The branch, master has been updated
       via  be2ade2d88b netcmd: fix broken shell command missing Model
       via  bcae4c2dbea python: lint: fix pylint R1720 unnecessary "raise" after "else"
       via  3dd49b9f567 python: lint: remove unused imports in claims and gmsa commands
       via  8f7ff1c7ef4 python: tests: type check should always use "is" or "is not"
       via  e388bf4b4a2 python: tests: fix closing quote in docstring example
       via  a18c53a9b98 libcli/http: Detect unsupported Transfer-encoding type
       via  93709d31590 selftest: Add new test for testing non-chunk transfer encoding
       via  efdbf0511e0 selftest: fix potential reference before assigned error
       via  8e931fce126 Do not fail checksums for RFC8009 types
       via  2ecb69d9b7f python:tests: Improve keytab comparison of dckeytab
      from  814ae222ca1 s3:winbindd: use better debug messages than 'talloc_strdup failed'

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit be2ade2d88bb89763fce2a34f8f68941424ad9ee
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 28 16:06:05 2024 +1300

    netcmd: fix broken shell command missing Model
    
    This is already in MODELS which is populated in ModelMeta
    
    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Mon Apr  8 04:07:22 UTC 2024 on atb-devel-224

commit bcae4c2dbea7067932e931456998b1ada20d615c
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 28 16:15:06 2024 +1300

    python: lint: fix pylint R1720 unnecessary "raise" after "else"
    
    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3dd49b9f567fdf14e7a616351805d1aac9a3083a
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 28 16:09:44 2024 +1300

    python: lint: remove unused imports in claims and gmsa commands
    
    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8f7ff1c7ef4a570193faa2e3181a757bc98c3e08
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 28 15:59:33 2024 +1300

    python: tests: type check should always use "is" or "is not"
    
    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e388bf4b4a2012bd1fdde7e63b957b32c1a69c75
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 28 15:58:34 2024 +1300

    python: tests: fix closing quote in docstring example
    
    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a18c53a9b98e2e8dea08cf0ef08efc59e58ec137
Author: Noel Power <noel.po...@suse.com>
Date:   Thu Mar 28 10:48:58 2024 +0000

    libcli/http: Detect unsupported Transfer-encoding type
    
    Also removes knownfail for test that now passes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
    Signed-off-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 93709d31590d4ca25fbac813b9e499755b81ddb5
Author: Noel Power <noel.po...@suse.com>
Date:   Thu Mar 28 09:16:33 2024 +0000

    selftest: Add new test for testing non-chunk transfer encoding
    
    And add a known fail because there is a bug :-(
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
    Signed-off-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit efdbf0511e0a89f865210170001fbebf17a45278
Author: Noel Power <noel.po...@suse.com>
Date:   Thu Mar 28 09:09:02 2024 +0000

    selftest: fix potential reference before assigned error
    
    This would only happen if the test failed (but the message would be
    incorrect as 'e', the exception to be stringified, doesn't exist).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
    Signed-off-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8e931fce126e8c1128da893c806702731c08758a
Author: Alexander Bokovoy <a...@samba.org>
Date:   Thu Jun 22 09:56:12 2023 +0300

    Do not fail checksums for RFC8009 types
    
    While Active Directory does not yet support RFC 8009 encryption and
    checksum types, it is possible to verify these checksums when running
    with both MIT Kerberos and Heimdal Kerberos. This matters for the FreeIPA
    domain controller, which uses them by default.
    
    [2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
    ../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
      smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
    [2023/06/16 21:51:04.924196,  2, pid=51149, effective(0, 0), real(0, 0),
    class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
      check_pac_checksum: Checksum Type 20 is not supported
    [2023/06/16 21:51:04.924228,  5, pid=51149, effective(0, 0), real(0, 0),
    class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
      PAC Decode: Failed to verify the service signature: Invalid argument
    
    Signed-off-by: Alexander Bokovoy <a...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2ecb69d9b7f26777d45b6921ccc9d3bfffa3af0a
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Apr 5 14:33:04 2024 +0200

    python:tests: Improve keytab comparison of dckeytab
    
    This will give better output on failure as it compares strings instead
    of bytes.
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/kerberos/kerberos_pac.c                       | 47 ++++++++++++---------
 lib/krb5_wrap/krb5_samba.h                         | 28 +++++++++++++
 libcli/http/http.c                                 | 48 +++++++++++++++-------
 python/samba/netcmd/domain/auth/policy/policy.py   |  7 ++--
 python/samba/netcmd/domain/auth/silo/silo.py       |  4 +-
 python/samba/netcmd/domain/claim/claim_type.py     |  6 +--
 .../netcmd/service_account/group_msa_membership.py |  2 +-
 .../netcmd/service_account/service_account.py      |  4 +-
 python/samba/netcmd/shell.py                       |  1 -
 python/samba/tests/blackbox/http_chunk.py          | 17 +++++++-
 python/samba/tests/blackbox/http_content.py        |  2 +-
 python/samba/tests/dckeytab.py                     | 23 +++++++++--
 python/samba/tests/token_factory.py                |  4 +-
 13 files changed, 137 insertions(+), 56 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index ae4557bbd6f..b6272ac15eb 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -33,6 +33,7 @@
 #include "librpc/gen_ndr/auth.h"
 #include "auth/common_auth.h"
 #include "auth/kerberos/pac_utils.h"
+#include "lib/krb5_wrap/krb5_samba.h"
 
 krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
                                          struct PAC_SIGNATURE_DATA *sig,
@@ -44,26 +45,34 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
        krb5_keyusage usage = 0;
        krb5_boolean checksum_valid = false;
        krb5_data input;
-
-       switch (sig->type) {
-       case CKSUMTYPE_HMAC_MD5:
-               /* ignores the key type */
-               break;
-       case CKSUMTYPE_HMAC_SHA1_96_AES_256:
-               if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) 
{
-                       return EINVAL;
-               }
-               /* ok */
-               break;
-       case CKSUMTYPE_HMAC_SHA1_96_AES_128:
-               if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) 
{
-                       return EINVAL;
+       size_t idx = 0;
+       struct {
+               krb5_cksumtype cksum_type;
+               krb5_enctype enc_type;
+       } supported_types[] = {
+               {CKSUMTYPE_HMAC_SHA1_96_AES_256, 
ENCTYPE_AES256_CTS_HMAC_SHA1_96},
+               {CKSUMTYPE_HMAC_SHA1_96_AES_128, 
ENCTYPE_AES128_CTS_HMAC_SHA1_96},
+               /* RFC8009 types. Not supported by AD yet but used by FreeIPA 
and MIT Kerberos */
+               {CKSUMTYPE_HMAC_SHA256_128_AES128, 
ENCTYPE_AES128_CTS_HMAC_SHA256_128},
+               {CKSUMTYPE_HMAC_SHA384_192_AES256, 
ENCTYPE_AES256_CTS_HMAC_SHA384_192},
+               {0, 0},
+       };
+
+       for(idx = 0; supported_types[idx].cksum_type != 0; idx++) {
+               if (sig->type == supported_types[idx].cksum_type) {
+                       if (KRB5_KEY_TYPE(keyblock) != 
supported_types[idx].enc_type) {
+                               return EINVAL;
+                       }
+                       /* ok */
+                       break;
                }
-               /* ok */
-               break;
-       default:
-               DEBUG(2,("check_pac_checksum: Checksum Type %"PRIu32" is not 
supported\n",
-                       sig->type));
+       }
+
+       /* do not do key type check for HMAC-MD5 */
+       if ((sig->type != CKSUMTYPE_HMAC_MD5) &&
+           (supported_types[idx].cksum_type == 0)) {
+               DEBUG(2,("check_pac_checksum: Checksum Type %d is not 
supported\n",
+                       (int)sig->type));
                return EINVAL;
        }
 
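Review bot: the reject test after the loop, (supported_types[idx].cksum_type == 0), only works because idx is left pointing at the {0, 0} sentinel when nothing matched and at the matching row after the break; that coupling is easy to break when the table or loop is edited. A boolean found flag, or a small lookup helper that returns the expected enctype, would make the unsupported-type path explicit. For CKSUMTYPE_HMAC_MD5 the loop always runs to the sentinel and the key type is never checked, as before; a comment at the table saying that HMAC-MD5 is deliberately absent would help the next reader. Minor: "for(" is missing a space, and the DEBUG line moves from PRIu32 to %d with an (int) cast without the commit message saying why.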
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 05546f8a2eb..df6d392c020 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -88,6 +88,34 @@
 #define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256
 #endif
 
+/*
+ * RFC8009 encryption types' defines have different names:
+ *
+ * KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128 in Heimdal
+ * ENCTYPE_AES128_CTS_HMAC_SHA256_128 in MIT
+ *
+ * and
+ *
+ * KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192 in Heimdal
+ * ENCTYPE_AES256_CTS_HMAC_SHA384_192 in MIT
+ */
+#if !defined(ENCTYPE_AES128_CTS_HMAC_SHA256_128)
+#define ENCTYPE_AES128_CTS_HMAC_SHA256_128 
KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128
+#endif
+#if !defined(ENCTYPE_AES256_CTS_HMAC_SHA384_192)
+#define ENCTYPE_AES256_CTS_HMAC_SHA384_192 
KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192
+#endif
+
+/*
+ * Same for older encryption types, rename to have the same defines
+ */
+#if !defined(ENCTYPE_AES128_CTS_HMAC_SHA1_96)
+#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+#endif
+#if !defined(ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+#endif
+
 /*
  * KRB5_KU_OTHER_ENCRYPTED in Heimdal
  * KRB5_KEYUSAGE_APP_DATA_ENCRYPT in MIT
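Review bot: only ENCTYPE_ fallbacks are added here, but the new table in check_pac_checksum also uses CKSUMTYPE_HMAC_SHA256_128_AES128 and CKSUMTYPE_HMAC_SHA384_192_AES256, and the context line just above this hunk shows that checksum names already differ between the two Kerberos libraries (CKSUMTYPE_HMAC_SHA1_96_AES_256 vs CKSUMTYPE_HMAC_SHA1_96_AES256). Please confirm both Heimdal and MIT provide the two RFC 8009 checksum names exactly as spelled in the table, or add matching #if !defined fallbacks next to these. The fallbacks also assume the KRB5_ENCTYPE_ name exists whenever the ENCTYPE_ one does not; against a library that has neither, the build fails at the point of use in kerberos_pac.c rather than here, so a configure check or an #error would give a clearer message.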
diff --git a/libcli/http/http.c b/libcli/http/http.c
index 3681500f194..6f22214f706 100644
--- a/libcli/http/http.c
+++ b/libcli/http/http.c
@@ -28,16 +28,28 @@
 
 #undef strcasecmp
 
+enum http_body_type {
+       BODY_NONE = 0,
+       BODY_CONTENT_LENGTH,
+       BODY_CHUNKED,
+       BODY_ERROR = -1
+};
+
 /**
  * Determines if a response should have a body.
- * @return 1 if the response MUST have a body; 0 if the response MUST NOT have
- *     a body. Returns -1 on error.
+ * @return 2 if response MUST use chunked encoding,
+ *         1 if the response MUST have a body;
+ *         0 if the response MUST NOT have a body.
+ * Returns -1 on error.
  */
-static int http_response_needs_body(struct http_request *req)
+static enum http_body_type http_response_needs_body(
+                                       struct http_request *req)
 {
        struct http_header *h = NULL;
 
-       if (!req) return -1;
+       if (!req) {
+               return BODY_ERROR;
+       }
 
        for (h = req->headers; h != NULL; h = h->next) {
                int cmp;
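Review bot: the doc comment above http_response_needs_body still describes the return values as 2, 1, 0 and -1 although the function now returns enum http_body_type. Name the constants there instead (BODY_CHUNKED, BODY_CONTENT_LENGTH, BODY_NONE, BODY_ERROR) so the comment cannot drift from the enum and from the switch in http_parse_headers.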
@@ -48,7 +60,13 @@ static int http_response_needs_body(struct http_request *req)
                cmp = strcasecmp(h->key, "Transfer-Encoding");
                if (cmp == 0) {
                        cmp = strcasecmp(h->value, "chunked");
-                       return 2;
+                       if (cmp == 0) {
+                               return BODY_CHUNKED;
+                       }
+                       /* unsupported Transfer-Encoding type */
+                       DBG_ERR("Unsupported transfer encoding type %s\n",
+                               h->value);
+                       return BODY_ERROR;
                }
 
                cmp = strcasecmp(h->key, "Content-Length");
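Review bot: the unsupported Transfer-Encoding check only fires if that header is reached before Content-Length, because the function returns from inside the header loop on whichever of the two it meets first. A response carrying Content-Length ahead of "Transfer-Encoding: gzip" in the list would still be read as a plain body. Since Transfer-Encoding is meant to take precedence over Content-Length, consider scanning all headers for Transfer-Encoding first and returning BODY_ERROR when both are present or the value is unsupported. The exact strcasecmp against "chunked" also rejects list forms such as "gzip, chunked" and values with surrounding whitespace; failing closed is reasonable, but a comment saying it is intentional would help, and the new selftest could cover the Content-Length-first ordering.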
@@ -58,19 +76,19 @@ static int http_response_needs_body(struct http_request 
*req)
 
                n = sscanf(h->value, "%llu%c", &v, &c);
                if (n != 1) {
-                       return -1;
+                       return BODY_ERROR;
                }
 
                req->remaining_content_length = v;
 
                if (v != 0) {
-                       return 1;
+                       return BODY_CONTENT_LENGTH;
                }
 
-               return 0;
+               return BODY_NONE;
        }
 
-       return 0;
+       return BODY_NONE;
 }
 struct http_chunk
 {
@@ -98,7 +116,7 @@ static enum http_read_status http_parse_headers(struct 
http_read_response_state
        char                    *key = NULL;
        char                    *value = NULL;
        int                     n = 0;
-       int                     ret;
+       enum http_body_type     ret;
 
        /* Sanity checks */
        if (!state || !state->response) {
@@ -131,24 +149,24 @@ static enum http_read_status http_parse_headers(struct 
http_read_response_state
 
                ret = http_response_needs_body(state->response);
                switch (ret) {
-               case 2:
+               case BODY_CHUNKED:
                        DEBUG(11, ("%s: need to process chunks... %d\n", 
__func__,
                                   state->response->response_code));
                        state->parser_state = HTTP_READING_CHUNK_SIZE;
                        break;
-               case 1:
+               case BODY_CONTENT_LENGTH:
                        if (state->response->remaining_content_length <= 
state->max_content_length) {
                                DEBUG(11, ("%s: Start of read body\n", 
__func__));
                                state->parser_state = HTTP_READING_BODY;
                                break;
                        }
                        FALL_THROUGH;
-               case 0:
+               case BODY_NONE:
                        DEBUG(11, ("%s: Skipping body for code %d\n", __func__,
                                   state->response->response_code));
                        state->parser_state = HTTP_READING_DONE;
                        break;
-               case -1:
+               case BODY_ERROR:
                        DEBUG(0, ("%s_: Error in http_response_needs_body\n", 
__func__));
                        TALLOC_FREE(line);
                        return HTTP_DATA_CORRUPTED;
@@ -854,7 +872,7 @@ static void http_read_response_done(struct tevent_req 
*subreq)
 {
        NTSTATUS                        status;
        struct tevent_req               *req;
-       int                             ret;
+       enum http_body_type             ret;
        int                             sys_errno;
 
        if (!subreq) {
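Review bot: the type of ret in http_read_response_done is changed to enum http_body_type, but nothing in this hunk shows it receiving the result of http_response_needs_body; it is declared beside sys_errno, which suggests it holds the return value of a read call. If so it should stay int, since storing a byte count or -1 in the enum is misleading and can trigger compiler warnings about enum conversions. Only the ret in http_parse_headers needed the new type.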
diff --git a/python/samba/netcmd/domain/auth/policy/policy.py 
b/python/samba/netcmd/domain/auth/policy/policy.py
index fc06fd27705..207aa33c8d3 100644
--- a/python/samba/netcmd/domain/auth/policy/policy.py
+++ b/python/samba/netcmd/domain/auth/policy/policy.py
@@ -22,8 +22,7 @@
 
 import samba.getopt as options
 from samba.domain.models import (MAX_TGT_LIFETIME, MIN_TGT_LIFETIME,
-                                 AuthenticationPolicy, AuthenticationSilo,
-                                 Group, StrongNTLMPolicy)
+                                 AuthenticationPolicy, StrongNTLMPolicy)
 from samba.domain.models.exceptions import ModelError
 from samba.netcmd import Command, CommandError, Option
 from samba.netcmd.validators import Range
@@ -438,8 +437,8 @@ class cmd_domain_auth_policy_delete(Command):
             if not force:
                 raise CommandError(
                     f"{e}\nTry --force to delete protected authentication 
policies.")
-            else:
-                raise CommandError(e)
+
+            raise CommandError(e)
 
         # Authentication policy deleted successfully.
         print(f"Deleted authentication policy: {name}", file=self.outf)
diff --git a/python/samba/netcmd/domain/auth/silo/silo.py 
b/python/samba/netcmd/domain/auth/silo/silo.py
index 028581a61c7..2963ede64d4 100644
--- a/python/samba/netcmd/domain/auth/silo/silo.py
+++ b/python/samba/netcmd/domain/auth/silo/silo.py
@@ -378,8 +378,8 @@ class cmd_domain_auth_silo_delete(Command):
             if not force:
                 raise CommandError(
                     f"{e}\nTry --force to delete protected authentication 
silos.")
-            else:
-                raise CommandError(e)
+
+            raise CommandError(e)
 
         # Authentication silo deleted successfully.
         print(f"Deleted authentication silo: {name}", file=self.outf)
diff --git a/python/samba/netcmd/domain/claim/claim_type.py 
b/python/samba/netcmd/domain/claim/claim_type.py
index 312742fede6..3bd91e13a6a 100644
--- a/python/samba/netcmd/domain/claim/claim_type.py
+++ b/python/samba/netcmd/domain/claim/claim_type.py
@@ -21,7 +21,7 @@
 #
 
 import samba.getopt as options
-from samba.domain.models import AttributeSchema, ClaimType, ClassSchema, 
ValueType
+from samba.domain.models import AttributeSchema, ClaimType, ClassSchema
 from samba.domain.models.exceptions import ModelError
 from samba.netcmd import Command, CommandError, Option, SuperCommand
 
@@ -244,8 +244,8 @@ class cmd_domain_claim_claim_type_delete(Command):
             if not force:
                 raise CommandError(
                     f"{e}\nTry --force to delete protected claim types.")
-            else:
-                raise CommandError(e)
+
+            raise CommandError(e)
 
         # Claim type deleted successfully.
         print(f"Deleted claim type: {name}", file=self.outf)
diff --git a/python/samba/netcmd/service_account/group_msa_membership.py 
b/python/samba/netcmd/service_account/group_msa_membership.py
index 34e7fa45b59..5a8291b4556 100644
--- a/python/samba/netcmd/service_account/group_msa_membership.py
+++ b/python/samba/netcmd/service_account/group_msa_membership.py
@@ -19,7 +19,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from samba.domain.models import Group, GroupManagedServiceAccount, Model, User
+from samba.domain.models import GroupManagedServiceAccount, Model, User
 from samba.domain.models.exceptions import ModelError
 from samba.getopt import CredentialsOptions, HostOptions, Option, SambaOptions
 from samba.netcmd import Command, CommandError, SuperCommand
diff --git a/python/samba/netcmd/service_account/service_account.py 
b/python/samba/netcmd/service_account/service_account.py
index f492c6ba1d7..8ad6cdd7225 100644
--- a/python/samba/netcmd/service_account/service_account.py
+++ b/python/samba/netcmd/service_account/service_account.py
@@ -20,9 +20,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-from samba.domain.models import (AccountType, Computer, Group,
-                                 GroupManagedServiceAccount,
-                                 SupportedEncryptionTypes, User)
+from samba.domain.models import GroupManagedServiceAccount
 from samba.domain.models.exceptions import ModelError
 from samba.getopt import CredentialsOptions, HostOptions, Option, SambaOptions
 from samba.netcmd import Command, CommandError
diff --git a/python/samba/netcmd/shell.py b/python/samba/netcmd/shell.py
index 5df3aa11336..54c4019df36 100644
--- a/python/samba/netcmd/shell.py
+++ b/python/samba/netcmd/shell.py
@@ -50,7 +50,6 @@ class cmd_shell(Command):
         context.update({
             "samdb": samdb,
             "ldb": ldb,
-            "Model": Model,
         })
         context.update({model.__name__: model for model in MODELS.values()})
 
diff --git a/python/samba/tests/blackbox/http_chunk.py 
b/python/samba/tests/blackbox/http_chunk.py
index 175c60d98a2..6745c8cb392 100644
--- a/python/samba/tests/blackbox/http_chunk.py
+++ b/python/samba/tests/blackbox/http_chunk.py
@@ -46,7 +46,10 @@ class ChunkHTTPRequestHandler(BaseHTTPRequestHandler):
 
         self.send_response(200)
         self.send_header('content-type', 'application/json; charset=UTF-8')
-        self.send_header('Transfer-Encoding', 'chunked')
+        if self.path == "usegziptransferencoding":
+            self.send_header('Transfer-Encoding', 'gzip')
+        else:
+            self.send_header('Transfer-Encoding', 'chunked')
         self.end_headers()
         resp = bytes()
         for chunk in chunks:
@@ -99,7 +102,7 @@ class HttpChunkBlackboxTests(BlackboxTestCase):
         try:
             msg = "snglechunksnglechunksnglechunksnglechunksnglechunk"
             resp = self.check_output("%s -d11 -U%% -I%s --rsize 49 --uri %s" % 
(COMMAND, os.getenv("SERVER_IP", "localhost"), msg))
-            self.fail(str(e))
+            self.fail("unexpected success")
         except BlackboxProcessError as e:
             if "http_read_chunk: size 50 exceeds max content len 49 skipping 
body" not in e.stderr.decode('utf-8'):
                 self.fail(str(e))
@@ -114,3 +117,13 @@ class HttpChunkBlackboxTests(BlackboxTestCase):
         except BlackboxProcessError as e:
             print("Failed with: %s" % e)
             self.fail(str(e))
+
+    def test_gzip_transfer_encoding(self):
+        try:
+            msg = "usegziptransferencoding"
+            resp = self.check_output("%s -U%% -I%s --rsize 50 --uri %s" % 
(COMMAND, os.getenv("SERVER_IP", "localhost"), msg))
+            self.assertEqual(msg, resp.decode('utf-8'))
+            self.fail("unexpected success")
+        except BlackboxProcessError as e:
+            if "http_response_needs_body: Unsupported transfer encoding type 
gzip" not in e.stderr.decode('utf-8'):
+                self.fail(str(e))
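Review bot: in test_gzip_transfer_encoding the assertEqual(msg, resp.decode('utf-8')) line sits on the path that is supposed to be unreachable. If the client ever does succeed, the test fails on a string mismatch rather than on the clearer "unexpected success", so drop the assertEqual and keep only self.fail("unexpected success"). The handler side compares self.path with "usegziptransferencoding" with no leading slash, which relies on the client sending the --uri value verbatim; a short comment in ChunkHTTPRequestHandler would make that dependency visible.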
diff --git a/python/samba/tests/blackbox/http_content.py 
b/python/samba/tests/blackbox/http_content.py
index 9ecb6ffe279..3d674aa8db7 100644
--- a/python/samba/tests/blackbox/http_content.py
+++ b/python/samba/tests/blackbox/http_content.py
@@ -77,7 +77,7 @@ class HttpContentBlackboxTests(BlackboxTestCase):
             msg = "012345678" # 9 bytes
             # limit response to 8 bytes
             resp = self.check_output("%s -d11 -U%% -I%s --rsize 8 --uri %s" % 
(COMMAND, os.getenv("SERVER_IP", "localhost"), msg))
-            self.fail(str(e))
+            self.fail("unexpected success")
         except BlackboxProcessError as e:
             if "unexpected 0 len response" not in e.stdout.decode('utf-8'):
                 self.fail(str(e))
diff --git a/python/samba/tests/dckeytab.py b/python/samba/tests/dckeytab.py
index 978e3753cc7..090f53332c8 100644
--- a/python/samba/tests/dckeytab.py
+++ b/python/samba/tests/dckeytab.py
@@ -17,12 +17,11 @@
 #
 
 import os
-import sys
-import string
+import subprocess
 from samba.net import Net
 from samba import enable_net_export_keytab
 
-from samba import credentials, dsdb, ntstatus, NTSTATUSError, tests
+from samba import credentials, dsdb, ntstatus, NTSTATUSError
 from samba.dcerpc import krb5ccache, security
 from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT
 from samba.ndr import ndr_unpack, ndr_pack
@@ -153,10 +152,28 @@ class DCKeytabTests(TestCaseInTempDir):
         net.export_keytab(keytab=self.ktfile, principal=new_principal)
         self.assertTrue(os.path.exists(self.ktfile), 'keytab was not created')
 
+        cmd = ['klist', '-K', '-C', '-t', '-k', self.ktfile]
+        keytab_orig_content = subprocess.Popen(
+            cmd,
+            shell=False,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+        ).communicate()[0]
+
         with open(self.ktfile, 'rb') as bytes_kt:
             keytab_orig_bytes = bytes_kt.read()
 
         net.export_keytab(keytab=self.ktfile, principal=new_principal)
+        self.assertTrue(os.path.exists(self.ktfile), 'keytab was not created')
+
+        keytab_content = subprocess.Popen(
+            cmd,
+            shell=False,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+        ).communicate()[0]
+
+        self.assertEqual(keytab_orig_content, keytab_content)
 
         # Parse the first entry in the keytab
         with open(self.ktfile, 'rb') as bytes_kt:
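Review bot: communicate()[0] returns bytes here because Popen is called without text=True or a decode, so assertEqual(keytab_orig_content, keytab_content) still compares bytes, not strings as the commit message says. The klist exit status is also never checked and stderr is merged into stdout, so if klist is missing or fails the same way on both runs the two outputs are equal and the assertion passes without having compared any keytab entries. Using subprocess.run(cmd, check=True, capture_output=True, text=True).stdout (or check_output plus decode) for both calls would fix both points and give the readable diff on failure that the change is after.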
diff --git a/python/samba/tests/token_factory.py 
b/python/samba/tests/token_factory.py
index 22f87f0f489..e4e5d87df01 100644
--- a/python/samba/tests/token_factory.py
+++ b/python/samba/tests/token_factory.py
@@ -47,7 +47,7 @@ def list_to_claim(k, v, case_sensitive=False):
         t = type(v[0])
         c.value_type = CLAIM_VAL_TYPES[t]
         for val in v[1:]:
-            if type(val) != t:
+            if type(val) is not t:
                 raise TypeError(f"claim values for '{k}' "
                                 "should all be the same type")
     else:
@@ -216,7 +216,7 @@ def token(sids=None, **kwargs):
 
     To add claims and device SIDs you do something like this:
 
-    >>> t = token(["AA", WD"],
+    >>> t = token(["AA", "WD"],
                   device_sids=["WD"],
                   user_claims={"Title": ["PM"],
                                "ClearanceLevel": [1]}


-- 
Samba Shared Repository
