creds.set_tgs_supported_enctypes(supported_enctypes)
creds.set_ap_supported_enctypes(supported_enctypes)
- def creds_set_default_enctypes(self, creds, fast_support=False):
+ def creds_set_default_enctypes(self, creds,
+ fast_support=False,
+ claims_support=False,
+ compound_id_support=False):
default_enctypes = self.get_default_enctypes()
supported_enctypes = KerberosCredentials.etypes_to_bits(
default_enctypes)
if fast_support:
- supported_enctypes |= KerberosCredentials.fast_supported_bits
+ supported_enctypes |= security.KERB_ENCTYPE_FAST_SUPPORTED
+ if claims_support:
+ supported_enctypes |= security.KERB_ENCTYPE_CLAIMS_SUPPORTED
+ if compound_id_support:
+ supported_enctypes |= (
+ security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED)
creds.set_as_supported_enctypes(supported_enctypes)
creds.set_tgs_supported_enctypes(supported_enctypes)
# The RODC krbtgt account should support the default enctypes,
# although it might not have the msDS-SupportedEncryptionTypes
# attribute.
- self.creds_set_default_enctypes(creds)
+ self.creds_set_default_enctypes(
+ creds,
+ fast_support=self.kdc_fast_support,
+ claims_support=self.kdc_claims_support,
+ compound_id_support=self.kdc_compound_id_support)
return creds
# The krbtgt account should support the default enctypes, although
# it might not (on Samba) have the msDS-SupportedEncryptionTypes
# attribute.
- self.creds_set_default_enctypes(creds,
- fast_support=self.kdc_fast_support)
+ self.creds_set_default_enctypes(
+ creds,
+ fast_support=self.kdc_fast_support,
+ claims_support=self.kdc_claims_support,
+ compound_id_support=self.kdc_compound_id_support)
return creds
kdc_fast_support = '0'
cls.kdc_fast_support = bool(int(kdc_fast_support))
+ kdc_claims_support = samba.tests.env_get_var_value('CLAIMS_SUPPORT',
+ allow_missing=True)
+ if kdc_claims_support is None:
+ kdc_claims_support = '0'
+ cls.kdc_claims_support = bool(int(kdc_claims_support))
+
+ kdc_compound_id_support = samba.tests.env_get_var_value(
+ 'COMPOUND_ID_SUPPORT',
+ allow_missing=True)
+ if kdc_compound_id_support is None:
+ kdc_compound_id_support = '0'
+ cls.kdc_compound_id_support = bool(int(kdc_compound_id_support))
+
tkt_sig_support = samba.tests.env_get_var_value('TKT_SIG_SUPPORT',
allow_missing=True)
if tkt_sig_support is None:
'<L',
enc_pa_dict[PADATA_SUPPORTED_ETYPES])
- self.assertEqual(supported_etypes,
- expected_supported_etypes)
+ ignore_bits = (security.KERB_ENCTYPE_DES_CBC_CRC |
+ security.KERB_ENCTYPE_DES_CBC_MD5)
+
+ self.assertEqual(
+ supported_etypes & ~ignore_bits,
+ expected_supported_etypes & ~ignore_bits,
+ f'got: {supported_etypes}, '
+ f'expected: {expected_supported_etypes}')
if PADATA_PAC_OPTIONS in enc_pa_dict:
pac_options = self.der_decode(