From fe693e9148cdd9faf3525289a97373a5989e5416 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 29 Dec 2011 11:46:41 +1100 Subject: s4-torture: Demonstrate handling of the PAC in a custom auth_context This demonstrates how a different function pointer can be supplied to handle the PAC blob, without depending on the provisioned samdb etc. Andrew Bartlett --- source4/torture/rpc/remote_pac.c | 83 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 80 insertions(+), 3 deletions(-) (limited to 'source4/torture') diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index 22fcd73cb4..aca518799d 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -42,6 +42,71 @@ #define TEST_MACHINE_NAME_S2U4SELF_BDC "tests2u4selfbdc" #define TEST_MACHINE_NAME_S2U4SELF_WKSTA "tests2u4selfwk" +/* A helper function which avoids touching the local databases to + * generate the session info, as we just want to verify the PAC + * details, not the full local token */ +static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx, + TALLOC_CTX *mem_ctx_out, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_name, + const struct tsocket_address *remote_address, + uint32_t session_info_flags, + struct auth_session_info **session_info) +{ + NTSTATUS nt_status; + struct auth_user_info_dc *user_info_dc; + struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL; + struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL; + TALLOC_CTX *mem_ctx; + + mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context"); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_srv_sig) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_kdc_sig) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, + *pac_blob, + smb_krb5_context->krb5_context, + &user_info_dc, + pac_srv_sig, + pac_kdc_sig); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return nt_status; + } + + session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + nt_status = auth_generate_session_info(mem_ctx_out, + NULL, + NULL, + user_info_dc, session_info_flags, + session_info); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return nt_status; + } + + if ((*session_info)->torture) { + (*session_info)->torture->pac_srv_sig + = talloc_steal((*session_info)->torture, pac_srv_sig); + (*session_info)->torture->pac_kdc_sig + = talloc_steal((*session_info)->torture, pac_kdc_sig); + } + + talloc_free(mem_ctx); + return nt_status; +} + /* Check to see if we can pass the PAC across to the NETLOGON server for validation */ /* Also happens to be a really good one-step verfication of our Kerberos stack */ @@ -73,6 +138,7 @@ static bool test_PACVerify(struct torture_context *tctx, enum ndr_err_code ndr_err; + struct auth4_context *auth_context; struct auth_session_info *session_info; struct dcerpc_binding_handle *b = p->binding_handle; @@ -85,6 +151,11 @@ static bool test_PACVerify(struct torture_context *tctx, return false; } + auth_context = talloc_zero(tmp_ctx, struct auth4_context); + torture_assert(tctx, auth_context != NULL, "talloc_new() failed"); + + auth_context->generate_session_info_pac = test_generate_session_info_pac; + status = gensec_client_start(tctx, &gensec_client_context, lpcfg_gensec_settings(tctx, tctx->lp_ctx)); torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed"); @@ -99,7 +170,7 @@ static bool test_PACVerify(struct torture_context *tctx, status = gensec_server_start(tctx, lpcfg_gensec_settings(tctx, tctx->lp_ctx), - NULL, &gensec_server_context); + auth_context, &gensec_server_context); torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed"); status = gensec_set_credentials(gensec_server_context, credentials); @@ -407,6 +478,7 @@ static bool test_S2U4Self(struct torture_context *tctx, struct gensec_security *gensec_client_context; struct gensec_security *gensec_server_context; + struct auth4_context *auth_context; struct auth_session_info *kinit_session_info; struct auth_session_info *s2u4self_session_info; struct auth_user_info_dc *netlogon_user_info_dc; @@ -422,6 +494,11 @@ static bool test_S2U4Self(struct torture_context *tctx, torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed"); + auth_context = talloc_zero(tmp_ctx, struct auth4_context); + torture_assert(tctx, auth_context != NULL, "talloc_new() failed"); + + auth_context->generate_session_info_pac = test_generate_session_info_pac; + /* First, do a normal Kerberos connection */ status = gensec_client_start(tctx, &gensec_client_context, @@ -438,7 +515,7 @@ static bool test_S2U4Self(struct torture_context *tctx, status = gensec_server_start(tctx, lpcfg_gensec_settings(tctx, tctx->lp_ctx), - NULL, &gensec_server_context); + auth_context, &gensec_server_context); torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed"); status = gensec_set_credentials(gensec_server_context, credentials); @@ -495,7 +572,7 @@ static bool test_S2U4Self(struct torture_context *tctx, status = gensec_server_start(tctx, lpcfg_gensec_settings(tctx, tctx->lp_ctx), - NULL, &gensec_server_context); + auth_context, &gensec_server_context); torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed"); status = gensec_set_credentials(gensec_server_context, credentials); -- cgit