Fc:3ddlZddlZejdddejd<ddlmZmZddlZddlZddl Z ddl Z ddl m Z ddl m Z ddlZddlmZdd lmZdd lmZdd lmZmZmZmZdd lmZmZmZmZmZmZdd l m!Z!m"Z"ddl#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0ddl1m2Z2m3Z3m4Z4ddl5m6Z6ddl7m8Z8m9Z9ddlm:Z:ddl;mZ?ej@ZAddlBmCZCddlDmEcmFcmGZGddlHmIZImJZJmKZKddlLmEcmFcmMZNddlOmPZPmQZQmRZRmSZSmTZTmUZUmVZVmWZWmXZXmYZYmZZZm[Z[m\Z\m]Z]m^Z^m_Z_m`Z`maZadZbdZcGddeKZddS)Nz bin/python1PYTHONUNBUFFERED)datetimetimezone)Enum) namedtuple) SCOPE_BASE)generate_random_password)system_session) Credentials SPECIFIEDDONT_USE_KERBEROSMUST_USE_KERBEROS)drsblobsdrsuapimisckrb5pac krb5ccachesecurity) drs_Replicatedrsuapi_connect) DSDB_SYNTAX_BINARY_DNDS_DOMAIN_FUNCTION_2000DS_DOMAIN_FUNCTION_2008DS_GUID_COMPUTERS_CONTAINER$DS_GUID_DOMAIN_CONTROLLERS_CONTAINERDS_GUID_USERS_CONTAINERUF_WORKSTATION_TRUST_ACCOUNTUF_NO_AUTH_DATA_REQUIREDUF_NORMAL_ACCOUNTUF_NOT_DELEGATEDUF_PARTIAL_SECRETS_ACCOUNTUF_SERVER_TRUST_ACCOUNT)UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION) SEC_CHAN_NULLSEC_CHAN_WKSTA SEC_CHAN_BDC) DCJoinContext)ndr_pack ndr_unpack)net)SamDBdsdb_Dn) delete_force)KerberosCredentialsKerberosTicketCredsRawKerberosTest)AD_IF_RELEVANT AD_WIN2K_PACAES256_CTS_HMAC_SHA1_96ARCFOUR_HMAC_MD5KDC_ERR_PREAUTH_REQUIREDKDC_ERR_TGT_REVOKED KRB_AS_REP KRB_TGS_REP KRB_ERRORKU_AS_REP_ENC_PARTKU_ENC_CHALLENGE_CLIENTKU_PA_ENC_TIMESTAMP KU_TICKET NT_PRINCIPAL NT_SRV_INSTPADATA_ENCRYPTED_CHALLENGEPADATA_ENC_TIMESTAMPPADATA_ETYPE_INFO2FceZdZdZGddeZefdZefdZfdZ dZ dZ d Z d Z d Zd Zd ZdFdZejddddddddf dZdZdZdZdZdGdZdZdFdZdZ dHdZ dIdZdGdZdZddd d!Z d"Z!d#Z" dJd$Z# dJd%Z$ dJd&Z% dKd'Z& dKd(Z' dKd)Z( dKd*Z) dKd+Z*dLd,Z+d-Z,dMd.Z-dMd/Z.dMd0Z/d1Z0d2Z1d3Z2d4Z3d5Z4d6Z5 dNd7Z6 dOd9Z7ddde8dddddddddddddddfd:Z9de8ddddddddf d;Z:e;dZ=d?Z>d@Z?dAZ@dBZAdCZBdDZC dPdEZDxZES)Q KDCBaseTestz Base class for KDC tests. c^eZdZeZeZeZeZdS)KDCBaseTest.AccountTypeN)__name__ __module__ __qualname__objectUSERCOMPUTERSERVERRODC@/usr/lib/python3/dist-packages/samba/tests/krb5/kdc_base_test.py AccountTyperGns:vxx688vxxrQrSc td|_d|_d|_d|_t jdd|_d|_ g|_ i|_ i|_ d|_ g|_dS)N_r)super setUpClass_lp_ldb _rodc_ldb_functional_levelsecrets token_hex account_base account_idaccounts account_cache tkt_cache _rodc_ctx ldb_cleanups)cls __class__s rRrXzKDCBaseTest.setUpClassts  $ &/22555   rQc|jst|jD]2} |j|#tj$rY/wxYwt|jD]}t|j||j|j dt dS)NT)force) rZreversedremodifyldbLdbErrorrar.rdcleanup_old_joinrW tearDownClass)rfcleanupdnrgs rRrozKDCBaseTest.tearDownClasss 8 #C$455  HOOG,,,,|Ds|,, + +SXr**** = $ M * * * 6 6 6 s;A  A cxtt|_t|_dSN)rWsetUpglobal_asn1_print do_asn1_printglobal_hexdump do_hexdump)selfrgs rRrtzKDCBaseTest.setUps'  .(rQcj|j&|t|_|jSrs)rY get_loadparmtyperys rRget_lpzKDCBaseTest.get_lps* 8 !..00DJJNxrQc|jc|}|}t}t d|jz|||t |_|jS)N ldap://%surl session_info credentialslp)rZget_admin_credsr~r r,dc_hostr|rycredsrsessions rR get_samdbzKDCBaseTest.get_samdbsk 9 ((**EB$&&G# dl(B1805')+++DJJO yrQc|jd|}|}t}t d|jz|||dt |_|jS)NrT)rrrram_rodc)r[rr~r r,hostr|rs rRget_rodc_samdbzKDCBaseTest.get_rodc_samdbso > !((**EB$&&G#([49-D6=5:,.15 $7$7$7DJJ ~rQc|}||tjdg}tj||dddd}|S)NserverReferencebasescopeattrsrutf8)get_serverNamesearchrlr Dndecode)rysamdbserverresrqs rR get_server_dnzKDCBaseTest.get_server_dnsm%%''ll!$"3!466VE3q6"34Q7>>vFF G G rQc "|j|}|}|}d}t |j||||dd}|||t|_|jS)NzDefault-First-Site-Name)rrrsite netbios_name targetdirdomain)rdrr~get_new_usernamer(r create_rodcr|)ry admin_credsr rodc_name site_namerodc_ctxs rRget_mock_rodc_ctxzKDCBaseTest.get_mock_rodc_ctxs > !..00KB--//I1I$DL+6(**32;/3,0 222H   X & & &#+DJJ ~rQc|jg|jdtdg} t|ddd}n#t$r t }YnwxYw|t |_|jS)NdomainFunctionalityrr)r\rr intKeyErrorrr|)ryrlrfunctional_levels rRget_domain_functional_levelz'KDCBaseTest.get_domain_functional_levels  ! )#*"#-$9#:<<z-KDCBaseTest.create_account..Ps1HHqAHH\H::HHHHHHrQservicePrincipalNameuserPrincipalName0 pwdLastSet)rT) newpasswordr domain_name force_samr_18rmsDS-KeyVersionNumberrridx)8rSrMrrNrrrrr.r%rLr rr&r#r'failr encodestrr isinstancetupleupdaterarrrr~r+Netrdomain_netbios_nameupper set_password Exceptionr/guess set_realmdomain_dns_name set_domain set_usernameset_workstationset_secure_channel_typeset_dnrlrset_upnset_spncreds_set_enctypesrr get assertEqualrset_kvno)ryrr account_typespnupnadditional_detailsraccount_control add_dollarexpired_passwordforce_nt4_hashguidrqsecure_schannel_type object_classpasswordutf16pwr expected_kvnorrnet_ctxrerrkvnors @rRcreate_accountzKDCBaseTest.create_accounts :t/8882!1!888;.''(@(@(B(BDIIB44 $ UB , 4+0 0 0!L 0 0OO%L $# t/888#??'5$$!1!888#::'3$$ +B33H$,,[99'*"%o"6"6! ## ?**\*22C ?#s## Ijjj66HHHHCHHHHH.1G* + ?+.G' (  ($'GL !  ) NN- . . . R    '  ..00KBgk2dlCCCG..006688F/B77H(00==G $$2>1737%999"     !  $%% DKKMM""" --//5577888 2244::<<=== 8$$$ <((( 4+0 0 0  ! !" % % % %  ! !$ ' ' ' %%&:;;; SVE2&&''' c c &&&ll!$"9!:<<1vzz1qz99     SYY 6 6 6 }%%%r{sJ%% K/K  Kc|}|||}tjtj}tj}tj|_tj||_tj }tj |_ |g|_ d|_ tj}|xjtjzc_||_||_t'|SNr)r get_objectSidrdom_sidSID_BUILTIN_ADMINISTRATORSaceSEC_ADS_CONTROL_ACCESS access_masktrusteeaclSECURITY_ACL_REVISION_ADSrevisionacesnum_aces descriptorr|SEC_DESC_DACL_PRESENT owner_siddaclr))ryrqrsidrrr security_descs rRget_security_descriptorz#KDCBaseTest.get_security_descriptors    ++$X%HII lnn"9&s++ |~~ : E   +-- h<<"+ !  &&&rQc|j|j|jg|_|j|j|jg|_d|jd|j|_d|jdtj ddtj ddtj ddtj ddtj dg|_d|jdtjd|_|}d|d}||_t&t(zt*z|_d|j|_t2j|_d|_t:jt:jzt:j zt:j!zt:j"z|_#|j#t:j$z|_%|&|' |(dS#tR$r*|*|'wxYw)Nz CN=krbtgt_z ,CN=Users,zzCN=RODC Connection (FRS),T)+base_dn config_dn schema_dnnc_list full_nc_listmyname krbtgt_dndomsidrDOMAIN_RID_RODC_DENYrSID_BUILTIN_SERVER_OPERATORSSID_BUILTIN_BACKUP_OPERATORSSID_BUILTIN_ACCOUNT_OPERATORSnever_reveal_sidDOMAIN_RID_RODC_ALLOW reveal_sid get_mysid managedbyrr$r"rntds_dn connection_dnr SEC_CHAN_RODCsecure_channel_typerOrDRSUAPI_DRS_INIT_SYNCDRSUAPI_DRS_PER_SYNCDRSUAPI_DRS_GET_ANCDRSUAPI_DRS_NEVER_SYNCED%DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING replica_flagsDRSUAPI_DRS_CRITICAL_ONLYdomain_replica_flagsbuild_nc_listsrnjoin_add_objectsrrefresh_ldb_connection)ryctxmysidadmin_dns rRrzKDCBaseTest.create_rodcs {CM3=A K FHSZHH3;HH U U UX5R U U U N(K N N N P(M P P P P(M P P P Q(N Q Q Q  S POOh.LOOO #5###  ">"K#L"<#=F EE"&"4$:$9:$89%=>%J K $'#4w7X#X      " " " " "     & & ( ( (  " " "   s ,G4G6c|}|}|d|d}tj}tj|d|_tj|tjd|d< | |dS#tj $r5}|j \}}| |tj |d||} t!} | | | | t'dt)| | } t+j| } t1d|jd| | | | } t+j|j}| ||| t8jd Yd}~dSd}~wwxYw) N:z :SECRETS_ONLYrreplicateSingleObjectz,rootdse_modify: unknown attribute to change!rz ncacn_ip_tcp:z[seal]T)exoprodc)rrget_dsServiceNamerlMessagerrqMessageElementFLAG_MOD_REPLACErkrmargsrERR_UNWILLING_TO_PERFORMassertInr~r rset_machine_accountr,r rGUID get_ntds_GUIDrr invocation_id replicaterDRSUAPI_EXOP_REPL_SECRET)ryrqr rodc_samdbrepl_valmsgerrenumestrr rodc_creds local_samdbdestination_dsa_guidreplsource_dsa_invocation_ids rRreplicate_account_to_rodcz%KDCBaseTest.replicate_account_to_rodcs  ((** --//CC"CCCkmm B'''*'9   #(%(% #$ " &   c " " " " "| & & &JD$   T3#? @ @ @ MMH   B$J   R  * *2 . . .D~7G7G,62???K$(9[-F-F-H-H#I#I  !E!E!E!E!#Z!,.BDDD(,y1D'E'E $ NN23/ ' @ $  & & & & & & & & &5 &sB++G0;D*G++G0c|}|}||||jt j|jdS)Nrcre)rr get_secrets ntds_guidrrVrX)ryrqrrs rRreveal_account_to_mock_rodcz'KDCBaseTest.reveal_account_to_mock_rodcsj  ))++   !)!3%)Yu/B%C%C  E E E E ErQc||tjdg}|dd}|||dSt fd|D}|r%|t||dS| t||dS)NzmsDS-RevealedUsersrrc 3K|]:}ttt|tjV;dS)) syntax_oidN)rr-rrq)rrrs rRrz-KDCBaseTest.check_revealed..sg77#wuc$ii2G I I IIKMM777777rQ) rrrlr r assertFalsesetrTr assertNotIn)ryrqrodc_dnrevealedrrevealed_users revealed_dnsrs @rRcheck_revealedzKDCBaseTest.check_revealed s  ll!$"6!799Q$899  !   X & & & F7777'577777   4 MM#b''< 0 0 0 0 0   SWWl 3 3 3 3 3rQc|}|}t||||j\}}} t j} || _|| _t j } || _ | | _ t j } d| _ d| _d| _| | _d| _d| _d| _d| _t j| _t jt jt jg} t j}d|_| |_t;| |_|| _d| _ d| j!_"d| j!_#|$|d| \} }|%d|j&|j'j(j)}|j'j(j*j+}|%||j |||fS)N)iprri"),r host_dns_namerr~rrDsGetNCChangesRequest8rcreDsReplicaObjectIdentifierrqnaming_contextDsReplicaHighWaterMarktmp_highest_usn reserved_usn highest_usn highwatermarkuptodateness_vectorr@max_object_count max_ndr_sizerZ extended_op%DRSUAPI_ATTID_supplementalCredentialsDRSUAPI_ATTID_unicodePwdDRSUAPI_ATTID_ntPwdHistoryDsPartialAttributeSetversionattidslen num_attidspartial_attribute_setpartial_attribute_set_ex mapping_ctr num_mappingsmappingsDsGetNCChangesr object_count first_objectrK identifier attribute_ctr attributes)ryrrqrcrer dns_hostnamebindhandlerVreqr}hwmrrctrrrs rRrizKDCBaseTest.get_secretss**,, **,, +L,0KKMM,7/3|===vq ,..#7 '?$ :<<+,.."& !!:?246!( = ? ?()%'-$+.v;;($9!'+$'($#' $$VQ443 C,---%,7 %,:E  Z]+++Z++rQc|}||t|tj|tj\}}}|jd}tj |} i} |D]} | j tj kr| || || jjdkr@| jjdj} t%t&j| } | jjD]}|jdkrt1j|j}t%t&j|}|jjD]I}|j}|t>j j!t>j j"fvr|j#$| |<J| j tj%krd| || || jjdkr=| jjdj}|$| t>j j&<||'}|(|| | S)NrhrrzPrimary:Kerberos-Newer-Keys))rrirrrVrWr splitr+rattidrrreplicate_decrypt value_ctr num_valuesvaluesblobr*rsupplementalCredentialsBlobsubpackagesrbinasciia2b_hexdatapackage_PrimaryKerberosBlobrkeyskeytyperrrrvaluehexrrrassertCountEqual)ryrrqexpected_etypesrrrrridr rattrattr_valsplpkgkrb5_new_keys_raw krb5_new_keyskeyrpwds rRget_keyszKDCBaseTest.get_keys[sG**,, '+'7'7  GG!%5+>+>+@+@!A!A%)Y[[ (8(2(2$j* n""$$Q''+&& : :DzWJJJ))$c:::>,11>038 !E!)++7+ @ @Cx#@@@,4,,q00./27C03 D,-  ""7799O ot444 rQcn|0|D]\}}|||dSdSrs)itemsset_forced_key)ryrrenctypers rRcreds_set_keyszKDCBaseTest.creds_set_keyssN   $  3 3 $$Wc2222   3 3rQc|}||tjdg}|ddd}||j}|>|}|d}|dkrttz}t|}|||z}|||z}| || || |dS)NmsDS-SupportedEncryptionTypesrrrrz%kdc default domain supported enctypes)rrget_dnrlr rdefault_etypesr~rc4_bit aes256_sk_bitrset_as_supported_enctypesset_tgs_supported_enctypesset_ap_supported_enctypes)ryr extra_bits remove_bitsrrsupported_enctypesrs rRrzKDCBaseTest.creds_set_enctypess$  ll5<<>>!$"A!BDD!VZZ(GQZOO  %!%!4   %B!#(O!P!P !Q&&%,}%<" !344  ! * ,   " ;, .  ''(:;;; (();<<< ''(:;;;;;rQc:|}tj|}|r|tjz}|r|tjz}|r|tjz}||||| |dSrs) rr/etypes_to_bitsrKERB_ENCTYPE_FAST_SUPPORTEDKERB_ENCTYPE_CLAIMS_SUPPORTED(KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTEDrrr)ryr fast_supportclaims_supportcompound_id_supportrrs rRcreds_set_default_enctypesz&KDCBaseTest.creds_set_default_enctypess 44660?   G ("F F   I ("H H   C A C  ''(:;;; (();<<< ''(:;;;;;rQc|} ||tj|g}nL#tj$r:}|j\}} |tjkr||Yd}~nd}~wwxYw|d} | |} |r| | n| d} t| } | |tj } || _ tj| tj|| |<|| | } |j | || | S)NrrrP)rrrlr rmrRERR_NO_SUCH_OBJECTrrassertIsNotNonelistrrOrqrPrQmsg_diffrerk)ry account_dngroup_dn group_attr expect_attrrrr^numrVorig_msgmembersr]rps rR add_to_groupzKDCBaseTest.add_to_groupsl   ,,H%(^&0\33CC|   XFCc,,, IIcNNNNNNNN  q6,,z**     ) ) ) ) _Gw--z"""kmm,W-0-A-799J..h//   ))) Ss#:B 0A>>Bcx|}||tjdg}|d}|d|t |d}t |d}|||||tj }||_ tj |tj d|d<| ||}|j||||S)Nmemberrrzutf-8)rrrlr rTrrrremoverOrqrPrQrrerrk) ryrrrrrrr]rps rRremove_from_groupzKDCBaseTest.remove_from_groups  ll!$"*--q6 h)))x)**__++G44  j'***z"""kmm*7+.+?+355H ..h//   ))) SrQ)opts use_cachec l|i}idddddddddddddd d d d d d d d d dd dd dd dddd dddd d ddddd d}d|i||}tt|}|r|j|}||S|jdi|}|r ||j|<|S)N name_prefix name_suffixrTrrrallowed_replicationFallowed_replication_mockdenied_replicationdenied_replication_mockrevealed_to_rodcrevealed_to_mock_rodcno_auth_data_requiredrr not_delegateddelegation_to_spn)delegation_from_dntrusted_to_auth_for_delegationr member_ofkerberos_enabledr:idrrrP)rsortedrrbrcreate_account_opts)ryrrr opts_default account_opts cache_keyrs rRget_cached_credszKDCBaseTest.get_cached_credss <D 4 4  $  4  4  !$   "5  '  !%  &u    $U  $U    !$ U! " # $#'.3! $#'#3   : L   &!3!3!5!56677  &**955E  ((88<88  2,1D y ) rQc ||jjurU||||||||n|||}|}|||z}|||z }d}|r |t z}|r |tz}|r |tz}|r d|D}ni}|}|r|pd}|tj z}|t||d<|r||d<|r| |} | |d<|||jjurd|z}| |||||||||| \}!}"d}#|rtjjh}#|||"|#}$||!|$|s| r|}%||%}&||"|&d }'| r||"|s||'||"|&| | r@|}%||%}&||"|&d | s| r|}(t5j||(j})||"|)d }*| r||"| s||*||"|)| | rE|}(t5j||(j})||"|)d |1|D].}+||"t5j||+d d /|r|!t>n|!t@||!!||!S)Nrci|]\}}|| SrPrP)rkvs rR z3KDCBaseTest.create_account_opts..ks;;;1q!;;;rQrzmsDS-AllowedToDelegateToz(msDS-AllowedToActOnBehalfOfOtherIdentityzhost/)rrrrrrrr)rzmsDS-RevealOnDemandGroup)rszmsDS-NeverRevealGrouprF)r)"rSrL assertIsNonerorrr$r!rr/fast_supported_bitsrr"r rrrrrrrrrfrkrvrrlracct_dnrkset_kerberos_staterrr),ryrrrrrrrrrrrrrrrrrrrrrrrr:rrr user_nameuser_account_controlrenctypessecurity_descriptorrrqrrr[rrallowed_cleanupr mock_rodc_dnallowed_mock_cleanuprs, rRrzKDCBaseTest.create_account_opts7s6 4+0 0 0   c " " "   / 0 0 0   0 1 1 1   ; < < < <   ] + + +  ))++  "#i/I  "  $I  ) N $M M  5 $4 4  = $< <  ;;(:;;;GGG%  @}1H +? ?H  7:8}}G3 4  D2CG. /  %"&">">"#$#$ $ > ? ;  @ @ @ # I--//H6%)9::L   b,0G H H H  % 5 5!!"cfUH&=&=x.3"5555  8  $ $%6 7 7 7 7  $ $%6 7 7 7  *  ) )*= > > > rQcx|jt|jz}t|xjdz c_|Sr)r_rr`r|)ryr s rRrzKDCBaseTest.get_new_usernames9%DO(<(<<  T "rQcDfd}d|||}|S)NcDjjS)N)r)rrSrLr}srRcreate_client_accountz;KDCBaseTest.get_client_creds..create_client_accounts ((d6F6K(LL LrQCLIENTprefixallow_missing_passwordallow_missing_keysfallback_creds_fn_get_krb5_creds)ryrrrcs` rRget_client_credszKDCBaseTest.get_client_credssQ M M M M M  8N4F3H ! J JrQcDfd}d|||}|S)NczjjdtjtjzdS)NT)rrrrrrSrMrKERB_ENCTYPE_RC4_HMAC_MD5'KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SKr}srRcreate_mach_accountz7KDCBaseTest.get_mach_creds..create_mach_accountsH((!-6$( : HI) rQMACrr)ryrrr(r s` rRget_mach_credszKDCBaseTest.get_mach_credssL       8N4F3F ! H HrQcDfd}d|||}|S)Nc|jjddtjtjzdS)NT)rrrr$r%r}srRcreate_service_accountz=KDCBaseTest.get_service_creds..create_service_account sK((!-66:$( : HI )   rQSERVICErr)ryrrr-r s` rRget_service_credszKDCBaseTest.get_service_creds sL       8N4F3I ! K KrQcv|r|fd}dd| ||}|S)Nc } } |}||tjdg}|ddd}||tjgd}|dj}t|dd}t}| dd| dd| |t|dd d}t|dd d}|d z|z} || || ||} ||  | j j j |S) NzmsDS-KrbTgtLinkrr)rrmsDS-SecondaryKrbTgtNumberrDOMAIN RODC_KRBTGTREALMrr2rrr)rrrrrlr rqrr/r env_get_varrrrrrrrrkdc_fast_supportkdc_claims_supportkdc_compound_id_support) rr[rrrr,usernamerr  krbtgt_number rodc_kvnorrys rRdownload_rodc_krbtgt_credszEKDCBaseTest.get_rodc_krbtgt_creds..download_rodc_krbtgt_creds%sNN$$E,,..J((44G,,w%(^&7%8::CA01!4I,,y%(^&D&D&DEEC A I3q6"2344H'))E   T--h FF G G G OOD,,WmDD E E E   x ( ( (s1v56q9::DA'C DQ GHHM%+d2I NN9 % % % LL # # #== 22D   t , , ,  + +!2#6$($@ , B B B LrQr4Trrrrequire_strongest_keyr assertTruer)ry require_keysrAr?r s` rRget_rodc_krbtgt_credsz!KDCBaseTest.get_rodc_krbtgt_credsso ! * OOL ) ) )+ + + + + Z  8<8D4D7L3M ! O O rQcv|r|fd}dd| ||}|S)Nc } }|j}|t j||tjddg}|dj}t|j }t}| dd| dd||t|ddd}t|ddd}|dz|z} || || ||} || t(jt(jz} t(jt(jz} || | |S) Nrr2rrr3r4r5r6rr)rr new_krbtgt_dnrrlrr rqr krbtgt_namer/rr8rrrrrrrr$KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96$KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96r'r&r)rrr,rrqr<rr r=r>rrrrys rRcreate_rodc_krbtgt_accountzJKDCBaseTest.get_mock_rodc_krbtgt_creds..create_rodc_krbtgt_account_sNN$$E--//H .I,,CF5)$<$<%(^&=&B&DEECQB8/00H'))E   T--h FF G G G OOD,,WmDD E E E   x ( ( (s1v56q9::DA'C DQ GHHM%+d2I NN9 % % % LL   ==++D   t , , ,"G"GHJ#K#=>K  # #E/90; $ = = =LrQMOCK_RODC_KRBTGTTr@rB)ryrDrArMr s` rRget_mock_rodc_krbtgt_credsz&KDCBaseTest.get_mock_rodc_krbtgt_credsYsp ! * OOL ) ) )% % % % % N  (:8<8D4D7L3M ! O O rQcx|r|fd}ddd| ||}|S)Nc@ }tj}d||fz}|d|zt jddg}|dj}t|dd}t}| dd| d d| |t|ddd}|||| ||} || | j j j |S) N%s-%drrrrr3KRBTGTr5r7)rrDOMAIN_RID_KRBTGTget_domain_sidrrlr rqrr/rr8rrrrrrrrr9r:r;) r krbtgt_rid krbtgt_sidrrqr<rr rrys rRdownload_krbtgt_credsz;KDCBaseTest.get_krbtgt_creds..download_krbtgt_credssNN$$E!3J E$8$8$:$:J#GGJ,,J$;%(^&6&=&?@@CQB3q6"2344H'))E   T--hAA B B B OOD,,Wh?? @ @ @   x ( ( (s1v56q9::D NN4 LL   ==++D   t , , ,  + +!2#6$($@ , B B B LrQrTkrbtgtT)rdefault_usernamerrrArrB)ryrDrArYr s` rRget_krbtgt_credszKDCBaseTest.get_krbtgt_credssr ! * OOL ) ) )" " " " " H  2:8<8D4D7L3H ! J J rQcv|r|fd}dd| ||}|S)Nc }d}d||fz}|d|ztjddg}|dj}t |dd}t}| dd | d d | |t|ddd}| |||dd || ||} ||t$jt$jz} t$j} || | |S) NirRrSrrrrr3DCr5rH)rrVrrlr rqrr/rr8rrrrrrrrrrKrLr'r) rdc_riddc_sidrrqr<rr rrrrys rRdownload_dc_credsz3KDCBaseTest.get_dc_creds..download_dc_credssNN$$EF 4 4 6 6??F,,J$7%(^&6&=&?@@CQB3q6"2344H'))E   T--h== > > > OOD,,Wd;; < < <   x ( ( (s1v56q9::D NN4  ! !(3B3- 0 0 0 LL   ==++D   t , , ,"G"GHJ"JK  # #E/90; $ = = =LrQr_Tr@rB)ryrDrArcr s` rR get_dc_credszKDCBaseTest.get_dc_credsso ! * OOL ) ) )! ! ! ! ! F  8<8D4D7L3D ! F F rQcv|r|fd}dd| ||}|S)Nc }||d jd jdtjddg} dt||dj}t|dd}t}| d d | d d ||t|ddd}|||| ||} ||t(jt(jz}t(j} ||| |S) Nz(|(sAMAccountName=z*)(dNSHostName=z))rr)r expressionrrrrr3rNr5rH)rrrrrl SCOPE_SUBTREErrrqrr/rr8rrrrrrrrrKrLr'r) rrrqr<rr rrrrys rRdownload_server_credsz;KDCBaseTest.get_server_creds..download_server_credssNN$$E,,E$<$<$>$>,I ,I,I;?9,I,I,I%(%6&6&=&? @@C   QC ) ) )QB3q6"2344H'))E   T--hAA B B B OOD,,Wh?? @ @ @   x ( ( (s1v56q9::D NN4 LL   ==++D   t , , ,"G"GHJ"JK  # #E/90; $ = = =LrQrNTr@rB)ryrDrArir s` rRget_server_credszKDCBaseTest.get_server_credsso ! * OOL ) ) )     D  8<8D4D7L3H ! J J rQc|d}||t||||d|dd|dd }||} | S)z?Send a Kerberos AS_REQ, returns the undecoded response 頌offsetNi) padata kdc_optionscnamerealmsname from_time till_time renew_timenonceetypes addressesadditional_tickets)get_KerberosTime AS_REQ_creatersend_recv_transaction) ryrqrsrrrxrorptillrreps rRas_reqzKDCBaseTest.as_reqsy$$E$22  -0-=-=',',',+/+/,0'1(.+/48! : :((-- rQcz||dtj}|D]}|dtkr |d}n|d||tj}|||d|}|S)z/Extract the session key from an AS-REP ze-dataasn1Specz padata-typez padata-valuezexpected to find ETYPE-INFO2r) der_decode krb5_asn1 METHOD_DATArCr ETYPE_INFO2PasswordKey_from_etype_info2get_kvno)ryrr rep_padatapa padata_value etype_info2rs rRget_as_rep_keyzKDCBaseTest.get_as_rep_key3s__ M*,,%..  6 6B- $666!.1 7 II4 5 5 5oo 9#8#:#:&<< //{1~050@0@BB rQc\|||}|||S)z8generate the pa_data data element for an AS-REQ )skew)r"get_enc_timestamp_pa_data_from_key)ryrrrrs rRget_enc_timestamp_pa_dataz%KDCBaseTest.get_enc_timestamp_pa_dataHs2!!%--66s6FFFrQcr||\}}|||}||tj}||t |}||tj}|t|}|SNrmr) get_KerberosTimeWithUsecPA_ENC_TS_ENC_create der_encoder PA_ENC_TS_ENCEncryptedData_creater= EncryptedDataPA_DATA_createrB)ryrrpatimepausecros rRrz.KDCBaseTest.get_enc_timestamp_pa_data_from_keyPs888EE**66::)2I2K2KLL**30CVLL)2I2K2KLL$$%96BB rQcr||\}}|||}||tj}||t |}||tj}|t|}|Sr) rrrrrrr<rrrA)ryclient_challenge_keyrrrros rRget_challenge_pa_dataz!KDCBaseTest.get_challenge_pa_data\s66d6CC**66::*3*A*C*C!EE**+?+B+133*3*A*C*C!EE$$%?%+-- rQc|t|dd} ||tj}n8#t $r+||tj}YnwxYw|S)z< Decrypt and Decode the encrypted data in an AS-REP enc-partcipherr)decryptr;rr EncASRepPartr EncTGSRepPart)ryrrenc_parts rRget_as_rep_enc_datazKDCBaseTest.get_as_rep_enc_datams;;13z?83LMM >9#9#;#;'==HH > > >9#:#<#<'>>HHH >s(A2BBc<||tdS)zE Check that the kdc response was pre-authentication required N)check_error_repr6ryrs rRcheck_pre_authenticationz$KDCBaseTest.check_pre_authentication|s! S":;;;;;rQc>||tdS)z Check that the kdc response is an AS-REP and that the values for: msg-type pvno tkt-pvno kvno match the expected values msg_typeN) check_replyr8rs rRcheck_as_replyzKDCBaseTest.check_as_replys# z22222rQc>||tdS)z Check that the kdc response is an TGS-REP and that the values for: msg-type pvno tkt-pvno kvno match the expected values rN)rr9rs rRcheck_tgs_replyzKDCBaseTest.check_tgs_replys# {33333rQc||||d|d|zt|d}|d|d|zt|dd}|d|d|zd|dvr:t|dd}|d |d zd|zdSdS) Nmsg-type rep = {%s}pvnoticketztkt-vnor rrl)rrr)ryrrrtkt_vnor s rRrzKDCBaseTest.check_replys S!!! Z(L34FGGG3v; D,"4555c(mI.// G\C%7888 S_ $ $s:v.//D   Qz 1<#3E F F F F F % $rQc<||||dtd|zt|tjjr"||d|d|zdS||d|d|zdS)zg Check that the reply is an error message, with the expected error-code specified. rrz error-codeN)rrr:r collectionsabc ContainerrT)ryrexpecteds rRrzKDCBaseTest.check_error_reps S!!! Z)\C5GHHH h  9 : : N MM#l+X|c7I J J J J J   S.,:L M M M M MrQc||j}|\}}t||||}| || }| j}nd}d}|s d}|j}n |j}d}fd}||||||||||||j ||nd||t| | | | }| |d|||}|rd}n|d}|j }||fS)z_Send a TGS-REQ, returns the response and the decrypted and decoded enc-part )crealmrqNc |fSrsrP)_kdc_exchange_dict_callback_dictreq_bodyros rRgenerate_padataz,KDCBaseTest.tgs_req..generate_padatas8# #rQ)expected_crealmexpected_cnameexpected_srealmexpected_snameexpected_error_modeexpected_flagsunexpected_flagsexpected_supported_etypescheck_error_fn check_rep_fncheck_kdc_private_fnticket_decryption_keygenerate_padata_fntgtauthenticator_subkeyrp expect_edata expect_pacto_rodcrqrrrsrxrep_ticket_creds) RandomKeyetyperr0TicketDecryptionKey_from_credstgs_supported_enctypesgeneric_check_kdc_repgeneric_check_kdc_errortgs_exchange_dictgeneric_check_kdc_privater_generic_kdc_exchangeencpart_private)ryrqrsrrrrrxrrorpr service_credsrrrrsubkeyctimecusecrdecryption_keyrrrrkdc_exchange_dictrr ticket_credss ` rRtgs_reqzKDCBaseTest.tgs_reqs **6688!&"%).(-///  $!@@N(5(L % %!N(, %" !N5LL!9NL $ $ $ $ $ !22! ! 3)-&?)%!%!?"0282D$!'K((%!'3*(():/3/4/406 )88  4HH,-?@L#3HH}rQrcf|jdd}|j}||dd}|||||| t| t| ||t|| f }| s|j|}||St tf}|d}ttj |}| t||g}| }| tjj}||}||j|j|||j| | ||j|j|||| | ||}||d||||}|||d}|r|}n|}||}||}|jo| }|jo| }|||d | || ||j|<|S) N name-stringrr`r name_typenames)rrrrrrrrrrrrrp pac_requestr rc4_supportr)rqrrrsrurxrT)service_ticketrexpect_ticket_checksumexpect_full_checksum)rqrs get_usernamerrcrr4r5r KDCOptionsPrincipalName_creater? get_realmrrrrrrrrrrrrrEr\is_tgs_principaltkt_sig_supportfull_sig_support verify_ticket)ryr target_credsservice target_namer~rrrprrrrfreshr  ticket_snamerrrrssrealmrrrrservice_ticket_creds krbtgt_creds krbtgt_key is_tgs_princrrs rRget_service_ticketzKDCBaseTest.get_service_tickets Im,Q/ y  &3355crc:K Wg{ #n"5"5s;K7L7L;&& !  ^'' 22F! (*:;  K).{;;<< ))L18+0F*HH''))#~~go.DEE<<\JJ 22J9" &2&I)-"03!%!?!5##!##3&(():/3/5/43705 )77 S!!!01CD  35577LL0022L88FF ,,U33 "&"6#7*6&6  $ 5!5(4$4  /*.:2H0D  F F F %9y!##rQcj||}n|}|||||t|t||| | t| t| t| |||||f}|s|j|}||S| |} |}t tf}||| d}| O|td| g} |td| g}n| }| |} | d}|r| }n|}||}|j}|d}t#j|}d} |jd)id|d | d | d |d |d t(d| d| d| d| d|d| d| d|d|d|d|d|ddd|ddd|d|d| d |d!|d"|d#|d$|d%|\}!}"||!|"d&}#|||#d'|}$||$}%|%g}&| }'|jd)id|d | d | d |d |d d'd|'d| d|'d|d|d| d| d|d|d|d|d|d|&d|d|$d|d|d| d |d!|d"|d#|d$|d%|\}!}"||!|"d(}(|(|j|<|(S)*N/rrZrlrmz/forwardable,renewable,canonicalize,renewable-okrrqrrrsr~client_as_etypesrrrrrexpected_account_nameexpected_upn_name expected_sid expected_saltrrrrxrorp preauth_keyrr pac_optionsrexpect_pac_attrsexpect_pac_attrs_pac_requestexpect_requester_sidrrpreauth_etype_info2rrrP)rrrcrrget_saltr4r5rrr@rr{rEr\rrrr_test_as_exchanger6rrrrr))ryrrrpclient_accountclient_name_typerrr rrrrsrrrrrrrrrr rrsaltrrqrr~rrrrrrrr ts_enc_padataroexpected_realmrs) rRget_tgtzKDCBaseTest.get_tgtUs  %&II**,,Ik%((#.>*?*?*,=|ZZU(( !113GI  .$$Y//C =OO%%E~~(*:;))4D090D0D*FF =-- 5=u4E.GGE!66%h -F7HHNN#N  !"N$$E$22  35577LL0022L  / / = = '=  *K *;77  !7!7"""%"%"%" " #U " !9 8 ""E"*>""E"!5"#8"7"0/"&"$"*>" .-!""'6o#"$5%"&4'"($ )"*+",#8"7-".$ /"0$ 1"2"z3"4.-5"6*F)E7"8"6!59":$ ;"<G=" > %%c***'(=> 778CA8=8H8HJJ ?? LL !7!7"""%"%"%" " #U " !" "+N"*>"+N"*>"#8"7"0/"&"$"*>" .-!""'6o#"$5%"&6'"($ )"*$ +",#8"7-".$ /"0$ 1"2"z3"4.-5"6*F)E7"8"6!59":$ ;"<G=" > C   ();< $0y!rQcV||}|||d}|}|t|g}|}|}| |} |}|}|j}t tf}|d}ttj |}| |}| tjj}| r| }|durt }|j}d}n d}d}|j}||| ||| | | |||||j||||||d}||||||}| r|||dS||t0|d S) Nr r canonicalizeTrF)rrrrr rrrrrrrrrrrprrrrr)rrrr?rrr4r5rrrrrrrrr7rrrrrrrr9)ry client_credsrrrrrprr expect_errorrr rrrqservice_accountrsrrrrrrrxtarget_decryption_keyrrrrrrs rR_make_tgs_requestzKDCBaseTest._make_tgs_requests#  !)6688N))4D0>0D0DS0I0I*KK(4466))L1@0A*CC''))  !"N$1$H!)+;<  (K).{;;<< $ C C !! $~~go.DEE  6". "d**&9#!9NLL"# !N5L 22+)+)"7/%&?"7)%!%!? 3!5##!'3  *(():/4/4/406 )88  9  &9 : : :4   S+ . . .$%78 8rQPacDataz3account_name account_sid logon_name upn domain_namecd}d}d}d}d}d|D}|D]@}||dtj} d| DD]} ttj| d} | jD]} | jtjkrp| j j j j j }t| j j j j jdzt| j j j j jz}| jtjkr | j j }| jtjkr| j j}| j j}אB||||||S)zKDecode the PAC element contained in the authorization-data element Nc3<K|]}|dtk|VdSzad-typeN)r2rxs rRrz+KDCBaseTest.get_pac_data..Vs=#M#MQy\^-K-KA-K-K-K-K#M#MrQzad-datarc3<K|]}|dtk|VdSr))r3r*s rRrz+KDCBaseTest.get_pac_data..\s0FFQ9)E)Eq)E)E)E)EFFrQr$)rrr2r*rPAC_DATAbuffersr|PAC_TYPE_LOGON_INFOinfoinfo3rrr domain_sidrPAC_TYPE_LOGON_NAMEPAC_TYPE_UPN_DNS_INFOupn_namedns_domain_namer&) ryauthorization_dataruser_sid logon_namerrad_if_relevant_elementsdtbufadpbpacs rR get_pac_datazKDCBaseTest.get_pac_dataLs   #M#M)#M#M#M) ? ?B//9 (@(B(B"DDCGF#FFF ? ? 0"Y-@@: ? ?Cx7#>>>HM/4A%  3 8 CDD!"$' (;(@(D$E$EF!W%@@@%(X%: W%BBB!h/&)h&>  ? ?||       rQc|}|dr |dd}|}|d|d|}||dd|||dd}|t|dd }| |tj }|S) z,Decrypt and decode a service ticket rNr`.@rrr rr) rendswithrlowerrPasswordKey_create get_passwordrr>rr EncTicketPart) ryrrrrrrrrenc_ticket_parts rRdecode_service_ticketz!KDCBaseTest.decode_service_ticketrs!!## ==   9D!!!TT5;;====%++---@%% : w '     : v & (( ;;y&*||?|S)zi Lay out a version 4 on-disk credentials cache, to be read using the FILE: protocol. rrrQrz name-typerrrsrrkeyvaluerauthtime starttimeendtimei,z1Ticket not yet valid - clocks may be out of sync.izCTicket already expired/about to expire - clocks may be out of sync.rLrrUF)dirdelete)@r DELTATIME_TAGkdc_sec_offsetkdc_usec_offsetV4TAGtagfieldV4TAGS further_tagsV4HEADERv4tags PRINCIPALrrcomponent_countrr componentsEncryptionKey_import export_objKEYBLOCKrr ADDRESSEScountAUTHDATArrTicketr CREDENTIALclientrkeyblockget_EpochFromKerberosTimerarbrc assertLessrnowrutc timestamp assertGreater renew_tillis_skeyr ticket_flagsryauthdatar second_ticketCCACHErroptional_header principalcredr)tempfileNamedTemporaryFiletempdirwriteclose)ryrqrrrlv4tagrpr cname_string cprincipalrs sname_string sprincipalrkey_datar}ryr ticket_datararbrcrccacheresult cachefiles rR create_ccachezKDCBaseTest.create_ccaches (**  ! ""  "$$ !$-//!']+ )++ $[1 %(%6%6 "!'?  , w]+ )++ $[1 %(%6%6 "!'?  , ''88>>##&((#I. , (**   &(( oofy7G7I7IoJJ J'LLh77 9%$&&      66x@@ 77 BB55g>>   . X\22<<>>K M M M / X\22<<>>K M M M 4<'1#< 55??AA8 9 9 9 ,  1155"  !  "$$ !0% &!!/DLOOO rQcz|}|}|t|g}||} || |||} |s|| d} ||| j| j } t} | t| |t| || | jt|| | fS)Nr)rrT) exclude_pac)rrrr?rr modified_ticketrrrr r rrr rset_named_ccacherr~) ryuser_credentialsmach_credentialsrrr?r rrrqrrrrs rRcreate_ccache_with_userz#KDCBaseTest.create_ccache_with_usersA %1133  **,,))L1: *==ll+,,((.>185@)BB D))&d)CCF&&ufm'-'=??     !2333 9i000  y~y$++--HHHy!!rQrs)T)NN)FFF)FT)TF)Nr)r) rNrFNTNNN) rNNTFNNNTTF)rNT)FrHrIrJ__doc__rrS classmethodrXrortr~rrrrrrrrLr r"rrfrkrvrirrrrrrrrrr!r*r/rErOr\rdrjrrrrrrrrrrrrr r?rr%rr&r@rJrTrr\r^rr __classcell__)rgs@rRrErEjsd [2    [ &)))))       * & & &    ,8C7GTdd(-eqqqqf'''0)))V/&/&/&bEEE4444*;,;,;,z....`333 '+'+<<<<@16277<<<<<(""""H8##'44444lkkkZ16,0    /4*.*27-1,,0498888v159>2222j'+/40000f#'+0....b#'+0----^**GGGG    "   <<< 3 3 3 4 4 4GGG, N N NAB>BIMGGGGR=CDH6:AEDI R$R$R$R$h&+#l#d&*d#!$ T!%D%) ZZZZz*.+7&*&*t',)-04,0'+T9T9T9T9nj=??G$$$L*   """      fffRGK""""""""""""""""rQrE)esysospathinsertenvironrrrrrr]r_rrrlr sambar samba.authr samba.credentialsr r rr samba.dcerpcrrrrrrsamba.drs_utilsrr samba.dsdbrrrrrrrrr r!r"r#r$samba.dcerpc.miscr%r&r' samba.joinr( samba.ndrr)r*r+ samba.samdbr,r-r&rr'r samba.testsr.samba.tests.krb5.kcryptotestskrb5rsamba.tests.krb5.raw_testcaser/r0r1samba.tests.krb5.rfc4120_pyasn1rfc4120_pyasn1r"samba.tests.krb5.rfc4120_constantsr2r3r4r5r6r7r8r9r:r;r<r=r>r?r@rArBrCrurwrErPrQrRrs4& < !$ ''''''''"""""" ******%%%%%% POOOOOOOOOOOOOOO:::::::: %$$$$$********&&&&&&&&  ,@ $$$$$$************ 433333333333*V"V"V"V"V"/V"V"V"V"V"rQ