From: Joseph Sutton Date: Wed, 15 Mar 2023 23:15:46 +0000 (+1300) Subject: tests/krb5: Only add AES enctype bits at domain functional level 2008 and above X-Git-Tag: talloc-2.4.1~1401 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=addfef3d582102805a38d5ad67ad8b11dee1bf04;p=thirdparty%2Fsamba.git tests/krb5: Only add AES enctype bits at domain functional level 2008 and above At lower levels we should not expect these bits to be present. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 18ee8f8bd98..223ab4ea513 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -1691,8 +1691,11 @@ class KDCBaseTest(RawKerberosTest):
 keys = self.get_keys(dn)
 self.creds_set_keys(creds, keys)
- extra_bits = (security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
- security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+ if self.get_domain_functional_level() >= DS_DOMAIN_FUNCTION_2008:
+ extra_bits = (security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
+ security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+ else:
+ extra_bits = 0
 remove_bits = (security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK |
 security.KERB_ENCTYPE_RC4_HMAC_MD5)
 self.creds_set_enctypes(creds,
@@ -1790,8 +1793,11 @@ class KDCBaseTest(RawKerberosTest):
 keys = self.get_keys(dn)
 self.creds_set_keys(creds, keys)
- extra_bits = (security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
- security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+ if self.get_domain_functional_level() >= DS_DOMAIN_FUNCTION_2008:
+ extra_bits = (security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
+ security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+ else:
+ extra_bits = 0
 remove_bits = security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK
 self.creds_set_enctypes(creds,
 extra_bits=extra_bits,
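Review bot: The functional-level branch that sets `extra_bits` is pasted identically into three hunks (`@@ -1691`, `@@ -1790` and `@@ -1837`), and none of the copies says why the AES bits are withheld below 2008. I would move it into one small helper on `KDCBaseTest` that returns either the AES128|AES256 mask or 0, and carry the reason on it, e.g. `# Below domain functional level 2008 the AES enctype bits are not expected to be present.` In the first hunk `remove_bits` still strips `KERB_ENCTYPE_RC4_HMAC_MD5` while `extra_bits` is now 0, so on a pre-2008 domain the expected set appears to gain neither AES nor RC4; a one-line comment that this is intended would keep it from being read as a regression. No import of `DS_DOMAIN_FUNCTION_2008` is visible in this diff, so the module presumably imports it already, which is worth confirming. The enclosing methods begin and end outside all three hunks.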
@@ -1837,8 +1843,11 @@ class KDCBaseTest(RawKerberosTest):
 keys = self.get_keys(dn)
 self.creds_set_keys(creds, keys)
- extra_bits = (security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
- security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+ if self.get_domain_functional_level() >= DS_DOMAIN_FUNCTION_2008:
+ extra_bits = (security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 |
+ security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96)
+ else:
+ extra_bits = 0
 remove_bits = security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK
 self.creds_set_enctypes(creds,
 extra_bits=extra_bits,