The Samba-Bugzilla – Attachment 17586 Details for
Bug 15197
Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue
[patch]
a test for Samba 4.15 that reproduces the issue
windows-kerberos-login-test-4.15.patch (text/plain), 4.26 KB, created by
Jennifer Sutton
on 2022-10-19 23:47:16 UTC
Description:
a test for Samba 4.15 that reproduces the issue
Creator:
Jennifer Sutton
Created:
2022-10-19 23:47:16 UTC
Size:
4.26 KB
>From 2015578f80a54a26111991fa474a6da1b1bfb5d2 Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Tue, 4 Oct 2022 12:25:08 +1300
>Subject: [PATCH 1/2] tests/krb5: Add test requesting a service ticket expiring
> post-2038
>
>Windows 11 22H2 performs such requests. The test fails with
>KDC_ERR_BAD_INTEGRITY on older Heimdal versions, which are unable to
>verify a checksum over the modified request body.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>---
> python/samba/tests/krb5/kdc_tgs_tests.py | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
>diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
>index e52f46152fa..a4bc48e587a 100755
>--- a/python/samba/tests/krb5/kdc_tgs_tests.py
>+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
>@@ -2099,6 +2099,18 @@ class KdcTgsTests(KDCBaseTest):
> self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED,
> KDC_ERR_C_PRINCIPAL_UNKNOWN))
>
>+ # Test making a TGS request for a ticket expiring post-2038.
>+ def test_tgs_req_future_till(self):
>+ creds = self._get_creds()
>+ tgt = self._get_tgt(creds)
>+
>+ target_creds = self.get_service_creds()
>+ self._tgs_req(
>+ tgt=tgt,
>+ expected_error=0,
>+ target_creds=target_creds,
>+ till='99990913024805Z')
>+
> def _modify_renewable(self, enc_part):
> # Set the renewable flag.
> enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True)
>@@ -2469,6 +2481,7 @@ class KdcTgsTests(KDCBaseTest):
> sname=None,
> srealm=None,
> use_fast=False,
>+ till=None,
> expect_claims=True,
> expect_pac=True,
> expect_pac_attrs=None,
>@@ -2580,6 +2593,7 @@ class KdcTgsTests(KDCBaseTest):
> cname=None,
> realm=srealm,
> sname=sname,
>+ till_time=till,
> etypes=etypes,
> additional_tickets=additional_tickets)
> if expected_error:
>--
>2.35.0
>
>
>From 0f56b38fff223859ea48ef5357f47de53e29de14 Mon Sep 17 00:00:00 2001
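Review bot: `test_tgs_req_future_till` only asserts `expected_error=0` for `till='99990913024805Z'`; nothing in the hunk checks that the issued ticket's endtime was capped at the KDC's maximum ticket lifetime rather than granted as requested. A KDC that accepts the request but hands back a year-9999 expiry would pass this test while issuing effectively non-expiring tickets, so the test should also compare the returned endtime with the configured lifetime, unless `_tgs_req` already does that outside the hunk. The same gap applies to `test_future_till` in as_req_tests.py (PATCH 2/2). The literal is repeated in both files; a shared named constant with a comment such as `# far-future till, beyond the 2038 limit of a signed 32-bit time_t` would record why this value was chosen.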
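Review bot: `till_time=till` forwards the new `till=None` default unchanged, so every existing caller of this helper (presumably `_tgs_req`) now passes `till_time=None` to the request builder, and the hunk does not show whether that callee substitutes a default. PATCH 2/2 handles the same case explicitly with `if till is None: till = self.get_KerberosTime(offset=36000)`; if the callee here has no equivalent fallback, the same guard is needed before this call. The new parameter also deserves a one-line comment stating that it is a KerberosTime string and that `None` means the default request lifetime. Both the call and the enclosing method start and end outside the hunk.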
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Thu, 20 Oct 2022 12:36:44 +1300
>Subject: [PATCH 2/2] tests/krb5: Add test requesting a TGT expiring post-2038
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>---
> python/samba/tests/krb5/as_req_tests.py | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
>diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
>index 054a49b64aa..aa4bc2370c4 100755
>--- a/python/samba/tests/krb5/as_req_tests.py
>+++ b/python/samba/tests/krb5/as_req_tests.py
>@@ -42,7 +42,7 @@ global_hexdump = False
>
> class AsReqBaseTest(KDCBaseTest):
> def _run_as_req_enc_timestamp(self, client_creds, sname=None,
>- expected_error=None):
>+ expected_error=None, till=None):
> client_account = client_creds.get_username()
> client_as_etypes = self.get_default_enctypes()
> client_kvno = client_creds.get_kvno()
>@@ -62,7 +62,8 @@ class AsReqBaseTest(KDCBaseTest):
> expected_sname = sname
> expected_salt = client_creds.get_salt()
>
>- till = self.get_KerberosTime(offset=36000)
>+ if till is None:
>+ till = self.get_KerberosTime(offset=36000)
>
> initial_etypes = client_as_etypes
> initial_kdc_options = krb5_asn1.KDCOptions('forwardable')
>@@ -241,6 +242,14 @@ class AsReqKerberosTests(AsReqBaseTest):
> sname=wrong_krbtgt_princ,
> expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
>
>+ # Test that we can make a request for a ticket expiring post-2038.
>+ def test_future_till(self):
>+ client_creds = self.get_client_creds()
>+
>+ self._run_as_req_enc_timestamp(
>+ client_creds,
>+ till='99990913024805Z')
>+
>
> if __name__ == "__main__":
> global_asn1_print = False
>--
>2.35.0
>