tests/krb5: Only add AES enctype bits at domain functional level 2008 and above

author Joseph Sutton <josephsutton@catalyst.net.nz>

Wed, 15 Mar 2023 23:15:46 +0000 (12:15 +1300)

committer Andrew Bartlett <abartlet@samba.org>

Mon, 20 Mar 2023 00:22:32 +0000 (00:22 +0000)
author Joseph Sutton <josephsutton@catalyst.net.nz>
Wed, 15 Mar 2023 23:15:46 +0000 (12:15 +1300)
committer Andrew Bartlett <abartlet@samba.org>
Mon, 20 Mar 2023 00:22:32 +0000 (00:22 +0000)
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py

index 18ee8f8bd98b8a633f4345f74750109d9aa0c84e..223ab4ea5130cfcc9857eeafa0adca3ac4729446 100644 (file)
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -1691,8 +1691,11 @@ class KDCBaseTest(RawKerberosTest):
              keys = self.get_keys(dn)
              self.creds_set_keys(creds, keys)
  
-            extra_bits = (security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
-                          security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+            if self.get_domain_functional_level() >= DS_DOMAIN_FUNCTION_2008:
+                extra_bits = (security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
+                              security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+            else:
+                extra_bits = 0
              remove_bits = (security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK |
                             security.KERB_ENCTYPE_RC4_HMAC_MD5)
              self.creds_set_enctypes(creds,
@@ -1790,8 +1793,11 @@ class KDCBaseTest(RawKerberosTest):
              keys = self.get_keys(dn)
              self.creds_set_keys(creds, keys)
  
-            extra_bits = (security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
-                          security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+            if self.get_domain_functional_level() >= DS_DOMAIN_FUNCTION_2008:
+                extra_bits = (security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
+                              security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+            else:
+                extra_bits = 0
              remove_bits = security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK
              self.creds_set_enctypes(creds,
                                      extra_bits=extra_bits,
@@ -1837,8 +1843,11 @@ class KDCBaseTest(RawKerberosTest):
              keys = self.get_keys(dn)
              self.creds_set_keys(creds, keys)
  
-            extra_bits = (security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
-                          security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+            if self.get_domain_functional_level() >= DS_DOMAIN_FUNCTION_2008:
+                extra_bits = (security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
+                              security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+            else:
+                extra_bits = 0
              remove_bits = security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK
              self.creds_set_enctypes(creds,
                                      extra_bits=extra_bits,
author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Wed, 15 Mar 2023 23:15:46 +0000 (12:15 +1300)
committer	Andrew Bartlett <abartlet@samba.org>
	Mon, 20 Mar 2023 00:22:32 +0000 (00:22 +0000)