python:tests/krb5: let netlogon.py test strong key without arcfour
authorStefan Metzmacher <metze@samba.org>
Tue, 26 Nov 2024 17:51:07 +0000 (18:51 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Thu, 12 Dec 2024 13:59:29 +0000 (13:59 +0000)
It shows that there's no encryption on buffers...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
python/samba/tests/krb5/netlogon.py
selftest/knownfail.d/samba.tests.krb5.netlogon

index 238c34e3ade0f9ab61b6abc80761134d145e1b5f..859d80a5fbc6adedfd05a5d8780e1b6c8164839d 100755 (executable)
@@ -66,7 +66,7 @@ class NetlogonSchannel(KDCBaseTest):
             for trust in ["wks", "bdc"]:
                 for auth3_flags in [0x603fffff, 0x613fffff]:
                     setup_test(test, trust, "auth3", auth3_flags)
-                for auth3_flags in [0x00004004, 0x01000000]:
+                for auth3_flags in [0x00004004, 0x00004000, 0x01000000]:
                     setup_test(test, trust, "auth3", auth3_flags)
 
     def setUp(self):
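Review bot: The values in `for auth3_flags in [0x00004004, 0x00004000, 0x01000000]:` are bare hex literals, so a reader cannot tell which negotiation case each one covers. A short comment above the loop would help, e.g. `# strong key + arcfour, strong key only (no arcfour/AES), AES only`. Those bit meanings are inferred from the commit title and the `0x01000004` comments later in the diff, so confirm them against the netlogon flag definitions. The enclosing method starts before the hunk.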
@@ -939,6 +939,10 @@ class NetlogonSchannel(KDCBaseTest):
             expect_set2_encrypted = expect_encrypted
             encryption_set2_ncreds = ncreds
 
+        if not (ncreds.negotiate_flags & 0x01000004):
+            # Without aes or arcfour this uses no encryption
+            expect_set2_encrypted = False
+
         if ncreds.secure_channel_type == misc.SEC_CHAN_WKSTA:
             expect_get_error = ntstatus.NT_STATUS_ACCESS_DENIED
         else:
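Review bot: The mask in `if not (ncreds.negotiate_flags & 0x01000004):` is an unnamed literal, and the same guard is repeated in the two following hunks (the `expect_encrypted = False` ones). A single named value, e.g. `NEG_ANY_CRYPTO = 0x01000004  # arcfour (0x00000004) | aes (0x01000000)`, would keep the three guards in step. This hunk overrides only `expect_set2_encrypted`, while the other two override `expect_encrypted`; the method starts and ends outside the hunk, so whether an earlier use of `expect_encrypted` here needs the same override cannot be checked from the diff. Since the test now asserts that the buffers go out unprotected, the comment could say so directly: `# Neither AES nor arcfour negotiated: buffers are sent in the clear`.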
@@ -1063,6 +1067,10 @@ class NetlogonSchannel(KDCBaseTest):
 
         expect_broken_crypto = False
 
+        if not (ncreds.negotiate_flags & 0x01000004):
+            # Without aes or arcfour this uses no encryption
+            expect_encrypted = False
+
         opaque_buffer = b'invalid_opaque_buffer'
         if ncreds.secure_channel_type == misc.SEC_CHAN_WKSTA:
             expect_invalid_error = ntstatus.NT_STATUS_ACCESS_DENIED
@@ -1359,6 +1367,10 @@ class NetlogonSchannel(KDCBaseTest):
         else:
             expect_error = None
 
+        if not (ncreds.negotiate_flags & 0x01000004):
+            # Without aes or arcfour this uses no encryption
+            expect_encrypted = False
+
         krbtgt_creds = self.get_krbtgt_creds()
         krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
 
index ce9255442db41030b11b2f2ed0e4953118435580..abd962fa76d58e39c70f1806a7d1af2d31ca087b 100644 (file)
@@ -1,4 +1,5 @@
 # Without AES we currently get DOWNGRADE_DETECTED
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_.*_auth3_00004000
 ^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_.*_auth3_00004004
 ^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_.*_auth3_603fffff
 # This is not implemented yet
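Review bot: The new pattern `^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_.*_auth3_00004000` marks every test with that flag value as an expected failure, which leaves the new `expect_encrypted = False` / `expect_set2_encrypted = False` branches in netlogon.py without positive verification by selftest. Among the auth3 values visible in the diff, 0x00004000 is the only one with neither bit of `0x01000004` set, so it is the only one that reaches those branches. The header comment could record this, e.g. `# Without AES we currently get DOWNGRADE_DETECTED, so the no-encryption expectations for 00004000 are not verified yet`, so the entry gets revisited when the server behaviour changes.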