mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
This is done based on the domain functional level, which corresponds to the logic Samba uses to decide whether or not to generate a Primary:Kerberos-Newer-Keys element for the supplementalCredentials attribute. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
parent
210e544016
commit
7d4a0ed21b
@ -29,8 +29,13 @@ from ldb import SCOPE_BASE
|
||||
from samba import generate_random_password
|
||||
from samba.auth import system_session
|
||||
from samba.credentials import Credentials, SPECIFIED, MUST_USE_KERBEROS
|
||||
from samba.dcerpc import krb5pac, krb5ccache
|
||||
from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_NORMAL_ACCOUNT
|
||||
from samba.dcerpc import krb5pac, krb5ccache, security
|
||||
from samba.dsdb import (
|
||||
DS_DOMAIN_FUNCTION_2000,
|
||||
DS_DOMAIN_FUNCTION_2008,
|
||||
UF_WORKSTATION_TRUST_ACCOUNT,
|
||||
UF_NORMAL_ACCOUNT
|
||||
)
|
||||
from samba.ndr import ndr_pack, ndr_unpack
|
||||
from samba.samdb import SamDB
|
||||
|
||||
@ -71,6 +76,8 @@ class KDCBaseTest(RawKerberosTest):
|
||||
|
||||
cls._ldb = None
|
||||
|
||||
cls._functional_level = None
|
||||
|
||||
# A set containing DNs of accounts created as part of testing.
|
||||
cls.accounts = set()
|
||||
|
||||
@ -108,6 +115,33 @@ class KDCBaseTest(RawKerberosTest):
|
||||
|
||||
return self._ldb
|
||||
|
||||
def get_domain_functional_level(self, ldb):
|
||||
if self._functional_level is None:
|
||||
res = ldb.search(base='',
|
||||
scope=SCOPE_BASE,
|
||||
attrs=['domainFunctionality'])
|
||||
try:
|
||||
functional_level = int(res[0]['domainFunctionality'][0])
|
||||
except KeyError:
|
||||
functional_level = DS_DOMAIN_FUNCTION_2000
|
||||
|
||||
type(self)._functional_level = functional_level
|
||||
|
||||
return self._functional_level
|
||||
|
||||
def get_default_enctypes(self):
|
||||
samdb = self.get_samdb()
|
||||
functional_level = self.get_domain_functional_level(samdb)
|
||||
|
||||
# RC4 should always be supported
|
||||
default_enctypes = security.KERB_ENCTYPE_RC4_HMAC_MD5
|
||||
if functional_level >= DS_DOMAIN_FUNCTION_2008:
|
||||
# AES is only supported at functional level 2008 or higher
|
||||
default_enctypes |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
|
||||
default_enctypes |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
|
||||
|
||||
return default_enctypes
|
||||
|
||||
def create_account(self, ldb, name, machine_account=False,
|
||||
spn=None, upn=None):
|
||||
'''Create an account for testing.
|
||||
|
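Review bot: In `get_domain_functional_level`, the `except KeyError` branch silently treats a rootDSE without `domainFunctionality` as `DS_DOMAIN_FUNCTION_2000`, so `get_default_enctypes` then returns RC4 only and any test built on it would stop expecting AES keys with no visible signal. If that fallback is deliberate, state it in a docstring such as `'''Return the domain functional level (cached on the class); a missing domainFunctionality is treated as 2000.'''`. The result is cached via `type(self)._functional_level` and the `ldb` argument is ignored after the first call, so a later call with a connection to a different domain would get the first answer; a short comment that every test is assumed to talk to the same domain would make this explicit. The comment `# RC4 should always be supported` also hard-codes an assumption about KDC configuration, and it may be worth noting there that this reflects the keys Samba generates rather than what a hardened KDC will accept.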