From c79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 28 Aug 2008 16:28:47 +1000 Subject: Heimdal provides Kerberos PAC parsing routines. Use them. This uses Heimdal's PAC parsing code in the: - LOCAL-PAC test - gensec_gssapi server - KDC (where is was already used, the support code refactored from here) In addition, the service and KDC checksums are recorded in the struct auth_serversupplied_info, allowing them to be extracted for validation across NETLOGON. Andrew Bartlett (This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e) --- source4/torture/auth/pac.c | 69 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 66 insertions(+), 3 deletions(-) (limited to 'source4/torture/auth/pac.c') diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index 4e51c66950..42901f1eff 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -139,7 +139,7 @@ static bool torture_pac_self_check(struct torture_context *tctx) dump_data(10,tmp_blob.data,tmp_blob.length); - /* Now check that we can read it back */ + /* Now check that we can read it back (using full decode and validate) */ nt_status = kerberos_decode_pac(mem_ctx, lp_iconv_convenience(tctx->lp_ctx), &pac_data, @@ -163,7 +163,31 @@ static bool torture_pac_self_check(struct torture_context *tctx) nt_errstr(nt_status))); } - /* Now check that we can read it back */ + /* Now check we can read it back (using Heimdal's pac parsing) */ + nt_status = kerberos_pac_blob_to_server_info(mem_ctx, + lp_iconv_convenience(tctx->lp_ctx), + tmp_blob, + smb_krb5_context->krb5_context, + &server_info_out); + + if (!dom_sid_equal(server_info->account_sid, + server_info_out->account_sid)) { + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &krbtgt_keyblock); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + krb5_free_principal(smb_krb5_context->krb5_context, + client_principal); + + torture_fail(tctx, + talloc_asprintf(tctx, + "(self test) PAC Decode resulted in *different* domain SID: %s != %s", + dom_sid_string(mem_ctx, server_info->account_sid), + dom_sid_string(mem_ctx, server_info_out->account_sid))); + } + talloc_free(server_info_out); + + /* Now check that we can read it back (yet again) */ nt_status = kerberos_pac_logon_info(mem_ctx, lp_iconv_convenience(tctx->lp_ctx), &logon_info, @@ -196,6 +220,7 @@ static bool torture_pac_self_check(struct torture_context *tctx) krb5_free_principal(smb_krb5_context->krb5_context, client_principal); + /* And make a server info from the samba-parsed PAC */ validation.sam3 = &logon_info->info3; nt_status = make_server_info_netlogon_validation(mem_ctx, "", @@ -403,7 +428,45 @@ static bool torture_pac_saved_check(struct torture_context *tctx) nt_errstr(nt_status))); } - /* Parse the PAC again, for the logon info this time */ + /* Now check we can read it back (using Heimdal's pac parsing) */ + nt_status = kerberos_pac_blob_to_server_info(mem_ctx, + lp_iconv_convenience(tctx->lp_ctx), + tmp_blob, + smb_krb5_context->krb5_context, + &server_info_out); + + if (!NT_STATUS_IS_OK(nt_status)) { + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + krbtgt_keyblock_p); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + krb5_free_principal(smb_krb5_context->krb5_context, client_principal); + + torture_fail(tctx, talloc_asprintf(tctx, + "(saved test) Heimdal PAC decoding failed: %s", + nt_errstr(nt_status))); + } + + if (!pac_file && + !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, + "S-1-5-21-3048156945-3961193616-3706469200-1005"), + server_info_out->account_sid)) { + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + krbtgt_keyblock_p); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + krb5_free_principal(smb_krb5_context->krb5_context, client_principal); + + torture_fail(tctx, + talloc_asprintf(tctx, + "(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s", + "S-1-5-21-3048156945-3961193616-3706469200-1005", + dom_sid_string(mem_ctx, server_info_out->account_sid))); + } + + talloc_free(server_info_out); + + /* Parse the PAC again, for the logon info this time (using Samba4's parsing) */ nt_status = kerberos_pac_logon_info(mem_ctx, lp_iconv_convenience(tctx->lp_ctx), &logon_info, -- cgit