The branch, master has been updated
       via  19d9504b1b3 s4:kdc: improve DEBUG messages in samba_wdc_reget_pac2()
       via  84b76270ceb s4:auth: debug make_user_info_dc_pac() failures in kerberos_pac_to_user_info_dc()
       via  879eba2740a s4:torture: check for pac_blob==NULL in test_generate_session_info_pac() functions
       via  12154b981c4 s4:heimdal_build: make version_script optional to HEIMDAL_LIBRARY()
       via  6fc5f22978b kdc: Fix leak
       via  e9caa1edef8 tests/krb5: Update supported enctype checking
       via  775bfc72509 tests/krb5: Add AS-REQ PAC tests
       via  f94bdb41fcc tests/krb5: Check encrypted-pa-data if present
       via  48362a706f8 tests/krb5: Add FAST enc-pa-rep tests
       via  c51805f90c0 tests/krb5: Adjust expected error codes
       via  a107bb8b0d4 tests/krb5: Generate unique UPNs for AS-REQ enterprise tests
       via  492d9f083dc s4:torture: Remove netbios realm and lowercase realm tests
       via  3b26c714d42 s4:torture: Make etype list variables static
      from  493fe1a4315 build: reduce printf() calls in generated build_options.c

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 19d9504b1b34ec7c52eaaf663d5ecf4f05066b6d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 23 22:44:10 2021 +0100

    s4:kdc: improve DEBUG messages in samba_wdc_reget_pac2()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

    Autobuild-User(master): Joseph Sutton <jsut...@samba.org>
    Autobuild-Date(master): Mon Jan 17 20:55:41 UTC 2022 on sn-devel-184

commit 84b76270ceb38cbb0263f415f4089bafa751b3a3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 23 22:53:13 2021 +0100

    s4:auth: debug make_user_info_dc_pac() failures in kerberos_pac_to_user_info_dc()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 879eba2740ac5e5f456b93a3b47e9a6b70355415
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Dec 24 15:21:21 2021 +0100

    s4:torture: check for pac_blob==NULL in test_generate_session_info_pac() functions

    We should return an error instead of crashing for tickets without a PAC.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 12154b981c40d619e4ddb53aceee9f86368a75fb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 23 19:29:06 2021 +0100

    s4:heimdal_build: make version_script optional to HEIMDAL_LIBRARY()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 6fc5f22978bd77e4775856359d116492eccc9be6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 30 16:20:46 2021 +1300

    kdc: Fix leak

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit e9caa1edef846cdea2a719976ee0fd5bd8531048
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 23 15:59:21 2021 +1300

    tests/krb5: Update supported enctype checking

    We now do not expect the claims or compound ID bits to be set unless
    explicitly specified, nor the DES bits.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 775bfc72509bf98f3c637ca22cc5edf0e7fae794
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Dec 29 17:35:09 2021 +1300

    tests/krb5: Add AS-REQ PAC tests

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit f94bdb41fccdb085d8f8f5a1a5e4a56581839e8e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 30 09:45:13 2021 +1300

    tests/krb5: Check encrypted-pa-data if present

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 48362a706f8a6c35a17ecbf625bbf29802143185
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 30 09:42:10 2021 +1300

    tests/krb5: Add FAST enc-pa-rep tests

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c51805f90c09b40236765c9594693fcb66a55715
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 16 14:21:18 2021 +1300

    tests/krb5: Adjust expected error codes

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit a107bb8b0d424bb1f8ee6df34e8f8e81dd499333
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 16 10:18:42 2021 +1300

    tests/krb5: Generate unique UPNs for AS-REQ enterprise tests

    This helps to avoid problems with account creation due to UPN
    uniqueness constraints.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 492d9f083dc23aff2c1fa12e21765861df1c1b38
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Dec 22 16:08:43 2021 +1300

    s4:torture: Remove netbios realm and lowercase realm tests

    Tests for these are already present in
    samba.tests.krb5.as_canonicalization_tests. These tests cause problems
    with an upgraded Heimdal version, and we want to stop supporting
    non-canonical realm names, so this commit removes them.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3b26c714d42fc5e4ab7d4138db987171edda6463
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 16 21:06:55 2021 +1300

    s4:torture: Make etype list variables static

    If they are not made static, these variables end up being used by the
    Kerberos libraries after they have gone out of scope.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/krb5/as_req_tests.py      |  24 ++-
 python/samba/tests/krb5/fast_tests.py        | 227 ++++++++++++++++++++++++++-
 python/samba/tests/krb5/kdc_base_test.py     |  25 ++-
 python/samba/tests/krb5/kdc_tgs_tests.py     |   5 +-
 python/samba/tests/krb5/raw_testcase.py      | 109 ++++++++++---
 python/samba/tests/krb5/rfc4120.asn1         |   4 +-
 python/samba/tests/krb5/rfc4120_constants.py |   3 +
 python/samba/tests/krb5/rfc4120_pyasn1.py    |  17 +-
 selftest/knownfail_heimdal_kdc               |   6 +
 selftest/knownfail_mit_kdc                   |   4 +
 source4/auth/kerberos/kerberos_pac.c         |   8 +-
 source4/heimdal_build/wscript_build          |   7 +-
 source4/kdc/wdc-samba4.c                     |  11 +-
 source4/torture/krb5/kdc-canon-heimdal.c     | 112 ++-----------
 source4/torture/krb5/kdc-heimdal.c           |   8 +-
 source4/torture/rpc/remote_pac.c             |   5 +
 source4/torture/winbind/winbind.c            |   5 +
 17 files changed, 419 insertions(+), 161 deletions(-)

Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 263e77d4812..b52937530e6 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -345,9 +345,10 @@ class AsReqKerberosTests(AsReqBaseTest): expect_edata=False) def test_as_req_enterprise_canon(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.USER, - opts={'upn': 'krb5_enterprise0'}) + opts={'upn': upn}) user_name = client_creds.get_username() realm = client_creds.get_realm() 
@@ -365,9 +366,10 @@ class AsReqKerberosTests(AsReqBaseTest): kdc_options=krb5_asn1.KDCOptions('canonicalize')) def test_as_req_enterprise_canon_case(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.USER, - opts={'upn': 'krb5_enterprise1'}) + opts={'upn': upn}) user_name = client_creds.get_username() realm = client_creds.get_realm().lower() @@ -385,9 +387,10 @@ class AsReqKerberosTests(AsReqBaseTest): kdc_options=krb5_asn1.KDCOptions('canonicalize')) def test_as_req_enterprise_canon_mac(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'upn': 'krb5_enterprise2'}) + opts={'upn': upn}) user_name = client_creds.get_username() realm = client_creds.get_realm() @@ -405,9 +408,10 @@ class AsReqKerberosTests(AsReqBaseTest): kdc_options=krb5_asn1.KDCOptions('canonicalize')) def test_as_req_enterprise_canon_mac_case(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'upn': 'krb5_enterprise3'}) + opts={'upn': upn}) user_name = client_creds.get_username() realm = client_creds.get_realm().lower() @@ -425,9 +429,10 @@ class AsReqKerberosTests(AsReqBaseTest): kdc_options=krb5_asn1.KDCOptions('canonicalize')) def test_as_req_enterprise_no_canon(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.USER, - opts={'upn': 'krb5_enterprise4'}) + opts={'upn': upn}) user_name = client_creds.get_username() realm = client_creds.get_realm() @@ -440,9 +445,10 @@ class AsReqKerberosTests(AsReqBaseTest): kdc_options=0) def test_as_req_enterprise_no_canon_case(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.USER, - opts={'upn': 'krb5_enterprise5'}) + opts={'upn': upn}) user_name = client_creds.get_username() realm = client_creds.get_realm().lower() 
@@ -455,9 +461,10 @@ class AsReqKerberosTests(AsReqBaseTest): kdc_options=0) def test_as_req_enterprise_no_canon_mac(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'upn': 'krb5_enterprise6'}) + opts={'upn': upn}) user_name = client_creds.get_username() realm = client_creds.get_realm() @@ -470,9 +477,10 @@ class AsReqKerberosTests(AsReqBaseTest): kdc_options=0) def test_as_req_enterprise_no_canon_mac_case(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'upn': 'krb5_enterprise7'}) + opts={'upn': upn}) user_name = client_creds.get_username() realm = client_creds.get_realm().lower() diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index 6a6fdfa786e..7e69d6c83df 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -53,6 +53,7 @@ from samba.tests.krb5.rfc4120_constants import ( NT_SRV_INST, PADATA_FX_COOKIE, PADATA_FX_FAST, + PADATA_REQ_ENC_PA_REP, ) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 import samba.tests.krb5.kcrypto as kcrypto 
@@ -112,6 +113,84 @@ class FAST_Tests(KDCBaseTest): } ], client_account=self.AccountType.COMPUTER) + def test_simple_as_req_self_no_auth_data(self): + self._run_test_sequence( + [ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False, + 'as_req_self': True + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_timestamp_padata, + 'as_req_self': True, + 'expect_pac': True + } + ], + client_account=self.AccountType.COMPUTER, + client_opts={'no_auth_data_required': True}) + + def test_simple_as_req_self_pac_request_false(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False, + 'as_req_self': True + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_timestamp_padata, + 'as_req_self': True, + 'pac_request': False, + 'expect_pac': False + } + ], client_account=self.AccountType.COMPUTER) + + def test_simple_as_req_self_pac_request_none(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False, + 'as_req_self': True + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_timestamp_padata, + 'as_req_self': True, + 'pac_request': None, + 'expect_pac': True + } + ], client_account=self.AccountType.COMPUTER) + + def test_simple_as_req_self_pac_request_true(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False, + 'as_req_self': True + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_timestamp_padata, + 'as_req_self': True, + 'pac_request': True, + 'expect_pac': True + } + ], client_account=self.AccountType.COMPUTER) + def 
test_simple_tgs(self): self._run_test_sequence([ { @@ -122,6 +201,35 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_simple_enc_pa_rep(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_pa_rep_timestamp_padata, + 'expected_flags': 'enc-pa-rep' + } + ]) + + # Currently we only send PADATA-REQ-ENC-PA-REP for AS-REQ requests. + def test_simple_tgs_enc_pa_rep(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_tgt_fn': self.get_user_tgt, + 'gen_padata_fn': self.generate_enc_pa_rep_padata, + 'expected_flags': 'enc-pa-rep' + } + ]) + def test_simple_no_sname(self): expected_sname = self.get_krbtgt_sname() @@ -422,6 +530,7 @@ class FAST_Tests(KDCBaseTest): } ]) + # Expected to fail against Windows - Windows does not produce an error. def test_fast_unknown_critical_option(self): self._run_test_sequence([ { @@ -572,6 +681,7 @@ class FAST_Tests(KDCBaseTest): } ]) + # Expected to fail against Windows - Windows does not produce an error. def test_fast_encrypted_challenge_clock_skew(self): # The KDC is supposed to confirm that the timestamp is within its # current clock skew, and return KRB_APP_ERR_SKEW if it is not (RFC6113 @@ -605,7 +715,8 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_AS_REP, - 'expected_error_mode': KDC_ERR_POLICY, + 'expected_error_mode': (KDC_ERR_POLICY, + KDC_ERR_S_PRINCIPAL_UNKNOWN), 'use_fast': True, 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, 'gen_armor_tgt_fn': self.get_user_service_ticket 
@@ -620,7 +731,8 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_AS_REP, - 'expected_error_mode': KDC_ERR_POLICY, + 'expected_error_mode': (KDC_ERR_POLICY, + KDC_ERR_S_PRINCIPAL_UNKNOWN), 'use_fast': True, 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, 'gen_armor_tgt_fn': self.get_mach_service_ticket @@ -637,7 +749,8 @@ class FAST_Tests(KDCBaseTest): self._run_test_sequence([ { 'rep_type': KRB_AS_REP, - 'expected_error_mode': KDC_ERR_POLICY, + 'expected_error_mode': (KDC_ERR_POLICY, + KDC_ERR_S_PRINCIPAL_UNKNOWN), 'use_fast': True, 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, 'gen_armor_tgt_fn': self.get_service_ticket_invalid_checksum @@ -657,7 +770,8 @@ class FAST_Tests(KDCBaseTest): }, { 'rep_type': KRB_AS_REP, - 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'expected_error_mode': (KDC_ERR_PREAUTH_REQUIRED, + KDC_ERR_POLICY), 'use_fast': True, 'gen_padata_fn': self.generate_enc_timestamp_padata, 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, 
@@ -743,6 +857,56 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_fast_enc_pa_rep(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'expected_flags': 'enc-pa-rep' + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_pa_rep_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'expected_flags': 'enc-pa-rep' + } + ]) + + # Currently we only send PADATA-REQ-ENC-PA-REP for AS-REQ requests. + def test_fast_tgs_enc_pa_rep(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'fast_armor': None, + 'gen_padata_fn': self.generate_enc_pa_rep_padata, + 'expected_flags': 'enc-pa-rep' + } + ]) + + # Currently we only send PADATA-REQ-ENC-PA-REP for AS-REQ requests. + def test_fast_tgs_armor_enc_pa_rep(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_padata_fn': self.generate_enc_pa_rep_padata, + 'expected_flags': 'enc-pa-rep' + } + ]) + def test_fast_outer_wrong_realm(self): self._run_test_sequence([ { 
@@ -1295,14 +1459,16 @@ class FAST_Tests(KDCBaseTest): return fast_padata def _run_test_sequence(self, test_sequence, - client_account=KDCBaseTest.AccountType.USER): + client_account=KDCBaseTest.AccountType.USER, + client_opts=None): if self.strict_checking: self.check_kdc_fast_support() kdc_options_default = str(krb5_asn1.KDCOptions('forwardable,' 'canonicalize')) - client_creds = self.get_cached_creds(account_type=client_account) + client_creds = self.get_cached_creds(account_type=client_account, + opts=client_opts) target_creds = self.get_service_creds() krbtgt_creds = self.get_krbtgt_creds() @@ -1478,6 +1644,9 @@ class FAST_Tests(KDCBaseTest): padata): return list(padata), req_body + pac_request = kdc_dict.pop('pac_request', None) + expect_pac = kdc_dict.pop('expect_pac', True) + pac_options = kdc_dict.pop('pac_options', '1') # claims support kdc_options = kdc_dict.pop('kdc_options', kdc_options_default) @@ -1580,7 +1749,8 @@ class FAST_Tests(KDCBaseTest): kdc_options=kdc_options, inner_req=inner_req, outer_req=outer_req, - pac_request=True, + expect_pac=expect_pac, + pac_request=pac_request, pac_options=pac_options, fast_ap_options=fast_ap_options, strict_edata_checking=strict_edata_checking, @@ -1616,7 +1786,8 @@ class FAST_Tests(KDCBaseTest): kdc_options=kdc_options, inner_req=inner_req, outer_req=outer_req, - pac_request=None, + expect_pac=expect_pac, + pac_request=pac_request, pac_options=pac_options, fast_ap_options=fast_ap_options, strict_edata_checking=strict_edata_checking, @@ -1638,6 +1809,14 @@ class FAST_Tests(KDCBaseTest): fast_cookie = None preauth_etype_info2 = None + + # Check whether the ticket contains a PAC. + ticket = kdc_exchange_dict['rep_ticket_creds'] + pac = self.get_ticket_pac(ticket, expect_pac=expect_pac) + if expect_pac: + self.assertIsNotNone(pac) + else: + self.assertIsNone(pac) else: self.check_error_rep(rep, expected_error_mode) 
@@ -1656,6 +1835,38 @@ class FAST_Tests(KDCBaseTest): # Ensure we used all the parameters given to us. self.assertEqual({}, kdc_dict) + def generate_enc_pa_rep_padata(self, + kdc_exchange_dict, + callback_dict, + req_body): + padata = self.PA_DATA_create(PADATA_REQ_ENC_PA_REP, b'') + + return [padata], req_body + + def generate_enc_pa_rep_challenge_padata(self, + kdc_exchange_dict, + callback_dict, + req_body): + padata, req_body = self.generate_enc_challenge_padata(kdc_exchange_dict, + callback_dict, + req_body) + + padata.append(self.PA_DATA_create(PADATA_REQ_ENC_PA_REP, b'')) + + return padata, req_body + + def generate_enc_pa_rep_timestamp_padata(self, + kdc_exchange_dict, + callback_dict, + req_body): + padata, req_body = self.generate_enc_timestamp_padata(kdc_exchange_dict, + callback_dict, + req_body) + + padata.append(self.PA_DATA_create(PADATA_REQ_ENC_PA_REP, b'')) + + return padata, req_body + def generate_fast_armor_auth_data(self): auth_data = self.AuthorizationData_create(AD_FX_FAST_ARMOR, b'') diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index d6cbaac60e0..9c79411d487 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py 
@@ -598,13 +598,21 @@ class KDCBaseTest(RawKerberosTest): creds.set_tgs_supported_enctypes(supported_enctypes) creds.set_ap_supported_enctypes(supported_enctypes) - def creds_set_default_enctypes(self, creds, fast_support=False): + def creds_set_default_enctypes(self, creds, + fast_support=False, + claims_support=False, + compound_id_support=False): default_enctypes = self.get_default_enctypes() supported_enctypes = KerberosCredentials.etypes_to_bits( default_enctypes) if fast_support: - supported_enctypes |= KerberosCredentials.fast_supported_bits + supported_enctypes |= security.KERB_ENCTYPE_FAST_SUPPORTED + if claims_support: + supported_enctypes |= security.KERB_ENCTYPE_CLAIMS_SUPPORTED + if compound_id_support: + supported_enctypes |= ( + security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED) creds.set_as_supported_enctypes(supported_enctypes) creds.set_tgs_supported_enctypes(supported_enctypes) @@ -919,7 +927,11 @@ class KDCBaseTest(RawKerberosTest): # The RODC krbtgt account should support the default enctypes, # although it might not have the msDS-SupportedEncryptionTypes # attribute. - self.creds_set_default_enctypes(creds) + self.creds_set_default_enctypes( + creds, + fast_support=self.kdc_fast_support, + claims_support=self.kdc_claims_support, + compound_id_support=self.kdc_compound_id_support) return creds @@ -1010,8 +1022,11 @@ class KDCBaseTest(RawKerberosTest): # The krbtgt account should support the default enctypes, although # it might not (on Samba) have the msDS-SupportedEncryptionTypes # attribute. - self.creds_set_default_enctypes(creds, - fast_support=self.kdc_fast_support) + self.creds_set_default_enctypes( + creds, + fast_support=self.kdc_fast_support, + claims_support=self.kdc_claims_support, -- Samba Shared Repository
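
Review bot: In python/samba/tests/krb5/as_req_tests.py, all eight test_as_req_enterprise_* hunks feed a freshly generated name (`upn = self.get_new_username()`) into `self.get_cached_creds(..., opts={'upn': upn})`, which looks at odds with using the cached path at all. If the credential cache is keyed on `opts`, a value that is unique per call can never hit, so each test creates another account on every run. Either say in a comment that this is intended, or create the account through an uncached path. The identical two-line change repeated eight times would also read better as one helper that returns enterprise-UPN credentials for a given account type.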
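
Review bot: The comment `# Currently we only send PADATA-REQ-ENC-PA-REP for AS-REQ requests.` above test_simple_tgs_enc_pa_rep, test_fast_tgs_enc_pa_rep and test_fast_tgs_armor_enc_pa_rep in fast_tests.py does not match what those tests do. Each one builds a KRB_TGS_REP exchange with `'gen_padata_fn': self.generate_enc_pa_rep_padata` and asserts `'expected_flags': 'enc-pa-rep'`, so the test client does send the padata in a TGS-REQ. Please reword the comment to say which side "we" refers to and whether these three tests are expected to fail today. The diffstat shows additions to selftest/knownfail_heimdal_kdc and selftest/knownfail_mit_kdc, but those hunks fall outside the 500-line truncation, so the link between the comment and the knownfail entries cannot be checked from this mail.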
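
Review bot: The `expected_error_mode` changes in fast_tests.py at @@ -605, @@ -620, @@ -637 and @@ -657 widen a single expected code to a tuple, for example `(KDC_ERR_POLICY, KDC_ERR_S_PRINCIPAL_UNKNOWN)`, with no comment on which KDC returns which code, and the commit message ("Adjust expected error codes") gives no rationale either. These sequences use a service ticket or a ticket with an invalid checksum as FAST armor, which is exactly where a test should pin down how the request is rejected. Please add a one-line comment per tuple naming the implementation behind each alternative, in the style of the `# Expected to fail against Windows` comments added elsewhere in this file. It is also worth confirming that `self.check_error_rep(rep, expected_error_mode)` and any comparison of `expected_error_mode` against 0 in _run_test_sequence handle a tuple; that code is not in the visible hunks.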
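
Review bot: In _run_test_sequence (fast_tests.py, @@ -1478 together with @@ -1580), the new default `pac_request = kdc_dict.pop('pac_request', None)` replaces a hard-coded `pac_request=True`, which silently changes every existing sequence that reaches that call without setting 'pac_request': those tests no longer send an explicit PAC request. If that is intended, the commit message for "tests/krb5: Add AS-REQ PAC tests" should say so; otherwise keep the previous value as the default for that exchange and let only the new tests override it. In the block added at @@ -1638, `expect_pac` is passed to `self.get_ticket_pac(ticket, expect_pac=expect_pac)` and then asserted again with assertIsNotNone/assertIsNone; if get_ticket_pac already enforces the expectation, one of the two checks can go.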
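
Review bot: In kdc_base_test.py the RODC krbtgt hunk (@@ -919) changes `self.creds_set_default_enctypes(creds)` to pass `fast_support=self.kdc_fast_support`, so the expected enctype bits for the RODC krbtgt now include the FAST bit where they previously did not. The commit message for "tests/krb5: Update supported enctype checking" only mentions the claims, compound ID and DES bits, so this extra change should be called out there or split into its own commit. In the @@ -598 hunk, `KerberosCredentials.fast_supported_bits` is replaced by `security.KERB_ENCTYPE_FAST_SUPPORTED`; the hunk does not show a `security` import, and if nothing else uses `fast_supported_bits` it should be removed in the same change.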