone(rep) >+ >+ # >+ # Check the 
protocol version, should be 5 >+ self.assertEqual( >+ rep['pvno'], 5, "Data {0}".format(str(data))) >+ >+ msg_type = rep['msg-type'] >+ # Should not have got an error. >+ # If we did, fail and print the error code to help debugging >+ self.assertNotEqual( >+ msg_type, >+ KRB_ERROR, >+ "Error code {0}, Data {1}".format( >+ rep.get('error-code', ''), >+ str(data))) >+ >+ self.assertEqual(msg_type, KRB_AS_REP, "Data {0}".format(str(data))) >+ >+ # Decrypt and decode the EncKdcRepPart >+ enc = key.decrypt(3, rep['enc-part']['cipher']) >+ if enc[0] == 0x7A: >+ # MIT Kerberos Tags the EncASRepPart as a EncKDCRepPart >+ # i.e. tag number 26 instead of tag number 25 >+ as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncTGSRepPart()) >+ else: >+ as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncASRepPart()) >+ >+ return (rep, as_rep) >+ >+ def check_cname(self, cname, data): >+ nt = cname['name-type'] >+ self.assertEqual( >+ NT_PRINCIPAL, >+ nt, >+ "cname name-type, Options {0:08b}".format(data.options)) >+ >+ ns = cname['name-string'] >+ name = ns[0].decode('ascii') >+ >+ expected = data.user_name >+ if TestOptions.Canonicalize.is_set(data.options): >+ expected = data.user_creds.get_username() >+ self.assertEqual( >+ expected, >+ name, >+ "cname principal, Options {0:08b}".format(data.options)) >+ >+ def check_crealm(self, crealm, data): >+ realm = data.user_creds.get_realm() >+ self.assertEqual( >+ realm, crealm, "crealm, Options {0:08b}".format(data.options)) >+ >+ def check_sname(self, sname, data): >+ nt = sname['name-type'] >+ self.assertEqual( >+ NT_SRV_INST, >+ nt, >+ "sname name-type, Options {0:08b}".format(data.options)) >+ >+ ns = sname['name-string'] >+ name = ns[0].decode('ascii') >+ self.assertEqual( >+ 'krbtgt', >+ name, >+ "sname principal, Options {0:08b}".format(data.options)) >+ >+ realm = ns[1].decode('ascii') >+ expected = data.realm >+ if TestOptions.Canonicalize.is_set(data.options): >+ expected = data.user_creds.get_realm().upper() >+ 
self.assertEqual( >+ expected, >+ realm, >+ "sname realm, Options {0:08b}".format(data.options)) >+ >+ def check_srealm(self, srealm, data): >+ realm = data.user_creds.get_realm() >+ self.assertEqual( >+ realm, srealm, "srealm, Options {0:08b}".format(data.options)) >+ >+ def check_kvno(self, kvno, data): >+ self.assertEqual( >+ 1, kvno, "kvno, Options {0:08b}".format(data.options)) >+ >+ >+if __name__ == "__main__": >+ global_asn1_print = True >+ global_hexdump = True >+ import unittest >+ >+ unittest.main() >diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py >index 27cdb4c0cb3..dc86f4808ae 100644 >--- a/python/samba/tests/usage.py >+++ b/python/samba/tests/usage.py >@@ -87,6 +87,7 @@ EXCLUDE_USAGE = { > 'python/samba/tests/krb5/simple_tests.py', > 'python/samba/tests/krb5/s4u_tests.py', > 'python/samba/tests/krb5/xrealm_tests.py', >+ 'python/samba/tests/krb5/as_canonicalization_tests.py', > } > > >diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc >index e69de29bb2d..96d3e51da5c 100644 >--- a/selftest/knownfail_mit_kdc >+++ b/selftest/knownfail_mit_kdc 
>@@ -0,0 +1,144 @@ >+# >+# Currently MOST but not quite all the Canonicalization tests fail on the >+# MIT KDC >+# >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_RemoveDollar\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_RemoveDollar\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN_RemoveDollar\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_RemoveDollar\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UPN\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm_UPN\(
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_UPN\(
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 91c25cfb978..d56226bf561 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -1228,6 +1228,7 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]:
> '--option=torture:expect_machine_account=true'] + extra_options,
> "samba4.krb5.kdc with machine account")
>
>+planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests")
>
> for env in [
> 'vampire_dc',
>--
>2.25.1
>
>
>From 8d58ba078a1582ce44664baaeddb161922fdfb63 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 10 Nov 2020 11:09:13 +1300
>Subject: [PATCH 040/686] selftest: Send enterprise principals tagged as such
>
>This test passed against Samba but failed against Windows when
>an enterprise principal (user@domain.com@REALM) was encoded as
>NT_PRINCIPAL.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit d7f731ed3577b407370d8fe7a62b4c3ee2dd9c75)
>---
> .../tests/krb5/as_canonicalization_tests.py | 24 ++++++--
> selftest/knownfail.d/kdc-enterprise | 57 +++++++++++++++++++
> selftest/knownfail_mit_kdc | 8 +++
> 3 files changed, 84 insertions(+), 5 deletions(-)
> create mode 100644 selftest/knownfail.d/kdc-enterprise
>
>diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
>index 7b599ad6e44..3f8ed5c5a11 100755
>--- a/python/samba/tests/krb5/as_canonicalization_tests.py
>+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
>@@ -77,10 +77,16 @@ class TestData:
> self.user_creds = creds
> self.user_name = self.get_username(options, creds)
> self.realm = self.get_realm(options, creds)
>+
>+ if TestOptions.Enterprise.is_set(options):
>+ client_name_type = NT_ENTERPRISE_PRINCIPAL
>+ else:
>+ client_name_type = NT_PRINCIPAL
>+
> self.cname = RawKerberosTest.PrincipalName_create(
>- name_type=1, names=[self.user_name])
>+ name_type=client_name_type, names=[self.user_name])
> self.sname = RawKerberosTest.PrincipalName_create(
>- name_type=2, names=["krbtgt", self.realm])
>+ name_type=NT_SRV_INST, names=["krbtgt", self.realm])
> self.canonicalize = TestOptions.Canonicalize.is_set(options)
>
> def get_realm(self, options, creds):
>@@ -143,6 +149,7 @@ KDC_ERR_PREAUTH_REQUIRED = 25
> NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN'))
> NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL'))
> NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST'))
>+NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-ENTERPRISE-PRINCIPAL'))
>
>
> @DynamicTestCase
>@@ -436,10 +443,17 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
> return (rep, as_rep)
>
> def check_cname(self, cname, data):
>- nt = cname['name-type']
>+ if TestOptions.Canonicalize.is_set(data.options):
>+ expected_name_type = NT_PRINCIPAL
>+ elif TestOptions.Enterprise.is_set(data.options):
>+ expected_name_type = NT_ENTERPRISE_PRINCIPAL
>+ else:
>+ expected_name_type = NT_PRINCIPAL
>+
>+ name_type = cname['name-type']
> self.assertEqual(
>- NT_PRINCIPAL,
>- nt,
>+ expected_name_type,
>+ name_type,
> "cname name-type, Options {0:08b}".format(data.options))
>
> ns = cname['name-string']
>diff --git a/selftest/knownfail.d/kdc-enterprise b/selftest/knownfail.d/kdc-enterprise
>new file mode 100644
>index 00000000000..4e4f8a93e03
>--- /dev/null
>+++ b/selftest/knownfail.d/kdc-enterprise
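Review bot: The new `client_name_type` branch in `TestData.__init__` has no comment saying why the Enterprise option changes the name type, so the reason lives only in the commit message. A one-line comment above the `if` would keep it with the code, for example `# Enterprise principals (user@domain.com@REALM) must be tagged NT_ENTERPRISE_PRINCIPAL; the test fails against Windows when they are sent as NT_PRINCIPAL`. The constructor starts before this hunk, so anything else it does with `options` is not visible here.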
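Review bot: `check_cname` now varies the expected name-type, but the name-string check that follows still appears to look at `ns[0]` only, so a reply whose cname carries extra components would pass. Since these tests pin down how the KDC maps a requested client name to an account, consider adding `self.assertEqual(1, len(ns), "cname components, Options {0:08b}".format(data.options))` after `ns = cname['name-string']`, assuming a single-component cname is expected in every permutation. The first and last branches of the new `if` both yield `NT_PRINCIPAL`; a short comment such as `# canonicalization takes precedence over the enterprise tag` would show the ordering is deliberate. The rest of the method lies outside this hunk.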
>@@ -0,0 +1,57 @@ >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_UPN\( >+ >diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc >index 96d3e51da5c..9bac4737591 100644 >--- a/selftest/knownfail_mit_kdc >+++ b/selftest/knownfail_mit_kdc 
>@@ -142,3 +142,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm_UPN\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_UPN\( >-- >2.25.1 > > >From 553a0c6cd516990d057a6373537227edbd15c4aa Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Tue, 10 Nov 2020 11:09:59 +1300 >Subject: [PATCH 041/686] selftest: Fix flipped machine and user constants > >This naturally does not change the test, but reduces developer >confusion. > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 579a3c641c72b65f6ba39141a55c765b517bd7f8) >--- > python/samba/tests/krb5/as_canonicalization_tests.py | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py >index 3f8ed5c5a11..7cdf614482e 100755 >--- a/python/samba/tests/krb5/as_canonicalization_tests.py >+++ b/python/samba/tests/krb5/as_canonicalization_tests.py >@@ -120,8 +120,8 @@ class TestData: > return rep > > >-MACHINE_NAME = "tstkrb5cnnusr" >-USER_NAME = "tstkrb5cnnmch" >+MACHINE_NAME = "tstkrb5cnnmch" >+USER_NAME = "tstkrb5cnnusr" > > # Encryption types > AES256_CTS_HMAC_SHA1_96 = int( >-- >2.25.1 > > >From 55496b2d9456c00e1a82865e36ed5876e5f7ecac Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Tue, 10 Nov 2020 11:12:13 +1300 >Subject: [PATCH 042/686] selftest: Make as_canonicalization_tests.py easier to > run outside "make test" > >This takes the realm from the LDAP base DN and so avoids one >easy mistake to make. So far the NT4 domain name is not >auto-detected, so much be read from the smb.conf. > >By using .guess() the smb.conf is read for the unspecified >parts (eg workstation for an NTLM login to the LDAP server if >the target server is an IP address). 
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit d85e71f449037fa035fa2fae6b64caf695c53cb3)
>---
> python/samba/tests/krb5/as_canonicalization_tests.py | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
>diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
>index 7cdf614482e..c0c3208d216 100755
>--- a/python/samba/tests/krb5/as_canonicalization_tests.py
>+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
>@@ -185,14 +185,20 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
> cls.username = os.environ["USERNAME"]
> cls.password = os.environ["PASSWORD"]
> cls.domain = os.environ["DOMAIN"]
>- cls.realm = os.environ["REALM"]
> cls.host = os.environ["SERVER"]
>
> c = Credentials()
> c.set_username(cls.username)
> c.set_password(cls.password)
> c.set_domain(cls.domain)
>- c.set_realm(cls.realm)
>+ try:
>+ realm = os.environ["REALM"]
>+ c.set_realm(realm)
>+ except KeyError:
>+ pass
>+
>+ c.guess()
>+
> cls.credentials = c
>
> cls.session = system_session()
>@@ -236,6 +242,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
>
> cls.user_creds = Credentials()
> cls.user_creds.guess(cls.lp)
>+ cls.user_creds.set_realm(cls.ldb.domain_dns_name().upper())
> cls.user_creds.set_password(cls.user_pass)
> cls.user_creds.set_username(cls.user_name)
> cls.user_creds.set_workstation(cls.machine_name)
>@@ -263,6 +270,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
>
> cls.machine_creds = Credentials()
> cls.machine_creds.guess(cls.lp)
>+ cls.machine_creds.set_realm(cls.ldb.domain_dns_name().upper())
> cls.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
> cls.machine_creds.set_kerberos_state(DONT_USE_KERBEROS)
> cls.machine_creds.set_password(cls.machine_pass)
>--
>2.25.1
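Review bot: The added `c.guess()` in the `@@ -185,14 +185,20 @@` hunk is called without a loadparm context, while the `user_creds` and `machine_creds` objects in the two later hunks are set up with `guess(cls.lp)`. If the intent is to fill the unspecified parts from the test's smb.conf, as the commit message says, passing the same context keeps all three credential objects reading one configuration: `c.guess(cls.lp)`. Whether the no-argument form resolves to the same file is not visible here, so this is worth confirming when the test is run outside "make test". The `try`/`except KeyError: pass` block could also be written as `realm = os.environ.get("REALM")` followed by `if realm is not None: c.set_realm(realm)`. The enclosing method starts and ends outside the hunk.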
>
>
>From bd2bcbe856e89b2404068d0859d52176d031cf5b Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 10 Nov 2020 13:46:28 +1300
>Subject: [PATCH 043/686] samdb: Add samdb.domain_netbios_name()
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>
>[abartlet@samba.org: Backported from commit
>d79218dbba3d0f26d6a0e22b3c91b0731bf641dd as this backport
>to Samba 4.13 does not include 07ce48088824bba2054e029edfa6fbae972c1921
>(samba-tool: Create unix user with modified template homedir)]
>
>[jsutton@samba.org Backported to fix conflicts in selftests/tests.py and
> remove changes in python/samba/netcmd/user.py]
>---
> python/samba/samdb.py | 15 +++++++++++++++
> python/samba/tests/samdb.py | 13 ++++++++++---
> selftest/tests.py | 1 +
> 3 files changed, 26 insertions(+), 3 deletions(-)
>
>diff --git a/python/samba/samdb.py b/python/samba/samdb.py
>index 308b5f96a7b..0d76d98783e 100644
>--- a/python/samba/samdb.py
>+++ b/python/samba/samdb.py
>@@ -751,6 +751,21 @@ accountExpires: %u
> domain_dn = self.get_default_basedn()
> return domain_dn.canonical_str().split('/')[0]
>
>+ def domain_netbios_name(self):
>+ """return the NetBIOS name of the domain root"""
>+ domain_dn = self.get_default_basedn()
>+ dns_name = self.domain_dns_name()
>+ filter = "(&(objectClass=crossRef)(nETBIOSName=*)(ncName=%s)(dnsroot=%s))" % (domain_dn, dns_name)
>+ partitions_dn = self.get_partitions_dn()
>+ res = self.search(partitions_dn,
>+ scope=ldb.SCOPE_ONELEVEL,
>+ expression=filter)
>+ try:
>+ netbios_domain = res[0]["nETBIOSName"][0].decode()
>+ except IndexError:
>+ return None
>+ return netbios_domain
>+
> def forest_dns_name(self):
> """return the DNS name of the forest root"""
> forest_dn = self.get_root_basedn()
>diff --git a/python/samba/tests/samdb.py b/python/samba/tests/samdb.py
>index a185a1566e3..834c5a204a6 100644
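Review bot: `domain_netbios_name()` builds its search expression by %-formatting `domain_dn` and `dns_name` straight into the LDAP filter, so a `(`, `)`, `*` or `\` in either value would change the filter's structure instead of being matched literally. Both values come from the database's own base DN here, so the exposure is low, but escaping keeps the helper safe if it is reused: `expression = "(&(objectClass=crossRef)(nETBIOSName=*)(ncName=%s)(dnsroot=%s))" % (ldb.binary_encode(str(domain_dn)), ldb.binary_encode(dns_name))`. Naming the local `expression` also avoids shadowing the builtin `filter`. The docstring should say that the method returns `None` when no crossRef matches, since callers that chain a string method onto the result will otherwise fail with an `AttributeError`.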
>--- a/python/samba/tests/samdb.py
>+++ b/python/samba/tests/samdb.py
>@@ -38,13 +38,13 @@ class SamDBTestCase(TestCaseInTempDir):
> super(SamDBTestCase, self).setUp()
> self.session = system_session()
> logger = logging.getLogger("selftest")
>- domain = "dsdb"
>- realm = "dsdb.samba.example.com"
>+ self.domain = "dsdb"
>+ self.realm = "dsdb.samba.example.com"
> host_name = "test"
> server_role = "active directory domain controller"
> self.result = provision(logger,
> self.session, targetdir=self.tempdir,
>- realm=realm, domain=domain,
>+ realm=self.realm, domain=self.domain,
> hostname=host_name,
> use_ntvfs=True,
> serverrole=server_role,
>@@ -61,3 +61,10 @@ class SamDBTestCase(TestCaseInTempDir):
> shutil.rmtree(os.path.join(self.tempdir, d))
>
> super(SamDBTestCase, self).tearDown()
>+
>+
>+class SamDBTests(SamDBTestCase):
>+
>+ def test_get_domain(self):
>+ self.assertEqual(self.samdb.domain_dns_name(), self.realm.lower())
>+ self.assertEqual(self.samdb.domain_netbios_name(), self.domain.upper())
>diff --git a/selftest/tests.py b/selftest/tests.py
>index e7639c4da27..1748feeefb4 100644
>--- a/selftest/tests.py
>+++ b/selftest/tests.py
>@@ -163,6 +163,7 @@ planpythontestsuite("none", "samba.tests.graph", py3_compatible=True)
> plantestsuite("wafsamba.duplicate_symbols", "none", [os.path.join(srcdir(), "buildtools/wafsamba/test_duplicate_symbol.sh")])
> planpythontestsuite("none", "samba.tests.glue", py3_compatible=True)
> planpythontestsuite("none", "samba.tests.tdb_util", py3_compatible=True)
>+planpythontestsuite("none", "samba.tests.samdb", py3_compatible=True)
> planpythontestsuite("none", "samba.tests.samdb_api", py3_compatible=True)
>
> if with_pam:
>--
>2.25.1
>
>
>From 63654ae298faeca069fc0c7d8ed2740a0ade29f2 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 10 Nov 2020 13:47:30 +1300
>Subject: [PATCH 044/686] selftest: Make as_canonicalization_tests.py
> auto-detect the NT4 domain name
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 2693f12fbe321e0f4932b1f74d7006dbac140e8e)
>---
> python/samba/tests/krb5/as_canonicalization_tests.py | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
>diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
>index c0c3208d216..221ff486fd8 100755
>--- a/python/samba/tests/krb5/as_canonicalization_tests.py
>+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
>@@ -184,18 +184,21 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
> cls.lp = cls.get_loadparm(cls)
> cls.username = os.environ["USERNAME"]
> cls.password = os.environ["PASSWORD"]
>- cls.domain = os.environ["DOMAIN"]
> cls.host = os.environ["SERVER"]
>
> c = Credentials()
> c.set_username(cls.username)
> c.set_password(cls.password)
>- c.set_domain(cls.domain)
> try:
> realm = os.environ["REALM"]
> c.set_realm(realm)
> except KeyError:
> pass
>+ try:
>+ domain = os.environ["DOMAIN"]
>+ c.set_domain(domain)
>+ except KeyError:
>+ pass
>
> c.guess()
>
>@@ -243,6 +246,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
> cls.user_creds = Credentials()
> cls.user_creds.guess(cls.lp)
> cls.user_creds.set_realm(cls.ldb.domain_dns_name().upper())
>+ cls.user_creds.set_domain(cls.ldb.domain_netbios_name().upper())
> cls.user_creds.set_password(cls.user_pass)
> cls.user_creds.set_username(cls.user_name)
> cls.user_creds.set_workstation(cls.machine_name)
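Review bot: `cls.ldb.domain_netbios_name().upper()` in the `@@ -243,6 +246,7 @@` hunk (and again for `machine_creds` in the `@@ -271,6 +275,7 @@` hunk) assumes a string, but `domain_netbios_name()` as added in PATCH 043 returns `None` when the crossRef search comes back empty. In that case class setup would stop with an `AttributeError` on `NoneType` rather than a message that names the missing crossRef. Fetching the value once and checking it makes the failure readable: `netbios_domain = cls.ldb.domain_netbios_name()`, then `if netbios_domain is None: raise AssertionError("no crossRef with nETBIOSName found for the default base DN")`, and pass `netbios_domain.upper()` to both `set_domain()` calls. The enclosing method starts and ends outside both hunks.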
>@@ -271,6 +275,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
> cls.machine_creds = Credentials()
> cls.machine_creds.guess(cls.lp)
> cls.machine_creds.set_realm(cls.ldb.domain_dns_name().upper())
>+ cls.machine_creds.set_domain(cls.ldb.domain_netbios_name().upper())
> cls.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
> cls.machine_creds.set_kerberos_state(DONT_USE_KERBEROS)
> cls.machine_creds.set_password(cls.machine_pass)
>--
>2.25.1
>
>
>From 9671d8e817d867bec9f5d9e05dcb040a957ce061 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 10 Nov 2020 11:21:24 +1300
>Subject: [PATCH 045/686] selftest: Fix formatting of failure (traceback and
> options swapped in format string)
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit ab8c0a181bebe17a597af49790f6e7b17e13c29b)
>---
> python/samba/tests/krb5/as_canonicalization_tests.py | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
>index 221ff486fd8..f0e9f6307f6 100755
>--- a/python/samba/tests/krb5/as_canonicalization_tests.py
>+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
>@@ -296,8 +296,8 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
> except pyasn1.error.PyAsn1Error as e:
> import traceback
> self.fail("ASN1 Error, Options {0:08b}:{1} {2}".format(
>- traceback.format_exc(),
> data.options,
>+ traceback.format_exc(),
> e))
> # If as_req triggered an expected server error response
> # No need to test the response data.
>--
>2.25.1
>
>
>From 1881eb17c7c775f162f971deec36c33756960740 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org> >Date: Tue, 10 Nov 2020 11:27:06 +1300 >Subject: [PATCH 046/686] selftest: Add in encrypted-pa-data from RFC 6806 > >This comes from Windows 2019 which supports FAST. > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit fc77ece0e2b5fd324809e17a9b208cc7854cee4b) >--- > python/samba/tests/krb5/rfc4120.asn1 | 3 ++- > python/samba/tests/krb5/rfc4120_pyasn1.py | 19 ++++++++++--------- > 2 files changed, 12 insertions(+), 10 deletions(-) > >diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 >index 58e0c1636a1..654f9788ca7 100644 >--- a/python/samba/tests/krb5/rfc4120.asn1 >+++ b/python/samba/tests/krb5/rfc4120.asn1 >@@ -239,7 +239,8 @@ EncKDCRepPart ::= SEQUENCE { > renew-till [8] KerberosTime OPTIONAL, > srealm [9] Realm, > sname [10] PrincipalName, >- caddr [11] HostAddresses OPTIONAL >+ caddr [11] HostAddresses OPTIONAL, >+ encrypted-pa-data[12] METHOD-DATA OPTIONAL > } > > LastReq ::= SEQUENCE OF SEQUENCE { >diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py >index b4ea678afd8..1d89f94adf1 100644 >--- a/python/samba/tests/krb5/rfc4120_pyasn1.py >+++ b/python/samba/tests/krb5/rfc4120_pyasn1.py >@@ -1,5 +1,5 @@ > # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 >-# (last modified on 2020-11-03 14:07:15.270009) >+# (last modified on 2020-11-06 11:30:42.476808) > > # KerberosV5Spec2 > from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful >@@ -438,6 +438,13 @@ LastReq.componentType = univ.Sequence(componentType=namedtype.NamedTypes( > )) > > >+class METHOD_DATA(univ.SequenceOf): >+ pass >+ >+ >+METHOD_DATA.componentType = PA_DATA() >+ >+ > class TicketFlags(KerberosFlags): > pass 
> >@@ -458,7 +465,8 @@ EncKDCRepPart.componentType = namedtype.NamedTypes( > namedtype.OptionalNamedType('renew-till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), > namedtype.NamedType('srealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), > namedtype.NamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 10))), >- namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))) >+ namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))), >+ namedtype.OptionalNamedType('encrypted-pa-data', METHOD_DATA().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 12))) > ) > > >@@ -702,13 +710,6 @@ KRB_SAFE.componentType = namedtype.NamedTypes( > ) > > >-class METHOD_DATA(univ.SequenceOf): >- pass >- >- >-METHOD_DATA.componentType = PA_DATA() >- >- > class MessageTypeValues(univ.Integer): > pass > >-- >2.25.1 > > >From 9b88ad620b67cb10072e24c4b8c8331555923201 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Tue, 10 Nov 2020 13:50:37 +1300 >Subject: [PATCH 047/686] selftest: Windows 2019 implements the RemoveDollar > behaviour for Enterprise principals > >This is documented in MS-KILE. 
> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Autobuild-User(master): Gary Lockyer <gary@samba.org> >Autobuild-Date(master): Wed Nov 11 02:38:46 UTC 2020 on sn-devel-184 > >(cherry picked from commit f214a3ba5a3e9f129f10062392ae03edd62d8186) >--- > .../tests/krb5/as_canonicalization_tests.py | 11 ---------- > selftest/knownfail.d/kdc-enterprise | 20 ------------------- > selftest/knownfail_mit_kdc | 20 +++++++++++++++++++ > 3 files changed, 20 insertions(+), 31 deletions(-) > >diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py >index f0e9f6307f6..caa186bed41 100755 >--- a/python/samba/tests/krb5/as_canonicalization_tests.py >+++ b/python/samba/tests/krb5/as_canonicalization_tests.py >@@ -366,17 +366,6 @@ class KerberosASCanonicalizationTests(RawKerberosTest): > self.assertEqual( > rep['msg-type'], KRB_ERROR, "Data {0}".format(str(data))) > >- # We should get KDC_ERR_PREAUTH_REQUIRED >- # unless the RemoveDollar and Enterprise options are set >- # then we should get a KDC_ERR_C_PRINCIPAL_UNKNOWN >- if TestOptions.RemoveDollar.is_set(data.options) and\ >- TestOptions.Enterprise.is_set(data.options): >- self.assertEqual( >- rep['error-code'], >- KDC_ERR_C_PRINCIPAL_UNKNOWN, >- "Error code {0}, Data {1}".format(rep['error-code'], str(data))) >- return (None, None) >- > self.assertEqual( > rep['error-code'], > KDC_ERR_PREAUTH_REQUIRED, >diff --git a/selftest/knownfail.d/kdc-enterprise b/selftest/knownfail.d/kdc-enterprise >index 4e4f8a93e03..d15d67c8af6 100644 >--- a/selftest/knownfail.d/kdc-enterprise >+++ b/selftest/knownfail.d/kdc-enterprise 
>@@ -1,19 +1,3 @@ >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( 
>-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\( 
>@@ -26,14 +10,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( 
>-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( >-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( >diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc >index 9bac4737591..00edbc0c34d 100644 >--- a/selftest/knownfail_mit_kdc >+++ b/selftest/knownfail_mit_kdc 
>@@ -150,3 +150,23 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UPN\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_UPN\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar\( 
>+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( >+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( >-- >2.25.1 > > >From 2c77435119d3577110f9eb8bbdbb3028634373a7 Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Wed, 4 Nov 2020 13:54:46 +1300 >Subject: [PATCH 048/686] selftest: add heimdal kdc specific known fail > >Add a heimdal kerberos specific known fail, will be needed by subsequent >commits. > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 5cb5134377f099353e0f91c44cc11e45d548d40f) >--- > selftest/knownfail_heimdal_kdc | 0 > selftest/wscript | 3 +++ > 2 files changed, 3 insertions(+) > create mode 100644 selftest/knownfail_heimdal_kdc > >diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc >new file mode 100644 >index 00000000000..e69de29bb2d >diff --git a/selftest/wscript b/selftest/wscript >index 80e0f1feabd..257dae04156 100644 >--- a/selftest/wscript >+++ b/selftest/wscript 
>@@ -270,6 +270,9 @@ def cmd_testonly(opt):
> env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc"
> env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
> "knownfail_mit_kdc"
>+ else:
>+ env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
>+ "knownfail_heimdal_kdc"
>
> if not CONFIG_GET(opt, 'HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X'):
> # older MIT krb5 libraries (< 1.14) don't have
>--
>2.25.1
>
>
>From b5e9b33136e1bc3319358ed128b5a969b9078aab Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Wed, 4 Nov 2020 13:58:24 +1300
>Subject: [PATCH 049/686] tests python krb5: Add python kerberos compatability
> tests
>
>Add new python test to document the differences between the MIT and
>Heimdal Kerberos implementations.
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 1e1d8b9c83f32c06ecab31214a20b77529ee038e)
>---
> .../samba/tests/krb5/compatability_tests.py | 174 ++++++++++++++++++
> python/samba/tests/usage.py | 1 +
> selftest/knownfail_heimdal_kdc | 4 +
> selftest/knownfail_mit_kdc | 4 +
> source4/selftest/tests.py | 1 +
> 5 files changed, 184 insertions(+)
> create mode 100755 python/samba/tests/krb5/compatability_tests.py
>
>diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py
>new file mode 100755
>index 00000000000..63bd5269c2b
>--- /dev/null
>+++ b/python/samba/tests/krb5/compatability_tests.py
>@@ -0,0 +1,174 @@
>+#!/usr/bin/env python3
>+# Unix SMB/CIFS implementation.
>+# Copyright (C) Stefan Metzmacher 2020
>+# Copyright (C) Catalyst.Net Ltd 2020
>+#
>+# This program is free software; you can redistribute it and/or modify
>+# it under the terms of the GNU General Public License as published by
>+# the Free Software Foundation; either version 3 of the License, or
>+# (at your option) any later version.
>+#
>+# This program is distributed in the hope that it will be useful,
>+# but WITHOUT ANY WARRANTY; without even the implied warranty of
>+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+# GNU General Public License for more details.
>+#
>+# You should have received a copy of the GNU General Public License
>+# along with this program. If not, see <http://www.gnu.org/licenses/>.
>+#
>+
>+import sys
>+import os
>+
>+sys.path.insert(0, "bin/python")
>+os.environ["PYTHONUNBUFFERED"] = "1"
>+
>+from samba.tests.krb5.raw_testcase import RawKerberosTest
>+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
>+
>+global_asn1_print = False
>+global_hexdump = False
>+
>+
>+class SimpleKerberosTests(RawKerberosTest):
>+
>+ def setUp(self):
>+ super(SimpleKerberosTests, self).setUp()
>+ self.do_asn1_print = global_asn1_print
>+ self.do_hexdump = global_hexdump
>+
>+ def test_mit_EncASRepPart_tag(self):
>+ creds = self.get_user_creds()
>+ (enc, _) = self.as_req(creds)
>+ self.assertEqual(0x7a, enc[0])
>+
>+ def test_heimdal_EncASRepPart_tag(self):
>+ creds = self.get_user_creds()
>+ (enc, _) = self.as_req(creds)
>+ self.assertEqual(0x79, enc[0])
>+
>+ def test_mit_EncryptedData_kvno(self):
>+ creds = self.get_user_creds()
>+ (_, enc) = self.as_req(creds)
>+ if 'kvno' in enc:
>+ self.fail("kvno present in EncryptedData")
>+
>+ def test_heimdal_EncryptedData_kvno(self):
>+ creds = self.get_user_creds()
>+ (_, enc) = self.as_req(creds)
>+ if 'kvno' not in enc:
>+ self.fail("kvno absent in EncryptedData")
>+
>+ def test_mit_EncASRepPart_FAST_support(self):
>+ creds = self.get_user_creds()
>+ (enc, _) = self.as_req(creds)
>+ self.assertEqual(0x7A, enc[0])
>+ as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncTGSRepPart())
>+ flags = int(as_rep['flags'], base=2)
>+ # MIT sets enc-pa-rep, flag bit 15
>+ # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests
>+ self.assertTrue(0x00010000 & flags)
>+
>+ def test_heimdal_EncASRepPart_FAST_support(self):
>+ creds = self.get_user_creds()
>+ (enc, _) = self.as_req(creds)
>+ self.assertEqual(0x79, enc[0])
>+ as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncASRepPart())
>+ flags = as_rep['flags']
>+ flags = int(as_rep['flags'], base=2)
>+ # Heimdal does not set enc-pa-rep, flag bit 15
>+ # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests
>+ self.assertFalse(0x00010000 & flags)
>+
>+ def as_req(self, creds):
>+ user = creds.get_username()
>+ realm = creds.get_realm()
>+
>+ cname = self.PrincipalName_create(name_type=1, names=[user])
>+ sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm])
>+
>+ till = self.get_KerberosTime(offset=36000)
>+
>+ kdc_options = krb5_asn1.KDCOptions('forwardable')
>+ padata = None
>+
>+ etypes = (18, 17, 23)
>+
>+ req = self.AS_REQ_create(padata=padata,
>+ kdc_options=str(kdc_options),
>+ cname=cname,
>+ realm=realm,
>+ sname=sname,
>+ from_time=None,
>+ till_time=till,
>+ renew_time=None,
>+ nonce=0x7fffffff,
>+ etypes=etypes,
>+ addresses=None,
>+ EncAuthorizationData=None,
>+ EncAuthorizationData_key=None,
>+ additional_tickets=None)
>+ rep = self.send_recv_transaction(req)
>+ self.assertIsNotNone(rep)
>+
>+ self.assertEqual(rep['msg-type'], 30)
>+ self.assertEqual(rep['error-code'], 25)
>+ rep_padata = self.der_decode(
>+ rep['e-data'],
>+ asn1Spec=krb5_asn1.METHOD_DATA())
>+
>+ for pa in rep_padata:
>+ if pa['padata-type'] == 19:
>+ etype_info2 = pa['padata-value']
>+ break
>+
>+ etype_info2 = self.der_decode(
>+ etype_info2,
>+ asn1Spec=krb5_asn1.ETYPE_INFO2())
>+
>+ key = self.PasswordKey_from_etype_info2(creds, etype_info2[0])
>+
>+ (patime, pausec) = self.get_KerberosTimeWithUsec()
>+ pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec)
>+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC())
>+
>+ enc_pa_ts_usage = 1
>+ pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts)
>+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData())
>+
>+ pa_ts = self.PA_DATA_create(2, pa_ts)
>+
>+ kdc_options = krb5_asn1.KDCOptions('forwardable')
>+ padata = [pa_ts]
>+
>+ req = self.AS_REQ_create(padata=padata,
>+ kdc_options=str(kdc_options),
>+ cname=cname,
>+ realm=realm,
>+ sname=sname,
>+ from_time=None,
>+ till_time=till,
>+ renew_time=None,
>+ nonce=0x7fffffff,
>+ etypes=etypes,
>+ addresses=None,
>+ EncAuthorizationData=None,
>+ EncAuthorizationData_key=None,
>+ additional_tickets=None)
>+ rep = self.send_recv_transaction(req)
>+ self.assertIsNotNone(rep)
>+
>+ msg_type = rep['msg-type']
>+ self.assertEqual(msg_type, 11)
>+
>+ usage = 3
>+ enc_part = rep['enc-part']
>+ enc_as_rep_part = key.decrypt(usage, rep['enc-part']['cipher'])
>+ return (enc_as_rep_part, enc_part)
>+
>+
>+if __name__ == "__main__":
>+ global_asn1_print = True
>+ global_hexdump = True
>+ import unittest
>+ unittest.main()
>diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
>index dc86f4808ae..cf1314ac9c6 100644
>--- a/python/samba/tests/usage.py
>+++ b/python/samba/tests/usage.py
>@@ -88,6 +88,7 @@ EXCLUDE_USAGE = {
> 'python/samba/tests/krb5/s4u_tests.py',
> 'python/samba/tests/krb5/xrealm_tests.py',
> 'python/samba/tests/krb5/as_canonicalization_tests.py',
>+ 'python/samba/tests/krb5/compatability_tests.py',
> }
>
>
>diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
>index e69de29bb2d..7ab56b6721b 100644
>--- a/selftest/knownfail_heimdal_kdc
>+++ b/selftest/knownfail_heimdal_kdc
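Review bot: In `as_req` of the new `compatability_tests.py`, `etype_info2` is bound only inside the `for pa in rep_padata:` loop, so a KDC error reply that carries no ETYPE-INFO2 padata makes the following `der_decode` call raise `UnboundLocalError` instead of failing the test with a readable message. Set `etype_info2 = None` before the loop and add `self.assertIsNotNone(etype_info2)` after it. The same loop is repeated in `get_pa_data` of `kdc_tests.py`, added later in this series. Separately, `test_heimdal_EncASRepPart_FAST_support` assigns `flags = as_rep['flags']` and overwrites it on the next line, so the first assignment can be dropped.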
>@@ -0,0 +1,4 @@
>+#
>+# We expect all the MIT specific compatability tests to fail on heimdal
>+# kerberos
>+^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_
>diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
>index 00edbc0c34d..9953d51f21d 100644
>--- a/selftest/knownfail_mit_kdc
>+++ b/selftest/knownfail_mit_kdc
>@@ -1,4 +1,8 @@
> #
>+# We expect all the heimdal specific compatability tests to fail on MIT
>+# kerberos
>+^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_heimdal_
>+#
> # Currently MOST but not quite all the Canonicalization tests fail on the
> # MIT KDC
> #
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index d56226bf561..c37b9050c2b 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -1229,6 +1229,7 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]:
> "samba4.krb5.kdc with machine account")
>
> planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests")
>+planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests")
>
> for env in [
> 'vampire_dc',
>--
>2.25.1
>
>
>From 169891ce134e0bfb6ec289b2170af86273288e19 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Tue, 10 Nov 2020 11:19:02 +1300
>Subject: [PATCH 050/686] tests python krb5: Add constants module
>
>Extract the constants used in the tests into a separate module.
>To reduce code duplication
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 532c941fbb8fc5fc5da4aa2d0e170229076e9aa7)
>---
> python/samba/tests/krb5/rfc4120_constants.py | 49 ++++++++++++++++++++
> python/samba/tests/usage.py | 1 +
> 2 files changed, 50 insertions(+)
> create mode 100644 python/samba/tests/krb5/rfc4120_constants.py
>
>diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py
>new file mode 100644
>index 00000000000..e939bb75e82
>--- /dev/null
>+++ b/python/samba/tests/krb5/rfc4120_constants.py
>@@ -0,0 +1,49 @@
>+# Unix SMB/CIFS implementation.
>+# Copyright (C) 2020 Catalyst.Net Ltd
>+#
>+# This program is free software; you can redistribute it and/or modify
>+# it under the terms of the GNU General Public License as published by
>+# the Free Software Foundation; either version 3 of the License, or
>+# (at your option) any later version.
>+#
>+# This program is distributed in the hope that it will be useful,
>+# but WITHOUT ANY WARRANTY; without even the implied warranty of
>+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+# GNU General Public License for more details.
>+#
>+# You should have received a copy of the GNU General Public License
>+# along with this program. If not, see <http://www.gnu.org/licenses/>.
>+#
>+
>+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
>+
>+# Encryption types
>+AES256_CTS_HMAC_SHA1_96 = int(
>+ krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96'))
>+AES128_CTS_HMAC_SHA1_96 = int(
>+ krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96'))
>+ARCFOUR_HMAC_MD5 = int(
>+ krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5'))
>+
>+# Message types
>+KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error'))
>+KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep'))
>+
>+# PAData types
>+PADATA_ENC_TIMESTAMP = int(
>+ krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP'))
>+PADATA_ETYPE_INFO2 = int(
>+ krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2'))
>+
>+# Error codes
>+KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
>+KDC_ERR_PREAUTH_FAILED = 24
>+KDC_ERR_PREAUTH_REQUIRED = 25
>+KDC_ERR_SKEW = 37
>+
>+# Name types
>+NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN'))
>+NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL'))
>+NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST'))
>+NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues(
>+ 'kRB5-NT-ENTERPRISE-PRINCIPAL'))
>diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
>index cf1314ac9c6..a642940570d 100644
>--- a/python/samba/tests/usage.py
>+++ b/python/samba/tests/usage.py
>@@ -89,6 +89,7 @@ EXCLUDE_USAGE = {
> 'python/samba/tests/krb5/xrealm_tests.py',
> 'python/samba/tests/krb5/as_canonicalization_tests.py',
> 'python/samba/tests/krb5/compatability_tests.py',
>+ 'python/samba/tests/krb5/rfc4120_constants.py',
> }
>
>
>--
>2.25.1
>
>
>From 502ac974c027ecc654076fb5474e0ddc848e21f1 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Tue, 10 Nov 2020 11:20:03 +1300
>Subject: [PATCH 051/686] tests python krb5: Refactor canonicalization test
> constants
>
>Modify tests to use the constants defined in rfc4120_constants.py
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 97b830cbcac53fcf49bbcd272812d1ba019bac51)
>---
> .../tests/krb5/as_canonicalization_tests.py | 30 +------------------
> 1 file changed, 1 insertion(+), 29 deletions(-)
>
>diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
>index caa186bed41..303788b672e 100755
>--- a/python/samba/tests/krb5/as_canonicalization_tests.py
>+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
>@@ -41,6 +41,7 @@ from samba.dsdb import (
> UF_NORMAL_ACCOUNT)
> from samba.samdb import SamDB
> from samba.tests import delete_force, DynamicTestCase
>+from samba.tests.krb5.rfc4120_constants import *
>
> global_asn1_print = False
> global_hexdump = False
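Review bot: The added `from samba.tests.krb5.rfc4120_constants import *` in `as_canonicalization_tests.py` hides which names the test takes from the constants module, and because that module defines no `__all__` the wildcard also pulls in its `krb5_asn1` alias. An explicit import of the thirteen names whose local definitions this patch removes (from `AES256_CTS_HMAC_SHA1_96` to `NT_ENTERPRISE_PRINCIPAL`) would keep a later addition to `rfc4120_constants.py` from silently shadowing a name in the test. The same wildcard import is added to `compatability_tests.py` and `kdc_tests.py` in the following patches.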
>@@ -123,35 +124,6 @@ class TestData:
> MACHINE_NAME = "tstkrb5cnnmch"
> USER_NAME = "tstkrb5cnnusr"
>
>-# Encryption types
>-AES256_CTS_HMAC_SHA1_96 = int(
>- krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96'))
>-AES128_CTS_HMAC_SHA1_96 = int(
>- krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96'))
>-ARCFOUR_HMAC_MD5 = int(
>- krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5'))
>-
>-# Message types
>-KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error'))
>-KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep'))
>-
>-# PAData types
>-PADATA_ENC_TIMESTAMP = int(
>- krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP'))
>-PADATA_ETYPE_INFO2 = int(
>- krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2'))
>-
>-# Error codes
>-KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
>-KDC_ERR_PREAUTH_REQUIRED = 25
>-
>-# Name types
>-NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN'))
>-NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL'))
>-NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST'))
>-NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-ENTERPRISE-PRINCIPAL'))
>-
>-
> @DynamicTestCase
> class KerberosASCanonicalizationTests(RawKerberosTest):
>
>--
>2.25.1
>
>
>From 831593578f5fd987c6eb5ec2f45b0e968e57b868 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Tue, 10 Nov 2020 11:20:58 +1300
>Subject: [PATCH 052/686] tests python krb5: Refactor compatability test
> constants
>
>Modify tests to use the constants defined in rfc4120_constants.py
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 82a413f48b7ef71feb68fc34f7ca753d45eb8974)
>---
> .../samba/tests/krb5/compatability_tests.py | 42 ++++++++++++-------
> 1 file changed, 28 insertions(+), 14 deletions(-)
>
>diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py
>index 63bd5269c2b..bf561346ab3 100755
>--- a/python/samba/tests/krb5/compatability_tests.py
>+++ b/python/samba/tests/krb5/compatability_tests.py
>@@ -25,10 +25,17 @@ os.environ["PYTHONUNBUFFERED"] = "1"
>
> from samba.tests.krb5.raw_testcase import RawKerberosTest
> import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
>+from samba.tests.krb5.rfc4120_constants import *
>
> global_asn1_print = False
> global_hexdump = False
>
>+HIEMDAL_ENC_AS_REP_PART_TYPE_TAG = 0x79
>+# MIT uses the EncTGSRepPart tag for the EncASRepPart
>+MIT_ENC_AS_REP_PART_TYPE_TAG = 0x7A
>+
>+ENC_PA_REP_FLAG = 0x00010000
>+
>
> class SimpleKerberosTests(RawKerberosTest):
>
>@@ -40,12 +47,12 @@ class SimpleKerberosTests(RawKerberosTest):
> def test_mit_EncASRepPart_tag(self):
> creds = self.get_user_creds()
> (enc, _) = self.as_req(creds)
>- self.assertEqual(0x7a, enc[0])
>+ self.assertEqual(MIT_ENC_AS_REP_PART_TYPE_TAG, enc[0])
>
> def test_heimdal_EncASRepPart_tag(self):
> creds = self.get_user_creds()
> (enc, _) = self.as_req(creds)
>- self.assertEqual(0x79, enc[0])
>+ self.assertEqual(HIEMDAL_ENC_AS_REP_PART_TYPE_TAG, enc[0])
>
> def test_mit_EncryptedData_kvno(self):
> creds = self.get_user_creds()
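Review bot: The new module constant `HIEMDAL_ENC_AS_REP_PART_TYPE_TAG` misspells Heimdal, and the misspelt name is then used in `test_heimdal_EncASRepPart_tag` and `test_heimdal_EncASRepPart_FAST_support`. Since the name is introduced by this patch, renaming it to `HEIMDAL_ENC_AS_REP_PART_TYPE_TAG` now avoids the typo spreading to later tests. A comment matching the MIT one would also help the reader, for example `# Heimdal uses the EncASRepPart tag ([APPLICATION 25])`.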
>@@ -62,37 +69,44 @@ class SimpleKerberosTests(RawKerberosTest):
> def test_mit_EncASRepPart_FAST_support(self):
> creds = self.get_user_creds()
> (enc, _) = self.as_req(creds)
>- self.assertEqual(0x7A, enc[0])
>+ self.assertEqual(MIT_ENC_AS_REP_PART_TYPE_TAG, enc[0])
> as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncTGSRepPart())
> flags = int(as_rep['flags'], base=2)
> # MIT sets enc-pa-rep, flag bit 15
> # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests
>- self.assertTrue(0x00010000 & flags)
>+ self.assertTrue(ENC_PA_REP_FLAG & flags)
>
> def test_heimdal_EncASRepPart_FAST_support(self):
> creds = self.get_user_creds()
> (enc, _) = self.as_req(creds)
>- self.assertEqual(0x79, enc[0])
>+ self.assertEqual(HIEMDAL_ENC_AS_REP_PART_TYPE_TAG, enc[0])
> as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncASRepPart())
> flags = as_rep['flags']
> flags = int(as_rep['flags'], base=2)
> # Heimdal does not set enc-pa-rep, flag bit 15
> # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests
>- self.assertFalse(0x00010000 & flags)
>+ self.assertFalse(ENC_PA_REP_FLAG & flags)
>
> def as_req(self, creds):
> user = creds.get_username()
> realm = creds.get_realm()
>
>- cname = self.PrincipalName_create(name_type=1, names=[user])
>- sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm])
>+ cname = self.PrincipalName_create(
>+ name_type=NT_PRINCIPAL,
>+ names=[user])
>+ sname = self.PrincipalName_create(
>+ name_type=NT_SRV_INST,
>+ names=["krbtgt", realm])
>
> till = self.get_KerberosTime(offset=36000)
>
> kdc_options = krb5_asn1.KDCOptions('forwardable')
> padata = None
>
>- etypes = (18, 17, 23)
>+ etypes = (
>+ AES256_CTS_HMAC_SHA1_96,
>+ AES128_CTS_HMAC_SHA1_96,
>+ ARCFOUR_HMAC_MD5)
>
> req = self.AS_REQ_create(padata=padata,
> kdc_options=str(kdc_options),
>@@ -111,14 +125,14 @@ class SimpleKerberosTests(RawKerberosTest):
> rep = self.send_recv_transaction(req)
> self.assertIsNotNone(rep)
>
>- self.assertEqual(rep['msg-type'], 30)
>- self.assertEqual(rep['error-code'], 25)
>+ self.assertEqual(rep['msg-type'], KRB_ERROR)
>+ self.assertEqual(rep['error-code'], KDC_ERR_PREAUTH_REQUIRED)
> rep_padata = self.der_decode(
> rep['e-data'],
> asn1Spec=krb5_asn1.METHOD_DATA())
>
> for pa in rep_padata:
>- if pa['padata-type'] == 19:
>+ if pa['padata-type'] == PADATA_ETYPE_INFO2:
> etype_info2 = pa['padata-value']
> break
>
>@@ -136,7 +150,7 @@ class SimpleKerberosTests(RawKerberosTest):
> pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts)
> pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData())
>
>- pa_ts = self.PA_DATA_create(2, pa_ts)
>+ pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts)
>
> kdc_options = krb5_asn1.KDCOptions('forwardable')
> padata = [pa_ts]
>@@ -159,7 +173,7 @@ class SimpleKerberosTests(RawKerberosTest):
> self.assertIsNotNone(rep)
>
> msg_type = rep['msg-type']
>- self.assertEqual(msg_type, 11)
>+ self.assertEqual(msg_type, KRB_AS_REP)
>
> usage = 3
> enc_part = rep['enc-part']
>--
>2.25.1
>
>
>From 7c5000863307f55157dec2f38dd61eeae7072757 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Tue, 10 Nov 2020 13:51:39 +1300
>Subject: [PATCH 053/686] tests python krb5: raw_testcase permit RC4 salts
>
>MIT kerberos returns a salt when ARCFOUR_HMAC_MD5, this commit removes
>the check that a salt is not returned. A test for the difference
>between MIT and Heimdal will be added in the subsequent commits.
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 1bab87c50baf0fecb5d4cd09e1a9896730c6377e)
>---
> python/samba/tests/krb5/raw_testcase.py | 1 -
> 1 file changed, 1 deletion(-)
>
>diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
>index 45e46e0b7ba..e67f5464e59 100644
>--- a/python/samba/tests/krb5/raw_testcase.py
>+++ b/python/samba/tests/krb5/raw_testcase.py
>@@ -425,7 +425,6 @@ class RawKerberosTest(TestCase):
> pass
>
> if e == kcrypto.Enctype.RC4:
>- self.assertIsNone(salt)
> nthash = creds.get_nt_hash()
> return self.SessionKey_create(etype=e, contents=nthash, kvno=kvno)
>
>--
>2.25.1
>
>
>From 077a1a0428e5ba924f3692ef7f6789573b946f29 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Fri, 6 Nov 2020 09:07:04 +1300
>Subject: [PATCH 054/686] tests python krb5: Convert kdc-heimdal to python
>
>Implement the tests in source4/torture/krb5/kdc-heimdal.c in python.
>The following tests were not re-implemented as they are client side
>tests for the "Orpheus Lyre" attack:
> TORTURE_KRB5_TEST_CHANGE_SERVER_OUT
> TORTURE_KRB5_TEST_CHANGE_SERVER_IN
> TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit a00a1c9745033dae05eee17cfa4e2c5354a81e68)
>---
> python/samba/tests/krb5/kdc_tests.py | 219 +++++++++++++++++++++++++++
> python/samba/tests/usage.py | 1 +
> source4/selftest/tests.py | 1 +
> 3 files changed, 221 insertions(+)
> create mode 100755 python/samba/tests/krb5/kdc_tests.py
>
>diff --git a/python/samba/tests/krb5/kdc_tests.py b/python/samba/tests/krb5/kdc_tests.py
>new file mode 100755
>index 00000000000..57a25448965
>--- /dev/null
>+++ b/python/samba/tests/krb5/kdc_tests.py
>@@ -0,0 +1,219 @@ >+#!/usr/bin/env python3 >+# Unix SMB/CIFS implementation. >+# Copyright (C) Stefan Metzmacher 2020 >+# Copyright (C) 2020 Catalyst.Net Ltd >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import sys >+import os >+ >+sys.path.insert(0, "bin/python") >+os.environ["PYTHONUNBUFFERED"] = "1" >+ >+from samba.tests.krb5.raw_testcase import RawKerberosTest >+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 >+from samba.tests.krb5.rfc4120_constants import * >+ >+global_asn1_print = False >+global_hexdump = False >+ >+ >+class KdcTests(RawKerberosTest): >+ """ Port of the tests in source4/torture/krb5/kdc-heimdal.c >+ To python. 
>+ """ >+ >+ def setUp(self): >+ super(KdcTests, self).setUp() >+ self.do_asn1_print = global_asn1_print >+ self.do_hexdump = global_hexdump >+ >+ def as_req(self, creds, etypes, padata=None): >+ user = creds.get_username() >+ realm = creds.get_realm() >+ >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[user]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, >+ names=["krbtgt", realm]) >+ till = self.get_KerberosTime(offset=36000) >+ >+ kdc_options = 0 >+ >+ req = self.AS_REQ_create(padata=padata, >+ kdc_options=str(kdc_options), >+ cname=cname, >+ realm=realm, >+ sname=sname, >+ from_time=None, >+ till_time=till, >+ renew_time=None, >+ nonce=0x7fffffff, >+ etypes=etypes, >+ addresses=None, >+ EncAuthorizationData=None, >+ EncAuthorizationData_key=None, >+ additional_tickets=None) >+ rep = self.send_recv_transaction(req) >+ return rep >+ >+ def get_pa_data(self, creds, rep, skew=0): >+ rep_padata = self.der_decode( >+ rep['e-data'], >+ asn1Spec=krb5_asn1.METHOD_DATA()) >+ >+ for pa in rep_padata: >+ if pa['padata-type'] == PADATA_ETYPE_INFO2: >+ etype_info2 = pa['padata-value'] >+ break >+ >+ etype_info2 = self.der_decode( >+ etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) >+ >+ key = self.PasswordKey_from_etype_info2(creds, etype_info2[0]) >+ >+ (patime, pausec) = self.get_KerberosTimeWithUsec(offset=skew) >+ pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) >+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) >+ >+ enc_pa_ts_usage = 1 >+ pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) >+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) >+ >+ pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) >+ >+ padata = [pa_ts] >+ return padata >+ >+ def check_pre_authenication(self, rep): >+ """ Check that the kdc response was pre-authentication required >+ """ >+ self.check_error_rep(rep, KDC_ERR_PREAUTH_REQUIRED) >+ >+ def check_as_reply(self, rep): >+ """ Check that the kdc 
response is an AS-REP and that the
>+ values for:
>+ msg-type
>+ pvno
>+ tkt-pvno
>+ kvno
>+ match the expected values
>+ """
>+
>+ # Should have a reply, and it should an AS-REP message.
>+ self.assertIsNotNone(rep)
>+ self.assertEqual(rep['msg-type'], KRB_AS_REP)
>+
>+ # Protocol version number should be 5
>+ pvno = int(rep['pvno'])
>+ self.assertEqual(5, pvno)
>+
>+ # The ticket version number should be 5
>+ tkt_vno = int(rep['ticket']['tkt-vno'])
>+ self.assertEqual(5, tkt_vno)
>+
>+ # Check that the kvno is not an RODC kvno
>+ # MIT kerberos does not provide the kvno, so we treat it as optional.
>+ # This is tested in compatability_test.py
>+ if 'kvno' in rep['enc-part']:
>+ kvno = int(rep['enc-part']['kvno'])
>+ # If the high order bits are set this is an RODC kvno.
>+ self.assertEqual(0, kvno & 0xFFFF0000)
>+
>+ def check_error_rep(self, rep, expected):
>+ """ Check that the reply is an error message, with the expected
>+ error-code specified.
>+ """
>+ self.assertIsNotNone(rep)
>+ self.assertEqual(rep['msg-type'], KRB_ERROR)
>+ self.assertEqual(rep['error-code'], expected)
>+
>+ def test_aes256_cts_hmac_sha1_96(self):
>+ creds = self.get_user_creds()
>+ etype = (AES256_CTS_HMAC_SHA1_96,)
>+
>+ rep = self.as_req(creds, etype)
>+ self.check_pre_authenication(rep)
>+
>+ padata = self.get_pa_data(creds, rep)
>+ rep = self.as_req(creds, etype, padata=padata)
>+ self.check_as_reply(rep)
>+
>+ etype = rep['enc-part']['etype']
>+ self.assertEquals(AES256_CTS_HMAC_SHA1_96, etype)
>+
>+ def test_arc4_hmac_md5(self):
>+ creds = self.get_user_creds()
>+ etype = (ARCFOUR_HMAC_MD5,)
>+
>+ rep = self.as_req(creds, etype)
>+ self.check_pre_authenication(rep)
>+
>+ padata = self.get_pa_data(creds, rep)
>+ rep = self.as_req(creds, etype, padata=padata)
>+ self.check_as_reply(rep)
>+
>+ etype = rep['enc-part']['etype']
>+ self.assertEquals(ARCFOUR_HMAC_MD5, etype)
>+
>+ def test_aes_rc4(self):
>+ creds = self.get_user_creds()
>+ etype = (AES256_CTS_HMAC_SHA1_96,
ARCFOUR_HMAC_MD5)
>+
>+ rep = self.as_req(creds, etype)
>+ self.check_pre_authenication(rep)
>+
>+ padata = self.get_pa_data(creds, rep)
>+ rep = self.as_req(creds, etype, padata=padata)
>+ self.check_as_reply(rep)
>+
>+ etype = rep['enc-part']['etype']
>+ self.assertEquals(AES256_CTS_HMAC_SHA1_96, etype)
>+
>+ def test_clock_skew(self):
>+ creds = self.get_user_creds()
>+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
>+
>+ rep = self.as_req(creds, etype)
>+ self.check_pre_authenication(rep)
>+
>+ padata = self.get_pa_data(creds, rep, skew=3600)
>+ rep = self.as_req(creds, etype, padata=padata)
>+
>+ self.check_error_rep(rep, KDC_ERR_SKEW)
>+
>+ def test_invalid_password(self):
>+ creds = self.insta_creds(template=self.get_user_creds())
>+ creds.set_password("Not the correct password")
>+
>+ etype = (AES256_CTS_HMAC_SHA1_96,)
>+
>+ rep = self.as_req(creds, etype)
>+ self.check_pre_authenication(rep)
>+
>+ padata = self.get_pa_data(creds, rep)
>+ rep = self.as_req(creds, etype, padata=padata)
>+
>+ self.check_error_rep(rep, KDC_ERR_PREAUTH_FAILED)
>+
>+
>+if __name__ == "__main__":
>+ global_asn1_print = True
>+ global_hexdump = True
>+ import unittest
>+ unittest.main()
>diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
>index a642940570d..11cd405deea 100644
>--- a/python/samba/tests/usage.py
>+++ b/python/samba/tests/usage.py
>@@ -90,6 +90,7 @@ EXCLUDE_USAGE = {
> 'python/samba/tests/krb5/as_canonicalization_tests.py',
> 'python/samba/tests/krb5/compatability_tests.py',
> 'python/samba/tests/krb5/rfc4120_constants.py',
>+ 'python/samba/tests/krb5/kdc_tests.py',
> }
>
>
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index c37b9050c2b..f2cdae9342c 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
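Review bot: In `get_pa_data` of the new kdc_tests.py, `etype_info2` is assigned only inside the `for pa in rep_padata:` loop, so an error reply whose e-data holds no PADATA_ETYPE_INFO2 entry makes the following `der_decode` call raise UnboundLocalError instead of a readable test failure. Giving the loop an `else: self.fail("no PADATA_ETYPE_INFO2 in e-data")` clause turns that into an explicit assertion. The three `self.assertEquals(...)` calls in `test_aes256_cts_hmac_sha1_96`, `test_arc4_hmac_md5` and `test_aes_rc4` use the deprecated alias and should read `self.assertEqual(...)`. `test_clock_skew` only sends a timestamp 3600 seconds ahead; if `get_KerberosTimeWithUsec` accepts a negative offset, a `skew=-3600` case would also cover stale timestamps, which is the direction a skew check mainly exists to reject.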
>@@ -1230,6 +1230,7 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]:
>
> planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests")
> planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests")
>+planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests")
>
> for env in [
> 'vampire_dc',
>--
>2.25.1
>
>
>From 0ab271f36f48d560bac41058bcb34a7bb60aa57e Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Tue, 10 Nov 2020 16:56:46 +1300
>Subject: [PATCH 055/686] tests python krb5: refactor compatability tests
>
>Refactor to aid the adding of tests for the inclusion of a salt when
>ARCFOUR_HMAC_MD5 encryption selected
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit d492355f293e2da400318665035b056dfaba852c)
>---
> .../samba/tests/krb5/compatability_tests.py | 24 ++++++++++++++-----
> 1 file changed, 18 insertions(+), 6 deletions(-)
>
>diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py
>index bf561346ab3..5990d2ce8df 100755
>--- a/python/samba/tests/krb5/compatability_tests.py
>+++ b/python/samba/tests/krb5/compatability_tests.py
>@@ -87,7 +87,7 @@ class SimpleKerberosTests(RawKerberosTest):
> # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests
> self.assertFalse(ENC_PA_REP_FLAG & flags)
>
>- def as_req(self, creds):
>+ def as_pre_auth_req(self, creds, etypes):
> user = creds.get_username()
> realm = creds.get_realm()
>
>@@ -103,10 +103,6 @@ class SimpleKerberosTests(RawKerberosTest):
> kdc_options = krb5_asn1.KDCOptions('forwardable')
> padata = None
>
>- etypes = (
>- AES256_CTS_HMAC_SHA1_96,
>- AES128_CTS_HMAC_SHA1_96,
>- ARCFOUR_HMAC_MD5)
>
> req = self.AS_REQ_create(padata=padata,
> kdc_options=str(kdc_options),
>@@ -123,10 +119,16 @@ class SimpleKerberosTests(RawKerberosTest):
> EncAuthorizationData_key=None,
> additional_tickets=None)
> rep = self.send_recv_transaction(req)
>- self.assertIsNotNone(rep)
>
>+ return (rep, cname, sname, realm, till)
>+
>+ def check_preauth_rep(self, rep):
>+ self.assertIsNotNone(rep)
> self.assertEqual(rep['msg-type'], KRB_ERROR)
> self.assertEqual(rep['error-code'], KDC_ERR_PREAUTH_REQUIRED)
>+
>+ def get_etype_info2(self, rep):
>+
> rep_padata = self.der_decode(
> rep['e-data'],
> asn1Spec=krb5_asn1.METHOD_DATA())
>@@ -139,7 +141,17 @@ class SimpleKerberosTests(RawKerberosTest):
> etype_info2 = self.der_decode(
> etype_info2,
> asn1Spec=krb5_asn1.ETYPE_INFO2())
>+ return etype_info2
>+
>+ def as_req(self, creds):
>+ etypes = (
>+ AES256_CTS_HMAC_SHA1_96,
>+ AES128_CTS_HMAC_SHA1_96,
>+ ARCFOUR_HMAC_MD5)
>+ (rep, cname, sname, realm, till) = self.as_pre_auth_req(creds, etypes)
>+ self.check_preauth_rep(rep)
>
>+ etype_info2 = self.get_etype_info2(rep)
> key = self.PasswordKey_from_etype_info2(creds, etype_info2[0])
>
> (patime, pausec) = self.get_KerberosTimeWithUsec()
>--
>2.25.1
>
>
>From 4ca40699c28f42ead5f735df243d7ec2d0b215f1 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Tue, 10 Nov 2020 16:57:11 +1300
>Subject: [PATCH 056/686] tests python krb5: add arcfour salt tests
>
>MIT kerberos returns a salt when ARCFOUR_HMAC_MD5 encryption selected,
>Heimdal does not.
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>
>Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
>Autobuild-Date(master): Thu Nov 12 22:54:22 UTC 2020 on sn-devel-184
>
>(cherry picked from commit 2ba6d596ff0a3580eca9285fd83569bcb147ce77)
>---
> .../samba/tests/krb5/compatability_tests.py | 20 +++++++++++++++++++
> 1 file changed, 20 insertions(+)
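Review bot: The `@@ -123,10 +119,16 @@` hunk makes `as_pre_auth_req` return the positional tuple `(rep, cname, sname, realm, till)` without a docstring, and the new `check_preauth_rep` and `get_etype_info2` helpers are undocumented too, so a caller has to read the body to learn the element order. A docstring on `as_pre_auth_req` such as `"""Send an AS-REQ with no padata; return (rep, cname, sname, realm, till)."""` plus a one-line summary on each helper would cover it. The loop in `get_etype_info2` that picks the PADATA_ETYPE_INFO2 entry lies between the hunks, so whether it handles a reply without that entry cannot be judged from here and is worth checking, since the method now returns the value to several callers.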
>
>diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py
>index 5990d2ce8df..e4b1453e712 100755
>--- a/python/samba/tests/krb5/compatability_tests.py
>+++ b/python/samba/tests/krb5/compatability_tests.py
>@@ -87,6 +87,26 @@ class SimpleKerberosTests(RawKerberosTest):
> # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests
> self.assertFalse(ENC_PA_REP_FLAG & flags)
>
>+ def test_mit_arcfour_salt(self):
>+ creds = self.get_user_creds()
>+ etypes = (ARCFOUR_HMAC_MD5,)
>+ (rep, *_) = self.as_pre_auth_req(creds, etypes)
>+ self.check_preauth_rep(rep)
>+ etype_info2 = self.get_etype_info2(rep)
>+ if 'salt' not in etype_info2[0]:
>+ self.fail(
>+ "(MIT) Salt not populated for ARCFOUR_HMAC_MD5 encryption")
>+
>+ def test_heimdal_arcfour_salt(self):
>+ creds = self.get_user_creds()
>+ etypes = (ARCFOUR_HMAC_MD5,)
>+ (rep, *_) = self.as_pre_auth_req(creds, etypes)
>+ self.check_preauth_rep(rep)
>+ etype_info2 = self.get_etype_info2(rep)
>+ if 'salt' in etype_info2[0]:
>+ self.fail(
>+ "(Heimdal) Salt populated for ARCFOUR_HMAC_MD5 encryption")
>+
> def as_pre_auth_req(self, creds, etypes):
> user = creds.get_username()
> realm = creds.get_realm()
>--
>2.25.1
>
>
>From 65822aeaf3015ec94f371054227f4d5516d364af Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Wed, 18 Nov 2020 14:49:28 +1300
>Subject: [PATCH 057/686] tests python krb5: Extra canonicalization tests
>
>Add tests that set the server name to the client name for the machine
>account in the kerberos AS_REQ. This replicates the TEST_AS_REQ_SELF
>test phase in source4/torture/krb5/kdc-canon-heimdal.c.
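Review bot: `test_mit_arcfour_salt` and `test_heimdal_arcfour_salt` assert opposite things about the same ETYPE-INFO2 entry, so on any one KDC build one of them has to fail, and the diffstat lists only this file, so whatever knownfail entries keep selftest green are presumably maintained elsewhere. A comment above the pair, for example `# Exactly one of the two salt tests fails per KDC flavour; the failing one is listed in the per-KDC knownfail file`, would stop a later reader from "fixing" the failing test. Both tests index `etype_info2[0]` without first asserting that the decoded list is non-empty, so an empty ETYPE-INFO2 would surface as an IndexError rather than a test failure. The `if ...: self.fail(...)` pairs could be written as `self.assertIn('salt', etype_info2[0], msg)` and `self.assertNotIn('salt', etype_info2[0], msg)`.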
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>
>Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
>Autobuild-Date(master): Mon Nov 30 05:21:42 UTC 2020 on sn-devel-184
>
>(cherry picked from commit 7f7e2b0e1e17321d800de787098bb2b2c8259ecd)
>---
> .../tests/krb5/as_canonicalization_tests.py | 74 +++++++++-----
> selftest/knownfail.d/kdc-enterprise | 26 +++++
> selftest/knownfail_mit_kdc | 96 +++++++++++++++++++
> 3 files changed, 172 insertions(+), 24 deletions(-)
>
>diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
>index 303788b672e..6ea3ff0491e 100755
>--- a/python/samba/tests/krb5/as_canonicalization_tests.py
>+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
>@@ -56,7 +56,8 @@ class TestOptions(Enum):
> NetbiosRealm = 16
> UPN = 32
> RemoveDollar = 64
>- Last = 128
>+ AsReqSelf = 128
>+ Last = 256
>
> def is_set(self, x):
> return self.value & x
>@@ -76,8 +77,8 @@ class TestData:
> def __init__(self, options, creds):
> self.options = options
> self.user_creds = creds
>- self.user_name = self.get_username(options, creds)
>- self.realm = self.get_realm(options, creds)
>+ self.user_name = self._get_username(options, creds)
>+ self.realm = self._get_realm(options, creds)
>
> if TestOptions.Enterprise.is_set(options):
> client_name_type = NT_ENTERPRISE_PRINCIPAL
>@@ -86,11 +87,14 @@ class TestData:
>
> self.cname = RawKerberosTest.PrincipalName_create(
> name_type=client_name_type, names=[self.user_name])
>- self.sname = RawKerberosTest.PrincipalName_create(
>- name_type=NT_SRV_INST, names=["krbtgt", self.realm])
>+ if TestOptions.AsReqSelf.is_set(options):
>+ self.sname = self.cname
>+ else:
>+ self.sname = RawKerberosTest.PrincipalName_create(
>+ name_type=NT_SRV_INST, names=["krbtgt", self.realm])
> self.canonicalize = TestOptions.Canonicalize.is_set(options)
>
>- def get_realm(self, options, creds):
>+ def _get_realm(self, options, creds):
> realm = creds.get_realm()
> if TestOptions.NetbiosRealm.is_set(options):
> realm = creds.get_domain()
>@@ -100,7 +104,7 @@ class TestData:
> realm = realm.lower()
> return realm
>
>- def get_username(self, options, creds):
>+ def _get_username(self, options, creds):
> name = creds.get_username()
> if TestOptions.RemoveDollar.is_set(options) and name.endswith("$"):
> name = name[:-1]
>@@ -135,6 +139,9 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
> if ct != CredentialsType.Machine and\
> TestOptions.RemoveDollar.is_set(options):
> return True
>+ if ct != CredentialsType.Machine and\
>+ TestOptions.AsReqSelf.is_set(options):
>+ return True
> return False
>
> def build_test_name(ct, options):
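Review bot: The new skip condition in the `@@ -135,6 +139,9 @@` hunk carries no comment saying why `AsReqSelf` permutations are dropped for non-machine credentials; only the commit message mentions that the self-referencing AS-REQ is meant for the machine account. A line such as `# AS-REQ to self is only exercised with the machine account` above the added `if` would keep that reasoning in the file. The added block repeats the `ct != CredentialsType.Machine` test of the `RemoveDollar` check just above it, so the two could share one condition. The enclosing function starts outside the hunk.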
>@@ -448,26 +455,45 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
>
> def check_sname(self, sname, data):
> nt = sname['name-type']
>- self.assertEqual(
>- NT_SRV_INST,
>- nt,
>- "sname name-type, Options {0:08b}".format(data.options))
>-
> ns = sname['name-string']
> name = ns[0].decode('ascii')
>- self.assertEqual(
>- 'krbtgt',
>- name,
>- "sname principal, Options {0:08b}".format(data.options))
>
>- realm = ns[1].decode('ascii')
>- expected = data.realm
>- if TestOptions.Canonicalize.is_set(data.options):
>- expected = data.user_creds.get_realm().upper()
>- self.assertEqual(
>- expected,
>- realm,
>- "sname realm, Options {0:08b}".format(data.options))
>+ if TestOptions.AsReqSelf.is_set(data.options):
>+ expected_name_type = NT_PRINCIPAL
>+ if not TestOptions.Canonicalize.is_set(data.options)\
>+ and TestOptions.Enterprise.is_set(data.options):
>+
>+ expected_name_type = NT_ENTERPRISE_PRINCIPAL
>+
>+ self.assertEqual(
>+ expected_name_type,
>+ nt,
>+ "sname name-type, Options {0:08b}".format(data.options))
>+ expected = data.user_name
>+ if TestOptions.Canonicalize.is_set(data.options):
>+ expected = data.user_creds.get_username()
>+ self.assertEqual(
>+ expected,
>+ name,
>+ "sname principal, Options {0:08b}".format(data.options))
>+ else:
>+ self.assertEqual(
>+ NT_SRV_INST,
>+ nt,
>+ "sname name-type, Options {0:08b}".format(data.options))
>+ self.assertEqual(
>+ 'krbtgt',
>+ name,
>+ "sname principal, Options {0:08b}".format(data.options))
>+
>+ realm = ns[1].decode('ascii')
>+ expected = data.realm
>+ if TestOptions.Canonicalize.is_set(data.options):
>+ expected = data.user_creds.get_realm().upper()
>+ self.assertEqual(
>+ expected,
>+ realm,
>+ "sname realm, Options {0:08b}".format(data.options))
>
> def check_srealm(self, srealm, data):
> realm = data.user_creds.get_realm()
>diff --git a/selftest/knownfail.d/kdc-enterprise b/selftest/knownfail.d/kdc-enterprise
>index d15d67c8af6..c9b6c98a2ee 100644
>--- a/selftest/knownfail.d/kdc-enterprise
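Review bot: In the new `AsReqSelf` branch of `check_sname` only `ns[0]` is compared with the expected user name, so a reply whose `name-string` carries extra components would still pass, whereas the `else` branch checks both `ns[0]` and `ns[1]`. Since `TestData` builds the self-referencing sname from the single-element `names=[self.user_name]`, the branch could add `self.assertEqual(1, len(ns), "sname components, Options {0:08b}".format(data.options))`, assuming a one-component name is what the KDC should return, which the hunk does not show. The backslash-continued `if not ...Canonicalize...\ and ...Enterprise...:` followed by an empty line would read more clearly as a parenthesised condition with the assignment directly beneath it.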
>+++ b/selftest/knownfail.d/kdc-enterprise 
>@@ -35,3 +35,29 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_UPN\( > >+ >+ >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar_AsReqSelf\( 
>+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_AsReqSelf\( 
>+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar_AsReqSelf\( >diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc >index 9953d51f21d..f1a4971430e 100644 >--- a/selftest/knownfail_mit_kdc >+++ b/selftest/knownfail_mit_kdc 
>@@ -174,3 +174,99 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( > samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( 
>+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_RemoveDollar_AsReqSelf\( 
>+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_AsReqSelf\( 
>+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(ad_dc >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar_AsReqSelf\( 
>+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( 
>+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( 
>+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( 
>+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_AsReqSelf\( 
>+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( 
>+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( >+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( 
>+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_RemoveDollar_AsReqSelf\(
>+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_AsReqSelf\(
>+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_RemoveDollar_AsReqSelf\(
>--
>2.25.1
>
>
>From 60e333bae9e29c23ff076b95c18e28fc7c9cc3f4 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Thu, 10 Dec 2020 10:15:28 +1300
>Subject: [PATCH 058/686] tests python krb5: Add Authorization data ad-type
> constants
>
>Add constants for the Authorization Data Type values.
>RFC 4120 7.5.4. Authorization Data Types
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit d74c9dcf3aaa613abfac49288f427484468bf6e1)
>---
> python/samba/tests/krb5/rfc4120_constants.py | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
>diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py
>index e939bb75e82..e1d0c5baa68 100644
>--- a/python/samba/tests/krb5/rfc4120_constants.py
>+++ b/python/samba/tests/krb5/rfc4120_constants.py
>@@ -47,3 +47,17 @@ NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL'))
> NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST'))
> NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues(
> 'kRB5-NT-ENTERPRISE-PRINCIPAL'))
>+
>+# Authorization data ad-type values
>+
>+AD_IF_RELEVANT = 1
>+AD_INTENDED_FOR_SERVER = 2
>+AD_INTENDED_FOR_APPLICATION_CLASS = 3
>+AD_KDC_ISSUED = 4
>+AD_AND_OR = 5
>+AD_MANDATORY_TICKET_EXTENSIONS = 6
>+AD_IN_TICKET_EXTENSIONS = 7
>+AD_MANDATORY_FOR_KDC = 8
>+AD_INITIAL_VERIFIED_CAS = 9
>+AD_WIN2K_PAC = 128
>+AD_SIGNTICKET = 512
>--
>2.25.1
>
>
>From 49178797b6b65eaf020e7096ff5c0c0b8b3692b9 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Mon, 30 Nov 2020 14:16:28 +1300
>Subject: [PATCH 059/686] tests python krb5: add test base class
>
>Add a base class for the KDC tests to reduce the amount of code
>duplication in the tests.
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 0f232ed42fb2671d025643cafb19891373562e4a)
>---
> python/samba/tests/krb5/kdc_base_test.py | 419 +++++++++++++++++++++++
> 1 file changed, 419 insertions(+)
> create mode 100755 python/samba/tests/krb5/kdc_base_test.py
>
>diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
>new file mode 100755
>index 00000000000..4fc7ee85ba9
>--- /dev/null
>+++ b/python/samba/tests/krb5/kdc_base_test.py
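Review bot: The added comment `# Authorization data ad-type values` names no source for the numbers, and the commit message cites only RFC 4120 section 7.5.4. As far as I can tell that section covers values 1 to 8 and the registered AD-WIN2K-PAC (128), while `AD_INITIAL_VERIFIED_CAS = 9` and `AD_SIGNTICKET = 512` come from elsewhere (PKINIT and Heimdal respectively, which is worth confirming). I would extend the comment accordingly, e.g. `# ad-type values: 1-8 and 128 from RFC 4120 7.5.4; 9 and 512 are defined outside that section`.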
>@@ -0,0 +1,419 @@
>+#!/usr/bin/env python3
>+# Unix SMB/CIFS implementation.
>+# Copyright (C) Stefan Metzmacher 2020
>+# Copyright (C) 2020 Catalyst.Net Ltd
>+#
>+# This program is free software; you can redistribute it and/or modify
>+# it under the terms of the GNU General Public License as published by
>+# the Free Software Foundation; either version 3 of the License, or
>+# (at your option) any later version.
>+#
>+# This program is distributed in the hope that it will be useful,
>+# but WITHOUT ANY WARRANTY; without even the implied warranty of
>+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+# GNU General Public License for more details.
>+#
>+# You should have received a copy of the GNU General Public License
>+# along with this program. If not, see <http://www.gnu.org/licenses/>.
>+#
>+
>+import sys
>+import os
>+
>+sys.path.insert(0, "bin/python")
>+os.environ["PYTHONUNBUFFERED"] = "1"
>+from collections import namedtuple
>+from ldb import SCOPE_BASE
>+from samba import generate_random_password
>+from samba.auth import system_session
>+from samba.credentials import Credentials
>+from samba.dcerpc import krb5pac
>+from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_NORMAL_ACCOUNT
>+from samba.ndr import ndr_unpack
>+from samba.samdb import SamDB
>+
>+from samba.tests import delete_force
>+from samba.tests.krb5.raw_testcase import RawKerberosTest
>+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
>+from samba.tests.krb5.rfc4120_constants import (
>+ AD_IF_RELEVANT,
>+ AD_WIN2K_PAC,
>+ KDC_ERR_PREAUTH_REQUIRED,
>+ KRB_AS_REP,
>+ KRB_TGS_REP,
>+ KRB_ERROR,
>+ PADATA_ENC_TIMESTAMP,
>+ PADATA_ETYPE_INFO2,
>+)
>+
>+global_asn1_print = False
>+global_hexdump = False
>+
>+
>+class KDCBaseTest(RawKerberosTest):
>+ """ Base class for KDC tests.
>+ """
>+
>+ @classmethod
>+ def setUpClass(cls):
>+ cls.lp = cls.get_loadparm(cls)
>+ cls.username = os.environ["USERNAME"]
>+ cls.password = os.environ["PASSWORD"]
>+ cls.host = os.environ["SERVER"]
>+
>+ c = Credentials()
>+ c.set_username(cls.username)
>+ c.set_password(cls.password)
>+ try:
>+ realm = os.environ["REALM"]
>+ c.set_realm(realm)
>+ except KeyError:
>+ pass
>+ try:
>+ domain = os.environ["DOMAIN"]
>+ c.set_domain(domain)
>+ except KeyError:
>+ pass
>+
>+ c.guess()
>+
>+ cls.credentials = c
>+
>+ cls.session = system_session()
>+ cls.ldb = SamDB(url="ldap://%s" % cls.host,
>+ session_info=cls.session,
>+ credentials=cls.credentials,
>+ lp=cls.lp)
>+ # fetch the dnsHostName from the RootDse
>+ res = cls.ldb.search(
>+ base="", expression="", scope=SCOPE_BASE, attrs=["dnsHostName"])
>+ cls.dns_host_name = str(res[0]['dnsHostName'])
>+
>+ def setUp(self):
>+ super().setUp()
>+ self.do_asn1_print = global_asn1_print
>+ self.do_hexdump = global_hexdump
>+ self.accounts = []
>+
>+ def tearDown(self):
>+ # Clean up any accounts created by create_account
>+ for dn in self.accounts:
>+ delete_force(self.ldb, dn)
>+
>+ def create_account(self, name, machine_account=False, spn=None):
>+ '''Create an account for testing.
>+ The dn of the created account is added to self.accounts,
>+ which is used by tearDown to clean up the created accounts.
>+ '''
>+ dn = "cn=%s,%s" % (name, self.ldb.domain_dn())
>+
>+ # remove the account if it exists, this will happen if a previous test
>+ # run failed
>+ delete_force(self.ldb, dn)
>+ if machine_account:
>+ object_class = "computer"
>+ account_name = "%s$" % name
>+ account_control = str(UF_WORKSTATION_TRUST_ACCOUNT)
>+ else:
>+ object_class = "user"
>+ account_name = name
>+ account_control = str(UF_NORMAL_ACCOUNT)
>+
>+ password = generate_random_password(32, 32)
>+ utf16pw = ('"%s"' % password).encode('utf-16-le')
>+
>+ details = {
>+ "dn": dn,
>+ "objectclass": object_class,
>+ "sAMAccountName": account_name,
>+ "userAccountControl": account_control,
>+ "unicodePwd": utf16pw}
>+ if spn is not None:
>+ details["servicePrincipalName"] = spn
>+ self.ldb.add(details)
>+
>+ creds = Credentials()
>+ creds.guess(self.lp)
>+ creds.set_realm(self.ldb.domain_dns_name().upper())
>+ creds.set_domain(self.ldb.domain_netbios_name().upper())
>+ creds.set_password(password)
>+ creds.set_username(account_name)
>+ if machine_account:
>+ creds.set_workstation(name)
>+ #
>+ # Save the account name so it can be deleted in the tearDown
>+ self.accounts.append(dn)
>+
>+ return (creds, dn)
>+
>+ def as_req(self, cname, sname, realm, etypes, padata=None):
>+ '''Send a Kerberos AS_REQ, returns the undecoded response
>+ '''
>+
>+ till = self.get_KerberosTime(offset=36000)
>+ kdc_options = 0
>+
>+ req = self.AS_REQ_create(padata=padata,
>+ kdc_options=str(kdc_options),
>+ cname=cname,
>+ realm=realm,
>+ sname=sname,
>+ from_time=None,
>+ till_time=till,
>+ renew_time=None,
>+ nonce=0x7fffffff,
>+ etypes=etypes,
>+ addresses=None,
>+ EncAuthorizationData=None,
>+ EncAuthorizationData_key=None,
>+ additional_tickets=None)
>+ rep = self.send_recv_transaction(req)
>+ return rep
>+
>+ def get_as_rep_key(self, creds, rep):
>+ '''Extract the session key from an AS-REP
>+ '''
>+ rep_padata = self.der_decode(
>+ rep['e-data'],
>+ asn1Spec=krb5_asn1.METHOD_DATA())
>+
>+ for pa in rep_padata:
>+ if pa['padata-type'] == PADATA_ETYPE_INFO2:
>+ padata_value = pa['padata-value']
>+ break
>+
>+ etype_info2 = self.der_decode(
>+ padata_value, asn1Spec=krb5_asn1.ETYPE_INFO2())
>+
>+ key = self.PasswordKey_from_etype_info2(creds, etype_info2[0])
>+ return key
>+
>+ def get_pa_data(self, creds, rep, skew=0):
>+ '''generate the pa_data data element for an AS-REQ
>+ '''
>+ key = self.get_as_rep_key(creds, rep)
>+
>+ (patime, pausec) = self.get_KerberosTimeWithUsec(offset=skew)
>+ padata = self.PA_ENC_TS_ENC_create(patime, pausec)
>+ padata = self.der_encode(padata, asn1Spec=krb5_asn1.PA_ENC_TS_ENC())
>+
>+ usage = 1
>+ padata = self.EncryptedData_create(key, usage, padata)
>+ padata = self.der_encode(padata, asn1Spec=krb5_asn1.EncryptedData())
>+
>+ padata = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, padata)
>+
>+ return [padata]
>+
>+ def get_as_rep_enc_data(self, key, rep):
>+ ''' Decrypt and Decode the encrypted data in an AS-REP
>+ '''
>+ usage = 3
>+ enc_part = key.decrypt(usage, rep['enc-part']['cipher'])
>+ # MIT KDC encodes both EncASRepPart and EncTGSRepPart with
>+ # application tag 26
>+ try:
>+ enc_part = self.der_decode(
>+ enc_part, asn1Spec=krb5_asn1.EncASRepPart())
>+ except Exception:
>+ enc_part = self.der_decode(
>+ enc_part, asn1Spec=krb5_asn1.EncTGSRepPart())
>+
>+ return enc_part
>+
>+ def check_pre_authenication(self, rep):
>+ """ Check that the kdc response was pre-authentication required
>+ """
>+ self.check_error_rep(rep, KDC_ERR_PREAUTH_REQUIRED)
>+
>+ def check_as_reply(self, rep):
>+ """ Check that the kdc response is an AS-REP and that the
>+ values for:
>+ msg-type
>+ pvno
>+ tkt-pvno
>+ kvno
>+ match the expected values
>+ """
>+
>+ # Should have a reply, and it should an AS-REP message.
>+ self.assertIsNotNone(rep)
>+ self.assertEqual(rep['msg-type'], KRB_AS_REP, "rep = {%s}" % rep)
>+
>+ # Protocol version number should be 5
>+ pvno = int(rep['pvno'])
>+ self.assertEqual(5, pvno, "rep = {%s}" % rep)
>+
>+ # The ticket version number should be 5
>+ tkt_vno = int(rep['ticket']['tkt-vno'])
>+ self.assertEqual(5, tkt_vno, "rep = {%s}" % rep)
>+
>+ # Check that the kvno is not an RODC kvno
>+ # MIT kerberos does not provide the kvno, so we treat it as optional.
>+ # This is tested in compatability_test.py
>+ if 'kvno' in rep['enc-part']:
>+ kvno = int(rep['enc-part']['kvno'])
>+ # If the high order bits are set this is an RODC kvno.
>+ self.assertEqual(0, kvno & 0xFFFF0000, "rep = {%s}" % rep)
>+
>+ def check_tgs_reply(self, rep):
>+ """ Check that the kdc response is an TGS-REP and that the
>+ values for:
>+ msg-type
>+ pvno
>+ tkt-pvno
>+ kvno
>+ match the expected values
>+ """
>+
>+ # Should have a reply, and it should an TGS-REP message.
>+ self.assertIsNotNone(rep)
>+ self.assertEqual(rep['msg-type'], KRB_TGS_REP, "rep = {%s}" % rep)
>+
>+ # Protocol version number should be 5
>+ pvno = int(rep['pvno'])
>+ self.assertEqual(5, pvno, "rep = {%s}" % rep)
>+
>+ # The ticket version number should be 5
>+ tkt_vno = int(rep['ticket']['tkt-vno'])
>+ self.assertEqual(5, tkt_vno, "rep = {%s}" % rep)
>+
>+ # Check that the kvno is not an RODC kvno
>+ # MIT kerberos does not provide the kvno, so we treat it as optional.
>+ # This is tested in compatability_test.py
>+ if 'kvno' in rep['enc-part']:
>+ kvno = int(rep['enc-part']['kvno'])
>+ # If the high order bits are set this is an RODC kvno.
>+ self.assertEqual(0, kvno & 0xFFFF0000, "rep = {%s}" % rep)
>+
>+ def check_error_rep(self, rep, expected):
>+ """ Check that the reply is an error message, with the expected
>+ error-code specified.
>+ """
>+ self.assertIsNotNone(rep)
>+ self.assertEqual(rep['msg-type'], KRB_ERROR, "rep = {%s}" % rep)
>+ self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep)
>+
>+ def tgs_req(self, cname, sname, realm, ticket, key, etypes):
>+ '''Send a TGS-REQ, returns the response and the decrypted and
>+ decoded enc-part
>+ '''
>+
>+ kdc_options = "0"
>+ till = self.get_KerberosTime(offset=36000)
>+ padata = []
>+
>+ subkey = self.RandomKey(key.etype)
>+ subkey_usage = 9
>+
>+ (ctime, cusec) = self.get_KerberosTimeWithUsec()
>+
>+ req = self.TGS_REQ_create(padata=padata,
>+ cusec=cusec,
>+ ctime=ctime,
>+ ticket=ticket,
>+ kdc_options=str(kdc_options),
>+ cname=cname,
>+ realm=realm,
>+ sname=sname,
>+ from_time=None,
>+ till_time=till,
>+ renew_time=None,
>+ nonce=0x7ffffffe,
>+ etypes=etypes,
>+ addresses=None,
>+ EncAuthorizationData=None,
>+ EncAuthorizationData_key=None,
>+ additional_tickets=None,
>+ ticket_session_key=key,
>+ authenticator_subkey=subkey)
>+ rep = self.send_recv_transaction(req)
>+ self.assertIsNotNone(rep)
>+
>+ msg_type = rep['msg-type']
>+ enc_part = None
>+ if msg_type == KRB_TGS_REP:
>+ enc_part = subkey.decrypt(subkey_usage, rep['enc-part']['cipher'])
>+ enc_part = self.der_decode(
>+ enc_part, asn1Spec=krb5_asn1.EncTGSRepPart())
>+ return (rep, enc_part)
>+
>+ # Named tuple to contain values of interest when the PAC is decoded.
>+ PacData = namedtuple(
>+ "PacData",
>+ "account_name account_sid logon_name upn domain_name")
>+ PAC_LOGON_INFO = 1
>+ PAC_CREDENTIAL_INFO = 2
>+ PAC_SRV_CHECKSUM = 6
>+ PAC_KDC_CHECKSUM = 7
>+ PAC_LOGON_NAME = 10
>+ PAC_CONSTRAINED_DELEGATION = 11
>+ PAC_UPN_DNS_INFO = 12
>+
>+ def get_pac_data(self, authorization_data):
>+ '''Decode the PAC element contained in the authorization-data element
>+ '''
>+ account_name = None
>+ user_sid = None
>+ logon_name = None
>+ upn = None
>+ domain_name = None
>+
>+ # The PAC data will be wrapped in an AD_IF_RELEVANT element
>+ ad_if_relevant_elements = (
>+ x for x in authorization_data if x['ad-type'] == AD_IF_RELEVANT)
>+ for dt in ad_if_relevant_elements:
>+ buf = self.der_decode(
>+ dt['ad-data'], asn1Spec=krb5_asn1.AD_IF_RELEVANT())
>+ # The PAC data is further wrapped in a AD_WIN2K_PAC element
>+ for ad in (x for x in buf if x['ad-type'] == AD_WIN2K_PAC):
>+ pb = ndr_unpack(krb5pac.PAC_DATA, ad['ad-data'])
>+ for pac in pb.buffers:
>+ if pac.type == self.PAC_LOGON_INFO:
>+ account_name = (
>+ pac.info.info.info3.base.account_name)
>+ user_sid = (
>+ str(pac.info.info.info3.base.domain_sid) +
>+ "-" + str(pac.info.info.info3.base.rid))
>+ elif pac.type == self.PAC_LOGON_NAME:
>+ logon_name = pac.info.account_name
>+ elif pac.type == self.PAC_UPN_DNS_INFO:
>+ upn = pac.info.upn_name
>+ domain_name = pac.info.dns_domain_name
>+
>+ return self.PacData(
>+ account_name,
>+ user_sid,
>+ logon_name,
>+ upn,
>+ domain_name)
>+
>+ def decode_service_ticket(self, creds, ticket):
>+ '''Decrypt and decode a service ticket
>+ '''
>+
>+ name = creds.get_username()
>+ if name.endswith('$'):
>+ name = name[:-1]
>+ realm = creds.get_realm()
>+ salt = "%s.%s@%s" % (name, realm.lower(), realm.upper())
>+
>+ key = self.PasswordKey_create(
>+ ticket['enc-part']['etype'],
>+ creds.get_password(),
>+ salt,
>+ ticket['enc-part']['kvno'])
>+
>+ enc_part = key.decrypt(2, ticket['enc-part']['cipher'])
>+ enc_ticket_part = self.der_decode(
>+ enc_part, asn1Spec=krb5_asn1.EncTicketPart())
>+ return enc_ticket_part
>+
>+ def get_objectSid(self, dn):
>+ ''' Get the objectSID for a DN
>+ Note: performs an Ldb query.
>+ '''
>+ res = self.ldb.search(dn, scope=SCOPE_BASE, attrs=["objectSID"])
>+ self.assertTrue(len(res) == 1, "did not get objectSid for %s" % dn)
>+ sid = self.ldb.schema_format_value("objectSID", res[0]["objectSID"][0])
>+ return sid.decode('utf8')
>--
>2.25.1
>
>
>From 469948dd013eaff517680f59453e38c3bf8f851e Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Mon, 30 Nov 2020 14:19:15 +1300
>Subject: [PATCH 060/686] tests python krb5: initial TGS tests
>
>Initial tests on the KDC TGS
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 1ed461a142f68f5de5e21b873ebddfcf5ae0ca1e)
>---
> python/samba/tests/krb5/kdc_base_test.py | 1 -
> python/samba/tests/krb5/kdc_tgs_tests.py | 210 +++++++++++++++++++
> python/samba/tests/krb5/rfc4120_constants.py | 2 +
> python/samba/tests/usage.py | 2 +
> selftest/knownfail_mit_kdc | 5 +
> source4/selftest/tests.py | 3 +
> 6 files changed, 222 insertions(+), 1 deletion(-)
> mode change 100755 => 100644 python/samba/tests/krb5/kdc_base_test.py
> create mode 100755 python/samba/tests/krb5/kdc_tgs_tests.py
>
>diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
>old mode 100755
>new mode 100644
>index 4fc7ee85ba9..1a823d173e3
>--- a/python/samba/tests/krb5/kdc_base_test.py
>+++ b/python/samba/tests/krb5/kdc_base_test.py
>@@ -1,4 +1,3 @@
>-#!/usr/bin/env python3
> # Unix SMB/CIFS implementation.
> # Copyright (C) Stefan Metzmacher 2020
> # Copyright (C) 2020 Catalyst.Net Ltd
>diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
>new file mode 100755
>index 00000000000..23a1d868a79
>--- /dev/null
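Review bot: In `get_as_rep_key` the loop over `rep_padata` leaves `padata_value` unbound when the KDC's e-data carries no PA-ETYPE-INFO2 entry, so the test dies with an UnboundLocalError at the following `der_decode` instead of a readable failure. I would initialise `padata_value = None` before the loop and add `self.assertIsNotNone(padata_value, "no PA-ETYPE-INFO2 in e-data")` after it. `tearDown` also never calls `super().tearDown()` although `setUp` chains to `super().setUp()`, so whatever cleanup the parent classes do there is skipped; add the call after the `delete_force` loop. In `create_account`, `self.accounts.append(dn)` runs only after the credentials object is built, so an exception between `self.ldb.add(details)` and the append leaves the test account in the directory until a later run's `delete_force`; moving the append directly after the add closes that gap.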
>+++ b/python/samba/tests/krb5/kdc_tgs_tests.py 
>@@ -0,0 +1,210 @@
>+#!/usr/bin/env python3
>+# Unix SMB/CIFS implementation.
>+# Copyright (C) Stefan Metzmacher 2020
>+# Copyright (C) 2020 Catalyst.Net Ltd
>+#
>+# This program is free software; you can redistribute it and/or modify
>+# it under the terms of the GNU General Public License as published by
>+# the Free Software Foundation; either version 3 of the License, or
>+# (at your option) any later version.
>+#
>+# This program is distributed in the hope that it will be useful,
>+# but WITHOUT ANY WARRANTY; without even the implied warranty of
>+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+# GNU General Public License for more details.
>+#
>+# You should have received a copy of the GNU General Public License
>+# along with this program. If not, see <http://www.gnu.org/licenses/>.
>+#
>+
>+import sys
>+import os
>+
>+sys.path.insert(0, "bin/python")
>+os.environ["PYTHONUNBUFFERED"] = "1"
>+
>+from samba.tests.krb5.kdc_base_test import KDCBaseTest
>+from samba.tests.krb5.rfc4120_constants import (
>+ AES256_CTS_HMAC_SHA1_96,
>+ ARCFOUR_HMAC_MD5,
>+ KRB_ERROR,
>+ KDC_ERR_BADMATCH,
>+ NT_PRINCIPAL,
>+ NT_SRV_INST,
>+)
>+
>+global_asn1_print = False
>+global_hexdump = False
>+
>+
>+class KdcTgsTests(KDCBaseTest):
>+
>+ def setUp(self):
>+ super().setUp()
>+ self.do_asn1_print = global_asn1_print
>+ self.do_hexdump = global_hexdump
>+
>+ def test_tgs_req_cname_does_not_not_match_authenticator_cname(self):
>+ ''' Try and obtain a ticket from the TGS, but supply a cname
>+ that differs from that provided to the krbtgt
>+ '''
>+ # Create the user account
>+ user_name = "tsttktusr"
>+ (uc, _) = self.create_account(user_name)
>+ realm = uc.get_realm().lower()
>+
>+ # Do the initial AS-REQ, should get a pre-authentication required
>+ # response
>+ etype = (AES256_CTS_HMAC_SHA1_96,)
>+ cname = self.PrincipalName_create(
>+ name_type=NT_PRINCIPAL, names=[user_name])
>+ sname = self.PrincipalName_create(
>+ name_type=NT_SRV_INST, names=["krbtgt", realm])
>+
>+ rep = self.as_req(cname, sname, realm, etype)
>+ self.check_pre_authenication(rep)
>+
>+ # Do the next AS-REQ
>+ padata = self.get_pa_data(uc, rep)
>+ key = self.get_as_rep_key(uc, rep)
>+ rep = self.as_req(cname, sname, realm, etype, padata=padata)
>+ self.check_as_reply(rep)
>+
>+ # Request a service ticket, but use a cname that does not match
>+ # that in the original AS-REQ
>+ enc_part2 = self.get_as_rep_enc_data(key, rep)
>+ key = self.EncryptionKey_import(enc_part2['key'])
>+ ticket = rep['ticket']
>+
>+ cname = self.PrincipalName_create(
>+ name_type=NT_PRINCIPAL,
>+ names=["Administrator"])
>+ sname = self.PrincipalName_create(
>+ name_type=NT_PRINCIPAL,
>+ names=["host", self.dns_host_name])
>+
>+ (rep, enc_part) = self.tgs_req(cname, sname, realm, ticket, key, etype)
>+
>+ self.assertIsNone(
>+ enc_part,
>+ "rep = {%s}, enc_part = {%s}" % (rep, enc_part))
>+ self.assertEqual(KRB_ERROR, rep['msg-type'], "rep = {%s}" % rep)
>+ self.assertEqual(
>+ KDC_ERR_BADMATCH,
>+ rep['error-code'],
>+ "rep = {%s}" % rep)
>+
>+ def test_ldap_service_ticket(self):
>+ '''Get a ticket to the ldap service
>+ '''
>+ # Create the user account
>+ user_name = "tsttktusr"
>+ (uc, _) = self.create_account(user_name)
>+ realm = uc.get_realm().lower()
>+
>+ # Do the initial AS-REQ, should get a pre-authentication required
>+ # response
>+ etype = (AES256_CTS_HMAC_SHA1_96,)
>+ cname = self.PrincipalName_create(
>+ name_type=NT_PRINCIPAL, names=[user_name])
>+ sname = self.PrincipalName_create(
>+ name_type=NT_SRV_INST, names=["krbtgt", realm])
>+
>+ rep = self.as_req(cname, sname, realm, etype)
>+ self.check_pre_authenication(rep)
>+
>+ # Do the next AS-REQ
>+ padata = self.get_pa_data(uc, rep)
>+ key = self.get_as_rep_key(uc, rep)
>+ rep = self.as_req(cname, sname, realm, etype, padata=padata)
>+ self.check_as_reply(rep)
>+
>+ enc_part2 = self.get_as_rep_enc_data(key, rep)
>+ key = self.EncryptionKey_import(enc_part2['key'])
>+ ticket = rep['ticket']
>+
>+ # Request a ticket to the ldap service
>+ sname = self.PrincipalName_create(
>+ name_type=NT_SRV_INST,
>+ names=["ldap", self.dns_host_name])
>+
>+ (rep, _) = self.tgs_req(
>+ cname, sname, uc.get_realm(), ticket, key, etype)
>+
>+ self.check_tgs_reply(rep)
>+
>+ def test_get_ticket_for_host_service_of_machine_account(self):
>+
>+ # Create a user and machine account for the test.
>+ #
>+ user_name = "tsttktusr"
>+ (uc, dn) = self.create_account(user_name)
>+ (mc, _) = self.create_account("tsttktmac", machine_account=True)
>+ realm = uc.get_realm().lower()
>+
>+ # Do the initial AS-REQ, should get a pre-authentication required
>+ # response
>+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
>+ cname = self.PrincipalName_create(
>+ name_type=NT_PRINCIPAL, names=[user_name])
>+ sname = self.PrincipalName_create(
>+ name_type=NT_SRV_INST, names=["krbtgt", realm])
>+
>+ rep = self.as_req(cname, sname, realm, etype)
>+ self.check_pre_authenication(rep)
>+
>+ # Do the next AS-REQ
>+ padata = self.get_pa_data(uc, rep)
>+ key = self.get_as_rep_key(uc, rep)
>+ rep = self.as_req(cname, sname, realm, etype, padata=padata)
>+ self.check_as_reply(rep)
>+
>+ # Request a ticket to the host service on the machine account
>+ ticket = rep['ticket']
>+ enc_part2 = self.get_as_rep_enc_data(key, rep)
>+ key = self.EncryptionKey_import(enc_part2['key'])
>+ cname = self.PrincipalName_create(
>+ name_type=NT_PRINCIPAL,
>+ names=[user_name])
>+ sname = self.PrincipalName_create(
>+ name_type=NT_PRINCIPAL,
>+ names=[mc.get_username()])
>+
>+ (rep, enc_part) = self.tgs_req(
>+ cname, sname, uc.get_realm(), ticket, key, etype)
>+ self.check_tgs_reply(rep)
>+
>+ # Check the contents of the service ticket
>+ ticket = rep['ticket']
>+ enc_part = self.decode_service_ticket(mc, ticket)
>+
>+ pac_data = self.get_pac_data(enc_part['authorization-data'])
>+ sid = self.get_objectSid(dn)
>+ upn = "%s@%s" % (uc.get_username(), realm)
>+ self.assertEqual(
>+ uc.get_username(),
>+ str(pac_data.account_name),
>+ "rep = {%s},%s" % (rep, pac_data))
>+ self.assertEqual(
>+ uc.get_username(),
>+ pac_data.logon_name,
>+ "rep = {%s},%s" % (rep, pac_data))
>+ self.assertEqual(
>+ uc.get_realm(),
>+ pac_data.domain_name,
>+ "rep = {%s},%s" % (rep, pac_data))
>+ self.assertEqual(
>+ upn,
>+ pac_data.upn,
>+ "rep = {%s},%s" % (rep, pac_data))
>+ self.assertEqual(
>+ sid,
>+ pac_data.account_sid,
>+ "rep = {%s},%s" % (rep, pac_data))
>+
>+
>+if __name__ == "__main__":
>+ global_asn1_print = True
>+ global_hexdump = True
>+ import unittest
>+ unittest.main()
>diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py
>index e1d0c5baa68..19bb6691d43 100644
>--- a/python/samba/tests/krb5/rfc4120_constants.py
>+++ b/python/samba/tests/krb5/rfc4120_constants.py
>@@ -28,6 +28,7 @@ ARCFOUR_HMAC_MD5 = int(
> # Message types
> KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error'))
> KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep'))
>+KRB_TGS_REP = int(krb5_asn1.MessageTypeValues('krb-tgs-rep'))
>
> # PAData types
> PADATA_ENC_TIMESTAMP = int(
>@@ -39,6 +40,7 @@ PADATA_ETYPE_INFO2 = int(
> KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
> KDC_ERR_PREAUTH_FAILED = 24
> KDC_ERR_PREAUTH_REQUIRED = 25
>+KDC_ERR_BADMATCH = 36
> KDC_ERR_SKEW = 37
>
> # Name types
>diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
>index 11cd405deea..838a3148d8e 100644
>--- a/python/samba/tests/usage.py
>+++ b/python/samba/tests/usage.py
>@@ -91,6 +91,8 @@ EXCLUDE_USAGE = {
> 'python/samba/tests/krb5/compatability_tests.py',
> 'python/samba/tests/krb5/rfc4120_constants.py',
> 'python/samba/tests/krb5/kdc_tests.py',
>+ 'python/samba/tests/krb5/kdc_base_test.py',
>+ 'python/samba/tests/krb5/kdc_tgs_tests.py',
> }
>
>
>diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
>index f1a4971430e..e64303c6b0f 100644
>--- a/selftest/knownfail_mit_kdc
>+++ b/selftest/knownfail_mit_kdc
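Review bot: The test name `test_tgs_req_cname_does_not_not_match_authenticator_cname` has a doubled "not", which reads as the opposite of what the test checks, namely that a TGS-REQ whose cname differs from the ticket's is answered with `KDC_ERR_BADMATCH`; `test_tgs_req_cname_does_not_match_authenticator_cname` says what is meant. `test_get_ticket_for_host_service_of_machine_account` has no docstring, and its comment "Request a ticket to the host service on the machine account" does not match the code, which builds the sname from `mc.get_username()` with `NT_PRINCIPAL` rather than a `host/...` name, so either the comment or the sname should be adjusted. The first test also passes the lower-cased `realm` to `tgs_req` while the other two pass `uc.get_realm()`; if that difference is deliberate it deserves a comment. All three tests repeat the same two-step AS exchange and would be shorter with a shared helper on `KDCBaseTest`.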
>@@ -270,3 +270,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
> ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_RemoveDollar_AsReqSelf\(
> ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_AsReqSelf\(
> ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_RemoveDollar_AsReqSelf\(
>+#
>+# MIT currently returns an error code of 12 KRB5KDC_ERR_POLICY: KDC policy rejects request, to the
>+# following tests
>+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_ldap_service_ticket\(ad_dc\)
>+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_get_ticket_for_host_service_of_machine_account\(ad_dc\)
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index f2cdae9342c..4ce9602b53f 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -1231,6 +1231,9 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]:
> planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests")
> planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests")
> planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests")
>+planpythontestsuite(
>+ "ad_dc",
>+ "samba.tests.krb5.kdc_tgs_tests")
>
> for env in [
> 'vampire_dc',
>--
>2.25.1
>
>
>From c9a58373964088c637985626dd55743b69e2a712 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Thu, 10 Dec 2020 16:26:06 +1300
>Subject: [PATCH 061/686] tests python krb5: Add key usage constants
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit d8ed73b75ad67da99be392b2db18fe2e1ffed87f)
>---
> python/samba/tests/krb5/rfc4120_constants.py | 50 ++++++++++++++++++++
> 1 file changed, 50 insertions(+)
>
>diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py
>index 19bb6691d43..9de56578c99 100644
>--- a/python/samba/tests/krb5/rfc4120_constants.py
>+++ b/python/samba/tests/krb5/rfc4120_constants.py
>@@ -63,3 +63,53 @@ AD_MANDATORY_FOR_KDC = 8
> AD_INITIAL_VERIFIED_CAS = 9
> AD_WIN2K_PAC = 128
> AD_SIGNTICKET = 512
>+
>+# Key usage numbers
>+# RFC 4120 Section 7.5.1. Key Usage Numbers
>+KU_PA_ENC_TIMESTAMP = 1
>+''' AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
>+ client key (section 5.2.7.2) '''
>+KU_TICKET = 2
>+''' AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
>+ application session key), encrypted with the service key
>+ (section 5.3) '''
>+KU_AS_REP_ENC_PART = 3
>+''' AS-REP encrypted part (includes tgs session key or application
>+ session key), encrypted with the client key (section 5.4.2) '''
>+KU_TGS_REQ_AUTH_DAT_SESSION = 4
>+''' TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
>+ session key (section 5.4.1) '''
>+KU_TGS_REQ_AUTH_DAT_SUBKEY = 5
>+''' TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
>+ authenticator subkey (section 5.4.1) '''
>+KU_TGS_REQ_AUTH_CKSUM = 6
>+''' TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
>+ with the tgs session key (section 5.5.1) '''
>+KU_TGS_REQ_AUTH = 7
>+''' TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
>+ authenticator subkey), encrypted with the tgs session key
>+ (section 5.5.1) '''
>+KU_TGS_REP_ENC_PART_SESSION = 8
>+''' TGS-REP encrypted part (includes application session key),
>+ encrypted with the tgs session key (section 5.4.2) '''
>+KU_TGS_REP_ENC_PART_SUB_KEY = 9
>+''' TGS-REP encrypted part (includes application session key),
>+ encrypted with the tgs authenticator subkey (section 5.4.2) '''
>+KU_AP_REQ_AUTH_CKSUM = 10
>+''' AP-REQ Authenticator cksum, keyed with the application session
>+ key (section 5.5.1) '''
>+KU_AP_REQ_AUTH = 11
>+''' AP-REQ Authenticator (includes application authenticator
>+ subkey), encrypted with the application session key (section 5.5.1) '''
>+KU_AP_REQ_ENC_PART = 12
>+''' AP-REP encrypted part (includes application session subkey),
>+ encrypted with the application session key (section 
5.5.2) '''
>+KU_KRB_PRIV = 13
>+''' KRB-PRIV encrypted part, encrypted with a key chosen by the
>+ application (section 5.7.1) '''
>+KU_KRB_CRED = 14
>+''' KRB-CRED encrypted part, encrypted with a key chosen by the
>+ application (section 5.8.1) '''
>+KU_KRB_SAFE_CKSUM = 15
>+''' KRB-SAFE cksum, keyed with a key chosen by the application
>+ (section 5.6.1) '''
>--
>2.25.1
>
>
>From 1ed4be2f2e77fbc5ce25d7dd88fba3b09f733b49 Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Thu, 10 Dec 2020 16:27:17 +1300
>Subject: [PATCH 062/686] tests python krb5: use key usage constants
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 03676a4a5c55ab5f4958a86cbd4d7be0f0a8a294)
>---
> .../tests/krb5/as_canonicalization_tests.py | 5 ++---
> python/samba/tests/krb5/compatability_tests.py | 7 +++----
> python/samba/tests/krb5/kdc_base_test.py | 16 +++++++++-------
> python/samba/tests/krb5/kdc_tests.py | 3 +--
> python/samba/tests/krb5/s4u_tests.py | 15 +++++++++------
> python/samba/tests/krb5/simple_tests.py | 15 +++++++++------
> python/samba/tests/krb5/xrealm_tests.py | 15 +++++++++------
> 7 files changed, 42 insertions(+), 34 deletions(-)
>
>diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
>index 6ea3ff0491e..e89b40eab8f 100755
>--- a/python/samba/tests/krb5/as_canonicalization_tests.py
>+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
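Review bot: In the rfc4120_constants.py hunk, `KU_AP_REQ_ENC_PART = 12` is named for AP-REQ while its own description, and the section 5.5.2 it cites, are about the AP-REP encrypted part; a test that picks the constant by name would use key usage 12 where it means an AP-REQ usage (10 or 11 here). Renaming it to `KU_AP_REP_ENC_PART = 12` makes name and text agree. The triple-quoted strings after each assignment are bare expression statements, not comments or docstrings that tools attach to the constant, so `#` comments above each value would be the more conventional form, e.g. `# AP-REP encrypted part, encrypted with the application session key (section 5.5.2)`.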
>@@ -367,8 +367,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): > pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) > pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) > >- enc_pa_ts_usage = 1 >- pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) >+ pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) > pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) > > pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) >@@ -413,7 +412,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): > self.assertEqual(msg_type, KRB_AS_REP, "Data {0}".format(str(data))) > > # Decrypt and decode the EncKdcRepPart >- enc = key.decrypt(3, rep['enc-part']['cipher']) >+ enc = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) > if enc[0] == 0x7A: > # MIT Kerberos Tags the EncASRepPart as a EncKDCRepPart > # i.e. tag number 26 instead of tag number 25 >diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py >index e4b1453e712..0b3701cd60d 100755 >--- a/python/samba/tests/krb5/compatability_tests.py >+++ b/python/samba/tests/krb5/compatability_tests.py >@@ -178,8 +178,7 @@ class SimpleKerberosTests(RawKerberosTest): > pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) > pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) > >- enc_pa_ts_usage = 1 >- pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) >+ pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) > pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) > > pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) 
>@@ -207,9 +206,9 @@ class SimpleKerberosTests(RawKerberosTest): > msg_type = rep['msg-type'] > self.assertEqual(msg_type, KRB_AS_REP) > >- usage = 3 > enc_part = rep['enc-part'] >- enc_as_rep_part = key.decrypt(usage, rep['enc-part']['cipher']) >+ enc_as_rep_part = key.decrypt( >+ KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) > return (enc_as_rep_part, enc_part) > > >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index 1a823d173e3..e835d389f1c 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py >@@ -41,6 +41,10 @@ from samba.tests.krb5.rfc4120_constants import ( > KRB_AS_REP, > KRB_TGS_REP, > KRB_ERROR, >+ KU_AS_REP_ENC_PART, >+ KU_PA_ENC_TIMESTAMP, >+ KU_TGS_REP_ENC_PART_SUB_KEY, >+ KU_TICKET, > PADATA_ENC_TIMESTAMP, > PADATA_ETYPE_INFO2, > ) >@@ -196,8 +200,7 @@ class KDCBaseTest(RawKerberosTest): > padata = self.PA_ENC_TS_ENC_create(patime, pausec) > padata = self.der_encode(padata, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) > >- usage = 1 >- padata = self.EncryptedData_create(key, usage, padata) >+ padata = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, padata) > padata = self.der_encode(padata, asn1Spec=krb5_asn1.EncryptedData()) > > padata = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, padata) >@@ -207,8 +210,7 @@ class KDCBaseTest(RawKerberosTest): > def get_as_rep_enc_data(self, key, rep): > ''' Decrypt and Decode the encrypted data in an AS-REP > ''' >- usage = 3 >- enc_part = key.decrypt(usage, rep['enc-part']['cipher']) >+ enc_part = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) > # MIT KDC encodes both EncASRepPart and EncTGSRepPart with > # application tag 26 > try: >@@ -303,7 +305,6 @@ class KDCBaseTest(RawKerberosTest): > padata = [] > > subkey = self.RandomKey(key.etype) >- subkey_usage = 9 > > (ctime, cusec) = self.get_KerberosTimeWithUsec() 
> >@@ -332,7 +333,8 @@ class KDCBaseTest(RawKerberosTest): > msg_type = rep['msg-type'] > enc_part = None > if msg_type == KRB_TGS_REP: >- enc_part = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) >+ enc_part = subkey.decrypt( >+ KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) > enc_part = self.der_decode( > enc_part, asn1Spec=krb5_asn1.EncTGSRepPart()) > return (rep, enc_part) >@@ -403,7 +405,7 @@ class KDCBaseTest(RawKerberosTest): > salt, > ticket['enc-part']['kvno']) > >- enc_part = key.decrypt(2, ticket['enc-part']['cipher']) >+ enc_part = key.decrypt(KU_TICKET, ticket['enc-part']['cipher']) > enc_ticket_part = self.der_decode( > enc_part, asn1Spec=krb5_asn1.EncTicketPart()) > return enc_ticket_part >diff --git a/python/samba/tests/krb5/kdc_tests.py b/python/samba/tests/krb5/kdc_tests.py >index 57a25448965..17b9d154bd9 100755 >--- a/python/samba/tests/krb5/kdc_tests.py >+++ b/python/samba/tests/krb5/kdc_tests.py >@@ -91,8 +91,7 @@ class KdcTests(RawKerberosTest): > pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) > pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) > >- enc_pa_ts_usage = 1 >- pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) >+ pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) > pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) > > pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) >diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py >index ae38635c53b..2e1bd3fbe1f 100755 >--- a/python/samba/tests/krb5/s4u_tests.py >+++ b/python/samba/tests/krb5/s4u_tests.py 
>@@ -25,6 +25,11 @@ os.environ["PYTHONUNBUFFERED"] = "1"
> from samba.tests import env_get_var_value
> from samba.tests.krb5.kcrypto import Cksumtype
> from samba.tests.krb5.raw_testcase import RawKerberosTest
>+from samba.tests.krb5.rfc4120_constants import (
>+ KU_PA_ENC_TIMESTAMP,
>+ KU_AS_REP_ENC_PART,
>+ KU_TGS_REP_ENC_PART_SUB_KEY,
>+)
> import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
>
> global_asn1_print = False
>@@ -86,8 +91,7 @@ class S4UKerberosTests(RawKerberosTest):
> pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec)
> pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC())
>
>- enc_pa_ts_usage = 1
>- pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts)
>+ pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts)
> pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData())
>
> pa_ts = self.PA_DATA_create(2, pa_ts)
>@@ -115,8 +119,7 @@ class S4UKerberosTests(RawKerberosTest):
> msg_type = rep['msg-type']
> self.assertEqual(msg_type, 11)
>
>- usage = 3
>- enc_part2 = key.decrypt(usage, rep['enc-part']['cipher'])
>+ enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher'])
> enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
>
> # S4U2Self Request
>@@ -135,7 +138,6 @@ class S4UKerberosTests(RawKerberosTest):
> padata = [pa_s4u]
>
> subkey = self.RandomKey(ticket_session_key.etype)
>- subkey_usage = 9
>
> (ctime, cusec) = self.get_KerberosTimeWithUsec()
>
>@@ -163,7 +165,8 @@ class S4UKerberosTests(RawKerberosTest):
>
> msg_type = rep['msg-type']
> if msg_type == 13:
>- enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher'])
>+ enc_part2 = subkey.decrypt(
>+ KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher'])
> enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart())
>
> return msg_type
>diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py
>index 236fbda1cd5..6c090af3d46 100755
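Review bot: The s4u_tests.py hunks keep bare protocol numbers on the lines right next to the new named key usages: `self.PA_DATA_create(2, pa_ts)`, `self.assertEqual(msg_type, 11)` and `if msg_type == 13:`. rfc4120_constants.py already exports `PADATA_ENC_TIMESTAMP`, `KRB_AS_REP` and `KRB_TGS_REP`, which look like the intended names for these values (the other test files pass `PADATA_ENC_TIMESTAMP` in the same call), so adding them to the new import list and writing `self.assertEqual(msg_type, KRB_AS_REP)` and `if msg_type == KRB_TGS_REP:` would finish the cleanup. The same literals remain in the simple_tests.py and xrealm_tests.py hunks of this patch. The test methods involved start and end outside the hunks.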
>--- a/python/samba/tests/krb5/simple_tests.py >+++ b/python/samba/tests/krb5/simple_tests.py >@@ -23,6 +23,11 @@ sys.path.insert(0, "bin/python") > os.environ["PYTHONUNBUFFERED"] = "1" > > from samba.tests.krb5.raw_testcase import RawKerberosTest >+from samba.tests.krb5.rfc4120_constants import ( >+ KU_AS_REP_ENC_PART, >+ KU_PA_ENC_TIMESTAMP, >+ KU_TGS_REP_ENC_PART_SUB_KEY, >+) > import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 > > global_asn1_print = False >@@ -84,8 +89,7 @@ class SimpleKerberosTests(RawKerberosTest): > pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) > pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) > >- enc_pa_ts_usage = 1 >- pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) >+ pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) > pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) > > pa_ts = self.PA_DATA_create(2, pa_ts) >@@ -113,8 +117,7 @@ class SimpleKerberosTests(RawKerberosTest): > msg_type = rep['msg-type'] > self.assertEqual(msg_type, 11) > >- usage = 3 >- enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) >+ enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) > > # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 > try: >@@ -134,7 +137,6 @@ class SimpleKerberosTests(RawKerberosTest): > padata = [] > > subkey = self.RandomKey(ticket_session_key.etype) >- subkey_usage = 9 > > (ctime, cusec) = self.get_KerberosTimeWithUsec() > >@@ -163,7 +165,8 @@ class SimpleKerberosTests(RawKerberosTest): > msg_type = rep['msg-type'] > self.assertEqual(msg_type, 13) > >- enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) >+ enc_part2 = subkey.decrypt( >+ KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) > enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) > > return 
>diff --git a/python/samba/tests/krb5/xrealm_tests.py b/python/samba/tests/krb5/xrealm_tests.py >index 64064b8a670..b4a02bff33a 100755 >--- a/python/samba/tests/krb5/xrealm_tests.py >+++ b/python/samba/tests/krb5/xrealm_tests.py >@@ -23,6 +23,11 @@ sys.path.insert(0, "bin/python") > os.environ["PYTHONUNBUFFERED"] = "1" > > from samba.tests.krb5.raw_testcase import RawKerberosTest >+from samba.tests.krb5.rfc4120_constants import ( >+ KU_PA_ENC_TIMESTAMP, >+ KU_AS_REP_ENC_PART, >+ KU_TGS_REP_ENC_PART_SUB_KEY, >+) > import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 > import samba.tests > >@@ -85,8 +90,7 @@ class XrealmKerberosTests(RawKerberosTest): > pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) > pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) > >- enc_pa_ts_usage = 1 >- pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) >+ pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) > pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) > > pa_ts = self.PA_DATA_create(2, pa_ts) >@@ -114,8 +118,7 @@ class XrealmKerberosTests(RawKerberosTest): > msg_type = rep['msg-type'] > self.assertEqual(msg_type, 11) > >- usage = 3 >- enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) >+ enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) > > # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 > try: >@@ -134,7 +137,6 @@ class XrealmKerberosTests(RawKerberosTest): > padata = [] > > subkey = self.RandomKey(ticket_session_key.etype) >- subkey_usage = 9 > > (ctime, cusec) = self.get_KerberosTimeWithUsec() 
> >@@ -163,7 +165,8 @@ class XrealmKerberosTests(RawKerberosTest): > msg_type = rep['msg-type'] > self.assertEqual(msg_type, 13) > >- enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) >+ enc_part2 = subkey.decrypt( >+ KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) > enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) > > # Check the forwardable flag >-- >2.25.1 > > >From f1b7f4fff235e8d790da62546edb7daf6978818c Mon Sep 17 00:00:00 2001 >From: Gary Lockyer <gary@catalyst.net.nz> >Date: Fri, 11 Dec 2020 11:55:01 +1300 >Subject: [PATCH 063/686] tests python krb5: PEP8 cleanups > >Fix all the PEP8 warnings in samba/tests/krb5. With the exception of >rfc4120_pyasn1.py, which is generated from rfc4120.asn1. > >As these tests are new, it makes sense to ensure that they conform to >PEP8. And set an aspirational goal for the rest of our python code. > >Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> >Reviewed-by: Andreas Schneider <asn@samba.org> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 > >Autobuild-User(master): Gary Lockyer <gary@samba.org> >Autobuild-Date(master): Mon Dec 21 21:29:28 UTC 2020 on sn-devel-184 > >(cherry picked from commit c00d537526ca881c540ff66e703ad9c96dd1face) >--- > .../tests/krb5/as_canonicalization_tests.py | 54 ++- > .../samba/tests/krb5/compatability_tests.py | 24 +- > python/samba/tests/krb5/kcrypto.py | 67 +-- > python/samba/tests/krb5/kdc_base_test.py | 4 +- > python/samba/tests/krb5/kdc_tests.py | 17 +- > python/samba/tests/krb5/raw_testcase.py | 409 +++++++++++------- > python/samba/tests/krb5/rfc4120_constants.py | 32 +- > python/samba/tests/krb5/s4u_tests.py | 19 +- > python/samba/tests/krb5/simple_tests.py | 24 +- > python/samba/tests/krb5/xrealm_tests.py | 26 +- > 10 files changed, 413 insertions(+), 263 deletions(-) 
> >diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py >index e89b40eab8f..43f532dc483 100755 >--- a/python/samba/tests/krb5/as_canonicalization_tests.py >+++ b/python/samba/tests/krb5/as_canonicalization_tests.py >@@ -31,8 +31,6 @@ import samba > from samba.auth import system_session > from samba.credentials import ( > Credentials, >- CLI_CRED_NTLMv2_AUTH, >- CLI_CRED_NTLM_AUTH, > DONT_USE_KERBEROS) > from samba.dcerpc.misc import SEC_CHAN_WKSTA > from samba.dsdb import ( >@@ -41,7 +39,20 @@ from samba.dsdb import ( > UF_NORMAL_ACCOUNT) > from samba.samdb import SamDB > from samba.tests import delete_force, DynamicTestCase >-from samba.tests.krb5.rfc4120_constants import * >+from samba.tests.krb5.rfc4120_constants import ( >+ AES256_CTS_HMAC_SHA1_96, >+ AES128_CTS_HMAC_SHA1_96, >+ ARCFOUR_HMAC_MD5, >+ KDC_ERR_PREAUTH_REQUIRED, >+ KRB_AS_REP, >+ KU_AS_REP_ENC_PART, >+ KRB_ERROR, >+ KU_PA_ENC_TIMESTAMP, >+ PADATA_ENC_TIMESTAMP, >+ NT_ENTERPRISE_PRINCIPAL, >+ NT_PRINCIPAL, >+ NT_SRV_INST, >+) > > global_asn1_print = False > global_hexdump = False >@@ -49,15 +60,15 @@ global_hexdump = False > > @unique > class TestOptions(Enum): >- Canonicalize = 1 >- Enterprise = 2 >- UpperRealm = 4 >- UpperUserName = 8 >- NetbiosRealm = 16 >- UPN = 32 >- RemoveDollar = 64 >- AsReqSelf = 128 >- Last = 256 >+ Canonicalize = 1 >+ Enterprise = 2 >+ UpperRealm = 4 >+ UpperUserName = 8 >+ NetbiosRealm = 16 >+ UPN = 32 >+ RemoveDollar = 64 >+ AsReqSelf = 128 >+ Last = 256 > > def is_set(self, x): > return self.value & x >@@ -65,7 +76,7 @@ class TestOptions(Enum): > > @unique > class CredentialsType(Enum): >- User = 1 >+ User = 1 > Machine = 2 > > def is_set(self, x): >@@ -126,7 +137,8 @@ class TestData: > > > MACHINE_NAME = "tstkrb5cnnmch" >-USER_NAME = "tstkrb5cnnusr" >+USER_NAME = "tstkrb5cnnusr" >+ > > @DynamicTestCase > class KerberosASCanonicalizationTests(RawKerberosTest): 
>@@ -160,21 +172,21 @@ class KerberosASCanonicalizationTests(RawKerberosTest): > > @classmethod > def setUpClass(cls): >- cls.lp = cls.get_loadparm(cls) >+ cls.lp = cls.get_loadparm(cls) > cls.username = os.environ["USERNAME"] > cls.password = os.environ["PASSWORD"] >- cls.host = os.environ["SERVER"] >+ cls.host = os.environ["SERVER"] > > c = Credentials() > c.set_username(cls.username) > c.set_password(cls.password) > try: >- realm = os.environ["REALM"] >+ realm = os.environ["REALM"] > c.set_realm(realm) > except KeyError: > pass > try: >- domain = os.environ["DOMAIN"] >+ domain = os.environ["DOMAIN"] > c.set_domain(domain) > except KeyError: > pass >@@ -200,7 +212,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): > def setUp(self): > super(KerberosASCanonicalizationTests, self).setUp() > self.do_asn1_print = global_asn1_print >- self.do_hexdump = global_hexdump >+ self.do_hexdump = global_hexdump > > # > # Create a test user account >@@ -340,7 +352,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): > # > # Check the protocol version, should be 5 > self.assertEqual( >- rep['pvno'], 5, "Data {0}".format(str(data))) >+ rep['pvno'], 5, "Data {0}".format(str(data))) > > self.assertEqual( > rep['msg-type'], KRB_ERROR, "Data {0}".format(str(data))) >@@ -397,7 +409,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): > # > # Check the protocol version, should be 5 > self.assertEqual( >- rep['pvno'], 5, "Data {0}".format(str(data))) >+ rep['pvno'], 5, "Data {0}".format(str(data))) > > msg_type = rep['msg-type'] > # Should not have got an error. >diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py >index 0b3701cd60d..5a1ef02ef80 100755 >--- a/python/samba/tests/krb5/compatability_tests.py >+++ b/python/samba/tests/krb5/compatability_tests.py 
>@@ -25,7 +25,20 @@ os.environ["PYTHONUNBUFFERED"] = "1" > > from samba.tests.krb5.raw_testcase import RawKerberosTest > import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 >-from samba.tests.krb5.rfc4120_constants import * >+from samba.tests.krb5.rfc4120_constants import ( >+ AES128_CTS_HMAC_SHA1_96, >+ AES256_CTS_HMAC_SHA1_96, >+ ARCFOUR_HMAC_MD5, >+ KDC_ERR_PREAUTH_REQUIRED, >+ KRB_AS_REP, >+ KRB_ERROR, >+ KU_AS_REP_ENC_PART, >+ KU_PA_ENC_TIMESTAMP, >+ PADATA_ENC_TIMESTAMP, >+ PADATA_ETYPE_INFO2, >+ NT_PRINCIPAL, >+ NT_SRV_INST, >+) > > global_asn1_print = False > global_hexdump = False >@@ -112,18 +125,17 @@ class SimpleKerberosTests(RawKerberosTest): > realm = creds.get_realm() > > cname = self.PrincipalName_create( >- name_type=NT_PRINCIPAL, >- names=[user]) >+ name_type=NT_PRINCIPAL, >+ names=[user]) > sname = self.PrincipalName_create( >- name_type=NT_SRV_INST, >- names=["krbtgt", realm]) >+ name_type=NT_SRV_INST, >+ names=["krbtgt", realm]) > > till = self.get_KerberosTime(offset=36000) > > kdc_options = krb5_asn1.KDCOptions('forwardable') > padata = None > >- > req = self.AS_REQ_create(padata=padata, > kdc_options=str(kdc_options), > cname=cname, >diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py >index 2572fa5bab3..23502d7bb62 100755 >--- a/python/samba/tests/krb5/kcrypto.py >+++ b/python/samba/tests/krb5/kcrypto.py >@@ -64,6 +64,7 @@ from samba.credentials import Credentials > from samba import generate_random_bytes as get_random_bytes > from samba.compat import get_string, get_bytes > >+ > class Enctype(object): > DES_CRC = 1 > DES_MD4 = 2 
>@@ -112,26 +113,30 @@ def _mac_equal(mac1, mac2): > res |= x ^ y > return res == 0 > >+ > def SIMPLE_HASH(string, algo_cls): > hash_ctx = hashes.Hash(algo_cls(), default_backend()) > hash_ctx.update(string) > return hash_ctx.finalize() > >+ > def HMAC_HASH(key, string, algo_cls): > hmac_ctx = hmac.HMAC(key, algo_cls(), default_backend()) > hmac_ctx.update(string) > return hmac_ctx.finalize() > >+ > def _nfold(str, nbytes): > # Convert str to a string of length nbytes using the RFC 3961 nfold > # operation. > > # Rotate the bytes in str to the right by nbits bits. > def rotate_right(str, nbits): >- nbytes, remain = (nbits//8) % len(str), nbits % 8 >- return bytes([(str[i-nbytes] >> remain) | >- (str[i-nbytes-1] << (8-remain) & 0xff) >- for i in range(len(str))]) >+ nbytes, remain = (nbits // 8) % len(str), nbits % 8 >+ return bytes([ >+ (str[i - nbytes] >> remain) >+ | (str[i - nbytes - 1] << (8 - remain) & 0xff) >+ for i in range(len(str))]) > > # Add equal-length strings together with end-around carry. > def add_ones_complement(str1, str2): >@@ -139,7 +144,7 @@ def _nfold(str, nbytes): > v = [a + b for a, b in zip(str1, str2)] > # Propagate carry bits to the left until there aren't any left. > while any(x & ~0xff for x in v): >- v = [(v[i-n+1]>>8) + (v[i]&0xff) for i in range(n)] >+ v = [(v[i - n + 1] >> 8) + (v[i] & 0xff) for i in range(n)] > return bytes([x for x in v]) > > # Concatenate copies of str to produce the least common multiple >@@ -150,7 +155,7 @@ def _nfold(str, nbytes): > slen = len(str) > lcm = nbytes * slen // gcd(nbytes, slen) > bigstr = b''.join((rotate_right(str, 13 * i) for i in range(lcm // slen))) >- slices = (bigstr[p:p+nbytes] for p in range(0, lcm, nbytes)) >+ slices = (bigstr[p:p + nbytes] for p in range(0, lcm, nbytes)) > return reduce(add_ones_complement, slices) 
>
>
>@@ -275,7 +280,7 @@ class _DES3CBC(_SimplifiedEnctype):
> return b if bin(b & ~1).count('1') % 2 else b | 1
> assert len(seed) == 7
> firstbytes = [parity(b & ~1) for b in seed]
>- lastbyte = parity(sum((seed[i]&1) << i+1 for i in range(7)))
>+ lastbyte = parity(sum((seed[i] & 1) << i + 1 for i in range(7)))
> keybytes = bytes([b for b in firstbytes + [lastbyte]])
> if _is_weak_des_key(keybytes):
> keybytes[7] = bytes([keybytes[7] ^ 0xF0])
>@@ -369,7 +374,7 @@ class _AESEnctype(_SimplifiedEnctype):
> if len(ciphertext) == 16:
> return aes_decrypt(ciphertext)
> # Split the ciphertext into blocks. The last block may be partial.
>- cblocks = [ciphertext[p:p+16] for p in range(0, len(ciphertext), 16)]
>+ cblocks = [ciphertext[p:p + 16] for p in range(0, len(ciphertext), 16)]
> lastlen = len(cblocks[-1])
> # CBC-decrypt all but the last two blocks.
> prev_cblock = bytes(16)
>@@ -383,7 +388,7 @@ class _AESEnctype(_SimplifiedEnctype):
> # will be the omitted bytes of ciphertext from the final
> # block.
> b = aes_decrypt(cblocks[-2])
>- lastplaintext =_xorbytes(b[:lastlen], cblocks[-1])
>+ lastplaintext = _xorbytes(b[:lastlen], cblocks[-1])
> omitted = b[lastlen:]
> # Decrypt the final cipher block plus the omitted bytes to get
> # the second-to-last plaintext block.
>@@ -433,7 +438,8 @@ class _RC4(_EnctypeProfile):
> cksum = HMAC_HASH(ki, confounder + plaintext, hashes.MD5)
> ke = HMAC_HASH(ki, cksum, hashes.MD5)
>
>- encryptor = Cipher(ciphers.ARC4(ke), None, default_backend()).encryptor()
>+ encryptor = Cipher(
>+ ciphers.ARC4(ke), None, default_backend()).encryptor()
> ctext = encryptor.update(confounder + plaintext)
>
> return cksum + ctext
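Review bot: In the `_DES3CBC` hunk of kcrypto.py the weak-key branch, `keybytes[7] = bytes([keybytes[7] ^ 0xF0])`, assigns into a `bytes` object, which is immutable, so the line raises TypeError whenever `_is_weak_des_key(keybytes)` is true instead of correcting the key. The PEP8 pass reformats the line above it but leaves this one as is; rebuilding the value works: `keybytes = keybytes[:7] + bytes([keybytes[7] ^ 0xF0])`. A unit test that feeds a seed yielding a weak DES key would cover the branch. The enclosing function starts and ends outside the hunk.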
>@@ -446,7 +452,8 @@ class _RC4(_EnctypeProfile): > ki = HMAC_HASH(key.contents, cls.usage_str(keyusage), hashes.MD5) > ke = HMAC_HASH(ki, cksum, hashes.MD5) > >- decryptor = Cipher(ciphers.ARC4(ke), None, default_backend()).decryptor() >+ decryptor = Cipher( >+ ciphers.ARC4(ke), None, default_backend()).decryptor() > basic_plaintext = decryptor.update(basic_ctext) > > exp_cksum = HMAC_HASH(ki, basic_plaintext, hashes.MD5) >@@ -636,14 +643,14 @@ def verify_checksum(cksumtype, key, keyusage, text, cksum): > c.verify(key, keyusage, text, cksum) > > >-def prfplus(key, pepper, l): >- # Produce l bytes of output using the RFC 6113 PRF+ function. >+def prfplus(key, pepper, ln): >+ # Produce ln bytes of output using the RFC 6113 PRF+ function. > out = b'' > count = 1 >- while len(out) < l: >+ while len(out) < ln: > out += prf(key, bytes([count]) + pepper) > count += 1 >- return out[:l] >+ return out[:ln] > > > def cf2(enctype, key1, key2, pepper1, pepper2): >@@ -653,9 +660,11 @@ def cf2(enctype, key1, key2, pepper1, pepper2): > return e.random_to_key(_xorbytes(prfplus(key1, pepper1, e.seedsize), > prfplus(key2, pepper2, e.seedsize))) > >+ > def h(hexstr): > return bytes.fromhex(hexstr) > >+ > class KcrytoTest(TestCase): > """kcrypto Test case.""" 
> >@@ -665,20 +674,21 @@ class KcrytoTest(TestCase): > conf = h('94B491F481485B9A0678CD3C4EA386AD') > keyusage = 2 > plain = b'9 bytesss' >- ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7CD2E' >- 'C26C355D2F') >+ ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7' >+ 'CD2EC26C355D2F') > k = Key(Enctype.AES128, kb) > self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) > self.assertEqual(decrypt(k, keyusage, ctxt), plain) > > def test_aes256_crypt(self): > # AES256 encrypt and decrypt >- kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B1404231398') >+ kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B14042313' >+ '98') > conf = h('E45CA518B42E266AD98E165E706FFB60') > keyusage = 4 > plain = b'30 bytes bytes bytes bytes byt' >- ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3D79A' >- '295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') >+ ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3' >+ 'D79A295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') > k = Key(Enctype.AES256, kb) > self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) > self.assertEqual(decrypt(k, keyusage, ctxt), plain) >@@ -694,7 +704,8 @@ class KcrytoTest(TestCase): > > def test_aes256_checksum(self): > # AES256 checksum >- kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBCFEA4EC76D7') >+ kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBC' >+ 'FEA4EC76D7') > keyusage = 4 > plain = b'fourteen' > cksum = h('E08739E3279E2903EC8E3836') >@@ -715,7 +726,8 @@ class KcrytoTest(TestCase): > string = b'X' * 64 > salt = b'pass phrase equals block size' > params = h('000004B0') >- kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56C553BA4B34') >+ kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56' >+ 'C553BA4B34') > k = string_to_key(Enctype.AES256, string, salt, params) > self.assertEqual(k.contents, kb) 
> >@@ -741,7 +753,8 @@ class KcrytoTest(TestCase): > > def test_aes256_cf2(self): > # AES256 cf2 >- kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5E72B1C7B') >+ kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5' >+ 'E72B1C7B') > k1 = string_to_key(Enctype.AES256, b'key1', b'key1') > k2 = string_to_key(Enctype.AES256, b'key2', b'key2') > k = cf2(Enctype.AES256, k1, k2, b'a', b'b') >@@ -753,8 +766,8 @@ class KcrytoTest(TestCase): > conf = h('94690A17B2DA3C9B') > keyusage = 3 > plain = b'13 bytes byte' >- ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F705E8' >- '49CB7781D76A316B193F8D30') >+ ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F7' >+ '05E849CB7781D76A316B193F8D30') > k = Key(Enctype.DES3, kb) > self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) > self.assertEqual(decrypt(k, keyusage, ctxt), _zeropad(plain, 8)) >@@ -790,8 +803,8 @@ class KcrytoTest(TestCase): > conf = h('37245E73A45FBF72') > keyusage = 4 > plain = b'30 bytes bytes bytes bytes byt' >- ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0F260' >- 'A99F0460508DE0CECC632D07C354124E46C5D2234EB8') >+ ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0' >+ 'F260A99F0460508DE0CECC632D07C354124E46C5D2234EB8') > k = Key(Enctype.RC4, kb) > self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) > self.assertEqual(decrypt(k, keyusage, ctxt), plain) >diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py >index e835d389f1c..bef5458c881 100644 >--- a/python/samba/tests/krb5/kdc_base_test.py >+++ b/python/samba/tests/krb5/kdc_base_test.py 
>@@ -374,8 +374,8 @@ class KDCBaseTest(RawKerberosTest): > account_name = ( > pac.info.info.info3.base.account_name) > user_sid = ( >- str(pac.info.info.info3.base.domain_sid) + >- "-" + str(pac.info.info.info3.base.rid)) >+ str(pac.info.info.info3.base.domain_sid) >+ + "-" + str(pac.info.info.info3.base.rid)) > elif pac.type == self.PAC_LOGON_NAME: > logon_name = pac.info.account_name > elif pac.type == self.PAC_UPN_DNS_INFO: >diff --git a/python/samba/tests/krb5/kdc_tests.py b/python/samba/tests/krb5/kdc_tests.py >index 17b9d154bd9..c7c53953a86 100755 >--- a/python/samba/tests/krb5/kdc_tests.py >+++ b/python/samba/tests/krb5/kdc_tests.py >@@ -25,7 +25,20 @@ os.environ["PYTHONUNBUFFERED"] = "1" > > from samba.tests.krb5.raw_testcase import RawKerberosTest > import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 >-from samba.tests.krb5.rfc4120_constants import * >+from samba.tests.krb5.rfc4120_constants import ( >+ AES256_CTS_HMAC_SHA1_96, >+ ARCFOUR_HMAC_MD5, >+ KDC_ERR_PREAUTH_FAILED, >+ KDC_ERR_PREAUTH_REQUIRED, >+ KDC_ERR_SKEW, >+ KRB_AS_REP, >+ KRB_ERROR, >+ KU_PA_ENC_TIMESTAMP, >+ PADATA_ENC_TIMESTAMP, >+ PADATA_ETYPE_INFO2, >+ NT_PRINCIPAL, >+ NT_SRV_INST, >+) > > global_asn1_print = False > global_hexdump = False >@@ -83,7 +96,7 @@ class KdcTests(RawKerberosTest): > break > > etype_info2 = self.der_decode( >- etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) >+ etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) > > key = self.PasswordKey_from_etype_info2(creds, etype_info2[0]) > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index e67f5464e59..82e68ee7019 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py 
>@@ -35,7 +35,10 @@ from pyasn1.codec.native.decoder import decode as pyasn1_native_decode > from pyasn1.codec.native.encoder import encode as pyasn1_native_encode > > from pyasn1.codec.ber.encoder import BitStringEncoder as BitStringEncoder >-def BitStringEncoder_encodeValue32(self, value, asn1Spec, encodeFun, **options): >+ >+ >+def BitStringEncoder_encodeValue32( >+ self, value, asn1Spec, encodeFun, **options): > # > # BitStrings like KDCOptions or TicketFlags should at least > # be 32-Bit on the wire >@@ -59,14 +62,17 @@ def BitStringEncoder_encodeValue32(self, value, asn1Spec, encodeFun, **options): > padding = 0 > ret = b'\x00' + substrate + (b'\x00' * padding) > return ret, False, True >+ >+ > BitStringEncoder.encodeValue = BitStringEncoder_encodeValue32 > >+ > def BitString_NamedValues_prettyPrint(self, scope=0): > ret = "%s" % self.asBinary() > bits = [] > highest_bit = 32 > for byte in self.asNumbers(): >- for bit in [7,6,5,4,3,2,1,0]: >+ for bit in [7, 6, 5, 4, 3, 2, 1, 0]: > mask = 1 << bit > if byte & mask: > val = 1 
>@@ -89,12 +95,21 @@ def BitString_NamedValues_prettyPrint(self, scope=0): > delim = ",\n%s " % indent > ret += "\n%s)" % indent > return ret >-krb5_asn1.TicketFlags.prettyPrintNamedValues = krb5_asn1.TicketFlagsValues.namedValues >-krb5_asn1.TicketFlags.namedValues = krb5_asn1.TicketFlagsValues.namedValues >-krb5_asn1.TicketFlags.prettyPrint = BitString_NamedValues_prettyPrint >-krb5_asn1.KDCOptions.prettyPrintNamedValues = krb5_asn1.KDCOptionsValues.namedValues >-krb5_asn1.KDCOptions.namedValues = krb5_asn1.KDCOptionsValues.namedValues >-krb5_asn1.KDCOptions.prettyPrint = BitString_NamedValues_prettyPrint >+ >+ >+krb5_asn1.TicketFlags.prettyPrintNamedValues =\ >+ krb5_asn1.TicketFlagsValues.namedValues >+krb5_asn1.TicketFlags.namedValues =\ >+ krb5_asn1.TicketFlagsValues.namedValues >+krb5_asn1.TicketFlags.prettyPrint =\ >+ BitString_NamedValues_prettyPrint >+krb5_asn1.KDCOptions.prettyPrintNamedValues =\ >+ krb5_asn1.KDCOptionsValues.namedValues >+krb5_asn1.KDCOptions.namedValues =\ >+ krb5_asn1.KDCOptionsValues.namedValues >+krb5_asn1.KDCOptions.prettyPrint =\ >+ BitString_NamedValues_prettyPrint >+ > > def Integer_NamedValues_prettyPrint(self, scope=0): > intval = int(self) 
>@@ -104,16 +119,29 @@ def Integer_NamedValues_prettyPrint(self, scope=0): > name = "<__unknown__>" > ret = "%d (0x%x) %s" % (intval, intval, name) > return ret >-krb5_asn1.NameType.prettyPrintNamedValues = krb5_asn1.NameTypeValues.namedValues >-krb5_asn1.NameType.prettyPrint = Integer_NamedValues_prettyPrint >-krb5_asn1.AuthDataType.prettyPrintNamedValues = krb5_asn1.AuthDataTypeValues.namedValues >-krb5_asn1.AuthDataType.prettyPrint = Integer_NamedValues_prettyPrint >-krb5_asn1.PADataType.prettyPrintNamedValues = krb5_asn1.PADataTypeValues.namedValues >-krb5_asn1.PADataType.prettyPrint = Integer_NamedValues_prettyPrint >-krb5_asn1.EncryptionType.prettyPrintNamedValues = krb5_asn1.EncryptionTypeValues.namedValues >-krb5_asn1.EncryptionType.prettyPrint = Integer_NamedValues_prettyPrint >-krb5_asn1.ChecksumType.prettyPrintNamedValues = krb5_asn1.ChecksumTypeValues.namedValues >-krb5_asn1.ChecksumType.prettyPrint = Integer_NamedValues_prettyPrint >+ >+ >+krb5_asn1.NameType.prettyPrintNamedValues =\ >+ krb5_asn1.NameTypeValues.namedValues >+krb5_asn1.NameType.prettyPrint =\ >+ Integer_NamedValues_prettyPrint >+krb5_asn1.AuthDataType.prettyPrintNamedValues =\ >+ krb5_asn1.AuthDataTypeValues.namedValues >+krb5_asn1.AuthDataType.prettyPrint =\ >+ Integer_NamedValues_prettyPrint >+krb5_asn1.PADataType.prettyPrintNamedValues =\ >+ krb5_asn1.PADataTypeValues.namedValues >+krb5_asn1.PADataType.prettyPrint =\ >+ Integer_NamedValues_prettyPrint >+krb5_asn1.EncryptionType.prettyPrintNamedValues =\ >+ krb5_asn1.EncryptionTypeValues.namedValues >+krb5_asn1.EncryptionType.prettyPrint =\ >+ Integer_NamedValues_prettyPrint >+krb5_asn1.ChecksumType.prettyPrintNamedValues =\ >+ krb5_asn1.ChecksumTypeValues.namedValues >+krb5_asn1.ChecksumType.prettyPrint =\ >+ Integer_NamedValues_prettyPrint >+ > > class Krb5EncryptionKey(object): > def __init__(self, key, kvno): 
>@@ -146,9 +174,10 @@ class Krb5EncryptionKey(object):
> EncryptionKey_obj = {
> 'keytype': self.etype,
> 'keyvalue': self.key.contents,
>- };
>+ }
> return EncryptionKey_obj
>
>+
> class RawKerberosTest(TestCase):
> """A raw Kerberos Test case."""
>
>@@ -182,13 +211,13 @@ class RawKerberosTest(TestCase):
> self.s = socket.socket(self.a[0][0], self.a[0][1], self.a[0][2])
> self.s.settimeout(10)
> self.s.connect(self.a[0][4])
>- except socket.error as e:
>+ except socket.error:
> self.s.close()
> raise
>- except IOError as e:
>+ except IOError:
> self.s.close()
> raise
>- except Exception as e:
>+ except Exception:
> raise
> finally:
> pass
>@@ -219,8 +248,9 @@ class RawKerberosTest(TestCase):
> domain = samba.tests.env_get_var_value('DOMAIN')
> realm = samba.tests.env_get_var_value('REALM')
> username = samba.tests.env_get_var_value('SERVICE_USERNAME')
>- password = samba.tests.env_get_var_value('SERVICE_PASSWORD',
>- allow_missing=allow_missing_password)
>+ password = samba.tests.env_get_var_value(
>+ 'SERVICE_PASSWORD',
>+ allow_missing=allow_missing_password)
> c.set_domain(domain)
> c.set_realm(realm)
> c.set_username(username)
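Review bot: With the unused `as e` bindings gone, the handler chain in the `@@ -182,13 +211,13 @@` hunk still carries two no-ops: `except Exception: raise` and `finally: pass` change nothing and can be deleted. Under Python 3 `socket.error` and `IOError` are both aliases of `OSError`, so the second handler can never run there, and a single `except (socket.error, IOError):` clause would cover both interpreters. If `socket.socket()` itself raises, `self.s` was never assigned by this attempt, so `self.s.close()` may fail and mask the original error (presumably `self.s` is None at that point); a guard such as `if self.s is not None: self.s.close()` would keep the real exception visible. The method starts outside the hunk.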
>@@ -246,21 +276,34 @@ class RawKerberosTest(TestCase): > if hexdump is None: > hexdump = self.do_hexdump > if hexdump: >- sys.stderr.write("%s: %d\n%s" % (name, len(blob), self.hexdump(blob))) >- >- def der_decode(self, blob, asn1Spec=None, native_encode=True, asn1_print=None, hexdump=None): >+ sys.stderr.write( >+ "%s: %d\n%s" % (name, len(blob), self.hexdump(blob))) >+ >+ def der_decode( >+ self, >+ blob, >+ asn1Spec=None, >+ native_encode=True, >+ asn1_print=None, >+ hexdump=None): > if asn1Spec is not None: > class_name = type(asn1Spec).__name__.split(':')[0] > else: > class_name = "<None-asn1Spec>" > self.hex_dump(class_name, blob, hexdump=hexdump) >- obj,_ = pyasn1_der_decode(blob, asn1Spec=asn1Spec) >+ obj, _ = pyasn1_der_decode(blob, asn1Spec=asn1Spec) > self.asn1_dump(None, obj, asn1_print=asn1_print) > if native_encode: > obj = pyasn1_native_encode(obj) > return obj > >- def der_encode(self, obj, asn1Spec=None, native_decode=True, asn1_print=None, hexdump=None): >+ def der_encode( >+ self, >+ obj, >+ asn1Spec=None, >+ native_decode=True, >+ asn1_print=None, >+ hexdump=None): > if native_decode: > obj = pyasn1_native_decode(obj, asn1Spec=asn1Spec) > class_name = type(obj).__name__.split(':')[0] >@@ -273,7 +316,8 @@ class RawKerberosTest(TestCase): > > def send_pdu(self, req, asn1_print=None, hexdump=None): > try: >- k5_pdu = self.der_encode(req, native_decode=False, asn1_print=asn1_print, hexdump=False) >+ k5_pdu = self.der_encode( >+ req, native_decode=False, asn1_print=asn1_print, hexdump=False) > header = struct.pack('>I', len(k5_pdu)) > req_pdu = header > req_pdu += k5_pdu >@@ -304,7 +348,7 @@ class RawKerberosTest(TestCase): > self._disconnect("recv_raw: EOF") > return None > self.hex_dump("recv_raw", rep_pdu, hexdump=hexdump) >- except socket.timeout as e: >+ except socket.timeout: > self.s.settimeout(10) > sys.stderr.write("recv_raw: TIMEOUT\n") > pass 
>@@ -322,7 +366,8 @@ class RawKerberosTest(TestCase): > rep_pdu = None > rep = None > try: >- raw_pdu = self.recv_raw(num_recv=4, hexdump=hexdump, timeout=timeout) >+ raw_pdu = self.recv_raw( >+ num_recv=4, hexdump=hexdump, timeout=timeout) > if raw_pdu is None: > return (None, None) > header = struct.unpack(">I", raw_pdu[0:4]) >@@ -332,22 +377,27 @@ class RawKerberosTest(TestCase): > missing = k5_len > rep_pdu = b'' > while missing > 0: >- raw_pdu = self.recv_raw(num_recv=missing, hexdump=hexdump, timeout=timeout) >+ raw_pdu = self.recv_raw( >+ num_recv=missing, hexdump=hexdump, timeout=timeout) > self.assertGreaterEqual(len(raw_pdu), 1) > rep_pdu += raw_pdu > missing = k5_len - len(rep_pdu) >- k5_raw = self.der_decode(rep_pdu, asn1Spec=None, native_encode=False, >- asn1_print=False, hexdump=False) >- pvno=k5_raw['field-0'] >+ k5_raw = self.der_decode( >+ rep_pdu, >+ asn1Spec=None, >+ native_encode=False, >+ asn1_print=False, >+ hexdump=False) >+ pvno = k5_raw['field-0'] > self.assertEqual(pvno, 5) >- msg_type=k5_raw['field-1'] >- self.assertIn(msg_type, [11,13,30]) >+ msg_type = k5_raw['field-1'] >+ self.assertIn(msg_type, [11, 13, 30]) > if msg_type == 11: >- asn1Spec=krb5_asn1.AS_REP() >+ asn1Spec = krb5_asn1.AS_REP() > elif msg_type == 13: >- asn1Spec=krb5_asn1.TGS_REP() >+ asn1Spec = krb5_asn1.TGS_REP() > elif msg_type == 30: >- asn1Spec=krb5_asn1.KRB_ERROR() >+ asn1Spec = krb5_asn1.KRB_ERROR() > rep = self.der_decode(rep_pdu, asn1Spec=asn1Spec, > asn1_print=asn1_print, hexdump=False) > finally: 
>@@ -368,11 +418,17 @@ class RawKerberosTest(TestCase):
> self.assertIsNone(self.s, msg="Is connected")
> return
>
>- def send_recv_transaction(self, req, asn1_print=None, hexdump=None, timeout=None):
>+ def send_recv_transaction(
>+ self,
>+ req,
>+ asn1_print=None,
>+ hexdump=None,
>+ timeout=None):
> self.connect()
> try:
> self.send_pdu(req, asn1_print=asn1_print, hexdump=hexdump)
>- rep = self.recv_pdu(asn1_print=asn1_print, hexdump=hexdump, timeout=timeout)
>+ rep = self.recv_pdu(
>+ asn1_print=asn1_print, hexdump=hexdump, timeout=timeout)
> except Exception:
> self._disconnect("transaction failed")
> raise
>@@ -389,11 +445,15 @@ class RawKerberosTest(TestCase):
>
> def assertPrincipalEqual(self, princ1, princ2):
> self.assertEqual(princ1['name-type'], princ2['name-type'])
>- self.assertEqual(len(princ1['name-string']), len(princ2['name-string']),
>- msg="princ1=%s != princ2=%s" % (princ1, princ2))
>+ self.assertEqual(
>+ len(princ1['name-string']),
>+ len(princ2['name-string']),
>+ msg="princ1=%s != princ2=%s" % (princ1, princ2))
> for idx in range(len(princ1['name-string'])):
>- self.assertEqual(princ1['name-string'][idx], princ2['name-string'][idx],
>- msg="princ1=%s != princ2=%s" % (princ1, princ2))
>+ self.assertEqual(
>+ princ1['name-string'][idx],
>+ princ2['name-string'][idx],
>+ msg="princ1=%s != princ2=%s" % (princ1, princ2))
> return
>
> def get_KerberosTimeWithUsec(self, epoch=None, offset=None):
>@@ -421,7 +481,7 @@ class RawKerberosTest(TestCase):
> salt = None
> try:
> salt = etype_info2['salt']
>- except:
>+ except Exception:
> pass
>
> if e == kcrypto.Enctype.RC4:
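Review bot: `except Exception: pass` in the `@@ -421,7 +481,7 @@` hunk is still broader than the lookup needs: the only expected failure of `etype_info2['salt']` is a missing key, and swallowing every other exception would hide a malformed ETYPE-INFO2 entry and let key derivation continue with `salt = None`. Catching just the missing-key case with `except KeyError:` keeps the optional-salt behaviour while letting real decode problems fail the test. If the decoded entry is a plain dict (not visible here), the whole try block could instead become `salt = etype_info2.get('salt')`. The enclosing method starts before and continues after the hunk.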
>@@ -429,7 +489,8 @@ class RawKerberosTest(TestCase): > return self.SessionKey_create(etype=e, contents=nthash, kvno=kvno) > > password = creds.get_password() >- return self.PasswordKey_create(etype=e, pwd=password, salt=salt, kvno=kvno) >+ return self.PasswordKey_create( >+ etype=e, pwd=password, salt=salt, kvno=kvno) > > def RandomKey(self, etype): > e = kcrypto._get_enctype_profile(etype) >@@ -452,14 +513,14 @@ class RawKerberosTest(TestCase): > 'cipher': ciphertext > } > if key.kvno is not None: >- EncryptedData_obj['kvno'] = key.kvno >+ EncryptedData_obj['kvno'] = key.kvno > return EncryptedData_obj > > def Checksum_create(self, key, usage, plaintext, ctype=None): >- #Checksum ::= SEQUENCE { >+ # Checksum ::= SEQUENCE { > # cksumtype [0] Int32, > # checksum [1] OCTET STRING >- #} >+ # } > if ctype is None: > ctype = key.ctype > checksum = key.make_checksum(usage, plaintext, ctype=ctype) >@@ -494,10 +555,10 @@ class RawKerberosTest(TestCase): > return PA_DATA_obj > > def PA_ENC_TS_ENC_create(self, ts, usec): >- #PA-ENC-TS-ENC ::= SEQUENCE { >+ # PA-ENC-TS-ENC ::= SEQUENCE { > # patimestamp[0] KerberosTime, -- client's time > # pausec[1] krb5int32 OPTIONAL >- #} >+ # } > PA_ENC_TS_ENC_obj = { > 'patimestamp': ts, > 'pausec': usec, >@@ -520,7 +581,7 @@ class RawKerberosTest(TestCase): > additional_tickets, > asn1_print=None, > hexdump=None): >- #KDC-REQ-BODY ::= SEQUENCE { >+ # KDC-REQ-BODY ::= SEQUENCE { > # kdc-options [0] KDCOptions, > # cname [1] PrincipalName OPTIONAL > # -- Used only in AS-REQ --, 
>@@ -532,20 +593,23 @@ class RawKerberosTest(TestCase): > # till [5] KerberosTime, > # rtime [6] KerberosTime OPTIONAL, > # nonce [7] UInt32, >- # etype [8] SEQUENCE OF Int32 -- EncryptionType >+ # etype [8] SEQUENCE OF Int32 >+ # -- EncryptionType > # -- in preference order --, > # addresses [9] HostAddresses OPTIONAL, > # enc-authorization-data [10] EncryptedData OPTIONAL > # -- AuthorizationData --, > # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL > # -- NOTE: not empty >- #} >+ # } > if EncAuthorizationData is not None: >- enc_ad_plain = self.der_encode(EncAuthorizationData, >- asn1Spec=krb5_asn1.AuthorizationData(), >- asn1_print=asn1_print, >- hexdump=hexdump) >- enc_ad = self.EncryptedData_create(EncAuthorizationData_key, enc_ad_plain) >+ enc_ad_plain = self.der_encode( >+ EncAuthorizationData, >+ asn1Spec=krb5_asn1.AuthorizationData(), >+ asn1_print=asn1_print, >+ hexdump=hexdump) >+ enc_ad = self.EncryptedData_create( >+ EncAuthorizationData_key, enc_ad_plain) > else: > enc_ad = None > KDC_REQ_BODY_obj = { >@@ -590,14 +654,14 @@ class RawKerberosTest(TestCase): > asn1Spec=None, > asn1_print=None, > hexdump=None): >- #KDC-REQ ::= SEQUENCE { >+ # KDC-REQ ::= SEQUENCE { > # -- NOTE: first tag is [1], not [0] > # pvno [1] INTEGER (5) , > # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), > # padata [3] SEQUENCE OF PA-DATA OPTIONAL > # -- NOTE: not empty --, > # req-body [4] KDC-REQ-BODY >- #} >+ # } > # > KDC_REQ_BODY_obj = self.KDC_REQ_BODY_create(kdc_options, > cname, 
>@@ -622,39 +686,40 @@ class RawKerberosTest(TestCase): > if padata is not None: > KDC_REQ_obj['padata'] = padata > if asn1Spec is not None: >- KDC_REQ_decoded = pyasn1_native_decode(KDC_REQ_obj, asn1Spec=asn1Spec) >+ KDC_REQ_decoded = pyasn1_native_decode( >+ KDC_REQ_obj, asn1Spec=asn1Spec) > else: > KDC_REQ_decoded = None > return KDC_REQ_obj, KDC_REQ_decoded > > def AS_REQ_create(self, >- padata, # optional >- kdc_options, # required >- cname, # optional >- realm, # required >- sname, # optional >- from_time, # optional >- till_time, # required >- renew_time, # optional >- nonce, # required >- etypes, # required >- addresses, # optional >+ padata, # optional >+ kdc_options, # required >+ cname, # optional >+ realm, # required >+ sname, # optional >+ from_time, # optional >+ till_time, # required >+ renew_time, # optional >+ nonce, # required >+ etypes, # required >+ addresses, # optional > EncAuthorizationData, > EncAuthorizationData_key, > additional_tickets, > native_decoded_only=True, > asn1_print=None, > hexdump=None): >- #KDC-REQ ::= SEQUENCE { >+ # KDC-REQ ::= SEQUENCE { > # -- NOTE: first tag is [1], not [0] > # pvno [1] INTEGER (5) , > # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), > # padata [3] SEQUENCE OF PA-DATA OPTIONAL > # -- NOTE: not empty --, > # req-body [4] KDC-REQ-BODY >- #} >+ # } > # >- #KDC-REQ-BODY ::= SEQUENCE { >+ # KDC-REQ-BODY ::= SEQUENCE { > # kdc-options [0] KDCOptions, > # cname [1] PrincipalName OPTIONAL > # -- Used only in AS-REQ --, 
>@@ -666,32 +731,34 @@ class RawKerberosTest(TestCase): > # till [5] KerberosTime, > # rtime [6] KerberosTime OPTIONAL, > # nonce [7] UInt32, >- # etype [8] SEQUENCE OF Int32 -- EncryptionType >+ # etype [8] SEQUENCE OF Int32 >+ # -- EncryptionType > # -- in preference order --, > # addresses [9] HostAddresses OPTIONAL, > # enc-authorization-data [10] EncryptedData OPTIONAL > # -- AuthorizationData --, > # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL > # -- NOTE: not empty >- #} >- obj,decoded = self.KDC_REQ_create(msg_type=10, >- padata=padata, >- kdc_options=kdc_options, >- cname=cname, >- realm=realm, >- sname=sname, >- from_time=from_time, >- till_time=till_time, >- renew_time=renew_time, >- nonce=nonce, >- etypes=etypes, >- addresses=addresses, >- EncAuthorizationData=EncAuthorizationData, >- EncAuthorizationData_key=EncAuthorizationData_key, >- additional_tickets=additional_tickets, >- asn1Spec=krb5_asn1.AS_REQ(), >- asn1_print=asn1_print, >- hexdump=hexdump) >+ # } >+ obj, decoded = self.KDC_REQ_create( >+ msg_type=10, >+ padata=padata, >+ kdc_options=kdc_options, >+ cname=cname, >+ realm=realm, >+ sname=sname, >+ from_time=from_time, >+ till_time=till_time, >+ renew_time=renew_time, >+ nonce=nonce, >+ etypes=etypes, >+ addresses=addresses, >+ EncAuthorizationData=EncAuthorizationData, >+ EncAuthorizationData_key=EncAuthorizationData_key, >+ additional_tickets=additional_tickets, >+ asn1Spec=krb5_asn1.AS_REQ(), >+ asn1_print=asn1_print, >+ hexdump=hexdump) > if native_decoded_only: > return decoded > return decoded, obj >@@ -703,7 +770,7 @@ class RawKerberosTest(TestCase): > # ap-options [2] APOptions, > # ticket [3] Ticket, > # authenticator [4] EncryptedData -- Authenticator >- #} >+ # } > AP_REQ_obj = { > 'pvno': 5, > 'msg-type': 14, 
>@@ -713,8 +780,9 @@ class RawKerberosTest(TestCase): > } > return AP_REQ_obj > >- def Authenticator_create(self, crealm, cname, cksum, cusec, ctime, subkey, seq_number, >- authorization_data): >+ def Authenticator_create( >+ self, crealm, cname, cksum, cusec, ctime, subkey, seq_number, >+ authorization_data): > # -- Unencrypted authenticator > # Authenticator ::= [APPLICATION 2] SEQUENCE { > # authenticator-vno [0] INTEGER (5), >@@ -726,7 +794,7 @@ class RawKerberosTest(TestCase): > # subkey [6] EncryptionKey OPTIONAL, > # seq-number [7] UInt32 OPTIONAL, > # authorization-data [8] AuthorizationData OPTIONAL >- #} >+ # } > Authenticator_obj = { > 'authenticator-vno': 5, > 'crealm': crealm, >@@ -745,20 +813,20 @@ class RawKerberosTest(TestCase): > return Authenticator_obj > > def TGS_REQ_create(self, >- padata, # optional >+ padata, # optional > cusec, > ctime, > ticket, >- kdc_options, # required >- cname, # optional >- realm, # required >- sname, # optional >- from_time, # optional >- till_time, # required >- renew_time, # optional >- nonce, # required >- etypes, # required >- addresses, # optional >+ kdc_options, # required >+ cname, # optional >+ realm, # required >+ sname, # optional >+ from_time, # optional >+ till_time, # required >+ renew_time, # optional >+ nonce, # required >+ etypes, # required >+ addresses, # optional > EncAuthorizationData, > EncAuthorizationData_key, > additional_tickets, 
>@@ -768,16 +836,16 @@ class RawKerberosTest(TestCase): > native_decoded_only=True, > asn1_print=None, > hexdump=None): >- #KDC-REQ ::= SEQUENCE { >+ # KDC-REQ ::= SEQUENCE { > # -- NOTE: first tag is [1], not [0] > # pvno [1] INTEGER (5) , > # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), > # padata [3] SEQUENCE OF PA-DATA OPTIONAL > # -- NOTE: not empty --, > # req-body [4] KDC-REQ-BODY >- #} >+ # } > # >- #KDC-REQ-BODY ::= SEQUENCE { >+ # KDC-REQ-BODY ::= SEQUENCE { > # kdc-options [0] KDCOptions, > # cname [1] PrincipalName OPTIONAL > # -- Used only in AS-REQ --, 
>@@ -789,50 +857,57 @@ class RawKerberosTest(TestCase): > # till [5] KerberosTime, > # rtime [6] KerberosTime OPTIONAL, > # nonce [7] UInt32, >- # etype [8] SEQUENCE OF Int32 -- EncryptionType >+ # etype [8] SEQUENCE OF Int32 >+ # -- EncryptionType > # -- in preference order --, > # addresses [9] HostAddresses OPTIONAL, > # enc-authorization-data [10] EncryptedData OPTIONAL > # -- AuthorizationData --, > # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL > # -- NOTE: not empty >- #} >- >- req_body = self.KDC_REQ_BODY_create(kdc_options=kdc_options, >- cname=None, >- realm=realm, >- sname=sname, >- from_time=from_time, >- till_time=till_time, >- renew_time=renew_time, >- nonce=nonce, >- etypes=etypes, >- addresses=addresses, >- EncAuthorizationData=EncAuthorizationData, >- EncAuthorizationData_key=EncAuthorizationData_key, >- additional_tickets=additional_tickets) >+ # } >+ >+ req_body = self.KDC_REQ_BODY_create( >+ kdc_options=kdc_options, >+ cname=None, >+ realm=realm, >+ sname=sname, >+ from_time=from_time, >+ till_time=till_time, >+ renew_time=renew_time, >+ nonce=nonce, >+ etypes=etypes, >+ addresses=addresses, >+ EncAuthorizationData=EncAuthorizationData, >+ EncAuthorizationData_key=EncAuthorizationData_key, >+ additional_tickets=additional_tickets) > req_body = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(), > asn1_print=asn1_print, hexdump=hexdump) > >- req_body_checksum = self.Checksum_create(ticket_session_key, 6, req_body, >- ctype=body_checksum_type) >+ req_body_checksum = self.Checksum_create( >+ ticket_session_key, 6, req_body, ctype=body_checksum_type) > > subkey_obj = None > if authenticator_subkey is not None: > subkey_obj = authenticator_subkey.export_obj() > seq_number = random.randint(0, 0xfffffffe) >- authenticator = self.Authenticator_create(crealm=realm, >- cname=cname, >- cksum=req_body_checksum, >- cusec=cusec, >- ctime=ctime, >- subkey=subkey_obj, >- seq_number=seq_number, >- authorization_data=None) >- authenticator = 
self.der_encode(authenticator, asn1Spec=krb5_asn1.Authenticator(), >- asn1_print=asn1_print, hexdump=hexdump) >- >- authenticator = self.EncryptedData_create(ticket_session_key, 7, authenticator) >+ authenticator = self.Authenticator_create( >+ crealm=realm, >+ cname=cname, >+ cksum=req_body_checksum, >+ cusec=cusec, >+ ctime=ctime, >+ subkey=subkey_obj, >+ seq_number=seq_number, >+ authorization_data=None) >+ authenticator = self.der_encode( >+ authenticator, >+ asn1Spec=krb5_asn1.Authenticator(), >+ asn1_print=asn1_print, >+ hexdump=hexdump) >+ >+ authenticator = self.EncryptedData_create( >+ ticket_session_key, 7, authenticator) > > ap_options = krb5_asn1.APOptions('0') > ap_req = self.AP_REQ_create(ap_options=str(ap_options), >@@ -846,24 +921,25 @@ class RawKerberosTest(TestCase): > else: > padata = [pa_tgs_req] > >- obj,decoded = self.KDC_REQ_create(msg_type=12, >- padata=padata, >- kdc_options=kdc_options, >- cname=None, >- realm=realm, >- sname=sname, >- from_time=from_time, >- till_time=till_time, >- renew_time=renew_time, >- nonce=nonce, >- etypes=etypes, >- addresses=addresses, >- EncAuthorizationData=EncAuthorizationData, >- EncAuthorizationData_key=EncAuthorizationData_key, >- additional_tickets=additional_tickets, >- asn1Spec=krb5_asn1.TGS_REQ(), >- asn1_print=asn1_print, >- hexdump=hexdump) >+ obj, decoded = self.KDC_REQ_create( >+ msg_type=12, >+ padata=padata, >+ kdc_options=kdc_options, >+ cname=None, >+ realm=realm, >+ sname=sname, >+ from_time=from_time, >+ till_time=till_time, >+ renew_time=renew_time, >+ nonce=nonce, >+ etypes=etypes, >+ addresses=addresses, >+ EncAuthorizationData=EncAuthorizationData, >+ EncAuthorizationData_key=EncAuthorizationData_key, >+ additional_tickets=additional_tickets, >+ asn1Spec=krb5_asn1.TGS_REQ(), >+ asn1_print=asn1_print, >+ hexdump=hexdump) > if native_decoded_only: > return decoded > return decoded, obj 
>@@ -888,5 +964,6 @@ class RawKerberosTest(TestCase): > 'cksum': cksum, > 'auth': "Kerberos", > } >- pa_s4u2self = self.der_encode(PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self()) >+ pa_s4u2self = self.der_encode( >+ PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self()) > return self.PA_DATA_create(129, pa_s4u2self) >diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py >index 9de56578c99..5bbf1229d09 100644 >--- a/python/samba/tests/krb5/rfc4120_constants.py >+++ b/python/samba/tests/krb5/rfc4120_constants.py >@@ -38,31 +38,31 @@ PADATA_ETYPE_INFO2 = int( > > # Error codes > KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 >-KDC_ERR_PREAUTH_FAILED = 24 >-KDC_ERR_PREAUTH_REQUIRED = 25 >-KDC_ERR_BADMATCH = 36 >-KDC_ERR_SKEW = 37 >+KDC_ERR_PREAUTH_FAILED = 24 >+KDC_ERR_PREAUTH_REQUIRED = 25 >+KDC_ERR_BADMATCH = 36 >+KDC_ERR_SKEW = 37 > > # Name types >-NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) >+NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) > NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) >-NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) >+NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) > NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues( > 'kRB5-NT-ENTERPRISE-PRINCIPAL')) > > # Authorization data ad-type values > >-AD_IF_RELEVANT = 1 >-AD_INTENDED_FOR_SERVER = 2 >+AD_IF_RELEVANT = 1 >+AD_INTENDED_FOR_SERVER = 2 > AD_INTENDED_FOR_APPLICATION_CLASS = 3 >-AD_KDC_ISSUED = 4 >-AD_AND_OR = 5 >-AD_MANDATORY_TICKET_EXTENSIONS = 6 >-AD_IN_TICKET_EXTENSIONS = 7 >-AD_MANDATORY_FOR_KDC = 8 >-AD_INITIAL_VERIFIED_CAS = 9 >-AD_WIN2K_PAC = 128 >-AD_SIGNTICKET = 512 >+AD_KDC_ISSUED = 4 >+AD_AND_OR = 5 >+AD_MANDATORY_TICKET_EXTENSIONS = 6 >+AD_IN_TICKET_EXTENSIONS = 7 >+AD_MANDATORY_FOR_KDC = 8 >+AD_INITIAL_VERIFIED_CAS = 9 >+AD_WIN2K_PAC = 128 >+AD_SIGNTICKET = 512 > > # Key usage numbers > # RFC 4120 Section 7.5.1. Key Usage Numbers 
>diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py >index 2e1bd3fbe1f..30a58d6345a 100755 >--- a/python/samba/tests/krb5/s4u_tests.py >+++ b/python/samba/tests/krb5/s4u_tests.py >@@ -35,6 +35,7 @@ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 > global_asn1_print = False > global_hexdump = False > >+ > class S4UKerberosTests(RawKerberosTest): > > def setUp(self): >@@ -55,7 +56,7 @@ class S4UKerberosTests(RawKerberosTest): > kdc_options = krb5_asn1.KDCOptions('forwardable') > padata = None > >- etypes=(18,17,23) >+ etypes = (18, 17, 23) > > req = self.AS_REQ_create(padata=padata, > kdc_options=str(kdc_options), >@@ -76,14 +77,16 @@ class S4UKerberosTests(RawKerberosTest): > > self.assertEqual(rep['msg-type'], 30) > self.assertEqual(rep['error-code'], 25) >- rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) >+ rep_padata = self.der_decode( >+ rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) > > for pa in rep_padata: > if pa['padata-type'] == 19: > etype_info2 = pa['padata-value'] > break > >- etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) >+ etype_info2 = self.der_decode( >+ etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) > > key = self.PasswordKey_from_etype_info2(service_creds, etype_info2[0]) > >@@ -120,7 +123,8 @@ class S4UKerberosTests(RawKerberosTest): > self.assertEqual(msg_type, 11) > > enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) >- enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) >+ enc_part2 = self.der_decode( >+ enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) > > # S4U2Self Request > sname = cname 
>@@ -167,11 +171,13 @@ class S4UKerberosTests(RawKerberosTest): > if msg_type == 13: > enc_part2 = subkey.decrypt( > KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) >- enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) >+ enc_part2 = self.der_decode( >+ enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) > > return msg_type > >- # Using the checksum type from the tgt_session_key happens to work everywhere >+ # Using the checksum type from the tgt_session_key happens to work >+ # everywhere > def test_s4u2self(self): > msg_type = self._test_s4u2self() > self.assertEqual(msg_type, 13) >@@ -193,6 +199,7 @@ class S4UKerberosTests(RawKerberosTest): > msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.CRC32) > self.assertEqual(msg_type, 30) > >+ > if __name__ == "__main__": > global_asn1_print = True > global_hexdump = True >diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py >index 6c090af3d46..889b91a9bf0 100755 >--- a/python/samba/tests/krb5/simple_tests.py >+++ b/python/samba/tests/krb5/simple_tests.py >@@ -33,6 +33,7 @@ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 > global_asn1_print = False > global_hexdump = False > >+ > class SimpleKerberosTests(RawKerberosTest): > > def setUp(self): >@@ -53,7 +54,7 @@ class SimpleKerberosTests(RawKerberosTest): > kdc_options = krb5_asn1.KDCOptions('forwardable') > padata = None > >- etypes=(18,17,23) >+ etypes = (18, 17, 23) > > req = self.AS_REQ_create(padata=padata, > kdc_options=str(kdc_options), 
>@@ -74,14 +75,16 @@ class SimpleKerberosTests(RawKerberosTest): > > self.assertEqual(rep['msg-type'], 30) > self.assertEqual(rep['error-code'], 25) >- rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) >+ rep_padata = self.der_decode( >+ rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) > > for pa in rep_padata: > if pa['padata-type'] == 19: > etype_info2 = pa['padata-value'] > break > >- etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) >+ etype_info2 = self.der_decode( >+ etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) > > key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) > >@@ -119,17 +122,21 @@ class SimpleKerberosTests(RawKerberosTest): > > enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) > >- # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 >+ # MIT KDC encodes both EncASRepPart and EncTGSRepPart with >+ # application tag 26 > try: >- enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) >+ enc_part2 = self.der_decode( >+ enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) > except Exception: >- enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) >+ enc_part2 = self.der_decode( >+ enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) > > # TGS Request > service_creds = self.get_service_creds(allow_missing_password=True) > service_name = service_creds.get_username() > >- sname = self.PrincipalName_create(name_type=2, names=["host", service_name]) >+ sname = self.PrincipalName_create( >+ name_type=2, names=["host", service_name]) > kdc_options = krb5_asn1.KDCOptions('forwardable') > till = self.get_KerberosTime(offset=36000) > ticket = rep['ticket'] 
>@@ -167,7 +174,8 @@ class SimpleKerberosTests(RawKerberosTest): > > enc_part2 = subkey.decrypt( > KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) >- enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) >+ enc_part2 = self.der_decode( >+ enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) > > return > >diff --git a/python/samba/tests/krb5/xrealm_tests.py b/python/samba/tests/krb5/xrealm_tests.py >index b4a02bff33a..efb953bdf7e 100755 >--- a/python/samba/tests/krb5/xrealm_tests.py >+++ b/python/samba/tests/krb5/xrealm_tests.py >@@ -34,6 +34,7 @@ import samba.tests > global_asn1_print = False > global_hexdump = False > >+ > class XrealmKerberosTests(RawKerberosTest): > > def setUp(self): >@@ -54,7 +55,7 @@ class XrealmKerberosTests(RawKerberosTest): > kdc_options = krb5_asn1.KDCOptions('forwardable') > padata = None > >- etypes=(18,17,23) >+ etypes = (18, 17, 23) > > req = self.AS_REQ_create(padata=padata, > kdc_options=str(kdc_options), >@@ -75,14 +76,16 @@ class XrealmKerberosTests(RawKerberosTest): > > self.assertEqual(rep['msg-type'], 30) > self.assertEqual(rep['error-code'], 25) >- rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) >+ rep_padata = self.der_decode( >+ rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) > > for pa in rep_padata: > if pa['padata-type'] == 19: > etype_info2 = pa['padata-value'] > break > >- etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) >+ etype_info2 = self.der_decode( >+ etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) > > key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) 
> >@@ -120,15 +123,19 @@ class XrealmKerberosTests(RawKerberosTest): > > enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) > >- # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 >+ # MIT KDC encodes both EncASRepPart and EncTGSRepPart with >+ # application tag 26 > try: >- enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) >+ enc_part2 = self.der_decode( >+ enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) > except Exception: >- enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) >+ enc_part2 = self.der_decode( >+ enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) > > # TGS Request (for cross-realm TGT) > trust_realm = samba.tests.env_get_var_value('TRUST_REALM') >- sname = self.PrincipalName_create(name_type=2, names=["krbtgt", trust_realm]) >+ sname = self.PrincipalName_create( >+ name_type=2, names=["krbtgt", trust_realm]) > > kdc_options = krb5_asn1.KDCOptions('forwardable') > till = self.get_KerberosTime(offset=36000) >@@ -167,10 +174,11 @@ class XrealmKerberosTests(RawKerberosTest): > > enc_part2 = subkey.decrypt( > KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) >- enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) >+ enc_part2 = self.der_decode( >+ enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) > > # Check the forwardable flag >- fwd_pos = len(tuple(krb5_asn1.TicketFlags('forwardable'))) -1 >+ fwd_pos = len(tuple(krb5_asn1.TicketFlags('forwardable'))) - 1 > assert(krb5_asn1.TicketFlags(enc_part2['flags'])[fwd_pos]) > > return >-- >2.25.1 > > >From c31294fe7f32899afc6ab845b5f204e9f39e6ce8 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Fri, 16 Apr 2021 17:22:12 +0200 >Subject: [PATCH 064/686] librpc: Add py_descriptor_richcmp() equality function > >Only a python3 version. Do we still need the python2 flavor? 
>
>Signed-off-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 439b7ccdc1b1c91c66c1a7c83e340fa044c26377)
>---
> source4/librpc/ndr/py_security.c | 37 ++++++++++++++++++++++++++++++++
> 1 file changed, 37 insertions(+)
>
>diff --git a/source4/librpc/ndr/py_security.c b/source4/librpc/ndr/py_security.c
>index eb5224dc243..79a9fa5ac11 100644
>--- a/source4/librpc/ndr/py_security.c
>+++ b/source4/librpc/ndr/py_security.c
>@@ -308,9 +308,46 @@ static PyMethodDef py_descriptor_extra_methods[] = {
> { NULL }
> };
>
>+static PyObject *py_descriptor_richcmp(
>+ PyObject *py_self, PyObject *py_other, int op)
>+{
>+ struct security_descriptor *self = pytalloc_get_ptr(py_self);
>+ struct security_descriptor *other = pytalloc_get_ptr(py_other);
>+ bool eq;
>+
>+ if (other == NULL) {
>+ Py_INCREF(Py_NotImplemented);
>+ return Py_NotImplemented;
>+ }
>+
>+ eq = security_descriptor_equal(self, other);
>+
>+ switch(op) {
>+ case Py_EQ:
>+ if (eq) {
>+ Py_RETURN_TRUE;
>+ } else {
>+ Py_RETURN_FALSE;
>+ }
>+ break;
>+ case Py_NE:
>+ if (eq) {
>+ Py_RETURN_FALSE;
>+ } else {
>+ Py_RETURN_TRUE;
>+ }
>+ break;
>+ default:
>+ break;
>+ }
>+
>+ return Py_NotImplemented;
>+}
>+
> static void py_descriptor_patch(PyTypeObject *type)
> {
> type->tp_new = py_descriptor_new;
>+ type->tp_richcompare = py_descriptor_richcmp;
> PyType_AddMethods(type, py_descriptor_extra_methods);
> }
>
>--
>2.25.1
>
>
>From 78ac20a33aee9e4f6e0f25b077917e49ec6133eb Mon Sep 17 00:00:00 2001
>From: Gary Lockyer <gary@catalyst.net.nz>
>Date: Wed, 17 Feb 2021 12:15:50 +1300
>Subject: [PATCH 065/686] tests python krb5: MS-KILE client principal look-up
>
>Tests of [MS-KILE]: Kerberos Protocol Extensions
> section 3.3.5.6.1 Client Principal Lookup
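Review bot: The fall-through `return Py_NotImplemented;` at the end of py_descriptor_richcmp() returns the singleton without taking a reference, unlike the `other == NULL` branch above it, which does `Py_INCREF(Py_NotImplemented)` first. Any comparison other than `==` or `!=` (an ordering comparison, for instance) therefore gives the caller a reference the function never owned, and repeated calls can unbalance the singleton's reference count. The last statement should read `Py_INCREF(Py_NotImplemented); return Py_NotImplemented;` like the earlier branch. Separately, `py_other` is only rejected when `pytalloc_get_ptr()` yields NULL, so a talloc-backed Python object of a different type appears to reach `security_descriptor_equal()` as if it were a `struct security_descriptor`; a check of `py_other` against the descriptor type before dereferencing would rule that out, to be confirmed against pytalloc_get_ptr()'s behaviour.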
>
>Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Isaac Boukris <iboukris@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>
>Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
>Autobuild-Date(master): Mon Apr 12 00:38:26 UTC 2021 on sn-devel-184
>
>(cherry picked from commit 768d48fca9f8c7527c0d12e7acc8942b5fd36ac2)
>---
> python/samba/tests/krb5/kdc_base_test.py | 29 +-
> .../ms_kile_client_principal_lookup_tests.py | 814 ++++++++++++++++++
> python/samba/tests/usage.py | 1 +
> selftest/knownfail_heimdal_kdc | 12 +
> selftest/knownfail_mit_kdc | 16 +
> source4/selftest/tests.py | 3 +
> 6 files changed, 874 insertions(+), 1 deletion(-)
> create mode 100755 python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
>
>diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
>index bef5458c881..1c7f05dda6d 100644
>--- a/python/samba/tests/krb5/kdc_base_test.py
>+++ b/python/samba/tests/krb5/kdc_base_test.py
>@@ -22,6 +22,7 @@ import os
> sys.path.insert(0, "bin/python")
> os.environ["PYTHONUNBUFFERED"] = "1"
> from collections import namedtuple
>+import ldb
> from ldb import SCOPE_BASE
> from samba import generate_random_password
> from samba.auth import system_session
>@@ -103,7 +104,7 @@ class KDCBaseTest(RawKerberosTest):
> for dn in self.accounts:
> delete_force(self.ldb, dn)
>
>- def create_account(self, name, machine_account=False, spn=None):
>+ def create_account(self, name, machine_account=False, spn=None, upn=None):
> '''Create an account for testing.
> The dn of the created account is added to self.accounts,
> which is used by tearDown to clean up the created accounts.
>@@ -133,6 +134,8 @@ class KDCBaseTest(RawKerberosTest):
> "unicodePwd": utf16pw}
> if spn is not None:
> details["servicePrincipalName"] = spn
>+ if upn is not None:
>+ details["userPrincipalName"] = upn
> self.ldb.add(details)
>
> creds = Credentials()
>@@ -418,3 +421,27 @@ class KDCBaseTest(RawKerberosTest):
> self.assertTrue(len(res) == 1, "did not get objectSid for %s" % dn)
> sid = self.ldb.schema_format_value("objectSID", res[0]["objectSID"][0])
> return sid.decode('utf8')
>+
>+ def add_attribute(self, dn_str, name, value):
>+ if isinstance(value, list):
>+ values = value
>+ else:
>+ values = [value]
>+ flag = ldb.FLAG_MOD_ADD
>+
>+ dn = ldb.Dn(self.ldb, dn_str)
>+ msg = ldb.Message(dn)
>+ msg[name] = ldb.MessageElement(values, flag, name)
>+ self.ldb.modify(msg)
>+
>+ def modify_attribute(self, dn_str, name, value):
>+ if isinstance(value, list):
>+ values = value
>+ else:
>+ values = [value]
>+ flag = ldb.FLAG_MOD_REPLACE
>+
>+ dn = ldb.Dn(self.ldb, dn_str)
>+ msg = ldb.Message(dn)
>+ msg[name] = ldb.MessageElement(values, flag, name)
>+ self.ldb.modify(msg)
>diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
>new file mode 100755
>index 00000000000..356a25f8e18
>--- /dev/null
>+++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
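Review bot: add_attribute() and modify_attribute(), added at the end of KDCBaseTest in the `@@ -418,3 +421,27 @@` hunk, are identical line for line except for the flag (`ldb.FLAG_MOD_ADD` versus `ldb.FLAG_MOD_REPLACE`), and neither has a docstring. Both can delegate to one private helper that takes the flag, so the list-wrapping of `value` and the message construction exist once and the two public methods document what differs. The class itself starts outside the hunk, so the helper's placement below is only a suggestion.

```python
    def _apply_attribute(self, dn_str, name, value, flag):
        '''Apply value (a single value or a list) to attribute name
        of the object at dn_str, using the given ldb modify flag.'''
        values = value if isinstance(value, list) else [value]
        msg = ldb.Message(ldb.Dn(self.ldb, dn_str))
        msg[name] = ldb.MessageElement(values, flag, name)
        self.ldb.modify(msg)

    def add_attribute(self, dn_str, name, value):
        '''Add value(s) to attribute name of the object at dn_str.'''
        self._apply_attribute(dn_str, name, value, ldb.FLAG_MOD_ADD)

    def modify_attribute(self, dn_str, name, value):
        '''Replace attribute name of the object at dn_str with value(s).'''
        self._apply_attribute(dn_str, name, value, ldb.FLAG_MOD_REPLACE)
```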
>@@ -0,0 +1,814 @@ >+#!/usr/bin/env python3 >+# Unix SMB/CIFS implementation. >+# Copyright (C) Stefan Metzmacher 2020 >+# Copyright (C) 2020 Catalyst.Net Ltd >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import sys >+import os >+ >+sys.path.insert(0, "bin/python") >+os.environ["PYTHONUNBUFFERED"] = "1" >+ >+from samba.dsdb import UF_NORMAL_ACCOUNT, UF_DONT_REQUIRE_PREAUTH >+from samba.tests.krb5.kdc_base_test import KDCBaseTest >+from samba.tests.krb5.rfc4120_constants import ( >+ AES256_CTS_HMAC_SHA1_96, >+ ARCFOUR_HMAC_MD5, >+ NT_ENTERPRISE_PRINCIPAL, >+ NT_PRINCIPAL, >+ NT_SRV_INST, >+ KDC_ERR_C_PRINCIPAL_UNKNOWN, >+) >+ >+global_asn1_print = False >+global_hexdump = False >+ >+ >+class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): >+ ''' Tests for MS-KILE client principal look-up >+ See [MS-KILE]: Kerberos Protocol Extensions >+ secion 3.3.5.6.1 Client Principal Lookup >+ ''' >+ >+ def setUp(self): >+ super().setUp() >+ self.do_asn1_print = global_asn1_print >+ self.do_hexdump = global_hexdump >+ >+ def check_pac(self, auth_data, dn, uc, name, upn=None): >+ >+ pac_data = self.get_pac_data(auth_data) >+ sid = self.get_objectSid(dn) >+ if upn is None: >+ upn = "%s@%s" % (name, uc.get_realm().lower()) >+ if name.endswith('$'): >+ name = name[:-1] >+ >+ self.assertEqual( >+ uc.get_username(), >+ str(pac_data.account_name), >+ "pac_data = {%s}" % 
str(pac_data)) >+ self.assertEqual( >+ name, >+ pac_data.logon_name, >+ "pac_data = {%s}" % str(pac_data)) >+ self.assertEqual( >+ uc.get_realm(), >+ pac_data.domain_name, >+ "pac_data = {%s}" % str(pac_data)) >+ self.assertEqual( >+ upn, >+ pac_data.upn, >+ "pac_data = {%s}" % str(pac_data)) >+ self.assertEqual( >+ sid, >+ pac_data.account_sid, >+ "pac_data = {%s}" % str(pac_data)) >+ >+ def test_nt_principal_step_1(self): >+ ''' Step 1 >+ For an NT_PRINCIPAL cname with no realm or the realm matches the >+ DC's domain >+ search for an account with the >+ sAMAccountName matching the cname. >+ ''' >+ >+ # Create user and machine accounts for the test. >+ # >+ user_name = "mskileusr" >+ (uc, dn) = self.create_account(user_name) >+ realm = uc.get_realm().lower() >+ >+ mach_name = "mskilemac" >+ (mc, _) = self.create_account(mach_name, machine_account=True) >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[user_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.check_pre_authenication(rep) >+ >+ # Do the next AS-REQ >+ padata = self.get_pa_data(uc, rep) >+ key = self.get_as_rep_key(uc, rep) >+ rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ self.check_as_reply(rep) >+ >+ # Request a ticket to the host service on the machine account >+ ticket = rep['ticket'] >+ enc_part2 = self.get_as_rep_enc_data(key, rep) >+ key = self.EncryptionKey_import(enc_part2['key']) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[user_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[mc.get_username()]) >+ >+ (rep, enc_part) = self.tgs_req( >+ cname, sname, uc.get_realm(), ticket, key, etype) >+ self.check_tgs_reply(rep) >+ >+ # Check the contents of the 
pac, and the ticket >+ ticket = rep['ticket'] >+ enc_part = self.decode_service_ticket(mc, ticket) >+ self.check_pac(enc_part['authorization-data'], dn, uc, user_name) >+ # check the crealm and cname >+ cname = enc_part['cname'] >+ self.assertEqual(NT_PRINCIPAL, cname['name-type']) >+ self.assertEqual(user_name.encode('UTF8'), cname['name-string'][0]) >+ self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) >+ >+ def test_nt_principal_step_2(self): >+ ''' Step 2 >+ If not found >+ search for sAMAccountName equal to the cname + "$" >+ >+ ''' >+ >+ # Create a machine account for the test. >+ # >+ user_name = "mskilemac" >+ (mc, dn) = self.create_account(user_name, machine_account=True) >+ realm = mc.get_realm().lower() >+ >+ mach_name = "mskilemac" >+ (mc, _) = self.create_account(mach_name, machine_account=True) >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[user_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.check_pre_authenication(rep) >+ >+ # Do the next AS-REQ >+ padata = self.get_pa_data(mc, rep) >+ key = self.get_as_rep_key(mc, rep) >+ rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ self.check_as_reply(rep) >+ >+ # Request a ticket to the host service on the machine account >+ ticket = rep['ticket'] >+ enc_part2 = self.get_as_rep_enc_data(key, rep) >+ key = self.EncryptionKey_import(enc_part2['key']) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[user_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[mc.get_username()]) >+ >+ (rep, enc_part) = self.tgs_req( >+ cname, sname, mc.get_realm(), ticket, key, etype) >+ self.check_tgs_reply(rep) >+ >+ # Check the contents of the pac, and the ticket >+ ticket = 
rep['ticket'] >+ enc_part = self.decode_service_ticket(mc, ticket) >+ self.check_pac(enc_part['authorization-data'], dn, mc, mach_name + '$') >+ # check the crealm and cname >+ cname = enc_part['cname'] >+ self.assertEqual(NT_PRINCIPAL, cname['name-type']) >+ self.assertEqual(user_name.encode('UTF8'), cname['name-string'][0]) >+ self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) >+ >+ def test_nt_principal_step_3(self): >+ ''' Step 3 >+ >+ If not found >+ search for a matching UPN name where the UPN is set to >+ cname@realm or cname@DC's domain name >+ >+ ''' >+ # Create a user account for the test. >+ # >+ user_name = "mskileusr" >+ upn_name = "mskileupn" >+ upn = upn_name + "@" + self.credentials.get_realm().lower() >+ (uc, dn) = self.create_account(user_name, upn=upn) >+ realm = uc.get_realm().lower() >+ >+ mach_name = "mskilemac" >+ (mc, _) = self.create_account(mach_name, machine_account=True) >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[upn_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.check_pre_authenication(rep) >+ >+ # Do the next AS-REQ >+ padata = self.get_pa_data(uc, rep) >+ key = self.get_as_rep_key(uc, rep) >+ rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ self.check_as_reply(rep) >+ >+ # Request a ticket to the host service on the machine account >+ ticket = rep['ticket'] >+ enc_part2 = self.get_as_rep_enc_data(key, rep) >+ key = self.EncryptionKey_import(enc_part2['key']) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[upn_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[mc.get_username()]) >+ >+ (rep, enc_part) = self.tgs_req( >+ cname, sname, uc.get_realm(), ticket, key, etype) >+ 
self.check_tgs_reply(rep) >+ >+ # Check the contents of the service ticket >+ ticket = rep['ticket'] >+ enc_part = self.decode_service_ticket(mc, ticket) >+ self.check_pac(enc_part['authorization-data'], dn, uc, upn_name) >+ # check the crealm and cname >+ cname = enc_part['cname'] >+ self.assertEqual(NT_PRINCIPAL, cname['name-type']) >+ self.assertEqual(upn_name.encode('UTF8'), cname['name-string'][0]) >+ self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) >+ >+ def test_nt_principal_step_4_a(self): >+ ''' Step 4, no pre-authentication >+ If not found and no pre-authentication >+ search for a matching altSecurityIdentity >+ ''' >+ # Create a user account for the test. >+ # with an altSecurityIdentity, and with UF_DONT_REQUIRE_PREAUTH >+ # set. >+ # >+ # note that in this case IDL_DRSCrackNames is called with >+ # pmsgIn.formatOffered set to >+ # DS_USER_PRINCIPAL_NAME_AND_ALTSECID >+ # >+ # setting UF_DONT_REQUIRE_PREAUTH seems to be the only way >+ # to trigger the no pre-auth step >+ >+ user_name = "mskileusr" >+ alt_name = "mskilealtsec" >+ (uc, dn) = self.create_account(user_name) >+ realm = uc.get_realm().lower() >+ alt_sec = "Kerberos:%s@%s" % (alt_name, realm) >+ self.add_attribute(dn, "altSecurityIdentities", alt_sec) >+ self.modify_attribute( >+ dn, >+ "userAccountControl", >+ str(UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH)) >+ >+ mach_name = "mskilemac" >+ (mc, _) = self.create_account(mach_name, machine_account=True) >+ >+ # Do the initial AS-REQ, as we've set UF_DONT_REQUIRE_PREAUTH >+ # we should get a valid AS-RESP >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[alt_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.check_as_reply(rep) >+ salt = "%s%s" % (realm.upper(), user_name) >+ key = self.PasswordKey_create( >+ 
rep['enc-part']['etype'], >+ uc.get_password(), >+ salt.encode('UTF8'), >+ rep['enc-part']['kvno']) >+ >+ # Request a ticket to the host service on the machine account >+ ticket = rep['ticket'] >+ enc_part2 = self.get_as_rep_enc_data(key, rep) >+ key = self.EncryptionKey_import(enc_part2['key']) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[alt_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[mc.get_username()]) >+ >+ (rep, enc_part) = self.tgs_req( >+ cname, sname, uc.get_realm(), ticket, key, etype) >+ self.check_tgs_reply(rep) >+ >+ # Check the contents of the service ticket >+ ticket = rep['ticket'] >+ enc_part = self.decode_service_ticket(mc, ticket) >+ # >+ # We get an empty authorization-data element in the ticket. >+ # i.e. no PAC >+ self.assertEqual([], enc_part['authorization-data']) >+ # check the crealm and cname >+ cname = enc_part['cname'] >+ self.assertEqual(NT_PRINCIPAL, cname['name-type']) >+ self.assertEqual(alt_name.encode('UTF8'), cname['name-string'][0]) >+ self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) >+ >+ def test_nt_principal_step_4_b(self): >+ ''' Step 4, pre-authentication >+ If not found and pre-authentication >+ search for a matching user principal name >+ ''' >+ >+ # Create user and machine accounts for the test. 
>+ # >+ user_name = "mskileusr" >+ alt_name = "mskilealtsec" >+ (uc, dn) = self.create_account(user_name) >+ realm = uc.get_realm().lower() >+ alt_sec = "Kerberos:%s@%s" % (alt_name, realm) >+ self.add_attribute(dn, "altSecurityIdentities", alt_sec) >+ >+ mach_name = "mskilemac" >+ (mc, _) = self.create_account(mach_name, machine_account=True) >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[alt_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.check_pre_authenication(rep) >+ >+ # Do the next AS-REQ >+ padata = self.get_pa_data(uc, rep) >+ key = self.get_as_rep_key(uc, rep) >+ # Note: although we used the alt security id for the pre-auth >+ # we need to use the username for the auth >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[user_name]) >+ rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ self.check_as_reply(rep) >+ >+ # Request a ticket to the host service on the machine account >+ ticket = rep['ticket'] >+ enc_part2 = self.get_as_rep_enc_data(key, rep) >+ key = self.EncryptionKey_import(enc_part2['key']) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[user_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[mc.get_username()]) >+ >+ (rep, enc_part) = self.tgs_req( >+ cname, sname, uc.get_realm(), ticket, key, etype) >+ self.check_tgs_reply(rep) >+ >+ # Check the contents of the pac, and the ticket >+ ticket = rep['ticket'] >+ enc_part = self.decode_service_ticket(mc, ticket) >+ self.check_pac(enc_part['authorization-data'], dn, uc, user_name) >+ # check the crealm and cname >+ cname = enc_part['cname'] >+ self.assertEqual(NT_PRINCIPAL, cname['name-type']) >+ self.assertEqual(user_name.encode('UTF8'), 
cname['name-string'][0]) >+ self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) >+ >+ def test_nt_principal_step_4_c(self): >+ ''' Step 4, pre-authentication >+ If not found and pre-authentication >+ search for a matching user principal name >+ >+ This test uses the altsecid, so the AS-REQ should fail. >+ ''' >+ >+ # Create user and machine accounts for the test. >+ # >+ user_name = "mskileusr" >+ alt_name = "mskilealtsec" >+ (uc, dn) = self.create_account(user_name) >+ realm = uc.get_realm().lower() >+ alt_sec = "Kerberos:%s@%s" % (alt_name, realm) >+ self.add_attribute(dn, "altSecurityIdentities", alt_sec) >+ >+ mach_name = "mskilemac" >+ (mc, _) = self.create_account(mach_name, machine_account=True) >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[alt_name]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.check_pre_authenication(rep) >+ >+ # Do the next AS-REQ >+ padata = self.get_pa_data(uc, rep) >+ # Use the alternate security identifier >+ # this should fail >+ cname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, names=[alt_sec]) >+ rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) >+ >+ def test_enterprise_principal_step_1_3(self): >+ ''' Steps 1-3 >+ For an NT_ENTERPRISE_PRINCIPAL cname >+ search for a user principal name matching the cname >+ >+ ''' >+ >+ # Create a user account for the test. 
>+ # >+ user_name = "mskileusr" >+ upn_name = "mskileupn" >+ upn = upn_name + "@" + self.credentials.get_realm().lower() >+ (uc, dn) = self.create_account(user_name, upn=upn) >+ realm = uc.get_realm().lower() >+ >+ mach_name = "mskilemac" >+ (mc, _) = self.create_account(mach_name, machine_account=True) >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_ENTERPRISE_PRINCIPAL, names=[upn]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.check_pre_authenication(rep) >+ >+ # Do the next AS-REQ >+ padata = self.get_pa_data(uc, rep) >+ key = self.get_as_rep_key(uc, rep) >+ rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ self.check_as_reply(rep) >+ >+ # Request a ticket to the host service on the machine account >+ ticket = rep['ticket'] >+ enc_part2 = self.get_as_rep_enc_data(key, rep) >+ key = self.EncryptionKey_import(enc_part2['key']) >+ cname = self.PrincipalName_create( >+ name_type=NT_ENTERPRISE_PRINCIPAL, names=[upn]) >+ sname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[mc.get_username()]) >+ >+ (rep, enc_part) = self.tgs_req( >+ cname, sname, uc.get_realm(), ticket, key, etype) >+ self.check_tgs_reply(rep) >+ >+ # Check the contents of the pac, and the ticket >+ ticket = rep['ticket'] >+ enc_part = self.decode_service_ticket(mc, ticket) >+ self.check_pac( >+ enc_part['authorization-data'], dn, uc, upn, upn=upn) >+ # check the crealm and cname >+ cname = enc_part['cname'] >+ crealm = enc_part['crealm'] >+ self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) >+ self.assertEqual(upn.encode('UTF8'), cname['name-string'][0]) >+ self.assertEqual(realm.upper().encode('UTF8'), crealm) >+ >+ def test_enterprise_principal_step_4(self): >+ ''' Step 4 >+ >+ If that fails >+ search for an 
account where the sAMAccountName matches >+ the name before the @ >+ >+ ''' >+ >+ # Create a user account for the test. >+ # >+ user_name = "mskileusr" >+ (uc, dn) = self.create_account(user_name) >+ realm = uc.get_realm().lower() >+ ename = user_name + "@" + realm >+ >+ mach_name = "mskilemac" >+ (mc, _) = self.create_account(mach_name, machine_account=True) >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.check_pre_authenication(rep) >+ >+ # Do the next AS-REQ >+ padata = self.get_pa_data(uc, rep) >+ key = self.get_as_rep_key(uc, rep) >+ rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ self.check_as_reply(rep) >+ >+ # Request a ticket to the host service on the machine account >+ ticket = rep['ticket'] >+ enc_part2 = self.get_as_rep_enc_data(key, rep) >+ key = self.EncryptionKey_import(enc_part2['key']) >+ cname = self.PrincipalName_create( >+ name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) >+ sname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[mc.get_username()]) >+ >+ (rep, enc_part) = self.tgs_req( >+ cname, sname, uc.get_realm(), ticket, key, etype) >+ self.check_tgs_reply(rep) >+ >+ # Check the contents of the pac, and the ticket >+ ticket = rep['ticket'] >+ enc_part = self.decode_service_ticket(mc, ticket) >+ self.check_pac( >+ enc_part['authorization-data'], dn, uc, ename, upn=ename) >+ # check the crealm and cname >+ cname = enc_part['cname'] >+ crealm = enc_part['crealm'] >+ self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) >+ self.assertEqual(ename.encode('UTF8'), cname['name-string'][0]) >+ self.assertEqual(realm.upper().encode('UTF8'), crealm) >+ >+ def 
test_enterprise_principal_step_5(self): >+ ''' Step 5 >+ >+ If that fails >+ search for an account where the sAMAccountName matches >+ the name before the @ with a $ appended. >+ >+ ''' >+ >+ # Create a user account for the test. >+ # >+ user_name = "mskileusr" >+ (uc, _) = self.create_account(user_name) >+ realm = uc.get_realm().lower() >+ >+ mach_name = "mskilemac" >+ (mc, dn) = self.create_account(mach_name, machine_account=True) >+ ename = mach_name + "@" + realm >+ uname = mach_name + "$@" + realm >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.check_pre_authenication(rep) >+ >+ # Do the next AS-REQ >+ padata = self.get_pa_data(mc, rep) >+ key = self.get_as_rep_key(mc, rep) >+ rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ self.check_as_reply(rep) >+ >+ # Request a ticket to the host service on the machine account >+ ticket = rep['ticket'] >+ enc_part2 = self.get_as_rep_enc_data(key, rep) >+ key = self.EncryptionKey_import(enc_part2['key']) >+ cname = self.PrincipalName_create( >+ name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) >+ sname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[mc.get_username()]) >+ >+ (rep, enc_part) = self.tgs_req( >+ cname, sname, uc.get_realm(), ticket, key, etype) >+ self.check_tgs_reply(rep) >+ >+ # Check the contents of the pac, and the ticket >+ ticket = rep['ticket'] >+ enc_part = self.decode_service_ticket(mc, ticket) >+ self.check_pac( >+ enc_part['authorization-data'], dn, mc, ename, upn=uname) >+ # check the crealm and cname >+ cname = enc_part['cname'] >+ crealm = enc_part['crealm'] >+ self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) >+ 
self.assertEqual(ename.encode('UTF8'), cname['name-string'][0]) >+ self.assertEqual(realm.upper().encode('UTF8'), crealm) >+ >+ def test_enterprise_principal_step_6_a(self): >+ ''' Step 6, no pre-authentication >+ If not found and no pre-authentication >+ search for a matching altSecurityIdentity >+ ''' >+ # Create a user account for the test. >+ # with an altSecurityIdentity, and with UF_DONT_REQUIRE_PREAUTH >+ # set. >+ # >+ # note that in this case IDL_DRSCrackNames is called with >+ # pmsgIn.formatOffered set to >+ # DS_USER_PRINCIPAL_NAME_AND_ALTSECID >+ # >+ # setting UF_DONT_REQUIRE_PREAUTH seems to be the only way >+ # to trigger the no pre-auth step >+ >+ user_name = "mskileusr" >+ alt_name = "mskilealtsec" >+ (uc, dn) = self.create_account(user_name) >+ realm = uc.get_realm().lower() >+ alt_sec = "Kerberos:%s@%s" % (alt_name, realm) >+ self.add_attribute(dn, "altSecurityIdentities", alt_sec) >+ self.modify_attribute( >+ dn, >+ "userAccountControl", >+ str(UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH)) >+ ename = alt_name + "@" + realm >+ >+ mach_name = "mskilemac" >+ (mc, _) = self.create_account(mach_name, machine_account=True) >+ >+ # Do the initial AS-REQ, as we've set UF_DONT_REQUIRE_PREAUTH >+ # we should get a valid AS-RESP >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.check_as_reply(rep) >+ salt = "%s%s" % (realm.upper(), user_name) >+ key = self.PasswordKey_create( >+ rep['enc-part']['etype'], >+ uc.get_password(), >+ salt.encode('UTF8'), >+ rep['enc-part']['kvno']) >+ >+ # Request a ticket to the host service on the machine account >+ ticket = rep['ticket'] >+ enc_part2 = self.get_as_rep_enc_data(key, rep) >+ key = self.EncryptionKey_import(enc_part2['key']) >+ cname = 
self.PrincipalName_create( >+ name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) >+ sname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[mc.get_username()]) >+ >+ (rep, enc_part) = self.tgs_req( >+ cname, sname, uc.get_realm(), ticket, key, etype) >+ self.check_tgs_reply(rep) >+ >+ # Check the contents of the service ticket >+ ticket = rep['ticket'] >+ enc_part = self.decode_service_ticket(mc, ticket) >+ # >+ # We get an empty authorization-data element in the ticket. >+ # i.e. no PAC >+ self.assertEqual([], enc_part['authorization-data']) >+ # check the crealm and cname >+ cname = enc_part['cname'] >+ self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) >+ self.assertEqual(ename.encode('UTF8'), cname['name-string'][0]) >+ self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) >+ >+ def test_nt_enterprise_principal_step_6_b(self): >+ ''' Step 4, pre-authentication >+ If not found and pre-authentication >+ search for a matching user principal name >+ ''' >+ >+ # Create user and machine accounts for the test. 
>+ # >+ user_name = "mskileusr" >+ alt_name = "mskilealtsec" >+ (uc, dn) = self.create_account(user_name) >+ realm = uc.get_realm().lower() >+ alt_sec = "Kerberos:%s@%s" % (alt_name, realm) >+ self.add_attribute(dn, "altSecurityIdentities", alt_sec) >+ ename = alt_name + "@" + realm >+ uname = user_name + "@" + realm >+ >+ mach_name = "mskilemac" >+ (mc, _) = self.create_account(mach_name, machine_account=True) >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.check_pre_authenication(rep) >+ >+ # Do the next AS-REQ >+ padata = self.get_pa_data(uc, rep) >+ key = self.get_as_rep_key(uc, rep) >+ # Note: although we used the alt security id for the pre-auth >+ # we need to use the username for the auth >+ cname = self.PrincipalName_create( >+ name_type=NT_ENTERPRISE_PRINCIPAL, names=[uname]) >+ rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ self.check_as_reply(rep) >+ >+ # Request a ticket to the host service on the machine account >+ ticket = rep['ticket'] >+ enc_part2 = self.get_as_rep_enc_data(key, rep) >+ key = self.EncryptionKey_import(enc_part2['key']) >+ cname = self.PrincipalName_create( >+ name_type=NT_ENTERPRISE_PRINCIPAL, >+ names=[uname]) >+ sname = self.PrincipalName_create( >+ name_type=NT_PRINCIPAL, >+ names=[mc.get_username()]) >+ >+ (rep, enc_part) = self.tgs_req( >+ cname, sname, uc.get_realm(), ticket, key, etype) >+ self.check_tgs_reply(rep) >+ >+ # Check the contents of the pac, and the ticket >+ ticket = rep['ticket'] >+ enc_part = self.decode_service_ticket(mc, ticket) >+ self.check_pac( >+ enc_part['authorization-data'], dn, uc, uname, upn=uname) >+ # check the crealm and cname >+ cname = 
enc_part['cname'] >+ self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) >+ self.assertEqual(uname.encode('UTF8'), cname['name-string'][0]) >+ self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) >+ >+ def test_nt_principal_step_6_c(self): >+ ''' Step 4, pre-authentication >+ If not found and pre-authentication >+ search for a matching user principal name >+ >+ This test uses the altsecid, so the AS-REQ should fail. >+ ''' >+ >+ # Create user and machine accounts for the test. >+ # >+ user_name = "mskileusr" >+ alt_name = "mskilealtsec" >+ (uc, dn) = self.create_account(user_name) >+ realm = uc.get_realm().lower() >+ alt_sec = "Kerberos:%s@%s" % (alt_name, realm) >+ self.add_attribute(dn, "altSecurityIdentities", alt_sec) >+ ename = alt_name + "@" + realm >+ >+ mach_name = "mskilemac" >+ (mc, _) = self.create_account(mach_name, machine_account=True) >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create( >+ name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) >+ sname = self.PrincipalName_create( >+ name_type=NT_SRV_INST, names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.check_pre_authenication(rep) >+ >+ # Do the next AS-REQ >+ padata = self.get_pa_data(uc, rep) >+ # Use the alternate security identifier >+ # this should fail >+ cname = self.PrincipalName_create( >+ name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) >+ rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) >+ >+ >+if __name__ == "__main__": >+ global_asn1_print = False >+ global_hexdump = False >+ import unittest >+ unittest.main() >diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py >index 838a3148d8e..14f7cbfd7cd 100644 >--- a/python/samba/tests/usage.py >+++ b/python/samba/tests/usage.py 
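Review bot: Two of the step-6 tests in the new ms_kile_client_principal_lookup_tests.py are mislabelled: `test_nt_enterprise_principal_step_6_b` and `test_nt_principal_step_6_c` both carry the docstring heading `Step 4, pre-authentication` copied from the NT_PRINCIPAL tests, and `test_nt_principal_step_6_c` actually builds its cname with `NT_ENTERPRISE_PRINCIPAL`. Renaming them to `test_enterprise_principal_step_6_b` and `test_enterprise_principal_step_6_c` and changing the heading to `Step 6, pre-authentication` would match `test_enterprise_principal_step_6_a`; the entries this commit adds to selftest/knownfail_heimdal_kdc name these tests and would need the same rename. In `test_nt_principal_step_2`, `user_name` and `mach_name` are both `"mskilemac"` and create_account() is called twice with `machine_account=True`, rebinding `mc`; create_account() is defined outside this hunk, but unless the repeat is intentional the second call looks redundant and is worth a comment or removal.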
>@@ -93,6 +93,7 @@ EXCLUDE_USAGE = {
> 'python/samba/tests/krb5/kdc_tests.py',
> 'python/samba/tests/krb5/kdc_base_test.py',
> 'python/samba/tests/krb5/kdc_tgs_tests.py',
>+ 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py',
> }
>
>
>diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
>index 7ab56b6721b..4e6ee93ce96 100644
>--- a/selftest/knownfail_heimdal_kdc
>+++ b/selftest/knownfail_heimdal_kdc
>@@ -2,3 +2,15 @@ > # We expect all the MIT specific compatability tests to fail on heimdal > # kerberos > ^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_ >+# >+# Heimdal currently fails the following MS-KILE client principal lookup >+# tests >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_1_3 >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_4 >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_5 >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_6_a >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_enterprise_principal_step_6_b >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_a >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_b >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c 
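Review bot: The added known-fail patterns are anchored only at the start, so each one also matches any later test whose name merely begins with the listed name, and a new failure under the same prefix would be masked silently. An entry such as `...MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_4` has no terminator, unlike the neighbouring kdc_tgs_tests entries in knownfail_mit_kdc, which end in `\(ad_dc\)`. Appending the environment suffix to each new line would keep the mask exact, for example `...test_enterprise_principal_step_4\(ad_dc\)`. The same applies to the block added to selftest/knownfail_mit_kdc in the next file section.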
>diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
>index e64303c6b0f..2c2a643944c 100644
>--- a/selftest/knownfail_mit_kdc
>+++ b/selftest/knownfail_mit_kdc
>@@ -275,3 +275,19 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ > # following tests > ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_ldap_service_ticket\(ad_dc\) > ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_get_ticket_for_host_service_of_machine_account\(ad_dc\) >+# >+# MIT currently fails the following MS-KILE tests. >+# >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_1_3 >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_4 >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_5 >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_6_a >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_enterprise_principal_step_6_b >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_1 >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_2 >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_3 
>+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_a >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_b >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c >+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c >+ >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 4ce9602b53f..3310d47f167 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -1234,6 +1234,9 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests") > planpythontestsuite( > "ad_dc", > "samba.tests.krb5.kdc_tgs_tests") >+planpythontestsuite( >+ "ad_dc", >+ "samba.tests.krb5.ms_kile_client_principal_lookup_tests") > > for env in [ > 'vampire_dc', >-- >2.25.1 > > >From 63297ac692bc0c010ccf6cad704febaeabbbfe50 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Wed, 28 Apr 2021 10:54:05 +1200 >Subject: [PATCH 066/686] auth:creds: Remove unused variable > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 1ea2de561839ad948efab5112fbe4c1eae44d9ee) > >[jsutton@samba.org Backported to fix conflict] >--- > auth/credentials/pycredentials.c | 3 --- > 1 file changed, 3 deletions(-) > >diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c >index 6fb2c807ed6..ae096e36302 100644 
>--- a/auth/credentials/pycredentials.c
>+++ b/auth/credentials/pycredentials.c
>@@ -446,13 +446,10 @@ static PyObject *py_creds_get_forced_sasl_mech(PyObject *self, PyObject *unused)
> static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
> {
> char *newval;
>- enum credentials_obtained obt = CRED_SPECIFIED;
>- int _obt = obt;
>
> if (!PyArg_ParseTuple(args, "s", &newval)) {
> return NULL;
> }
>- obt = _obt;
>
> cli_credentials_set_forced_sasl_mech(PyCredentials_AsCliCredentials(self), newval);
> Py_RETURN_NONE;
>-- 
>2.25.1
>
>
>From 2c44d208b6f2b630d350f22f1427cd1edb2bbafe Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Wed, 28 Apr 2021 10:55:13 +1200
>Subject: [PATCH 067/686] auth:creds: Fix parameter in creds.set_named_ccache()
>
>Use the passed-in value for 'obtained' rather than always using
>CRED_SPECIFIED.
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 2d05268aa0904221c452fc650fcdfb680efc20bb)
>---
> auth/credentials/pycredentials.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
>index ae096e36302..a58859a70d8 100644
>--- a/auth/credentials/pycredentials.c
>+++ b/auth/credentials/pycredentials.c
>@@ -584,6 +584,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
>
> if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx))
> return NULL;
>+ obt = _obt;
>
> mem_ctx = talloc_new(NULL);
> if (mem_ctx == NULL) {
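Review bot: The added `obt = _obt;` in py_creds_set_named_ccache() copies a caller-supplied Python int into the `obt` variable with no range check, and the second hunk then passes `obt` to cli_credentials_set_ccache() where the constant CRED_SPECIFIED used to be. The obtained level presumably decides which credential source takes precedence, so a value outside the enum should be rejected before the assignment, for example `if (_obt < CRED_UNINITIALISED || _obt > CRED_SPECIFIED) { PyErr_SetString(PyExc_ValueError, "obtained out of range"); return NULL; }`. The enum bounds and the declarations of `obt` and `_obt` are outside this hunk, so the limits need confirming against the definition of `enum credentials_obtained`. A short comment noting that `_obt` keeps its default when the optional argument is omitted would also help the next reader.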
>@@ -599,7 +600,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
>
> ret = cli_credentials_set_ccache(PyCredentials_AsCliCredentials(self),
> lp_ctx,
>- newval, CRED_SPECIFIED,
>+ newval, obt,
> &error_string);
>
> if (ret != 0) {
>-- 
>2.25.1
>
>
>From 3542e733ada773f186050fde39b5339d0c5b4f44 Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Wed, 28 Apr 2021 11:07:22 +1200
>Subject: [PATCH 068/686] pygensec: Fix method documentation
>
>This changes the docstrings to use the correct method names.
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 50ade4cadc766a196316fd5c5a57f8c502f0ea22)
>---
> source4/auth/gensec/pygensec.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
>diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c
>index c9f3fd3b489..ca60d3bdc5e 100644
>--- a/source4/auth/gensec/pygensec.c
>+++ b/source4/auth/gensec/pygensec.c
>@@ -634,13 +634,13 @@ static PyMethodDef py_gensec_security_methods[] = { > { "start_server", (PyCFunction)py_gensec_start_server, METH_VARARGS|METH_KEYWORDS|METH_CLASS, > "S.start_server(auth_ctx, settings) -> gensec" }, > { "set_credentials", (PyCFunction)py_gensec_set_credentials, METH_VARARGS, >- "S.start_client(credentials)" }, >+ "S.set_credentials(credentials)" }, > { "set_target_hostname", (PyCFunction)py_gensec_set_target_hostname, METH_VARARGS, >- "S.start_target_hostname(target_hostname) \n This sets the Kerberos target hostname to obtain a ticket for." }, >+ "S.set_target_hostname(target_hostname) \n This sets the Kerberos target hostname to obtain a ticket for." }, > { "set_target_service", (PyCFunction)py_gensec_set_target_service, METH_VARARGS, >- "S.start_target_service(target_service) \n This sets the Kerberos target service to obtain a ticket for. The default value is 'host'" }, >+ "S.set_target_service(target_service) \n This sets the Kerberos target service to obtain a ticket for. The default value is 'host'" }, > { "set_target_service_description", (PyCFunction)py_gensec_set_target_service_description, METH_VARARGS, >- "S.start_target_service_description(target_service_description) \n This description is set server-side and used in authentication and authorization logs. The default value is that provided to set_target_service() or None."}, >+ "S.set_target_service_description(target_service_description) \n This description is set server-side and used in authentication and authorization logs. The default value is that provided to set_target_service() or None."}, > { "session_info", (PyCFunction)py_gensec_session_info, METH_NOARGS, > "S.session_info() -> info" }, > { "session_key", (PyCFunction)py_gensec_session_key, METH_NOARGS, >-- >2.25.1 > > >From f0d5396de4fbcbda214199e2336d18d1541b2136 Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 15 Apr 2021 10:32:41 +1200 >Subject: [PATCH 069/686] Revert "s4-test: fixed ndrdump test for top level > build" > >This essentially reverts commit >b84c0a9ed6d556eb2d3797d606edcd03f9766606, but the datapath is now in the >source4 directory. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 6f144d49b5281a08bf7be550b949f4d91e8fe19b) > >[jsutton@samba.org Backported to fix conflict from formatting > differences] >--- > python/samba/tests/blackbox/ndrdump.py | 7 +------ > 1 file changed, 1 insertion(+), 6 deletions(-) > >diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py >index 7ca7b93f559..c42f64f35a1 100644 >--- a/python/samba/tests/blackbox/ndrdump.py >+++ b/python/samba/tests/blackbox/ndrdump.py >@@ -24,12 +24,7 @@ from __future__ import print_function > import os > from samba.tests import BlackboxTestCase, BlackboxProcessError > >-for p in ["../../../../../source4/librpc/tests", "../../../../../librpc/tests"]: >- data_path_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), p)) >- print(data_path_dir) >- if os.path.exists(data_path_dir): >- break >- >+data_path_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../../../../source4/librpc/tests")) > > class NdrDumpTests(BlackboxTestCase): > """Blackbox tests for ndrdump.""" >-- >2.25.1 > > >From 8c506ed00e43d16ab1b6e269faf33bf85fc0a523 Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Wed, 28 Apr 2021 10:57:00 +1200 >Subject: [PATCH 070/686] krb5ccache.idl: Add definition for a Kerberos > credentials cache > >Based on specifications found at >https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html > >This is primarily designed for parsing and storing a single Kerberos >ticket, due to the limitations of PIDL. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 74fb2cc473cea0eebf641fc4d32d706bac8aa6f2) > >[jsutton@samba.org Backported to fix conflicts, and added dummy function > decode_ccache so that tables are properly generated] >--- > librpc/idl/krb5ccache.idl | 119 +++++++++++++++++++++++++++++++++++ > librpc/idl/wscript_build | 2 +- > librpc/wscript_build | 8 ++- > source4/librpc/wscript_build | 7 +++ > 4 files changed, 134 insertions(+), 2 deletions(-) > create mode 100644 librpc/idl/krb5ccache.idl > >diff --git a/librpc/idl/krb5ccache.idl b/librpc/idl/krb5ccache.idl >new file mode 100644 >index 00000000000..15f1beb9aab >--- /dev/null >+++ b/librpc/idl/krb5ccache.idl 
>@@ -0,0 +1,119 @@ >+/* >+ krb5 credentials cache (version 3 or 4) >+ specification: https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html >+*/ >+ >+#include "idl_types.h" >+ >+[ >+ uuid("1702b695-99ca-4f32-93e4-1e1c4d5ddb53"), >+ version(0.0), >+ pointer_default(unique), >+ helpstring("KRB5 credentials cache") >+] >+interface krb5ccache >+{ >+ typedef struct { >+ uint32 name_type; >+ uint32 component_count; >+ [flag(STR_SIZE4|STR_NOTERM|STR_UTF8)] string realm; >+ [flag(STR_SIZE4|STR_NOTERM|STR_UTF8)] string components[component_count]; >+ } PRINCIPAL; >+ >+ typedef struct { >+ uint16 enctype; >+ DATA_BLOB data; >+ } KEYBLOCK; >+ >+ typedef struct { >+ uint16 addrtype; >+ DATA_BLOB data; >+ } ADDRESS; >+ >+ typedef struct { >+ uint32 count; >+ ADDRESS data[count]; >+ } ADDRESSES; >+ >+ typedef struct { >+ uint16 ad_type; >+ DATA_BLOB data; >+ } AUTHDATUM; >+ >+ typedef struct { >+ uint32 count; >+ AUTHDATUM data[count]; >+ } AUTHDATA; >+ >+ typedef struct { >+ PRINCIPAL client; >+ PRINCIPAL server; >+ KEYBLOCK keyblock; >+ uint32 authtime; >+ uint32 starttime; >+ uint32 endtime; >+ uint32 renew_till; >+ uint8 is_skey; >+ uint32 ticket_flags; >+ ADDRESSES addresses; >+ AUTHDATA authdata; >+ DATA_BLOB ticket; >+ DATA_BLOB second_ticket; >+ } CREDENTIAL; >+ >+ typedef struct { >+ [value(0)] int32 kdc_sec_offset; >+ [value(0)] int32 kdc_usec_offset; >+ } DELTATIME_TAG; >+ >+ typedef [nodiscriminant] union { >+ [case(1)] DELTATIME_TAG deltatime_tag; >+ } FIELD; >+ >+ typedef struct { >+ [value(1)] uint16 tag; >+ [subcontext(2),switch_is(tag)] FIELD field; >+ } V4TAG; >+ >+ typedef struct { >+ V4TAG tag; >+ /* >+ * We should allow for more than one tag to be properly parsed, but that >+ * would require manual parsing. 
>+ */ >+ [flag(NDR_REMAINING)] DATA_BLOB further_tags; >+ } V4TAGS; >+ >+ typedef struct { >+ [subcontext(2)] V4TAGS v4tags; >+ } V4HEADER; >+ >+ typedef [nodiscriminant] union { >+ /* >+ * We don't attempt to support file format versions 1 and 2 as they >+ * assume native CPU byte order, which makes no sense in PIDL. >+ */ >+ [case(3)] ; >+ [case(4)] V4HEADER v4header; >+ } OPTIONAL_HEADER; >+ >+ /* Public structures. */ >+ >+ typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct { >+ [value(5)] uint8 pvno; >+ [value(4)] uint8 version; >+ [switch_is(version)] OPTIONAL_HEADER optional_header; >+ PRINCIPAL principal; >+ CREDENTIAL cred; >+ [flag(NDR_REMAINING)] DATA_BLOB further_creds; >+ } CCACHE; >+ >+ typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct { >+ CREDENTIAL cred; >+ [flag(NDR_REMAINING)] DATA_BLOB further_creds; >+ } MULTIPLE_CREDENTIALS; >+ >+ [nopython] void decode_ccache( >+ [in] CCACHE ccache >+ ); >+} >diff --git a/librpc/idl/wscript_build b/librpc/idl/wscript_build >index aa058e87133..f20558899fb 100644 >--- a/librpc/idl/wscript_build >+++ b/librpc/idl/wscript_build >@@ -5,7 +5,7 @@ bld.SAMBA_PIDL_LIST('PIDL', > misc.idl ntlmssp.idl negoex.idl schannel.idl trkwks.idl > audiosrv.idl dfsblobs.idl dsbackup.idl eventlog.idl file_id.idl keysvc.idl > msgsvc.idl ntsvcs.idl remact.idl security.idl smb_acl.idl unixinfo.idl wzcsvc.idl >- browser.idl dfs.idl dssetup.idl frsapi.idl krb5pac.idl >+ browser.idl dfs.idl dssetup.idl frsapi.idl krb5pac.idl krb5ccache.idl > named_pipe_auth.idl orpc.idl rot.idl spoolss.idl w32time.idl > dbgidl.idl dnsserver.idl echo.idl frsrpc.idl lsa.idl nbt.idl dns.idl > oxidresolver.idl samr.idl server_id.idl srvsvc.idl winreg.idl dcerpc.idl >diff --git a/librpc/wscript_build b/librpc/wscript_build >index b560a08a7e2..4c0c5a09988 100644 >--- a/librpc/wscript_build >+++ b/librpc/wscript_build 
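Review bot: The counts that size the inline arrays in krb5ccache.idl (`component_count` in PRINCIPAL, `count` in ADDRESSES and in AUTHDATA) are plain `uint32` fields read from the cache file with no upper bound. A truncated or deliberately malformed ccache can therefore declare an enormous element count, and the generated pull code may try to size an array from it before it notices the data is too short. Bounding each count with PIDL's range attribute would reject such input at the field itself, for example `[range(0,MAX_ELEMENTS)] uint32 count;`, where MAX_ELEMENTS is a placeholder for a limit chosen from real caches. A one-line comment on CCACHE saying the structure parses file contents that may not be trustworthy would make the reason for the bound clear.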
>@@ -375,6 +375,11 @@ bld.SAMBA_LIBRARY('ndr-krb5pac', > vnum='0.0.1' > ) > >+bld.SAMBA_SUBSYSTEM('NDR_KRB5CCACHE', >+ source='gen_ndr/ndr_krb5ccache.c', >+ deps='ndr NDR_COMPRESSION NDR_SECURITY ndr-standard asn1util' >+ ) >+ > bld.SAMBA_LIBRARY('ndr-standard', > source='gen_ndr/ndr_eventlog6.c', > vnum='0.0.1', >@@ -702,7 +707,8 @@ bld.SAMBA_LIBRARY('ndr-samba', > source=[], > deps='''NDR_DRSBLOBS NDR_DRSUAPI NDR_IDMAP NDR_NTLMSSP NDR_NEGOEX NDR_SCHANNEL NDR_MGMT > NDR_DNSSERVER NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM >- NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV''', >+ NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV >+ NDR_KRB5CCACHE''', > private_library=True, > grouping_library=True > ) >diff --git a/source4/librpc/wscript_build b/source4/librpc/wscript_build >index d9b7743c9d1..d452e7012dc 100644 >--- a/source4/librpc/wscript_build >+++ b/source4/librpc/wscript_build >@@ -230,6 +230,13 @@ for env in bld.gen_python_environments(): > cflags_end=gen_cflags > ) > >+ bld.SAMBA_PYTHON('python_krb5ccache', >+ source='../../librpc/gen_ndr/py_krb5ccache.c', >+ deps='NDR_KRB5CCACHE %s %s' % (pytalloc_util, pyrpc_util), >+ realname='samba/dcerpc/krb5ccache.so', >+ cflags_end=gen_cflags >+ ) >+ > bld.SAMBA_PYTHON('python_netlogon', > source='../../librpc/gen_ndr/py_netlogon.c', > deps='RPC_NDR_NETLOGON %s %s' % (pytalloc_util, pyrpc_util), >-- >2.25.1 > > >From 000cb58d6c95d82a77249d329c8fce95c984de41 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Wed, 28 Apr 2021 10:58:48 +1200 >Subject: [PATCH 071/686] librpc: Test parsing a Kerberos 5 credentials cache > with ndrdump > >This is the format used by the FILE: credentials cache type. 
> >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit 1f17b1edca9c1638ef404fadce3ca7a4d176de12) > >[jsutton@samba.org Backported to fix conflicts] >--- > python/samba/tests/blackbox/ndrdump.py | 37 + > source3/selftest/ktest-krb5_ccache-2.txt | 1574 ++++++++++++++++++++++ > source3/selftest/ktest-krb5_ccache-3.txt | 832 ++++++++++++ > 3 files changed, 2443 insertions(+) > create mode 100644 source3/selftest/ktest-krb5_ccache-2.txt > create mode 100644 source3/selftest/ktest-krb5_ccache-3.txt > >diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py >index c42f64f35a1..5cc3eceb353 100644 >--- a/python/samba/tests/blackbox/ndrdump.py >+++ b/python/samba/tests/blackbox/ndrdump.py 
>@@ -55,3 +55,40 @@ class NdrDumpTests(BlackboxTestCase): > self.data_path("dns-decode_dns_name_packet-hex.dat")) > except BlackboxProcessError as e: > self.fail(e) >+ >+ def test_ndrdump_Krb5ccache(self): >+ expected = open(self.data_path("../../../source3/selftest/" >+ "ktest-krb5_ccache-2.txt")).read() >+ try: >+ # Specify -d1 to match the generated output file, because ndrdump >+ # only outputs some additional info if this parameter is specified, >+ # and the --configfile parameter gives us an empty smb.conf to avoid >+ # extraneous output. >+ actual = self.check_output( >+ "ndrdump krb5ccache CCACHE struct " >+ "--configfile /dev/null -d1 --validate " + >+ self.data_path("../../../source3/selftest/" >+ "ktest-krb5_ccache-2")) >+ except BlackboxProcessError as e: >+ self.fail(e) >+ # check_output will return bytes >+ # convert expected to bytes for python 3 >+ self.assertEqual(actual, expected.encode('utf-8')) >+ >+ expected = open(self.data_path("../../../source3/selftest/" >+ "ktest-krb5_ccache-3.txt")).read() >+ try: >+ # Specify -d1 to match the generated output file, because ndrdump >+ # only outputs some additional info if this parameter is specified, >+ # and the --configfile parameter gives us an empty smb.conf to avoid >+ # extraneous output. >+ actual = self.check_output( >+ "ndrdump krb5ccache CCACHE struct " >+ "--configfile /dev/null -d1 --validate " + >+ self.data_path("../../../source3/selftest/" >+ "ktest-krb5_ccache-3")) >+ except BlackboxProcessError as e: >+ self.fail(e) >+ # check_output will return bytes >+ # convert expected to bytes for python 3 >+ self.assertEqual(actual, expected.encode('utf-8')) >diff --git a/source3/selftest/ktest-krb5_ccache-2.txt b/source3/selftest/ktest-krb5_ccache-2.txt >new file mode 100644 >index 00000000000..c86750ae585 >--- /dev/null >+++ b/source3/selftest/ktest-krb5_ccache-2.txt 
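Review bot: Both `expected = open(...).read()` calls in test_ndrdump_Krb5ccache never close the file, and they decode the fixture with the locale's default encoding before the later `expected.encode('utf-8')`. Reading the fixture as bytes in a context manager fixes both and makes the re-encoding unnecessary: `with open(path, "rb") as f: expected = f.read()` followed by `self.assertEqual(actual, expected)`, with `path` standing for the existing `self.data_path(...)` expression. The two halves of the method differ only in the `-2` and `-3` fixture suffix, so a loop over the two names would remove the duplicated block and its repeated comment.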
>@@ -0,0 +1,1574 @@ >+pull returned Success >+ CCACHE: struct CCACHE >+ pvno : 0x05 (5) >+ version : 0x04 (4) >+ optional_header : union OPTIONAL_HEADER(case 0x4) >+ v4header: struct V4HEADER >+ v4tags: struct V4TAGS >+ tag: struct V4TAG >+ tag : 0x0001 (1) >+ field : union FIELD(case 0x1) >+ deltatime_tag: struct DELTATIME_TAG >+ kdc_sec_offset : 0 >+ kdc_usec_offset : 0 >+ further_tags : DATA_BLOB length=0 >+ principal: struct PRINCIPAL >+ name_type : 0x00000001 (1) >+ component_count : 0x00000001 (1) >+ realm : 'KTEST.SAMBA.EXAMPLE.COM' >+ components: ARRAY(1) >+ components : 'administrator' >+ cred: struct CREDENTIAL >+ client: struct PRINCIPAL >+ name_type : 0x00000001 (1) >+ component_count : 0x00000001 (1) >+ realm : 'KTEST.SAMBA.EXAMPLE.COM' >+ components: ARRAY(1) >+ components : 'administrator' >+ server: struct PRINCIPAL >+ name_type : 0x00000000 (0) >+ component_count : 0x00000002 (2) >+ realm : 'KTEST.SAMBA.EXAMPLE.COM' >+ components: ARRAY(2) >+ components : 'krbtgt' >+ components : 'KTEST.SAMBA.EXAMPLE.COM' >+ keyblock: struct KEYBLOCK >+ enctype : 0x0017 (23) >+ data : DATA_BLOB length=16 >+[0000] 8B 94 0B 31 51 5B F7 A7 15 E9 EE D7 D7 0C 8C 90 ...1Q[.. ........ >+ authtime : 0x4d994f6a (1301892970) >+ starttime : 0x4d994f6a (1301892970) >+ endtime : 0x7d440b68 (2101611368) >+ renew_till : 0x7d440b68 (2101611368) >+ is_skey : 0x00 (0) >+ ticket_flags : 0x40e00000 (1088421888) >+ addresses: struct ADDRESSES >+ count : 0x00000000 (0) >+ data: ARRAY(0) >+ authdata: struct AUTHDATA >+ count : 0x00000000 (0) >+ data: ARRAY(0) >+ ticket : DATA_BLOB length=1032 >+[0000] 61 82 04 04 30 82 04 00 A0 03 02 01 05 A1 19 1B a...0... ........ >+[0010] 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 .KTEST.S AMBA.EXA >+[0020] 4D 50 4C 45 2E 43 4F 4D A2 2C 30 2A A0 03 02 01 MPLE.COM .,0*.... 
>+[0030] 00 A1 23 30 21 1B 06 6B 72 62 74 67 74 1B 17 4B ..#0!..k rbtgt..K >+[0040] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP >+[0050] 4C 45 2E 43 4F 4D A3 82 03 AE 30 82 03 AA A0 03 LE.COM.. ..0..... >+[0060] 02 01 17 A1 03 02 01 01 A2 82 03 9C 04 82 03 98 ........ ........ >+[0070] 80 66 8F CF AB 24 9D C8 76 E4 28 F5 25 6B 73 B2 .f...$.. v.(.%ks. >+[0080] 4B 94 ED 09 10 29 05 C4 C0 B8 B9 33 FA C4 46 AB K....).. ...3..F. >+[0090] F4 B5 9E 5B 07 54 D6 58 1D B8 CA 04 41 A6 33 A6 ...[.T.X ....A.3. >+[00A0] 67 9D EB 83 70 65 A9 2D 65 A5 19 8C 55 2A 0F FC g...pe.- e...U*.. >+[00B0] 1B BB 7A BD 86 C0 32 06 F2 2F 0A A5 93 E7 D1 1E ..z...2. ./...... >+[00C0] 16 C4 27 DD 1F A7 61 03 FF 05 81 EF 49 B7 25 A3 ..'...a. ....I.%. >+[00D0] 6E EA E6 E8 15 E3 10 AF A3 F1 21 B3 D9 C0 67 2F n....... ..!...g/ >+[00E0] 0C 0C B7 42 D6 9A 34 8E D4 5E 55 C2 FE 62 03 37 ...B..4. .^U..b.7 >+[00F0] A5 58 9B 43 E7 26 E3 71 B2 E5 F1 91 B4 23 8F AC .X.C.&.q .....#.. >+[0100] 7A 31 3C 4E B4 94 E4 81 36 98 71 3B 98 7B B7 AB z1<N.... 6.q;.{.. >+[0110] D5 AA D3 34 2A 3B C8 D7 61 EE 60 F9 68 9C A0 56 ...4*;.. a.`.h..V >+[0120] 51 E7 85 81 DE EF B9 9F 8B 4A 07 E1 05 93 08 5A Q....... .J.....Z >+[0130] AE B3 92 A5 17 40 B1 1C 42 A9 E4 AD 3C B4 4E D3 .....@.. B...<.N. >+[0140] BE 68 C4 0C 81 C0 AB 2D 3E 81 09 BD 16 82 EB C5 .h.....- >....... >+[0150] 1A 69 EE 8C 4E A4 D8 55 A5 0B 23 0F D0 89 48 C4 .i..N..U ..#...H. >+[0160] 51 FE 32 FD CC F6 71 E1 95 2D CC 1D 0A 0C 8A A2 Q.2...q. .-...... >+[0170] 69 58 3B 65 88 53 EC D0 2E E1 C6 CC 6B BC 09 E5 iX;e.S.. ....k... >+[0180] B9 15 27 8B E4 B2 24 18 61 42 BB 8B 09 1B 8A 7B ..'...$. aB.....{ >+[0190] 13 D8 51 E1 0B 79 12 48 DE A9 54 04 00 6D DD E6 ..Q..y.H ..T..m.. >+[01A0] 5E 03 91 FF C7 6D 0B 7C 91 44 E1 0F C0 7E 32 34 ^....m.| .D...~24 >+[01B0] 82 86 94 F7 CD 53 EC 52 38 18 AA ED FF FC 5C 01 .....S.R 8.....\. >+[01C0] D2 EE 99 45 8E 5B E6 B3 46 B0 F6 3B 22 29 EC 11 ...E.[.. F..;").. 
>+[01D0] 30 6A F6 A1 1F 9E AE 71 E3 A6 E7 3F F3 7D 2B 75 0j.....q ...?.}+u >+[01E0] 70 4D 63 47 5C 18 2C 8B B1 1A 69 B6 C5 46 01 17 pMcG\.,. ..i..F.. >+[01F0] 8E 64 3D 47 88 20 1C AA D7 60 32 28 11 60 EA 28 .d=G. .. .`2(.`.( >+[0200] 66 99 4C B1 2A 28 96 BF 18 2A 3E F4 D6 84 E5 A0 f.L.*(.. .*>..... >+[0210] F4 4E E7 F9 54 95 22 96 2A 87 01 CC 3E A7 FF 42 .N..T.". *...>..B >+[0220] 6A A4 4A 3A B9 24 10 65 99 53 58 2A 4E 72 E7 1F j.J:.$.e .SX*Nr.. >+[0230] 82 BC BD 3C 6C 9D 33 3A CE C6 6E 72 A2 81 B3 84 ...<l.3: ..nr.... >+[0240] 82 DF 3C 1F 76 E5 B8 08 AD 0A 6C 7D 7B D5 0C 46 ..<.v... ..l}{..F >+[0250] 69 A4 F4 E9 9E 3D D7 2D E1 43 D1 7A 52 16 75 56 i....=.- .C.zR.uV >+[0260] 54 83 D5 2A 2F A7 D2 CB 48 FE FF DB AE 46 F2 5B T..*/... H....F.[ >+[0270] F4 52 BE C8 5E B1 04 95 52 35 3E 92 E0 02 F7 85 .R..^... R5>..... >+[0280] AB F0 D0 93 08 42 E5 37 19 24 4E C1 AF FC 92 A9 .....B.7 .$N..... >+[0290] B1 27 B1 9A 2A 62 34 F1 DC C0 6B 83 AE C3 74 E8 .'..*b4. ..k...t. >+[02A0] A3 05 DD 82 DD A3 D7 90 A8 E3 9C EB 64 16 23 06 ........ ....d.#. >+[02B0] 5D FB E4 35 7C 22 29 78 E3 3B 75 92 91 0C 9D A1 ]..5|")x .;u..... >+[02C0] 87 7C 2E 82 AE 49 9D 4A 50 A9 C2 D5 85 B0 16 5D .|...I.J P......] >+[02D0] A2 CD B0 DD 29 3F 6F 66 C9 C1 9F 5C F0 B6 FC D2 ....)?of ...\.... >+[02E0] 52 BE 7B F0 1F 26 AF 8A FC C3 A6 24 8C C0 10 06 R.{..&.. ...$.... >+[02F0] 73 1E 17 9E 6E 6F 32 44 6A DF 82 5D D0 6B 74 CE s...no2D j..].kt. >+[0300] 58 0B 4C 7B EB A1 13 44 B1 3E D8 F8 BA F4 4E 55 X.L{...D .>....NU >+[0310] 71 3D C1 09 D9 E7 97 9A 14 5C 54 7E 57 81 5F 6B q=...... .\T~W._k >+[0320] 30 BE 9A E1 98 29 47 D4 C0 8F 63 0A F8 27 1F CE 0....)G. ..c..'.. >+[0330] ED D9 BB 7B 12 24 D0 34 2A 7C F0 F7 77 F4 F1 1D ...{.$.4 *|..w... >+[0340] 4C 5D 75 2D 6B 0D 80 35 82 CC D8 7A 6B FA A0 55 L]u-k..5 ...zk..U >+[0350] 34 CD 87 15 61 38 78 D4 69 0F AA 72 D6 AC FA 99 4...a8x. i..r.... >+[0360] BC 70 39 27 A7 25 2E 1B 6F 36 01 FD E9 B4 9A 79 .p9'.%.. 
o6.....y >+[0370] 6C 19 DD A6 8C 78 B0 40 92 60 58 F0 28 AD 08 78 l....x.@ .`X.(..x >+[0380] 4A 29 06 2C 82 2B 1A E3 91 0B 5F EE D6 B8 66 47 J).,.+.. .._...fG >+[0390] 31 9B A3 DF 9F 79 D7 BB 0E 2C FA 0E C9 66 84 8D 1....y.. .,...f.. >+[03A0] FF BA BB 21 27 9E AD 86 84 55 8D 4C 4C 47 D9 5F ...!'... .U.LLG._ >+[03B0] B2 7D 26 CA B7 49 3C 9D 1B 67 71 11 3A 8A EB EA .}&..I<. .gq.:... >+[03C0] 0F 15 EB F0 1E 46 F7 A4 34 04 D7 E3 50 67 47 D3 .....F.. 4...PgG. >+[03D0] 66 21 17 77 51 A7 1F 1D 84 3B 7C B1 5D 4E B8 D4 f!.wQ... .;|.]N.. >+[03E0] F9 C5 75 06 AA 19 45 1C E9 06 9E AD 23 26 6B 10 ..u...E. ....#&k. >+[03F0] 53 A0 36 D3 58 9F 5E 8C CB A5 F6 BC C9 30 3C BC S.6.X.^. .....0<. >+[0400] AD FF 7C 92 F0 C6 9A 02 ..|..... >+ second_ticket : DATA_BLOB length=0 >+ further_creds : DATA_BLOB length=10683 >+[0000] 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 ........ ....KTES >+[0010] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. >+[0020] 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 COM....a dministr >+[0030] 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 ator.... ........ >+[0040] 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D KTEST.SA MBA.EXAM >+[0050] 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 73 00 PLE.COM. ...cifs. >+[0060] 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 00 17 ...local ktest6.. >+[0070] 00 00 00 10 00 6E A1 B2 31 6D 48 C7 90 72 3A 0C .....n.. 1mH..r:. >+[0080] 4B 8B 83 8C 4D 99 4F 6A 4D 99 50 85 7D 44 0B 68 K...M.Oj M.P.}D.h >+[0090] 00 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 .....@(. ........ >+[00A0] 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 .....a.. .0...... >+[00B0] 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB >+[00C0] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 A.EXAMPL E.COM..0 >+[00D0] 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 69 66 73 ........ 0...cifs >+[00E0] 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 A3 82 03 ..localk test6... >+[00F0] AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 02 A2 .0...... 
........ >+[0100] 82 03 9C 04 82 03 98 C6 BB 64 A8 31 00 FC 5E 51 ........ .d.1..^Q >+[0110] 3C 87 F8 34 47 3B D0 6F 6F FD 9E A6 91 12 74 2D <..4G;.o o.....t- >+[0120] 44 BB AA 91 A0 2D 46 3E 9E FB FB C4 FB F1 15 FD D....-F> ........ >+[0130] BB DA EE 06 A9 20 6A 38 DC 46 06 27 D9 A2 9D 2D ..... j8 .F.'...- >+[0140] 1F FD 0D 7D 8A BB 0A 7C E8 47 17 BC 7B 70 E4 51 ...}...| .G..{p.Q >+[0150] 6A BA 51 68 62 28 4A 1E 51 D1 0D CD 02 55 75 44 j.Qhb(J. Q....UuD >+[0160] 8A B9 C2 84 F4 17 34 92 9B 31 85 9E 43 C1 0C 3A ......4. .1..C..: >+[0170] B2 69 7F 20 1A 18 1F 65 4F C0 20 C9 B5 AF E1 61 .i. ...e O. ....a >+[0180] 8C 90 10 63 26 A6 5D 05 3C CD 29 BB 7B 74 D5 8F ...c&.]. <.).{t.. >+[0190] 2C 7F 4B E8 84 24 57 37 8A C6 F7 91 FD 22 9A A5 ,.K..$W7 .....".. >+[01A0] 0D E9 4A 78 93 36 FC A8 8C 8A 27 8A C6 28 4B 7B ..Jx.6.. ..'..(K{ >+[01B0] DA 11 42 BC 09 10 81 82 14 0F 9C B8 48 26 91 78 ..B..... ....H&.x >+[01C0] A8 DD 97 6C 24 A1 D2 E8 85 19 B3 D3 85 4D 38 C7 ...l$... .....M8. >+[01D0] 7D 49 55 8E 85 46 E1 EE 7B BA 11 62 63 53 C5 16 }IU..F.. {..bcS.. >+[01E0] 4A 0C 1C 99 7C 0E FB 45 1D B4 98 58 67 7E 40 65 J...|..E ...Xg~@e >+[01F0] 4B 48 E2 89 9C 8B C2 B8 39 D1 04 C0 A8 56 E8 A1 KH...... 9....V.. >+[0200] 04 7A 7A C9 60 18 A0 29 E2 DC 82 4C 8F 18 CE 2F .zz.`..) ...L.../ >+[0210] 14 F0 18 5B 6C FF 85 45 88 73 CB A4 55 08 FC BF ...[l..E .s..U... >+[0220] C7 9F 51 0A DB 2C C1 E3 3C DD F6 F0 A3 2D F1 3B ..Q..,.. <....-.; >+[0230] A0 12 1D FC 2A 67 F5 1A 7F E5 7C 6C FB 8A 18 BD ....*g.. ..|l.... >+[0240] D1 5D E5 5E 68 30 AA 58 9E 10 13 E0 26 7E 7D C4 .].^h0.X ....&~}. >+[0250] E1 A5 B6 86 0F 1C 0F 13 A4 5E 5E 6A ED 42 79 31 ........ .^^j.By1 >+[0260] BB B3 5F 3A 3F DD CB 63 82 FB 06 AE 12 36 C9 1E .._:?..c .....6.. >+[0270] 06 7D 41 82 2E D2 FA 26 EC 17 50 5E D0 DE 26 85 .}A....& ..P^..&. >+[0280] 30 71 BC 45 3B DA 2E 08 8D B2 2A 3C E0 79 8F 77 0q.E;... ..*<.y.w >+[0290] 4C 01 69 7A 09 C7 88 E1 D1 DC FF 78 DB 25 7B B1 L.iz.... ...x.%{. 
>+[02A0] 3C BB 22 27 80 0D 75 96 18 B6 40 95 6D C8 AB 04 <."'..u. ..@.m... >+[02B0] 05 41 A1 C4 25 71 C4 53 3A A6 9C B2 4D E6 15 2C .A..%q.S :...M.., >+[02C0] B2 47 6C DA A8 7D CC A3 89 8B C9 1E 21 F5 E9 B2 .Gl..}.. ....!... >+[02D0] 42 95 68 28 AF C6 37 22 BA 30 8D 53 FA 08 0D CE B.h(..7" .0.S.... >+[02E0] CA 81 61 0D 84 A5 2D 75 BD 41 85 4C 88 56 72 C6 ..a...-u .A.L.Vr. >+[02F0] B6 10 F8 34 CD B2 F4 5C 94 FA 80 90 82 A0 BD 68 ...4...\ .......h >+[0300] EC 08 32 C3 B6 51 1E 3F 67 CB 7B EB 70 83 84 D4 ..2..Q.? g.{.p... >+[0310] CB 52 55 36 61 1E 60 90 5B 6F FE 9A 62 05 CF 26 .RU6a.`. [o..b..& >+[0320] 8E 65 E2 60 4B ED 63 B4 C4 E6 44 B4 2F B0 B8 07 .e.`K.c. ..D./... >+[0330] FE BE 0D 50 E4 56 A4 2E 0D 25 76 0B 0F 44 09 20 ...P.V.. .%v..D. >+[0340] 80 E5 C4 94 63 E0 54 46 1D AB 5E 0B 09 93 B1 30 ....c.TF ..^....0 >+[0350] 31 7B 04 DC 23 43 3B DB 7D 39 67 FE 9A 1F C1 08 1{..#C;. }9g..... >+[0360] AF 34 24 F6 74 E4 14 DA 34 8F 61 57 6A 7F 1D 4A .4$.t... 4.aWj..J >+[0370] 88 0A 90 78 93 F1 86 54 DB 22 86 D6 69 0F DF 44 ...x...T ."..i..D >+[0380] 7C D3 6B 9D 41 63 50 98 3A 97 B9 7B 4C 53 E3 85 |.k.AcP. :..{LS.. >+[0390] 73 9A C9 08 A0 75 12 50 02 87 B0 CF CC 84 84 D9 s....u.P ........ >+[03A0] BC FC 94 79 AF 6A A6 08 FF 19 7E E9 22 9B EC 5C ...y.j.. ..~."..\ >+[03B0] C1 6B 1D A4 B4 55 32 5E 23 C3 C0 D4 8B 80 E6 67 .k...U2^ #......g >+[03C0] B1 59 EB 9D 5D 9B AD C6 0E 7D E2 FE B1 24 8A B1 .Y..]... .}...$.. >+[03D0] 37 1E 60 7F 83 35 48 32 F7 03 E8 12 E6 21 7C 3D 7.`..5H2 .....!|= >+[03E0] 21 7F 6B 14 31 9C 1A A3 4C 2B 1C 5E EC 34 C1 2D !.k.1... L+.^.4.- >+[03F0] DA 19 6C E6 6D 8D 60 D7 55 9E E6 D0 B5 07 06 72 ..l.m.`. U......r >+[0400] C0 E9 4E 91 94 6B 3E 0B F1 0A 75 4D E8 CB 53 6B ..N..k>. ..uM..Sk >+[0410] 34 A4 2F 96 A5 39 1A 18 6E 27 00 6D 41 B7 D8 F5 4./..9.. n'.mA... >+[0420] 9A E5 01 FC 0B A8 97 56 EE 98 04 1D 98 84 5E 82 .......V ......^. >+[0430] C8 E8 EC 17 D5 FA 96 00 3B E1 98 1C D8 FA 66 A0 ........ ;.....f. 
>+[0440] DC 32 60 F6 03 46 08 3C E5 16 6F F2 8B 4D 72 9F .2`..F.< ..o..Mr. >+[0450] 0F E0 A9 71 6E 7C AE AA FB A3 4D F1 A1 B6 1B 9F ...qn|.. ..M..... >+[0460] 62 71 E1 2C 82 9B AE E3 07 9B 79 90 F1 C2 69 E5 bq.,.... ..y...i. >+[0470] 7E CB 57 E6 C9 1C 4E A8 C7 12 EA 4F 4C 52 17 03 ~.W...N. ...OLR.. >+[0480] AB D4 FD 34 60 F4 7C BE 9E 36 30 37 88 95 61 2E ...4`.|. .607..a. >+[0490] CF 70 AF 22 70 DB E8 AA 6E 3D 30 F7 4D 84 D5 00 .p."p... n=0.M... >+[04A0] 00 00 00 00 00 00 01 00 00 00 01 00 00 00 17 4B ........ .......K >+[04B0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP >+[04C0] 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 LE.COM.. ..admini >+[04D0] 73 74 72 61 74 6F 72 00 00 00 01 00 00 00 02 00 strator. ........ >+[04E0] 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 ...KTEST .SAMBA.E >+[04F0] 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 XAMPLE.C OM....ci >+[0500] 66 73 00 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 fs....lo calktest >+[0510] 36 00 17 00 00 00 10 00 6E A1 B2 31 6D 48 C7 90 6....... n..1mH.. >+[0520] 72 3A 0C 4B 8B 83 8C 4D 99 4F 6A 4D 99 50 85 7D r:.K...M .OjM.P.} >+[0530] 44 0B 68 00 00 00 00 00 40 28 00 00 00 00 00 00 D.h..... @(...... >+[0540] 00 00 00 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 ........ a...0... >+[0550] A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 ........ .KTEST.S >+[0560] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM >+[0570] A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 ..0..... ...0...c >+[0580] 69 66 73 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 ifs..loc alktest6 >+[0590] A3 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 03 02 ....0... ........ >+[05A0] 01 02 A2 82 03 9C 04 82 03 98 C6 BB 64 A8 31 00 ........ ....d.1. >+[05B0] FC 5E 51 3C 87 F8 34 47 3B D0 6F 6F FD 9E A6 91 .^Q<..4G ;.oo.... >+[05C0] 12 74 2D 44 BB AA 91 A0 2D 46 3E 9E FB FB C4 FB .t-D.... -F>..... >+[05D0] F1 15 FD BB DA EE 06 A9 20 6A 38 DC 46 06 27 D9 ........ j8.F.'. 
>+[05E0] A2 9D 2D 1F FD 0D 7D 8A BB 0A 7C E8 47 17 BC 7B ..-...}. ..|.G..{ >+[05F0] 70 E4 51 6A BA 51 68 62 28 4A 1E 51 D1 0D CD 02 p.Qj.Qhb (J.Q.... >+[0600] 55 75 44 8A B9 C2 84 F4 17 34 92 9B 31 85 9E 43 UuD..... .4..1..C >+[0610] C1 0C 3A B2 69 7F 20 1A 18 1F 65 4F C0 20 C9 B5 ..:.i. . ..eO. .. >+[0620] AF E1 61 8C 90 10 63 26 A6 5D 05 3C CD 29 BB 7B ..a...c& .].<.).{ >+[0630] 74 D5 8F 2C 7F 4B E8 84 24 57 37 8A C6 F7 91 FD t..,.K.. $W7..... >+[0640] 22 9A A5 0D E9 4A 78 93 36 FC A8 8C 8A 27 8A C6 "....Jx. 6....'.. >+[0650] 28 4B 7B DA 11 42 BC 09 10 81 82 14 0F 9C B8 48 (K{..B.. .......H >+[0660] 26 91 78 A8 DD 97 6C 24 A1 D2 E8 85 19 B3 D3 85 &.x...l$ ........ >+[0670] 4D 38 C7 7D 49 55 8E 85 46 E1 EE 7B BA 11 62 63 M8.}IU.. F..{..bc >+[0680] 53 C5 16 4A 0C 1C 99 7C 0E FB 45 1D B4 98 58 67 S..J...| ..E...Xg >+[0690] 7E 40 65 4B 48 E2 89 9C 8B C2 B8 39 D1 04 C0 A8 ~@eKH... ...9.... >+[06A0] 56 E8 A1 04 7A 7A C9 60 18 A0 29 E2 DC 82 4C 8F V...zz.` ..)...L. >+[06B0] 18 CE 2F 14 F0 18 5B 6C FF 85 45 88 73 CB A4 55 ../...[l ..E.s..U >+[06C0] 08 FC BF C7 9F 51 0A DB 2C C1 E3 3C DD F6 F0 A3 .....Q.. ,..<.... >+[06D0] 2D F1 3B A0 12 1D FC 2A 67 F5 1A 7F E5 7C 6C FB -.;....* g....|l. >+[06E0] 8A 18 BD D1 5D E5 5E 68 30 AA 58 9E 10 13 E0 26 ....].^h 0.X....& >+[06F0] 7E 7D C4 E1 A5 B6 86 0F 1C 0F 13 A4 5E 5E 6A ED ~}...... ....^^j. >+[0700] 42 79 31 BB B3 5F 3A 3F DD CB 63 82 FB 06 AE 12 By1.._:? ..c..... >+[0710] 36 C9 1E 06 7D 41 82 2E D2 FA 26 EC 17 50 5E D0 6...}A.. ..&..P^. >+[0720] DE 26 85 30 71 BC 45 3B DA 2E 08 8D B2 2A 3C E0 .&.0q.E; .....*<. >+[0730] 79 8F 77 4C 01 69 7A 09 C7 88 E1 D1 DC FF 78 DB y.wL.iz. ......x. >+[0740] 25 7B B1 3C BB 22 27 80 0D 75 96 18 B6 40 95 6D %{.<."'. .u...@.m >+[0750] C8 AB 04 05 41 A1 C4 25 71 C4 53 3A A6 9C B2 4D ....A..% q.S:...M >+[0760] E6 15 2C B2 47 6C DA A8 7D CC A3 89 8B C9 1E 21 ..,.Gl.. }......! >+[0770] F5 E9 B2 42 95 68 28 AF C6 37 22 BA 30 8D 53 FA ...B.h(. .7".0.S. 
>+[0780] 08 0D CE CA 81 61 0D 84 A5 2D 75 BD 41 85 4C 88 .....a.. .-u.A.L. >+[0790] 56 72 C6 B6 10 F8 34 CD B2 F4 5C 94 FA 80 90 82 Vr....4. ..\..... >+[07A0] A0 BD 68 EC 08 32 C3 B6 51 1E 3F 67 CB 7B EB 70 ..h..2.. Q.?g.{.p >+[07B0] 83 84 D4 CB 52 55 36 61 1E 60 90 5B 6F FE 9A 62 ....RU6a .`.[o..b >+[07C0] 05 CF 26 8E 65 E2 60 4B ED 63 B4 C4 E6 44 B4 2F ..&.e.`K .c...D./ >+[07D0] B0 B8 07 FE BE 0D 50 E4 56 A4 2E 0D 25 76 0B 0F ......P. V...%v.. >+[07E0] 44 09 20 80 E5 C4 94 63 E0 54 46 1D AB 5E 0B 09 D. ....c .TF..^.. >+[07F0] 93 B1 30 31 7B 04 DC 23 43 3B DB 7D 39 67 FE 9A ..01{..# C;.}9g.. >+[0800] 1F C1 08 AF 34 24 F6 74 E4 14 DA 34 8F 61 57 6A ....4$.t ...4.aWj >+[0810] 7F 1D 4A 88 0A 90 78 93 F1 86 54 DB 22 86 D6 69 ..J...x. ..T."..i >+[0820] 0F DF 44 7C D3 6B 9D 41 63 50 98 3A 97 B9 7B 4C ..D|.k.A cP.:..{L >+[0830] 53 E3 85 73 9A C9 08 A0 75 12 50 02 87 B0 CF CC S..s.... u.P..... >+[0840] 84 84 D9 BC FC 94 79 AF 6A A6 08 FF 19 7E E9 22 ......y. j....~." >+[0850] 9B EC 5C C1 6B 1D A4 B4 55 32 5E 23 C3 C0 D4 8B ..\.k... U2^#.... >+[0860] 80 E6 67 B1 59 EB 9D 5D 9B AD C6 0E 7D E2 FE B1 ..g.Y..] ....}... >+[0870] 24 8A B1 37 1E 60 7F 83 35 48 32 F7 03 E8 12 E6 $..7.`.. 5H2..... >+[0880] 21 7C 3D 21 7F 6B 14 31 9C 1A A3 4C 2B 1C 5E EC !|=!.k.1 ...L+.^. >+[0890] 34 C1 2D DA 19 6C E6 6D 8D 60 D7 55 9E E6 D0 B5 4.-..l.m .`.U.... >+[08A0] 07 06 72 C0 E9 4E 91 94 6B 3E 0B F1 0A 75 4D E8 ..r..N.. k>...uM. >+[08B0] CB 53 6B 34 A4 2F 96 A5 39 1A 18 6E 27 00 6D 41 .Sk4./.. 9..n'.mA >+[08C0] B7 D8 F5 9A E5 01 FC 0B A8 97 56 EE 98 04 1D 98 ........ ..V..... >+[08D0] 84 5E 82 C8 E8 EC 17 D5 FA 96 00 3B E1 98 1C D8 .^...... ...;.... >+[08E0] FA 66 A0 DC 32 60 F6 03 46 08 3C E5 16 6F F2 8B .f..2`.. F.<..o.. >+[08F0] 4D 72 9F 0F E0 A9 71 6E 7C AE AA FB A3 4D F1 A1 Mr....qn |....M.. >+[0900] B6 1B 9F 62 71 E1 2C 82 9B AE E3 07 9B 79 90 F1 ...bq.,. .....y.. >+[0910] C2 69 E5 7E CB 57 E6 C9 1C 4E A8 C7 12 EA 4F 4C .i.~.W.. 
.N....OL >+[0920] 52 17 03 AB D4 FD 34 60 F4 7C BE 9E 36 30 37 88 R.....4` .|..607. >+[0930] 95 61 2E CF 70 AF 22 70 DB E8 AA 6E 3D 30 F7 4D .a..p."p ...n=0.M >+[0940] 84 D5 00 00 00 00 00 00 00 01 00 00 00 01 00 00 ........ ........ >+[0950] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX >+[0960] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D AMPLE.CO M....adm >+[0970] 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 inistrat or...... >+[0980] 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB >+[0990] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 A.EXAMPL E.COM... >+[09A0] 04 63 69 66 73 00 00 00 0B 6C 6F 63 61 6C 6B 74 .cifs... .localkt >+[09B0] 65 73 74 36 00 17 00 00 00 10 00 6E A1 B2 31 6D est6.... ...n..1m >+[09C0] 48 C7 90 72 3A 0C 4B 8B 83 8C 4D 99 4F 6A 4D 99 H..r:.K. ..M.OjM. >+[09D0] 50 85 7D 44 0B 68 00 00 00 00 00 40 28 00 00 00 P.}D.h.. ...@(... >+[09E0] 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 ........ ...a...0 >+[09F0] 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 ........ ....KTES >+[0A00] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. >+[0A10] 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 COM..0.. ......0. >+[0A20] 1B 04 63 69 66 73 1B 0B 6C 6F 63 61 6C 6B 74 65 ..cifs.. localkte >+[0A30] 73 74 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 st6....0 ........ >+[0A40] A1 03 02 01 02 A2 82 03 9C 04 82 03 98 C6 BB 64 ........ .......d >+[0A50] A8 31 00 FC 5E 51 3C 87 F8 34 47 3B D0 6F 6F FD .1..^Q<. .4G;.oo. >+[0A60] 9E A6 91 12 74 2D 44 BB AA 91 A0 2D 46 3E 9E FB ....t-D. ...-F>.. >+[0A70] FB C4 FB F1 15 FD BB DA EE 06 A9 20 6A 38 DC 46 ........ ... j8.F >+[0A80] 06 27 D9 A2 9D 2D 1F FD 0D 7D 8A BB 0A 7C E8 47 .'...-.. .}...|.G >+[0A90] 17 BC 7B 70 E4 51 6A BA 51 68 62 28 4A 1E 51 D1 ..{p.Qj. Qhb(J.Q. >+[0AA0] 0D CD 02 55 75 44 8A B9 C2 84 F4 17 34 92 9B 31 ...UuD.. ....4..1 >+[0AB0] 85 9E 43 C1 0C 3A B2 69 7F 20 1A 18 1F 65 4F C0 ..C..:.i . ...eO. 
>+[0AC0] 20 C9 B5 AF E1 61 8C 90 10 63 26 A6 5D 05 3C CD ....a.. .c&.].<. >+[0AD0] 29 BB 7B 74 D5 8F 2C 7F 4B E8 84 24 57 37 8A C6 ).{t..,. K..$W7.. >+[0AE0] F7 91 FD 22 9A A5 0D E9 4A 78 93 36 FC A8 8C 8A ...".... Jx.6.... >+[0AF0] 27 8A C6 28 4B 7B DA 11 42 BC 09 10 81 82 14 0F '..(K{.. B....... >+[0B00] 9C B8 48 26 91 78 A8 DD 97 6C 24 A1 D2 E8 85 19 ..H&.x.. .l$..... >+[0B10] B3 D3 85 4D 38 C7 7D 49 55 8E 85 46 E1 EE 7B BA ...M8.}I U..F..{. >+[0B20] 11 62 63 53 C5 16 4A 0C 1C 99 7C 0E FB 45 1D B4 .bcS..J. ..|..E.. >+[0B30] 98 58 67 7E 40 65 4B 48 E2 89 9C 8B C2 B8 39 D1 .Xg~@eKH ......9. >+[0B40] 04 C0 A8 56 E8 A1 04 7A 7A C9 60 18 A0 29 E2 DC ...V...z z.`..).. >+[0B50] 82 4C 8F 18 CE 2F 14 F0 18 5B 6C FF 85 45 88 73 .L.../.. .[l..E.s >+[0B60] CB A4 55 08 FC BF C7 9F 51 0A DB 2C C1 E3 3C DD ..U..... Q..,..<. >+[0B70] F6 F0 A3 2D F1 3B A0 12 1D FC 2A 67 F5 1A 7F E5 ...-.;.. ..*g.... >+[0B80] 7C 6C FB 8A 18 BD D1 5D E5 5E 68 30 AA 58 9E 10 |l.....] .^h0.X.. >+[0B90] 13 E0 26 7E 7D C4 E1 A5 B6 86 0F 1C 0F 13 A4 5E ..&~}... .......^ >+[0BA0] 5E 6A ED 42 79 31 BB B3 5F 3A 3F DD CB 63 82 FB ^j.By1.. _:?..c.. >+[0BB0] 06 AE 12 36 C9 1E 06 7D 41 82 2E D2 FA 26 EC 17 ...6...} A....&.. >+[0BC0] 50 5E D0 DE 26 85 30 71 BC 45 3B DA 2E 08 8D B2 P^..&.0q .E;..... >+[0BD0] 2A 3C E0 79 8F 77 4C 01 69 7A 09 C7 88 E1 D1 DC *<.y.wL. iz...... >+[0BE0] FF 78 DB 25 7B B1 3C BB 22 27 80 0D 75 96 18 B6 .x.%{.<. "'..u... >+[0BF0] 40 95 6D C8 AB 04 05 41 A1 C4 25 71 C4 53 3A A6 @.m....A ..%q.S:. >+[0C00] 9C B2 4D E6 15 2C B2 47 6C DA A8 7D CC A3 89 8B ..M..,.G l..}.... >+[0C10] C9 1E 21 F5 E9 B2 42 95 68 28 AF C6 37 22 BA 30 ..!...B. h(..7".0 >+[0C20] 8D 53 FA 08 0D CE CA 81 61 0D 84 A5 2D 75 BD 41 .S...... a...-u.A >+[0C30] 85 4C 88 56 72 C6 B6 10 F8 34 CD B2 F4 5C 94 FA .L.Vr... .4...\.. >+[0C40] 80 90 82 A0 BD 68 EC 08 32 C3 B6 51 1E 3F 67 CB .....h.. 2..Q.?g. 
>+[0C50] 7B EB 70 83 84 D4 CB 52 55 36 61 1E 60 90 5B 6F {.p....R U6a.`.[o >+[0C60] FE 9A 62 05 CF 26 8E 65 E2 60 4B ED 63 B4 C4 E6 ..b..&.e .`K.c... >+[0C70] 44 B4 2F B0 B8 07 FE BE 0D 50 E4 56 A4 2E 0D 25 D./..... .P.V...% >+[0C80] 76 0B 0F 44 09 20 80 E5 C4 94 63 E0 54 46 1D AB v..D. .. ..c.TF.. >+[0C90] 5E 0B 09 93 B1 30 31 7B 04 DC 23 43 3B DB 7D 39 ^....01{ ..#C;.}9 >+[0CA0] 67 FE 9A 1F C1 08 AF 34 24 F6 74 E4 14 DA 34 8F g......4 $.t...4. >+[0CB0] 61 57 6A 7F 1D 4A 88 0A 90 78 93 F1 86 54 DB 22 aWj..J.. .x...T." >+[0CC0] 86 D6 69 0F DF 44 7C D3 6B 9D 41 63 50 98 3A 97 ..i..D|. k.AcP.:. >+[0CD0] B9 7B 4C 53 E3 85 73 9A C9 08 A0 75 12 50 02 87 .{LS..s. ...u.P.. >+[0CE0] B0 CF CC 84 84 D9 BC FC 94 79 AF 6A A6 08 FF 19 ........ .y.j.... >+[0CF0] 7E E9 22 9B EC 5C C1 6B 1D A4 B4 55 32 5E 23 C3 ~."..\.k ...U2^#. >+[0D00] C0 D4 8B 80 E6 67 B1 59 EB 9D 5D 9B AD C6 0E 7D .....g.Y ..]....} >+[0D10] E2 FE B1 24 8A B1 37 1E 60 7F 83 35 48 32 F7 03 ...$..7. `..5H2.. >+[0D20] E8 12 E6 21 7C 3D 21 7F 6B 14 31 9C 1A A3 4C 2B ...!|=!. k.1...L+ >+[0D30] 1C 5E EC 34 C1 2D DA 19 6C E6 6D 8D 60 D7 55 9E .^.4.-.. l.m.`.U. >+[0D40] E6 D0 B5 07 06 72 C0 E9 4E 91 94 6B 3E 0B F1 0A .....r.. N..k>... >+[0D50] 75 4D E8 CB 53 6B 34 A4 2F 96 A5 39 1A 18 6E 27 uM..Sk4. /..9..n' >+[0D60] 00 6D 41 B7 D8 F5 9A E5 01 FC 0B A8 97 56 EE 98 .mA..... .....V.. >+[0D70] 04 1D 98 84 5E 82 C8 E8 EC 17 D5 FA 96 00 3B E1 ....^... ......;. >+[0D80] 98 1C D8 FA 66 A0 DC 32 60 F6 03 46 08 3C E5 16 ....f..2 `..F.<.. >+[0D90] 6F F2 8B 4D 72 9F 0F E0 A9 71 6E 7C AE AA FB A3 o..Mr... .qn|.... >+[0DA0] 4D F1 A1 B6 1B 9F 62 71 E1 2C 82 9B AE E3 07 9B M.....bq .,...... >+[0DB0] 79 90 F1 C2 69 E5 7E CB 57 E6 C9 1C 4E A8 C7 12 y...i.~. W...N... >+[0DC0] EA 4F 4C 52 17 03 AB D4 FD 34 60 F4 7C BE 9E 36 .OLR.... .4`.|..6 >+[0DD0] 30 37 88 95 61 2E CF 70 AF 22 70 DB E8 AA 6E 3D 07..a..p ."p...n= >+[0DE0] 30 F7 4D 84 D5 00 00 00 00 00 00 00 01 00 00 00 0.M..... ........ 
>+[0DF0] 01 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA >+[0E00] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D .EXAMPLE .COM.... >+[0E10] 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 administ rator... >+[0E20] 01 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 ........ .KTEST.S >+[0E30] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM >+[0E40] 00 00 00 04 63 69 66 73 00 00 00 0B 4C 4F 43 41 ....cifs ....LOCA >+[0E50] 4C 4B 54 45 53 54 36 00 17 00 00 00 10 1D C8 5E LKTEST6. .......^ >+[0E60] 46 48 82 F9 29 DB C6 A6 F1 72 6D 8D E9 4D 99 4F FH..)... .rm..M.O >+[0E70] 6A 4D 99 85 09 7D 44 0B 68 00 00 00 00 00 40 28 jM...}D. h.....@( >+[0E80] 00 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 ........ ......a. >+[0E90] 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B ..0..... .......K >+[0EA0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP >+[0EB0] 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 LE.COM.. 0....... >+[0EC0] 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F 43 41 4C .0...cif s..LOCAL >+[0ED0] 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 KTEST6.. ..0..... >+[0EE0] 02 01 17 A1 03 02 01 02 A2 82 03 9C 04 82 03 98 ........ ........ >+[0EF0] 66 D8 19 46 FA CB 73 2D CF 88 FD 4A EE 07 48 DA f..F..s- ...J..H. >+[0F00] 0E BC 58 30 43 40 A4 9C 00 0F 3B 17 C1 2D F5 9C ..X0C@.. ..;..-.. >+[0F10] 3E D9 2F 1D CA 01 9B D7 2E EC D7 70 ED 8B 8B 1B >./..... ...p.... >+[0F20] 5E F2 4E EE DD 0F C0 8D 61 E5 D7 0A 56 00 32 B1 ^.N..... a...V.2. >+[0F30] DB 91 37 29 0F 2F 85 EE A8 43 BA A5 B8 D4 19 74 ..7)./.. .C.....t >+[0F40] 33 F0 69 52 E1 58 98 83 D6 16 0B 44 A9 63 9B D4 3.iR.X.. ...D.c.. >+[0F50] 4E 6E A7 3E CD 9A 96 4D C4 96 F5 07 6D 29 B6 ED Nn.>...M ....m).. >+[0F60] 2A 62 3D 53 22 33 D1 95 E9 DF 74 4C 2A E2 29 AF *b=S"3.. ..tL*.). >+[0F70] 5B 69 B0 48 2D AD 94 FD A5 1D 54 D8 E2 5E C1 68 [i.H-... ..T..^.h >+[0F80] 6F BA 02 01 79 C3 C9 97 0B 76 66 45 E2 3B 10 17 o...y... .vfE.;.. 
>+[0F90] 95 40 46 E4 85 B9 87 BB CF CF 19 8C 3A C0 EA 38 .@F..... ....:..8 >+[0FA0] 3B B9 E9 4B 05 89 E5 27 8C 62 95 BC 0D 65 F0 D2 ;..K...' .b...e.. >+[0FB0] C0 5E BC 65 01 D5 0B CB 17 31 0F 06 49 4F A2 4A .^.e.... .1..IO.J >+[0FC0] 70 77 DB BD 92 5B 37 5C EC 06 DF C5 E2 31 C8 40 pw...[7\ .....1.@ >+[0FD0] 09 11 68 14 E7 7D CE 54 4F 52 61 31 2C 1C 53 52 ..h..}.T ORa1,.SR >+[0FE0] DB BE D8 95 39 EE 7D C6 CE C8 22 95 92 97 97 3D ....9.}. .."....= >+[0FF0] 5E 66 0F AD DC C2 4E 2E 2B 9F 63 20 30 DF B7 C1 ^f....N. +.c 0... >+[1000] D4 65 AA 6F 2D 10 24 07 20 8D 88 6E 4B 09 04 31 .e.o-.$. ..nK..1 >+[1010] B6 A3 EB F7 37 32 0E 0C 73 C6 F6 B8 4D D9 0C 4C ....72.. s...M..L >+[1020] 5B EC 10 6A 51 19 EA 3F FF 46 E7 73 16 A7 1F 33 [..jQ..? .F.s...3 >+[1030] 98 7C 9B AD 5A 23 A9 40 7C 0F DF EE 0F AA C7 E8 .|..Z#.@ |....... >+[1040] 63 07 98 3A 4A 0D 18 62 01 21 B2 AE A5 69 B0 C1 c..:J..b .!...i.. >+[1050] 15 51 BA 97 D2 C5 42 5B C5 30 38 18 A9 48 AB D7 .Q....B[ .08..H.. >+[1060] FC A1 BC 9F 71 E7 EA 18 54 42 DA D6 A4 FC C1 DC ....q... TB...... >+[1070] F3 12 30 62 AC 98 E1 7D 2B 34 1E 52 4C 26 67 32 ..0b...} +4.RL&g2 >+[1080] D9 44 1A 08 27 0E DA D0 FC 84 66 35 81 D6 EB 98 .D..'... ..f5.... >+[1090] 46 6F 1E 47 E0 14 31 BE 47 80 65 AA 0B 20 D6 33 Fo.G..1. G.e.. .3 >+[10A0] 36 3B 0D 40 2F 5A 2E 0E 01 BE 00 EB 33 3E 4B 32 6;.@/Z.. ....3>K2 >+[10B0] 91 F4 22 96 E5 5F D4 D5 92 94 CC 5B 59 6A 3E D2 ..".._.. ...[Yj>. >+[10C0] FB A0 4F 99 C4 07 8B 6F 2B 14 37 CD 37 44 C0 1F ..O....o +.7.7D.. >+[10D0] 80 9C 43 46 F2 5E F4 FE D3 39 70 61 BE 72 5B 3A ..CF.^.. .9pa.r[: >+[10E0] 8F 37 95 78 1E AB D9 E7 E9 DA FC 47 09 81 A0 0D .7.x.... ...G.... >+[10F0] 62 E1 F9 34 36 D1 DB E6 98 D8 F4 3E 77 5A 4D E2 b..46... ...>wZM. >+[1100] 5F 20 70 3D 3D 5B 34 D9 FD A8 31 F7 D9 59 F7 A3 _ p==[4. ..1..Y.. >+[1110] F0 66 F7 D9 AD 1C CD D5 85 33 A0 87 22 31 D4 F3 .f...... .3.."1.. >+[1120] 67 80 68 20 A2 90 72 7A 6F 64 FD 68 82 9E 91 B8 g.h ..rz od.h.... 
>+[1130] E3 F7 6D 6C 38 74 F0 96 A2 F6 25 D7 92 58 14 60 ..ml8t.. ..%..X.` >+[1140] 9F AE 01 4C 0C 09 67 3E 35 67 71 1E 2A 86 21 D3 ...L..g> 5gq.*.!. >+[1150] 60 61 98 16 94 67 0B 52 76 63 93 BD A3 3B A9 F0 `a...g.R vc...;.. >+[1160] A2 6A B7 E6 0F 35 64 DA 6A EA 20 A6 3D 94 71 59 .j...5d. j. .=.qY >+[1170] 5E CB B2 D3 F9 4D FE 1B 4B D8 64 C8 3B 7A A8 E6 ^....M.. K.d.;z.. >+[1180] D2 D5 76 71 26 D4 5C DA 1A 55 17 F2 16 C9 2F 77 ..vq&.\. .U..../w >+[1190] DB 95 19 48 A5 AC D0 C3 31 9C 0A CC 1B 44 11 6B ...H.... 1....D.k >+[11A0] 7C 88 7A 5D CF 6E 12 DA EF C5 C7 34 1D F4 CC EA |.z].n.. ...4.... >+[11B0] 37 24 4B B3 0F C1 A3 F2 29 A0 D8 93 39 C6 16 57 7$K..... )...9..W >+[11C0] D5 BF 57 BF 6C 7E F7 90 E0 EB A3 8B 07 56 9C EC ..W.l~.. .....V.. >+[11D0] 15 3E 21 DA A5 7C 00 3C F9 D2 A7 1C 6F 16 25 31 .>!..|.< ....o.%1 >+[11E0] C5 28 A7 EA F3 47 31 50 DD E1 ED 0A 93 DB 85 CC .(...G1P ........ >+[11F0] 6B 4B 2C 7F E8 F8 2D A9 6D 1D 0A 87 F2 10 8C 82 kK,...-. m....... >+[1200] 2F 9B D4 9B 92 8C 77 40 50 42 1E 42 C4 0A 4F E3 /.....w@ PB.B..O. >+[1210] 6C 6C DC 81 C4 1E BB F0 7D CF 3C 73 22 5B C3 1A ll...... }.<s"[.. >+[1220] 97 35 EE 3A CD 6D F3 68 A3 C5 65 7E E9 54 C0 E3 .5.:.m.h ..e~.T.. >+[1230] 7D 6A 32 4C D1 3E D0 78 4B BF 18 9F A5 25 4A 92 }j2L.>.x K....%J. >+[1240] 1E 6C 8F 01 D6 59 D7 CF 2E A0 CC 98 F6 75 28 2F .l...Y.. .....u(/ >+[1250] F7 2A 70 28 A9 45 1F 75 C2 4E 62 ED D8 C4 A0 8D .*p(.E.u .Nb..... >+[1260] 55 B2 84 1C A4 CE 87 EF 24 EE BC CE 40 09 EB 05 U....... $...@... >+[1270] 0B D1 14 31 50 32 2F B6 A8 97 17 4B A7 95 01 50 ...1P2/. ...K...P >+[1280] 6E 0E 23 49 9C 72 21 91 00 00 00 00 00 00 00 01 n.#I.r!. ........ >+[1290] 00 00 00 01 00 00 00 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA >+[12A0] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 MBA.EXAM PLE.COM. >+[12B0] 00 00 0D 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 ...admin istrator >+[12C0] 00 00 00 01 00 00 00 02 00 00 00 17 4B 54 45 53 ........ 
....KTES >+[12D0] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. >+[12E0] 43 4F 4D 00 00 00 04 63 69 66 73 00 00 00 0B 4C COM....c ifs....L >+[12F0] 4F 43 41 4C 4B 54 45 53 54 36 00 17 00 00 00 10 OCALKTES T6...... >+[1300] 1D C8 5E 46 48 82 F9 29 DB C6 A6 F1 72 6D 8D E9 ..^FH..) ....rm.. >+[1310] 4D 99 4F 6A 4D 99 85 09 7D 44 0B 68 00 00 00 00 M.OjM... }D.h.... >+[1320] 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 03 .@(..... ........ >+[1330] FA 61 82 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 .a...0.. ........ >+[1340] 1B 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX >+[1350] 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 AMPLE.CO M..0.... >+[1360] 01 01 A1 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F ....0... cifs..LO >+[1370] 43 41 4C 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 CALKTEST 6....0.. >+[1380] AA A0 03 02 01 17 A1 03 02 01 02 A2 82 03 9C 04 ........ ........ >+[1390] 82 03 98 66 D8 19 46 FA CB 73 2D CF 88 FD 4A EE ...f..F. .s-...J. >+[13A0] 07 48 DA 0E BC 58 30 43 40 A4 9C 00 0F 3B 17 C1 .H...X0C @....;.. >+[13B0] 2D F5 9C 3E D9 2F 1D CA 01 9B D7 2E EC D7 70 ED -..>./.. ......p. >+[13C0] 8B 8B 1B 5E F2 4E EE DD 0F C0 8D 61 E5 D7 0A 56 ...^.N.. ...a...V >+[13D0] 00 32 B1 DB 91 37 29 0F 2F 85 EE A8 43 BA A5 B8 .2...7). /...C... >+[13E0] D4 19 74 33 F0 69 52 E1 58 98 83 D6 16 0B 44 A9 ..t3.iR. X.....D. >+[13F0] 63 9B D4 4E 6E A7 3E CD 9A 96 4D C4 96 F5 07 6D c..Nn.>. ..M....m >+[1400] 29 B6 ED 2A 62 3D 53 22 33 D1 95 E9 DF 74 4C 2A )..*b=S" 3....tL* >+[1410] E2 29 AF 5B 69 B0 48 2D AD 94 FD A5 1D 54 D8 E2 .).[i.H- .....T.. >+[1420] 5E C1 68 6F BA 02 01 79 C3 C9 97 0B 76 66 45 E2 ^.ho...y ....vfE. >+[1430] 3B 10 17 95 40 46 E4 85 B9 87 BB CF CF 19 8C 3A ;...@F.. .......: >+[1440] C0 EA 38 3B B9 E9 4B 05 89 E5 27 8C 62 95 BC 0D ..8;..K. ..'.b... >+[1450] 65 F0 D2 C0 5E BC 65 01 D5 0B CB 17 31 0F 06 49 e...^.e. ....1..I >+[1460] 4F A2 4A 70 77 DB BD 92 5B 37 5C EC 06 DF C5 E2 O.Jpw... [7\..... 
>+[1470] 31 C8 40 09 11 68 14 E7 7D CE 54 4F 52 61 31 2C 1.@..h.. }.TORa1, >+[1480] 1C 53 52 DB BE D8 95 39 EE 7D C6 CE C8 22 95 92 .SR....9 .}...".. >+[1490] 97 97 3D 5E 66 0F AD DC C2 4E 2E 2B 9F 63 20 30 ..=^f... .N.+.c 0 >+[14A0] DF B7 C1 D4 65 AA 6F 2D 10 24 07 20 8D 88 6E 4B ....e.o- .$. ..nK >+[14B0] 09 04 31 B6 A3 EB F7 37 32 0E 0C 73 C6 F6 B8 4D ..1....7 2..s...M >+[14C0] D9 0C 4C 5B EC 10 6A 51 19 EA 3F FF 46 E7 73 16 ..L[..jQ ..?.F.s. >+[14D0] A7 1F 33 98 7C 9B AD 5A 23 A9 40 7C 0F DF EE 0F ..3.|..Z #.@|.... >+[14E0] AA C7 E8 63 07 98 3A 4A 0D 18 62 01 21 B2 AE A5 ...c..:J ..b.!... >+[14F0] 69 B0 C1 15 51 BA 97 D2 C5 42 5B C5 30 38 18 A9 i...Q... .B[.08.. >+[1500] 48 AB D7 FC A1 BC 9F 71 E7 EA 18 54 42 DA D6 A4 H......q ...TB... >+[1510] FC C1 DC F3 12 30 62 AC 98 E1 7D 2B 34 1E 52 4C .....0b. ..}+4.RL >+[1520] 26 67 32 D9 44 1A 08 27 0E DA D0 FC 84 66 35 81 &g2.D..' .....f5. >+[1530] D6 EB 98 46 6F 1E 47 E0 14 31 BE 47 80 65 AA 0B ...Fo.G. .1.G.e.. >+[1540] 20 D6 33 36 3B 0D 40 2F 5A 2E 0E 01 BE 00 EB 33 .36;.@/ Z......3 >+[1550] 3E 4B 32 91 F4 22 96 E5 5F D4 D5 92 94 CC 5B 59 >K2..".. _.....[Y >+[1560] 6A 3E D2 FB A0 4F 99 C4 07 8B 6F 2B 14 37 CD 37 j>...O.. ..o+.7.7 >+[1570] 44 C0 1F 80 9C 43 46 F2 5E F4 FE D3 39 70 61 BE D....CF. ^...9pa. >+[1580] 72 5B 3A 8F 37 95 78 1E AB D9 E7 E9 DA FC 47 09 r[:.7.x. ......G. >+[1590] 81 A0 0D 62 E1 F9 34 36 D1 DB E6 98 D8 F4 3E 77 ...b..46 ......>w >+[15A0] 5A 4D E2 5F 20 70 3D 3D 5B 34 D9 FD A8 31 F7 D9 ZM._ p== [4...1.. >+[15B0] 59 F7 A3 F0 66 F7 D9 AD 1C CD D5 85 33 A0 87 22 Y...f... ....3.." >+[15C0] 31 D4 F3 67 80 68 20 A2 90 72 7A 6F 64 FD 68 82 1..g.h . .rzod.h. >+[15D0] 9E 91 B8 E3 F7 6D 6C 38 74 F0 96 A2 F6 25 D7 92 .....ml8 t....%.. >+[15E0] 58 14 60 9F AE 01 4C 0C 09 67 3E 35 67 71 1E 2A X.`...L. .g>5gq.* >+[15F0] 86 21 D3 60 61 98 16 94 67 0B 52 76 63 93 BD A3 .!.`a... g.Rvc... >+[1600] 3B A9 F0 A2 6A B7 E6 0F 35 64 DA 6A EA 20 A6 3D ;...j... 5d.j. 
.= >+[1610] 94 71 59 5E CB B2 D3 F9 4D FE 1B 4B D8 64 C8 3B .qY^.... M..K.d.; >+[1620] 7A A8 E6 D2 D5 76 71 26 D4 5C DA 1A 55 17 F2 16 z....vq& .\..U... >+[1630] C9 2F 77 DB 95 19 48 A5 AC D0 C3 31 9C 0A CC 1B ./w...H. ...1.... >+[1640] 44 11 6B 7C 88 7A 5D CF 6E 12 DA EF C5 C7 34 1D D.k|.z]. n.....4. >+[1650] F4 CC EA 37 24 4B B3 0F C1 A3 F2 29 A0 D8 93 39 ...7$K.. ...)...9 >+[1660] C6 16 57 D5 BF 57 BF 6C 7E F7 90 E0 EB A3 8B 07 ..W..W.l ~....... >+[1670] 56 9C EC 15 3E 21 DA A5 7C 00 3C F9 D2 A7 1C 6F V...>!.. |.<....o >+[1680] 16 25 31 C5 28 A7 EA F3 47 31 50 DD E1 ED 0A 93 .%1.(... G1P..... >+[1690] DB 85 CC 6B 4B 2C 7F E8 F8 2D A9 6D 1D 0A 87 F2 ...kK,.. .-.m.... >+[16A0] 10 8C 82 2F 9B D4 9B 92 8C 77 40 50 42 1E 42 C4 .../.... .w@PB.B. >+[16B0] 0A 4F E3 6C 6C DC 81 C4 1E BB F0 7D CF 3C 73 22 .O.ll... ...}.<s" >+[16C0] 5B C3 1A 97 35 EE 3A CD 6D F3 68 A3 C5 65 7E E9 [...5.:. m.h..e~. >+[16D0] 54 C0 E3 7D 6A 32 4C D1 3E D0 78 4B BF 18 9F A5 T..}j2L. >.xK.... >+[16E0] 25 4A 92 1E 6C 8F 01 D6 59 D7 CF 2E A0 CC 98 F6 %J..l... Y....... >+[16F0] 75 28 2F F7 2A 70 28 A9 45 1F 75 C2 4E 62 ED D8 u(/.*p(. E.u.Nb.. >+[1700] C4 A0 8D 55 B2 84 1C A4 CE 87 EF 24 EE BC CE 40 ...U.... ...$...@ >+[1710] 09 EB 05 0B D1 14 31 50 32 2F B6 A8 97 17 4B A7 ......1P 2/....K. >+[1720] 95 01 50 6E 0E 23 49 9C 72 21 91 00 00 00 00 00 ..Pn.#I. r!...... >+[1730] 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 54 ........ ...KTEST >+[1740] 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 .SAMBA.E XAMPLE.C >+[1750] 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 61 OM....ad ministra >+[1760] 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 4B tor..... .......K >+[1770] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP >+[1780] 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 73 00 00 LE.COM.. ..cifs.. >+[1790] 00 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 00 17 00 ..LOCALK TEST6... 
>+[17A0] 00 00 10 1D C8 5E 46 48 82 F9 29 DB C6 A6 F1 72 .....^FH ..)....r >+[17B0] 6D 8D E9 4D 99 4F 6A 4D 99 85 09 7D 44 0B 68 00 m..M.OjM ...}D.h. >+[17C0] 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 00 ....@(.. ........ >+[17D0] 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 01 ....a... 0....... >+[17E0] 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA >+[17F0] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 1C .EXAMPLE .COM..0. >+[1800] A0 03 02 01 01 A1 15 30 13 1B 04 63 69 66 73 1B .......0 ...cifs. >+[1810] 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 A3 82 03 AE .LOCALKT EST6.... >+[1820] 30 82 03 AA A0 03 02 01 17 A1 03 02 01 02 A2 82 0....... ........ >+[1830] 03 9C 04 82 03 98 66 D8 19 46 FA CB 73 2D CF 88 ......f. .F..s-.. >+[1840] FD 4A EE 07 48 DA 0E BC 58 30 43 40 A4 9C 00 0F .J..H... X0C@.... >+[1850] 3B 17 C1 2D F5 9C 3E D9 2F 1D CA 01 9B D7 2E EC ;..-..>. /....... >+[1860] D7 70 ED 8B 8B 1B 5E F2 4E EE DD 0F C0 8D 61 E5 .p....^. N.....a. >+[1870] D7 0A 56 00 32 B1 DB 91 37 29 0F 2F 85 EE A8 43 ..V.2... 7)./...C >+[1880] BA A5 B8 D4 19 74 33 F0 69 52 E1 58 98 83 D6 16 .....t3. iR.X.... >+[1890] 0B 44 A9 63 9B D4 4E 6E A7 3E CD 9A 96 4D C4 96 .D.c..Nn .>...M.. >+[18A0] F5 07 6D 29 B6 ED 2A 62 3D 53 22 33 D1 95 E9 DF ..m)..*b =S"3.... >+[18B0] 74 4C 2A E2 29 AF 5B 69 B0 48 2D AD 94 FD A5 1D tL*.).[i .H-..... >+[18C0] 54 D8 E2 5E C1 68 6F BA 02 01 79 C3 C9 97 0B 76 T..^.ho. ..y....v >+[18D0] 66 45 E2 3B 10 17 95 40 46 E4 85 B9 87 BB CF CF fE.;...@ F....... >+[18E0] 19 8C 3A C0 EA 38 3B B9 E9 4B 05 89 E5 27 8C 62 ..:..8;. .K...'.b >+[18F0] 95 BC 0D 65 F0 D2 C0 5E BC 65 01 D5 0B CB 17 31 ...e...^ .e.....1 >+[1900] 0F 06 49 4F A2 4A 70 77 DB BD 92 5B 37 5C EC 06 ..IO.Jpw ...[7\.. >+[1910] DF C5 E2 31 C8 40 09 11 68 14 E7 7D CE 54 4F 52 ...1.@.. h..}.TOR >+[1920] 61 31 2C 1C 53 52 DB BE D8 95 39 EE 7D C6 CE C8 a1,.SR.. ..9.}... >+[1930] 22 95 92 97 97 3D 5E 66 0F AD DC C2 4E 2E 2B 9F "....=^f ....N.+. 
>+[1940] 63 20 30 DF B7 C1 D4 65 AA 6F 2D 10 24 07 20 8D c 0....e .o-.$. . >+[1950] 88 6E 4B 09 04 31 B6 A3 EB F7 37 32 0E 0C 73 C6 .nK..1.. ..72..s. >+[1960] F6 B8 4D D9 0C 4C 5B EC 10 6A 51 19 EA 3F FF 46 ..M..L[. .jQ..?.F >+[1970] E7 73 16 A7 1F 33 98 7C 9B AD 5A 23 A9 40 7C 0F .s...3.| ..Z#.@|. >+[1980] DF EE 0F AA C7 E8 63 07 98 3A 4A 0D 18 62 01 21 ......c. .:J..b.! >+[1990] B2 AE A5 69 B0 C1 15 51 BA 97 D2 C5 42 5B C5 30 ...i...Q ....B[.0 >+[19A0] 38 18 A9 48 AB D7 FC A1 BC 9F 71 E7 EA 18 54 42 8..H.... ..q...TB >+[19B0] DA D6 A4 FC C1 DC F3 12 30 62 AC 98 E1 7D 2B 34 ........ 0b...}+4 >+[19C0] 1E 52 4C 26 67 32 D9 44 1A 08 27 0E DA D0 FC 84 .RL&g2.D ..'..... >+[19D0] 66 35 81 D6 EB 98 46 6F 1E 47 E0 14 31 BE 47 80 f5....Fo .G..1.G. >+[19E0] 65 AA 0B 20 D6 33 36 3B 0D 40 2F 5A 2E 0E 01 BE e.. .36; .@/Z.... >+[19F0] 00 EB 33 3E 4B 32 91 F4 22 96 E5 5F D4 D5 92 94 ..3>K2.. ".._.... >+[1A00] CC 5B 59 6A 3E D2 FB A0 4F 99 C4 07 8B 6F 2B 14 .[Yj>... O....o+. >+[1A10] 37 CD 37 44 C0 1F 80 9C 43 46 F2 5E F4 FE D3 39 7.7D.... CF.^...9 >+[1A20] 70 61 BE 72 5B 3A 8F 37 95 78 1E AB D9 E7 E9 DA pa.r[:.7 .x...... >+[1A30] FC 47 09 81 A0 0D 62 E1 F9 34 36 D1 DB E6 98 D8 .G....b. .46..... >+[1A40] F4 3E 77 5A 4D E2 5F 20 70 3D 3D 5B 34 D9 FD A8 .>wZM._ p==[4... >+[1A50] 31 F7 D9 59 F7 A3 F0 66 F7 D9 AD 1C CD D5 85 33 1..Y...f .......3 >+[1A60] A0 87 22 31 D4 F3 67 80 68 20 A2 90 72 7A 6F 64 .."1..g. h ..rzod >+[1A70] FD 68 82 9E 91 B8 E3 F7 6D 6C 38 74 F0 96 A2 F6 .h...... ml8t.... >+[1A80] 25 D7 92 58 14 60 9F AE 01 4C 0C 09 67 3E 35 67 %..X.`.. .L..g>5g >+[1A90] 71 1E 2A 86 21 D3 60 61 98 16 94 67 0B 52 76 63 q.*.!.`a ...g.Rvc >+[1AA0] 93 BD A3 3B A9 F0 A2 6A B7 E6 0F 35 64 DA 6A EA ...;...j ...5d.j. >+[1AB0] 20 A6 3D 94 71 59 5E CB B2 D3 F9 4D FE 1B 4B D8 .=.qY^. ...M..K. >+[1AC0] 64 C8 3B 7A A8 E6 D2 D5 76 71 26 D4 5C DA 1A 55 d.;z.... vq&.\..U >+[1AD0] 17 F2 16 C9 2F 77 DB 95 19 48 A5 AC D0 C3 31 9C ..../w.. .H....1. 
>+[1AE0] 0A CC 1B 44 11 6B 7C 88 7A 5D CF 6E 12 DA EF C5 ...D.k|. z].n.... >+[1AF0] C7 34 1D F4 CC EA 37 24 4B B3 0F C1 A3 F2 29 A0 .4....7$ K.....). >+[1B00] D8 93 39 C6 16 57 D5 BF 57 BF 6C 7E F7 90 E0 EB ..9..W.. W.l~.... >+[1B10] A3 8B 07 56 9C EC 15 3E 21 DA A5 7C 00 3C F9 D2 ...V...> !..|.<.. >+[1B20] A7 1C 6F 16 25 31 C5 28 A7 EA F3 47 31 50 DD E1 ..o.%1.( ...G1P.. >+[1B30] ED 0A 93 DB 85 CC 6B 4B 2C 7F E8 F8 2D A9 6D 1D ......kK ,...-.m. >+[1B40] 0A 87 F2 10 8C 82 2F 9B D4 9B 92 8C 77 40 50 42 ....../. ....w@PB >+[1B50] 1E 42 C4 0A 4F E3 6C 6C DC 81 C4 1E BB F0 7D CF .B..O.ll ......}. >+[1B60] 3C 73 22 5B C3 1A 97 35 EE 3A CD 6D F3 68 A3 C5 <s"[...5 .:.m.h.. >+[1B70] 65 7E E9 54 C0 E3 7D 6A 32 4C D1 3E D0 78 4B BF e~.T..}j 2L.>.xK. >+[1B80] 18 9F A5 25 4A 92 1E 6C 8F 01 D6 59 D7 CF 2E A0 ...%J..l ...Y.... >+[1B90] CC 98 F6 75 28 2F F7 2A 70 28 A9 45 1F 75 C2 4E ...u(/.* p(.E.u.N >+[1BA0] 62 ED D8 C4 A0 8D 55 B2 84 1C A4 CE 87 EF 24 EE b.....U. ......$. >+[1BB0] BC CE 40 09 EB 05 0B D1 14 31 50 32 2F B6 A8 97 ..@..... .1P2/... >+[1BC0] 17 4B A7 95 01 50 6E 0E 23 49 9C 72 21 91 00 00 .K...Pn. #I.r!... >+[1BD0] 00 00 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 ........ ......KT >+[1BE0] 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C EST.SAMB A.EXAMPL >+[1BF0] 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 E.COM... .adminis >+[1C00] 74 72 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 trator.. ........ >+[1C10] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX >+[1C20] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 AMPLE.CO M....cif >+[1C30] 73 00 00 00 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 s....LOC ALKTEST6 >+[1C40] 00 17 00 00 00 10 1D C8 5E 46 48 82 F9 29 DB C6 ........ ^FH..).. >+[1C50] A6 F1 72 6D 8D E9 4D 99 4F 6A 4D 99 85 09 7D 44 ..rm..M. OjM...}D >+[1C60] 0B 68 00 00 00 00 00 40 28 00 00 00 00 00 00 00 .h.....@ (....... >+[1C70] 00 00 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 .......a ...0.... 
>+[1C80] 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA >+[1C90] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 MBA.EXAM PLE.COM. >+[1CA0] 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 69 .0...... ..0...ci >+[1CB0] 66 73 1B 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 A3 fs..LOCA LKTEST6. >+[1CC0] 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 ...0.... ........ >+[1CD0] 02 A2 82 03 9C 04 82 03 98 66 D8 19 46 FA CB 73 ........ .f..F..s >+[1CE0] 2D CF 88 FD 4A EE 07 48 DA 0E BC 58 30 43 40 A4 -...J..H ...X0C@. >+[1CF0] 9C 00 0F 3B 17 C1 2D F5 9C 3E D9 2F 1D CA 01 9B ...;..-. .>./.... >+[1D00] D7 2E EC D7 70 ED 8B 8B 1B 5E F2 4E EE DD 0F C0 ....p... .^.N.... >+[1D10] 8D 61 E5 D7 0A 56 00 32 B1 DB 91 37 29 0F 2F 85 .a...V.2 ...7)./. >+[1D20] EE A8 43 BA A5 B8 D4 19 74 33 F0 69 52 E1 58 98 ..C..... t3.iR.X. >+[1D30] 83 D6 16 0B 44 A9 63 9B D4 4E 6E A7 3E CD 9A 96 ....D.c. .Nn.>... >+[1D40] 4D C4 96 F5 07 6D 29 B6 ED 2A 62 3D 53 22 33 D1 M....m). .*b=S"3. >+[1D50] 95 E9 DF 74 4C 2A E2 29 AF 5B 69 B0 48 2D AD 94 ...tL*.) .[i.H-.. >+[1D60] FD A5 1D 54 D8 E2 5E C1 68 6F BA 02 01 79 C3 C9 ...T..^. ho...y.. >+[1D70] 97 0B 76 66 45 E2 3B 10 17 95 40 46 E4 85 B9 87 ..vfE.;. ..@F.... >+[1D80] BB CF CF 19 8C 3A C0 EA 38 3B B9 E9 4B 05 89 E5 .....:.. 8;..K... >+[1D90] 27 8C 62 95 BC 0D 65 F0 D2 C0 5E BC 65 01 D5 0B '.b...e. ..^.e... >+[1DA0] CB 17 31 0F 06 49 4F A2 4A 70 77 DB BD 92 5B 37 ..1..IO. Jpw...[7 >+[1DB0] 5C EC 06 DF C5 E2 31 C8 40 09 11 68 14 E7 7D CE \.....1. @..h..}. >+[1DC0] 54 4F 52 61 31 2C 1C 53 52 DB BE D8 95 39 EE 7D TORa1,.S R....9.} >+[1DD0] C6 CE C8 22 95 92 97 97 3D 5E 66 0F AD DC C2 4E ...".... =^f....N >+[1DE0] 2E 2B 9F 63 20 30 DF B7 C1 D4 65 AA 6F 2D 10 24 .+.c 0.. ..e.o-.$ >+[1DF0] 07 20 8D 88 6E 4B 09 04 31 B6 A3 EB F7 37 32 0E . ..nK.. 1....72. >+[1E00] 0C 73 C6 F6 B8 4D D9 0C 4C 5B EC 10 6A 51 19 EA .s...M.. L[..jQ.. >+[1E10] 3F FF 46 E7 73 16 A7 1F 33 98 7C 9B AD 5A 23 A9 ?.F.s... 3.|..Z#. 
>+[1E20] 40 7C 0F DF EE 0F AA C7 E8 63 07 98 3A 4A 0D 18 @|...... .c..:J.. >+[1E30] 62 01 21 B2 AE A5 69 B0 C1 15 51 BA 97 D2 C5 42 b.!...i. ..Q....B >+[1E40] 5B C5 30 38 18 A9 48 AB D7 FC A1 BC 9F 71 E7 EA [.08..H. .....q.. >+[1E50] 18 54 42 DA D6 A4 FC C1 DC F3 12 30 62 AC 98 E1 .TB..... ...0b... >+[1E60] 7D 2B 34 1E 52 4C 26 67 32 D9 44 1A 08 27 0E DA }+4.RL&g 2.D..'.. >+[1E70] D0 FC 84 66 35 81 D6 EB 98 46 6F 1E 47 E0 14 31 ...f5... .Fo.G..1 >+[1E80] BE 47 80 65 AA 0B 20 D6 33 36 3B 0D 40 2F 5A 2E .G.e.. . 36;.@/Z. >+[1E90] 0E 01 BE 00 EB 33 3E 4B 32 91 F4 22 96 E5 5F D4 .....3>K 2..".._. >+[1EA0] D5 92 94 CC 5B 59 6A 3E D2 FB A0 4F 99 C4 07 8B ....[Yj> ...O.... >+[1EB0] 6F 2B 14 37 CD 37 44 C0 1F 80 9C 43 46 F2 5E F4 o+.7.7D. ...CF.^. >+[1EC0] FE D3 39 70 61 BE 72 5B 3A 8F 37 95 78 1E AB D9 ..9pa.r[ :.7.x... >+[1ED0] E7 E9 DA FC 47 09 81 A0 0D 62 E1 F9 34 36 D1 DB ....G... .b..46.. >+[1EE0] E6 98 D8 F4 3E 77 5A 4D E2 5F 20 70 3D 3D 5B 34 ....>wZM ._ p==[4 >+[1EF0] D9 FD A8 31 F7 D9 59 F7 A3 F0 66 F7 D9 AD 1C CD ...1..Y. ..f..... >+[1F00] D5 85 33 A0 87 22 31 D4 F3 67 80 68 20 A2 90 72 ..3.."1. .g.h ..r >+[1F10] 7A 6F 64 FD 68 82 9E 91 B8 E3 F7 6D 6C 38 74 F0 zod.h... ...ml8t. >+[1F20] 96 A2 F6 25 D7 92 58 14 60 9F AE 01 4C 0C 09 67 ...%..X. `...L..g >+[1F30] 3E 35 67 71 1E 2A 86 21 D3 60 61 98 16 94 67 0B >5gq.*.! .`a...g. >+[1F40] 52 76 63 93 BD A3 3B A9 F0 A2 6A B7 E6 0F 35 64 Rvc...;. ..j...5d >+[1F50] DA 6A EA 20 A6 3D 94 71 59 5E CB B2 D3 F9 4D FE .j. .=.q Y^....M. >+[1F60] 1B 4B D8 64 C8 3B 7A A8 E6 D2 D5 76 71 26 D4 5C .K.d.;z. ...vq&.\ >+[1F70] DA 1A 55 17 F2 16 C9 2F 77 DB 95 19 48 A5 AC D0 ..U..../ w...H... >+[1F80] C3 31 9C 0A CC 1B 44 11 6B 7C 88 7A 5D CF 6E 12 .1....D. k|.z].n. >+[1F90] DA EF C5 C7 34 1D F4 CC EA 37 24 4B B3 0F C1 A3 ....4... .7$K.... >+[1FA0] F2 29 A0 D8 93 39 C6 16 57 D5 BF 57 BF 6C 7E F7 .)...9.. W..W.l~. >+[1FB0] 90 E0 EB A3 8B 07 56 9C EC 15 3E 21 DA A5 7C 00 ......V. ..>!..|. 
>+[1FC0] 3C F9 D2 A7 1C 6F 16 25 31 C5 28 A7 EA F3 47 31 <....o.% 1.(...G1 >+[1FD0] 50 DD E1 ED 0A 93 DB 85 CC 6B 4B 2C 7F E8 F8 2D P....... .kK,...- >+[1FE0] A9 6D 1D 0A 87 F2 10 8C 82 2F 9B D4 9B 92 8C 77 .m...... ./.....w >+[1FF0] 40 50 42 1E 42 C4 0A 4F E3 6C 6C DC 81 C4 1E BB @PB.B..O .ll..... >+[2000] F0 7D CF 3C 73 22 5B C3 1A 97 35 EE 3A CD 6D F3 .}.<s"[. ..5.:.m. >+[2010] 68 A3 C5 65 7E E9 54 C0 E3 7D 6A 32 4C D1 3E D0 h..e~.T. .}j2L.>. >+[2020] 78 4B BF 18 9F A5 25 4A 92 1E 6C 8F 01 D6 59 D7 xK....%J ..l...Y. >+[2030] CF 2E A0 CC 98 F6 75 28 2F F7 2A 70 28 A9 45 1F ......u( /.*p(.E. >+[2040] 75 C2 4E 62 ED D8 C4 A0 8D 55 B2 84 1C A4 CE 87 u.Nb.... .U...... >+[2050] EF 24 EE BC CE 40 09 EB 05 0B D1 14 31 50 32 2F .$...@.. ....1P2/ >+[2060] B6 A8 97 17 4B A7 95 01 50 6E 0E 23 49 9C 72 21 ....K... Pn.#I.r! >+[2070] 91 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 ........ ........ >+[2080] 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 .KTEST.S AMBA.EXA >+[2090] 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 MPLE.COM ....admi >+[20A0] 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 00 nistrato r....... >+[20B0] 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA >+[20C0] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 .EXAMPLE .COM.... >+[20D0] 68 6F 73 74 00 00 00 0B 6C 6F 63 61 6C 6B 74 65 host.... localkte >+[20E0] 73 74 36 00 17 00 00 00 10 72 47 04 38 B6 E6 F0 st6..... .rG.8... >+[20F0] 44 9E 9F 27 66 E1 69 9C 9A 4D 99 4F 6A 4D 99 90 D..'f.i. .M.OjM.. >+[2100] F5 7D 44 0B 68 00 00 00 00 00 40 28 00 00 00 00 .}D.h... ..@(.... >+[2110] 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 82 ........ ..a...0. >+[2120] 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 ........ ...KTEST >+[2130] 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 .SAMBA.E XAMPLE.C >+[2140] 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B OM..0... .....0.. 
>+[2150] 04 68 6F 73 74 1B 0B 6C 6F 63 61 6C 6B 74 65 73 .host..l ocalktes >+[2160] 74 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 t6....0. ........ >+[2170] 03 02 01 02 A2 82 03 9C 04 82 03 98 58 95 95 EB ........ ....X... >+[2180] CB 8F 68 D4 77 43 0F 3B 44 B4 15 DA 40 6D FD E9 ..h.wC.; D...@m.. >+[2190] 85 D3 2F CD B5 1E 96 CD F6 E9 67 91 36 08 9E B4 ../..... ..g.6... >+[21A0] B3 47 70 7A B3 4E 82 5A 4F 8E 4B F5 8D 04 E4 5C .Gpz.N.Z O.K....\ >+[21B0] C4 D8 0C AF 08 25 F9 C1 64 B2 3A 35 26 E9 B2 72 .....%.. d.:5&..r >+[21C0] 66 B5 E9 81 FC BE 12 1B CC 8A A5 82 31 F6 7F C3 f....... ....1... >+[21D0] 5A 19 A3 31 F2 99 14 1E 64 E4 41 E8 C7 C3 F3 DF Z..1.... d.A..... >+[21E0] F5 65 7D B0 9F DC 5D 25 1D 1A A8 EA AA 88 6D F4 .e}...]% ......m. >+[21F0] 7C 25 9F 53 F6 A6 8F B1 24 AF 98 FE 53 7B 35 3C |%.S.... $...S{5< >+[2200] DB EC 7F 09 74 E9 C4 8D 20 B4 47 08 0E 32 B8 C9 ....t... .G..2.. >+[2210] 45 27 12 F9 8E F5 D6 C2 DD 1A 96 0E 68 5F 39 65 E'...... ....h_9e >+[2220] 72 C7 BD 8E 04 0E 13 E1 03 27 AC 50 80 76 E6 7A r....... .'.P.v.z >+[2230] 8E F4 C2 72 4F 68 B3 34 00 A9 54 41 DA FD 96 94 ...rOh.4 ..TA.... >+[2240] 29 A1 59 15 2F DB 6C 94 85 49 C5 D0 6D 48 B0 C4 ).Y./.l. .I..mH.. >+[2250] 65 D0 95 1D DB 3D 25 D0 75 50 D4 CF FA 2F 71 57 e....=%. uP.../qW >+[2260] BD 6C 1C 59 E1 C3 5B C7 24 95 FF B0 20 EF 6A DB .l.Y..[. $... .j. >+[2270] 79 87 67 91 94 E9 16 E2 BB 74 7A 08 E1 6A 36 5F y.g..... .tz..j6_ >+[2280] DF 11 AB 35 9B 3E 32 48 83 89 41 4E 06 BF F9 BB ...5.>2H ..AN.... >+[2290] EC E4 D7 6D 77 C4 55 22 DF F7 91 4D CB C5 01 A5 ...mw.U" ...M.... >+[22A0] BA 2D 1E 92 76 04 E8 02 2F 5E AF 1C B3 B7 A6 FB .-..v... /^...... >+[22B0] 3A 9F D9 7C 6D DA B4 8F 31 00 A5 30 F2 76 72 9B :..|m... 1..0.vr. >+[22C0] 62 97 E0 56 E5 E4 C7 6B 8B FC 84 75 57 66 6E D7 b..V...k ...uWfn. >+[22D0] B7 41 6F 61 F4 5B 0F 87 68 F6 54 02 26 1B 1F B7 .Aoa.[.. h.T.&... >+[22E0] 60 D6 E7 FA 4F C7 DB 35 58 EC 13 21 D4 C6 A1 27 `...O..5 X..!...' 
>+[22F0] BA E7 82 DF 29 FB 9D 5D E8 35 28 C9 9C 4E D7 BE ....)..] .5(..N.. >+[2300] 2F 6D F1 E8 0B 5A 74 C9 93 9F AD 42 24 4B B7 3B /m...Zt. ...B$K.; >+[2310] 38 2A 11 CF F0 BD 85 40 48 D8 9D E7 6B 65 70 42 8*.....@ H...kepB >+[2320] 60 DA 9B 65 CB C8 C5 D7 40 3A 12 DC 64 AF 82 54 `..e.... @:..d..T >+[2330] 34 05 38 4F C6 FB 38 E2 73 A9 89 B7 FC 33 15 85 4.8O..8. s....3.. >+[2340] 9E CA E9 E0 89 18 18 84 02 65 B4 74 5B D4 A1 6F ........ .e.t[..o >+[2350] 5F 79 20 CB D7 36 C8 6D 5B 1E 5E 0C 82 16 9F CC _y ..6.m [.^..... >+[2360] 5A 1E 57 C1 B6 94 51 87 A1 3D 12 D4 8B FE 0F 93 Z.W...Q. .=...... >+[2370] ED 53 A3 F4 88 3C 35 05 89 FE AF 0B 36 62 E3 2F .S...<5. ....6b./ >+[2380] 5C 4A 0E 07 67 39 A3 8E C0 45 07 7F 73 32 BC DE \J..g9.. .E..s2.. >+[2390] 2D 00 8B 47 79 3D 1C A1 90 AE B6 8F 83 B2 1B 31 -..Gy=.. .......1 >+[23A0] EE E4 F2 C5 C1 4A E2 4A 2F 28 F0 AA 19 43 6A 14 .....J.J /(...Cj. >+[23B0] B1 42 61 90 34 2E EE 3D 16 9F 5D 9F 7A A2 01 7A .Ba.4..= ..].z..z >+[23C0] 4B 96 FA 4D C9 85 1A 75 27 B7 6B FD 4D 7D 9C 65 K..M...u '.k.M}.e >+[23D0] 97 DB 05 CC 76 68 EA 05 5D 5D BB BD 51 4B 5B F2 ....vh.. ]]..QK[. >+[23E0] 48 59 BD 1E AD 56 D4 69 A5 75 CD ED EC B1 3E AB HY...V.i .u....>. >+[23F0] FA B7 F8 8D 4F BE 95 63 38 1C 4C 70 26 C4 3A 21 ....O..c 8.Lp&.:! >+[2400] 80 61 05 3A D4 E2 28 2C 85 01 5A DA FC 10 60 F3 .a.:..(, ..Z...`. >+[2410] 74 0C FD DB 2F 5B 25 4B 14 E4 7D 8A DB 85 12 D2 t.../[%K ..}..... >+[2420] D7 69 CD B5 B1 93 CE E5 E6 4D 57 D3 C2 D3 2E A0 .i...... .MW..... >+[2430] 08 37 09 CD 19 99 09 FA 33 68 4A E0 92 46 21 0C .7...... 3hJ..F!. >+[2440] 99 9F DA 05 15 20 8B 3D 7C 7B CA D6 81 AC AA 83 ..... .= |{...... >+[2450] 48 C8 24 4C C8 FC A5 14 2C BC 49 1A 1C 49 61 1D H.$L.... ,.I..Ia. >+[2460] 24 86 42 B1 37 6A C8 3A AC 18 CC C0 50 84 12 48 $.B.7j.: ....P..H >+[2470] 8B 29 0A 49 26 A4 E2 B9 E5 96 E7 37 C3 DE 4C 23 .).I&... 
...7..L# >+[2480] D2 D4 62 14 8F 1E 72 39 CF 03 BC A3 00 C7 63 51 ..b...r9 ......cQ >+[2490] A9 6B E4 3E B2 65 A1 A2 BB EC 06 41 85 50 22 02 .k.>.e.. ...A.P". >+[24A0] 46 2F 72 2B 32 1A A4 2D 85 94 02 47 69 8D AD 6D F/r+2..- ...Gi..m >+[24B0] 66 AB D4 E4 29 C8 C7 DA F4 18 31 2A DF 50 6A 05 f...)... ..1*.Pj. >+[24C0] D6 47 26 C4 F9 87 0F 35 24 6E 72 D6 23 7D 3A 94 .G&....5 $nr.#}:. >+[24D0] 14 8D E8 57 AA BA D7 CF A9 2D E7 4C 10 7C D8 0D ...W.... .-.L.|.. >+[24E0] 51 30 1F E1 FB E5 E2 6C EE AA 65 2F D8 22 05 67 Q0.....l ..e/.".g >+[24F0] 87 4D 4D D2 11 3D B4 1E AA 20 3F 76 E3 94 93 6D .MM..=.. . ?v...m >+[2500] AC 10 05 AF 09 BD 67 86 C5 83 93 D6 1C D3 81 D9 ......g. ........ >+[2510] B1 3B E1 76 00 00 00 00 00 00 00 01 00 00 00 01 .;.v.... ........ >+[2520] 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E ....KTES T.SAMBA. >+[2530] 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 EXAMPLE. COM....a >+[2540] 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 dministr ator.... >+[2550] 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA >+[2560] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 MBA.EXAM PLE.COM. >+[2570] 00 00 04 68 6F 73 74 00 00 00 0B 4C 4F 43 41 4C ...host. ...LOCAL >+[2580] 4B 54 45 53 54 36 00 17 00 00 00 10 55 6E 3E FC KTEST6.. ....Un>. >+[2590] E2 F4 40 51 19 E6 6E EB 23 4C 48 8E 4D 99 4F 6A ..@Q..n. #LH.M.Oj >+[25A0] 4D 99 90 FC 7D 44 0B 68 00 00 00 00 00 40 28 00 M...}D.h .....@(. >+[25B0] 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 ........ .....a.. >+[25C0] F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 .0...... ......KT >+[25D0] 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C EST.SAMB A.EXAMPL >+[25E0] 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 E.COM..0 ........ >+[25F0] 30 13 1B 04 68 6F 73 74 1B 0B 4C 4F 43 41 4C 4B 0...host ..LOCALK >+[2600] 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 02 TEST6... .0...... >+[2610] 01 17 A1 03 02 01 02 A2 82 03 9C 04 82 03 98 6E ........ 
.......n >+[2620] 87 B7 7B 3A 7E EF 4A 1B 29 C9 E3 C4 1F 42 4F 0E ..{:~.J. )....BO. >+[2630] C8 AC AC 4E A2 77 1D DA 93 37 F1 AF DA A3 75 2D ...N.w.. .7....u- >+[2640] 12 8B 40 34 23 0E 8E A9 90 58 46 42 42 39 31 D6 ..@4#... .XFBB91. >+[2650] 03 9E 5D 81 D9 E8 F6 08 2B D9 96 88 8A 2F F1 CC ..]..... +..../.. >+[2660] F2 EA 9E 9A 4B 31 B6 04 2D 3D 4C 7F 92 DE 3B 04 ....K1.. -=L...;. >+[2670] 19 EE 28 D0 83 81 C3 46 CD 74 23 4C 14 34 DE 62 ..(....F .t#L.4.b >+[2680] 0A AC E5 12 16 75 E9 A8 4B 32 78 CC 8D AE A2 E5 .....u.. K2x..... >+[2690] 6D E8 09 70 76 52 F5 E5 18 F7 E7 91 15 6A 69 AB m..pvR.. .....ji. >+[26A0] B8 62 DD 80 F5 28 6D DF ED 10 DA AC FB 92 27 CF .b...(m. ......'. >+[26B0] 98 B5 77 9D A5 96 E6 9A CC B9 C3 91 78 22 35 9C ..w..... ....x"5. >+[26C0] A1 13 A3 20 28 D1 16 E5 3E 4A 85 1E 12 0B CA 4D ... (... >J.....M >+[26D0] C6 C8 03 C8 28 2C D8 29 5D 9A 76 4A 92 13 43 56 ....(,.) ].vJ..CV >+[26E0] AF F7 C1 71 25 72 5C 38 75 1C 07 F1 5E 86 05 72 ...q%r\8 u...^..r >+[26F0] 6F 69 95 42 B6 F2 DA A9 91 06 9F B9 54 20 33 A5 oi.B.... ....T 3. >+[2700] 31 60 3B 54 DC 3A 95 34 96 26 07 52 6B 0E 1D 3B 1`;T.:.4 .&.Rk..; >+[2710] D9 F8 48 20 AC CD 05 3B 99 F8 EE DB 83 28 CD C7 ..H ...; .....(.. >+[2720] 2F 45 00 7E 2F 0A 65 7A D1 9E 95 4B EE C3 34 93 /E.~/.ez ...K..4. >+[2730] A8 C7 DF 03 8B 14 D0 FC CE 56 90 AC EE 93 C5 D3 ........ .V...... >+[2740] F7 12 24 69 0B 20 8D A2 65 87 55 26 2A F9 9A 88 ..$i. .. e.U&*... >+[2750] D7 0D 86 61 D6 92 B6 FE E5 D1 66 F9 1F 9D F4 04 ...a.... ..f..... >+[2760] 48 A6 39 BC 54 20 EA 10 21 E9 6D 30 46 1D C2 1C H.9.T .. !.m0F... >+[2770] A4 E8 B4 63 85 37 27 25 80 52 41 60 C7 A1 32 21 ...c.7'% .RA`..2! >+[2780] 43 90 02 E6 5F 5A E9 4E AF F9 B5 13 BD 42 BD A3 C..._Z.N .....B.. >+[2790] A5 4D 10 45 83 4D 92 18 1F C9 CF FB 84 29 89 23 .M.E.M.. .....).# >+[27A0] AC 71 4B 89 1B 52 E5 06 8C 3E 7C 88 CB D3 B3 CF .qK..R.. .>|..... >+[27B0] B9 7A 67 D6 24 F4 AC 00 A6 AD 91 30 9A 95 53 F1 .zg.$... ...0..S. 
>+[27C0] 48 06 A6 39 DB CF DC 9D C9 55 76 26 5E C1 DB 5D H..9.... .Uv&^..] >+[27D0] B3 5B 3E AE 1A A0 10 BA 82 21 83 44 02 E0 99 33 .[>..... .!.D...3 >+[27E0] 40 BA 29 9E 28 E5 73 4C 23 94 A2 4F BF 07 ED 4F @.).(.sL #..O...O >+[27F0] 7C 45 9B 30 C8 41 6B 0A 55 13 6E F5 AD 7A 0C B2 |E.0.Ak. U.n..z.. >+[2800] EA FF D0 06 13 4D F3 24 82 7F F6 51 2F 4A 4F 0D .....M.$ ...Q/JO. >+[2810] 37 F8 14 6B E9 E4 82 BB 3A 75 63 63 12 E8 78 6F 7..k.... :ucc..xo >+[2820] 6F FC 6C D3 4B A6 F1 CC 2A F1 7D EB 82 26 2F D0 o.l.K... *.}..&/. >+[2830] A1 8B 3E 9A 71 D7 91 D3 08 E6 FD 62 1B 84 13 2D ..>.q... ...b...- >+[2840] 8E A0 A0 C3 85 78 2F 0D F8 E7 10 FC CB 05 A7 B9 .....x/. ........ >+[2850] 9A 33 90 B5 9B 26 E3 23 98 B0 91 4B EB 32 37 D6 .3...&.# ...K.27. >+[2860] F4 ED 61 08 D8 75 CC 03 83 2C 3C CF 21 63 9C F6 ..a..u.. .,<.!c.. >+[2870] AF 5B 4F 12 07 74 17 CD 98 BB E7 5E C7 17 2D C4 .[O..t.. ...^..-. >+[2880] 87 A4 74 6D 5E CE DB A3 01 B9 AD 20 73 38 78 22 ..tm^... ... s8x" >+[2890] 3D 45 F5 51 77 C6 47 63 45 61 81 D9 FF 31 90 C4 =E.Qw.Gc Ea...1.. >+[28A0] 6F 5A F8 FE 6A 56 5B D4 EE EC 49 C7 A7 51 AE 5C oZ..jV[. ..I..Q.\ >+[28B0] 85 53 70 3D 1A 49 83 59 CF 65 58 B3 48 7E 04 9E .Sp=.I.Y .eX.H~.. >+[28C0] C7 64 8A 05 73 E3 DC 1A 65 5D 4F 41 01 56 73 90 .d..s... e]OA.Vs. >+[28D0] 61 F3 84 1F FF CF 46 B2 06 46 56 97 93 B9 DB 32 a.....F. .FV....2 >+[28E0] 2A 64 8A 48 02 05 84 E9 FA 76 8B 94 96 89 A0 73 *d.H.... .v.....s >+[28F0] 20 75 4D 52 1D 23 13 D1 83 D7 5D 59 23 6A 87 C1 uMR.#.. ..]Y#j.. >+[2900] 09 3E 01 3A 28 65 42 8C 35 F1 91 EA 6A 1F 83 0D .>.:(eB. 5...j... >+[2910] 8F 57 69 81 D4 A2 D2 EA 0C BF AF 95 A3 F4 90 15 .Wi..... ........ >+[2920] 61 34 F2 6C 8B D0 DA B5 1E 43 AC CE C7 8A 1B 2B a4.l.... .C.....+ >+[2930] 29 2B 89 1C C5 53 C8 04 F7 1E 46 72 F3 A8 CE F7 )+...S.. ..Fr.... >+[2940] 59 76 55 E7 53 1C A2 9F D8 23 F7 EA 71 B0 74 83 YvU.S... .#..q.t. >+[2950] 71 95 3E DC A6 FA 2D A4 42 13 93 8B 2B FA A2 70 q.>...-. 
B...+..p >+[2960] 25 21 2D F6 E1 26 56 DF 58 79 25 16 E8 C9 03 EC %!-..&V. Xy%..... >+[2970] 72 5F 35 CF 59 6B E1 AD 85 85 7B AB 78 F2 0D AC r_5.Yk.. ..{.x... >+[2980] AB 89 F2 DA 85 E7 DE 09 77 99 EC 7C F3 97 1F 71 ........ w..|...q >+[2990] 3C DB 09 44 7A 3C 69 E5 03 B0 6D 4D 3B 6B 4C D5 <..Dz<i. ..mM;kL. >+[29A0] AB 52 2F 6F 81 2B 51 5B D2 66 44 1E B7 66 5D 7F .R/o.+Q[ .fD..f]. >+[29B0] 09 6A 92 27 27 62 08 00 00 00 00 .j.''b.. ... >+push returned Success >+pull returned Success >+ CCACHE: struct CCACHE >+ pvno : 0x05 (5) >+ version : 0x04 (4) >+ optional_header : union OPTIONAL_HEADER(case 0x4) >+ v4header: struct V4HEADER >+ v4tags: struct V4TAGS >+ tag: struct V4TAG >+ tag : 0x0001 (1) >+ field : union FIELD(case 0x1) >+ deltatime_tag: struct DELTATIME_TAG >+ kdc_sec_offset : 0 >+ kdc_usec_offset : 0 >+ further_tags : DATA_BLOB length=0 >+ principal: struct PRINCIPAL >+ name_type : 0x00000001 (1) >+ component_count : 0x00000001 (1) >+ realm : 'KTEST.SAMBA.EXAMPLE.COM' >+ components: ARRAY(1) >+ components : 'administrator' >+ cred: struct CREDENTIAL >+ client: struct PRINCIPAL >+ name_type : 0x00000001 (1) >+ component_count : 0x00000001 (1) >+ realm : 'KTEST.SAMBA.EXAMPLE.COM' >+ components: ARRAY(1) >+ components : 'administrator' >+ server: struct PRINCIPAL >+ name_type : 0x00000000 (0) >+ component_count : 0x00000002 (2) >+ realm : 'KTEST.SAMBA.EXAMPLE.COM' >+ components: ARRAY(2) >+ components : 'krbtgt' >+ components : 'KTEST.SAMBA.EXAMPLE.COM' >+ keyblock: struct KEYBLOCK >+ enctype : 0x0017 (23) >+ data : DATA_BLOB length=16 >+[0000] 8B 94 0B 31 51 5B F7 A7 15 E9 EE D7 D7 0C 8C 90 ...1Q[.. ........ 
>+ authtime : 0x4d994f6a (1301892970) >+ starttime : 0x4d994f6a (1301892970) >+ endtime : 0x7d440b68 (2101611368) >+ renew_till : 0x7d440b68 (2101611368) >+ is_skey : 0x00 (0) >+ ticket_flags : 0x40e00000 (1088421888) >+ addresses: struct ADDRESSES >+ count : 0x00000000 (0) >+ data: ARRAY(0) >+ authdata: struct AUTHDATA >+ count : 0x00000000 (0) >+ data: ARRAY(0) >+ ticket : DATA_BLOB length=1032 >+[0000] 61 82 04 04 30 82 04 00 A0 03 02 01 05 A1 19 1B a...0... ........ >+[0010] 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 .KTEST.S AMBA.EXA >+[0020] 4D 50 4C 45 2E 43 4F 4D A2 2C 30 2A A0 03 02 01 MPLE.COM .,0*.... >+[0030] 00 A1 23 30 21 1B 06 6B 72 62 74 67 74 1B 17 4B ..#0!..k rbtgt..K >+[0040] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP >+[0050] 4C 45 2E 43 4F 4D A3 82 03 AE 30 82 03 AA A0 03 LE.COM.. ..0..... >+[0060] 02 01 17 A1 03 02 01 01 A2 82 03 9C 04 82 03 98 ........ ........ >+[0070] 80 66 8F CF AB 24 9D C8 76 E4 28 F5 25 6B 73 B2 .f...$.. v.(.%ks. >+[0080] 4B 94 ED 09 10 29 05 C4 C0 B8 B9 33 FA C4 46 AB K....).. ...3..F. >+[0090] F4 B5 9E 5B 07 54 D6 58 1D B8 CA 04 41 A6 33 A6 ...[.T.X ....A.3. >+[00A0] 67 9D EB 83 70 65 A9 2D 65 A5 19 8C 55 2A 0F FC g...pe.- e...U*.. >+[00B0] 1B BB 7A BD 86 C0 32 06 F2 2F 0A A5 93 E7 D1 1E ..z...2. ./...... >+[00C0] 16 C4 27 DD 1F A7 61 03 FF 05 81 EF 49 B7 25 A3 ..'...a. ....I.%. >+[00D0] 6E EA E6 E8 15 E3 10 AF A3 F1 21 B3 D9 C0 67 2F n....... ..!...g/ >+[00E0] 0C 0C B7 42 D6 9A 34 8E D4 5E 55 C2 FE 62 03 37 ...B..4. .^U..b.7 >+[00F0] A5 58 9B 43 E7 26 E3 71 B2 E5 F1 91 B4 23 8F AC .X.C.&.q .....#.. >+[0100] 7A 31 3C 4E B4 94 E4 81 36 98 71 3B 98 7B B7 AB z1<N.... 6.q;.{.. >+[0110] D5 AA D3 34 2A 3B C8 D7 61 EE 60 F9 68 9C A0 56 ...4*;.. a.`.h..V >+[0120] 51 E7 85 81 DE EF B9 9F 8B 4A 07 E1 05 93 08 5A Q....... .J.....Z >+[0130] AE B3 92 A5 17 40 B1 1C 42 A9 E4 AD 3C B4 4E D3 .....@.. B...<.N. >+[0140] BE 68 C4 0C 81 C0 AB 2D 3E 81 09 BD 16 82 EB C5 .h.....- >....... 
>+[0150] 1A 69 EE 8C 4E A4 D8 55 A5 0B 23 0F D0 89 48 C4 .i..N..U ..#...H. >+[0160] 51 FE 32 FD CC F6 71 E1 95 2D CC 1D 0A 0C 8A A2 Q.2...q. .-...... >+[0170] 69 58 3B 65 88 53 EC D0 2E E1 C6 CC 6B BC 09 E5 iX;e.S.. ....k... >+[0180] B9 15 27 8B E4 B2 24 18 61 42 BB 8B 09 1B 8A 7B ..'...$. aB.....{ >+[0190] 13 D8 51 E1 0B 79 12 48 DE A9 54 04 00 6D DD E6 ..Q..y.H ..T..m.. >+[01A0] 5E 03 91 FF C7 6D 0B 7C 91 44 E1 0F C0 7E 32 34 ^....m.| .D...~24 >+[01B0] 82 86 94 F7 CD 53 EC 52 38 18 AA ED FF FC 5C 01 .....S.R 8.....\. >+[01C0] D2 EE 99 45 8E 5B E6 B3 46 B0 F6 3B 22 29 EC 11 ...E.[.. F..;").. >+[01D0] 30 6A F6 A1 1F 9E AE 71 E3 A6 E7 3F F3 7D 2B 75 0j.....q ...?.}+u >+[01E0] 70 4D 63 47 5C 18 2C 8B B1 1A 69 B6 C5 46 01 17 pMcG\.,. ..i..F.. >+[01F0] 8E 64 3D 47 88 20 1C AA D7 60 32 28 11 60 EA 28 .d=G. .. .`2(.`.( >+[0200] 66 99 4C B1 2A 28 96 BF 18 2A 3E F4 D6 84 E5 A0 f.L.*(.. .*>..... >+[0210] F4 4E E7 F9 54 95 22 96 2A 87 01 CC 3E A7 FF 42 .N..T.". *...>..B >+[0220] 6A A4 4A 3A B9 24 10 65 99 53 58 2A 4E 72 E7 1F j.J:.$.e .SX*Nr.. >+[0230] 82 BC BD 3C 6C 9D 33 3A CE C6 6E 72 A2 81 B3 84 ...<l.3: ..nr.... >+[0240] 82 DF 3C 1F 76 E5 B8 08 AD 0A 6C 7D 7B D5 0C 46 ..<.v... ..l}{..F >+[0250] 69 A4 F4 E9 9E 3D D7 2D E1 43 D1 7A 52 16 75 56 i....=.- .C.zR.uV >+[0260] 54 83 D5 2A 2F A7 D2 CB 48 FE FF DB AE 46 F2 5B T..*/... H....F.[ >+[0270] F4 52 BE C8 5E B1 04 95 52 35 3E 92 E0 02 F7 85 .R..^... R5>..... >+[0280] AB F0 D0 93 08 42 E5 37 19 24 4E C1 AF FC 92 A9 .....B.7 .$N..... >+[0290] B1 27 B1 9A 2A 62 34 F1 DC C0 6B 83 AE C3 74 E8 .'..*b4. ..k...t. >+[02A0] A3 05 DD 82 DD A3 D7 90 A8 E3 9C EB 64 16 23 06 ........ ....d.#. >+[02B0] 5D FB E4 35 7C 22 29 78 E3 3B 75 92 91 0C 9D A1 ]..5|")x .;u..... >+[02C0] 87 7C 2E 82 AE 49 9D 4A 50 A9 C2 D5 85 B0 16 5D .|...I.J P......] >+[02D0] A2 CD B0 DD 29 3F 6F 66 C9 C1 9F 5C F0 B6 FC D2 ....)?of ...\.... >+[02E0] 52 BE 7B F0 1F 26 AF 8A FC C3 A6 24 8C C0 10 06 R.{..&.. ...$.... 
>+[02F0] 73 1E 17 9E 6E 6F 32 44 6A DF 82 5D D0 6B 74 CE s...no2D j..].kt. >+[0300] 58 0B 4C 7B EB A1 13 44 B1 3E D8 F8 BA F4 4E 55 X.L{...D .>....NU >+[0310] 71 3D C1 09 D9 E7 97 9A 14 5C 54 7E 57 81 5F 6B q=...... .\T~W._k >+[0320] 30 BE 9A E1 98 29 47 D4 C0 8F 63 0A F8 27 1F CE 0....)G. ..c..'.. >+[0330] ED D9 BB 7B 12 24 D0 34 2A 7C F0 F7 77 F4 F1 1D ...{.$.4 *|..w... >+[0340] 4C 5D 75 2D 6B 0D 80 35 82 CC D8 7A 6B FA A0 55 L]u-k..5 ...zk..U >+[0350] 34 CD 87 15 61 38 78 D4 69 0F AA 72 D6 AC FA 99 4...a8x. i..r.... >+[0360] BC 70 39 27 A7 25 2E 1B 6F 36 01 FD E9 B4 9A 79 .p9'.%.. o6.....y >+[0370] 6C 19 DD A6 8C 78 B0 40 92 60 58 F0 28 AD 08 78 l....x.@ .`X.(..x >+[0380] 4A 29 06 2C 82 2B 1A E3 91 0B 5F EE D6 B8 66 47 J).,.+.. .._...fG >+[0390] 31 9B A3 DF 9F 79 D7 BB 0E 2C FA 0E C9 66 84 8D 1....y.. .,...f.. >+[03A0] FF BA BB 21 27 9E AD 86 84 55 8D 4C 4C 47 D9 5F ...!'... .U.LLG._ >+[03B0] B2 7D 26 CA B7 49 3C 9D 1B 67 71 11 3A 8A EB EA .}&..I<. .gq.:... >+[03C0] 0F 15 EB F0 1E 46 F7 A4 34 04 D7 E3 50 67 47 D3 .....F.. 4...PgG. >+[03D0] 66 21 17 77 51 A7 1F 1D 84 3B 7C B1 5D 4E B8 D4 f!.wQ... .;|.]N.. >+[03E0] F9 C5 75 06 AA 19 45 1C E9 06 9E AD 23 26 6B 10 ..u...E. ....#&k. >+[03F0] 53 A0 36 D3 58 9F 5E 8C CB A5 F6 BC C9 30 3C BC S.6.X.^. .....0<. >+[0400] AD FF 7C 92 F0 C6 9A 02 ..|..... >+ second_ticket : DATA_BLOB length=0 >+ further_creds : DATA_BLOB length=10683 >+[0000] 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 ........ ....KTES >+[0010] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. >+[0020] 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 COM....a dministr >+[0030] 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 ator.... ........ >+[0040] 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D KTEST.SA MBA.EXAM >+[0050] 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 73 00 PLE.COM. ...cifs. >+[0060] 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 00 17 ...local ktest6.. >+[0070] 00 00 00 10 00 6E A1 B2 31 6D 48 C7 90 72 3A 0C .....n.. 1mH..r:. 
>+[0080] 4B 8B 83 8C 4D 99 4F 6A 4D 99 50 85 7D 44 0B 68 K...M.Oj M.P.}D.h >+[0090] 00 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 .....@(. ........ >+[00A0] 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 .....a.. .0...... >+[00B0] 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB >+[00C0] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 A.EXAMPL E.COM..0 >+[00D0] 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 69 66 73 ........ 0...cifs >+[00E0] 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 A3 82 03 ..localk test6... >+[00F0] AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 02 A2 .0...... ........ >+[0100] 82 03 9C 04 82 03 98 C6 BB 64 A8 31 00 FC 5E 51 ........ .d.1..^Q >+[0110] 3C 87 F8 34 47 3B D0 6F 6F FD 9E A6 91 12 74 2D <..4G;.o o.....t- >+[0120] 44 BB AA 91 A0 2D 46 3E 9E FB FB C4 FB F1 15 FD D....-F> ........ >+[0130] BB DA EE 06 A9 20 6A 38 DC 46 06 27 D9 A2 9D 2D ..... j8 .F.'...- >+[0140] 1F FD 0D 7D 8A BB 0A 7C E8 47 17 BC 7B 70 E4 51 ...}...| .G..{p.Q >+[0150] 6A BA 51 68 62 28 4A 1E 51 D1 0D CD 02 55 75 44 j.Qhb(J. Q....UuD >+[0160] 8A B9 C2 84 F4 17 34 92 9B 31 85 9E 43 C1 0C 3A ......4. .1..C..: >+[0170] B2 69 7F 20 1A 18 1F 65 4F C0 20 C9 B5 AF E1 61 .i. ...e O. ....a >+[0180] 8C 90 10 63 26 A6 5D 05 3C CD 29 BB 7B 74 D5 8F ...c&.]. <.).{t.. >+[0190] 2C 7F 4B E8 84 24 57 37 8A C6 F7 91 FD 22 9A A5 ,.K..$W7 .....".. >+[01A0] 0D E9 4A 78 93 36 FC A8 8C 8A 27 8A C6 28 4B 7B ..Jx.6.. ..'..(K{ >+[01B0] DA 11 42 BC 09 10 81 82 14 0F 9C B8 48 26 91 78 ..B..... ....H&.x >+[01C0] A8 DD 97 6C 24 A1 D2 E8 85 19 B3 D3 85 4D 38 C7 ...l$... .....M8. >+[01D0] 7D 49 55 8E 85 46 E1 EE 7B BA 11 62 63 53 C5 16 }IU..F.. {..bcS.. >+[01E0] 4A 0C 1C 99 7C 0E FB 45 1D B4 98 58 67 7E 40 65 J...|..E ...Xg~@e >+[01F0] 4B 48 E2 89 9C 8B C2 B8 39 D1 04 C0 A8 56 E8 A1 KH...... 9....V.. >+[0200] 04 7A 7A C9 60 18 A0 29 E2 DC 82 4C 8F 18 CE 2F .zz.`..) ...L.../ >+[0210] 14 F0 18 5B 6C FF 85 45 88 73 CB A4 55 08 FC BF ...[l..E .s..U... 
>+[0220] C7 9F 51 0A DB 2C C1 E3 3C DD F6 F0 A3 2D F1 3B ..Q..,.. <....-.; >+[0230] A0 12 1D FC 2A 67 F5 1A 7F E5 7C 6C FB 8A 18 BD ....*g.. ..|l.... >+[0240] D1 5D E5 5E 68 30 AA 58 9E 10 13 E0 26 7E 7D C4 .].^h0.X ....&~}. >+[0250] E1 A5 B6 86 0F 1C 0F 13 A4 5E 5E 6A ED 42 79 31 ........ .^^j.By1 >+[0260] BB B3 5F 3A 3F DD CB 63 82 FB 06 AE 12 36 C9 1E .._:?..c .....6.. >+[0270] 06 7D 41 82 2E D2 FA 26 EC 17 50 5E D0 DE 26 85 .}A....& ..P^..&. >+[0280] 30 71 BC 45 3B DA 2E 08 8D B2 2A 3C E0 79 8F 77 0q.E;... ..*<.y.w >+[0290] 4C 01 69 7A 09 C7 88 E1 D1 DC FF 78 DB 25 7B B1 L.iz.... ...x.%{. >+[02A0] 3C BB 22 27 80 0D 75 96 18 B6 40 95 6D C8 AB 04 <."'..u. ..@.m... >+[02B0] 05 41 A1 C4 25 71 C4 53 3A A6 9C B2 4D E6 15 2C .A..%q.S :...M.., >+[02C0] B2 47 6C DA A8 7D CC A3 89 8B C9 1E 21 F5 E9 B2 .Gl..}.. ....!... >+[02D0] 42 95 68 28 AF C6 37 22 BA 30 8D 53 FA 08 0D CE B.h(..7" .0.S.... >+[02E0] CA 81 61 0D 84 A5 2D 75 BD 41 85 4C 88 56 72 C6 ..a...-u .A.L.Vr. >+[02F0] B6 10 F8 34 CD B2 F4 5C 94 FA 80 90 82 A0 BD 68 ...4...\ .......h >+[0300] EC 08 32 C3 B6 51 1E 3F 67 CB 7B EB 70 83 84 D4 ..2..Q.? g.{.p... >+[0310] CB 52 55 36 61 1E 60 90 5B 6F FE 9A 62 05 CF 26 .RU6a.`. [o..b..& >+[0320] 8E 65 E2 60 4B ED 63 B4 C4 E6 44 B4 2F B0 B8 07 .e.`K.c. ..D./... >+[0330] FE BE 0D 50 E4 56 A4 2E 0D 25 76 0B 0F 44 09 20 ...P.V.. .%v..D. >+[0340] 80 E5 C4 94 63 E0 54 46 1D AB 5E 0B 09 93 B1 30 ....c.TF ..^....0 >+[0350] 31 7B 04 DC 23 43 3B DB 7D 39 67 FE 9A 1F C1 08 1{..#C;. }9g..... >+[0360] AF 34 24 F6 74 E4 14 DA 34 8F 61 57 6A 7F 1D 4A .4$.t... 4.aWj..J >+[0370] 88 0A 90 78 93 F1 86 54 DB 22 86 D6 69 0F DF 44 ...x...T ."..i..D >+[0380] 7C D3 6B 9D 41 63 50 98 3A 97 B9 7B 4C 53 E3 85 |.k.AcP. :..{LS.. >+[0390] 73 9A C9 08 A0 75 12 50 02 87 B0 CF CC 84 84 D9 s....u.P ........ >+[03A0] BC FC 94 79 AF 6A A6 08 FF 19 7E E9 22 9B EC 5C ...y.j.. 
..~."..\ >+[03B0] C1 6B 1D A4 B4 55 32 5E 23 C3 C0 D4 8B 80 E6 67 .k...U2^ #......g >+[03C0] B1 59 EB 9D 5D 9B AD C6 0E 7D E2 FE B1 24 8A B1 .Y..]... .}...$.. >+[03D0] 37 1E 60 7F 83 35 48 32 F7 03 E8 12 E6 21 7C 3D 7.`..5H2 .....!|= >+[03E0] 21 7F 6B 14 31 9C 1A A3 4C 2B 1C 5E EC 34 C1 2D !.k.1... L+.^.4.- >+[03F0] DA 19 6C E6 6D 8D 60 D7 55 9E E6 D0 B5 07 06 72 ..l.m.`. U......r >+[0400] C0 E9 4E 91 94 6B 3E 0B F1 0A 75 4D E8 CB 53 6B ..N..k>. ..uM..Sk >+[0410] 34 A4 2F 96 A5 39 1A 18 6E 27 00 6D 41 B7 D8 F5 4./..9.. n'.mA... >+[0420] 9A E5 01 FC 0B A8 97 56 EE 98 04 1D 98 84 5E 82 .......V ......^. >+[0430] C8 E8 EC 17 D5 FA 96 00 3B E1 98 1C D8 FA 66 A0 ........ ;.....f. >+[0440] DC 32 60 F6 03 46 08 3C E5 16 6F F2 8B 4D 72 9F .2`..F.< ..o..Mr. >+[0450] 0F E0 A9 71 6E 7C AE AA FB A3 4D F1 A1 B6 1B 9F ...qn|.. ..M..... >+[0460] 62 71 E1 2C 82 9B AE E3 07 9B 79 90 F1 C2 69 E5 bq.,.... ..y...i. >+[0470] 7E CB 57 E6 C9 1C 4E A8 C7 12 EA 4F 4C 52 17 03 ~.W...N. ...OLR.. >+[0480] AB D4 FD 34 60 F4 7C BE 9E 36 30 37 88 95 61 2E ...4`.|. .607..a. >+[0490] CF 70 AF 22 70 DB E8 AA 6E 3D 30 F7 4D 84 D5 00 .p."p... n=0.M... >+[04A0] 00 00 00 00 00 00 01 00 00 00 01 00 00 00 17 4B ........ .......K >+[04B0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP >+[04C0] 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 LE.COM.. ..admini >+[04D0] 73 74 72 61 74 6F 72 00 00 00 01 00 00 00 02 00 strator. ........ >+[04E0] 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 ...KTEST .SAMBA.E >+[04F0] 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 XAMPLE.C OM....ci >+[0500] 66 73 00 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 fs....lo calktest >+[0510] 36 00 17 00 00 00 10 00 6E A1 B2 31 6D 48 C7 90 6....... n..1mH.. >+[0520] 72 3A 0C 4B 8B 83 8C 4D 99 4F 6A 4D 99 50 85 7D r:.K...M .OjM.P.} >+[0530] 44 0B 68 00 00 00 00 00 40 28 00 00 00 00 00 00 D.h..... @(...... >+[0540] 00 00 00 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 ........ a...0... 
>+[0550] A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 ........ .KTEST.S >+[0560] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM >+[0570] A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 ..0..... ...0...c >+[0580] 69 66 73 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 ifs..loc alktest6 >+[0590] A3 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 03 02 ....0... ........ >+[05A0] 01 02 A2 82 03 9C 04 82 03 98 C6 BB 64 A8 31 00 ........ ....d.1. >+[05B0] FC 5E 51 3C 87 F8 34 47 3B D0 6F 6F FD 9E A6 91 .^Q<..4G ;.oo.... >+[05C0] 12 74 2D 44 BB AA 91 A0 2D 46 3E 9E FB FB C4 FB .t-D.... -F>..... >+[05D0] F1 15 FD BB DA EE 06 A9 20 6A 38 DC 46 06 27 D9 ........ j8.F.'. >+[05E0] A2 9D 2D 1F FD 0D 7D 8A BB 0A 7C E8 47 17 BC 7B ..-...}. ..|.G..{ >+[05F0] 70 E4 51 6A BA 51 68 62 28 4A 1E 51 D1 0D CD 02 p.Qj.Qhb (J.Q.... >+[0600] 55 75 44 8A B9 C2 84 F4 17 34 92 9B 31 85 9E 43 UuD..... .4..1..C >+[0610] C1 0C 3A B2 69 7F 20 1A 18 1F 65 4F C0 20 C9 B5 ..:.i. . ..eO. .. >+[0620] AF E1 61 8C 90 10 63 26 A6 5D 05 3C CD 29 BB 7B ..a...c& .].<.).{ >+[0630] 74 D5 8F 2C 7F 4B E8 84 24 57 37 8A C6 F7 91 FD t..,.K.. $W7..... >+[0640] 22 9A A5 0D E9 4A 78 93 36 FC A8 8C 8A 27 8A C6 "....Jx. 6....'.. >+[0650] 28 4B 7B DA 11 42 BC 09 10 81 82 14 0F 9C B8 48 (K{..B.. .......H >+[0660] 26 91 78 A8 DD 97 6C 24 A1 D2 E8 85 19 B3 D3 85 &.x...l$ ........ >+[0670] 4D 38 C7 7D 49 55 8E 85 46 E1 EE 7B BA 11 62 63 M8.}IU.. F..{..bc >+[0680] 53 C5 16 4A 0C 1C 99 7C 0E FB 45 1D B4 98 58 67 S..J...| ..E...Xg >+[0690] 7E 40 65 4B 48 E2 89 9C 8B C2 B8 39 D1 04 C0 A8 ~@eKH... ...9.... >+[06A0] 56 E8 A1 04 7A 7A C9 60 18 A0 29 E2 DC 82 4C 8F V...zz.` ..)...L. >+[06B0] 18 CE 2F 14 F0 18 5B 6C FF 85 45 88 73 CB A4 55 ../...[l ..E.s..U >+[06C0] 08 FC BF C7 9F 51 0A DB 2C C1 E3 3C DD F6 F0 A3 .....Q.. ,..<.... >+[06D0] 2D F1 3B A0 12 1D FC 2A 67 F5 1A 7F E5 7C 6C FB -.;....* g....|l. 
>+[06E0] 8A 18 BD D1 5D E5 5E 68 30 AA 58 9E 10 13 E0 26 ....].^h 0.X....& >+[06F0] 7E 7D C4 E1 A5 B6 86 0F 1C 0F 13 A4 5E 5E 6A ED ~}...... ....^^j. >+[0700] 42 79 31 BB B3 5F 3A 3F DD CB 63 82 FB 06 AE 12 By1.._:? ..c..... >+[0710] 36 C9 1E 06 7D 41 82 2E D2 FA 26 EC 17 50 5E D0 6...}A.. ..&..P^. >+[0720] DE 26 85 30 71 BC 45 3B DA 2E 08 8D B2 2A 3C E0 .&.0q.E; .....*<. >+[0730] 79 8F 77 4C 01 69 7A 09 C7 88 E1 D1 DC FF 78 DB y.wL.iz. ......x. >+[0740] 25 7B B1 3C BB 22 27 80 0D 75 96 18 B6 40 95 6D %{.<."'. .u...@.m >+[0750] C8 AB 04 05 41 A1 C4 25 71 C4 53 3A A6 9C B2 4D ....A..% q.S:...M >+[0760] E6 15 2C B2 47 6C DA A8 7D CC A3 89 8B C9 1E 21 ..,.Gl.. }......! >+[0770] F5 E9 B2 42 95 68 28 AF C6 37 22 BA 30 8D 53 FA ...B.h(. .7".0.S. >+[0780] 08 0D CE CA 81 61 0D 84 A5 2D 75 BD 41 85 4C 88 .....a.. .-u.A.L. >+[0790] 56 72 C6 B6 10 F8 34 CD B2 F4 5C 94 FA 80 90 82 Vr....4. ..\..... >+[07A0] A0 BD 68 EC 08 32 C3 B6 51 1E 3F 67 CB 7B EB 70 ..h..2.. Q.?g.{.p >+[07B0] 83 84 D4 CB 52 55 36 61 1E 60 90 5B 6F FE 9A 62 ....RU6a .`.[o..b >+[07C0] 05 CF 26 8E 65 E2 60 4B ED 63 B4 C4 E6 44 B4 2F ..&.e.`K .c...D./ >+[07D0] B0 B8 07 FE BE 0D 50 E4 56 A4 2E 0D 25 76 0B 0F ......P. V...%v.. >+[07E0] 44 09 20 80 E5 C4 94 63 E0 54 46 1D AB 5E 0B 09 D. ....c .TF..^.. >+[07F0] 93 B1 30 31 7B 04 DC 23 43 3B DB 7D 39 67 FE 9A ..01{..# C;.}9g.. >+[0800] 1F C1 08 AF 34 24 F6 74 E4 14 DA 34 8F 61 57 6A ....4$.t ...4.aWj >+[0810] 7F 1D 4A 88 0A 90 78 93 F1 86 54 DB 22 86 D6 69 ..J...x. ..T."..i >+[0820] 0F DF 44 7C D3 6B 9D 41 63 50 98 3A 97 B9 7B 4C ..D|.k.A cP.:..{L >+[0830] 53 E3 85 73 9A C9 08 A0 75 12 50 02 87 B0 CF CC S..s.... u.P..... >+[0840] 84 84 D9 BC FC 94 79 AF 6A A6 08 FF 19 7E E9 22 ......y. j....~." >+[0850] 9B EC 5C C1 6B 1D A4 B4 55 32 5E 23 C3 C0 D4 8B ..\.k... U2^#.... >+[0860] 80 E6 67 B1 59 EB 9D 5D 9B AD C6 0E 7D E2 FE B1 ..g.Y..] ....}... >+[0870] 24 8A B1 37 1E 60 7F 83 35 48 32 F7 03 E8 12 E6 $..7.`.. 5H2..... 
>+[0880] 21 7C 3D 21 7F 6B 14 31 9C 1A A3 4C 2B 1C 5E EC !|=!.k.1 ...L+.^. >+[0890] 34 C1 2D DA 19 6C E6 6D 8D 60 D7 55 9E E6 D0 B5 4.-..l.m .`.U.... >+[08A0] 07 06 72 C0 E9 4E 91 94 6B 3E 0B F1 0A 75 4D E8 ..r..N.. k>...uM. >+[08B0] CB 53 6B 34 A4 2F 96 A5 39 1A 18 6E 27 00 6D 41 .Sk4./.. 9..n'.mA >+[08C0] B7 D8 F5 9A E5 01 FC 0B A8 97 56 EE 98 04 1D 98 ........ ..V..... >+[08D0] 84 5E 82 C8 E8 EC 17 D5 FA 96 00 3B E1 98 1C D8 .^...... ...;.... >+[08E0] FA 66 A0 DC 32 60 F6 03 46 08 3C E5 16 6F F2 8B .f..2`.. F.<..o.. >+[08F0] 4D 72 9F 0F E0 A9 71 6E 7C AE AA FB A3 4D F1 A1 Mr....qn |....M.. >+[0900] B6 1B 9F 62 71 E1 2C 82 9B AE E3 07 9B 79 90 F1 ...bq.,. .....y.. >+[0910] C2 69 E5 7E CB 57 E6 C9 1C 4E A8 C7 12 EA 4F 4C .i.~.W.. .N....OL >+[0920] 52 17 03 AB D4 FD 34 60 F4 7C BE 9E 36 30 37 88 R.....4` .|..607. >+[0930] 95 61 2E CF 70 AF 22 70 DB E8 AA 6E 3D 30 F7 4D .a..p."p ...n=0.M >+[0940] 84 D5 00 00 00 00 00 00 00 01 00 00 00 01 00 00 ........ ........ >+[0950] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX >+[0960] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D AMPLE.CO M....adm >+[0970] 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 inistrat or...... >+[0980] 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB >+[0990] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 A.EXAMPL E.COM... >+[09A0] 04 63 69 66 73 00 00 00 0B 6C 6F 63 61 6C 6B 74 .cifs... .localkt >+[09B0] 65 73 74 36 00 17 00 00 00 10 00 6E A1 B2 31 6D est6.... ...n..1m >+[09C0] 48 C7 90 72 3A 0C 4B 8B 83 8C 4D 99 4F 6A 4D 99 H..r:.K. ..M.OjM. >+[09D0] 50 85 7D 44 0B 68 00 00 00 00 00 40 28 00 00 00 P.}D.h.. ...@(... >+[09E0] 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 ........ ...a...0 >+[09F0] 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 ........ ....KTES >+[0A00] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. >+[0A10] 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 COM..0.. ......0. 
>+[0A20] 1B 04 63 69 66 73 1B 0B 6C 6F 63 61 6C 6B 74 65 ..cifs.. localkte >+[0A30] 73 74 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 st6....0 ........ >+[0A40] A1 03 02 01 02 A2 82 03 9C 04 82 03 98 C6 BB 64 ........ .......d >+[0A50] A8 31 00 FC 5E 51 3C 87 F8 34 47 3B D0 6F 6F FD .1..^Q<. .4G;.oo. >+[0A60] 9E A6 91 12 74 2D 44 BB AA 91 A0 2D 46 3E 9E FB ....t-D. ...-F>.. >+[0A70] FB C4 FB F1 15 FD BB DA EE 06 A9 20 6A 38 DC 46 ........ ... j8.F >+[0A80] 06 27 D9 A2 9D 2D 1F FD 0D 7D 8A BB 0A 7C E8 47 .'...-.. .}...|.G >+[0A90] 17 BC 7B 70 E4 51 6A BA 51 68 62 28 4A 1E 51 D1 ..{p.Qj. Qhb(J.Q. >+[0AA0] 0D CD 02 55 75 44 8A B9 C2 84 F4 17 34 92 9B 31 ...UuD.. ....4..1 >+[0AB0] 85 9E 43 C1 0C 3A B2 69 7F 20 1A 18 1F 65 4F C0 ..C..:.i . ...eO. >+[0AC0] 20 C9 B5 AF E1 61 8C 90 10 63 26 A6 5D 05 3C CD ....a.. .c&.].<. >+[0AD0] 29 BB 7B 74 D5 8F 2C 7F 4B E8 84 24 57 37 8A C6 ).{t..,. K..$W7.. >+[0AE0] F7 91 FD 22 9A A5 0D E9 4A 78 93 36 FC A8 8C 8A ...".... Jx.6.... >+[0AF0] 27 8A C6 28 4B 7B DA 11 42 BC 09 10 81 82 14 0F '..(K{.. B....... >+[0B00] 9C B8 48 26 91 78 A8 DD 97 6C 24 A1 D2 E8 85 19 ..H&.x.. .l$..... >+[0B10] B3 D3 85 4D 38 C7 7D 49 55 8E 85 46 E1 EE 7B BA ...M8.}I U..F..{. >+[0B20] 11 62 63 53 C5 16 4A 0C 1C 99 7C 0E FB 45 1D B4 .bcS..J. ..|..E.. >+[0B30] 98 58 67 7E 40 65 4B 48 E2 89 9C 8B C2 B8 39 D1 .Xg~@eKH ......9. >+[0B40] 04 C0 A8 56 E8 A1 04 7A 7A C9 60 18 A0 29 E2 DC ...V...z z.`..).. >+[0B50] 82 4C 8F 18 CE 2F 14 F0 18 5B 6C FF 85 45 88 73 .L.../.. .[l..E.s >+[0B60] CB A4 55 08 FC BF C7 9F 51 0A DB 2C C1 E3 3C DD ..U..... Q..,..<. >+[0B70] F6 F0 A3 2D F1 3B A0 12 1D FC 2A 67 F5 1A 7F E5 ...-.;.. ..*g.... >+[0B80] 7C 6C FB 8A 18 BD D1 5D E5 5E 68 30 AA 58 9E 10 |l.....] .^h0.X.. >+[0B90] 13 E0 26 7E 7D C4 E1 A5 B6 86 0F 1C 0F 13 A4 5E ..&~}... .......^ >+[0BA0] 5E 6A ED 42 79 31 BB B3 5F 3A 3F DD CB 63 82 FB ^j.By1.. _:?..c.. >+[0BB0] 06 AE 12 36 C9 1E 06 7D 41 82 2E D2 FA 26 EC 17 ...6...} A....&.. 
>+[0BC0] 50 5E D0 DE 26 85 30 71 BC 45 3B DA 2E 08 8D B2 P^..&.0q .E;..... >+[0BD0] 2A 3C E0 79 8F 77 4C 01 69 7A 09 C7 88 E1 D1 DC *<.y.wL. iz...... >+[0BE0] FF 78 DB 25 7B B1 3C BB 22 27 80 0D 75 96 18 B6 .x.%{.<. "'..u... >+[0BF0] 40 95 6D C8 AB 04 05 41 A1 C4 25 71 C4 53 3A A6 @.m....A ..%q.S:. >+[0C00] 9C B2 4D E6 15 2C B2 47 6C DA A8 7D CC A3 89 8B ..M..,.G l..}.... >+[0C10] C9 1E 21 F5 E9 B2 42 95 68 28 AF C6 37 22 BA 30 ..!...B. h(..7".0 >+[0C20] 8D 53 FA 08 0D CE CA 81 61 0D 84 A5 2D 75 BD 41 .S...... a...-u.A >+[0C30] 85 4C 88 56 72 C6 B6 10 F8 34 CD B2 F4 5C 94 FA .L.Vr... .4...\.. >+[0C40] 80 90 82 A0 BD 68 EC 08 32 C3 B6 51 1E 3F 67 CB .....h.. 2..Q.?g. >+[0C50] 7B EB 70 83 84 D4 CB 52 55 36 61 1E 60 90 5B 6F {.p....R U6a.`.[o >+[0C60] FE 9A 62 05 CF 26 8E 65 E2 60 4B ED 63 B4 C4 E6 ..b..&.e .`K.c... >+[0C70] 44 B4 2F B0 B8 07 FE BE 0D 50 E4 56 A4 2E 0D 25 D./..... .P.V...% >+[0C80] 76 0B 0F 44 09 20 80 E5 C4 94 63 E0 54 46 1D AB v..D. .. ..c.TF.. >+[0C90] 5E 0B 09 93 B1 30 31 7B 04 DC 23 43 3B DB 7D 39 ^....01{ ..#C;.}9 >+[0CA0] 67 FE 9A 1F C1 08 AF 34 24 F6 74 E4 14 DA 34 8F g......4 $.t...4. >+[0CB0] 61 57 6A 7F 1D 4A 88 0A 90 78 93 F1 86 54 DB 22 aWj..J.. .x...T." >+[0CC0] 86 D6 69 0F DF 44 7C D3 6B 9D 41 63 50 98 3A 97 ..i..D|. k.AcP.:. >+[0CD0] B9 7B 4C 53 E3 85 73 9A C9 08 A0 75 12 50 02 87 .{LS..s. ...u.P.. >+[0CE0] B0 CF CC 84 84 D9 BC FC 94 79 AF 6A A6 08 FF 19 ........ .y.j.... >+[0CF0] 7E E9 22 9B EC 5C C1 6B 1D A4 B4 55 32 5E 23 C3 ~."..\.k ...U2^#. >+[0D00] C0 D4 8B 80 E6 67 B1 59 EB 9D 5D 9B AD C6 0E 7D .....g.Y ..]....} >+[0D10] E2 FE B1 24 8A B1 37 1E 60 7F 83 35 48 32 F7 03 ...$..7. `..5H2.. >+[0D20] E8 12 E6 21 7C 3D 21 7F 6B 14 31 9C 1A A3 4C 2B ...!|=!. k.1...L+ >+[0D30] 1C 5E EC 34 C1 2D DA 19 6C E6 6D 8D 60 D7 55 9E .^.4.-.. l.m.`.U. >+[0D40] E6 D0 B5 07 06 72 C0 E9 4E 91 94 6B 3E 0B F1 0A .....r.. N..k>... >+[0D50] 75 4D E8 CB 53 6B 34 A4 2F 96 A5 39 1A 18 6E 27 uM..Sk4. 
/..9..n' >+[0D60] 00 6D 41 B7 D8 F5 9A E5 01 FC 0B A8 97 56 EE 98 .mA..... .....V.. >+[0D70] 04 1D 98 84 5E 82 C8 E8 EC 17 D5 FA 96 00 3B E1 ....^... ......;. >+[0D80] 98 1C D8 FA 66 A0 DC 32 60 F6 03 46 08 3C E5 16 ....f..2 `..F.<.. >+[0D90] 6F F2 8B 4D 72 9F 0F E0 A9 71 6E 7C AE AA FB A3 o..Mr... .qn|.... >+[0DA0] 4D F1 A1 B6 1B 9F 62 71 E1 2C 82 9B AE E3 07 9B M.....bq .,...... >+[0DB0] 79 90 F1 C2 69 E5 7E CB 57 E6 C9 1C 4E A8 C7 12 y...i.~. W...N... >+[0DC0] EA 4F 4C 52 17 03 AB D4 FD 34 60 F4 7C BE 9E 36 .OLR.... .4`.|..6 >+[0DD0] 30 37 88 95 61 2E CF 70 AF 22 70 DB E8 AA 6E 3D 07..a..p ."p...n= >+[0DE0] 30 F7 4D 84 D5 00 00 00 00 00 00 00 01 00 00 00 0.M..... ........ >+[0DF0] 01 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA >+[0E00] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D .EXAMPLE .COM.... >+[0E10] 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 administ rator... >+[0E20] 01 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 ........ .KTEST.S >+[0E30] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM >+[0E40] 00 00 00 04 63 69 66 73 00 00 00 0B 4C 4F 43 41 ....cifs ....LOCA >+[0E50] 4C 4B 54 45 53 54 36 00 17 00 00 00 10 1D C8 5E LKTEST6. .......^ >+[0E60] 46 48 82 F9 29 DB C6 A6 F1 72 6D 8D E9 4D 99 4F FH..)... .rm..M.O >+[0E70] 6A 4D 99 85 09 7D 44 0B 68 00 00 00 00 00 40 28 jM...}D. h.....@( >+[0E80] 00 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 ........ ......a. >+[0E90] 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B ..0..... .......K >+[0EA0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP >+[0EB0] 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 LE.COM.. 0....... >+[0EC0] 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F 43 41 4C .0...cif s..LOCAL >+[0ED0] 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 KTEST6.. ..0..... >+[0EE0] 02 01 17 A1 03 02 01 02 A2 82 03 9C 04 82 03 98 ........ ........ >+[0EF0] 66 D8 19 46 FA CB 73 2D CF 88 FD 4A EE 07 48 DA f..F..s- ...J..H. 
>+[0F00] 0E BC 58 30 43 40 A4 9C 00 0F 3B 17 C1 2D F5 9C ..X0C@.. ..;..-.. >+[0F10] 3E D9 2F 1D CA 01 9B D7 2E EC D7 70 ED 8B 8B 1B >./..... ...p.... >+[0F20] 5E F2 4E EE DD 0F C0 8D 61 E5 D7 0A 56 00 32 B1 ^.N..... a...V.2. >+[0F30] DB 91 37 29 0F 2F 85 EE A8 43 BA A5 B8 D4 19 74 ..7)./.. .C.....t >+[0F40] 33 F0 69 52 E1 58 98 83 D6 16 0B 44 A9 63 9B D4 3.iR.X.. ...D.c.. >+[0F50] 4E 6E A7 3E CD 9A 96 4D C4 96 F5 07 6D 29 B6 ED Nn.>...M ....m).. >+[0F60] 2A 62 3D 53 22 33 D1 95 E9 DF 74 4C 2A E2 29 AF *b=S"3.. ..tL*.). >+[0F70] 5B 69 B0 48 2D AD 94 FD A5 1D 54 D8 E2 5E C1 68 [i.H-... ..T..^.h >+[0F80] 6F BA 02 01 79 C3 C9 97 0B 76 66 45 E2 3B 10 17 o...y... .vfE.;.. >+[0F90] 95 40 46 E4 85 B9 87 BB CF CF 19 8C 3A C0 EA 38 .@F..... ....:..8 >+[0FA0] 3B B9 E9 4B 05 89 E5 27 8C 62 95 BC 0D 65 F0 D2 ;..K...' .b...e.. >+[0FB0] C0 5E BC 65 01 D5 0B CB 17 31 0F 06 49 4F A2 4A .^.e.... .1..IO.J >+[0FC0] 70 77 DB BD 92 5B 37 5C EC 06 DF C5 E2 31 C8 40 pw...[7\ .....1.@ >+[0FD0] 09 11 68 14 E7 7D CE 54 4F 52 61 31 2C 1C 53 52 ..h..}.T ORa1,.SR >+[0FE0] DB BE D8 95 39 EE 7D C6 CE C8 22 95 92 97 97 3D ....9.}. .."....= >+[0FF0] 5E 66 0F AD DC C2 4E 2E 2B 9F 63 20 30 DF B7 C1 ^f....N. +.c 0... >+[1000] D4 65 AA 6F 2D 10 24 07 20 8D 88 6E 4B 09 04 31 .e.o-.$. ..nK..1 >+[1010] B6 A3 EB F7 37 32 0E 0C 73 C6 F6 B8 4D D9 0C 4C ....72.. s...M..L >+[1020] 5B EC 10 6A 51 19 EA 3F FF 46 E7 73 16 A7 1F 33 [..jQ..? .F.s...3 >+[1030] 98 7C 9B AD 5A 23 A9 40 7C 0F DF EE 0F AA C7 E8 .|..Z#.@ |....... >+[1040] 63 07 98 3A 4A 0D 18 62 01 21 B2 AE A5 69 B0 C1 c..:J..b .!...i.. >+[1050] 15 51 BA 97 D2 C5 42 5B C5 30 38 18 A9 48 AB D7 .Q....B[ .08..H.. >+[1060] FC A1 BC 9F 71 E7 EA 18 54 42 DA D6 A4 FC C1 DC ....q... TB...... >+[1070] F3 12 30 62 AC 98 E1 7D 2B 34 1E 52 4C 26 67 32 ..0b...} +4.RL&g2 >+[1080] D9 44 1A 08 27 0E DA D0 FC 84 66 35 81 D6 EB 98 .D..'... ..f5.... >+[1090] 46 6F 1E 47 E0 14 31 BE 47 80 65 AA 0B 20 D6 33 Fo.G..1. G.e.. 
.3 >+[10A0] 36 3B 0D 40 2F 5A 2E 0E 01 BE 00 EB 33 3E 4B 32 6;.@/Z.. ....3>K2 >+[10B0] 91 F4 22 96 E5 5F D4 D5 92 94 CC 5B 59 6A 3E D2 ..".._.. ...[Yj>. >+[10C0] FB A0 4F 99 C4 07 8B 6F 2B 14 37 CD 37 44 C0 1F ..O....o +.7.7D.. >+[10D0] 80 9C 43 46 F2 5E F4 FE D3 39 70 61 BE 72 5B 3A ..CF.^.. .9pa.r[: >+[10E0] 8F 37 95 78 1E AB D9 E7 E9 DA FC 47 09 81 A0 0D .7.x.... ...G.... >+[10F0] 62 E1 F9 34 36 D1 DB E6 98 D8 F4 3E 77 5A 4D E2 b..46... ...>wZM. >+[1100] 5F 20 70 3D 3D 5B 34 D9 FD A8 31 F7 D9 59 F7 A3 _ p==[4. ..1..Y.. >+[1110] F0 66 F7 D9 AD 1C CD D5 85 33 A0 87 22 31 D4 F3 .f...... .3.."1.. >+[1120] 67 80 68 20 A2 90 72 7A 6F 64 FD 68 82 9E 91 B8 g.h ..rz od.h.... >+[1130] E3 F7 6D 6C 38 74 F0 96 A2 F6 25 D7 92 58 14 60 ..ml8t.. ..%..X.` >+[1140] 9F AE 01 4C 0C 09 67 3E 35 67 71 1E 2A 86 21 D3 ...L..g> 5gq.*.!. >+[1150] 60 61 98 16 94 67 0B 52 76 63 93 BD A3 3B A9 F0 `a...g.R vc...;.. >+[1160] A2 6A B7 E6 0F 35 64 DA 6A EA 20 A6 3D 94 71 59 .j...5d. j. .=.qY >+[1170] 5E CB B2 D3 F9 4D FE 1B 4B D8 64 C8 3B 7A A8 E6 ^....M.. K.d.;z.. >+[1180] D2 D5 76 71 26 D4 5C DA 1A 55 17 F2 16 C9 2F 77 ..vq&.\. .U..../w >+[1190] DB 95 19 48 A5 AC D0 C3 31 9C 0A CC 1B 44 11 6B ...H.... 1....D.k >+[11A0] 7C 88 7A 5D CF 6E 12 DA EF C5 C7 34 1D F4 CC EA |.z].n.. ...4.... >+[11B0] 37 24 4B B3 0F C1 A3 F2 29 A0 D8 93 39 C6 16 57 7$K..... )...9..W >+[11C0] D5 BF 57 BF 6C 7E F7 90 E0 EB A3 8B 07 56 9C EC ..W.l~.. .....V.. >+[11D0] 15 3E 21 DA A5 7C 00 3C F9 D2 A7 1C 6F 16 25 31 .>!..|.< ....o.%1 >+[11E0] C5 28 A7 EA F3 47 31 50 DD E1 ED 0A 93 DB 85 CC .(...G1P ........ >+[11F0] 6B 4B 2C 7F E8 F8 2D A9 6D 1D 0A 87 F2 10 8C 82 kK,...-. m....... >+[1200] 2F 9B D4 9B 92 8C 77 40 50 42 1E 42 C4 0A 4F E3 /.....w@ PB.B..O. >+[1210] 6C 6C DC 81 C4 1E BB F0 7D CF 3C 73 22 5B C3 1A ll...... }.<s"[.. >+[1220] 97 35 EE 3A CD 6D F3 68 A3 C5 65 7E E9 54 C0 E3 .5.:.m.h ..e~.T.. >+[1230] 7D 6A 32 4C D1 3E D0 78 4B BF 18 9F A5 25 4A 92 }j2L.>.x K....%J. 
>+[1240] 1E 6C 8F 01 D6 59 D7 CF 2E A0 CC 98 F6 75 28 2F .l...Y.. .....u(/ >+[1250] F7 2A 70 28 A9 45 1F 75 C2 4E 62 ED D8 C4 A0 8D .*p(.E.u .Nb..... >+[1260] 55 B2 84 1C A4 CE 87 EF 24 EE BC CE 40 09 EB 05 U....... $...@... >+[1270] 0B D1 14 31 50 32 2F B6 A8 97 17 4B A7 95 01 50 ...1P2/. ...K...P >+[1280] 6E 0E 23 49 9C 72 21 91 00 00 00 00 00 00 00 01 n.#I.r!. ........ >+[1290] 00 00 00 01 00 00 00 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA >+[12A0] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 MBA.EXAM PLE.COM. >+[12B0] 00 00 0D 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 ...admin istrator >+[12C0] 00 00 00 01 00 00 00 02 00 00 00 17 4B 54 45 53 ........ ....KTES >+[12D0] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. >+[12E0] 43 4F 4D 00 00 00 04 63 69 66 73 00 00 00 0B 4C COM....c ifs....L >+[12F0] 4F 43 41 4C 4B 54 45 53 54 36 00 17 00 00 00 10 OCALKTES T6...... >+[1300] 1D C8 5E 46 48 82 F9 29 DB C6 A6 F1 72 6D 8D E9 ..^FH..) ....rm.. >+[1310] 4D 99 4F 6A 4D 99 85 09 7D 44 0B 68 00 00 00 00 M.OjM... }D.h.... >+[1320] 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 03 .@(..... ........ >+[1330] FA 61 82 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 .a...0.. ........ >+[1340] 1B 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX >+[1350] 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 AMPLE.CO M..0.... >+[1360] 01 01 A1 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F ....0... cifs..LO >+[1370] 43 41 4C 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 CALKTEST 6....0.. >+[1380] AA A0 03 02 01 17 A1 03 02 01 02 A2 82 03 9C 04 ........ ........ >+[1390] 82 03 98 66 D8 19 46 FA CB 73 2D CF 88 FD 4A EE ...f..F. .s-...J. >+[13A0] 07 48 DA 0E BC 58 30 43 40 A4 9C 00 0F 3B 17 C1 .H...X0C @....;.. >+[13B0] 2D F5 9C 3E D9 2F 1D CA 01 9B D7 2E EC D7 70 ED -..>./.. ......p. >+[13C0] 8B 8B 1B 5E F2 4E EE DD 0F C0 8D 61 E5 D7 0A 56 ...^.N.. ...a...V >+[13D0] 00 32 B1 DB 91 37 29 0F 2F 85 EE A8 43 BA A5 B8 .2...7). /...C... 
>+[13E0] D4 19 74 33 F0 69 52 E1 58 98 83 D6 16 0B 44 A9 ..t3.iR. X.....D. >+[13F0] 63 9B D4 4E 6E A7 3E CD 9A 96 4D C4 96 F5 07 6D c..Nn.>. ..M....m >+[1400] 29 B6 ED 2A 62 3D 53 22 33 D1 95 E9 DF 74 4C 2A )..*b=S" 3....tL* >+[1410] E2 29 AF 5B 69 B0 48 2D AD 94 FD A5 1D 54 D8 E2 .).[i.H- .....T.. >+[1420] 5E C1 68 6F BA 02 01 79 C3 C9 97 0B 76 66 45 E2 ^.ho...y ....vfE. >+[1430] 3B 10 17 95 40 46 E4 85 B9 87 BB CF CF 19 8C 3A ;...@F.. .......: >+[1440] C0 EA 38 3B B9 E9 4B 05 89 E5 27 8C 62 95 BC 0D ..8;..K. ..'.b... >+[1450] 65 F0 D2 C0 5E BC 65 01 D5 0B CB 17 31 0F 06 49 e...^.e. ....1..I >+[1460] 4F A2 4A 70 77 DB BD 92 5B 37 5C EC 06 DF C5 E2 O.Jpw... [7\..... >+[1470] 31 C8 40 09 11 68 14 E7 7D CE 54 4F 52 61 31 2C 1.@..h.. }.TORa1, >+[1480] 1C 53 52 DB BE D8 95 39 EE 7D C6 CE C8 22 95 92 .SR....9 .}...".. >+[1490] 97 97 3D 5E 66 0F AD DC C2 4E 2E 2B 9F 63 20 30 ..=^f... .N.+.c 0 >+[14A0] DF B7 C1 D4 65 AA 6F 2D 10 24 07 20 8D 88 6E 4B ....e.o- .$. ..nK >+[14B0] 09 04 31 B6 A3 EB F7 37 32 0E 0C 73 C6 F6 B8 4D ..1....7 2..s...M >+[14C0] D9 0C 4C 5B EC 10 6A 51 19 EA 3F FF 46 E7 73 16 ..L[..jQ ..?.F.s. >+[14D0] A7 1F 33 98 7C 9B AD 5A 23 A9 40 7C 0F DF EE 0F ..3.|..Z #.@|.... >+[14E0] AA C7 E8 63 07 98 3A 4A 0D 18 62 01 21 B2 AE A5 ...c..:J ..b.!... >+[14F0] 69 B0 C1 15 51 BA 97 D2 C5 42 5B C5 30 38 18 A9 i...Q... .B[.08.. >+[1500] 48 AB D7 FC A1 BC 9F 71 E7 EA 18 54 42 DA D6 A4 H......q ...TB... >+[1510] FC C1 DC F3 12 30 62 AC 98 E1 7D 2B 34 1E 52 4C .....0b. ..}+4.RL >+[1520] 26 67 32 D9 44 1A 08 27 0E DA D0 FC 84 66 35 81 &g2.D..' .....f5. >+[1530] D6 EB 98 46 6F 1E 47 E0 14 31 BE 47 80 65 AA 0B ...Fo.G. .1.G.e.. >+[1540] 20 D6 33 36 3B 0D 40 2F 5A 2E 0E 01 BE 00 EB 33 .36;.@/ Z......3 >+[1550] 3E 4B 32 91 F4 22 96 E5 5F D4 D5 92 94 CC 5B 59 >K2..".. _.....[Y >+[1560] 6A 3E D2 FB A0 4F 99 C4 07 8B 6F 2B 14 37 CD 37 j>...O.. ..o+.7.7 >+[1570] 44 C0 1F 80 9C 43 46 F2 5E F4 FE D3 39 70 61 BE D....CF. ^...9pa. 
>+[1580] 72 5B 3A 8F 37 95 78 1E AB D9 E7 E9 DA FC 47 09 r[:.7.x. ......G. >+[1590] 81 A0 0D 62 E1 F9 34 36 D1 DB E6 98 D8 F4 3E 77 ...b..46 ......>w >+[15A0] 5A 4D E2 5F 20 70 3D 3D 5B 34 D9 FD A8 31 F7 D9 ZM._ p== [4...1.. >+[15B0] 59 F7 A3 F0 66 F7 D9 AD 1C CD D5 85 33 A0 87 22 Y...f... ....3.." >+[15C0] 31 D4 F3 67 80 68 20 A2 90 72 7A 6F 64 FD 68 82 1..g.h . .rzod.h. >+[15D0] 9E 91 B8 E3 F7 6D 6C 38 74 F0 96 A2 F6 25 D7 92 .....ml8 t....%.. >+[15E0] 58 14 60 9F AE 01 4C 0C 09 67 3E 35 67 71 1E 2A X.`...L. .g>5gq.* >+[15F0] 86 21 D3 60 61 98 16 94 67 0B 52 76 63 93 BD A3 .!.`a... g.Rvc... >+[1600] 3B A9 F0 A2 6A B7 E6 0F 35 64 DA 6A EA 20 A6 3D ;...j... 5d.j. .= >+[1610] 94 71 59 5E CB B2 D3 F9 4D FE 1B 4B D8 64 C8 3B .qY^.... M..K.d.; >+[1620] 7A A8 E6 D2 D5 76 71 26 D4 5C DA 1A 55 17 F2 16 z....vq& .\..U... >+[1630] C9 2F 77 DB 95 19 48 A5 AC D0 C3 31 9C 0A CC 1B ./w...H. ...1.... >+[1640] 44 11 6B 7C 88 7A 5D CF 6E 12 DA EF C5 C7 34 1D D.k|.z]. n.....4. >+[1650] F4 CC EA 37 24 4B B3 0F C1 A3 F2 29 A0 D8 93 39 ...7$K.. ...)...9 >+[1660] C6 16 57 D5 BF 57 BF 6C 7E F7 90 E0 EB A3 8B 07 ..W..W.l ~....... >+[1670] 56 9C EC 15 3E 21 DA A5 7C 00 3C F9 D2 A7 1C 6F V...>!.. |.<....o >+[1680] 16 25 31 C5 28 A7 EA F3 47 31 50 DD E1 ED 0A 93 .%1.(... G1P..... >+[1690] DB 85 CC 6B 4B 2C 7F E8 F8 2D A9 6D 1D 0A 87 F2 ...kK,.. .-.m.... >+[16A0] 10 8C 82 2F 9B D4 9B 92 8C 77 40 50 42 1E 42 C4 .../.... .w@PB.B. >+[16B0] 0A 4F E3 6C 6C DC 81 C4 1E BB F0 7D CF 3C 73 22 .O.ll... ...}.<s" >+[16C0] 5B C3 1A 97 35 EE 3A CD 6D F3 68 A3 C5 65 7E E9 [...5.:. m.h..e~. >+[16D0] 54 C0 E3 7D 6A 32 4C D1 3E D0 78 4B BF 18 9F A5 T..}j2L. >.xK.... >+[16E0] 25 4A 92 1E 6C 8F 01 D6 59 D7 CF 2E A0 CC 98 F6 %J..l... Y....... >+[16F0] 75 28 2F F7 2A 70 28 A9 45 1F 75 C2 4E 62 ED D8 u(/.*p(. E.u.Nb.. >+[1700] C4 A0 8D 55 B2 84 1C A4 CE 87 EF 24 EE BC CE 40 ...U.... ...$...@ >+[1710] 09 EB 05 0B D1 14 31 50 32 2F B6 A8 97 17 4B A7 ......1P 2/....K. 
>+[1720] 95 01 50 6E 0E 23 49 9C 72 21 91 00 00 00 00 00 ..Pn.#I. r!...... >+[1730] 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 54 ........ ...KTEST >+[1740] 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 .SAMBA.E XAMPLE.C >+[1750] 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 61 OM....ad ministra >+[1760] 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 4B tor..... .......K >+[1770] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP >+[1780] 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 73 00 00 LE.COM.. ..cifs.. >+[1790] 00 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 00 17 00 ..LOCALK TEST6... >+[17A0] 00 00 10 1D C8 5E 46 48 82 F9 29 DB C6 A6 F1 72 .....^FH ..)....r >+[17B0] 6D 8D E9 4D 99 4F 6A 4D 99 85 09 7D 44 0B 68 00 m..M.OjM ...}D.h. >+[17C0] 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 00 ....@(.. ........ >+[17D0] 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 01 ....a... 0....... >+[17E0] 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA >+[17F0] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 1C .EXAMPLE .COM..0. >+[1800] A0 03 02 01 01 A1 15 30 13 1B 04 63 69 66 73 1B .......0 ...cifs. >+[1810] 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 A3 82 03 AE .LOCALKT EST6.... >+[1820] 30 82 03 AA A0 03 02 01 17 A1 03 02 01 02 A2 82 0....... ........ >+[1830] 03 9C 04 82 03 98 66 D8 19 46 FA CB 73 2D CF 88 ......f. .F..s-.. >+[1840] FD 4A EE 07 48 DA 0E BC 58 30 43 40 A4 9C 00 0F .J..H... X0C@.... >+[1850] 3B 17 C1 2D F5 9C 3E D9 2F 1D CA 01 9B D7 2E EC ;..-..>. /....... >+[1860] D7 70 ED 8B 8B 1B 5E F2 4E EE DD 0F C0 8D 61 E5 .p....^. N.....a. >+[1870] D7 0A 56 00 32 B1 DB 91 37 29 0F 2F 85 EE A8 43 ..V.2... 7)./...C >+[1880] BA A5 B8 D4 19 74 33 F0 69 52 E1 58 98 83 D6 16 .....t3. iR.X.... >+[1890] 0B 44 A9 63 9B D4 4E 6E A7 3E CD 9A 96 4D C4 96 .D.c..Nn .>...M.. >+[18A0] F5 07 6D 29 B6 ED 2A 62 3D 53 22 33 D1 95 E9 DF ..m)..*b =S"3.... >+[18B0] 74 4C 2A E2 29 AF 5B 69 B0 48 2D AD 94 FD A5 1D tL*.).[i .H-..... 
>+[18C0] 54 D8 E2 5E C1 68 6F BA 02 01 79 C3 C9 97 0B 76 T..^.ho. ..y....v >+[18D0] 66 45 E2 3B 10 17 95 40 46 E4 85 B9 87 BB CF CF fE.;...@ F....... >+[18E0] 19 8C 3A C0 EA 38 3B B9 E9 4B 05 89 E5 27 8C 62 ..:..8;. .K...'.b >+[18F0] 95 BC 0D 65 F0 D2 C0 5E BC 65 01 D5 0B CB 17 31 ...e...^ .e.....1 >+[1900] 0F 06 49 4F A2 4A 70 77 DB BD 92 5B 37 5C EC 06 ..IO.Jpw ...[7\.. >+[1910] DF C5 E2 31 C8 40 09 11 68 14 E7 7D CE 54 4F 52 ...1.@.. h..}.TOR >+[1920] 61 31 2C 1C 53 52 DB BE D8 95 39 EE 7D C6 CE C8 a1,.SR.. ..9.}... >+[1930] 22 95 92 97 97 3D 5E 66 0F AD DC C2 4E 2E 2B 9F "....=^f ....N.+. >+[1940] 63 20 30 DF B7 C1 D4 65 AA 6F 2D 10 24 07 20 8D c 0....e .o-.$. . >+[1950] 88 6E 4B 09 04 31 B6 A3 EB F7 37 32 0E 0C 73 C6 .nK..1.. ..72..s. >+[1960] F6 B8 4D D9 0C 4C 5B EC 10 6A 51 19 EA 3F FF 46 ..M..L[. .jQ..?.F >+[1970] E7 73 16 A7 1F 33 98 7C 9B AD 5A 23 A9 40 7C 0F .s...3.| ..Z#.@|. >+[1980] DF EE 0F AA C7 E8 63 07 98 3A 4A 0D 18 62 01 21 ......c. .:J..b.! >+[1990] B2 AE A5 69 B0 C1 15 51 BA 97 D2 C5 42 5B C5 30 ...i...Q ....B[.0 >+[19A0] 38 18 A9 48 AB D7 FC A1 BC 9F 71 E7 EA 18 54 42 8..H.... ..q...TB >+[19B0] DA D6 A4 FC C1 DC F3 12 30 62 AC 98 E1 7D 2B 34 ........ 0b...}+4 >+[19C0] 1E 52 4C 26 67 32 D9 44 1A 08 27 0E DA D0 FC 84 .RL&g2.D ..'..... >+[19D0] 66 35 81 D6 EB 98 46 6F 1E 47 E0 14 31 BE 47 80 f5....Fo .G..1.G. >+[19E0] 65 AA 0B 20 D6 33 36 3B 0D 40 2F 5A 2E 0E 01 BE e.. .36; .@/Z.... >+[19F0] 00 EB 33 3E 4B 32 91 F4 22 96 E5 5F D4 D5 92 94 ..3>K2.. ".._.... >+[1A00] CC 5B 59 6A 3E D2 FB A0 4F 99 C4 07 8B 6F 2B 14 .[Yj>... O....o+. >+[1A10] 37 CD 37 44 C0 1F 80 9C 43 46 F2 5E F4 FE D3 39 7.7D.... CF.^...9 >+[1A20] 70 61 BE 72 5B 3A 8F 37 95 78 1E AB D9 E7 E9 DA pa.r[:.7 .x...... >+[1A30] FC 47 09 81 A0 0D 62 E1 F9 34 36 D1 DB E6 98 D8 .G....b. .46..... >+[1A40] F4 3E 77 5A 4D E2 5F 20 70 3D 3D 5B 34 D9 FD A8 .>wZM._ p==[4... 
>+[1A50] 31 F7 D9 59 F7 A3 F0 66 F7 D9 AD 1C CD D5 85 33 1..Y...f .......3 >+[1A60] A0 87 22 31 D4 F3 67 80 68 20 A2 90 72 7A 6F 64 .."1..g. h ..rzod >+[1A70] FD 68 82 9E 91 B8 E3 F7 6D 6C 38 74 F0 96 A2 F6 .h...... ml8t.... >+[1A80] 25 D7 92 58 14 60 9F AE 01 4C 0C 09 67 3E 35 67 %..X.`.. .L..g>5g >+[1A90] 71 1E 2A 86 21 D3 60 61 98 16 94 67 0B 52 76 63 q.*.!.`a ...g.Rvc >+[1AA0] 93 BD A3 3B A9 F0 A2 6A B7 E6 0F 35 64 DA 6A EA ...;...j ...5d.j. >+[1AB0] 20 A6 3D 94 71 59 5E CB B2 D3 F9 4D FE 1B 4B D8 .=.qY^. ...M..K. >+[1AC0] 64 C8 3B 7A A8 E6 D2 D5 76 71 26 D4 5C DA 1A 55 d.;z.... vq&.\..U >+[1AD0] 17 F2 16 C9 2F 77 DB 95 19 48 A5 AC D0 C3 31 9C ..../w.. .H....1. >+[1AE0] 0A CC 1B 44 11 6B 7C 88 7A 5D CF 6E 12 DA EF C5 ...D.k|. z].n.... >+[1AF0] C7 34 1D F4 CC EA 37 24 4B B3 0F C1 A3 F2 29 A0 .4....7$ K.....). >+[1B00] D8 93 39 C6 16 57 D5 BF 57 BF 6C 7E F7 90 E0 EB ..9..W.. W.l~.... >+[1B10] A3 8B 07 56 9C EC 15 3E 21 DA A5 7C 00 3C F9 D2 ...V...> !..|.<.. >+[1B20] A7 1C 6F 16 25 31 C5 28 A7 EA F3 47 31 50 DD E1 ..o.%1.( ...G1P.. >+[1B30] ED 0A 93 DB 85 CC 6B 4B 2C 7F E8 F8 2D A9 6D 1D ......kK ,...-.m. >+[1B40] 0A 87 F2 10 8C 82 2F 9B D4 9B 92 8C 77 40 50 42 ....../. ....w@PB >+[1B50] 1E 42 C4 0A 4F E3 6C 6C DC 81 C4 1E BB F0 7D CF .B..O.ll ......}. >+[1B60] 3C 73 22 5B C3 1A 97 35 EE 3A CD 6D F3 68 A3 C5 <s"[...5 .:.m.h.. >+[1B70] 65 7E E9 54 C0 E3 7D 6A 32 4C D1 3E D0 78 4B BF e~.T..}j 2L.>.xK. >+[1B80] 18 9F A5 25 4A 92 1E 6C 8F 01 D6 59 D7 CF 2E A0 ...%J..l ...Y.... >+[1B90] CC 98 F6 75 28 2F F7 2A 70 28 A9 45 1F 75 C2 4E ...u(/.* p(.E.u.N >+[1BA0] 62 ED D8 C4 A0 8D 55 B2 84 1C A4 CE 87 EF 24 EE b.....U. ......$. >+[1BB0] BC CE 40 09 EB 05 0B D1 14 31 50 32 2F B6 A8 97 ..@..... .1P2/... >+[1BC0] 17 4B A7 95 01 50 6E 0E 23 49 9C 72 21 91 00 00 .K...Pn. #I.r!... >+[1BD0] 00 00 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 ........ 
......KT >+[1BE0] 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C EST.SAMB A.EXAMPL >+[1BF0] 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 E.COM... .adminis >+[1C00] 74 72 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 trator.. ........ >+[1C10] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX >+[1C20] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 AMPLE.CO M....cif >+[1C30] 73 00 00 00 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 s....LOC ALKTEST6 >+[1C40] 00 17 00 00 00 10 1D C8 5E 46 48 82 F9 29 DB C6 ........ ^FH..).. >+[1C50] A6 F1 72 6D 8D E9 4D 99 4F 6A 4D 99 85 09 7D 44 ..rm..M. OjM...}D >+[1C60] 0B 68 00 00 00 00 00 40 28 00 00 00 00 00 00 00 .h.....@ (....... >+[1C70] 00 00 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 .......a ...0.... >+[1C80] 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA >+[1C90] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 MBA.EXAM PLE.COM. >+[1CA0] 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 69 .0...... ..0...ci >+[1CB0] 66 73 1B 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 A3 fs..LOCA LKTEST6. >+[1CC0] 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 ...0.... ........ >+[1CD0] 02 A2 82 03 9C 04 82 03 98 66 D8 19 46 FA CB 73 ........ .f..F..s >+[1CE0] 2D CF 88 FD 4A EE 07 48 DA 0E BC 58 30 43 40 A4 -...J..H ...X0C@. >+[1CF0] 9C 00 0F 3B 17 C1 2D F5 9C 3E D9 2F 1D CA 01 9B ...;..-. .>./.... >+[1D00] D7 2E EC D7 70 ED 8B 8B 1B 5E F2 4E EE DD 0F C0 ....p... .^.N.... >+[1D10] 8D 61 E5 D7 0A 56 00 32 B1 DB 91 37 29 0F 2F 85 .a...V.2 ...7)./. >+[1D20] EE A8 43 BA A5 B8 D4 19 74 33 F0 69 52 E1 58 98 ..C..... t3.iR.X. >+[1D30] 83 D6 16 0B 44 A9 63 9B D4 4E 6E A7 3E CD 9A 96 ....D.c. .Nn.>... >+[1D40] 4D C4 96 F5 07 6D 29 B6 ED 2A 62 3D 53 22 33 D1 M....m). .*b=S"3. >+[1D50] 95 E9 DF 74 4C 2A E2 29 AF 5B 69 B0 48 2D AD 94 ...tL*.) .[i.H-.. >+[1D60] FD A5 1D 54 D8 E2 5E C1 68 6F BA 02 01 79 C3 C9 ...T..^. ho...y.. >+[1D70] 97 0B 76 66 45 E2 3B 10 17 95 40 46 E4 85 B9 87 ..vfE.;. ..@F.... 
>+[1D80] BB CF CF 19 8C 3A C0 EA 38 3B B9 E9 4B 05 89 E5 .....:.. 8;..K... >+[1D90] 27 8C 62 95 BC 0D 65 F0 D2 C0 5E BC 65 01 D5 0B '.b...e. ..^.e... >+[1DA0] CB 17 31 0F 06 49 4F A2 4A 70 77 DB BD 92 5B 37 ..1..IO. Jpw...[7 >+[1DB0] 5C EC 06 DF C5 E2 31 C8 40 09 11 68 14 E7 7D CE \.....1. @..h..}. >+[1DC0] 54 4F 52 61 31 2C 1C 53 52 DB BE D8 95 39 EE 7D TORa1,.S R....9.} >+[1DD0] C6 CE C8 22 95 92 97 97 3D 5E 66 0F AD DC C2 4E ...".... =^f....N >+[1DE0] 2E 2B 9F 63 20 30 DF B7 C1 D4 65 AA 6F 2D 10 24 .+.c 0.. ..e.o-.$ >+[1DF0] 07 20 8D 88 6E 4B 09 04 31 B6 A3 EB F7 37 32 0E . ..nK.. 1....72. >+[1E00] 0C 73 C6 F6 B8 4D D9 0C 4C 5B EC 10 6A 51 19 EA .s...M.. L[..jQ.. >+[1E10] 3F FF 46 E7 73 16 A7 1F 33 98 7C 9B AD 5A 23 A9 ?.F.s... 3.|..Z#. >+[1E20] 40 7C 0F DF EE 0F AA C7 E8 63 07 98 3A 4A 0D 18 @|...... .c..:J.. >+[1E30] 62 01 21 B2 AE A5 69 B0 C1 15 51 BA 97 D2 C5 42 b.!...i. ..Q....B >+[1E40] 5B C5 30 38 18 A9 48 AB D7 FC A1 BC 9F 71 E7 EA [.08..H. .....q.. >+[1E50] 18 54 42 DA D6 A4 FC C1 DC F3 12 30 62 AC 98 E1 .TB..... ...0b... >+[1E60] 7D 2B 34 1E 52 4C 26 67 32 D9 44 1A 08 27 0E DA }+4.RL&g 2.D..'.. >+[1E70] D0 FC 84 66 35 81 D6 EB 98 46 6F 1E 47 E0 14 31 ...f5... .Fo.G..1 >+[1E80] BE 47 80 65 AA 0B 20 D6 33 36 3B 0D 40 2F 5A 2E .G.e.. . 36;.@/Z. >+[1E90] 0E 01 BE 00 EB 33 3E 4B 32 91 F4 22 96 E5 5F D4 .....3>K 2..".._. >+[1EA0] D5 92 94 CC 5B 59 6A 3E D2 FB A0 4F 99 C4 07 8B ....[Yj> ...O.... >+[1EB0] 6F 2B 14 37 CD 37 44 C0 1F 80 9C 43 46 F2 5E F4 o+.7.7D. ...CF.^. >+[1EC0] FE D3 39 70 61 BE 72 5B 3A 8F 37 95 78 1E AB D9 ..9pa.r[ :.7.x... >+[1ED0] E7 E9 DA FC 47 09 81 A0 0D 62 E1 F9 34 36 D1 DB ....G... .b..46.. >+[1EE0] E6 98 D8 F4 3E 77 5A 4D E2 5F 20 70 3D 3D 5B 34 ....>wZM ._ p==[4 >+[1EF0] D9 FD A8 31 F7 D9 59 F7 A3 F0 66 F7 D9 AD 1C CD ...1..Y. ..f..... >+[1F00] D5 85 33 A0 87 22 31 D4 F3 67 80 68 20 A2 90 72 ..3.."1. .g.h ..r >+[1F10] 7A 6F 64 FD 68 82 9E 91 B8 E3 F7 6D 6C 38 74 F0 zod.h... ...ml8t. 
>+[1F20] 96 A2 F6 25 D7 92 58 14 60 9F AE 01 4C 0C 09 67 ...%..X. `...L..g >+[1F30] 3E 35 67 71 1E 2A 86 21 D3 60 61 98 16 94 67 0B >5gq.*.! .`a...g. >+[1F40] 52 76 63 93 BD A3 3B A9 F0 A2 6A B7 E6 0F 35 64 Rvc...;. ..j...5d >+[1F50] DA 6A EA 20 A6 3D 94 71 59 5E CB B2 D3 F9 4D FE .j. .=.q Y^....M. >+[1F60] 1B 4B D8 64 C8 3B 7A A8 E6 D2 D5 76 71 26 D4 5C .K.d.;z. ...vq&.\ >+[1F70] DA 1A 55 17 F2 16 C9 2F 77 DB 95 19 48 A5 AC D0 ..U..../ w...H... >+[1F80] C3 31 9C 0A CC 1B 44 11 6B 7C 88 7A 5D CF 6E 12 .1....D. k|.z].n. >+[1F90] DA EF C5 C7 34 1D F4 CC EA 37 24 4B B3 0F C1 A3 ....4... .7$K.... >+[1FA0] F2 29 A0 D8 93 39 C6 16 57 D5 BF 57 BF 6C 7E F7 .)...9.. W..W.l~. >+[1FB0] 90 E0 EB A3 8B 07 56 9C EC 15 3E 21 DA A5 7C 00 ......V. ..>!..|. >+[1FC0] 3C F9 D2 A7 1C 6F 16 25 31 C5 28 A7 EA F3 47 31 <....o.% 1.(...G1 >+[1FD0] 50 DD E1 ED 0A 93 DB 85 CC 6B 4B 2C 7F E8 F8 2D P....... .kK,...- >+[1FE0] A9 6D 1D 0A 87 F2 10 8C 82 2F 9B D4 9B 92 8C 77 .m...... ./.....w >+[1FF0] 40 50 42 1E 42 C4 0A 4F E3 6C 6C DC 81 C4 1E BB @PB.B..O .ll..... >+[2000] F0 7D CF 3C 73 22 5B C3 1A 97 35 EE 3A CD 6D F3 .}.<s"[. ..5.:.m. >+[2010] 68 A3 C5 65 7E E9 54 C0 E3 7D 6A 32 4C D1 3E D0 h..e~.T. .}j2L.>. >+[2020] 78 4B BF 18 9F A5 25 4A 92 1E 6C 8F 01 D6 59 D7 xK....%J ..l...Y. >+[2030] CF 2E A0 CC 98 F6 75 28 2F F7 2A 70 28 A9 45 1F ......u( /.*p(.E. >+[2040] 75 C2 4E 62 ED D8 C4 A0 8D 55 B2 84 1C A4 CE 87 u.Nb.... .U...... >+[2050] EF 24 EE BC CE 40 09 EB 05 0B D1 14 31 50 32 2F .$...@.. ....1P2/ >+[2060] B6 A8 97 17 4B A7 95 01 50 6E 0E 23 49 9C 72 21 ....K... Pn.#I.r! >+[2070] 91 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 ........ ........ >+[2080] 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 .KTEST.S AMBA.EXA >+[2090] 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 MPLE.COM ....admi >+[20A0] 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 00 nistrato r....... 
>+[20B0] 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA >+[20C0] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 .EXAMPLE .COM.... >+[20D0] 68 6F 73 74 00 00 00 0B 6C 6F 63 61 6C 6B 74 65 host.... localkte >+[20E0] 73 74 36 00 17 00 00 00 10 72 47 04 38 B6 E6 F0 st6..... .rG.8... >+[20F0] 44 9E 9F 27 66 E1 69 9C 9A 4D 99 4F 6A 4D 99 90 D..'f.i. .M.OjM.. >+[2100] F5 7D 44 0B 68 00 00 00 00 00 40 28 00 00 00 00 .}D.h... ..@(.... >+[2110] 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 82 ........ ..a...0. >+[2120] 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 ........ ...KTEST >+[2130] 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 .SAMBA.E XAMPLE.C >+[2140] 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B OM..0... .....0.. >+[2150] 04 68 6F 73 74 1B 0B 6C 6F 63 61 6C 6B 74 65 73 .host..l ocalktes >+[2160] 74 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 t6....0. ........ >+[2170] 03 02 01 02 A2 82 03 9C 04 82 03 98 58 95 95 EB ........ ....X... >+[2180] CB 8F 68 D4 77 43 0F 3B 44 B4 15 DA 40 6D FD E9 ..h.wC.; D...@m.. >+[2190] 85 D3 2F CD B5 1E 96 CD F6 E9 67 91 36 08 9E B4 ../..... ..g.6... >+[21A0] B3 47 70 7A B3 4E 82 5A 4F 8E 4B F5 8D 04 E4 5C .Gpz.N.Z O.K....\ >+[21B0] C4 D8 0C AF 08 25 F9 C1 64 B2 3A 35 26 E9 B2 72 .....%.. d.:5&..r >+[21C0] 66 B5 E9 81 FC BE 12 1B CC 8A A5 82 31 F6 7F C3 f....... ....1... >+[21D0] 5A 19 A3 31 F2 99 14 1E 64 E4 41 E8 C7 C3 F3 DF Z..1.... d.A..... >+[21E0] F5 65 7D B0 9F DC 5D 25 1D 1A A8 EA AA 88 6D F4 .e}...]% ......m. >+[21F0] 7C 25 9F 53 F6 A6 8F B1 24 AF 98 FE 53 7B 35 3C |%.S.... $...S{5< >+[2200] DB EC 7F 09 74 E9 C4 8D 20 B4 47 08 0E 32 B8 C9 ....t... .G..2.. >+[2210] 45 27 12 F9 8E F5 D6 C2 DD 1A 96 0E 68 5F 39 65 E'...... ....h_9e >+[2220] 72 C7 BD 8E 04 0E 13 E1 03 27 AC 50 80 76 E6 7A r....... .'.P.v.z >+[2230] 8E F4 C2 72 4F 68 B3 34 00 A9 54 41 DA FD 96 94 ...rOh.4 ..TA.... >+[2240] 29 A1 59 15 2F DB 6C 94 85 49 C5 D0 6D 48 B0 C4 ).Y./.l. .I..mH.. 
>+[2250] 65 D0 95 1D DB 3D 25 D0 75 50 D4 CF FA 2F 71 57 e....=%. uP.../qW >+[2260] BD 6C 1C 59 E1 C3 5B C7 24 95 FF B0 20 EF 6A DB .l.Y..[. $... .j. >+[2270] 79 87 67 91 94 E9 16 E2 BB 74 7A 08 E1 6A 36 5F y.g..... .tz..j6_ >+[2280] DF 11 AB 35 9B 3E 32 48 83 89 41 4E 06 BF F9 BB ...5.>2H ..AN.... >+[2290] EC E4 D7 6D 77 C4 55 22 DF F7 91 4D CB C5 01 A5 ...mw.U" ...M.... >+[22A0] BA 2D 1E 92 76 04 E8 02 2F 5E AF 1C B3 B7 A6 FB .-..v... /^...... >+[22B0] 3A 9F D9 7C 6D DA B4 8F 31 00 A5 30 F2 76 72 9B :..|m... 1..0.vr. >+[22C0] 62 97 E0 56 E5 E4 C7 6B 8B FC 84 75 57 66 6E D7 b..V...k ...uWfn. >+[22D0] B7 41 6F 61 F4 5B 0F 87 68 F6 54 02 26 1B 1F B7 .Aoa.[.. h.T.&... >+[22E0] 60 D6 E7 FA 4F C7 DB 35 58 EC 13 21 D4 C6 A1 27 `...O..5 X..!...' >+[22F0] BA E7 82 DF 29 FB 9D 5D E8 35 28 C9 9C 4E D7 BE ....)..] .5(..N.. >+[2300] 2F 6D F1 E8 0B 5A 74 C9 93 9F AD 42 24 4B B7 3B /m...Zt. ...B$K.; >+[2310] 38 2A 11 CF F0 BD 85 40 48 D8 9D E7 6B 65 70 42 8*.....@ H...kepB >+[2320] 60 DA 9B 65 CB C8 C5 D7 40 3A 12 DC 64 AF 82 54 `..e.... @:..d..T >+[2330] 34 05 38 4F C6 FB 38 E2 73 A9 89 B7 FC 33 15 85 4.8O..8. s....3.. >+[2340] 9E CA E9 E0 89 18 18 84 02 65 B4 74 5B D4 A1 6F ........ .e.t[..o >+[2350] 5F 79 20 CB D7 36 C8 6D 5B 1E 5E 0C 82 16 9F CC _y ..6.m [.^..... >+[2360] 5A 1E 57 C1 B6 94 51 87 A1 3D 12 D4 8B FE 0F 93 Z.W...Q. .=...... >+[2370] ED 53 A3 F4 88 3C 35 05 89 FE AF 0B 36 62 E3 2F .S...<5. ....6b./ >+[2380] 5C 4A 0E 07 67 39 A3 8E C0 45 07 7F 73 32 BC DE \J..g9.. .E..s2.. >+[2390] 2D 00 8B 47 79 3D 1C A1 90 AE B6 8F 83 B2 1B 31 -..Gy=.. .......1 >+[23A0] EE E4 F2 C5 C1 4A E2 4A 2F 28 F0 AA 19 43 6A 14 .....J.J /(...Cj. >+[23B0] B1 42 61 90 34 2E EE 3D 16 9F 5D 9F 7A A2 01 7A .Ba.4..= ..].z..z >+[23C0] 4B 96 FA 4D C9 85 1A 75 27 B7 6B FD 4D 7D 9C 65 K..M...u '.k.M}.e >+[23D0] 97 DB 05 CC 76 68 EA 05 5D 5D BB BD 51 4B 5B F2 ....vh.. ]]..QK[. >+[23E0] 48 59 BD 1E AD 56 D4 69 A5 75 CD ED EC B1 3E AB HY...V.i .u....>. 
>+[23F0] FA B7 F8 8D 4F BE 95 63 38 1C 4C 70 26 C4 3A 21 ....O..c 8.Lp&.:! >+[2400] 80 61 05 3A D4 E2 28 2C 85 01 5A DA FC 10 60 F3 .a.:..(, ..Z...`. >+[2410] 74 0C FD DB 2F 5B 25 4B 14 E4 7D 8A DB 85 12 D2 t.../[%K ..}..... >+[2420] D7 69 CD B5 B1 93 CE E5 E6 4D 57 D3 C2 D3 2E A0 .i...... .MW..... >+[2430] 08 37 09 CD 19 99 09 FA 33 68 4A E0 92 46 21 0C .7...... 3hJ..F!. >+[2440] 99 9F DA 05 15 20 8B 3D 7C 7B CA D6 81 AC AA 83 ..... .= |{...... >+[2450] 48 C8 24 4C C8 FC A5 14 2C BC 49 1A 1C 49 61 1D H.$L.... ,.I..Ia. >+[2460] 24 86 42 B1 37 6A C8 3A AC 18 CC C0 50 84 12 48 $.B.7j.: ....P..H >+[2470] 8B 29 0A 49 26 A4 E2 B9 E5 96 E7 37 C3 DE 4C 23 .).I&... ...7..L# >+[2480] D2 D4 62 14 8F 1E 72 39 CF 03 BC A3 00 C7 63 51 ..b...r9 ......cQ >+[2490] A9 6B E4 3E B2 65 A1 A2 BB EC 06 41 85 50 22 02 .k.>.e.. ...A.P". >+[24A0] 46 2F 72 2B 32 1A A4 2D 85 94 02 47 69 8D AD 6D F/r+2..- ...Gi..m >+[24B0] 66 AB D4 E4 29 C8 C7 DA F4 18 31 2A DF 50 6A 05 f...)... ..1*.Pj. >+[24C0] D6 47 26 C4 F9 87 0F 35 24 6E 72 D6 23 7D 3A 94 .G&....5 $nr.#}:. >+[24D0] 14 8D E8 57 AA BA D7 CF A9 2D E7 4C 10 7C D8 0D ...W.... .-.L.|.. >+[24E0] 51 30 1F E1 FB E5 E2 6C EE AA 65 2F D8 22 05 67 Q0.....l ..e/.".g >+[24F0] 87 4D 4D D2 11 3D B4 1E AA 20 3F 76 E3 94 93 6D .MM..=.. . ?v...m >+[2500] AC 10 05 AF 09 BD 67 86 C5 83 93 D6 1C D3 81 D9 ......g. ........ >+[2510] B1 3B E1 76 00 00 00 00 00 00 00 01 00 00 00 01 .;.v.... ........ >+[2520] 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E ....KTES T.SAMBA. >+[2530] 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 EXAMPLE. COM....a >+[2540] 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 dministr ator.... >+[2550] 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA >+[2560] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 MBA.EXAM PLE.COM. >+[2570] 00 00 04 68 6F 73 74 00 00 00 0B 4C 4F 43 41 4C ...host. ...LOCAL >+[2580] 4B 54 45 53 54 36 00 17 00 00 00 10 55 6E 3E FC KTEST6.. ....Un>. 
>+[2590] E2 F4 40 51 19 E6 6E EB 23 4C 48 8E 4D 99 4F 6A ..@Q..n. #LH.M.Oj >+[25A0] 4D 99 90 FC 7D 44 0B 68 00 00 00 00 00 40 28 00 M...}D.h .....@(. >+[25B0] 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 ........ .....a.. >+[25C0] F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 .0...... ......KT >+[25D0] 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C EST.SAMB A.EXAMPL >+[25E0] 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 E.COM..0 ........ >+[25F0] 30 13 1B 04 68 6F 73 74 1B 0B 4C 4F 43 41 4C 4B 0...host ..LOCALK >+[2600] 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 02 TEST6... .0...... >+[2610] 01 17 A1 03 02 01 02 A2 82 03 9C 04 82 03 98 6E ........ .......n >+[2620] 87 B7 7B 3A 7E EF 4A 1B 29 C9 E3 C4 1F 42 4F 0E ..{:~.J. )....BO. >+[2630] C8 AC AC 4E A2 77 1D DA 93 37 F1 AF DA A3 75 2D ...N.w.. .7....u- >+[2640] 12 8B 40 34 23 0E 8E A9 90 58 46 42 42 39 31 D6 ..@4#... .XFBB91. >+[2650] 03 9E 5D 81 D9 E8 F6 08 2B D9 96 88 8A 2F F1 CC ..]..... +..../.. >+[2660] F2 EA 9E 9A 4B 31 B6 04 2D 3D 4C 7F 92 DE 3B 04 ....K1.. -=L...;. >+[2670] 19 EE 28 D0 83 81 C3 46 CD 74 23 4C 14 34 DE 62 ..(....F .t#L.4.b >+[2680] 0A AC E5 12 16 75 E9 A8 4B 32 78 CC 8D AE A2 E5 .....u.. K2x..... >+[2690] 6D E8 09 70 76 52 F5 E5 18 F7 E7 91 15 6A 69 AB m..pvR.. .....ji. >+[26A0] B8 62 DD 80 F5 28 6D DF ED 10 DA AC FB 92 27 CF .b...(m. ......'. >+[26B0] 98 B5 77 9D A5 96 E6 9A CC B9 C3 91 78 22 35 9C ..w..... ....x"5. >+[26C0] A1 13 A3 20 28 D1 16 E5 3E 4A 85 1E 12 0B CA 4D ... (... >J.....M >+[26D0] C6 C8 03 C8 28 2C D8 29 5D 9A 76 4A 92 13 43 56 ....(,.) ].vJ..CV >+[26E0] AF F7 C1 71 25 72 5C 38 75 1C 07 F1 5E 86 05 72 ...q%r\8 u...^..r >+[26F0] 6F 69 95 42 B6 F2 DA A9 91 06 9F B9 54 20 33 A5 oi.B.... ....T 3. >+[2700] 31 60 3B 54 DC 3A 95 34 96 26 07 52 6B 0E 1D 3B 1`;T.:.4 .&.Rk..; >+[2710] D9 F8 48 20 AC CD 05 3B 99 F8 EE DB 83 28 CD C7 ..H ...; .....(.. >+[2720] 2F 45 00 7E 2F 0A 65 7A D1 9E 95 4B EE C3 34 93 /E.~/.ez ...K..4. 
>+[2730] A8 C7 DF 03 8B 14 D0 FC CE 56 90 AC EE 93 C5 D3 ........ .V...... >+[2740] F7 12 24 69 0B 20 8D A2 65 87 55 26 2A F9 9A 88 ..$i. .. e.U&*... >+[2750] D7 0D 86 61 D6 92 B6 FE E5 D1 66 F9 1F 9D F4 04 ...a.... ..f..... >+[2760] 48 A6 39 BC 54 20 EA 10 21 E9 6D 30 46 1D C2 1C H.9.T .. !.m0F... >+[2770] A4 E8 B4 63 85 37 27 25 80 52 41 60 C7 A1 32 21 ...c.7'% .RA`..2! >+[2780] 43 90 02 E6 5F 5A E9 4E AF F9 B5 13 BD 42 BD A3 C..._Z.N .....B.. >+[2790] A5 4D 10 45 83 4D 92 18 1F C9 CF FB 84 29 89 23 .M.E.M.. .....).# >+[27A0] AC 71 4B 89 1B 52 E5 06 8C 3E 7C 88 CB D3 B3 CF .qK..R.. .>|..... >+[27B0] B9 7A 67 D6 24 F4 AC 00 A6 AD 91 30 9A 95 53 F1 .zg.$... ...0..S. >+[27C0] 48 06 A6 39 DB CF DC 9D C9 55 76 26 5E C1 DB 5D H..9.... .Uv&^..] >+[27D0] B3 5B 3E AE 1A A0 10 BA 82 21 83 44 02 E0 99 33 .[>..... .!.D...3 >+[27E0] 40 BA 29 9E 28 E5 73 4C 23 94 A2 4F BF 07 ED 4F @.).(.sL #..O...O >+[27F0] 7C 45 9B 30 C8 41 6B 0A 55 13 6E F5 AD 7A 0C B2 |E.0.Ak. U.n..z.. >+[2800] EA FF D0 06 13 4D F3 24 82 7F F6 51 2F 4A 4F 0D .....M.$ ...Q/JO. >+[2810] 37 F8 14 6B E9 E4 82 BB 3A 75 63 63 12 E8 78 6F 7..k.... :ucc..xo >+[2820] 6F FC 6C D3 4B A6 F1 CC 2A F1 7D EB 82 26 2F D0 o.l.K... *.}..&/. >+[2830] A1 8B 3E 9A 71 D7 91 D3 08 E6 FD 62 1B 84 13 2D ..>.q... ...b...- >+[2840] 8E A0 A0 C3 85 78 2F 0D F8 E7 10 FC CB 05 A7 B9 .....x/. ........ >+[2850] 9A 33 90 B5 9B 26 E3 23 98 B0 91 4B EB 32 37 D6 .3...&.# ...K.27. >+[2860] F4 ED 61 08 D8 75 CC 03 83 2C 3C CF 21 63 9C F6 ..a..u.. .,<.!c.. >+[2870] AF 5B 4F 12 07 74 17 CD 98 BB E7 5E C7 17 2D C4 .[O..t.. ...^..-. >+[2880] 87 A4 74 6D 5E CE DB A3 01 B9 AD 20 73 38 78 22 ..tm^... ... s8x" >+[2890] 3D 45 F5 51 77 C6 47 63 45 61 81 D9 FF 31 90 C4 =E.Qw.Gc Ea...1.. >+[28A0] 6F 5A F8 FE 6A 56 5B D4 EE EC 49 C7 A7 51 AE 5C oZ..jV[. ..I..Q.\ >+[28B0] 85 53 70 3D 1A 49 83 59 CF 65 58 B3 48 7E 04 9E .Sp=.I.Y .eX.H~.. >+[28C0] C7 64 8A 05 73 E3 DC 1A 65 5D 4F 41 01 56 73 90 .d..s... e]OA.Vs. 
>+[28D0] 61 F3 84 1F FF CF 46 B2 06 46 56 97 93 B9 DB 32 a.....F. .FV....2 >+[28E0] 2A 64 8A 48 02 05 84 E9 FA 76 8B 94 96 89 A0 73 *d.H.... .v.....s >+[28F0] 20 75 4D 52 1D 23 13 D1 83 D7 5D 59 23 6A 87 C1 uMR.#.. ..]Y#j.. >+[2900] 09 3E 01 3A 28 65 42 8C 35 F1 91 EA 6A 1F 83 0D .>.:(eB. 5...j... >+[2910] 8F 57 69 81 D4 A2 D2 EA 0C BF AF 95 A3 F4 90 15 .Wi..... ........ >+[2920] 61 34 F2 6C 8B D0 DA B5 1E 43 AC CE C7 8A 1B 2B a4.l.... .C.....+ >+[2930] 29 2B 89 1C C5 53 C8 04 F7 1E 46 72 F3 A8 CE F7 )+...S.. ..Fr.... >+[2940] 59 76 55 E7 53 1C A2 9F D8 23 F7 EA 71 B0 74 83 YvU.S... .#..q.t. >+[2950] 71 95 3E DC A6 FA 2D A4 42 13 93 8B 2B FA A2 70 q.>...-. B...+..p >+[2960] 25 21 2D F6 E1 26 56 DF 58 79 25 16 E8 C9 03 EC %!-..&V. Xy%..... >+[2970] 72 5F 35 CF 59 6B E1 AD 85 85 7B AB 78 F2 0D AC r_5.Yk.. ..{.x... >+[2980] AB 89 F2 DA 85 E7 DE 09 77 99 EC 7C F3 97 1F 71 ........ w..|...q >+[2990] 3C DB 09 44 7A 3C 69 E5 03 B0 6D 4D 3B 6B 4C D5 <..Dz<i. ..mM;kL. >+[29A0] AB 52 2F 6F 81 2B 51 5B D2 66 44 1E B7 66 5D 7F .R/o.+Q[ .fD..f]. >+[29B0] 09 6A 92 27 27 62 08 00 00 00 00 .j.''b.. ... >+dump OK >diff --git a/source3/selftest/ktest-krb5_ccache-3.txt b/source3/selftest/ktest-krb5_ccache-3.txt >new file mode 100644 >index 00000000000..76c492cd2b1 >--- /dev/null >+++ b/source3/selftest/ktest-krb5_ccache-3.txt 
>@@ -0,0 +1,832 @@ >+pull returned Success >+ CCACHE: struct CCACHE >+ pvno : 0x05 (5) >+ version : 0x04 (4) >+ optional_header : union OPTIONAL_HEADER(case 0x4) >+ v4header: struct V4HEADER >+ v4tags: struct V4TAGS >+ tag: struct V4TAG >+ tag : 0x0001 (1) >+ field : union FIELD(case 0x1) >+ deltatime_tag: struct DELTATIME_TAG >+ kdc_sec_offset : 0 >+ kdc_usec_offset : 0 >+ further_tags : DATA_BLOB length=0 >+ principal: struct PRINCIPAL >+ name_type : 0x00000001 (1) >+ component_count : 0x00000001 (1) >+ realm : 'KTEST.SAMBA.EXAMPLE.COM' >+ components: ARRAY(1) >+ components : 'administrator' >+ cred: struct CREDENTIAL >+ client: struct PRINCIPAL >+ name_type : 0x00000001 (1) >+ component_count : 0x00000001 (1) >+ realm : 'KTEST.SAMBA.EXAMPLE.COM' >+ components: ARRAY(1) >+ components : 'administrator' >+ server: struct PRINCIPAL >+ name_type : 0x00000000 (0) >+ component_count : 0x00000002 (2) >+ realm : 'KTEST.SAMBA.EXAMPLE.COM' >+ components: ARRAY(2) >+ components : 'krbtgt' >+ components : 'KTEST.SAMBA.EXAMPLE.COM' >+ keyblock: struct KEYBLOCK >+ enctype : 0x0017 (23) >+ data : DATA_BLOB length=16 >+[0000] E5 E4 15 C8 A8 0F 4D 95 F9 1B E3 B9 98 CA A1 7F ......M. ........ >+ authtime : 0x4d9b9045 (1302040645) >+ starttime : 0x4d9b9045 (1302040645) >+ endtime : 0x7d464c43 (2101759043) >+ renew_till : 0x7d464c43 (2101759043) >+ is_skey : 0x00 (0) >+ ticket_flags : 0x40e00000 (1088421888) >+ addresses: struct ADDRESSES >+ count : 0x00000000 (0) >+ data: ARRAY(0) >+ authdata: struct AUTHDATA >+ count : 0x00000000 (0) >+ data: ARRAY(0) >+ ticket : DATA_BLOB length=1032 >+[0000] 61 82 04 04 30 82 04 00 A0 03 02 01 05 A1 19 1B a...0... ........ >+[0010] 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 .KTEST.S AMBA.EXA >+[0020] 4D 50 4C 45 2E 43 4F 4D A2 2C 30 2A A0 03 02 01 MPLE.COM .,0*.... 
>+[0030] 00 A1 23 30 21 1B 06 6B 72 62 74 67 74 1B 17 4B ..#0!..k rbtgt..K >+[0040] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP >+[0050] 4C 45 2E 43 4F 4D A3 82 03 AE 30 82 03 AA A0 03 LE.COM.. ..0..... >+[0060] 02 01 17 A1 03 02 01 01 A2 82 03 9C 04 82 03 98 ........ ........ >+[0070] 01 40 48 A6 B8 F0 DA 43 54 A5 18 CF B0 15 CB 68 .@H....C T......h >+[0080] 9F A0 69 44 87 A9 FF 06 25 B9 29 48 59 64 26 48 ..iD.... %.)HYd&H >+[0090] 96 7C 46 6A 79 E5 F0 77 DB 46 6C 20 A1 59 D9 F8 .|Fjy..w .Fl .Y.. >+[00A0] 6A 8A 2D B5 D9 EF A4 54 DE 19 20 C0 7B 93 D4 3D j.-....T .. .{..= >+[00B0] ED 72 35 AF 9D 87 75 9E 44 01 A4 6C D9 EA 94 A3 .r5...u. D..l.... >+[00C0] 18 C6 42 75 E3 0A 0C 76 9A AE 75 BC A3 02 91 BC ..Bu...v ..u..... >+[00D0] 2D BB 3C 23 73 A6 1A A7 8A 3E 85 42 5D 1F 5D 7D -.<#s... .>.B].]} >+[00E0] 0B 1F C3 88 2A 93 40 F9 E9 18 7D 3F 73 DA AC 1F ....*.@. ..}?s... >+[00F0] E7 7B C3 B8 14 56 C3 63 86 5B AF C9 C3 21 9F 94 .{...V.c .[...!.. >+[0100] B4 67 06 60 7F 56 2D F4 C7 22 CD B4 1C 14 B7 5B .g.`.V-. .".....[ >+[0110] 26 67 9D 18 28 B5 5D C2 FC 13 B6 CA 9F AB CD 32 &g..(.]. .......2 >+[0120] 71 D5 51 5F A2 11 5A 5D 4A B3 3B 1D D1 6B 4F 7D q.Q_..Z] J.;..kO} >+[0130] E9 54 F0 B4 AC 80 DE 27 80 C5 64 3C 0B 22 79 1C .T.....' ..d<."y. >+[0140] 9E D1 58 A1 3E 20 5A 9F E3 34 49 D8 16 C6 6B 2D ..X.> Z. .4I...k- >+[0150] 36 0E E2 C2 3F 44 DE 63 32 DB EB 78 50 A2 6F 37 6...?D.c 2..xP.o7 >+[0160] 05 2B 13 D4 31 07 D4 2A C0 53 B1 30 39 79 C3 D8 .+..1..* .S.09y.. >+[0170] C4 4C 30 97 E8 F9 DA ED 10 B0 D0 21 71 8B 56 F3 .L0..... ...!q.V. >+[0180] 0F 3A 2D 26 A2 3D AD 70 27 82 95 59 0A D7 7D 4E .:-&.=.p '..Y..}N >+[0190] 2D 76 96 4D 94 70 2A BB 26 3B 7E FC E1 59 5A 55 -v.M.p*. &;~..YZU >+[01A0] 04 A2 DA 27 AD 46 70 45 43 C0 FB C1 42 7F F0 CB ...'.FpE C...B... >+[01B0] 21 D2 CD 54 35 7C 60 13 EE BB BB 60 6B 91 2B BE !..T5|`. ...`k.+. >+[01C0] 91 8A CF 49 29 F8 60 D1 AB A5 51 B5 5E 4B B2 3A ...I).`. 
..Q.^K.: >+[01D0] F4 56 3A 89 2D 88 D0 73 08 A6 FB D8 6E B3 B1 4E .V:.-..s ....n..N >+[01E0] D8 90 27 58 D2 53 40 B2 A0 3C 40 4D E9 21 C6 83 ..'X.S@. .<@M.!.. >+[01F0] FC 15 14 F0 8C 08 46 C5 29 14 E3 84 CC 2C 56 C9 ......F. )....,V. >+[0200] 20 53 45 34 D0 BE E0 CC F7 F1 15 D4 D4 B1 3C 43 SE4.... ......<C >+[0210] EB 5E 9D 33 07 B4 5B E7 D8 24 B0 EB 7B 27 24 6B .^.3..[. .$..{'$k >+[0220] 2A 90 C9 17 D9 24 CF FD 56 28 D7 73 74 03 2F DA *....$.. V(.st./. >+[0230] C4 E0 B3 78 E4 9A 60 4D 5C C7 F5 CF 9C 14 7C B6 ...x..`M \.....|. >+[0240] 1B 5D 76 D1 E3 73 73 2F 41 BD E3 E7 F0 92 B4 5B .]v..ss/ A......[ >+[0250] 07 B4 16 77 DC 3C 28 A4 92 82 C5 7C CA 00 9C 77 ...w.<(. ...|...w >+[0260] B8 28 7F D0 3F EA 2B C1 79 2B 73 FF E0 E0 A5 17 .(..?.+. y+s..... >+[0270] 02 CA 6C B6 02 D2 51 D3 CE 6F 5B 56 E0 7B 38 22 ..l...Q. .o[V.{8" >+[0280] 76 52 48 2D 0A 2F 15 58 A9 FE 03 65 E1 D5 A8 60 vRH-./.X ...e...` >+[0290] E3 5D E6 53 D8 AA 05 D0 90 61 EF B6 28 4A B9 84 .].S.... .a..(J.. >+[02A0] 56 79 80 D2 53 08 1D 17 C4 05 4E F8 04 10 2B CF Vy..S... ..N...+. >+[02B0] 08 DD 61 68 27 21 A5 8A C0 35 6A 0A 94 6D 9E FD ..ah'!.. .5j..m.. >+[02C0] C9 45 AC E3 4F 60 BB 96 AF D4 4E 71 A9 D9 BE 33 .E..O`.. ..Nq...3 >+[02D0] DC 61 8B 14 77 6C A7 72 70 02 65 62 32 9C 8E 53 .a..wl.r p.eb2..S >+[02E0] C9 A3 5B B9 14 3C 00 A2 1D C7 CD 36 5B 5F BE 40 ..[..<.. ...6[_.@ >+[02F0] 28 E2 58 0D D1 05 53 78 F0 86 0F 80 1A 6A 1D DC (.X...Sx .....j.. >+[0300] D4 CD F2 83 0E 25 E1 60 DB C7 F4 B6 05 4F 0D 11 .....%.` .....O.. >+[0310] A4 AE A5 F8 6D 14 CF DF 03 C5 27 75 75 B5 0C F1 ....m... ..'uu... >+[0320] C3 01 F9 A4 FD 2E 0B BD 51 A8 C1 3B DE 48 CF 3A ........ Q..;.H.: >+[0330] CF B3 41 23 9A 9D 0C 79 11 7C 9B D3 71 43 4E 9D ..A#...y .|..qCN. >+[0340] B5 52 19 28 2C A0 4E 0E 8D 7A 84 9A B9 A0 EB FA .R.(,.N. .z...... >+[0350] 6E A1 DF B9 2F 6B FE 5E AE 85 D1 6B A2 C5 BE 07 n.../k.^ ...k.... >+[0360] E7 D6 33 3A 0F 2B ED FB 30 6F 88 1E F9 09 CC C3 ..3:.+.. 0o...... 
>+[0370] 8F 59 A0 D4 8D 9F A6 08 B0 D3 ED EB 15 13 1B 8E .Y...... ........ >+[0380] 19 C6 14 9C 25 E7 E9 EF 5A 67 7B CD 86 C4 D1 51 ....%... Zg{....Q >+[0390] 2B DE 27 30 D9 F5 6E F9 E4 3E CF 42 54 AE 42 61 +.'0..n. .>.BT.Ba >+[03A0] C5 22 B7 AE 51 76 8F 12 83 7F E1 9F 97 D8 31 38 ."..Qv.. ......18 >+[03B0] A6 B9 11 B4 E1 BA 19 5B E4 A5 A3 6F 4B B3 03 93 .......[ ...oK... >+[03C0] 4C D6 1E 08 FC 94 D1 C5 7C AA 95 EB 9C 7A C2 57 L....... |....z.W >+[03D0] 60 CA 17 FF 8E 66 80 76 CB 35 46 26 C3 BD CA 83 `....f.v .5F&.... >+[03E0] F0 04 08 0D 4C 5D B2 E4 7C 1C 82 28 D7 2C 42 B1 ....L].. |..(.,B. >+[03F0] 36 72 60 5E 26 4A 79 D0 41 94 3C 2C 65 0E 32 18 6r`^&Jy. A.<,e.2. >+[0400] B8 56 26 9D D3 84 78 BB .V&...x. >+ second_ticket : DATA_BLOB length=0 >+ further_creds : DATA_BLOB length=4748 >+[0000] 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 ........ ....KTES >+[0010] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. >+[0020] 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 COM....a dministr >+[0030] 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 ator.... ........ >+[0040] 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D KTEST.SA MBA.EXAM >+[0050] 50 4C 45 2E 43 4F 4D 00 00 00 04 68 6F 73 74 00 PLE.COM. ...host. >+[0060] 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 00 17 ...local ktest6.. >+[0070] 00 00 00 10 EA 0D 3A 24 41 21 F7 7D 7D A3 C5 BB ......:$ A!.}}... >+[0080] A4 88 F6 17 4D 9B 90 45 4D 9B 90 52 7D 46 4C 43 ....M..E M..R}FLC >+[0090] 00 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 .....@(. ........ >+[00A0] 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 .....a.. .0...... >+[00B0] 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB >+[00C0] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 A.EXAMPL E.COM..0 >+[00D0] 1C A0 03 02 01 01 A1 15 30 13 1B 04 68 6F 73 74 ........ 0...host >+[00E0] 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 A3 82 03 ..localk test6... >+[00F0] AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 03 A2 .0...... ........ 
>+[0100] 82 03 9C 04 82 03 98 44 8B C4 7D BA 9F FE 59 F6 .......D ..}...Y. >+[0110] C1 DF 62 89 02 A4 55 54 AB D6 D6 2E 8B 5E 35 3D ..b...UT .....^5= >+[0120] D9 46 9D 8B 49 93 A6 66 5F 1A 8B 81 AD 09 19 E9 .F..I..f _....... >+[0130] 59 CE 58 18 50 63 4A A6 7D 6F 71 21 51 4A 41 C2 Y.X.PcJ. }oq!QJA. >+[0140] A1 FE B0 D5 0A 3D 38 9F E5 3B 72 A2 7A 59 22 A4 .....=8. .;r.zY". >+[0150] B7 1C A3 8D DB EA 5D A5 E2 D3 1D AE 42 D0 7F 75 ......]. ....B..u >+[0160] B5 E9 ED B5 04 7B 67 1E 28 90 7D 3D 1A 3E F6 62 .....{g. (.}=.>.b >+[0170] D0 A1 56 89 28 76 5C 19 1A FD 66 E5 F2 86 E7 58 ..V.(v\. ..f....X >+[0180] 93 31 90 C5 CD F8 71 96 56 21 15 13 F0 EA C2 CC .1....q. V!...... >+[0190] 48 4C B4 50 EF F9 81 44 29 8A 75 C4 31 75 D1 BA HL.P...D ).u.1u.. >+[01A0] E2 0B 05 B2 E0 EA 64 3A 11 45 84 3D 69 55 FF E6 ......d: .E.=iU.. >+[01B0] 32 7E C9 CA C4 28 E8 40 B6 5E F9 26 0F 09 12 1F 2~...(.@ .^.&.... >+[01C0] 1F D4 9C 9A 50 E8 B7 6D F8 4F 55 6E 2A D4 AC 6A ....P..m .OUn*..j >+[01D0] 79 D1 C2 2A 88 99 F8 39 75 36 F1 2D C7 89 0A C6 y..*...9 u6.-.... >+[01E0] B4 C7 A1 7B F1 BF 22 87 A4 B2 93 22 54 A1 72 25 ...{..". ..."T.r% >+[01F0] AF 67 FE 20 D5 C8 29 47 28 FF 51 FB F9 4E 2C 17 .g. ..)G (.Q..N,. >+[0200] 10 BE 2E 13 8B 18 BE 3C A3 BE 50 49 A7 65 DD 2E .......< ..PI.e.. >+[0210] CC EB D6 0F 47 4E DB 7E 08 D5 F0 37 79 36 8F 24 ....GN.~ ...7y6.$ >+[0220] 34 28 86 89 EC A3 84 7F 44 4E 37 03 B5 D8 89 1C 4(...... DN7..... >+[0230] C7 AA AC 42 70 5F 96 73 35 8B 83 D1 16 24 27 C1 ...Bp_.s 5....$'. >+[0240] EC 0E AE 83 59 5A C2 EB C1 91 B6 3D BB 8D 21 49 ....YZ.. ...=..!I >+[0250] 63 41 3C 91 1D E9 01 C2 4F A9 E4 42 C1 FD 54 E3 cA<..... O..B..T. >+[0260] 7B 3B DF 24 3D 98 E9 84 F8 1D 8D CE 4D 85 AC 8A {;.$=... ....M... >+[0270] 12 15 48 C4 DA 1B 3C B8 FC A3 0B AF E2 4D 71 E9 ..H...<. .....Mq. >+[0280] 0A 28 53 DC 4E 6C 23 2C 73 26 50 FE 37 03 BF D1 .(S.Nl#, s&P.7... >+[0290] 5F 8A 39 4F 04 2E 4A CE 3C 90 11 0C DA 84 5C C3 _.9O..J. <.....\. 
>+[02A0] F8 BE C7 74 ED F4 CF 7E B2 AE 9B 47 D6 2A 1D 93 ...t...~ ...G.*.. >+[02B0] 3F A8 8B 51 E9 A3 A0 59 55 DB E3 52 67 E3 DE FF ?..Q...Y U..Rg... >+[02C0] B1 56 74 A0 87 21 99 23 8C 8E D1 92 A6 3D 93 D6 .Vt..!.# .....=.. >+[02D0] 4D 5B 84 2B B1 8D DD E4 F7 01 A6 6C 4A DF 3C 6E M[.+.... ...lJ.<n >+[02E0] A0 FA 74 93 BE 18 7C 30 29 9D B8 DB 5F D1 AA B7 ..t...|0 )..._... >+[02F0] 51 7C 2A 90 1A 8B 06 95 E1 80 0D 27 B2 6C 52 1C Q|*..... ...'.lR. >+[0300] C7 D1 E9 16 14 F1 6C 57 48 28 BD 13 B5 83 BA A7 ......lW H(...... >+[0310] 75 31 69 52 03 38 69 13 62 ED C6 DC C2 01 C8 F1 u1iR.8i. b....... >+[0320] 45 02 4D 8C 64 CF 96 90 3E C2 08 EC 2B 8D 92 93 E.M.d... >...+... >+[0330] 4B 6D 22 B3 41 DE 85 35 2D 19 09 E5 68 8E 1F 98 Km".A..5 -...h... >+[0340] 1B F2 73 F2 D4 91 08 89 42 0C 05 8B 42 77 6B CC ..s..... B...Bwk. >+[0350] 18 78 43 1A 73 C2 7C E7 C2 23 28 56 F7 A0 19 B3 .xC.s.|. .#(V.... >+[0360] 99 A6 25 4F C3 5E 70 EC 78 BB 30 15 36 77 B3 A6 ..%O.^p. x.0.6w.. >+[0370] 89 98 B6 A0 85 CC 8F E7 41 40 B5 E0 89 93 25 04 ........ A@....%. >+[0380] B8 1D 0B 06 31 1D C7 30 52 E1 64 29 8C 64 B9 89 ....1..0 R.d).d.. >+[0390] 1F 86 5A AD 74 15 1C C8 AF 37 7B 27 E0 C0 DB 73 ..Z.t... .7{'...s >+[03A0] 30 72 65 D3 C0 A5 07 61 E9 0C 07 A1 27 18 8F 50 0re....a ....'..P >+[03B0] DB CE FB 4C DD 75 98 F2 28 D2 76 FF F2 41 9F D5 ...L.u.. (.v..A.. >+[03C0] 74 22 8A 03 73 B1 A8 B3 B8 80 93 E5 E2 CD 4B F2 t"..s... ......K. >+[03D0] 6B 99 DF 5B 5B C7 22 69 81 2A 8A CD 2A F9 9D 08 k..[[."i .*..*... >+[03E0] B8 B0 40 77 D3 43 8B AF 40 DD 0C CB 45 E3 88 CB ..@w.C.. @...E... >+[03F0] 06 AA 63 38 EB DD 72 89 03 0E DC 3E 97 3F 16 D4 ..c8..r. ...>.?.. >+[0400] 1A 21 40 D8 30 BD B0 B4 04 C2 7A 22 43 15 A2 D8 .!@.0... ..z"C... >+[0410] 2F 08 28 3B 63 26 AA B3 1C B6 FC E4 0B 2A CD 0E /.(;c&.. .....*.. >+[0420] A8 7C E8 11 33 03 D3 C5 6C 35 6A 5D 3C 5A 80 1A .|..3... l5j]<Z.. >+[0430] BC 1C 54 DE 5C 6A E2 F3 A1 18 8E 47 88 8B 71 11 ..T.\j.. ...G..q. 
>+[0440] 09 2F 29 88 D9 BB DC 34 09 E1 2F 7E A7 E8 29 DC ./)....4 ../~..). >+[0450] F9 5A 1D 9E C8 A4 CC 52 8A E6 CB 4A 3F F9 77 F7 .Z.....R ...J?.w. >+[0460] 53 64 62 9E 5F E6 D7 F6 43 E6 9C 03 C9 55 B1 CB Sdb._... C....U.. >+[0470] 25 40 74 AA E9 AB 34 58 E1 E8 9B B3 1D 9E 83 FD %@t...4X ........ >+[0480] 7A BF DC 45 2D A8 9A F8 AF 9C 63 EF 1B 2B 9D CC z..E-... ..c..+.. >+[0490] F3 08 74 EC 6E 40 8E 18 62 BD F3 87 66 87 67 00 ..t.n@.. b...f.g. >+[04A0] 00 00 00 00 00 00 01 00 00 00 01 00 00 00 17 4B ........ .......K >+[04B0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP >+[04C0] 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 LE.COM.. ..admini >+[04D0] 73 74 72 61 74 6F 72 00 00 00 01 00 00 00 02 00 strator. ........ >+[04E0] 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 ...KTEST .SAMBA.E >+[04F0] 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 XAMPLE.C OM....ci >+[0500] 66 73 00 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 fs....lo calktest >+[0510] 36 00 17 00 00 00 10 92 C6 A1 91 6D 55 01 4E BE 6....... ...mU.N. >+[0520] E4 3F E3 36 B0 D3 28 4D 9B 90 45 4D 9B 90 5A 7D .?.6..(M ..EM..Z} >+[0530] 46 4C 43 00 00 00 00 00 40 28 00 00 00 00 00 00 FLC..... @(...... >+[0540] 00 00 00 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 ........ a...0... >+[0550] A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 ........ .KTEST.S >+[0560] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM >+[0570] A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 ..0..... ...0...c >+[0580] 69 66 73 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 ifs..loc alktest6 >+[0590] A3 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 03 02 ....0... ........ >+[05A0] 01 03 A2 82 03 9C 04 82 03 98 FE 09 00 80 36 35 ........ ......65 >+[05B0] D4 6E 71 0C 33 22 36 9E 89 88 32 E3 34 4A 4C BF .nq.3"6. ..2.4JL. >+[05C0] 80 19 81 CC A0 CB 96 DB 31 F7 2A 19 75 DE 0E DA ........ 1.*.u... >+[05D0] D0 18 FA 9E 75 E6 E4 13 C9 BE 3F C0 1B AD 5B 98 ....u... ..?...[. 
>+[05E0] E9 FC A3 9D 16 FF C8 91 03 AC 8B E6 2D 15 B3 F1 ........ ....-... >+[05F0] 23 4E 25 9E 45 3A F8 8A 19 B7 71 52 A6 92 1C FB #N%.E:.. ..qR.... >+[0600] 1F D4 4C 51 AF 9C 0E 73 D9 A8 D8 43 F2 64 71 BC ..LQ...s ...C.dq. >+[0610] AD B1 7B 8F BF 8D FF 72 89 0F 5E B6 C2 E3 C0 01 ..{....r ..^..... >+[0620] 98 41 AD 3F 6E DC 87 F5 9A E6 40 0C 17 0F 75 80 .A.?n... ..@...u. >+[0630] 0C 28 62 06 EB BF F8 69 8C 43 48 38 A8 AE F2 5E .(b....i .CH8...^ >+[0640] 45 11 23 FB 6B 85 83 54 BA 60 39 CE 08 00 D1 05 E.#.k..T .`9..... >+[0650] 5F 6F 79 96 30 28 06 DD C7 75 52 8E 3C C4 3F FC _oy.0(.. .uR.<.?. >+[0660] C1 31 28 2C 64 3B D1 7E 2F C2 DB B0 E8 A8 EF C5 .1(,d;.~ /....... >+[0670] F2 DC 43 D0 14 21 C8 D0 D3 15 45 8E 2A 3E 3B 4A ..C..!.. ..E.*>;J >+[0680] 60 25 3D 11 E4 F9 16 02 3E 55 8F CE D2 E9 95 E7 `%=..... >U...... >+[0690] B1 C4 8F C4 0B 3E 3C 14 15 28 1A 21 49 15 CE 8E .....><. .(.!I... >+[06A0] 91 5E 98 71 00 1F 29 D3 12 C8 D0 11 4F E7 14 E3 .^.q..). ....O... >+[06B0] 72 1B 61 6D 7B 8A 00 A6 5E 01 01 50 C2 CF 1A A9 r.am{... ^..P.... >+[06C0] 34 8C BA 33 9E 62 C5 69 97 6A 24 3D E0 C6 3F C6 4..3.b.i .j$=..?. >+[06D0] F4 36 B1 80 D6 5C 44 19 5B 65 C7 CA 47 DE 4B 65 .6...\D. [e..G.Ke >+[06E0] 41 29 9F F8 EA E8 E0 3B E2 C6 98 9D 58 A4 6C 62 A).....; ....X.lb >+[06F0] EF 25 12 C9 0E 97 CE 9D F0 D8 08 AD 13 73 A6 82 .%...... .....s.. >+[0700] C5 54 23 F4 A4 CB 91 35 91 BD 10 B4 04 DD 55 7E .T#....5 ......U~ >+[0710] C9 DE AE CB B0 8F C0 D8 28 AE BD 78 64 91 6C AB ........ (..xd.l. >+[0720] CA 36 EA 0E 0E 97 DC 40 ED 26 1D 09 17 28 30 D3 .6.....@ .&...(0. >+[0730] 78 DC F7 D2 9C 78 DA 6F 6F 57 00 B3 FD 8E 75 A1 x....x.o oW....u. >+[0740] 56 98 5C 4B D8 61 A6 0A 89 27 CD 11 BF 7F 79 53 V.\K.a.. .'....yS >+[0750] D9 50 9A 8D EC DD DB BB B8 23 27 0D 20 5B 53 51 .P...... .#'. [SQ >+[0760] 07 C4 26 31 3B D4 DF ED 3C 40 B4 1C 8B 46 E2 A6 ..&1;... <@...F.. >+[0770] B7 0F 97 D2 B3 1D 19 FD 13 60 7B 38 E6 37 0C 59 ........ 
.`{8.7.Y >+[0780] B0 A8 47 5D 32 A5 0C 57 76 EF 2C ED 40 9F BF 4B ..G]2..W v.,.@..K >+[0790] 43 99 3C 68 C4 DE 84 9C A1 36 8C CA CB 2A 08 36 C.<h.... .6...*.6 >+[07A0] 4E CD 43 06 9E F8 E7 1D 52 3B 59 37 4F 6F 65 D9 N.C..... R;Y7Ooe. >+[07B0] 2A F9 AD 5A 50 95 71 3F B1 5F C8 8E 2E E9 E4 FE *..ZP.q? ._...... >+[07C0] C8 A9 42 2C EE 18 E0 81 3C 00 E2 80 8D 8A 8B 71 ..B,.... <......q >+[07D0] C7 F5 AC 5C 36 1D E0 BC F0 11 57 67 CB 2C BE F6 ...\6... ..Wg.,.. >+[07E0] 90 4E F9 90 97 14 1F 0C 9D 5D 4D DF 0D D0 C0 C5 .N...... .]M..... >+[07F0] 08 E7 31 72 8E 35 63 17 8D 8B 3D 49 14 C8 A5 90 ..1r.5c. ..=I.... >+[0800] 88 24 AF 75 CA 0A CB 95 8A 2C 70 A6 CE 2F 3F B6 .$.u.... .,p../?. >+[0810] D7 1A 44 AC 05 93 EF 3D 03 C7 C2 8E 0F 31 9F 53 ..D....= .....1.S >+[0820] 67 CA 73 D3 B8 07 76 36 35 6F B5 32 30 38 86 7E g.s...v6 5o.208.~ >+[0830] 7E 95 3F DC F4 6F A9 67 0E 15 E8 4A CA 3F 18 0E ~.?..o.g ...J.?.. >+[0840] C6 E7 20 22 6B F1 39 6A 9C A6 47 64 81 E4 CB A8 .. "k.9j ..Gd.... >+[0850] 31 FF E2 97 13 41 89 45 79 53 2B A8 90 97 DE 7B 1....A.E yS+....{ >+[0860] 18 56 95 02 2A 94 D2 7E 5C D0 A0 BC A0 38 D2 BC .V..*..~ \....8.. >+[0870] 03 91 F7 35 FE 1A 5E 80 10 13 4E 83 CB F6 D7 8A ...5..^. ..N..... >+[0880] 02 A2 E8 1F D8 9B F1 76 F9 18 66 56 9C 4D 9E BF .......v ..fV.M.. >+[0890] 1D F4 66 86 E0 7B 88 EC 9C F7 50 13 7D 34 8A 54 ..f..{.. ..P.}4.T >+[08A0] 7A E1 EC F6 44 12 47 84 7D 16 B4 42 25 E5 A2 CC z...D.G. }..B%... >+[08B0] D8 CA 7A 38 21 85 A3 F8 41 6D 0D AC 1D FA 36 5D ..z8!... Am....6] >+[08C0] 23 EA 20 CC 43 A5 7E D9 25 97 BC 0E 74 F5 3D 98 #. .C.~. %...t.=. >+[08D0] B9 79 C2 65 50 0E 8D E7 7A F3 F3 88 37 A3 40 01 .y.eP... z...7.@. >+[08E0] 96 C6 FC 1D 6E 9E 06 A1 90 A0 78 3C DA 7F E9 C6 ....n... ..x<.... >+[08F0] 23 47 70 04 03 EE C2 4A C3 95 07 44 00 BD 29 2A #Gp....J ...D..)* >+[0900] B5 FA 17 1E D6 BC 00 A0 93 55 E0 82 0A AB 04 D4 ........ .U...... >+[0910] D5 56 84 2A B2 56 51 05 DB 30 E2 83 5A 75 D3 A8 .V.*.VQ. .0..Zu.. 
>+[0920] 30 B7 3E C4 25 70 A8 34 E4 A2 EB 3E FB D8 2D 10 0.>.%p.4 ...>..-. >+[0930] 72 8E DA 4D 2D 55 EC 49 66 5E 01 96 E4 C1 0C 23 r..M-U.I f^.....# >+[0940] 57 91 00 00 00 00 00 00 00 01 00 00 00 01 00 00 W....... ........ >+[0950] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX >+[0960] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D AMPLE.CO M....adm >+[0970] 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 inistrat or...... >+[0980] 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB >+[0990] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 A.EXAMPL E.COM... >+[09A0] 04 68 6F 73 74 00 00 00 0B 4C 4F 43 41 4C 4B 54 .host... .LOCALKT >+[09B0] 45 53 54 36 00 17 00 00 00 10 9D AE 06 BE 29 E0 EST6.... ......). >+[09C0] F7 9A 46 97 29 E0 69 8E 5A F0 4D 9B 90 45 4D 9B ..F.).i. Z.M..EM. >+[09D0] 90 61 7D 46 4C 43 00 00 00 00 00 40 28 00 00 00 .a}FLC.. ...@(... >+[09E0] 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 ........ ...a...0 >+[09F0] 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 ........ ....KTES >+[0A00] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. >+[0A10] 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 COM..0.. ......0. >+[0A20] 1B 04 68 6F 73 74 1B 0B 4C 4F 43 41 4C 4B 54 45 ..host.. LOCALKTE >+[0A30] 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 ST6....0 ........ >+[0A40] A1 03 02 01 03 A2 82 03 9C 04 82 03 98 B9 C5 6E ........ .......n >+[0A50] 77 F9 59 6D 19 F0 A6 56 2F 14 B3 9A A3 17 06 A6 w.Ym...V /....... >+[0A60] AD F5 92 38 6A 1E EA 3D 53 BF 5E 95 13 FF 5D BB ...8j..= S.^...]. >+[0A70] 43 4F 51 AE FB 12 3B 06 67 36 91 B9 E0 C4 C4 F3 COQ...;. g6...... >+[0A80] 45 A0 48 E6 DC 49 E8 EA 6F 55 D2 3F 79 57 54 FF E.H..I.. oU.?yWT. >+[0A90] 10 8D 89 4A A4 E2 B2 80 FD EE 36 C5 D5 4C D0 97 ...J.... ..6..L.. >+[0AA0] B3 EC 96 8B E8 5A 05 F0 13 39 8B 1B B3 C4 32 2A .....Z.. 
.9....2* >+[0AB0] 9B BB EF 06 C4 1C 53 2F 0A F6 A8 C6 BE 09 57 26 ......S/ ......W& >+[0AC0] B9 39 7B 7B 50 13 2D 6C 52 FF C4 B5 83 28 A8 47 .9{{P.-l R....(.G >+[0AD0] 5A CD 1C DD A7 65 FD 8A 84 2A 10 E7 44 E6 83 E7 Z....e.. .*..D... >+[0AE0] E7 AA B8 E5 0A 8B 7E E1 87 7B 3D C4 9F 68 BD 19 ......~. .{=..h.. >+[0AF0] 2B 59 5E 5A 45 0D B5 71 CC A6 C7 03 3C B3 17 D3 +Y^ZE..q ....<... >+[0B00] AF 99 F6 A2 52 A0 99 F7 39 56 B4 33 B4 C5 F4 CC ....R... 9V.3.... >+[0B10] 74 34 4C 00 76 26 10 D1 3A 87 6E 6A 52 9B 7A BF t4L.v&.. :.njR.z. >+[0B20] 4E 59 36 32 C5 41 29 CF E1 BF 14 E0 54 BF 4A 25 NY62.A). ....T.J% >+[0B30] 1F 0B 6E 9A 8C 0E 5D 47 A9 64 1B A4 9D 99 A9 09 ..n...]G .d...... >+[0B40] 39 14 E7 41 22 98 8C 62 CC E2 B5 91 8E C1 31 EB 9..A"..b ......1. >+[0B50] B2 70 A6 3B 86 FC DD 19 0B 3F 5D C9 B5 1A 95 73 .p.;.... .?]....s >+[0B60] EB 97 89 BE 14 87 85 17 BE 40 F6 80 14 23 4D 66 ........ .@...#Mf >+[0B70] E4 B0 E5 51 46 34 DA 1C C8 CB FF C6 84 A3 DF D2 ...QF4.. ........ >+[0B80] DC 00 AF 7B 27 C8 78 44 CB 6E 7B CC 5C 94 1E 7A ...{'.xD .n{.\..z >+[0B90] 95 29 19 F4 14 BE 5C 23 C3 B9 A4 2C 5D 4D F3 61 .)....\# ...,]M.a >+[0BA0] 63 1F D4 FE 37 EE 44 14 06 B7 14 50 B6 74 37 75 c...7.D. ...P.t7u >+[0BB0] 2C AB 06 F0 93 F9 93 34 75 63 44 7E 12 48 D1 F1 ,......4 ucD~.H.. >+[0BC0] 06 55 14 11 B9 23 43 CE 01 16 3E 6B A3 BD 23 55 .U...#C. ..>k..#U >+[0BD0] DE 48 5D AF E1 2B 89 E8 E7 C2 E2 34 25 A2 09 4A .H]..+.. ...4%..J >+[0BE0] 1F BE 05 AA DE 4B 08 65 27 4C 9B C7 54 96 C2 FB .....K.e 'L..T... >+[0BF0] E2 CE 53 4A 32 93 8D 0B 44 77 8C D3 65 54 F9 0E ..SJ2... Dw..eT.. >+[0C00] 7F 74 1E FE 3D 74 83 0F 2F E7 9F BC A2 B0 2B 25 .t..=t.. /.....+% >+[0C10] BB D2 6F A8 49 C1 3E 9E B5 93 67 74 39 A4 FE 84 ..o.I.>. ..gt9... >+[0C20] 4C 45 5F 30 74 E0 CA 5F F6 46 EC 89 B5 2D C8 14 LE_0t.._ .F...-.. >+[0C30] 69 76 BC 93 15 F4 60 30 5F AB EB 02 DD 12 4C 62 iv....`0 _.....Lb >+[0C40] F9 73 F7 01 E1 7F 2A 6F 09 05 BF 3A 3A 7E 69 A3 .s....*o ...::~i. 
>+[0C50] 7B FC 20 2B D6 CE C0 74 4F BB 29 E4 BE CE 04 9D {. +...t O.)..... >+[0C60] 24 D4 98 4A ED 94 A8 81 CD 26 A0 63 EA 09 57 42 $..J.... .&.c..WB >+[0C70] 26 B7 B5 4E B5 CB 45 35 A7 84 D8 74 CA C3 9F FF &..N..E5 ...t.... >+[0C80] C8 1E 2A 75 34 01 C5 A7 B4 9D 6F A3 E1 BB 2B F8 ..*u4... ..o...+. >+[0C90] F0 21 D6 77 57 74 2E 80 DB 76 53 01 86 33 17 32 .!.wWt.. .vS..3.2 >+[0CA0] 2E 16 E1 8D 89 3A B2 67 ED A3 ED 39 82 87 26 A6 .....:.g ...9..&. >+[0CB0] DB CE 59 84 E4 0A A6 CA 7E 07 98 F7 02 91 6E 56 ..Y..... ~.....nV >+[0CC0] 9F 60 03 D3 88 B0 FF EB 20 CA 9E 5B 37 26 67 00 .`...... ..[7&g. >+[0CD0] CC BD 9D 53 15 31 53 14 FD 9C E1 28 08 CB C4 0B ...S.1S. ...(.... >+[0CE0] E3 50 D9 DB 0C E2 E4 F9 44 50 E9 28 6E 01 96 AA .P...... DP.(n... >+[0CF0] C1 D2 4E B2 DE 38 A2 F8 94 32 79 AE 49 64 FB 57 ..N..8.. .2y.Id.W >+[0D00] 50 F6 73 E8 98 43 C6 DD 67 3C 91 AC 97 C9 2E 8C P.s..C.. g<...... >+[0D10] 06 59 A1 FC 49 EC 2F BF 6F 64 21 63 ED C8 6C CE .Y..I./. od!c..l. >+[0D20] 37 28 7B 80 7F 5F 85 F6 98 93 C0 66 A8 D6 F1 2C 7({.._.. ...f..., >+[0D30] D8 01 68 B1 C8 EA 82 0D 5B 9B 35 4F 3D B3 47 19 ..h..... [.5O=.G. >+[0D40] 54 7A C6 9F AD D7 54 CF B0 DB 3E 18 BA 2A 39 08 Tz....T. ..>..*9. >+[0D50] 0C C4 98 4B 43 DE 53 68 25 B1 83 93 1D E1 6C BF ...KC.Sh %.....l. >+[0D60] F5 B4 A9 83 17 34 64 8C 2F 91 80 97 4A 48 EC 90 .....4d. /...JH.. >+[0D70] BB FA 92 2C 01 80 E4 99 91 0E 67 88 D5 75 AB 7C ...,.... ..g..u.| >+[0D80] 98 59 98 45 C9 11 A9 8C 02 98 91 DE AB A0 FF 45 .Y.E.... .......E >+[0D90] 11 66 6F C5 DE 61 6D C6 DB C9 CA A3 A0 2B B1 73 .fo..am. .....+.s >+[0DA0] 05 85 37 BF AB CA 43 7A 6F 38 C8 BE ED CE 12 49 ..7...Cz o8.....I >+[0DB0] 93 C7 7C 1A 33 60 52 7A 67 67 AA 60 57 7E C8 FF ..|.3`Rz gg.`W~.. >+[0DC0] DF 91 91 18 45 74 C0 9E 36 19 BC 42 F9 46 CC 84 ....Et.. 6..B.F.. >+[0DD0] 09 2E 8C 59 1A E3 65 51 F4 87 6F 4C 3E 29 38 E6 ...Y..eQ ..oL>)8. >+[0DE0] 77 E8 A9 B7 FA 00 00 00 00 00 00 00 01 00 00 00 w....... ........ 
>+[0DF0] 01 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA >+[0E00] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D .EXAMPLE .COM.... >+[0E10] 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 administ rator... >+[0E20] 01 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 ........ .KTEST.S >+[0E30] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM >+[0E40] 00 00 00 04 63 69 66 73 00 00 00 0B 4C 4F 43 41 ....cifs ....LOCA >+[0E50] 4C 4B 54 45 53 54 36 00 17 00 00 00 10 01 78 D0 LKTEST6. ......x. >+[0E60] 3B 9B FF F0 88 86 4B 3B FE 41 A9 6B 00 4D 9B 90 ;.....K; .A.k.M.. >+[0E70] 45 4D 9B 90 6B 7D 46 4C 43 00 00 00 00 00 40 28 EM..k}FL C.....@( >+[0E80] 00 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 ........ ......a. >+[0E90] 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B ..0..... .......K >+[0EA0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP >+[0EB0] 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 LE.COM.. 0....... >+[0EC0] 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F 43 41 4C .0...cif s..LOCAL >+[0ED0] 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 KTEST6.. ..0..... >+[0EE0] 02 01 17 A1 03 02 01 03 A2 82 03 9C 04 82 03 98 ........ ........ >+[0EF0] CA EA 4D 46 2D D1 E9 58 5D 25 8D 9F DF EA C9 01 ..MF-..X ]%...... >+[0F00] B6 08 27 CD 14 85 02 DC 20 C6 51 AA F9 6A B1 CE ..'..... .Q..j.. >+[0F10] F5 77 84 BF 9A AC 6B A7 B2 F2 1F 60 BF CB C6 FC .w....k. ...`.... >+[0F20] C7 14 B7 41 1C A8 C9 70 7B 86 BC 8E 70 2B 65 4B ...A...p {...p+eK >+[0F30] DC F5 B9 23 F8 08 BF 96 C9 A8 77 F4 54 67 25 F8 ...#.... ..w.Tg%. >+[0F40] 0F A8 C5 D6 D1 BB 46 5E A0 7E D2 98 9C CD AF E0 ......F^ .~...... >+[0F50] 82 62 ED 39 D2 FB F2 E8 9B 1B EE E5 B4 1B C9 0A .b.9.... ........ >+[0F60] 86 27 52 6E 11 8B D7 AD B4 54 F9 C6 69 8D E0 F1 .'Rn.... .T..i... >+[0F70] CD 63 1C 89 7C 8F B6 A0 71 53 A6 DA B1 66 D2 9D .c..|... qS...f.. >+[0F80] D3 4C A8 FB C6 9D 81 74 10 8E 84 D2 3D D8 1C BE .L.....t ....=... 
>+[0F90] BB 3F F7 BF 91 3E 89 66 43 A1 E0 90 1B 1A 97 FF .?...>.f C....... >+[0FA0] EF CC 35 75 14 62 4F 67 3A 29 F4 F9 C5 2E BE C5 ..5u.bOg :)...... >+[0FB0] C2 2B A8 35 22 D9 92 31 1D 49 2A A5 19 AA 08 0F .+.5"..1 .I*..... >+[0FC0] A8 22 0B 68 D2 A2 D7 07 7B 37 1E A3 AC 9B 4F 0A .".h.... {7....O. >+[0FD0] A4 FA 7F 37 6F 3E 35 79 4E 00 4B B6 28 A3 6A E4 ...7o>5y N.K.(.j. >+[0FE0] 0C 95 53 BA E8 41 07 DA BE E9 08 B9 51 24 91 49 ..S..A.. ....Q$.I >+[0FF0] 78 5D 44 12 BC 85 63 81 B8 E0 88 D5 95 0C D3 A8 x]D...c. ........ >+[1000] 1D 32 4B E4 A0 C8 A7 7D 3C 97 EE D8 59 AC 3A 21 .2K....} <...Y.:! >+[1010] 09 F2 7A CC D0 4A F3 50 10 DC FC 26 BB C2 6A 8E ..z..J.P ...&..j. >+[1020] 8B 14 2B 2D 50 2E B3 1E 9B D2 69 56 22 F2 48 BD ..+-P... ..iV".H. >+[1030] E9 2E 2F 28 DE 77 67 5F 68 AA 29 05 4B 36 58 40 ../(.wg_ h.).K6X@ >+[1040] E5 54 11 C5 4D 68 96 49 9D 53 37 87 5F D2 3A 9B .T..Mh.I .S7._.:. >+[1050] E9 8E 79 BE AE 11 B4 6B AB FD DB 8A F5 A0 9B 29 ..y....k .......) >+[1060] D9 F5 ED CA FA 3F FE 35 FC F4 69 7E E4 D0 44 29 .....?.5 ..i~..D) >+[1070] 48 FF 82 61 26 FC D3 E2 10 EE 14 F7 4A E3 CD F2 H..a&... ....J... >+[1080] 8B BC 8B 43 64 2C DE 40 6E BB E1 56 C0 B6 2C D0 ...Cd,.@ n..V..,. >+[1090] E5 1E E9 B3 FB 38 48 66 ED AF D2 25 D1 35 5C C6 .....8Hf ...%.5\. >+[10A0] F0 4D 36 19 0B EC 33 07 34 D0 27 8D 14 DC 01 45 .M6...3. 4.'....E >+[10B0] DE F8 73 A6 A0 F4 C1 91 9D BD 05 E3 70 25 E1 10 ..s..... ....p%.. >+[10C0] 44 F6 4B 46 F7 24 84 BF 20 96 AD 6A 96 94 81 58 D.KF.$.. ..j...X >+[10D0] 80 95 06 92 F5 7F 17 39 3B 32 47 B2 C5 CE 7B 73 .......9 ;2G...{s >+[10E0] CF 53 AE FA D1 9A 60 5A 98 EC 8C FA BD C0 CE 8D .S....`Z ........ >+[10F0] C5 27 E6 17 1A 4D 47 D8 3F 5D A9 7C FB 2C B3 05 .'...MG. ?].|.,.. >+[1100] 0C 69 20 48 99 80 11 DC 48 AB A7 EA 5B 98 C1 15 .i H.... H...[... >+[1110] 27 AE FA 3E 1E 1E E0 E1 F8 32 C0 54 13 D6 30 34 '..>.... .2.T..04 >+[1120] 71 98 26 61 6C 1C C4 C7 4E C4 A6 7E FE A8 B8 89 q.&al... N..~.... 
>+[1130] 2A 70 3C 19 58 8D 57 45 55 83 0A C2 B5 F7 89 0E *p<.X.WE U....... >+[1140] 7B 7A 17 0C CF 6E 08 A5 F7 21 4A 62 81 4F 49 CA {z...n.. .!Jb.OI. >+[1150] E2 ED C2 B4 C7 33 5C BC A1 A0 DE 4E 09 37 BE 24 .....3\. ...N.7.$ >+[1160] 62 22 94 55 75 AA 53 DE E0 74 5A B0 B8 E9 BF 2B b".Uu.S. .tZ....+ >+[1170] 12 65 2F 90 6B 84 ED 11 AD F7 CE 19 A1 96 E4 1E .e/.k... ........ >+[1180] 8C EA C8 81 1B 47 4F 5F B1 5D A5 8B E3 0D 5A 80 .....GO_ .]....Z. >+[1190] 89 EC 4B D9 CE ED E8 67 7F 96 FC 1B EF 65 C2 68 ..K....g .....e.h >+[11A0] 40 F7 20 36 83 58 62 F4 CA 02 F4 5C 0D 46 B1 CB @. 6.Xb. ...\.F.. >+[11B0] 50 D2 D8 3D B7 9A 96 48 8C CF EB E6 8C F4 B2 B4 P..=...H ........ >+[11C0] 47 C9 34 C9 DC 14 F1 33 1B 6F 9E 65 27 D7 9D 46 G.4....3 .o.e'..F >+[11D0] 1E 91 FF 2E FB 8E 97 5D 17 8F 48 54 7C 3C A0 11 .......] ..HT|<.. >+[11E0] 9C AA 77 E9 79 DE 26 D1 F0 7C EA 24 73 BE EC 60 ..w.y.&. .|.$s..` >+[11F0] B4 EE BD ED 0D 0A AB 74 60 6E 46 C0 35 5B 65 1A .......t `nF.5[e. >+[1200] A4 4A 5C 22 AC B9 CD B7 56 06 88 09 FC 48 68 55 .J\".... V....HhU >+[1210] B7 5E 39 72 DF 8A 4C CD 79 74 B0 84 0B 78 DA B2 .^9r..L. yt...x.. >+[1220] 55 F8 06 0B 5C 27 06 B3 CA 10 65 6B 04 A3 64 11 U...\'.. ..ek..d. >+[1230] 04 09 DC DF 67 00 70 B1 16 DF 24 E9 27 85 11 91 ....g.p. ..$.'... >+[1240] 31 CB 92 95 50 18 91 08 C2 A1 A3 76 C7 1A FC 64 1...P... ...v...d >+[1250] 9E 2C 3A E7 30 F4 16 0D A0 56 C0 BC D2 FE 2D A0 .,:.0... .V....-. >+[1260] 20 A4 E2 82 AD F0 C5 12 71 09 23 E1 66 52 53 D0 ....... q.#.fRS. >+[1270] 89 30 E7 BE B7 C2 89 F2 1C 7A F6 8E D7 28 F0 A4 .0...... .z...(.. >+[1280] 33 46 7C A2 79 66 DE 26 00 00 00 00 3F|.yf.& .... 
>+push returned Success >+pull returned Success >+ CCACHE: struct CCACHE >+ pvno : 0x05 (5) >+ version : 0x04 (4) >+ optional_header : union OPTIONAL_HEADER(case 0x4) >+ v4header: struct V4HEADER >+ v4tags: struct V4TAGS >+ tag: struct V4TAG >+ tag : 0x0001 (1) >+ field : union FIELD(case 0x1) >+ deltatime_tag: struct DELTATIME_TAG >+ kdc_sec_offset : 0 >+ kdc_usec_offset : 0 >+ further_tags : DATA_BLOB length=0 >+ principal: struct PRINCIPAL >+ name_type : 0x00000001 (1) >+ component_count : 0x00000001 (1) >+ realm : 'KTEST.SAMBA.EXAMPLE.COM' >+ components: ARRAY(1) >+ components : 'administrator' >+ cred: struct CREDENTIAL >+ client: struct PRINCIPAL >+ name_type : 0x00000001 (1) >+ component_count : 0x00000001 (1) >+ realm : 'KTEST.SAMBA.EXAMPLE.COM' >+ components: ARRAY(1) >+ components : 'administrator' >+ server: struct PRINCIPAL >+ name_type : 0x00000000 (0) >+ component_count : 0x00000002 (2) >+ realm : 'KTEST.SAMBA.EXAMPLE.COM' >+ components: ARRAY(2) >+ components : 'krbtgt' >+ components : 'KTEST.SAMBA.EXAMPLE.COM' >+ keyblock: struct KEYBLOCK >+ enctype : 0x0017 (23) >+ data : DATA_BLOB length=16 >+[0000] E5 E4 15 C8 A8 0F 4D 95 F9 1B E3 B9 98 CA A1 7F ......M. ........ >+ authtime : 0x4d9b9045 (1302040645) >+ starttime : 0x4d9b9045 (1302040645) >+ endtime : 0x7d464c43 (2101759043) >+ renew_till : 0x7d464c43 (2101759043) >+ is_skey : 0x00 (0) >+ ticket_flags : 0x40e00000 (1088421888) >+ addresses: struct ADDRESSES >+ count : 0x00000000 (0) >+ data: ARRAY(0) >+ authdata: struct AUTHDATA >+ count : 0x00000000 (0) >+ data: ARRAY(0) >+ ticket : DATA_BLOB length=1032 >+[0000] 61 82 04 04 30 82 04 00 A0 03 02 01 05 A1 19 1B a...0... ........ >+[0010] 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 .KTEST.S AMBA.EXA >+[0020] 4D 50 4C 45 2E 43 4F 4D A2 2C 30 2A A0 03 02 01 MPLE.COM .,0*.... 
>+[0030] 00 A1 23 30 21 1B 06 6B 72 62 74 67 74 1B 17 4B ..#0!..k rbtgt..K >+[0040] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP >+[0050] 4C 45 2E 43 4F 4D A3 82 03 AE 30 82 03 AA A0 03 LE.COM.. ..0..... >+[0060] 02 01 17 A1 03 02 01 01 A2 82 03 9C 04 82 03 98 ........ ........ >+[0070] 01 40 48 A6 B8 F0 DA 43 54 A5 18 CF B0 15 CB 68 .@H....C T......h >+[0080] 9F A0 69 44 87 A9 FF 06 25 B9 29 48 59 64 26 48 ..iD.... %.)HYd&H >+[0090] 96 7C 46 6A 79 E5 F0 77 DB 46 6C 20 A1 59 D9 F8 .|Fjy..w .Fl .Y.. >+[00A0] 6A 8A 2D B5 D9 EF A4 54 DE 19 20 C0 7B 93 D4 3D j.-....T .. .{..= >+[00B0] ED 72 35 AF 9D 87 75 9E 44 01 A4 6C D9 EA 94 A3 .r5...u. D..l.... >+[00C0] 18 C6 42 75 E3 0A 0C 76 9A AE 75 BC A3 02 91 BC ..Bu...v ..u..... >+[00D0] 2D BB 3C 23 73 A6 1A A7 8A 3E 85 42 5D 1F 5D 7D -.<#s... .>.B].]} >+[00E0] 0B 1F C3 88 2A 93 40 F9 E9 18 7D 3F 73 DA AC 1F ....*.@. ..}?s... >+[00F0] E7 7B C3 B8 14 56 C3 63 86 5B AF C9 C3 21 9F 94 .{...V.c .[...!.. >+[0100] B4 67 06 60 7F 56 2D F4 C7 22 CD B4 1C 14 B7 5B .g.`.V-. .".....[ >+[0110] 26 67 9D 18 28 B5 5D C2 FC 13 B6 CA 9F AB CD 32 &g..(.]. .......2 >+[0120] 71 D5 51 5F A2 11 5A 5D 4A B3 3B 1D D1 6B 4F 7D q.Q_..Z] J.;..kO} >+[0130] E9 54 F0 B4 AC 80 DE 27 80 C5 64 3C 0B 22 79 1C .T.....' ..d<."y. >+[0140] 9E D1 58 A1 3E 20 5A 9F E3 34 49 D8 16 C6 6B 2D ..X.> Z. .4I...k- >+[0150] 36 0E E2 C2 3F 44 DE 63 32 DB EB 78 50 A2 6F 37 6...?D.c 2..xP.o7 >+[0160] 05 2B 13 D4 31 07 D4 2A C0 53 B1 30 39 79 C3 D8 .+..1..* .S.09y.. >+[0170] C4 4C 30 97 E8 F9 DA ED 10 B0 D0 21 71 8B 56 F3 .L0..... ...!q.V. >+[0180] 0F 3A 2D 26 A2 3D AD 70 27 82 95 59 0A D7 7D 4E .:-&.=.p '..Y..}N >+[0190] 2D 76 96 4D 94 70 2A BB 26 3B 7E FC E1 59 5A 55 -v.M.p*. &;~..YZU >+[01A0] 04 A2 DA 27 AD 46 70 45 43 C0 FB C1 42 7F F0 CB ...'.FpE C...B... >+[01B0] 21 D2 CD 54 35 7C 60 13 EE BB BB 60 6B 91 2B BE !..T5|`. ...`k.+. >+[01C0] 91 8A CF 49 29 F8 60 D1 AB A5 51 B5 5E 4B B2 3A ...I).`. 
..Q.^K.: >+[01D0] F4 56 3A 89 2D 88 D0 73 08 A6 FB D8 6E B3 B1 4E .V:.-..s ....n..N >+[01E0] D8 90 27 58 D2 53 40 B2 A0 3C 40 4D E9 21 C6 83 ..'X.S@. .<@M.!.. >+[01F0] FC 15 14 F0 8C 08 46 C5 29 14 E3 84 CC 2C 56 C9 ......F. )....,V. >+[0200] 20 53 45 34 D0 BE E0 CC F7 F1 15 D4 D4 B1 3C 43 SE4.... ......<C >+[0210] EB 5E 9D 33 07 B4 5B E7 D8 24 B0 EB 7B 27 24 6B .^.3..[. .$..{'$k >+[0220] 2A 90 C9 17 D9 24 CF FD 56 28 D7 73 74 03 2F DA *....$.. V(.st./. >+[0230] C4 E0 B3 78 E4 9A 60 4D 5C C7 F5 CF 9C 14 7C B6 ...x..`M \.....|. >+[0240] 1B 5D 76 D1 E3 73 73 2F 41 BD E3 E7 F0 92 B4 5B .]v..ss/ A......[ >+[0250] 07 B4 16 77 DC 3C 28 A4 92 82 C5 7C CA 00 9C 77 ...w.<(. ...|...w >+[0260] B8 28 7F D0 3F EA 2B C1 79 2B 73 FF E0 E0 A5 17 .(..?.+. y+s..... >+[0270] 02 CA 6C B6 02 D2 51 D3 CE 6F 5B 56 E0 7B 38 22 ..l...Q. .o[V.{8" >+[0280] 76 52 48 2D 0A 2F 15 58 A9 FE 03 65 E1 D5 A8 60 vRH-./.X ...e...` >+[0290] E3 5D E6 53 D8 AA 05 D0 90 61 EF B6 28 4A B9 84 .].S.... .a..(J.. >+[02A0] 56 79 80 D2 53 08 1D 17 C4 05 4E F8 04 10 2B CF Vy..S... ..N...+. >+[02B0] 08 DD 61 68 27 21 A5 8A C0 35 6A 0A 94 6D 9E FD ..ah'!.. .5j..m.. >+[02C0] C9 45 AC E3 4F 60 BB 96 AF D4 4E 71 A9 D9 BE 33 .E..O`.. ..Nq...3 >+[02D0] DC 61 8B 14 77 6C A7 72 70 02 65 62 32 9C 8E 53 .a..wl.r p.eb2..S >+[02E0] C9 A3 5B B9 14 3C 00 A2 1D C7 CD 36 5B 5F BE 40 ..[..<.. ...6[_.@ >+[02F0] 28 E2 58 0D D1 05 53 78 F0 86 0F 80 1A 6A 1D DC (.X...Sx .....j.. >+[0300] D4 CD F2 83 0E 25 E1 60 DB C7 F4 B6 05 4F 0D 11 .....%.` .....O.. >+[0310] A4 AE A5 F8 6D 14 CF DF 03 C5 27 75 75 B5 0C F1 ....m... ..'uu... >+[0320] C3 01 F9 A4 FD 2E 0B BD 51 A8 C1 3B DE 48 CF 3A ........ Q..;.H.: >+[0330] CF B3 41 23 9A 9D 0C 79 11 7C 9B D3 71 43 4E 9D ..A#...y .|..qCN. >+[0340] B5 52 19 28 2C A0 4E 0E 8D 7A 84 9A B9 A0 EB FA .R.(,.N. .z...... >+[0350] 6E A1 DF B9 2F 6B FE 5E AE 85 D1 6B A2 C5 BE 07 n.../k.^ ...k.... >+[0360] E7 D6 33 3A 0F 2B ED FB 30 6F 88 1E F9 09 CC C3 ..3:.+.. 0o...... 
>+[0370] 8F 59 A0 D4 8D 9F A6 08 B0 D3 ED EB 15 13 1B 8E .Y...... ........ >+[0380] 19 C6 14 9C 25 E7 E9 EF 5A 67 7B CD 86 C4 D1 51 ....%... Zg{....Q >+[0390] 2B DE 27 30 D9 F5 6E F9 E4 3E CF 42 54 AE 42 61 +.'0..n. .>.BT.Ba >+[03A0] C5 22 B7 AE 51 76 8F 12 83 7F E1 9F 97 D8 31 38 ."..Qv.. ......18 >+[03B0] A6 B9 11 B4 E1 BA 19 5B E4 A5 A3 6F 4B B3 03 93 .......[ ...oK... >+[03C0] 4C D6 1E 08 FC 94 D1 C5 7C AA 95 EB 9C 7A C2 57 L....... |....z.W >+[03D0] 60 CA 17 FF 8E 66 80 76 CB 35 46 26 C3 BD CA 83 `....f.v .5F&.... >+[03E0] F0 04 08 0D 4C 5D B2 E4 7C 1C 82 28 D7 2C 42 B1 ....L].. |..(.,B. >+[03F0] 36 72 60 5E 26 4A 79 D0 41 94 3C 2C 65 0E 32 18 6r`^&Jy. A.<,e.2. >+[0400] B8 56 26 9D D3 84 78 BB .V&...x. >+ second_ticket : DATA_BLOB length=0 >+ further_creds : DATA_BLOB length=4748 >+[0000] 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 ........ ....KTES >+[0010] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. >+[0020] 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 COM....a dministr >+[0030] 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 ator.... ........ >+[0040] 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D KTEST.SA MBA.EXAM >+[0050] 50 4C 45 2E 43 4F 4D 00 00 00 04 68 6F 73 74 00 PLE.COM. ...host. >+[0060] 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 00 17 ...local ktest6.. >+[0070] 00 00 00 10 EA 0D 3A 24 41 21 F7 7D 7D A3 C5 BB ......:$ A!.}}... >+[0080] A4 88 F6 17 4D 9B 90 45 4D 9B 90 52 7D 46 4C 43 ....M..E M..R}FLC >+[0090] 00 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 .....@(. ........ >+[00A0] 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 .....a.. .0...... >+[00B0] 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB >+[00C0] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 A.EXAMPL E.COM..0 >+[00D0] 1C A0 03 02 01 01 A1 15 30 13 1B 04 68 6F 73 74 ........ 0...host >+[00E0] 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 A3 82 03 ..localk test6... >+[00F0] AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 03 A2 .0...... ........ 
>+[0100] 82 03 9C 04 82 03 98 44 8B C4 7D BA 9F FE 59 F6 .......D ..}...Y. >+[0110] C1 DF 62 89 02 A4 55 54 AB D6 D6 2E 8B 5E 35 3D ..b...UT .....^5= >+[0120] D9 46 9D 8B 49 93 A6 66 5F 1A 8B 81 AD 09 19 E9 .F..I..f _....... >+[0130] 59 CE 58 18 50 63 4A A6 7D 6F 71 21 51 4A 41 C2 Y.X.PcJ. }oq!QJA. >+[0140] A1 FE B0 D5 0A 3D 38 9F E5 3B 72 A2 7A 59 22 A4 .....=8. .;r.zY". >+[0150] B7 1C A3 8D DB EA 5D A5 E2 D3 1D AE 42 D0 7F 75 ......]. ....B..u >+[0160] B5 E9 ED B5 04 7B 67 1E 28 90 7D 3D 1A 3E F6 62 .....{g. (.}=.>.b >+[0170] D0 A1 56 89 28 76 5C 19 1A FD 66 E5 F2 86 E7 58 ..V.(v\. ..f....X >+[0180] 93 31 90 C5 CD F8 71 96 56 21 15 13 F0 EA C2 CC .1....q. V!...... >+[0190] 48 4C B4 50 EF F9 81 44 29 8A 75 C4 31 75 D1 BA HL.P...D ).u.1u.. >+[01A0] E2 0B 05 B2 E0 EA 64 3A 11 45 84 3D 69 55 FF E6 ......d: .E.=iU.. >+[01B0] 32 7E C9 CA C4 28 E8 40 B6 5E F9 26 0F 09 12 1F 2~...(.@ .^.&.... >+[01C0] 1F D4 9C 9A 50 E8 B7 6D F8 4F 55 6E 2A D4 AC 6A ....P..m .OUn*..j >+[01D0] 79 D1 C2 2A 88 99 F8 39 75 36 F1 2D C7 89 0A C6 y..*...9 u6.-.... >+[01E0] B4 C7 A1 7B F1 BF 22 87 A4 B2 93 22 54 A1 72 25 ...{..". ..."T.r% >+[01F0] AF 67 FE 20 D5 C8 29 47 28 FF 51 FB F9 4E 2C 17 .g. ..)G (.Q..N,. >+[0200] 10 BE 2E 13 8B 18 BE 3C A3 BE 50 49 A7 65 DD 2E .......< ..PI.e.. >+[0210] CC EB D6 0F 47 4E DB 7E 08 D5 F0 37 79 36 8F 24 ....GN.~ ...7y6.$ >+[0220] 34 28 86 89 EC A3 84 7F 44 4E 37 03 B5 D8 89 1C 4(...... DN7..... >+[0230] C7 AA AC 42 70 5F 96 73 35 8B 83 D1 16 24 27 C1 ...Bp_.s 5....$'. >+[0240] EC 0E AE 83 59 5A C2 EB C1 91 B6 3D BB 8D 21 49 ....YZ.. ...=..!I >+[0250] 63 41 3C 91 1D E9 01 C2 4F A9 E4 42 C1 FD 54 E3 cA<..... O..B..T. >+[0260] 7B 3B DF 24 3D 98 E9 84 F8 1D 8D CE 4D 85 AC 8A {;.$=... ....M... >+[0270] 12 15 48 C4 DA 1B 3C B8 FC A3 0B AF E2 4D 71 E9 ..H...<. .....Mq. >+[0280] 0A 28 53 DC 4E 6C 23 2C 73 26 50 FE 37 03 BF D1 .(S.Nl#, s&P.7... >+[0290] 5F 8A 39 4F 04 2E 4A CE 3C 90 11 0C DA 84 5C C3 _.9O..J. <.....\. 
>+[02A0] F8 BE C7 74 ED F4 CF 7E B2 AE 9B 47 D6 2A 1D 93 ...t...~ ...G.*.. >+[02B0] 3F A8 8B 51 E9 A3 A0 59 55 DB E3 52 67 E3 DE FF ?..Q...Y U..Rg... >+[02C0] B1 56 74 A0 87 21 99 23 8C 8E D1 92 A6 3D 93 D6 .Vt..!.# .....=.. >+[02D0] 4D 5B 84 2B B1 8D DD E4 F7 01 A6 6C 4A DF 3C 6E M[.+.... ...lJ.<n >+[02E0] A0 FA 74 93 BE 18 7C 30 29 9D B8 DB 5F D1 AA B7 ..t...|0 )..._... >+[02F0] 51 7C 2A 90 1A 8B 06 95 E1 80 0D 27 B2 6C 52 1C Q|*..... ...'.lR. >+[0300] C7 D1 E9 16 14 F1 6C 57 48 28 BD 13 B5 83 BA A7 ......lW H(...... >+[0310] 75 31 69 52 03 38 69 13 62 ED C6 DC C2 01 C8 F1 u1iR.8i. b....... >+[0320] 45 02 4D 8C 64 CF 96 90 3E C2 08 EC 2B 8D 92 93 E.M.d... >...+... >+[0330] 4B 6D 22 B3 41 DE 85 35 2D 19 09 E5 68 8E 1F 98 Km".A..5 -...h... >+[0340] 1B F2 73 F2 D4 91 08 89 42 0C 05 8B 42 77 6B CC ..s..... B...Bwk. >+[0350] 18 78 43 1A 73 C2 7C E7 C2 23 28 56 F7 A0 19 B3 .xC.s.|. .#(V.... >+[0360] 99 A6 25 4F C3 5E 70 EC 78 BB 30 15 36 77 B3 A6 ..%O.^p. x.0.6w.. >+[0370] 89 98 B6 A0 85 CC 8F E7 41 40 B5 E0 89 93 25 04 ........ A@....%. >+[0380] B8 1D 0B 06 31 1D C7 30 52 E1 64 29 8C 64 B9 89 ....1..0 R.d).d.. >+[0390] 1F 86 5A AD 74 15 1C C8 AF 37 7B 27 E0 C0 DB 73 ..Z.t... .7{'...s >+[03A0] 30 72 65 D3 C0 A5 07 61 E9 0C 07 A1 27 18 8F 50 0re....a ....'..P >+[03B0] DB CE FB 4C DD 75 98 F2 28 D2 76 FF F2 41 9F D5 ...L.u.. (.v..A.. >+[03C0] 74 22 8A 03 73 B1 A8 B3 B8 80 93 E5 E2 CD 4B F2 t"..s... ......K. >+[03D0] 6B 99 DF 5B 5B C7 22 69 81 2A 8A CD 2A F9 9D 08 k..[[."i .*..*... >+[03E0] B8 B0 40 77 D3 43 8B AF 40 DD 0C CB 45 E3 88 CB ..@w.C.. @...E... >+[03F0] 06 AA 63 38 EB DD 72 89 03 0E DC 3E 97 3F 16 D4 ..c8..r. ...>.?.. >+[0400] 1A 21 40 D8 30 BD B0 B4 04 C2 7A 22 43 15 A2 D8 .!@.0... ..z"C... >+[0410] 2F 08 28 3B 63 26 AA B3 1C B6 FC E4 0B 2A CD 0E /.(;c&.. .....*.. >+[0420] A8 7C E8 11 33 03 D3 C5 6C 35 6A 5D 3C 5A 80 1A .|..3... l5j]<Z.. >+[0430] BC 1C 54 DE 5C 6A E2 F3 A1 18 8E 47 88 8B 71 11 ..T.\j.. ...G..q. 
>+[0440] 09 2F 29 88 D9 BB DC 34 09 E1 2F 7E A7 E8 29 DC ./)....4 ../~..). >+[0450] F9 5A 1D 9E C8 A4 CC 52 8A E6 CB 4A 3F F9 77 F7 .Z.....R ...J?.w. >+[0460] 53 64 62 9E 5F E6 D7 F6 43 E6 9C 03 C9 55 B1 CB Sdb._... C....U.. >+[0470] 25 40 74 AA E9 AB 34 58 E1 E8 9B B3 1D 9E 83 FD %@t...4X ........ >+[0480] 7A BF DC 45 2D A8 9A F8 AF 9C 63 EF 1B 2B 9D CC z..E-... ..c..+.. >+[0490] F3 08 74 EC 6E 40 8E 18 62 BD F3 87 66 87 67 00 ..t.n@.. b...f.g. >+[04A0] 00 00 00 00 00 00 01 00 00 00 01 00 00 00 17 4B ........ .......K >+[04B0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP >+[04C0] 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 LE.COM.. ..admini >+[04D0] 73 74 72 61 74 6F 72 00 00 00 01 00 00 00 02 00 strator. ........ >+[04E0] 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 ...KTEST .SAMBA.E >+[04F0] 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 XAMPLE.C OM....ci >+[0500] 66 73 00 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 fs....lo calktest >+[0510] 36 00 17 00 00 00 10 92 C6 A1 91 6D 55 01 4E BE 6....... ...mU.N. >+[0520] E4 3F E3 36 B0 D3 28 4D 9B 90 45 4D 9B 90 5A 7D .?.6..(M ..EM..Z} >+[0530] 46 4C 43 00 00 00 00 00 40 28 00 00 00 00 00 00 FLC..... @(...... >+[0540] 00 00 00 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 ........ a...0... >+[0550] A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 ........ .KTEST.S >+[0560] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM >+[0570] A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 ..0..... ...0...c >+[0580] 69 66 73 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 ifs..loc alktest6 >+[0590] A3 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 03 02 ....0... ........ >+[05A0] 01 03 A2 82 03 9C 04 82 03 98 FE 09 00 80 36 35 ........ ......65 >+[05B0] D4 6E 71 0C 33 22 36 9E 89 88 32 E3 34 4A 4C BF .nq.3"6. ..2.4JL. >+[05C0] 80 19 81 CC A0 CB 96 DB 31 F7 2A 19 75 DE 0E DA ........ 1.*.u... >+[05D0] D0 18 FA 9E 75 E6 E4 13 C9 BE 3F C0 1B AD 5B 98 ....u... ..?...[. 
>+[05E0] E9 FC A3 9D 16 FF C8 91 03 AC 8B E6 2D 15 B3 F1 ........ ....-... >+[05F0] 23 4E 25 9E 45 3A F8 8A 19 B7 71 52 A6 92 1C FB #N%.E:.. ..qR.... >+[0600] 1F D4 4C 51 AF 9C 0E 73 D9 A8 D8 43 F2 64 71 BC ..LQ...s ...C.dq. >+[0610] AD B1 7B 8F BF 8D FF 72 89 0F 5E B6 C2 E3 C0 01 ..{....r ..^..... >+[0620] 98 41 AD 3F 6E DC 87 F5 9A E6 40 0C 17 0F 75 80 .A.?n... ..@...u. >+[0630] 0C 28 62 06 EB BF F8 69 8C 43 48 38 A8 AE F2 5E .(b....i .CH8...^ >+[0640] 45 11 23 FB 6B 85 83 54 BA 60 39 CE 08 00 D1 05 E.#.k..T .`9..... >+[0650] 5F 6F 79 96 30 28 06 DD C7 75 52 8E 3C C4 3F FC _oy.0(.. .uR.<.?. >+[0660] C1 31 28 2C 64 3B D1 7E 2F C2 DB B0 E8 A8 EF C5 .1(,d;.~ /....... >+[0670] F2 DC 43 D0 14 21 C8 D0 D3 15 45 8E 2A 3E 3B 4A ..C..!.. ..E.*>;J >+[0680] 60 25 3D 11 E4 F9 16 02 3E 55 8F CE D2 E9 95 E7 `%=..... >U...... >+[0690] B1 C4 8F C4 0B 3E 3C 14 15 28 1A 21 49 15 CE 8E .....><. .(.!I... >+[06A0] 91 5E 98 71 00 1F 29 D3 12 C8 D0 11 4F E7 14 E3 .^.q..). ....O... >+[06B0] 72 1B 61 6D 7B 8A 00 A6 5E 01 01 50 C2 CF 1A A9 r.am{... ^..P.... >+[06C0] 34 8C BA 33 9E 62 C5 69 97 6A 24 3D E0 C6 3F C6 4..3.b.i .j$=..?. >+[06D0] F4 36 B1 80 D6 5C 44 19 5B 65 C7 CA 47 DE 4B 65 .6...\D. [e..G.Ke >+[06E0] 41 29 9F F8 EA E8 E0 3B E2 C6 98 9D 58 A4 6C 62 A).....; ....X.lb >+[06F0] EF 25 12 C9 0E 97 CE 9D F0 D8 08 AD 13 73 A6 82 .%...... .....s.. >+[0700] C5 54 23 F4 A4 CB 91 35 91 BD 10 B4 04 DD 55 7E .T#....5 ......U~ >+[0710] C9 DE AE CB B0 8F C0 D8 28 AE BD 78 64 91 6C AB ........ (..xd.l. >+[0720] CA 36 EA 0E 0E 97 DC 40 ED 26 1D 09 17 28 30 D3 .6.....@ .&...(0. >+[0730] 78 DC F7 D2 9C 78 DA 6F 6F 57 00 B3 FD 8E 75 A1 x....x.o oW....u. >+[0740] 56 98 5C 4B D8 61 A6 0A 89 27 CD 11 BF 7F 79 53 V.\K.a.. .'....yS >+[0750] D9 50 9A 8D EC DD DB BB B8 23 27 0D 20 5B 53 51 .P...... .#'. [SQ >+[0760] 07 C4 26 31 3B D4 DF ED 3C 40 B4 1C 8B 46 E2 A6 ..&1;... <@...F.. >+[0770] B7 0F 97 D2 B3 1D 19 FD 13 60 7B 38 E6 37 0C 59 ........ 
.`{8.7.Y >+[0780] B0 A8 47 5D 32 A5 0C 57 76 EF 2C ED 40 9F BF 4B ..G]2..W v.,.@..K >+[0790] 43 99 3C 68 C4 DE 84 9C A1 36 8C CA CB 2A 08 36 C.<h.... .6...*.6 >+[07A0] 4E CD 43 06 9E F8 E7 1D 52 3B 59 37 4F 6F 65 D9 N.C..... R;Y7Ooe. >+[07B0] 2A F9 AD 5A 50 95 71 3F B1 5F C8 8E 2E E9 E4 FE *..ZP.q? ._...... >+[07C0] C8 A9 42 2C EE 18 E0 81 3C 00 E2 80 8D 8A 8B 71 ..B,.... <......q >+[07D0] C7 F5 AC 5C 36 1D E0 BC F0 11 57 67 CB 2C BE F6 ...\6... ..Wg.,.. >+[07E0] 90 4E F9 90 97 14 1F 0C 9D 5D 4D DF 0D D0 C0 C5 .N...... .]M..... >+[07F0] 08 E7 31 72 8E 35 63 17 8D 8B 3D 49 14 C8 A5 90 ..1r.5c. ..=I.... >+[0800] 88 24 AF 75 CA 0A CB 95 8A 2C 70 A6 CE 2F 3F B6 .$.u.... .,p../?. >+[0810] D7 1A 44 AC 05 93 EF 3D 03 C7 C2 8E 0F 31 9F 53 ..D....= .....1.S >+[0820] 67 CA 73 D3 B8 07 76 36 35 6F B5 32 30 38 86 7E g.s...v6 5o.208.~ >+[0830] 7E 95 3F DC F4 6F A9 67 0E 15 E8 4A CA 3F 18 0E ~.?..o.g ...J.?.. >+[0840] C6 E7 20 22 6B F1 39 6A 9C A6 47 64 81 E4 CB A8 .. "k.9j ..Gd.... >+[0850] 31 FF E2 97 13 41 89 45 79 53 2B A8 90 97 DE 7B 1....A.E yS+....{ >+[0860] 18 56 95 02 2A 94 D2 7E 5C D0 A0 BC A0 38 D2 BC .V..*..~ \....8.. >+[0870] 03 91 F7 35 FE 1A 5E 80 10 13 4E 83 CB F6 D7 8A ...5..^. ..N..... >+[0880] 02 A2 E8 1F D8 9B F1 76 F9 18 66 56 9C 4D 9E BF .......v ..fV.M.. >+[0890] 1D F4 66 86 E0 7B 88 EC 9C F7 50 13 7D 34 8A 54 ..f..{.. ..P.}4.T >+[08A0] 7A E1 EC F6 44 12 47 84 7D 16 B4 42 25 E5 A2 CC z...D.G. }..B%... >+[08B0] D8 CA 7A 38 21 85 A3 F8 41 6D 0D AC 1D FA 36 5D ..z8!... Am....6] >+[08C0] 23 EA 20 CC 43 A5 7E D9 25 97 BC 0E 74 F5 3D 98 #. .C.~. %...t.=. >+[08D0] B9 79 C2 65 50 0E 8D E7 7A F3 F3 88 37 A3 40 01 .y.eP... z...7.@. >+[08E0] 96 C6 FC 1D 6E 9E 06 A1 90 A0 78 3C DA 7F E9 C6 ....n... ..x<.... >+[08F0] 23 47 70 04 03 EE C2 4A C3 95 07 44 00 BD 29 2A #Gp....J ...D..)* >+[0900] B5 FA 17 1E D6 BC 00 A0 93 55 E0 82 0A AB 04 D4 ........ .U...... >+[0910] D5 56 84 2A B2 56 51 05 DB 30 E2 83 5A 75 D3 A8 .V.*.VQ. .0..Zu.. 
>+[0920] 30 B7 3E C4 25 70 A8 34 E4 A2 EB 3E FB D8 2D 10 0.>.%p.4 ...>..-. >+[0930] 72 8E DA 4D 2D 55 EC 49 66 5E 01 96 E4 C1 0C 23 r..M-U.I f^.....# >+[0940] 57 91 00 00 00 00 00 00 00 01 00 00 00 01 00 00 W....... ........ >+[0950] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX >+[0960] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D AMPLE.CO M....adm >+[0970] 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 inistrat or...... >+[0980] 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB >+[0990] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 A.EXAMPL E.COM... >+[09A0] 04 68 6F 73 74 00 00 00 0B 4C 4F 43 41 4C 4B 54 .host... .LOCALKT >+[09B0] 45 53 54 36 00 17 00 00 00 10 9D AE 06 BE 29 E0 EST6.... ......). >+[09C0] F7 9A 46 97 29 E0 69 8E 5A F0 4D 9B 90 45 4D 9B ..F.).i. Z.M..EM. >+[09D0] 90 61 7D 46 4C 43 00 00 00 00 00 40 28 00 00 00 .a}FLC.. ...@(... >+[09E0] 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 ........ ...a...0 >+[09F0] 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 ........ ....KTES >+[0A00] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. >+[0A10] 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 COM..0.. ......0. >+[0A20] 1B 04 68 6F 73 74 1B 0B 4C 4F 43 41 4C 4B 54 45 ..host.. LOCALKTE >+[0A30] 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 ST6....0 ........ >+[0A40] A1 03 02 01 03 A2 82 03 9C 04 82 03 98 B9 C5 6E ........ .......n >+[0A50] 77 F9 59 6D 19 F0 A6 56 2F 14 B3 9A A3 17 06 A6 w.Ym...V /....... >+[0A60] AD F5 92 38 6A 1E EA 3D 53 BF 5E 95 13 FF 5D BB ...8j..= S.^...]. >+[0A70] 43 4F 51 AE FB 12 3B 06 67 36 91 B9 E0 C4 C4 F3 COQ...;. g6...... >+[0A80] 45 A0 48 E6 DC 49 E8 EA 6F 55 D2 3F 79 57 54 FF E.H..I.. oU.?yWT. >+[0A90] 10 8D 89 4A A4 E2 B2 80 FD EE 36 C5 D5 4C D0 97 ...J.... ..6..L.. >+[0AA0] B3 EC 96 8B E8 5A 05 F0 13 39 8B 1B B3 C4 32 2A .....Z.. 
.9....2* >+[0AB0] 9B BB EF 06 C4 1C 53 2F 0A F6 A8 C6 BE 09 57 26 ......S/ ......W& >+[0AC0] B9 39 7B 7B 50 13 2D 6C 52 FF C4 B5 83 28 A8 47 .9{{P.-l R....(.G >+[0AD0] 5A CD 1C DD A7 65 FD 8A 84 2A 10 E7 44 E6 83 E7 Z....e.. .*..D... >+[0AE0] E7 AA B8 E5 0A 8B 7E E1 87 7B 3D C4 9F 68 BD 19 ......~. .{=..h.. >+[0AF0] 2B 59 5E 5A 45 0D B5 71 CC A6 C7 03 3C B3 17 D3 +Y^ZE..q ....<... >+[0B00] AF 99 F6 A2 52 A0 99 F7 39 56 B4 33 B4 C5 F4 CC ....R... 9V.3.... >+[0B10] 74 34 4C 00 76 26 10 D1 3A 87 6E 6A 52 9B 7A BF t4L.v&.. :.njR.z. >+[0B20] 4E 59 36 32 C5 41 29 CF E1 BF 14 E0 54 BF 4A 25 NY62.A). ....T.J% >+[0B30] 1F 0B 6E 9A 8C 0E 5D 47 A9 64 1B A4 9D 99 A9 09 ..n...]G .d...... >+[0B40] 39 14 E7 41 22 98 8C 62 CC E2 B5 91 8E C1 31 EB 9..A"..b ......1. >+[0B50] B2 70 A6 3B 86 FC DD 19 0B 3F 5D C9 B5 1A 95 73 .p.;.... .?]....s >+[0B60] EB 97 89 BE 14 87 85 17 BE 40 F6 80 14 23 4D 66 ........ .@...#Mf >+[0B70] E4 B0 E5 51 46 34 DA 1C C8 CB FF C6 84 A3 DF D2 ...QF4.. ........ >+[0B80] DC 00 AF 7B 27 C8 78 44 CB 6E 7B CC 5C 94 1E 7A ...{'.xD .n{.\..z >+[0B90] 95 29 19 F4 14 BE 5C 23 C3 B9 A4 2C 5D 4D F3 61 .)....\# ...,]M.a >+[0BA0] 63 1F D4 FE 37 EE 44 14 06 B7 14 50 B6 74 37 75 c...7.D. ...P.t7u >+[0BB0] 2C AB 06 F0 93 F9 93 34 75 63 44 7E 12 48 D1 F1 ,......4 ucD~.H.. >+[0BC0] 06 55 14 11 B9 23 43 CE 01 16 3E 6B A3 BD 23 55 .U...#C. ..>k..#U >+[0BD0] DE 48 5D AF E1 2B 89 E8 E7 C2 E2 34 25 A2 09 4A .H]..+.. ...4%..J >+[0BE0] 1F BE 05 AA DE 4B 08 65 27 4C 9B C7 54 96 C2 FB .....K.e 'L..T... >+[0BF0] E2 CE 53 4A 32 93 8D 0B 44 77 8C D3 65 54 F9 0E ..SJ2... Dw..eT.. >+[0C00] 7F 74 1E FE 3D 74 83 0F 2F E7 9F BC A2 B0 2B 25 .t..=t.. /.....+% >+[0C10] BB D2 6F A8 49 C1 3E 9E B5 93 67 74 39 A4 FE 84 ..o.I.>. ..gt9... >+[0C20] 4C 45 5F 30 74 E0 CA 5F F6 46 EC 89 B5 2D C8 14 LE_0t.._ .F...-.. >+[0C30] 69 76 BC 93 15 F4 60 30 5F AB EB 02 DD 12 4C 62 iv....`0 _.....Lb >+[0C40] F9 73 F7 01 E1 7F 2A 6F 09 05 BF 3A 3A 7E 69 A3 .s....*o ...::~i. 
>+[0C50] 7B FC 20 2B D6 CE C0 74 4F BB 29 E4 BE CE 04 9D {. +...t O.)..... >+[0C60] 24 D4 98 4A ED 94 A8 81 CD 26 A0 63 EA 09 57 42 $..J.... .&.c..WB >+[0C70] 26 B7 B5 4E B5 CB 45 35 A7 84 D8 74 CA C3 9F FF &..N..E5 ...t.... >+[0C80] C8 1E 2A 75 34 01 C5 A7 B4 9D 6F A3 E1 BB 2B F8 ..*u4... ..o...+. >+[0C90] F0 21 D6 77 57 74 2E 80 DB 76 53 01 86 33 17 32 .!.wWt.. .vS..3.2 >+[0CA0] 2E 16 E1 8D 89 3A B2 67 ED A3 ED 39 82 87 26 A6 .....:.g ...9..&. >+[0CB0] DB CE 59 84 E4 0A A6 CA 7E 07 98 F7 02 91 6E 56 ..Y..... ~.....nV >+[0CC0] 9F 60 03 D3 88 B0 FF EB 20 CA 9E 5B 37 26 67 00 .`...... ..[7&g. >+[0CD0] CC BD 9D 53 15 31 53 14 FD 9C E1 28 08 CB C4 0B ...S.1S. ...(.... >+[0CE0] E3 50 D9 DB 0C E2 E4 F9 44 50 E9 28 6E 01 96 AA .P...... DP.(n... >+[0CF0] C1 D2 4E B2 DE 38 A2 F8 94 32 79 AE 49 64 FB 57 ..N..8.. .2y.Id.W >+[0D00] 50 F6 73 E8 98 43 C6 DD 67 3C 91 AC 97 C9 2E 8C P.s..C.. g<...... >+[0D10] 06 59 A1 FC 49 EC 2F BF 6F 64 21 63 ED C8 6C CE .Y..I./. od!c..l. >+[0D20] 37 28 7B 80 7F 5F 85 F6 98 93 C0 66 A8 D6 F1 2C 7({.._.. ...f..., >+[0D30] D8 01 68 B1 C8 EA 82 0D 5B 9B 35 4F 3D B3 47 19 ..h..... [.5O=.G. >+[0D40] 54 7A C6 9F AD D7 54 CF B0 DB 3E 18 BA 2A 39 08 Tz....T. ..>..*9. >+[0D50] 0C C4 98 4B 43 DE 53 68 25 B1 83 93 1D E1 6C BF ...KC.Sh %.....l. >+[0D60] F5 B4 A9 83 17 34 64 8C 2F 91 80 97 4A 48 EC 90 .....4d. /...JH.. >+[0D70] BB FA 92 2C 01 80 E4 99 91 0E 67 88 D5 75 AB 7C ...,.... ..g..u.| >+[0D80] 98 59 98 45 C9 11 A9 8C 02 98 91 DE AB A0 FF 45 .Y.E.... .......E >+[0D90] 11 66 6F C5 DE 61 6D C6 DB C9 CA A3 A0 2B B1 73 .fo..am. .....+.s >+[0DA0] 05 85 37 BF AB CA 43 7A 6F 38 C8 BE ED CE 12 49 ..7...Cz o8.....I >+[0DB0] 93 C7 7C 1A 33 60 52 7A 67 67 AA 60 57 7E C8 FF ..|.3`Rz gg.`W~.. >+[0DC0] DF 91 91 18 45 74 C0 9E 36 19 BC 42 F9 46 CC 84 ....Et.. 6..B.F.. >+[0DD0] 09 2E 8C 59 1A E3 65 51 F4 87 6F 4C 3E 29 38 E6 ...Y..eQ ..oL>)8. >+[0DE0] 77 E8 A9 B7 FA 00 00 00 00 00 00 00 01 00 00 00 w....... ........ 
>+[0DF0] 01 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA >+[0E00] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D .EXAMPLE .COM.... >+[0E10] 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 administ rator... >+[0E20] 01 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 ........ .KTEST.S >+[0E30] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM >+[0E40] 00 00 00 04 63 69 66 73 00 00 00 0B 4C 4F 43 41 ....cifs ....LOCA >+[0E50] 4C 4B 54 45 53 54 36 00 17 00 00 00 10 01 78 D0 LKTEST6. ......x. >+[0E60] 3B 9B FF F0 88 86 4B 3B FE 41 A9 6B 00 4D 9B 90 ;.....K; .A.k.M.. >+[0E70] 45 4D 9B 90 6B 7D 46 4C 43 00 00 00 00 00 40 28 EM..k}FL C.....@( >+[0E80] 00 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 ........ ......a. >+[0E90] 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B ..0..... .......K >+[0EA0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP >+[0EB0] 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 LE.COM.. 0....... >+[0EC0] 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F 43 41 4C .0...cif s..LOCAL >+[0ED0] 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 KTEST6.. ..0..... >+[0EE0] 02 01 17 A1 03 02 01 03 A2 82 03 9C 04 82 03 98 ........ ........ >+[0EF0] CA EA 4D 46 2D D1 E9 58 5D 25 8D 9F DF EA C9 01 ..MF-..X ]%...... >+[0F00] B6 08 27 CD 14 85 02 DC 20 C6 51 AA F9 6A B1 CE ..'..... .Q..j.. >+[0F10] F5 77 84 BF 9A AC 6B A7 B2 F2 1F 60 BF CB C6 FC .w....k. ...`.... >+[0F20] C7 14 B7 41 1C A8 C9 70 7B 86 BC 8E 70 2B 65 4B ...A...p {...p+eK >+[0F30] DC F5 B9 23 F8 08 BF 96 C9 A8 77 F4 54 67 25 F8 ...#.... ..w.Tg%. >+[0F40] 0F A8 C5 D6 D1 BB 46 5E A0 7E D2 98 9C CD AF E0 ......F^ .~...... >+[0F50] 82 62 ED 39 D2 FB F2 E8 9B 1B EE E5 B4 1B C9 0A .b.9.... ........ >+[0F60] 86 27 52 6E 11 8B D7 AD B4 54 F9 C6 69 8D E0 F1 .'Rn.... .T..i... >+[0F70] CD 63 1C 89 7C 8F B6 A0 71 53 A6 DA B1 66 D2 9D .c..|... qS...f.. >+[0F80] D3 4C A8 FB C6 9D 81 74 10 8E 84 D2 3D D8 1C BE .L.....t ....=... 
>+[0F90] BB 3F F7 BF 91 3E 89 66 43 A1 E0 90 1B 1A 97 FF .?...>.f C....... >+[0FA0] EF CC 35 75 14 62 4F 67 3A 29 F4 F9 C5 2E BE C5 ..5u.bOg :)...... >+[0FB0] C2 2B A8 35 22 D9 92 31 1D 49 2A A5 19 AA 08 0F .+.5"..1 .I*..... >+[0FC0] A8 22 0B 68 D2 A2 D7 07 7B 37 1E A3 AC 9B 4F 0A .".h.... {7....O. >+[0FD0] A4 FA 7F 37 6F 3E 35 79 4E 00 4B B6 28 A3 6A E4 ...7o>5y N.K.(.j. >+[0FE0] 0C 95 53 BA E8 41 07 DA BE E9 08 B9 51 24 91 49 ..S..A.. ....Q$.I >+[0FF0] 78 5D 44 12 BC 85 63 81 B8 E0 88 D5 95 0C D3 A8 x]D...c. ........ >+[1000] 1D 32 4B E4 A0 C8 A7 7D 3C 97 EE D8 59 AC 3A 21 .2K....} <...Y.:! >+[1010] 09 F2 7A CC D0 4A F3 50 10 DC FC 26 BB C2 6A 8E ..z..J.P ...&..j. >+[1020] 8B 14 2B 2D 50 2E B3 1E 9B D2 69 56 22 F2 48 BD ..+-P... ..iV".H. >+[1030] E9 2E 2F 28 DE 77 67 5F 68 AA 29 05 4B 36 58 40 ../(.wg_ h.).K6X@ >+[1040] E5 54 11 C5 4D 68 96 49 9D 53 37 87 5F D2 3A 9B .T..Mh.I .S7._.:. >+[1050] E9 8E 79 BE AE 11 B4 6B AB FD DB 8A F5 A0 9B 29 ..y....k .......) >+[1060] D9 F5 ED CA FA 3F FE 35 FC F4 69 7E E4 D0 44 29 .....?.5 ..i~..D) >+[1070] 48 FF 82 61 26 FC D3 E2 10 EE 14 F7 4A E3 CD F2 H..a&... ....J... >+[1080] 8B BC 8B 43 64 2C DE 40 6E BB E1 56 C0 B6 2C D0 ...Cd,.@ n..V..,. >+[1090] E5 1E E9 B3 FB 38 48 66 ED AF D2 25 D1 35 5C C6 .....8Hf ...%.5\. >+[10A0] F0 4D 36 19 0B EC 33 07 34 D0 27 8D 14 DC 01 45 .M6...3. 4.'....E >+[10B0] DE F8 73 A6 A0 F4 C1 91 9D BD 05 E3 70 25 E1 10 ..s..... ....p%.. >+[10C0] 44 F6 4B 46 F7 24 84 BF 20 96 AD 6A 96 94 81 58 D.KF.$.. ..j...X >+[10D0] 80 95 06 92 F5 7F 17 39 3B 32 47 B2 C5 CE 7B 73 .......9 ;2G...{s >+[10E0] CF 53 AE FA D1 9A 60 5A 98 EC 8C FA BD C0 CE 8D .S....`Z ........ >+[10F0] C5 27 E6 17 1A 4D 47 D8 3F 5D A9 7C FB 2C B3 05 .'...MG. ?].|.,.. >+[1100] 0C 69 20 48 99 80 11 DC 48 AB A7 EA 5B 98 C1 15 .i H.... H...[... >+[1110] 27 AE FA 3E 1E 1E E0 E1 F8 32 C0 54 13 D6 30 34 '..>.... .2.T..04 >+[1120] 71 98 26 61 6C 1C C4 C7 4E C4 A6 7E FE A8 B8 89 q.&al... N..~.... 
>+[1130] 2A 70 3C 19 58 8D 57 45 55 83 0A C2 B5 F7 89 0E *p<.X.WE U....... >+[1140] 7B 7A 17 0C CF 6E 08 A5 F7 21 4A 62 81 4F 49 CA {z...n.. .!Jb.OI. >+[1150] E2 ED C2 B4 C7 33 5C BC A1 A0 DE 4E 09 37 BE 24 .....3\. ...N.7.$ >+[1160] 62 22 94 55 75 AA 53 DE E0 74 5A B0 B8 E9 BF 2B b".Uu.S. .tZ....+ >+[1170] 12 65 2F 90 6B 84 ED 11 AD F7 CE 19 A1 96 E4 1E .e/.k... ........ >+[1180] 8C EA C8 81 1B 47 4F 5F B1 5D A5 8B E3 0D 5A 80 .....GO_ .]....Z. >+[1190] 89 EC 4B D9 CE ED E8 67 7F 96 FC 1B EF 65 C2 68 ..K....g .....e.h >+[11A0] 40 F7 20 36 83 58 62 F4 CA 02 F4 5C 0D 46 B1 CB @. 6.Xb. ...\.F.. >+[11B0] 50 D2 D8 3D B7 9A 96 48 8C CF EB E6 8C F4 B2 B4 P..=...H ........ >+[11C0] 47 C9 34 C9 DC 14 F1 33 1B 6F 9E 65 27 D7 9D 46 G.4....3 .o.e'..F >+[11D0] 1E 91 FF 2E FB 8E 97 5D 17 8F 48 54 7C 3C A0 11 .......] ..HT|<.. >+[11E0] 9C AA 77 E9 79 DE 26 D1 F0 7C EA 24 73 BE EC 60 ..w.y.&. .|.$s..` >+[11F0] B4 EE BD ED 0D 0A AB 74 60 6E 46 C0 35 5B 65 1A .......t `nF.5[e. >+[1200] A4 4A 5C 22 AC B9 CD B7 56 06 88 09 FC 48 68 55 .J\".... V....HhU >+[1210] B7 5E 39 72 DF 8A 4C CD 79 74 B0 84 0B 78 DA B2 .^9r..L. yt...x.. >+[1220] 55 F8 06 0B 5C 27 06 B3 CA 10 65 6B 04 A3 64 11 U...\'.. ..ek..d. >+[1230] 04 09 DC DF 67 00 70 B1 16 DF 24 E9 27 85 11 91 ....g.p. ..$.'... >+[1240] 31 CB 92 95 50 18 91 08 C2 A1 A3 76 C7 1A FC 64 1...P... ...v...d >+[1250] 9E 2C 3A E7 30 F4 16 0D A0 56 C0 BC D2 FE 2D A0 .,:.0... .V....-. >+[1260] 20 A4 E2 82 AD F0 C5 12 71 09 23 E1 66 52 53 D0 ....... q.#.fRS. >+[1270] 89 30 E7 BE B7 C2 89 F2 1C 7A F6 8E D7 28 F0 A4 .0...... .z...(.. >+[1280] 33 46 7C A2 79 66 DE 26 00 00 00 00 3F|.yf.& .... >+dump OK >-- >2.25.1 > > >From 7626691b06245f56949686878b0f7b70288b7711 Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Wed, 28 Apr 2021 11:02:47 +1200
>Subject: [PATCH 072/686] krb5: Add Python functions to create a credentials
> cache containing a service ticket
>
>This is a FILE: format credentials cache readable by the MIT/Heimdal
>Kerberos libraries. This allows us to glue the Python ASN1 Kerberos
>system to the MIT/Heimdal one.
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 2d88a6ff3dbcf650b09ef9c8c37170ca6663b533)
>---
> python/samba/tests/krb5/kdc_base_test.py | 167 ++++++++++++++++++++++-
> 1 file changed, 163 insertions(+), 4 deletions(-)
>
>diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
>index 1c7f05dda6d..d8193ae9cdc 100644
>--- a/python/samba/tests/krb5/kdc_base_test.py
>+++ b/python/samba/tests/krb5/kdc_base_test.py
>@@ -1,6 +1,6 @@
> # Unix SMB/CIFS implementation.
> # Copyright (C) Stefan Metzmacher 2020
>-# Copyright (C) 2020 Catalyst.Net Ltd
>+# Copyright (C) 2020-2021 Catalyst.Net Ltd
> #
> # This program is free software; you can redistribute it and/or modify
> # it under the terms of the GNU General Public License as published by
>@@ -18,6 +18,8 @@
>
> import sys
> import os
>+from datetime import datetime
>+import tempfile
>
> sys.path.insert(0, "bin/python")
> os.environ["PYTHONUNBUFFERED"] = "1"
>@@ -26,10 +28,10 @@ import ldb > from ldb import SCOPE_BASE > from samba import generate_random_password > from samba.auth import system_session >-from samba.credentials import Credentials >-from samba.dcerpc import krb5pac >+from samba.credentials import Credentials, SPECIFIED, MUST_USE_KERBEROS >+from samba.dcerpc import krb5pac, krb5ccache > from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_NORMAL_ACCOUNT >-from samba.ndr import ndr_unpack >+from samba.ndr import ndr_pack, ndr_unpack > from samba.samdb import SamDB > > from samba.tests import delete_force >@@ -38,6 +40,8 @@ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 > from samba.tests.krb5.rfc4120_constants import ( > AD_IF_RELEVANT, > AD_WIN2K_PAC, >+ AES256_CTS_HMAC_SHA1_96, >+ ARCFOUR_HMAC_MD5, > KDC_ERR_PREAUTH_REQUIRED, > KRB_AS_REP, > KRB_TGS_REP, >@@ -46,6 +50,8 @@ from samba.tests.krb5.rfc4120_constants import ( > KU_PA_ENC_TIMESTAMP, > KU_TGS_REP_ENC_PART_SUB_KEY, > KU_TICKET, >+ NT_PRINCIPAL, >+ NT_SRV_HST, > PADATA_ENC_TIMESTAMP, > PADATA_ETYPE_INFO2, > ) 
>@@ -445,3 +451,156 @@ class KDCBaseTest(RawKerberosTest): > msg = ldb.Message(dn) > msg[name] = ldb.MessageElement(values, flag, name) > self.ldb.modify(msg) >+ >+ def create_ccache(self, cname, ticket, enc_part): >+ """ Lay out a version 4 on-disk credentials cache, to be read using the >+ FILE: protocol. >+ """ >+ >+ field = krb5ccache.DELTATIME_TAG() >+ field.kdc_sec_offset = 0 >+ field.kdc_usec_offset = 0 >+ >+ v4tag = krb5ccache.V4TAG() >+ v4tag.tag = 1 >+ v4tag.field = field >+ >+ v4tags = krb5ccache.V4TAGS() >+ v4tags.tag = v4tag >+ v4tags.further_tags = b'' >+ >+ optional_header = krb5ccache.V4HEADER() >+ optional_header.v4tags = v4tags >+ >+ cname_string = cname['name-string'] >+ >+ cprincipal = krb5ccache.PRINCIPAL() >+ cprincipal.name_type = cname['name-type'] >+ cprincipal.component_count = len(cname_string) >+ cprincipal.realm = ticket['realm'] >+ cprincipal.components = cname_string >+ >+ sname = ticket['sname'] >+ sname_string = sname['name-string'] >+ >+ sprincipal = krb5ccache.PRINCIPAL() >+ sprincipal.name_type = sname['name-type'] >+ sprincipal.component_count = len(sname_string) >+ sprincipal.realm = ticket['realm'] >+ sprincipal.components = sname_string >+ >+ key = self.EncryptionKey_import(enc_part['key']) >+ >+ key_data = key.export_obj() >+ keyblock = krb5ccache.KEYBLOCK() >+ keyblock.enctype = key_data['keytype'] >+ keyblock.data = key_data['keyvalue'] >+ >+ addresses = krb5ccache.ADDRESSES() >+ addresses.count = 0 >+ addresses.data = [] >+ >+ authdata = krb5ccache.AUTHDATA() >+ authdata.count = 0 >+ authdata.data = [] >+ >+ # Re-encode the ticket, since it was decoded by another layer. 
>+ ticket_data = self.der_encode(ticket, asn1Spec=krb5_asn1.Ticket()) >+ >+ authtime = enc_part['authtime'] >+ try: >+ starttime = enc_part['starttime'] >+ except KeyError: >+ starttime = authtime >+ endtime = enc_part['endtime'] >+ >+ cred = krb5ccache.CREDENTIAL() >+ cred.client = cprincipal >+ cred.server = sprincipal >+ cred.keyblock = keyblock >+ cred.authtime = int(datetime.strptime(authtime.decode(), >+ "%Y%m%d%H%M%SZ").timestamp()) >+ cred.starttime = int(datetime.strptime(starttime.decode(), >+ "%Y%m%d%H%M%SZ").timestamp()) >+ cred.endtime = int(datetime.strptime(endtime.decode(), >+ "%Y%m%d%H%M%SZ").timestamp()) >+ cred.renew_till = cred.endtime >+ cred.is_skey = 0 >+ cred.ticket_flags = int(enc_part['flags'], 2) >+ cred.addresses = addresses >+ cred.authdata = authdata >+ cred.ticket = ticket_data >+ cred.second_ticket = b'' >+ >+ ccache = krb5ccache.CCACHE() >+ ccache.pvno = 5 >+ ccache.version = 4 >+ ccache.optional_header = optional_header >+ ccache.principal = cprincipal >+ ccache.cred = cred >+ >+ # Serialise the credentials cache structure. >+ result = ndr_pack(ccache) >+ >+ # Create a temporary file and write the credentials. >+ cachefile = tempfile.NamedTemporaryFile(dir=self.tempdir, delete=False) >+ cachefile.write(result) >+ cachefile.close() >+ >+ return cachefile >+ >+ def create_ccache_with_user(self, user_credentials, mach_name, >+ service="host"): >+ # Obtain a service ticket authorising the user and place it into a >+ # newly created credentials cache file. 
>+ >+ user_name = user_credentials.get_username() >+ realm = user_credentials.get_realm() >+ >+ # Do the initial AS-REQ, should get a pre-authentication required >+ # response >+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) >+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >+ names=[user_name]) >+ sname = self.PrincipalName_create(name_type=NT_SRV_HST, >+ names=["krbtgt", realm]) >+ >+ rep = self.as_req(cname, sname, realm, etype) >+ self.check_pre_authenication(rep) >+ >+ # Do the next AS-REQ >+ padata = self.get_pa_data(user_credentials, rep) >+ key = self.get_as_rep_key(user_credentials, rep) >+ rep = self.as_req(cname, sname, realm, etype, padata=padata) >+ self.check_as_reply(rep) >+ >+ # Request a ticket to the host service on the machine account >+ ticket = rep['ticket'] >+ enc_part = self.get_as_rep_enc_data(key, rep) >+ key = self.EncryptionKey_import(enc_part['key']) >+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, >+ names=[user_name]) >+ sname = self.PrincipalName_create(name_type=NT_SRV_HST, >+ names=[service, mach_name]) >+ >+ (rep, enc_part) = self.tgs_req( >+ cname, sname, realm, ticket, key, etype) >+ self.check_tgs_reply(rep) >+ key = self.EncryptionKey_import(enc_part['key']) >+ >+ # Check the contents of the pac, and the ticket >+ ticket = rep['ticket'] >+ >+ # Write the ticket into a credentials cache file that can be ingested >+ # by the main credentials code. >+ cachefile = self.create_ccache(cname, ticket, enc_part) >+ >+ # Create a credentials object to reference the credentials cache. >+ creds = Credentials() >+ creds.set_kerberos_state(MUST_USE_KERBEROS) >+ creds.set_username(user_name, SPECIFIED) >+ creds.set_realm(realm) >+ creds.set_named_ccache(cachefile.name, SPECIFIED, self.lp) >+ >+ # Return the credentials along with the cache file. >+ return (creds, cachefile) >-- >2.25.1 > > >From ba7335006e1361534e023686cee49b3f87c03b8d Mon Sep 17 00:00:00 2001 
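Review bot: In create_ccache (python/samba/tests/krb5/kdc_base_test.py), the three `datetime.strptime(...).timestamp()` conversions for authtime, starttime and endtime build naive datetimes, and `timestamp()` reads a naive value as the test host's local time, while the `Z` in the format string marks the Kerberos times as UTC. On a host that is not running in UTC the times written to the cache are shifted by the local offset, which the library reading the file may treat as a ticket that is not yet valid or already expired. Attaching the zone before converting avoids this: `datetime.strptime(authtime.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc).timestamp()`, with `from datetime import datetime, timezone` in the import hunk. The file holds the session key and is created with `delete=False`, so create_ccache_with_user would also benefit from a docstring stating that the caller must remove `cachefile.name`.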
>From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Wed, 28 Apr 2021 11:06:33 +1200 >Subject: [PATCH 073/686] python: Add credentials cache test > >Test that we can use a credentials cache with a user's service ticket >obtained with our Python code to connect to a service using the normal >credentials system backed on to MIT/Heimdal Kerberos 5 libraries. This >will allow us to validate the output of the MIT/Heimdal libraries in the >future. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 >(cherry picked from commit c15f26ec40860782b22e862f9bdf665745387718) >--- > python/samba/tests/krb5/raw_testcase.py | 8 +- > python/samba/tests/krb5/rfc4120_constants.py | 1 + > python/samba/tests/krb5/test_ccache.py | 127 +++++++++++++++++++ > python/samba/tests/usage.py | 1 + > source4/selftest/tests.py | 2 + > 5 files changed, 135 insertions(+), 4 deletions(-) > create mode 100755 python/samba/tests/krb5/test_ccache.py > >diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py >index 82e68ee7019..27ab89ecf99 100644 >--- a/python/samba/tests/krb5/raw_testcase.py >+++ b/python/samba/tests/krb5/raw_testcase.py >@@ -25,7 +25,7 @@ import random > > import samba.tests > from samba.credentials import Credentials >-from samba.tests import TestCase >+from samba.tests import TestCaseInTempDir > import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 > import samba.tests.krb5.kcrypto as kcrypto > >@@ -178,11 +178,11 @@ class Krb5EncryptionKey(object): > return EncryptionKey_obj > > >-class RawKerberosTest(TestCase): >+class RawKerberosTest(TestCaseInTempDir): > """A raw Kerberos Test case.""" > > def setUp(self): >- super(RawKerberosTest, self).setUp() >+ super().setUp() > self.do_asn1_print = False > self.do_hexdump = False 
> >@@ -192,7 +192,7 @@ class RawKerberosTest(TestCase): > > def tearDown(self): > self._disconnect("tearDown") >- super(TestCase, self).tearDown() >+ super().tearDown() > > def _disconnect(self, reason): > if self.s is None: >diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py >index 5bbf1229d09..702f6084217 100644 >--- a/python/samba/tests/krb5/rfc4120_constants.py >+++ b/python/samba/tests/krb5/rfc4120_constants.py >@@ -46,6 +46,7 @@ KDC_ERR_SKEW = 37 > # Name types > NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) > NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) >+NT_SRV_HST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-HST')) > NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) > NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues( > 'kRB5-NT-ENTERPRISE-PRINCIPAL')) >diff --git a/python/samba/tests/krb5/test_ccache.py b/python/samba/tests/krb5/test_ccache.py >new file mode 100755 >index 00000000000..e0998a4c43f >--- /dev/null >+++ b/python/samba/tests/krb5/test_ccache.py 
>@@ -0,0 +1,127 @@ >+#!/usr/bin/env python3 >+# Unix SMB/CIFS implementation. >+# Copyright (C) Stefan Metzmacher 2020 >+# Copyright (C) 2021 Catalyst.Net Ltd >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import sys >+import os >+ >+from ldb import SCOPE_SUBTREE >+from samba import gensec >+from samba.auth import AuthContext >+from samba.dcerpc import security >+from samba.ndr import ndr_unpack >+ >+from samba.tests.krb5.kdc_base_test import KDCBaseTest >+ >+sys.path.insert(0, "bin/python") >+os.environ["PYTHONUNBUFFERED"] = "1" >+ >+global_asn1_print = False >+global_hexdump = False >+ >+ >+class CcacheTests(KDCBaseTest): >+ """Test for authentication using Kerberos credentials stored in a >+ credentials cache file. >+ """ >+ >+ def test_ccache(self): >+ # Create a user account and a machine account, along with a Kerberos >+ # credentials cache file where the service ticket authenticating the >+ # user are stored. >+ >+ user_name = "ccacheusr" >+ mach_name = "ccachemac" >+ >+ # Create the user account. >+ (user_credentials, _) = self.create_account(user_name) >+ >+ # Create the machine account. >+ (mach_credentials, _) = self.create_account(mach_name, >+ machine_account=True) >+ >+ # Talk to the KDC to obtain the service ticket, which gets placed into >+ # the cache. 
The machine account name has to match the name in the >+ # ticket, to ensure that the krbtgt ticket doesn't also need to be >+ # stored. >+ (creds, cachefile) = self.create_ccache_with_user(user_credentials, >+ mach_name) >+ >+ # Authenticate in-process to the machine account using the user's >+ # cached credentials. >+ >+ settings = {} >+ settings["lp_ctx"] = self.lp >+ settings["target_hostname"] = mach_name >+ >+ gensec_client = gensec.Security.start_client(settings) >+ gensec_client.set_credentials(creds) >+ gensec_client.want_feature(gensec.FEATURE_SEAL) >+ gensec_client.start_mech_by_sasl_name("GSSAPI") >+ >+ auth_context = AuthContext(lp_ctx=self.lp, ldb=self.ldb, methods=[]) >+ >+ gensec_server = gensec.Security.start_server(settings, auth_context) >+ gensec_server.set_credentials(mach_credentials) >+ >+ gensec_server.start_mech_by_sasl_name("GSSAPI") >+ >+ client_finished = False >+ server_finished = False >+ server_to_client = b'' >+ >+ # Operate as both the client and the server to verify the user's >+ # credentials. >+ while not client_finished or not server_finished: >+ if not client_finished: >+ print("running client gensec_update") >+ (client_finished, client_to_server) = gensec_client.update( >+ server_to_client) >+ if not server_finished: >+ print("running server gensec_update") >+ (server_finished, server_to_client) = gensec_server.update( >+ client_to_server) >+ >+ # Ensure that the first SID contained within the obtained security >+ # token is the SID of the user we created. >+ >+ # Retrieve the user account's SID. >+ ldb_res = self.ldb.search(scope=SCOPE_SUBTREE, >+ expression="(sAMAccountName=%s)" % user_name, >+ attrs=["objectSid"]) >+ self.assertEqual(1, len(ldb_res)) >+ sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0]) >+ >+ # Retrieve the SIDs from the security token. 
>+ session = gensec_server.session_info() >+ token = session.security_token >+ token_sids = token.sids >+ self.assertGreater(len(token_sids), 0) >+ >+ # Ensure that they match. >+ self.assertEqual(sid, token_sids[0]) >+ >+ # Remove the cached credentials file. >+ os.remove(cachefile.name) >+ >+ >+if __name__ == "__main__": >+ global_asn1_print = True >+ global_hexdump = True >+ import unittest >+ unittest.main() >diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py >index 14f7cbfd7cd..f97b30d68df 100644 >--- a/python/samba/tests/usage.py >+++ b/python/samba/tests/usage.py >@@ -93,6 +93,7 @@ EXCLUDE_USAGE = { > 'python/samba/tests/krb5/kdc_tests.py', > 'python/samba/tests/krb5/kdc_base_test.py', > 'python/samba/tests/krb5/kdc_tgs_tests.py', >+ 'python/samba/tests/krb5/test_ccache.py', > 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', > } > >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 3310d47f167..c2fe31bdb4d 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -723,6 +723,8 @@ planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", > > planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") > >+planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache") >+ > for env in ["ad_dc", smbv1_disabled_testenv]: > planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) > planoldpythontestsuite(env + ":local", "samba.tests.ntacls_backup", >-- >2.25.1 > > >From 1224fb0d2c4fb07b2078f6cf4a492b67666beb34 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Thu, 29 Apr 2021 20:58:11 +1200 >Subject: [PATCH 074/686] python: Add LDAP credentials cache test > >Test that we can use a credentials cache with a user's service ticket >obtained with our Python code to connect to a service through LDAP. 
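Review bot: In test_ccache the closing `os.remove(cachefile.name)` is reached only when every assertion before it passes, so a failing run leaves the credentials cache, which holds the user's service ticket and session key, in the test's temporary directory. Registering the removal immediately after the cache is created makes it unconditional: `self.addCleanup(os.remove, cachefile.name)`. test_ldap.py and test_rpc.py in the following patches end with the same `os.remove` call and would take the same change. Separately, `sys.path.insert(0, "bin/python")` runs after the samba imports in this file, so it presumably has no effect on how they are resolved.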
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 7663b5c37fa3413f7c67c018107322494e4a6fd9)
>---
> python/samba/tests/krb5/test_ldap.py | 94 ++++++++++++++++++++++++++++
> python/samba/tests/usage.py | 1 +
> source4/selftest/tests.py | 1 +
> 3 files changed, 96 insertions(+)
> create mode 100755 python/samba/tests/krb5/test_ldap.py
>
>diff --git a/python/samba/tests/krb5/test_ldap.py b/python/samba/tests/krb5/test_ldap.py
>new file mode 100755
>index 00000000000..6a4bf52d77f
>--- /dev/null
>+++ b/python/samba/tests/krb5/test_ldap.py
>@@ -0,0 +1,94 @@ >+#!/usr/bin/env python3 >+# Unix SMB/CIFS implementation. >+# Copyright (C) Stefan Metzmacher 2020 >+# Copyright (C) 2021 Catalyst.Net Ltd >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import sys >+import os >+ >+from ldb import SCOPE_BASE, SCOPE_SUBTREE >+from samba.dcerpc import security >+from samba.ndr import ndr_unpack >+from samba.samdb import SamDB >+ >+from samba.tests.krb5.kdc_base_test import KDCBaseTest >+ >+sys.path.insert(0, "bin/python") >+os.environ["PYTHONUNBUFFERED"] = "1" >+ >+global_asn1_print = False >+global_hexdump = False >+ >+ >+class LdapTests(KDCBaseTest): >+ """Test for LDAP authentication using Kerberos credentials stored in a >+ credentials cache file. >+ """ >+ >+ def test_ldap(self): >+ # Create a user account and a machine account, along with a Kerberos >+ # credentials cache file where the service ticket authenticating the >+ # user are stored. >+ >+ user_name = "ldapusr" >+ mach_name = self.dns_host_name >+ service = "ldap" >+ >+ # Create the user account. >+ (user_credentials, _) = self.create_account(user_name) >+ >+ # Talk to the KDC to obtain the service ticket, which gets placed into >+ # the cache. The machine account name has to match the name in the >+ # ticket, to ensure that the krbtgt ticket doesn't also need to be >+ # stored. 
>+ (creds, cachefile) = self.create_ccache_with_user(user_credentials, >+ mach_name, >+ service) >+ >+ # Authenticate in-process to the machine account using the user's >+ # cached credentials. >+ >+ # Retrieve the user account's SID. >+ ldb_res = self.ldb.search(scope=SCOPE_SUBTREE, >+ expression="(sAMAccountName=%s)" % user_name, >+ attrs=["objectSid"]) >+ self.assertEqual(1, len(ldb_res)) >+ sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0]) >+ >+ # Connect to the machine account and retrieve the user SID. >+ ldb_as_user = SamDB(url="ldap://%s" % mach_name, >+ credentials=creds, >+ lp=self.lp) >+ ldb_res = ldb_as_user.search('', >+ scope=SCOPE_BASE, >+ attrs=["tokenGroups"]) >+ self.assertEqual(1, len(ldb_res)) >+ >+ token_sid = ndr_unpack(security.dom_sid, ldb_res[0]["tokenGroups"][0]) >+ >+ # Ensure that they match. >+ self.assertEqual(sid, token_sid) >+ >+ # Remove the cached credentials file. >+ os.remove(cachefile.name) >+ >+ >+if __name__ == "__main__": >+ global_asn1_print = True >+ global_hexdump = True >+ import unittest >+ unittest.main() >diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py >index f97b30d68df..919c800dee8 100644 >--- a/python/samba/tests/usage.py >+++ b/python/samba/tests/usage.py >@@ -94,6 +94,7 @@ EXCLUDE_USAGE = { > 'python/samba/tests/krb5/kdc_base_test.py', > 'python/samba/tests/krb5/kdc_tgs_tests.py', > 'python/samba/tests/krb5/test_ccache.py', >+ 'python/samba/tests/krb5/test_ldap.py', > 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', > } > >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index c2fe31bdb4d..883212cc65e 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py 
>@@ -724,6 +724,7 @@ planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests",
> planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests")
>
> planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache")
>+planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap")
>
> for env in ["ad_dc", smbv1_disabled_testenv]:
> planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True)
>--
>2.25.1
>
>
>From aaaa1ce71e61326a8065a842bc860226178b6dce Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Thu, 29 Apr 2021 21:04:25 +1200
>Subject: [PATCH 075/686] python: Add RPC credentials cache test
>
>Test that we can use a credentials cache with a user's service ticket
>obtained with our Python code to connect to a service through RPC.
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 072451a033da07c0cdaa005dd1020ef1c7951e99)
>---
> python/samba/tests/krb5/test_rpc.py | 77 +++++++++++++++++++++++++++++
> python/samba/tests/usage.py | 1 +
> source4/selftest/tests.py | 1 +
> 3 files changed, 79 insertions(+)
> create mode 100755 python/samba/tests/krb5/test_rpc.py
>
>diff --git a/python/samba/tests/krb5/test_rpc.py b/python/samba/tests/krb5/test_rpc.py
>new file mode 100755
>index 00000000000..da1c4eb88ac
>--- /dev/null
>+++ b/python/samba/tests/krb5/test_rpc.py
>@@ -0,0 +1,77 @@ >+#!/usr/bin/env python3 >+# Unix SMB/CIFS implementation. >+# Copyright (C) Stefan Metzmacher 2020 >+# Copyright (C) 2021 Catalyst.Net Ltd >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import sys >+import os >+ >+from samba.dcerpc import lsa >+ >+from samba.tests.krb5.kdc_base_test import KDCBaseTest >+ >+sys.path.insert(0, "bin/python") >+os.environ["PYTHONUNBUFFERED"] = "1" >+ >+global_asn1_print = False >+global_hexdump = False >+ >+ >+class RpcTests(KDCBaseTest): >+ """Test for RPC authentication using Kerberos credentials stored in a >+ credentials cache file. >+ """ >+ >+ def test_rpc(self): >+ # Create a user account and a machine account, along with a Kerberos >+ # credentials cache file where the service ticket authenticating the >+ # user are stored. >+ >+ user_name = "rpcusr" >+ mach_name = self.dns_host_name >+ service = "cifs" >+ >+ # Create the user account. >+ (user_credentials, _) = self.create_account(user_name) >+ >+ # Talk to the KDC to obtain the service ticket, which gets placed into >+ # the cache. The machine account name has to match the name in the >+ # ticket, to ensure that the krbtgt ticket doesn't also need to be >+ # stored. 
>+ (creds, cachefile) = self.create_ccache_with_user(user_credentials, >+ mach_name, >+ service) >+ >+ # Authenticate in-process to the machine account using the user's >+ # cached credentials. >+ >+ binding_str = "ncacn_np:%s[\\pipe\\lsarpc]" % mach_name >+ conn = lsa.lsarpc(binding_str, self.lp, creds) >+ >+ (account_name, _) = conn.GetUserName(None, None, None) >+ >+ self.assertEqual(user_name, account_name.string) >+ >+ # Remove the cached credentials file. >+ os.remove(cachefile.name) >+ >+ >+if __name__ == "__main__": >+ global_asn1_print = True >+ global_hexdump = True >+ import unittest >+ unittest.main() >diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py >index 919c800dee8..c0f8736a4e5 100644 >--- a/python/samba/tests/usage.py >+++ b/python/samba/tests/usage.py >@@ -95,6 +95,7 @@ EXCLUDE_USAGE = { > 'python/samba/tests/krb5/kdc_tgs_tests.py', > 'python/samba/tests/krb5/test_ccache.py', > 'python/samba/tests/krb5/test_ldap.py', >+ 'python/samba/tests/krb5/test_rpc.py', > 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', > } > >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 883212cc65e..84a78860d1d 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -725,6 +725,7 @@ planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") > > planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache") > planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap") >+planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_rpc") > > for env in ["ad_dc", smbv1_disabled_testenv]: > planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True) >-- >2.25.1 > > >From 8eb32a1ef013f2325df3b607cc3a0c1fded6bf44 Mon Sep 17 00:00:00 2001 
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Mon, 3 May 2021 15:55:01 +1200
>Subject: [PATCH 076/686] libsmb: Remove overflow check
>
>Pointer overflow is undefined, so this check does not accomplish
>anything.
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit db5b34c7682e36630908356cf674fddd18d8fa1f)
>---
> source3/libsmb/clifsinfo.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
>index 09c0d9535f1..cc9f7382d49 100644
>--- a/source3/libsmb/clifsinfo.c
>+++ b/source3/libsmb/clifsinfo.c
>@@ -650,7 +650,7 @@ static void cli_posix_whoami_done(struct tevent_req *subreq)
> * parsing network packets in C.
> */
>
>- if (num_rdata < 40 || rdata + num_rdata < rdata) {
>+ if (num_rdata < 40) {
> tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
> return;
> }
>--
>2.25.1
>
>
>From b265c38c5ba632f8e4419610950a2b63d89da8d1 Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Mon, 3 May 2021 16:16:51 +1200
>Subject: [PATCH 077/686] libsmb: Avoid undefined behaviour when parsing whoami
> state
>
>If num_gids is such that the gids array would overflow the rdata buffer,
>'p + 8' could produce a result pointing outside the buffer, and thus
>result in undefined behaviour. To avoid this, we check num_gids against
>the size of the buffer beforehand.
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 9d8aeed33d8edf7a5dc96dbe35e4e164e2baeeeb)
>---
> source3/libsmb/clifsinfo.c | 12 +++++++-----
> 1 file changed, 7 insertions(+), 5 deletions(-)
>
>diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
>index cc9f7382d49..aca559d153b 100644
>--- a/source3/libsmb/clifsinfo.c
>+++ b/source3/libsmb/clifsinfo.c
>@@ -661,6 +661,13 @@ static void cli_posix_whoami_done(struct tevent_req *subreq)
> state->num_gids = IVAL(rdata, 24);
> state->num_sids = IVAL(rdata, 28);
>
>+ /* Ensure the gid array doesn't overflow */
>+ if (state->num_gids > (num_rdata - 40) / sizeof(uint64_t)) {
>+ tevent_req_nterror(req,
>+ NT_STATUS_INVALID_NETWORK_RESPONSE);
>+ return;
>+ }
>+
> state->gids = talloc_array(state, uint64_t, state->num_gids);
> if (tevent_req_nomem(state->gids, req)) {
> return;
>@@ -673,11 +680,6 @@ static void cli_posix_whoami_done(struct tevent_req *subreq)
> p = rdata + 40;
>
> for (i = 0; i < state->num_gids; i++) {
>- if (p + 8 > rdata + num_rdata) {
>- tevent_req_nterror(req,
>- NT_STATUS_INVALID_NETWORK_RESPONSE);
>- return;
>- }
> state->gids[i] = BVAL(p, 0);
> p += 8;
> }
>--
>2.25.1
>
>
>From f127ec82dde5676543db85d09f494e8952772eb7 Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Mon, 3 May 2021 16:22:43 +1200
>Subject: [PATCH 078/686] libsmb: Check to see that whoami is not receiving
> more data than it requested
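Review bot: In cli_posix_whoami_done (source3/libsmb/clifsinfo.c), `state->num_sids` is read from the same response two lines above the new check but gets no matching bound, so only the gid count is tied to `num_rdata` before it is used. The SID allocation and parsing lie outside this hunk and may validate each entry as it is read, but checking the count up front would reject an inconsistent response before any array is sized from it. An encoded SID is at least 8 bytes, so `if (state->num_sids > (num_rdata - 40 - state->num_gids * sizeof(uint64_t)) / 8)` placed after the gid check, returning the same NT_STATUS_INVALID_NETWORK_RESPONSE, would cover it. The added comment could also say that `num_rdata - 40` cannot wrap only because of the earlier `num_rdata < 40` test, which sits outside the hunk.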
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 9e414233c84d2f2fa4a9415be9ee975eca8b9bfd)
>---
> source3/libsmb/clifsinfo.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
>diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
>index aca559d153b..6f3c07a8a7e 100644
>--- a/source3/libsmb/clifsinfo.c
>+++ b/source3/libsmb/clifsinfo.c
>@@ -570,6 +570,8 @@ struct posix_whoami_state {
>
> static void cli_posix_whoami_done(struct tevent_req *subreq);
>
>+static const uint32_t posix_whoami_max_rdata = 62*1024;
>+
> struct tevent_req *cli_posix_whoami_send(TALLOC_CTX *mem_ctx,
> struct tevent_context *ev,
> struct cli_state *cli)
>@@ -586,7 +588,7 @@ struct tevent_req *cli_posix_whoami_send(TALLOC_CTX *mem_ctx,
> SSVAL(state->setup, 0, TRANSACT2_QFSINFO);
> SSVAL(state->param, 0, SMB_QUERY_POSIX_WHOAMI);
>
>- state->max_rdata = 62*1024;
>+ state->max_rdata = posix_whoami_max_rdata;
>
> subreq = cli_trans_send(state, /* mem ctx. */
> ev, /* event ctx. */
>@@ -650,7 +652,7 @@ static void cli_posix_whoami_done(struct tevent_req *subreq)
> * parsing network packets in C.
> */
>
>- if (num_rdata < 40) {
>+ if (num_rdata < 40 || num_rdata > posix_whoami_max_rdata) {
> tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
> return;
> }
>--
>2.25.1
>
>
>From 272693762f53179a43768da545237dc0ebc788cf Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Mon, 3 May 2021 16:24:42 +1200
>Subject: [PATCH 079/686] libsmb: Ensure that whoami parses all the data
> provided to it
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 9b96ebea5c6966b096cf1100a0895a9c41f2aa1d)
>---
> source3/libsmb/clifsinfo.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
>diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
>index 6f3c07a8a7e..f09428bdbcb 100644
>--- a/source3/libsmb/clifsinfo.c
>+++ b/source3/libsmb/clifsinfo.c
>@@ -714,6 +714,13 @@ static void cli_posix_whoami_done(struct tevent_req *subreq)
> p += sid_size;
> num_rdata -= sid_size;
> }
>+
>+ if (num_rdata != 0) {
>+ tevent_req_nterror(req,
>+ NT_STATUS_INVALID_NETWORK_RESPONSE);
>+ return;
>+ }
>+
> tevent_req_done(req);
> }
>
>--
>2.25.1
>
>
>From cf319349ca0028e864bfc3485d080ed8a81ee138 Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Fri, 30 Apr 2021 12:49:24 +1200
>Subject: [PATCH 080/686] pylibsmb: Add posix_whoami()
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>
>[abartlet@samba.org backport from commit
>482559436f12a85adb3409433aac3ab06baa82b1 as the 4.13 backport
>doesn't have ealier pylibsmb changes including
>752a8f870de2bb087802a1287d7fb6c7624ac631
>(s3:pylibsmb: remove unused SECINFO_DEFAULT_FLAGS)]
>---
> source3/libsmb/pylibsmb.c | 138 +++++++++++++++++++++++++++++++++++++-
> 1 file changed, 137 insertions(+), 1 deletion(-)
>
>diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
>index b63101b85a0..7f5a07eac8a 100644
>--- a/source3/libsmb/pylibsmb.c
>+++ b/source3/libsmb/pylibsmb.c
>@@ -42,6 +42,8 @@
> SECINFO_DACL | SECINFO_PROTECTED_DACL | SECINFO_UNPROTECTED_DACL | \
> SECINFO_SACL | SECINFO_PROTECTED_SACL | SECINFO_UNPROTECTED_SACL)
>
>+static PyTypeObject *dom_sid_Type = NULL;
>+
> static PyTypeObject *get_pytype(const char *module, const char *type)
> {
> PyObject *mod;
>@@ -1357,6 +1359,123 @@ static PyObject *py_smb_mkdir(struct py_cli_state *self, PyObject *args)
> Py_RETURN_NONE;
> }
>
>+/*
>+ * Does a whoami call
>+ */
>+static PyObject *py_smb_posix_whoami(struct py_cli_state *self,
>+ PyObject *Py_UNUSED(ignored))
>+{
>+ TALLOC_CTX *frame = talloc_stackframe();
>+ NTSTATUS status;
>+ struct tevent_req *req = NULL;
>+ uint64_t uid;
>+ uint64_t gid;
>+ uint32_t num_gids;
>+ uint64_t *gids = NULL;
>+ uint32_t num_sids;
>+ struct dom_sid *sids = NULL;
>+ bool guest;
>+ PyObject *py_gids = NULL;
>+ PyObject *py_sids = NULL;
>+ PyObject *py_guest = NULL;
>+ PyObject *py_ret = NULL;
>+ Py_ssize_t i;
>+
>+ req = cli_posix_whoami_send(frame, self->ev, self->cli);
>+ if (!py_tevent_req_wait_exc(self, req)) {
>+ goto fail;
>+ }
>+ status = cli_posix_whoami_recv(req,
>+ frame,
>+ &uid,
>+ &gid,
>+ &num_gids,
>+ &gids,
>+ &num_sids,
>+ &sids,
>+ &guest);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ PyErr_SetNTSTATUS(status);
>+ goto fail;
>+ }
>+ if (num_gids > PY_SSIZE_T_MAX) {
>+ PyErr_SetString(PyExc_OverflowError, "posix_whoami: Too many GIDs");
>+ goto fail;
>+ }
>+ if (num_sids > PY_SSIZE_T_MAX) {
>+ PyErr_SetString(PyExc_OverflowError, "posix_whoami: Too many SIDs");
>+ goto fail;
>+ }
>+
>+ py_gids = PyList_New(num_gids);
>+ if (!py_gids) {
>+ goto fail;
>+ }
>+ for (i = 0; i < num_gids; ++i) {
>+ int ret;
>+ PyObject *py_item = PyLong_FromUnsignedLongLong(gids[i]);
>+ if (!py_item) {
>+ goto fail2;
>+ }
>+
>+ ret = PyList_SetItem(py_gids, i, py_item);
>+ if (ret) {
>+ goto fail2;
>+ }
>+ }
>+ py_sids = PyList_New(num_sids);
>+ if (!py_sids) {
>+ goto fail2;
>+ }
>+ for (i = 0; i < num_sids; ++i) {
>+ int ret;
>+ struct dom_sid *sid;
>+ PyObject *py_item;
>+
>+ sid = dom_sid_dup(frame, &sids[i]);
>+ if (!sid) {
>+ PyErr_NoMemory();
>+ goto fail3;
>+ }
>+
>+ py_item = pytalloc_steal(dom_sid_Type, sid);
>+ if (!py_item) {
>+ PyErr_NoMemory();
>+ goto fail3;
>+ }
>+
>+ ret = PyList_SetItem(py_sids, i, py_item);
>+ if (ret) {
>+ goto fail3;
>+ }
>+ }
>+
>+ py_guest = guest ? Py_True : Py_False;
>+
>+ py_ret = Py_BuildValue("KKNNO",
>+ uid,
>+ gid,
>+ py_gids,
>+ py_sids,
>+ py_guest);
>+ if (!py_ret) {
>+ goto fail3;
>+ }
>+
>+ TALLOC_FREE(frame);
>+ return py_ret;
>+
>+fail3:
>+ Py_CLEAR(py_sids);
>+
>+fail2:
>+ Py_CLEAR(py_gids);
>+
>+fail:
>+ TALLOC_FREE(frame);
>+ return NULL;
>+}
>+
> /*
> * Checks existence of a directory
> */
>@@ -1612,6 +1731,8 @@ static PyMethodDef py_cli_state_methods[] = {
> "unlink(path) -> None\n\n \t\tDelete a file." },
> { "mkdir", (PyCFunction)py_smb_mkdir, METH_VARARGS,
> "mkdir(path) -> None\n\n \t\tCreate a directory." },
>+ { "posix_whoami", (PyCFunction)py_smb_posix_whoami, METH_NOARGS,
>+ "posix_whoami() -> (uid, gid, gids, sids, guest)" },
> { "rmdir", (PyCFunction)py_smb_rmdir, METH_VARARGS,
> "rmdir(path) -> None\n\n \t\tDelete a directory." },
> { "chkpath", (PyCFunction)py_smb_chkpath, METH_VARARGS,
>@@ -1664,16 +1785,31 @@ static struct PyModuleDef moduledef = {
> MODULE_INIT_FUNC(libsmb_samba_internal)
> {
> PyObject *m = NULL;
>+ PyObject *mod = NULL;
>
> talloc_stackframe();
>
>+ if (PyType_Ready(&py_cli_state_type) < 0) {
>+ return NULL;
>+ }
>+
> m = PyModule_Create(&moduledef);
> if (m == NULL) {
> return m;
> }
>- if (PyType_Ready(&py_cli_state_type) < 0) {
>+
>+ /* Import dom_sid type from dcerpc.security */
>+ mod = PyImport_ImportModule("samba.dcerpc.security");
>+ if (mod == NULL) {
> return NULL;
> }
>+
>+ dom_sid_Type = (PyTypeObject *)PyObject_GetAttrString(mod, "dom_sid");
>+ if (dom_sid_Type == NULL) {
>+ Py_DECREF(mod);
>+ return NULL;
>+ }
>+
> Py_INCREF(&py_cli_state_type);
> PyModule_AddObject(m, "Conn", (PyObject *)&py_cli_state_type);
>
>--
>2.25.1
>
>
>From 986d9b56eda1da4c309c96afdf1bf3d5addfa203 Mon Sep 17 00:00:00 2001
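Review bot: When `Py_BuildValue("KKNNO", ...)` fails in py_smb_posix_whoami, the jump to `fail3` runs `Py_CLEAR(py_sids)` and `Py_CLEAR(py_gids)` on references that the `N` format has already handed over; CPython normally drops `N` arguments itself on failure, so both lists may be released twice. Passing them with `"KKOOO"` and clearing `py_sids` and `py_gids` on the success path as well keeps ownership in this function. In the SID loop, `PyErr_NoMemory()` after a failed `pytalloc_steal()` may replace an exception that call already set (not visible here).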
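Review bot: The new early returns in module init leak what was already created: once `PyModule_Create()` has succeeded, the `mod == NULL` and `dom_sid_Type == NULL` paths return without releasing `m`, and on the success path `mod` is never released after `dom_sid` has been fetched. Adding `Py_DECREF(m);` before each of those `return NULL;` statements and `Py_DECREF(mod);` right after the `PyObject_GetAttrString()` check would balance the counts. The function continues past the end of the hunk, so later cleanup cannot be judged from here.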
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Fri, 30 Apr 2021 08:58:11 +1200
>Subject: [PATCH 081/686] python: Add SMB credentials cache test
>
>Test that we can use a credentials cache with a user's service ticket
>obtained with our Python code to connect to a service through SMB.
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 78a0b57b51642df07deed8aeb6e39e608fafda60)
>---
> python/samba/tests/krb5/test_smb.py | 108 ++++++++++++++++++++++++++++
> python/samba/tests/usage.py | 1 +
> source4/selftest/tests.py | 1 +
> 3 files changed, 110 insertions(+)
> create mode 100755 python/samba/tests/krb5/test_smb.py
>
>diff --git a/python/samba/tests/krb5/test_smb.py b/python/samba/tests/krb5/test_smb.py
>new file mode 100755
>index 00000000000..0262a37ebb5
>--- /dev/null
>+++ b/python/samba/tests/krb5/test_smb.py
>@@ -0,0 +1,108 @@
>+#!/usr/bin/env python3
>+# Unix SMB/CIFS implementation.
>+# Copyright (C) Stefan Metzmacher 2020
>+# Copyright (C) 2021 Catalyst.Net Ltd
>+#
>+# This program is free software; you can redistribute it and/or modify
>+# it under the terms of the GNU General Public License as published by
>+# the Free Software Foundation; either version 3 of the License, or
>+# (at your option) any later version.
>+#
>+# This program is distributed in the hope that it will be useful,
>+# but WITHOUT ANY WARRANTY; without even the implied warranty of
>+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+# GNU General Public License for more details.
>+#
>+# You should have received a copy of the GNU General Public License
>+# along with this program. If not, see <http://www.gnu.org/licenses/>.
>+#
>+
>+import sys
>+import os
>+
>+from ldb import SCOPE_SUBTREE
>+from samba.dcerpc import security
>+from samba.ndr import ndr_unpack
>+from samba.samba3 import libsmb_samba_internal as libsmb
>+from samba.samba3 import param as s3param
>+
>+from samba.tests.krb5.kdc_base_test import KDCBaseTest
>+
>+sys.path.insert(0, "bin/python")
>+os.environ["PYTHONUNBUFFERED"] = "1"
>+
>+global_asn1_print = False
>+global_hexdump = False
>+
>+
>+class SmbTests(KDCBaseTest):
>+ """Test for SMB authentication using Kerberos credentials stored in a
>+ credentials cache file.
>+ """
>+
>+ def test_smb(self):
>+ # Create a user account and a machine account, along with a Kerberos
>+ # credentials cache file where the service ticket authenticating the
>+ # user are stored.
>+
>+ user_name = "smbusr"
>+ mach_name = self.dns_host_name
>+ service = "cifs"
>+ share = "tmp"
>+
>+ # Create the user account.
>+ (user_credentials, _) = self.create_account(user_name)
>+
>+ # Talk to the KDC to obtain the service ticket, which gets placed into
>+ # the cache. The machine account name has to match the name in the
>+ # ticket, to ensure that the krbtgt ticket doesn't also need to be
>+ # stored.
>+ (creds, cachefile) = self.create_ccache_with_user(user_credentials,
>+ mach_name,
>+ service)
>+
>+ # Set the Kerberos 5 credentials cache environment variable. This is
>+ # required because the codepath that gets run (gse_krb5) looks for it
>+ # in here and not in the credentials object.
>+ krb5_ccname = os.environ.get("KRB5CCNAME", "")
>+ self.addCleanup(os.environ.__setitem__, "KRB5CCNAME", krb5_ccname)
>+ os.environ["KRB5CCNAME"] = "FILE:" + cachefile.name
>+
>+ # Authenticate in-process to the machine account using the user's
>+ # cached credentials.
>+
>+ # Retrieve the user account's SID.
>+ ldb_res = self.ldb.search(scope=SCOPE_SUBTREE,
>+ expression="(sAMAccountName=%s)" % user_name,
>+ attrs=["objectSid"])
>+ self.assertEqual(1, len(ldb_res))
>+ sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0])
>+
>+ # Connect to a share and retrieve the user SID.
>+ s3_lp = s3param.get_context()
>+ s3_lp.load(self.lp.configfile)
>+
>+ min_protocol = s3_lp.get("client min protocol")
>+ self.addCleanup(s3_lp.set, "client min protocol", min_protocol)
>+ s3_lp.set("client min protocol", "NT1")
>+
>+ max_protocol = s3_lp.get("client max protocol")
>+ self.addCleanup(s3_lp.set, "client max protocol", max_protocol)
>+ s3_lp.set("client max protocol", "NT1")
>+
>+ conn = libsmb.Conn(mach_name, share, lp=s3_lp, creds=creds)
>+
>+ (uid, gid, gids, sids, guest) = conn.posix_whoami()
>+
>+ # Ensure that they match.
>+ self.assertEqual(sid, sids[0])
>+
>+ # Remove the cached credentials file.
>+ os.remove(cachefile.name)
>+
>+
>+if __name__ == "__main__":
>+ global_asn1_print = True
>+ global_hexdump = True
>+ import unittest
>+ unittest.main()
>diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
>index c0f8736a4e5..ad13012c9bb 100644
>--- a/python/samba/tests/usage.py
>+++ b/python/samba/tests/usage.py
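Review bot: The credentials cache file is only deleted by the final `os.remove(cachefile.name)` in `test_smb`, so a failed `libsmb.Conn(...)` or a failing `assertEqual` leaves a file holding the user's service ticket on disk. Registering `self.addCleanup(os.remove, cachefile.name)` right after `create_ccache_with_user()` returns would remove it on every path. The test also ignores `guest`; adding `self.assertFalse(guest)` before comparing SIDs would confirm the session was authenticated with the ticket rather than mapped to guest. The `KRB5CCNAME` cleanup restores an originally unset variable as an empty string instead of removing it.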
>@@ -96,6 +96,7 @@ EXCLUDE_USAGE = {
> 'python/samba/tests/krb5/test_ccache.py',
> 'python/samba/tests/krb5/test_ldap.py',
> 'python/samba/tests/krb5/test_rpc.py',
>+ 'python/samba/tests/krb5/test_smb.py',
> 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py',
> }
>
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 84a78860d1d..68a51813e4f 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -726,6 +726,7 @@ planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests")
> planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache")
> planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap")
> planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_rpc")
>+planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb")
>
> for env in ["ad_dc", smbv1_disabled_testenv]:
> planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'], py3_compatible=True)
>--
>2.25.1
>
>
>From 64f74cbf1aeb43864f723a680f14bc5d83c29225 Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Mon, 3 May 2021 14:42:10 +1200
>Subject: [PATCH 082/686] python: Ensure reference counts are properly
> incremented
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 290c1dc0975867a71c02e911708323d1f38b6f96)
>---
> lib/talloc/pytalloc.c | 4 ++--
> libgpo/pygpo.c | 2 +-
> source4/auth/gensec/pygensec.c | 4 ++--
> source4/librpc/ndr/py_security.c | 2 +-
> source4/ntvfs/posix/python/pyposix_eadb.c | 2 +-
> source4/ntvfs/posix/python/pyxattr_native.c | 4 ++--
> source4/ntvfs/posix/python/pyxattr_tdb.c | 2 +-
> 7 files changed, 10 insertions(+), 10 deletions(-)
>
>diff --git a/lib/talloc/pytalloc.c b/lib/talloc/pytalloc.c
>index 95dbb297a46..e583c05ea6f 100644
>--- a/lib/talloc/pytalloc.c
>+++ b/lib/talloc/pytalloc.c
>@@ -43,14 +43,14 @@ static PyObject *pytalloc_report_full(PyObject *self, PyObject *args)
> } else {
> talloc_report_full(pytalloc_get_mem_ctx(py_obj), stdout);
> }
>- return Py_None;
>+ Py_RETURN_NONE;
> }
>
> /* enable null tracking */
> static PyObject *pytalloc_enable_null_tracking(PyObject *self)
> {
> talloc_enable_null_tracking();
>- return Py_None;
>+ Py_RETURN_NONE;
> }
>
> /* return the number of talloc blocks */
>diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c
>index b8dfcd5572f..4cfd5720065 100644
>--- a/libgpo/pygpo.c
>+++ b/libgpo/pygpo.c
>@@ -40,7 +40,7 @@ static PyObject* GPO_get_##ATTR(PyObject *self, void *closure) \
> if (gpo_ptr->ATTR) \
> return PyStr_FromString(gpo_ptr->ATTR); \
> else \
>- return Py_None; \
>+ Py_RETURN_NONE; \
> }
> GPO_getter(ds_path)
> GPO_getter(file_sys_path)
>diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c
>index ca60d3bdc5e..9ede11c9d8d 100644
>--- a/source4/auth/gensec/pygensec.c
>+++ b/source4/auth/gensec/pygensec.c
>@@ -414,9 +414,9 @@ static PyObject *py_gensec_have_feature(PyObject *self, PyObject *args)
> return NULL;
>
> if (gensec_have_feature(security, feature)) {
>- return Py_True;
>+ Py_RETURN_TRUE;
> }
>- return Py_False;
>+ Py_RETURN_FALSE;
> }
>
> static PyObject *py_gensec_set_max_update_size(PyObject *self, PyObject *args)
>diff --git a/source4/librpc/ndr/py_security.c b/source4/librpc/ndr/py_security.c
>index 79a9fa5ac11..37c6a57e00e 100644
>--- a/source4/librpc/ndr/py_security.c
>+++ b/source4/librpc/ndr/py_security.c
>@@ -341,7 +341,7 @@ static PyObject *py_descriptor_richcmp(
> break;
> }
>
>- return Py_NotImplemented;
>+ Py_RETURN_NOTIMPLEMENTED;
> }
>
> static void py_descriptor_patch(PyTypeObject *type)
>diff --git a/source4/ntvfs/posix/python/pyposix_eadb.c b/source4/ntvfs/posix/python/pyposix_eadb.c
>index 646498225b3..18e240420a4 100644
>--- a/source4/ntvfs/posix/python/pyposix_eadb.c
>+++ b/source4/ntvfs/posix/python/pyposix_eadb.c
>@@ -31,7 +31,7 @@
>
> static PyObject *py_is_xattr_supported(PyObject *self)
> {
>- return Py_True;
>+ Py_RETURN_TRUE;
> }
>
> static PyObject *py_wrap_setxattr(PyObject *self, PyObject *args)
>diff --git a/source4/ntvfs/posix/python/pyxattr_native.c b/source4/ntvfs/posix/python/pyxattr_native.c
>index b1fa2a208e5..6af48348a4b 100644
>--- a/source4/ntvfs/posix/python/pyxattr_native.c
>+++ b/source4/ntvfs/posix/python/pyxattr_native.c
>@@ -28,9 +28,9 @@
> static PyObject *py_is_xattr_supported(PyObject *self)
> {
> #if !defined(HAVE_XATTR_SUPPORT)
>- return Py_False;
>+ Py_RETURN_FALSE;
> #else
>- return Py_True;
>+ Py_RETURN_TRUE;
> #endif
> }
>
>diff --git a/source4/ntvfs/posix/python/pyxattr_tdb.c b/source4/ntvfs/posix/python/pyxattr_tdb.c
>index f9a1fa5fd80..9e4e73a4049 100644
>--- a/source4/ntvfs/posix/python/pyxattr_tdb.c
>+++ b/source4/ntvfs/posix/python/pyxattr_tdb.c
>@@ -35,7 +35,7 @@
>
> static PyObject *py_is_xattr_supported(PyObject *self)
> {
>- return Py_True;
>+ Py_RETURN_TRUE;
> }
>
> static PyObject *py_wrap_setxattr(PyObject *self, PyObject *args)
>--
>2.25.1
>
>
>From fcc2ae7822450cd5ef7cdb119ccf248c1c1b5c3c Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Mon, 3 May 2021 14:43:04 +1200
>Subject: [PATCH 083/686] python: Fix erroneous increments of reference counts
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 66695f0f94775c4db24fb625fe78ff44d964b5ad)
>---
> source3/passdb/py_passdb.c | 4 ----
> 1 file changed, 4 deletions(-)
>
>diff --git a/source3/passdb/py_passdb.c b/source3/passdb/py_passdb.c
>index 40e3a4e13aa..0b5c720215c 100644
>--- a/source3/passdb/py_passdb.c
>+++ b/source3/passdb/py_passdb.c
>@@ -1915,8 +1915,6 @@ static PyObject *py_pdb_enum_group_mapping(PyObject *self, PyObject *args)
> PyObject *py_gmap_list, *py_group_map;
> int i;
>
>- Py_INCREF(Py_None);
>-
> if (!PyArg_ParseTuple(args, "|O!ii:enum_group_mapping", dom_sid_Type, &py_domain_sid,
> &lsa_sidtype_value, &unix_only)) {
> talloc_free(frame);
>@@ -2604,8 +2602,6 @@ static PyObject *py_pdb_search_aliases(PyObject *self, PyObject *args)
> PyObject *py_domain_sid = Py_None;
> struct dom_sid *domain_sid = NULL;
>
>- Py_INCREF(Py_None);
>-
> if (!PyArg_ParseTuple(args, "|O!:search_aliases", dom_sid_Type, &py_domain_sid)) {
> talloc_free(frame);
> return NULL;
>--
>2.25.1
>
>
>From ac295637596de9c8337d31d8a6c8831a4e774344 Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Mon, 10 May 2021 16:43:03 +1200
>Subject: [PATCH 084/686] python: Fix ticket timestamp conversion when local
> timezone is not UTC
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit b9006f33343ba8bb82ef8ffe1fd90c780961b41e)
>---
> python/samba/tests/krb5/kdc_base_test.py | 23 +++++++++++++++++++----
> 1 file changed, 19 insertions(+), 4 deletions(-)
>
>diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
>index d8193ae9cdc..e345f739e1c 100644
>--- a/python/samba/tests/krb5/kdc_base_test.py
>+++ b/python/samba/tests/krb5/kdc_base_test.py
>@@ -18,7 +18,7 @@
>
> import sys
> import os
>-from datetime import datetime
>+from datetime import datetime, timezone
> import tempfile
>
> sys.path.insert(0, "bin/python")
>@@ -519,11 +519,26 @@ class KDCBaseTest(RawKerberosTest):
> cred.server = sprincipal
> cred.keyblock = keyblock
> cred.authtime = int(datetime.strptime(authtime.decode(),
>- "%Y%m%d%H%M%SZ").timestamp())
>+ "%Y%m%d%H%M%SZ")
>+ .replace(tzinfo=timezone.utc).timestamp())
> cred.starttime = int(datetime.strptime(starttime.decode(),
>- "%Y%m%d%H%M%SZ").timestamp())
>+ "%Y%m%d%H%M%SZ")
>+ .replace(tzinfo=timezone.utc).timestamp())
> cred.endtime = int(datetime.strptime(endtime.decode(),
>- "%Y%m%d%H%M%SZ").timestamp())
>+ "%Y%m%d%H%M%SZ")
>+ .replace(tzinfo=timezone.utc).timestamp())
>+
>+ # Account for clock skew of up to five minutes.
>+ self.assertLess(cred.authtime - 5*60,
>+ datetime.now(timezone.utc).timestamp(),
>+ "Ticket not yet valid - clocks may be out of sync.")
>+ self.assertLess(cred.starttime - 5*60,
>+ datetime.now(timezone.utc).timestamp(),
>+ "Ticket not yet valid - clocks may be out of sync.")
>+ self.assertGreater(cred.endtime - 60*60,
>+ datetime.now(timezone.utc).timestamp(),
>+ "Ticket already expired/about to expire - clocks may be out of sync.")
>+
> cred.renew_till = cred.endtime
> cred.is_skey = 0
> cred.ticket_flags = int(enc_part['flags'], 2)
>--
>2.25.1
>
>
>From f8c88994a2d7a8967fa9cd7ab99d1700b7668a38 Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Mon, 10 May 2021 15:06:06 +1200
>Subject: [PATCH 085/686] python: Make credentials cache test run against
> Windows
>
>Windows, unlike Samba, requires the service principal name to be set
>when requesting a ticket to that service.
>
>Additionally, default_realm from the libdefaults section of krb5.conf
>should be set so that the correct realm is used.
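Review bot: The three new validity assertions use different margins, and only one is explained: the comment covers the five-minute skew on `authtime` and `starttime`, but the `endtime` check subtracts `60*60`, so any ticket with less than an hour left fails this helper. A comment such as `# Require an hour of remaining lifetime so the ticket outlives the test run.` would state the intent, if that is the intent. The repeated `strptime(...).replace(tzinfo=timezone.utc).timestamp()` chain and the three `datetime.now(timezone.utc).timestamp()` calls could be reduced to one small local helper and a single `now` value, so all three checks compare against the same instant. The enclosing method starts and ends outside the hunk.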
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>
>Autobuild-User(master): Jeremy Allison <jra@samba.org>
>Autobuild-Date(master): Wed May 19 02:22:01 UTC 2021 on sn-devel-184
>
>(cherry picked from commit 7791acb074b84ec7b571a81f15b56d33e2214ce9)
>---
> python/samba/tests/krb5/test_ccache.py | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
>diff --git a/python/samba/tests/krb5/test_ccache.py b/python/samba/tests/krb5/test_ccache.py
>index e0998a4c43f..32c9e3cce6b 100755
>--- a/python/samba/tests/krb5/test_ccache.py
>+++ b/python/samba/tests/krb5/test_ccache.py
>@@ -47,13 +47,16 @@ class CcacheTests(KDCBaseTest):
>
> user_name = "ccacheusr"
> mach_name = "ccachemac"
>+ service = "host"
>
> # Create the user account.
> (user_credentials, _) = self.create_account(user_name)
>
> # Create the machine account.
> (mach_credentials, _) = self.create_account(mach_name,
>- machine_account=True)
>+ machine_account=True,
>+ spn="%s/%s" % (service,
>+ mach_name))
>
> # Talk to the KDC to obtain the service ticket, which gets placed into
> # the cache. The machine account name has to match the name in the
>--
>2.25.1
>
>
>From 9adbf463335c5214614212c0fc36ec7df5ac1492 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 9 Apr 2020 21:04:44 +0200
>Subject: [PATCH 086/686] auth/credentials: allow credentials.Credentials to
> act as base class
>
>In tests it's useful to add more details.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 1f413b2b2977687884781ca2399dadf6611ab461)
>---
> auth/credentials/pycredentials.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
>index a58859a70d8..b4239730818 100644
>--- a/auth/credentials/pycredentials.c
>+++ b/auth/credentials/pycredentials.c
>@@ -849,7 +849,7 @@ static struct PyModuleDef moduledef = {
> PyTypeObject PyCredentials = {
> .tp_name = "credentials.Credentials",
> .tp_new = py_creds_new,
>- .tp_flags = Py_TPFLAGS_DEFAULT,
>+ .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
> .tp_methods = py_creds_methods,
> };
>
>--
>2.25.1
>
>
>From 4e0d4a12856ffaa967c7f73d81bff0ae2aad7f63 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 15 Apr 2020 16:50:55 +0200
>Subject: [PATCH 087/686] Rename
> python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
>
>This is a clearer name for the script
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit fef08add9ec324fb0c3902e96c2a91c07646d499)
>---
> .../samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} | 0
> 1 file changed, 0 insertions(+), 0 deletions(-)
> rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} (100%)
>
>diff --git a/python/samba/tests/krb5/rfc4120_pyasn1_regen.sh b/python/samba/tests/krb5/pyasn1_regen.sh
>similarity index 100%
>rename from python/samba/tests/krb5/rfc4120_pyasn1_regen.sh
>rename to python/samba/tests/krb5/pyasn1_regen.sh
>--
>2.25.1
>
>
>From f7dbab94dccd187231e5597146e82969fdd46fbc Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 9 Apr 2020 11:10:11 +0200
>Subject: [PATCH 088/686] tests/krb5/rfc4120.asn1: Improve definitions to allow
> expanded testing
>
>Update and re-generate the ASN.1 to allow an improved testsuite.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit d4492a8aaaf70cbe81af7e6703b4ea9fc1f24162)
>---
> python/samba/tests/krb5/rfc4120.asn1 | 70 ++++++++++-
> python/samba/tests/krb5/rfc4120_pyasn1.py | 134 +++++++++++++++++++++-
> 2 files changed, 199 insertions(+), 5 deletions(-)
>
>diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1
>index 654f9788ca7..d81d06ad6f7 100644
>--- a/python/samba/tests/krb5/rfc4120.asn1
>+++ b/python/samba/tests/krb5/rfc4120.asn1
>@@ -386,14 +386,14 @@ PA-ENC-TS-ENC ::= SEQUENCE {
> }
>
> ETYPE-INFO-ENTRY ::= SEQUENCE {
>- etype [0] Int32,
>+ etype [0] EncryptionType, --Int32 EncryptionType --
> salt [1] OCTET STRING OPTIONAL
> }
>
> ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
>
> ETYPE-INFO2-ENTRY ::= SEQUENCE {
>- etype [0] Int32,
>+ etype [0] EncryptionType, --Int32 EncryptionType --
> salt [1] KerberosString OPTIONAL,
> s2kparams [2] OCTET STRING OPTIONAL
> }
>@@ -425,9 +425,48 @@ PA-S4U2Self ::= SEQUENCE {
> auth [3] KerberosString
> }
>
>+--
>+--
>+-- MS-KILE Start
>+
>+KERB-ERROR-DATA ::= SEQUENCE {
>+ data-type [1] KerbErrorDataType,
>+ data-value [2] OCTET STRING OPTIONAL
>+}
>+
>+KerbErrorDataType ::= INTEGER
>+
>+KERB-PA-PAC-REQUEST ::= SEQUENCE {
>+ include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC.
>+ --If FALSE, and PAC present, remove PAC
>+}
>+
>+KERB-LOCAL ::= OCTET STRING -- Implementation-specific data which MUST be
>+ -- ignored if Kerberos client is not local.
>+
>+KERB-AD-RESTRICTION-ENTRY ::= SEQUENCE {
>+ restriction-type [0] Int32,
>+ restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
>+}
>+
>+PA-SUPPORTED-ENCTYPES ::= Int32 -- Supported Encryption Types Bit Field --
>
>+PACOptionFlags ::= KerberosFlags -- Claims (0)
>+ -- Branch Aware (1)
>+ -- Forward to Full DC (2)
>+ -- Resource Based Constrained Delegation (3)
>+PA-PAC-OPTIONS ::= SEQUENCE {
>+ options [0] PACOptionFlags
>+}
>+-- Note: KerberosFlags ::= BIT STRING (SIZE (32..MAX))
>+-- minimum number of bits shall be sent, but no fewer than 32
>
>+KERB-KEY-LIST-REQ ::= SEQUENCE OF EncryptionType -- Int32 encryption type --
>+KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey
>
>+-- MS-KILE End
>+--
>+--
>
> --
> --
>@@ -504,6 +543,15 @@ KDCOptionsSequence ::= SEQUENCE {
> dummy [0] KDCOptionsValues
> }
>
>+APOptionsValues ::= BIT STRING { -- KerberosFlags
>+ reserved(0),
>+ use-session-key(1),
>+ mutual-required(2)
>+}
>+APOptionsSequence ::= SEQUENCE {
>+ dummy [0] APOptionsValues
>+}
>+
> MessageTypeValues ::= INTEGER {
> krb-as-req(10), -- Request for initial authentication
> krb-as-rep(11), -- Response to KRB_AS_REQ request
>@@ -669,4 +717,22 @@ EncryptionTypeSequence ::= SEQUENCE { > dummy [0] EncryptionTypeValues > } > >+KerbErrorDataTypeValues ::= INTEGER { >+ kERB-AP-ERR-TYPE-SKEW-RECOVERY(2), >+ kERB-ERR-TYPE-EXTENDED(3) >+} >+KerbErrorDataTypeSequence ::= SEQUENCE { >+ dummy [0] KerbErrorDataTypeValues >+} >+ >+PACOptionFlagsValues ::= BIT STRING { -- KerberosFlags >+ claims(0), >+ branch-aware(1), >+ forward-to-full-dc(2), >+ resource-based-constrained-delegation(3) >+} >+PACOptionFlagsSequence ::= SEQUENCE { >+ dummy [0] PACOptionFlagsValues >+} >+ > END >diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py >index 1d89f94adf1..56fe02a68f0 100644 >--- a/python/samba/tests/krb5/rfc4120_pyasn1.py >+++ b/python/samba/tests/krb5/rfc4120_pyasn1.py >@@ -1,5 +1,5 @@ > # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 >-# (last modified on 2020-11-06 11:30:42.476808) >+# (last modified on 2021-06-16 08:54:13.969508) > > # KerberosV5Spec2 > from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful >@@ -175,6 +175,26 @@ AP_REQ.componentType = namedtype.NamedTypes( > ) > > >+class APOptionsValues(univ.BitString): >+ pass >+ >+ >+APOptionsValues.namedValues = namedval.NamedValues( >+ ('reserved', 0), >+ ('use-session-key', 1), >+ ('mutual-required', 2) >+) >+ >+ >+class APOptionsSequence(univ.Sequence): >+ pass >+ >+ >+APOptionsSequence.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('dummy', APOptionsValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) >+) >+ >+ > class PADataType(Int32): > pass 
> >@@ -384,7 +404,7 @@ class ETYPE_INFO_ENTRY(univ.Sequence): > > > ETYPE_INFO_ENTRY.componentType = namedtype.NamedTypes( >- namedtype.NamedType('etype', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('etype', EncryptionType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), > namedtype.OptionalNamedType('salt', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) > ) > >@@ -401,7 +421,7 @@ class ETYPE_INFO2_ENTRY(univ.Sequence): > > > ETYPE_INFO2_ENTRY.componentType = namedtype.NamedTypes( >- namedtype.NamedType('etype', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('etype', EncryptionType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), > namedtype.OptionalNamedType('salt', KerberosString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), > namedtype.OptionalNamedType('s2kparams', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) > ) 
>@@ -636,6 +656,57 @@ KDCOptionsSequence.componentType = namedtype.NamedTypes( > ) > > >+class KERB_AD_RESTRICTION_ENTRY(univ.Sequence): >+ pass >+ >+ >+KERB_AD_RESTRICTION_ENTRY.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('restriction-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), >+ namedtype.NamedType('restriction', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) >+) >+ >+ >+class KerbErrorDataType(univ.Integer): >+ pass >+ >+ >+class KERB_ERROR_DATA(univ.Sequence): >+ pass >+ >+ >+KERB_ERROR_DATA.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('data-type', KerbErrorDataType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), >+ namedtype.OptionalNamedType('data-value', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) >+) >+ >+ >+class KERB_KEY_LIST_REP(univ.SequenceOf): >+ pass >+ >+ >+KERB_KEY_LIST_REP.componentType = EncryptionKey() >+ >+ >+class KERB_KEY_LIST_REQ(univ.SequenceOf): >+ pass >+ >+ >+KERB_KEY_LIST_REQ.componentType = EncryptionType() >+ >+ >+class KERB_LOCAL(univ.OctetString): >+ pass >+ >+ >+class KERB_PA_PAC_REQUEST(univ.Sequence): >+ pass >+ >+ >+KERB_PA_PAC_REQUEST.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('include-pac', univ.Boolean().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) >+) >+ >+ > class KRB_CRED(univ.Sequence): > pass 
> >@@ -710,6 +781,25 @@ KRB_SAFE.componentType = namedtype.NamedTypes( > ) > > >+class KerbErrorDataTypeValues(univ.Integer): >+ pass >+ >+ >+KerbErrorDataTypeValues.namedValues = namedval.NamedValues( >+ ('kERB-AP-ERR-TYPE-SKEW-RECOVERY', 2), >+ ('kERB-ERR-TYPE-EXTENDED', 3) >+) >+ >+ >+class KerbErrorDataTypeSequence(univ.Sequence): >+ pass >+ >+ >+KerbErrorDataTypeSequence.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('dummy', KerbErrorDataTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) >+) >+ >+ > class MessageTypeValues(univ.Integer): > pass > >@@ -781,6 +871,19 @@ PA_ENC_TS_ENC.componentType = namedtype.NamedTypes( > ) > > >+class PACOptionFlags(KerberosFlags): >+ pass >+ >+ >+class PA_PAC_OPTIONS(univ.Sequence): >+ pass >+ >+ >+PA_PAC_OPTIONS.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('options', PACOptionFlags().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) >+) >+ >+ > class PA_S4U2Self(univ.Sequence): > pass > >@@ -793,6 +896,31 @@ PA_S4U2Self.componentType = namedtype.NamedTypes( > ) > > >+class PA_SUPPORTED_ENCTYPES(Int32): >+ pass >+ >+ >+class PACOptionFlagsValues(univ.BitString): >+ pass >+ >+ >+PACOptionFlagsValues.namedValues = namedval.NamedValues( >+ ('claims', 0), >+ ('branch-aware', 1), >+ ('forward-to-full-dc', 2), >+ ('resource-based-constrained-delegation', 3) >+) >+ >+ >+class PACOptionFlagsSequence(univ.Sequence): >+ pass >+ >+ >+PACOptionFlagsSequence.componentType = namedtype.NamedTypes( >+ namedtype.NamedType('dummy', PACOptionFlagsValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) >+) >+ >+ > class PADataTypeValues(univ.Integer): > pass > >-- >2.25.1 > > >From c8853c3e86263c255f829f450065e139df543a20 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 9 Apr 2020 10:55:28 +0200
>Subject: [PATCH 089/686] tests/krb5/raw_testcase.py: Add
> get_{client,server,krbtgt}_creds()
>
>These helpful functions allow us to build the various credentials
>that we will use in validating the KDC responses in this test.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit c3222870b92db7f867557c2896b7bf39915d469a)
>---
> python/samba/tests/krb5/raw_testcase.py | 199 +++++++++++++++++++++---
> python/samba/tests/krb5/simple_tests.py | 6 +-
> 2 files changed, 183 insertions(+), 22 deletions(-)
>
>diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
>index 27ab89ecf99..b28939f0388 100644
>--- a/python/samba/tests/krb5/raw_testcase.py
>+++ b/python/samba/tests/krb5/raw_testcase.py
>@@ -22,10 +22,12 @@ import struct
> import time
> import datetime
> import random
>+import binascii
>
> import samba.tests
> from samba.credentials import Credentials
> from samba.tests import TestCaseInTempDir
>+from samba.dcerpc import security
> import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
> import samba.tests.krb5.kcrypto as kcrypto
>
>@@ -177,6 +179,81 @@ class Krb5EncryptionKey(object):
> }
> return EncryptionKey_obj
>
>+class KerberosCredentials(Credentials):
>+ def __init__(self):
>+ super(KerberosCredentials, self).__init__()
>+ all_enc_types = 0
>+ all_enc_types |= security.KERB_ENCTYPE_RC4_HMAC_MD5
>+ all_enc_types |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>+ all_enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
>+
>+ self.as_supported_enctypes = all_enc_types
>+ self.tgs_supported_enctypes = all_enc_types
>+ self.ap_supported_enctypes = all_enc_types
>+
>+ self.kvno = None
>+ self.forced_keys = {}
>+
>+ self.forced_salt = None
>+ return
>+
>+ def set_as_supported_enctypes(self, value):
>+ self.as_supported_enctypes = int(value)
>+ return
>+
>+ def set_tgs_supported_enctypes(self, value):
>+ self.tgs_supported_enctypes = int(value)
>+ return
>+
>+ def set_ap_supported_enctypes(self, value):
>+ self.ap_supported_enctypes = int(value)
>+ return
>+
>+ def _get_krb5_etypes(self, supported_enctypes):
>+ etypes = ()
>+
>+ if supported_enctypes & security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96:
>+ etypes += (kcrypto.Enctype.AES256,)
>+ if supported_enctypes & security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96:
>+ etypes += (kcrypto.Enctype.AES128,)
>+ if supported_enctypes & security.KERB_ENCTYPE_RC4_HMAC_MD5:
>+ etypes += (kcrypto.Enctype.RC4,)
>+
>+ return etypes
>+
>+ def get_as_krb5_etypes(self):
>+ return self._get_krb5_etypes(self.as_supported_enctypes)
>+
>+ def get_tgs_krb5_etypes(self):
>+ return self._get_krb5_etypes(self.tgs_supported_enctypes)
>+
>+ def get_ap_krb5_etypes(self):
>+ return self._get_krb5_etypes(self.ap_supported_enctypes)
>+
>+ def set_kvno(self, kvno):
>+ self.kvno = kvno
>+
>+ def get_kvno(self):
>+ return self.kvno
>+
>+ def set_forced_key(self, etype, hexkey):
>+ etype = int(etype)
>+ contents = binascii.a2b_hex(hexkey)
>+ key = kcrypto.Key(etype, contents)
>+ self.forced_keys[etype] = Krb5EncryptionKey(key, self.kvno)
>+
>+ def get_forced_key(self, etype):
>+ etype = int(etype)
>+ if etype in self.forced_keys:
>+ return self.forced_keys[etype]
>+ return None
>+
>+ def set_forced_salt(self, salt):
>+ self.forced_salt = bytes(salt)
>+ return
>+
>+ def get_forced_salt(self):
>+ return self.forced_salt
>
> class RawKerberosTest(TestCaseInTempDir):
> """A raw Kerberos Test case."""
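Review bot: `KerberosCredentials.set_forced_salt()` stores `bytes(salt)`, which raises TypeError for a `str` argument on Python 3 and produces that many zero bytes for an `int`, so a text salt fails in the setter and a numeric one silently yields a wrong salt. Accepting both text and bytes would be safer, for example `self.forced_salt = salt.encode('utf-8') if isinstance(salt, str) else bytes(salt)`. In the same class `set_kvno()` stores its argument unconverted while the three `set_*_supported_enctypes()` setters apply `int(value)`. `set_forced_key()` also copies `self.kvno` into the key at call time, so it depends on `set_kvno()` having run first; a one-line comment stating that ordering and the expected type of `kvno` would help.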
>@@ -229,33 +306,113 @@ class RawKerberosTest(TestCaseInTempDir):
> sys.stderr.write("connected[%s]\n" % self.host)
> return
>
>- def get_user_creds(self):
>- c = Credentials()
>+ def _get_krb5_creds(self, prefix,
>+ default_username=None,
>+ allow_missing_password=False,
>+ require_strongest_key=False):
>+ c = KerberosCredentials()
> c.guess()
>- domain = samba.tests.env_get_var_value('DOMAIN')
>- realm = samba.tests.env_get_var_value('REALM')
>- username = samba.tests.env_get_var_value('USERNAME')
>- password = samba.tests.env_get_var_value('PASSWORD')
>- c.set_domain(domain)
>- c.set_realm(realm)
>- c.set_username(username)
>- c.set_password(password)
>- return c
>
>- def get_service_creds(self, allow_missing_password=False):
>- c = Credentials()
>- c.guess()
>- domain = samba.tests.env_get_var_value('DOMAIN')
>- realm = samba.tests.env_get_var_value('REALM')
>- username = samba.tests.env_get_var_value('SERVICE_USERNAME')
>- password = samba.tests.env_get_var_value(
>- 'SERVICE_PASSWORD',
>- allow_missing=allow_missing_password)
>+ def env_get_var(varname, prefix, fallback_default=True, allow_missing=False):
>+ val = None
>+ if prefix is not None:
>+ allow_missing_prefix = allow_missing
>+ if fallback_default:
>+ allow_missing_prefix = True
>+ val = samba.tests.env_get_var_value('%s_%s' % (prefix, varname),
>+ allow_missing=allow_missing_prefix)
>+ else:
>+ fallback_default = True
>+ if val is None and fallback_default:
>+ val = samba.tests.env_get_var_value(varname,
>+ allow_missing=allow_missing)
>+ return val
>+
>+ domain = env_get_var('DOMAIN', prefix)
>+ realm = env_get_var('REALM', prefix)
>+ allow_missing_username = False
>+ if default_username is not None:
>+ allow_missing_username = True
>+ username = env_get_var('USERNAME', prefix,
>+ fallback_default=False,
>+ allow_missing=allow_missing_username)
>+ if username is None:
>+ username = default_username
>+ password = env_get_var('PASSWORD', prefix,
>+ fallback_default=False,
>+ allow_missing=allow_missing_password)
> c.set_domain(domain)
> c.set_realm(realm)
> c.set_username(username)
> if password is not None:
> c.set_password(password)
>+ as_supported_enctypes = env_get_var('AS_SUPPORTED_ENCTYPES',
>+ prefix, allow_missing=True)
>+ if as_supported_enctypes is not None:
>+ c.set_as_supported_enctypes(as_supported_enctypes)
>+ tgs_supported_enctypes = env_get_var('TGS_SUPPORTED_ENCTYPES',
>+ prefix, allow_missing=True)
>+ if tgs_supported_enctypes is not None:
>+ c.set_tgs_supported_enctypes(tgs_supported_enctypes)
>+ ap_supported_enctypes = env_get_var('AP_SUPPORTED_ENCTYPES',
>+ prefix, allow_missing=True)
>+ if ap_supported_enctypes is not None:
>+ c.set_ap_supported_enctypes(ap_supported_enctypes)
>+
>+ if require_strongest_key:
>+ kvno_allow_missing = False
>+ if password is None:
>+ aes256_allow_missing = False
>+ else:
>+ aes256_allow_missing = True
>+ else:
>+ kvno_allow_missing = True
>+ aes256_allow_missing = True
>+ kvno = env_get_var('KVNO', prefix,
>+ fallback_default=False,
>+ allow_missing=kvno_allow_missing)
>+ if kvno is not None:
>+ c.set_kvno(kvno)
>+ aes256_key = env_get_var('AES256_KEY_HEX', prefix,
>+ fallback_default=False,
>+ allow_missing=aes256_allow_missing)
>+ if aes256_key is not None:
>+ c.set_forced_key(kcrypto.Enctype.AES256, aes256_key)
>+ aes128_key = env_get_var('AES128_KEY_HEX', prefix,
>+ fallback_default=False, allow_missing=True)
>+ if aes128_key is not None:
>+ c.set_forced_key(kcrypto.Enctype.AES128, aes128_key)
>+ rc4_key = env_get_var('RC4_KEY_HEX', prefix,
>+ fallback_default=False, allow_missing=True)
>+ if rc4_key is not None:
>+ c.set_forced_key(kcrypto.Enctype.RC4, rc4_key)
>+ return c
>+
>+ def get_user_creds(self, allow_missing_password=False):
>+ c = self._get_krb5_creds(prefix=None,
>+ allow_missing_password=allow_missing_password)
>+ return c
>+
>+ def get_service_creds(self, allow_missing_password=False):
>+ c = self._get_krb5_creds(prefix='SERVICE',
>+ allow_missing_password=allow_missing_password)
>+ return c
>+
>+ def get_client_creds(self, allow_missing_password=False):
>+ c = self._get_krb5_creds(prefix='CLIENT',
>+ allow_missing_password=allow_missing_password)
>+ return c
>+
>+ def get_server_creds(self, allow_missing_password=False):
>+ c = self._get_krb5_creds(prefix='SERVER',
>+ allow_missing_password=allow_missing_password)
>+ return c
>+
>+ def get_krbtgt_creds(self, require_strongest_key=False):
>+ c = self._get_krb5_creds(prefix='KRBTGT',
>+ default_username='krbtgt',
>+ allow_missing_password=True,
>+ require_strongest_key=require_strongest_key)
> return c
>
> def get_anon_creds(self):
>@@ -473,6 +630,8 @@ class RawKerberosTest(TestCaseInTempDir):
> return Krb5EncryptionKey(key, kvno)
>
> def PasswordKey_create(self, etype=None, pwd=None, salt=None, kvno=None):
>+ self.assertIsNotNone(pwd)
>+ self.assertIsNotNone(salt)
> key = kcrypto.string_to_key(etype, pwd, salt)
> return Krb5EncryptionKey(key, kvno)
>
>diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py
>index 889b91a9bf0..2da76a3cf5e 100755
>--- a/python/samba/tests/krb5/simple_tests.py
>+++ b/python/samba/tests/krb5/simple_tests.py
>@@ -44,10 +44,12 @@ class SimpleKerberosTests(RawKerberosTest):
> def test_simple(self):
> user_creds = self.get_user_creds()
> user = user_creds.get_username()
>- realm = user_creds.get_realm()
>+ krbtgt_creds = self.get_krbtgt_creds()
>+ krbtgt_account = krbtgt_creds.get_username()
>+ realm = krbtgt_creds.get_realm()
>
> cname = self.PrincipalName_create(name_type=1, names=[user])
>- sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm])
>+ sname = self.PrincipalName_create(name_type=2, names=[krbtgt_account, realm])
>
> till = self.get_KerberosTime(offset=36000)
>
>--
>2.25.1
>
>
>From 483fd0bfa4002eb436b36601805aed4de0652cc3 Mon Sep 17 00:00:00 2001
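Review bot: In `_get_krb5_creds()` (raw_testcase.py, PATCH 089) the `KVNO` value read from the environment is passed to `c.set_kvno(kvno)` as a string, whereas the enctype setters convert with `int(value)`; the string is then copied into every `Krb5EncryptionKey` that `set_forced_key()` builds. Converting at the boundary with `c.set_kvno(int(kvno))` keeps the type consistent and makes a malformed value fail where it is read. The nested `env_get_var()` would also benefit from a short docstring giving the lookup order: `<PREFIX>_<VAR>` first, then the unprefixed `<VAR>` unless `fallback_default=False`. That matters because USERNAME, PASSWORD, KVNO and the `*_KEY_HEX` variables deliberately do not fall back, which is easy to miss when adding a new prefix.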
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 9 Apr 2020 22:28:32 +0200
>Subject: [PATCH 090/686] tests/krb5/raw_testcase.py: introduce
> STRICT_CHECKING=0 in order to relax the checks in future
>
>We should write tests as strict as possible in order to let them run
>against Windows servers.
>
>But at the same time we want to allow tests to be useful for Samba
>too...
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit dff611976d6a067614e37add99edae214815a68b)
>---
> python/samba/tests/krb5/raw_testcase.py | 5 +++++
> 1 file changed, 5 insertions(+)
>
>diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
>index b28939f0388..333aab70c8e 100644
>--- a/python/samba/tests/krb5/raw_testcase.py
>+++ b/python/samba/tests/krb5/raw_testcase.py
>@@ -263,6 +263,11 @@ class RawKerberosTest(TestCaseInTempDir):
> self.do_asn1_print = False
> self.do_hexdump = False
>
>+ strict_checking = samba.tests.env_get_var_value('STRICT_CHECKING', allow_missing=True)
>+ if strict_checking is None:
>+ strict_checking = '1'
>+ self.strict_checking = bool(int(strict_checking))
>+
> self.host = samba.tests.env_get_var_value('SERVER')
>
> self.s = None
>--
>2.25.1
>
>
>From 3267fe9a5d64ef8cb2a94c51ee1de88a860f66a7 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 15 Apr 2020 13:49:52 +0200
>Subject: [PATCH 091/686] tests/krb5/raw_testcase.py: add assertElement*()
>
>These helper functions make writing subsequent Kerberos test
>clearer.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 61e1b179812e48797146584998afc5bd0168beae)
>---
> python/samba/tests/krb5/raw_testcase.py | 54 +++++++++++++++++++++++++
> 1 file changed, 54 insertions(+)
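Review bot: In the `STRICT_CHECKING` hunk of PATCH 090, `bool(int(strict_checking))` raises ValueError for any non-numeric setting such as `STRICT_CHECKING=false`, so every test aborts in `setUp()` with a message that does not name the variable. Because this switch relaxes response validation, it is worth either failing with an explicit message or adding a comment such as `# STRICT_CHECKING must be an integer; unset means strict (1)`. `setUp()` starts and continues outside the hunk.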
>
>diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
>index 333aab70c8e..eb294a75a95 100644
>--- a/python/samba/tests/krb5/raw_testcase.py
>+++ b/python/samba/tests/krb5/raw_testcase.py
>@@ -605,6 +605,36 @@ class RawKerberosTest(TestCaseInTempDir):
> self.assertIsNotNone(value)
> return
>
>+ def getElementValue(self, obj, elem):
>+ v = None
>+ try:
>+ v = obj[elem]
>+ except KeyError:
>+ pass
>+ return v
>+
>+ def assertElementMissing(self, obj, elem):
>+ v = self.getElementValue(obj, elem)
>+ self.assertIsNone(v)
>+ return
>+
>+ def assertElementPresent(self, obj, elem):
>+ v = self.getElementValue(obj, elem)
>+ self.assertIsNotNone(v)
>+ return
>+
>+ def assertElementEqual(self, obj, elem, value):
>+ v = self.getElementValue(obj, elem)
>+ self.assertIsNotNone(v)
>+ self.assertEqual(v, value)
>+ return
>+
>+ def assertElementEqualUTF8(self, obj, elem, value):
>+ v = self.getElementValue(obj, elem)
>+ self.assertIsNotNone(v)
>+ self.assertEqual(v, bytes(value, 'utf8'))
>+ return
>+
> def assertPrincipalEqual(self, princ1, princ2):
> self.assertEqual(princ1['name-type'], princ2['name-type'])
> self.assertEqual(
>@@ -618,6 +648,30 @@ class RawKerberosTest(TestCaseInTempDir):
> msg="princ1=%s != princ2=%s" % (princ1, princ2))
> return
>
>+ def assertElementEqualPrincipal(self, obj, elem, value):
>+ v = self.getElementValue(obj, elem)
>+ self.assertIsNotNone(v)
>+ v = pyasn1_native_decode(v, asn1Spec=krb5_asn1.PrincipalName())
>+ self.assertPrincipalEqual(v, value)
>+ return
>+
>+ def assertElementKVNO(self, obj, elem, value):
>+ v = self.getElementValue(obj, elem)
>+ if value == "autodetect":
>+ value = v
>+ if value is not None:
>+ self.assertIsNotNone(v)
>+ # The value on the wire should never be 0
>+ self.assertNotEqual(v, 0)
>+ # value == 0 means we don't know the kvno
>+ # but enforce at any value != 0 is present
>+ value = int(value)
>+ if value != 0:
>+ self.assertEqual(v, value)
>+ else:
>+ self.assertIsNone(v)
>+ return
>+
> def get_KerberosTimeWithUsec(self, epoch=None, offset=None):
> if epoch is None:
> epoch = time.time()
>--
>2.25.1
>
>
>From 09fcc3d2cf6b6e28b0bf5de0fb374f85b3fb1fe1 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 15 Apr 2020 17:50:00 +0200
>Subject: [PATCH 092/686] tests/krb5/raw_testcase.py: Allow prettyPrint of more
> RFC-defined values
>
>By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
>we allow the BitString_NamedValues_prettyPrint() routine to show more named values.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 34e079ce9a232a765fb3a2b25441434df35df54c)
>---
> python/samba/tests/krb5/raw_testcase.py | 6 ++++++
> 1 file changed, 6 insertions(+)
>
>diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
>index eb294a75a95..29745fa4089 100644
>--- a/python/samba/tests/krb5/raw_testcase.py
>+++ b/python/samba/tests/krb5/raw_testcase.py
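Review bot: `assertElementKVNO()` (PATCH 091, second hunk) has three modes that can only be found by reading its branches. `value=None` requires the element to be absent, `value=0` requires it to be present and non-zero without comparing it, and `value="autodetect"` takes the expected value from the message itself. In autodetect mode a missing element also passes, because `value` becomes `None` and the `else` branch asserts that `v` is None, so a caller who expects autodetect to imply presence gets no failure. A docstring listing the three modes would make this explicit, and the comment `but enforce at any value != 0 is present` reads better as `but enforce that some value != 0 is present`.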
>@@ -111,6 +111,12 @@ krb5_asn1.KDCOptions.namedValues =\
> krb5_asn1.KDCOptionsValues.namedValues
> krb5_asn1.KDCOptions.prettyPrint =\
> BitString_NamedValues_prettyPrint
>+krb5_asn1.APOptions.prettyPrintNamedValues =\
>+ krb5_asn1.APOptionsValues.namedValues
>+krb5_asn1.APOptions.namedValues =\
>+ krb5_asn1.APOptionsValues.namedValues
>+krb5_asn1.APOptions.prettyPrint =\
>+ BitString_NamedValues_prettyPrint
>
>
> def Integer_NamedValues_prettyPrint(self, scope=0):
>--
>2.25.1
>
>
>From 63aa730c5132275aab132531d8058ecc8a530e84 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 15 Apr 2020 17:57:37 +0200
>Subject: [PATCH 093/686] tests/krb5/raw_testcase.py: Allow prettyPrint of more
> MS-KILE-defined values
>
>By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
>we allow the BitString_NamedValues_prettyPrint() routine to show more named values.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 3abb3b41368666535a216a98c3e7d15a5d498f7e)
>---
> python/samba/tests/krb5/raw_testcase.py | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
>diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
>index 29745fa4089..1ef15db9f8c 100644
>--- a/python/samba/tests/krb5/raw_testcase.py
>+++ b/python/samba/tests/krb5/raw_testcase.py
>@@ -117,6 +117,12 @@ krb5_asn1.APOptions.namedValues =\
> krb5_asn1.APOptionsValues.namedValues
> krb5_asn1.APOptions.prettyPrint =\
> BitString_NamedValues_prettyPrint
>+krb5_asn1.PACOptionFlags.prettyPrintNamedValues =\
>+ krb5_asn1.PACOptionFlagsValues.namedValues
>+krb5_asn1.PACOptionFlags.namedValues =\
>+ krb5_asn1.PACOptionFlagsValues.namedValues
>+krb5_asn1.PACOptionFlags.prettyPrint =\
>+ BitString_NamedValues_prettyPrint
>
>
> def Integer_NamedValues_prettyPrint(self, scope=0):
>@@ -149,6 +155,10 @@ krb5_asn1.ChecksumType.prettyPrintNamedValues =\
> krb5_asn1.ChecksumTypeValues.namedValues
> krb5_asn1.ChecksumType.prettyPrint =\
> Integer_NamedValues_prettyPrint
>+krb5_asn1.KerbErrorDataType.prettyPrintNamedValues =\
>+ krb5_asn1.KerbErrorDataTypeValues.namedValues
>+krb5_asn1.KerbErrorDataType.prettyPrint =\
>+ Integer_NamedValues_prettyPrint
>
>
> class Krb5EncryptionKey(object):
>--
>2.25.1
>
>
>From e0d65be896b4f2b42a52da67ee3e60a7541c5f16 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 21 Apr 2020 14:45:01 +0200
>Subject: [PATCH 094/686] tests/krb5/raw_testcase.py: split
> KDC_REQ_BODY_create() from KDC_REQ_create()
>
>This allows us to reuse body in future and calculate checksums on it.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit b03fcfeb6c005936818ce50d511e9f9cc75aa9fb)
>---
> python/samba/tests/krb5/raw_testcase.py | 81 +++++++------------------
> 1 file changed, 23 insertions(+), 58 deletions(-)
>
>diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
>index 1ef15db9f8c..71a4753717f 100644
>--- a/python/samba/tests/krb5/raw_testcase.py
>+++ b/python/samba/tests/krb5/raw_testcase.py
>@@ -872,19 +872,7 @@ class RawKerberosTest(TestCaseInTempDir):
> def KDC_REQ_create(self,
> msg_type,
> padata,
>- kdc_options,
>- cname,
>- realm,
>- sname,
>- from_time,
>- till_time,
>- renew_time,
>- nonce,
>- etypes,
>- addresses,
>- EncAuthorizationData,
>- EncAuthorizationData_key,
>- additional_tickets,
>+ req_body,
> asn1Spec=None,
> asn1_print=None,
> hexdump=None):
>@@ -897,25 +885,10 @@ class RawKerberosTest(TestCaseInTempDir):
> # req-body [4] KDC-REQ-BODY
> # }
> #
>- KDC_REQ_BODY_obj = self.KDC_REQ_BODY_create(kdc_options,
>- cname,
>- realm,
>- sname,
>- from_time,
>- till_time,
>- renew_time,
>- nonce,
>- etypes,
>- addresses,
>- EncAuthorizationData,
>- EncAuthorizationData_key,
>- additional_tickets,
>- asn1_print=asn1_print,
>- hexdump=hexdump)
> KDC_REQ_obj = {
> 'pvno': 5,
> 'msg-type': msg_type,
>- 'req-body': KDC_REQ_BODY_obj,
>+ 'req-body': req_body,
> }
> if padata is not None:
> KDC_REQ_obj['padata'] = padata
>@@ -974,22 +947,26 @@ class RawKerberosTest(TestCaseInTempDir):
> # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
> # -- NOTE: not empty
> # }
>+ KDC_REQ_BODY_obj = self.KDC_REQ_BODY_create(
>+ kdc_options,
>+ cname,
>+ realm,
>+ sname,
>+ from_time,
>+ till_time,
>+ renew_time,
>+ nonce,
>+ etypes,
>+ addresses,
>+ EncAuthorizationData,
>+ EncAuthorizationData_key,
>+ additional_tickets,
>+ asn1_print=asn1_print,
>+ hexdump=hexdump)
> obj, decoded = self.KDC_REQ_create(
> msg_type=10,
> padata=padata,
>- kdc_options=kdc_options,
>- cname=cname,
>- realm=realm,
>- sname=sname,
>- from_time=from_time,
>- till_time=till_time,
>- renew_time=renew_time,
>- nonce=nonce,
>- etypes=etypes,
>- addresses=addresses,
>- EncAuthorizationData=EncAuthorizationData,
>- EncAuthorizationData_key=EncAuthorizationData_key,
>- additional_tickets=additional_tickets,
>+ req_body=KDC_REQ_BODY_obj,
> asn1Spec=krb5_asn1.AS_REQ(),
> asn1_print=asn1_print,
> hexdump=hexdump)
>@@ -1115,11 +1092,11 @@ class RawKerberosTest(TestCaseInTempDir):
> EncAuthorizationData=EncAuthorizationData,
> EncAuthorizationData_key=EncAuthorizationData_key,
> additional_tickets=additional_tickets)
>- req_body = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(),
>- asn1_print=asn1_print, hexdump=hexdump)
>+ req_body_blob = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(),
>+ asn1_print=asn1_print, hexdump=hexdump)
>
> req_body_checksum = self.Checksum_create(
>- ticket_session_key, 6, req_body, ctype=body_checksum_type)
>+ ticket_session_key, 6, req_body_blob, ctype=body_checksum_type)
>
> subkey_obj = None
> if authenticator_subkey is not None:
>@@ -1158,19 +1135,7 @@ class RawKerberosTest(TestCaseInTempDir):
> obj, decoded = self.KDC_REQ_create(
> msg_type=12,
> padata=padata,
>- kdc_options=kdc_options,
>- cname=None,
>- realm=realm,
>- sname=sname,
>- from_time=from_time,
>- till_time=till_time,
>- renew_time=renew_time,
>- nonce=nonce,
>- etypes=etypes,
>- addresses=addresses,
>- EncAuthorizationData=EncAuthorizationData,
>- EncAuthorizationData_key=EncAuthorizationData_key,
>- additional_tickets=additional_tickets,
>+ req_body=req_body,
> asn1Spec=krb5_asn1.TGS_REQ(),
> asn1_print=asn1_print,
> hexdump=hexdump)
>--
>2.25.1
>
>
>From d1200e1f4784513724cdc72e02778d47b577ed9f Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 16 Apr 2020 10:43:54 +0200
>Subject: [PATCH 095/686] tests/krb5/raw_testcase.py: add
> KERB_PA_PAC_REQUEST_create()
>
>This allows building the pre-authentication data that encodes
>the request for the KDC (or more likely a request not to include)
>the KRB5 PAC in the resulting ticket.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit ee2ac2b8ccafe3e6d560d893a4135a28e393914d)
>---
> python/samba/tests/krb5/raw_testcase.py | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
>diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
>index 71a4753717f..f341911ef53 100644
>--- a/python/samba/tests/krb5/raw_testcase.py
>+++ b/python/samba/tests/krb5/raw_testcase.py
>@@ -799,6 +799,21 @@ class RawKerberosTest(TestCaseInTempDir):
> }
> return PA_ENC_TS_ENC_obj
>
>+ def KERB_PA_PAC_REQUEST_create(self, include_pac, pa_data_create=True):
>+ #KERB-PA-PAC-REQUEST ::= SEQUENCE {
>+ # include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC.
>+ # --If FALSE, and PAC present, remove PAC
>+ #}
>+ KERB_PA_PAC_REQUEST_obj = {
>+ 'include-pac': include_pac,
>+ }
>+ if not pa_data_create:
>+ return KERB_PA_PAC_REQUEST_obj
>+ pa_pac = self.der_encode(KERB_PA_PAC_REQUEST_obj,
>+ asn1Spec=krb5_asn1.KERB_PA_PAC_REQUEST())
>+ pa_data = self.PA_DATA_create(128, pa_pac) # PA-PAC-REQUEST
>+ return pa_data
>+
> def KDC_REQ_BODY_create(self,
> kdc_options,
> cname,
>--
>2.25.1
>
>
>From 18b9bd1717c2ee9fcdf939317cf018ff72586cd5 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 20 Apr 2020 20:02:52 +0200
>Subject: [PATCH 096/686] tests/krb5/raw_testcase.py: add methods to iterate
> over etype permutations
>
>It's often useful to run tests over a lot of input parameter
>permutations.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit e3905035847a5268c1a65366830cc739280ae437)
>---
> python/samba/tests/krb5/raw_testcase.py | 58 +++++++++++++++++++++++++
> 1 file changed, 58 insertions(+)
>
>diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
>index f341911ef53..a002a442d03 100644
>--- a/python/samba/tests/krb5/raw_testcase.py
>+++ b/python/samba/tests/krb5/raw_testcase.py
>@@ -23,6 +23,7 @@ import time
> import datetime
> import random
> import binascii
>+import itertools
>
> import samba.tests
> from samba.credentials import Credentials
>@@ -274,6 +275,63 @@ class KerberosCredentials(Credentials):
> class RawKerberosTest(TestCaseInTempDir):
> """A raw Kerberos Test case."""
>
>+ etypes_to_test = (
>+ { "value": -1111, "name": "dummy", },
>+ { "value": kcrypto.Enctype.AES256, "name": "aes128", },
>+ { "value": kcrypto.Enctype.AES128, "name": "aes256", },
>+ { "value": kcrypto.Enctype.RC4, "name": "rc4", },
>+ )
>+
>+ setup_etype_test_permutations_done = False
>+
>+ @classmethod
>+ def setup_etype_test_permutations(cls):
>+ if cls.setup_etype_test_permutations_done:
>+ return
>+
>+ res = []
>+
>+ num_idxs = len(cls.etypes_to_test)
>+ permutations = []
>+ for num in range(1, num_idxs+1):
>+ chunk = list(itertools.permutations(range(num_idxs), num))
>+ for e in chunk:
>+ el = list(e)
>+ permutations.append(el)
>+
>+ for p in permutations:
>+ name = None
>+ etypes = ()
>+ for idx in p:
>+ n = cls.etypes_to_test[idx]["name"]
>+ if name is None:
>+ name = n
>+ else:
>+ name += "_%s" % n
>+ etypes += (cls.etypes_to_test[idx]["value"],)
>+
>+ r = { "name": name, "etypes": etypes, }
>+ res.append(r)
>+
>+ cls.etype_test_permutations = res
>+ cls.setup_etype_test_permutations_done = True
>+ return
>+
>+ @classmethod
>+ def etype_test_permutation_name_idx(cls):
>+ cls.setup_etype_test_permutations()
>+ res = []
>+ idx = 0
>+ for e in cls.etype_test_permutations:
>+ r = (e['name'], idx)
>+ idx += 1
>+ res.append(r)
>+ return res
>+
>+ def etype_test_permutation_by_idx(self, idx):
>+ e = self.etype_test_permutations[idx]
>+ return (e['name'], e['etypes'])
>+
> def setUp(self):
> super().setUp()
> self.do_asn1_print = False
>--
>2.25.1
>
>
>From 23f8227d6d8a81ebda235a71d4d391f42bc589bb Mon Sep 17 00:00:00 2001
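Review bot: The `name` fields of the two AES entries in `etypes_to_test` (PATCH 096) are swapped: `kcrypto.Enctype.AES256` is labelled `"aes128"` and `kcrypto.Enctype.AES128` is labelled `"aes256"`. Every permutation name built by `setup_etype_test_permutations()` therefore reports the wrong AES key size for the etype list it carries, which is misleading when reading a failing test name. The entries should read `{ "value": kcrypto.Enctype.AES256, "name": "aes256", },` and `{ "value": kcrypto.Enctype.AES128, "name": "aes128", },`. Separately, `etype_test_permutation_by_idx()` reads `self.etype_test_permutations`, which only exists once `setup_etype_test_permutations()` has run; calling `self.setup_etype_test_permutations()` at its top would make it safe on its own.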
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 16 Apr 2020 17:13:35 +0200
>Subject: [PATCH 097/686] tests/krb5/raw_testcase.py: Add
> TicketDecryptionKey_from_creds()
>
>This will allow building test_as_req_enc_timestamp()
>
>It also introduces ways to specify keys in hex formated environment
>variables ${PREFIX}_{AES256,AES128,RC4}_KEY_HEX.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 69ce2a6408f78d41eb865b89726021ad7643b065)
>---
> python/samba/tests/krb5/raw_testcase.py | 29 +++++++++++++++++++++++++
> 1 file changed, 29 insertions(+)
>
>diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
>index a002a442d03..7d0dc9c9609 100644
>--- a/python/samba/tests/krb5/raw_testcase.py
>+++ b/python/samba/tests/krb5/raw_testcase.py
>@@ -784,6 +784,35 @@ class RawKerberosTest(TestCaseInTempDir):
> return self.PasswordKey_create(
> etype=e, pwd=password, salt=salt, kvno=kvno)
>
>+ def TicketDecryptionKey_from_creds(self, creds, etype=None):
>+
>+ if etype is None:
>+ etypes = creds.get_tgs_krb5_etypes()
>+ etype = etypes[0]
>+
>+ forced_key = creds.get_forced_key(etype)
>+ if forced_key is not None:
>+ return forced_key
>+
>+ kvno = creds.get_kvno()
>+
>+ fail_msg = ("%s has no fixed key for etype[%s] kvno[%s] "
>+ "nor a password specified, " % (
>+ creds.get_username(), etype, kvno))
>+
>+ if etype == kcrypto.Enctype.RC4:
>+ nthash = creds.get_nt_hash()
>+ self.assertIsNotNone(nthash, msg=fail_msg)
>+ return self.SessionKey_create(etype=etype, contents=nthash, kvno=kvno)
>+
>+ password = creds.get_password()
>+ self.assertIsNotNone(password, msg=fail_msg)
>+ salt = creds.get_forced_salt()
>+ if salt is None:
>+ salt = bytes("%s%s" % (creds.get_realm(), creds.get_username()),
>+ encoding='utf-8')
>+ return self.PasswordKey_create(etype=etype, pwd=password, salt=salt, kvno=kvno)
>+
> def RandomKey(self, etype):
> e = kcrypto._get_enctype_profile(etype)
> contents = samba.generate_random_bytes(e.keysize)
>--
>2.25.1
>
>
>From a3b6f91e45766e557c712f696c93a9c377c84903 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 21 Apr 2020 11:07:45 +0200
>Subject: [PATCH 098/686] tests/krb5/raw_testcase.py: introduce a
> _generic_kdc_exchange() infrastructure
>
>This will allow us to write tests, which will all cross check almost
>every aspect of the KDC response (including encrypted parts).
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
>(cherry picked from commit 6e2f2adc8e825634780077e24a9e437bdc68155a)
>---
> python/samba/tests/krb5/raw_testcase.py | 634 +++++++++++++++++++
> python/samba/tests/krb5/rfc4120_constants.py | 11 +
> 2 files changed, 645 insertions(+)
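Review bot: In `TicketDecryptionKey_from_creds()` (PATCH 097) the line `etype = etypes[0]` raises IndexError when `creds.get_tgs_krb5_etypes()` returns an empty tuple, which happens if the supported-enctypes mask has none of the three known bits set. A preceding `self.assertGreater(len(etypes), 0, msg="no TGS enctypes configured")` would give a readable failure instead. The fallback salt is built as realm followed by username, which is the usual salt for a user principal; machine accounts in AD typically use a different salt, so a comment telling callers to use `set_forced_salt()` for those would prevent deriving a silently wrong key. `fail_msg` also ends with a dangling `, `.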
>
>diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
>index 7d0dc9c9609..8c8926b0ad2 100644
>--- a/python/samba/tests/krb5/raw_testcase.py
>+++ b/python/samba/tests/krb5/raw_testcase.py
>@@ -30,6 +30,27 @@ from samba.credentials import Credentials
> from samba.tests import TestCaseInTempDir
> from samba.dcerpc import security
> import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
>+from samba.tests.krb5.rfc4120_constants import (
>+ KDC_ERR_ETYPE_NOSUPP,
>+ KDC_ERR_PREAUTH_REQUIRED,
>+ KRB_AS_REP,
>+ KRB_AS_REQ,
>+ KRB_ERROR,
>+ KRB_TGS_REP,
>+ KRB_TGS_REQ,
>+ KU_AS_REP_ENC_PART,
>+ KU_TGS_REP_ENC_PART_SESSION,
>+ KU_TGS_REP_ENC_PART_SUB_KEY,
>+ KU_TGS_REQ_AUTH,
>+ KU_TGS_REQ_AUTH_CKSUM,
>+ KU_TICKET,
>+ PADATA_ENC_TIMESTAMP,
>+ PADATA_ETYPE_INFO,
>+ PADATA_ETYPE_INFO2,
>+ PADATA_KDC_REQ,
>+ PADATA_PK_AS_REQ,
>+ PADATA_PK_AS_REP_19
>+)
> import samba.tests.krb5.kcrypto as kcrypto
>
> from pyasn1.codec.der.decoder import decode as pyasn1_der_decode
>@@ -272,6 +293,24 @@ class KerberosCredentials(Credentials):
> def get_forced_salt(self):
> return self.forced_salt
>
>+class KerberosTicketCreds(object):
>+ def __init__(self, ticket, session_key,
>+ crealm=None, cname=None,
>+ srealm=None, sname=None,
>+ decryption_key=None,
>+ ticket_private=None,
>+ encpart_private=None):
>+ self.ticket = ticket
>+ self.session_key = session_key
>+ self.crealm = crealm
>+ self.cname = cname
>+ self.srealm = srealm
>+ self.sname = sname
>+ self.decryption_key = decryption_key
>+ self.ticket_private = ticket_private
>+ self.encpart_private = encpart_private
>+ return
>+
> class RawKerberosTest(TestCaseInTempDir):
> """A raw Kerberos Test case."""
> >@@ -758,6 +797,12 @@ class RawKerberosTest(TestCaseInTempDir): > (s, _) = self.get_KerberosTimeWithUsec(epoch=epoch, offset=offset) > return s > >+ def get_Nonce(self): >+ nonce_min=0x7f000000 >+ nonce_max=0x7fffffff >+ v = random.randint(nonce_min, nonce_max) >+ return v >+ > def SessionKey_create(self, etype, contents, kvno=None): > key = kcrypto.Key(etype, contents) > return Krb5EncryptionKey(key, kvno) >@@ -1268,3 +1313,592 @@ class RawKerberosTest(TestCaseInTempDir): > pa_s4u2self = self.der_encode( > PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self()) > return self.PA_DATA_create(129, pa_s4u2self) >+ >+ def _generic_kdc_exchange(self, >+ kdc_exchange_dict, # required >+ kdc_options=None, # required >+ cname=None, # optional >+ realm=None, # required >+ sname=None, # optional >+ from_time=None, # optional >+ till_time=None, # required >+ renew_time=None, # optional >+ nonce=None, # required >+ etypes=None, # required >+ addresses=None, # optional >+ EncAuthorizationData=None, # optional >+ EncAuthorizationData_key=None, # optional >+ additional_tickets=None): # optional >+ >+ check_error_fn = kdc_exchange_dict['check_error_fn'] >+ check_rep_fn = kdc_exchange_dict['check_rep_fn'] >+ generate_padata_fn = kdc_exchange_dict['generate_padata_fn'] >+ callback_dict = kdc_exchange_dict['callback_dict'] >+ req_msg_type = kdc_exchange_dict['req_msg_type'] >+ req_asn1Sp