The branch, master has been updated
       via  be2ade2d88b netcmd: fix broken shell command missing Model
       via  bcae4c2dbea python: lint: fix pylint R1720 unnecessary "raise" after "else"
       via  3dd49b9f567 python: lint: remove unused imports in claims and gmsa commands
       via  8f7ff1c7ef4 python: tests: type check should always use "is" or "is not"
       via  e388bf4b4a2 python: tests: fix closing quote in docstring example
       via  a18c53a9b98 libcli/http: Detect unsupported Transfer-encoding type
       via  93709d31590 selftest: Add new test for testing non-chunk transfer encoding
       via  efdbf0511e0 selftest: fix potential reference before assigned error
       via  8e931fce126 Do not fail checksums for RFC8009 types
       via  2ecb69d9b7f python:tests: Improve keytab comparison of dckeytab
      from  814ae222ca1 s3:winbindd: use better debug messages than 'talloc_strdup failed'

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit be2ade2d88bb89763fce2a34f8f68941424ad9ee
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 28 16:06:05 2024 +1300

    netcmd: fix broken shell command missing Model

    This is already in MODELS which is populated in ModelMeta

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Mon Apr 8 04:07:22 UTC 2024 on atb-devel-224

commit bcae4c2dbea7067932e931456998b1ada20d615c
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 28 16:15:06 2024 +1300

    python: lint: fix pylint R1720 unnecessary "raise" after "else"

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3dd49b9f567fdf14e7a616351805d1aac9a3083a
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 28 16:09:44 2024 +1300

    python: lint: remove unused imports in claims and gmsa commands

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8f7ff1c7ef4a570193faa2e3181a757bc98c3e08
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 28 15:59:33 2024 +1300

    python: tests: type check should always use "is" or "is not"

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e388bf4b4a2012bd1fdde7e63b957b32c1a69c75
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 28 15:58:34 2024 +1300

    python: tests: fix closing quote in docstring example

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a18c53a9b98e2e8dea08cf0ef08efc59e58ec137
Author: Noel Power <noel.po...@suse.com>
Date:   Thu Mar 28 10:48:58 2024 +0000

    libcli/http: Detect unsupported Transfer-encoding type

    Also removes knownfail for test that now passes

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
    Signed-off-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 93709d31590d4ca25fbac813b9e499755b81ddb5
Author: Noel Power <noel.po...@suse.com>
Date:   Thu Mar 28 09:16:33 2024 +0000

    selftest: Add new test for testing non-chunk transfer encoding

    And add a known fail because there is a bug :-(

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
    Signed-off-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit efdbf0511e0a89f865210170001fbebf17a45278
Author: Noel Power <noel.po...@suse.com>
Date:   Thu Mar 28 09:09:02 2024 +0000

    selftest: fix potential reference before assigned error

    This would only happen if the test failed (but the message would be
    incorrect as 'e' the exception to be stringified doesn't exist.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
    Signed-off-by: Noel Power <noel.po...@suse.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8e931fce126e8c1128da893c806702731c08758a
Author: Alexander Bokovoy <a...@samba.org>
Date:   Thu Jun 22 09:56:12 2023 +0300

    Do not fail checksums for RFC8009 types

    While Active Directory does not support yet RFC 8009 encryption and
    checksum types, it is possible to verify these checksums when running
    with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
    domain controller which uses them by default.

    [2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)] ../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
      smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
    [2023/06/16 21:51:04.924196, 2, pid=51149, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
      check_pac_checksum: Checksum Type 20 is not supported
    [2023/06/16 21:51:04.924228, 5, pid=51149, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
      PAC Decode: Failed to verify the service signature: Invalid argument

    Signed-off-by: Alexander Bokovoy <a...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2ecb69d9b7f26777d45b6921ccc9d3bfffa3af0a
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Apr 5 14:33:04 2024 +0200

    python:tests: Improve keytab comparison of dckeytab

    This will give better output on failure as it compares strings instead
    of bytes.

Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/kerberos/kerberos_pac.c | 47 ++++++++++++--------- lib/krb5_wrap/krb5_samba.h | 28 +++++++++++++ libcli/http/http.c | 48 +++++++++++++++------- python/samba/netcmd/domain/auth/policy/policy.py | 7 ++-- python/samba/netcmd/domain/auth/silo/silo.py | 4 +- python/samba/netcmd/domain/claim/claim_type.py | 6 +-- .../netcmd/service_account/group_msa_membership.py | 2 +- .../netcmd/service_account/service_account.py | 4 +- python/samba/netcmd/shell.py | 1 - python/samba/tests/blackbox/http_chunk.py | 17 +++++++- python/samba/tests/blackbox/http_content.py | 2 +- python/samba/tests/dckeytab.py | 23 +++++++++-- python/samba/tests/token_factory.py | 4 +- 13 files changed, 137 insertions(+), 56 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c index ae4557bbd6f..b6272ac15eb 100644 --- a/auth/kerberos/kerberos_pac.c +++ b/auth/kerberos/kerberos_pac.c @@ -33,6 +33,7 @@ #include "librpc/gen_ndr/auth.h" #include "auth/common_auth.h" #include "auth/kerberos/pac_utils.h" +#include "lib/krb5_wrap/krb5_samba.h" krb5_error_code check_pac_checksum(DATA_BLOB pac_data, struct PAC_SIGNATURE_DATA *sig, 
@@ -44,26 +45,34 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data, krb5_keyusage usage = 0; krb5_boolean checksum_valid = false; krb5_data input; - - switch (sig->type) { - case CKSUMTYPE_HMAC_MD5: - /* ignores the key type */ - break; - case CKSUMTYPE_HMAC_SHA1_96_AES_256: - if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) { - return EINVAL; - } - /* ok */ - break; - case CKSUMTYPE_HMAC_SHA1_96_AES_128: - if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) { - return EINVAL; + size_t idx = 0; + struct { + krb5_cksumtype cksum_type; + krb5_enctype enc_type; + } supported_types[] = { + {CKSUMTYPE_HMAC_SHA1_96_AES_256, ENCTYPE_AES256_CTS_HMAC_SHA1_96}, + {CKSUMTYPE_HMAC_SHA1_96_AES_128, ENCTYPE_AES128_CTS_HMAC_SHA1_96}, + /* RFC8009 types. Not supported by AD yet but used by FreeIPA and MIT Kerberos */ + {CKSUMTYPE_HMAC_SHA256_128_AES128, ENCTYPE_AES128_CTS_HMAC_SHA256_128}, + {CKSUMTYPE_HMAC_SHA384_192_AES256, ENCTYPE_AES256_CTS_HMAC_SHA384_192}, + {0, 0}, + }; + + for(idx = 0; supported_types[idx].cksum_type != 0; idx++) { + if (sig->type == supported_types[idx].cksum_type) { + if (KRB5_KEY_TYPE(keyblock) != supported_types[idx].enc_type) { + return EINVAL; + } + /* ok */ + break; } - /* ok */ - break; - default: - DEBUG(2,("check_pac_checksum: Checksum Type %"PRIu32" is not supported\n", - sig->type)); + } + + /* do not do key type check for HMAC-MD5 */ + if ((sig->type != CKSUMTYPE_HMAC_MD5) && + (supported_types[idx].cksum_type == 0)) { + DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n", + (int)sig->type)); return EINVAL; } diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h index 05546f8a2eb..df6d392c020 100644 --- a/lib/krb5_wrap/krb5_samba.h +++ b/lib/krb5_wrap/krb5_samba.h 
@@ -88,6 +88,34 @@ #define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256 #endif +/* + * RFC8009 encryption types' defines have different names: + * + * KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128 in Heimdal + * ENCTYPE_AES128_CTS_HMAC_SHA256_128 in MIT + * + * and + * + * KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192 in Heimdal + * ENCTYPE_AES256_CTS_HMAC_SHA384_192 in MIT + */ +#if !defined(ENCTYPE_AES128_CTS_HMAC_SHA256_128) +#define ENCTYPE_AES128_CTS_HMAC_SHA256_128 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128 +#endif +#if !defined(ENCTYPE_AES256_CTS_HMAC_SHA384_192) +#define ENCTYPE_AES256_CTS_HMAC_SHA384_192 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192 +#endif + +/* + * Same for older encryption types, rename to have the same defines + */ +#if !defined(ENCTYPE_AES128_CTS_HMAC_SHA1_96) +#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 +#endif +#if !defined(ENCTYPE_AES256_CTS_HMAC_SHA1_96) +#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 +#endif + /* * KRB5_KU_OTHER_ENCRYPTED in Heimdal * KRB5_KEYUSAGE_APP_DATA_ENCRYPT in MIT diff --git a/libcli/http/http.c b/libcli/http/http.c index 3681500f194..6f22214f706 100644 --- a/libcli/http/http.c +++ b/libcli/http/http.c 
@@ -28,16 +28,28 @@ #undef strcasecmp +enum http_body_type { + BODY_NONE = 0, + BODY_CONTENT_LENGTH, + BODY_CHUNKED, + BODY_ERROR = -1 +}; + /** * Determines if a response should have a body. - * @return 1 if the response MUST have a body; 0 if the response MUST NOT have - * a body. Returns -1 on error. + * @return 2 if response MUST use chunked encoding, + * 1 if the response MUST have a body; + * 0 if the response MUST NOT have a body. + * Returns -1 on error. */ -static int http_response_needs_body(struct http_request *req) +static enum http_body_type http_response_needs_body( + struct http_request *req) { struct http_header *h = NULL; - if (!req) return -1; + if (!req) { + return BODY_ERROR; + } for (h = req->headers; h != NULL; h = h->next) { int cmp; @@ -48,7 +60,13 @@ static int http_response_needs_body(struct http_request *req) cmp = strcasecmp(h->key, "Transfer-Encoding"); if (cmp == 0) { cmp = strcasecmp(h->value, "chunked"); - return 2; + if (cmp == 0) { + return BODY_CHUNKED; + } + /* unsupported Transfer-Encoding type */ + DBG_ERR("Unsupported transfer encoding type %s\n", + h->value); + return BODY_ERROR; } cmp = strcasecmp(h->key, "Content-Length"); @@ -58,19 +76,19 @@ static int http_response_needs_body(struct http_request *req) n = sscanf(h->value, "%llu%c", &v, &c); if (n != 1) { - return -1; + return BODY_ERROR; } req->remaining_content_length = v; if (v != 0) { - return 1; + return BODY_CONTENT_LENGTH; } - return 0; + return BODY_NONE; } - return 0; + return BODY_NONE; } struct http_chunk { @@ -98,7 +116,7 @@ static enum http_read_status http_parse_headers(struct http_read_response_state char *key = NULL; char *value = NULL; int n = 0; - int ret; + enum http_body_type ret; /* Sanity checks */ if (!state || !state->response) { 
@@ -131,24 +149,24 @@ static enum http_read_status http_parse_headers(struct http_read_response_state ret = http_response_needs_body(state->response); switch (ret) { - case 2: + case BODY_CHUNKED: DEBUG(11, ("%s: need to process chunks... %d\n", __func__, state->response->response_code)); state->parser_state = HTTP_READING_CHUNK_SIZE; break; - case 1: + case BODY_CONTENT_LENGTH: if (state->response->remaining_content_length <= state->max_content_length) { DEBUG(11, ("%s: Start of read body\n", __func__)); state->parser_state = HTTP_READING_BODY; break; } FALL_THROUGH; - case 0: + case BODY_NONE: DEBUG(11, ("%s: Skipping body for code %d\n", __func__, state->response->response_code)); state->parser_state = HTTP_READING_DONE; break; - case -1: + case BODY_ERROR: DEBUG(0, ("%s_: Error in http_response_needs_body\n", __func__)); TALLOC_FREE(line); return HTTP_DATA_CORRUPTED; @@ -854,7 +872,7 @@ static void http_read_response_done(struct tevent_req *subreq) { NTSTATUS status; struct tevent_req *req; - int ret; + enum http_body_type ret; int sys_errno; if (!subreq) { diff --git a/python/samba/netcmd/domain/auth/policy/policy.py b/python/samba/netcmd/domain/auth/policy/policy.py index fc06fd27705..207aa33c8d3 100644 --- a/python/samba/netcmd/domain/auth/policy/policy.py +++ b/python/samba/netcmd/domain/auth/policy/policy.py @@ -22,8 +22,7 @@ import samba.getopt as options from samba.domain.models import (MAX_TGT_LIFETIME, MIN_TGT_LIFETIME, - AuthenticationPolicy, AuthenticationSilo, - Group, StrongNTLMPolicy) + AuthenticationPolicy, StrongNTLMPolicy) from samba.domain.models.exceptions import ModelError from samba.netcmd import Command, CommandError, Option from samba.netcmd.validators import Range 
@@ -438,8 +437,8 @@ class cmd_domain_auth_policy_delete(Command): if not force: raise CommandError( f"{e}\nTry --force to delete protected authentication policies.") - else: - raise CommandError(e) + + raise CommandError(e) # Authentication policy deleted successfully. print(f"Deleted authentication policy: {name}", file=self.outf) diff --git a/python/samba/netcmd/domain/auth/silo/silo.py b/python/samba/netcmd/domain/auth/silo/silo.py index 028581a61c7..2963ede64d4 100644 --- a/python/samba/netcmd/domain/auth/silo/silo.py +++ b/python/samba/netcmd/domain/auth/silo/silo.py @@ -378,8 +378,8 @@ class cmd_domain_auth_silo_delete(Command): if not force: raise CommandError( f"{e}\nTry --force to delete protected authentication silos.") - else: - raise CommandError(e) + + raise CommandError(e) # Authentication silo deleted successfully. print(f"Deleted authentication silo: {name}", file=self.outf) diff --git a/python/samba/netcmd/domain/claim/claim_type.py b/python/samba/netcmd/domain/claim/claim_type.py index 312742fede6..3bd91e13a6a 100644 --- a/python/samba/netcmd/domain/claim/claim_type.py +++ b/python/samba/netcmd/domain/claim/claim_type.py @@ -21,7 +21,7 @@ # import samba.getopt as options -from samba.domain.models import AttributeSchema, ClaimType, ClassSchema, ValueType +from samba.domain.models import AttributeSchema, ClaimType, ClassSchema from samba.domain.models.exceptions import ModelError from samba.netcmd import Command, CommandError, Option, SuperCommand @@ -244,8 +244,8 @@ class cmd_domain_claim_claim_type_delete(Command): if not force: raise CommandError( f"{e}\nTry --force to delete protected claim types.") - else: - raise CommandError(e) + + raise CommandError(e) # Claim type deleted successfully. print(f"Deleted claim type: {name}", file=self.outf) diff --git a/python/samba/netcmd/service_account/group_msa_membership.py b/python/samba/netcmd/service_account/group_msa_membership.py index 34e7fa45b59..5a8291b4556 100644 
--- a/python/samba/netcmd/service_account/group_msa_membership.py +++ b/python/samba/netcmd/service_account/group_msa_membership.py @@ -19,7 +19,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -from samba.domain.models import Group, GroupManagedServiceAccount, Model, User +from samba.domain.models import GroupManagedServiceAccount, Model, User from samba.domain.models.exceptions import ModelError from samba.getopt import CredentialsOptions, HostOptions, Option, SambaOptions from samba.netcmd import Command, CommandError, SuperCommand diff --git a/python/samba/netcmd/service_account/service_account.py b/python/samba/netcmd/service_account/service_account.py index f492c6ba1d7..8ad6cdd7225 100644 --- a/python/samba/netcmd/service_account/service_account.py +++ b/python/samba/netcmd/service_account/service_account.py @@ -20,9 +20,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. # -from samba.domain.models import (AccountType, Computer, Group, - GroupManagedServiceAccount, - SupportedEncryptionTypes, User) +from samba.domain.models import GroupManagedServiceAccount from samba.domain.models.exceptions import ModelError from samba.getopt import CredentialsOptions, HostOptions, Option, SambaOptions from samba.netcmd import Command, CommandError diff --git a/python/samba/netcmd/shell.py b/python/samba/netcmd/shell.py index 5df3aa11336..54c4019df36 100644 --- a/python/samba/netcmd/shell.py +++ b/python/samba/netcmd/shell.py @@ -50,7 +50,6 @@ class cmd_shell(Command): context.update({ "samdb": samdb, "ldb": ldb, - "Model": Model, }) context.update({model.__name__: model for model in MODELS.values()}) diff --git a/python/samba/tests/blackbox/http_chunk.py b/python/samba/tests/blackbox/http_chunk.py index 175c60d98a2..6745c8cb392 100644 --- a/python/samba/tests/blackbox/http_chunk.py +++ b/python/samba/tests/blackbox/http_chunk.py 
@@ -46,7 +46,10 @@ class ChunkHTTPRequestHandler(BaseHTTPRequestHandler): self.send_response(200) self.send_header('content-type', 'application/json; charset=UTF-8') - self.send_header('Transfer-Encoding', 'chunked') + if self.path == "usegziptransferencoding": + self.send_header('Transfer-Encoding', 'gzip') + else: + self.send_header('Transfer-Encoding', 'chunked') self.end_headers() resp = bytes() for chunk in chunks: @@ -99,7 +102,7 @@ class HttpChunkBlackboxTests(BlackboxTestCase): try: msg = "snglechunksnglechunksnglechunksnglechunksnglechunk" resp = self.check_output("%s -d11 -U%% -I%s --rsize 49 --uri %s" % (COMMAND, os.getenv("SERVER_IP", "localhost"), msg)) - self.fail(str(e)) + self.fail("unexpected success") except BlackboxProcessError as e: if "http_read_chunk: size 50 exceeds max content len 49 skipping body" not in e.stderr.decode('utf-8'): self.fail(str(e)) @@ -114,3 +117,13 @@ class HttpChunkBlackboxTests(BlackboxTestCase): except BlackboxProcessError as e: print("Failed with: %s" % e) self.fail(str(e)) + + def test_gzip_transfer_encoding(self): + try: + msg = "usegziptransferencoding" + resp = self.check_output("%s -U%% -I%s --rsize 50 --uri %s" % (COMMAND, os.getenv("SERVER_IP", "localhost"), msg)) + self.assertEqual(msg, resp.decode('utf-8')) + self.fail("unexpected success") + except BlackboxProcessError as e: + if "http_response_needs_body: Unsupported transfer encoding type gzip" not in e.stderr.decode('utf-8'): + self.fail(str(e)) diff --git a/python/samba/tests/blackbox/http_content.py b/python/samba/tests/blackbox/http_content.py index 9ecb6ffe279..3d674aa8db7 100644 --- a/python/samba/tests/blackbox/http_content.py +++ b/python/samba/tests/blackbox/http_content.py 
@@ -77,7 +77,7 @@ class HttpContentBlackboxTests(BlackboxTestCase): msg = "012345678" # 9 bytes # limit response to 8 bytes resp = self.check_output("%s -d11 -U%% -I%s --rsize 8 --uri %s" % (COMMAND, os.getenv("SERVER_IP", "localhost"), msg)) - self.fail(str(e)) + self.fail("unexpected success") except BlackboxProcessError as e: if "unexpected 0 len response" not in e.stdout.decode('utf-8'): self.fail(str(e)) diff --git a/python/samba/tests/dckeytab.py b/python/samba/tests/dckeytab.py index 978e3753cc7..090f53332c8 100644 --- a/python/samba/tests/dckeytab.py +++ b/python/samba/tests/dckeytab.py @@ -17,12 +17,11 @@ # import os -import sys -import string +import subprocess from samba.net import Net from samba import enable_net_export_keytab -from samba import credentials, dsdb, ntstatus, NTSTATUSError, tests +from samba import credentials, dsdb, ntstatus, NTSTATUSError from samba.dcerpc import krb5ccache, security from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT from samba.ndr import ndr_unpack, ndr_pack @@ -153,10 +152,28 @@ class DCKeytabTests(TestCaseInTempDir): net.export_keytab(keytab=self.ktfile, principal=new_principal) self.assertTrue(os.path.exists(self.ktfile), 'keytab was not created') + cmd = ['klist', '-K', '-C', '-t', '-k', self.ktfile] + keytab_orig_content = subprocess.Popen( + cmd, + shell=False, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + ).communicate()[0] + with open(self.ktfile, 'rb') as bytes_kt: keytab_orig_bytes = bytes_kt.read() net.export_keytab(keytab=self.ktfile, principal=new_principal) + self.assertTrue(os.path.exists(self.ktfile), 'keytab was not created') + + keytab_content = subprocess.Popen( + cmd, + shell=False, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, + ).communicate()[0] + + self.assertEqual(keytab_orig_content, keytab_content) # Parse the first entry in the keytab with open(self.ktfile, 'rb') as bytes_kt: 
diff --git a/python/samba/tests/token_factory.py b/python/samba/tests/token_factory.py index 22f87f0f489..e4e5d87df01 100644 --- a/python/samba/tests/token_factory.py +++ b/python/samba/tests/token_factory.py @@ -47,7 +47,7 @@ def list_to_claim(k, v, case_sensitive=False): t = type(v[0]) c.value_type = CLAIM_VAL_TYPES[t] for val in v[1:]: - if type(val) != t: + if type(val) is not t: raise TypeError(f"claim values for '{k}' " "should all be the same type") else: @@ -216,7 +216,7 @@ def token(sids=None, **kwargs): To add claims and device SIDs you do something like this: - >>> t = token(["AA", WD"], + >>> t = token(["AA", "WD"], device_sids=["WD"], user_claims={"Title": ["PM"], "ClearanceLevel": [1]} -- Samba Shared Repository
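
Review bot: in auth/kerberos/kerberos_pac.c (hunk @@ -44,26 +45,34 @@), the unsupported-type decision after the loop depends on idx having been left pointing at the {0, 0} sentinel, which is easy to break if the loop is changed later. An explicit flag set just before the break, or handling CKSUMTYPE_HMAC_MD5 before the loop, would make the accept and reject paths obvious, and the table can be static const. The DEBUG message also changed from %"PRIu32" to %d with an (int) cast, so a checksum type above INT_MAX would be logged as a negative number; keeping PRIu32 avoids that. Style: for(idx should be for (idx.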
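
Review bot: in lib/krb5_wrap/krb5_samba.h (hunk @@ -88,6 +88,34 @@), the fallbacks cover only the ENCTYPE_ names, while check_pac_checksum now also uses CKSUMTYPE_HMAC_SHA256_128_AES128 and CKSUMTYPE_HMAC_SHA384_192_AES256, and nothing in this hunk maps those. The context line at the top of the hunk shows that the SHA1 checksum names needed such a mapping (CKSUMTYPE_HMAC_SHA1_96_AES_256 to CKSUMTYPE_HMAC_SHA1_96_AES256), so please confirm the RFC 8009 checksum names are spelled identically in Heimdal and MIT, or add the equivalent defines. The new #define lines also assume the KRB5_ENCTYPE_ name exists whenever the ENCTYPE_ one does not; against a library that has neither, the build error shows up at the use site rather than here.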
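
Review bot: in libcli/http/http.c (hunk @@ -28,16 +28,28 @@), the @return text still documents the numeric values 2, 1, 0 and -1 although the function now returns enum http_body_type. Please name BODY_CHUNKED, BODY_CONTENT_LENGTH, BODY_NONE and BODY_ERROR there so the comment and the switch in http_parse_headers use the same vocabulary.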
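
Review bot: in libcli/http/http.c (hunk @@ -48,7 +60,13 @@), DBG_ERR prints h->value, which is chosen by the remote server, at error level and without a length limit; consider bounding it (for example with a precision in the format) so a peer cannot write arbitrary amounts of text into the log. The value is also compared as a whole string against "chunked", so a header that lists several codings ending in chunked is rejected as well; that fails closed, which is fine, but a short comment saying it is deliberate would help the next reader.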
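
Review bot: in libcli/http/http.c (hunk @@ -58,19 +76,19 @@), the loop returns at the first Transfer-Encoding or Content-Length header it meets, so for a response that carries both, the body framing is decided by whichever comes first in req->headers. Since this series is already tightening Transfer-Encoding handling, it would be worth scanning all headers first and returning BODY_ERROR (or letting Transfer-Encoding win) when both are present, with a test next to test_gzip_transfer_encoding.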
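
Review bot: in python/samba/netcmd/shell.py (hunk @@ -50,7 +50,6 @@), the stale "Model": Model entry is removed but the series adds no test that exercises cmd_shell, so the same kind of breakage could return unnoticed. A small test that builds the shell context and checks that the names from MODELS are present would cover it.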
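
Review bot: in python/samba/tests/blackbox/http_chunk.py, test_gzip_transfer_encoding (hunk @@ -114,3 +117,13 @@) calls self.assertEqual(msg, resp.decode('utf-8')) before self.fail("unexpected success"), so if the command ever succeeds the reported failure depends on the body content instead of stating that success was unexpected. Drop the assertEqual, or use assertRaises(BlackboxProcessError) and check stderr on the caught exception. The expected string also hard-codes the http_response_needs_body: prefix, which ties the test to the function the DBG_ERR call lives in.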
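
Review bot: in python/samba/tests/dckeytab.py (hunk @@ -153,10 +152,28 @@), neither Popen call checks the klist exit status and stderr is merged into stdout, so if klist fails the same way both times the two outputs are equal and assertEqual passes without comparing any keytab content. subprocess.check_output(cmd, stderr=subprocess.STDOUT) or subprocess.run(..., check=True) would fail the test on a non-zero exit. The commit message says this compares strings, but communicate()[0] is bytes unless text=True is passed or the output is decoded. With MIT klist, -K also prints key values, which will then appear in the test log on a mismatch.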