tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
This is done based on the domain functional level, which corresponds to the logic Samba uses to decide whether or not to generate a Primary:Kerberos-Newer-Keys element for the supplementalCredentials attribute. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
parent
210e544016
commit
7d4a0ed21b
@ -29,8 +29,13 @@ from ldb import SCOPE_BASE
|
|||||||
from samba import generate_random_password
|
from samba import generate_random_password
|
||||||
from samba.auth import system_session
|
from samba.auth import system_session
|
||||||
from samba.credentials import Credentials, SPECIFIED, MUST_USE_KERBEROS
|
from samba.credentials import Credentials, SPECIFIED, MUST_USE_KERBEROS
|
||||||
from samba.dcerpc import krb5pac, krb5ccache
|
from samba.dcerpc import krb5pac, krb5ccache, security
|
||||||
from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_NORMAL_ACCOUNT
|
from samba.dsdb import (
|
||||||
|
DS_DOMAIN_FUNCTION_2000,
|
||||||
|
DS_DOMAIN_FUNCTION_2008,
|
||||||
|
UF_WORKSTATION_TRUST_ACCOUNT,
|
||||||
|
UF_NORMAL_ACCOUNT
|
||||||
|
)
|
||||||
from samba.ndr import ndr_pack, ndr_unpack
|
from samba.ndr import ndr_pack, ndr_unpack
|
||||||
from samba.samdb import SamDB
|
from samba.samdb import SamDB
|
||||||
|
|
||||||
@ -71,6 +76,8 @@ class KDCBaseTest(RawKerberosTest):
|
|||||||
|
|
||||||
cls._ldb = None
|
cls._ldb = None
|
||||||
|
|
||||||
|
cls._functional_level = None
|
||||||
|
|
||||||
# A set containing DNs of accounts created as part of testing.
|
# A set containing DNs of accounts created as part of testing.
|
||||||
cls.accounts = set()
|
cls.accounts = set()
|
||||||
|
|
||||||
@ -108,6 +115,33 @@ class KDCBaseTest(RawKerberosTest):
|
|||||||
|
|
||||||
return self._ldb
|
return self._ldb
|
||||||
|
|
||||||
|
def get_domain_functional_level(self, ldb):
|
||||||
|
if self._functional_level is None:
|
||||||
|
res = ldb.search(base='',
|
||||||
|
scope=SCOPE_BASE,
|
||||||
|
attrs=['domainFunctionality'])
|
||||||
|
try:
|
||||||
|
functional_level = int(res[0]['domainFunctionality'][0])
|
||||||
|
except KeyError:
|
||||||
|
functional_level = DS_DOMAIN_FUNCTION_2000
|
||||||
|
|
||||||
|
type(self)._functional_level = functional_level
|
||||||
|
|
||||||
|
return self._functional_level
|
||||||
|
|
||||||
|
def get_default_enctypes(self):
|
||||||
|
samdb = self.get_samdb()
|
||||||
|
functional_level = self.get_domain_functional_level(samdb)
|
||||||
|
|
||||||
|
# RC4 should always be supported
|
||||||
|
default_enctypes = security.KERB_ENCTYPE_RC4_HMAC_MD5
|
||||||
|
if functional_level >= DS_DOMAIN_FUNCTION_2008:
|
||||||
|
# AES is only supported at functional level 2008 or higher
|
||||||
|
default_enctypes |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
|
||||||
|
default_enctypes |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
|
||||||
|
|
||||||
|
return default_enctypes
|
||||||
|
|
||||||
def create_account(self, ldb, name, machine_account=False,
|
def create_account(self, ldb, name, machine_account=False,
|
||||||
spn=None, upn=None):
|
spn=None, upn=None):
|
||||||
'''Create an account for testing.
|
'''Create an account for testing.
|
||||||
|
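Review bot: `get_default_enctypes` hard-codes RC4-HMAC as always available (`# RC4 should always be supported`) and derives AES support from the domain functional level alone. Going by the commit message, the result describes which keys Samba generates for an account, not which enctypes a particular KDC is configured to accept. A deployment that has RC4 disabled, or an account carrying its own msDS-SupportedEncryptionTypes, would presumably not match this value. I would say so in the comment, e.g. `# Mirrors key generation only; does not imply the KDC is configured to accept RC4`, and add a docstring noting that the return value is a bitmask of `security.KERB_ENCTYPE_*` flags. Separately, `get_domain_functional_level` caches its result on the class although it takes `ldb` as a parameter, so a later call with a different database returns the first one's level, and an empty search result would raise IndexError at `res[0]`, which `except KeyError:` does not catch; `except (KeyError, IndexError):` would cover both.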