The branch, master has been updated
via e5e1759057a s3: spoolss: Make parameters in call to user_ok_token()
match all other uses.
via 1e1d8b9c83f tests python krb5: Add python kerberos compatability
tests
via 5cb5134377f selftest: add heimdal kdc specific known fail
via a5052c73c3f lib: talloc: More tests for realloc when used with
memlimited pools
via 4566ee91b8c lib: talloc: Fix memlimit on pool realloc.
via 30a8bea8a34 lib: talloc: Add more debugging text for existing
memlimit + pool tests
via 6e0aab0b403 lib: talloc: Fix pool object accounting when doing
talloc_realloc() in the ALWAYS_REALLOC compiled case.
via 86eb6423bdc lib: talloc: Cleanup. Use consistent preprocessor logic
macros.
from 710196f0cc5 doc: improve --with-shared-modules documentation
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e5e1759057a767f517bf480a2172a36623df2799
Author: Jeremy Allison <j...@samba.org>
Date: Thu Nov 5 15:48:08 2020 -0800
s3: spoolss: Make parameters in call to user_ok_token() match all other
uses.
We already have p->session_info->unix_info->unix_name, we don't
need to go through a legacy call to
uidtoname(p->session_info->unix_token->uid).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14568
Signed-off-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
Autobuild-Date(master): Mon Nov 9 04:10:45 UTC 2020 on sn-devel-184
commit 1e1d8b9c83f32c06ecab31214a20b77529ee038e
Author: Gary Lockyer <g...@catalyst.net.nz>
Date: Wed Nov 4 13:58:24 2020 +1300
tests python krb5: Add python kerberos compatability tests
Add new python test to document the differences between the MIT and
Heimdal Kerberos implementations.
Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 5cb5134377f099353e0f91c44cc11e45d548d40f
Author: Gary Lockyer <g...@catalyst.net.nz>
Date: Wed Nov 4 13:54:46 2020 +1300
selftest: add heimdal kdc specific known fail
Add a heimdal kerberos specific known fail, will be needed by subsequent
commits.
Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit a5052c73c3ffdca6b30194223e69a26430f3f989
Author: Arran Cudbard-Bell <a.cudba...@freeradius.org>
Date: Tue Oct 20 14:12:17 2020 -0500
lib: talloc: More tests for realloc when used with memlimited pools
This requires the previous patch.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14540
Signed-off-by: Arran Cudbard-Bell <a.cudba...@freeradius.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 4566ee91b8c37f62e8b56242a48230db59cd5ff0
Author: Jeremy Allison <j...@samba.org>
Date: Tue Oct 20 10:52:55 2020 -0700
lib: talloc: Fix memlimit on pool realloc.
We only have to do the memlimit check before any
real malloc or realloc. Allocations out of a
memory pool have already been counted in the
memory limit, so don't check in those cases.
This is an application-visible change (although
fixing a bug) so bump the ABI to 2.3.1 -> 2.3.2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14540
Signed-off-by: Jeremy Allison <j...@samba.org>
Signed-off-by: Arran Cudbard-Bell <a.cudba...@freeradius.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 30a8bea8a340dcf9a3120f5ee8041e62fb129d8d
Author: Arran Cudbard-Bell <a.cudba...@freeradius.org>
Date: Tue Oct 20 14:10:30 2020 -0500
lib: talloc: Add more debugging text for existing memlimit + pool tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14540
Signed-off-by: Arran Cudbard-Bell <a.cudba...@freeradius.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 6e0aab0b4038255b2d63e8687924a21d77bace91
Author: Jeremy Allison <j...@samba.org>
Date: Tue Oct 20 12:14:58 2020 -0700
lib: talloc: Fix pool object accounting when doing talloc_realloc() in the
ALWAYS_REALLOC compiled case.
tc_alloc_pool() or the fallback malloc can return NULL.
Wait until we know we are returning a valid pointer
before decrementing pool_hdr->object_count due to
reallocing out of the talloc_pool.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14540
Signed-off-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 86eb6423bdcedf3433f3dbcf026573a238cf0d87
Author: Jeremy Allison <j...@samba.org>
Date: Tue Oct 20 12:18:10 2020 -0700
lib: talloc: Cleanup. Use consistent preprocessor logic macros.
Match other use of ALWAYS_REALLOC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14540
Signed-off-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
...oc-util-2.3.0.sigs => pytalloc-util-2.3.2.sigs} | 0
.../ABI/{talloc-2.1.10.sigs => talloc-2.3.2.sigs} | 0
lib/talloc/talloc.c | 78 ++++++++++++--
lib/talloc/testsuite.c | 117 ++++++++++++++++++++
lib/talloc/wscript | 2 +-
.../{simple_tests.py => compatability_tests.py} | 120 ++++++++++-----------
python/samba/tests/usage.py | 1 +
selftest/knownfail_heimdal_kdc | 4 +
selftest/knownfail_mit_kdc | 4 +
selftest/wscript | 3 +
source3/rpc_server/spoolss/srv_spoolss_nt.c | 3 +-
source4/selftest/tests.py | 1 +
12 files changed, 260 insertions(+), 73 deletions(-)
copy lib/talloc/ABI/{pytalloc-util-2.3.0.sigs => pytalloc-util-2.3.2.sigs}
(100%)
copy lib/talloc/ABI/{talloc-2.1.10.sigs => talloc-2.3.2.sigs} (100%)
copy python/samba/tests/krb5/{simple_tests.py => compatability_tests.py} (59%)
create mode 100644 selftest/knownfail_heimdal_kdc
Changeset truncated at 500 lines:
diff --git a/lib/talloc/ABI/pytalloc-util-2.3.0.sigs
b/lib/talloc/ABI/pytalloc-util-2.3.2.sigs
similarity index 100%
copy from lib/talloc/ABI/pytalloc-util-2.3.0.sigs
copy to lib/talloc/ABI/pytalloc-util-2.3.2.sigs
diff --git a/lib/talloc/ABI/talloc-2.1.10.sigs
b/lib/talloc/ABI/talloc-2.3.2.sigs
similarity index 100%
copy from lib/talloc/ABI/talloc-2.1.10.sigs
copy to lib/talloc/ABI/talloc-2.3.2.sigs
diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index e476f3e2d05..078e58ca352 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -1833,13 +1833,6 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void
*ptr, size_t size, cons
return NULL;
}
- if (tc->limit && (size > tc->size)) {
- if (!talloc_memlimit_check(tc->limit, (size - tc->size))) {
- errno = ENOMEM;
- return NULL;
- }
- }
-
/* handle realloc inside a talloc_pool */
if (unlikely(tc->flags & TALLOC_FLAG_POOLMEM)) {
pool_hdr = tc->pool;
@@ -1898,12 +1891,29 @@ _PUBLIC_ void *_talloc_realloc(const void *context,
void *ptr, size_t size, cons
*/
_talloc_chunk_set_free(tc, NULL);
-#if ALWAYS_REALLOC
+#if (ALWAYS_REALLOC != 0)
if (pool_hdr) {
new_ptr = tc_alloc_pool(tc, size + TC_HDR_SIZE, 0);
- pool_hdr->object_count--;
-
if (new_ptr == NULL) {
+ /*
+ * Couldn't allocate from pool (pool size
+ * counts as already allocated for memlimit
+ * purposes). We must check memory limit
+ * before any real malloc.
+ */
+ if (tc->limit) {
+ /*
+ * Note we're doing an extra malloc,
+ * on top of the pool size, so account
+ * for size only, not the difference
+ * between old and new size.
+ */
+ if (!talloc_memlimit_check(tc->limit, size)) {
+ _talloc_chunk_set_not_free(tc);
+ errno = ENOMEM;
+ return NULL;
+ }
+ }
new_ptr = malloc(TC_HDR_SIZE+size);
malloced = true;
new_size = size;
@@ -1912,11 +1922,28 @@ _PUBLIC_ void *_talloc_realloc(const void *context,
void *ptr, size_t size, cons
if (new_ptr) {
memcpy(new_ptr, tc, MIN(tc->size,size) + TC_HDR_SIZE);
TC_INVALIDATE_FULL_CHUNK(tc);
+ /*
+ * Only decrement the object count in the pool once
+ * we know we're returning a valid new_ptr.
+ */
+ pool_hdr->object_count--;
}
} else {
/* We're doing malloc then free here, so record the difference.
*/
old_size = tc->size;
new_size = size;
+ /*
+ * We must check memory limit
+ * before any real malloc.
+ */
+ if (tc->limit && (size > old_size)) {
+ if (!talloc_memlimit_check(tc->limit,
+ (size - old_size))) {
+ _talloc_chunk_set_not_free(tc);
+ errno = ENOMEM;
+ return NULL;
+ }
+ }
new_ptr = malloc(size + TC_HDR_SIZE);
if (new_ptr) {
memcpy(new_ptr, tc, MIN(tc->size, size) + TC_HDR_SIZE);
@@ -2020,6 +2047,25 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void
*ptr, size_t size, cons
new_ptr = tc_alloc_pool(tc, size + TC_HDR_SIZE, 0);
if (new_ptr == NULL) {
+ /*
+ * Couldn't allocate from pool (pool size
+ * counts as already allocated for memlimit
+ * purposes). We must check memory limit
+ * before any real malloc.
+ */
+ if (tc->limit) {
+ /*
+ * Note we're doing an extra malloc,
+ * on top of the pool size, so account
+ * for size only, not the difference
+ * between old and new size.
+ */
+ if (!talloc_memlimit_check(tc->limit, size)) {
+ _talloc_chunk_set_not_free(tc);
+ errno = ENOMEM;
+ return NULL;
+ }
+ }
new_ptr = malloc(TC_HDR_SIZE+size);
malloced = true;
new_size = size;
@@ -2035,6 +2081,18 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void
*ptr, size_t size, cons
/* We're doing realloc here, so record the difference. */
old_size = tc->size;
new_size = size;
+ /*
+ * We must check memory limit
+ * before any real realloc.
+ */
+ if (tc->limit && (size > old_size)) {
+ if (!talloc_memlimit_check(tc->limit,
+ (size - old_size))) {
+ _talloc_chunk_set_not_free(tc);
+ errno = ENOMEM;
+ return NULL;
+ }
+ }
new_ptr = realloc(tc, size + TC_HDR_SIZE);
}
got_new_ptr:
diff --git a/lib/talloc/testsuite.c b/lib/talloc/testsuite.c
index 6c9bf203b7c..6f23ad4e18a 100644
--- a/lib/talloc/testsuite.c
+++ b/lib/talloc/testsuite.c
@@ -1767,28 +1767,145 @@ static bool test_memlimit(void)
talloc_free(root);
/* Test memlimits with pools. */
+ printf("==== talloc_pool(NULL, 10*1024)\n");
pool = talloc_pool(NULL, 10*1024);
torture_assert("memlimit", pool != NULL,
"failed: alloc should not fail due to memory limit\n");
+
+ printf("==== talloc_set_memlimit(pool, 10*1024)\n");
talloc_set_memlimit(pool, 10*1024);
for (i = 0; i < 9; i++) {
+ printf("==== talloc_size(pool, 1024) %i/10\n", i + 1);
l1 = talloc_size(pool, 1024);
torture_assert("memlimit", l1 != NULL,
"failed: alloc should not fail due to memory limit\n");
+ talloc_report_full(pool, stdout);
}
/* The next alloc should fail. */
+ printf("==== talloc_size(pool, 1024) 10/10\n");
l2 = talloc_size(pool, 1024);
torture_assert("memlimit", l2 == NULL,
"failed: alloc should fail due to memory limit\n");
+ talloc_report_full(pool, stdout);
+
/* Moving one of the children shouldn't change the limit,
as it's still inside the pool. */
+
+ printf("==== talloc_new(NULL)\n");
root = talloc_new(NULL);
+
+ printf("==== talloc_steal(root, l1)\n");
talloc_steal(root, l1);
+
+ printf("==== talloc_size(pool, 1024)\n");
l2 = talloc_size(pool, 1024);
torture_assert("memlimit", l2 == NULL,
"failed: alloc should fail due to memory limit\n");
+ printf("==== talloc_free_children(pool)\n");
+ talloc_free(l1);
+ talloc_free_children(pool);
+
+ printf("==== talloc_size(pool, 1024)\n");
+ l1 = talloc_size(pool, 1024);
+
+ /* try reallocs of increasing size */
+ for (i = 1; i < 9; i++) {
+ printf("==== talloc_realloc_size(NULL, l1, %i*1024) %i/10\n",
i, i + 1);
+ l1 = talloc_realloc_size(NULL, l1, i*1024);
+ torture_assert("memlimit", l1 != NULL,
+ "failed: realloc should not fail due to memory
limit\n");
+ talloc_report_full(pool, stdout);
+ }
+ /* The next alloc should fail. */
+ printf("==== talloc_realloc_size(NULL, l1, 10*1024) 10/10\n");
+ l2 = talloc_realloc_size(NULL, l1, 10*1024);
+ torture_assert("memlimit", l2 == NULL,
+ "failed: realloc should fail due to memory limit\n");
+
+ /* Increase the memlimit */
+ printf("==== talloc_set_memlimit(pool, 11*1024)\n");
+ talloc_set_memlimit(pool, 11*1024);
+
+ /* The final realloc should still fail
+ as the entire realloced chunk needs to be moved out of the pool */
+ printf("==== talloc_realloc_size(NULL, l1, 10*1024) 10/10\n");
+ l2 = talloc_realloc_size(NULL, l1, 10*1024);
+ torture_assert("memlimit", l2 == NULL,
+ "failed: realloc should fail due to memory limit\n");
+
+ talloc_report_full(pool, stdout);
+
+ printf("==== talloc_set_memlimit(pool, 21*1024)\n");
+ talloc_set_memlimit(pool, 21*1024);
+
+ /* There's now sufficient space to move the chunk out of the pool */
+ printf("==== talloc_realloc_size(NULL, l1, 10*1024) 10/10\n");
+ l2 = talloc_realloc_size(NULL, l1, 10*1024);
+ torture_assert("memlimit", l2 != NULL,
+ "failed: realloc should not fail due to memory
limit\n");
+
+ talloc_report_full(pool, stdout);
+
+ /* ...which should mean smaller allocations can now occur within the
pool */
+ printf("==== talloc_size(pool, 9*1024)\n");
+ l1 = talloc_size(pool, 9*1024);
+ torture_assert("memlimit", l1 != NULL,
+ "failed: new allocations should be allowed in the
pool\n");
+
+ talloc_report_full(pool, stdout);
+
+ /* But reallocs bigger than the pool will still fail */
+ printf("==== talloc_realloc_size(NULL, l1, 10*1024)\n");
+ l2 = talloc_realloc_size(NULL, l1, 10*1024);
+ torture_assert("memlimit", l2 == NULL,
+ "failed: realloc should fail due to memory limit\n");
+
+ talloc_report_full(pool, stdout);
+
+ /* ..as well as allocs */
+ printf("==== talloc_size(pool, 1024)\n");
+ l1 = talloc_size(pool, 1024);
+ torture_assert("memlimit", l1 == NULL,
+ "failed: alloc should fail due to memory limit\n");
+
+ talloc_report_full(pool, stdout);
+
+ printf("==== talloc_free_children(pool)\n");
+ talloc_free_children(pool);
+
+ printf("==== talloc_set_memlimit(pool, 1024)\n");
+ talloc_set_memlimit(pool, 1024);
+
+ /* We should still be able to allocate up to the pool limit
+ because the memlimit only applies to new heap allocations */
+ printf("==== talloc_size(pool, 9*1024)\n");
+ l1 = talloc_size(pool, 9*1024);
+ torture_assert("memlimit", l1 != NULL,
+ "failed: alloc should not fail due to memory limit\n");
+
+ talloc_report_full(pool, stdout);
+
+ l1 = talloc_size(pool, 1024);
+ torture_assert("memlimit", l1 == NULL,
+ "failed: alloc should fail due to memory limit\n");
+
+ talloc_report_full(pool, stdout);
+
+ printf("==== talloc_free_children(pool)\n");
+ talloc_free_children(pool);
+
+ printf("==== talloc_set_memlimit(pool, 10*1024)\n");
+ talloc_set_memlimit(pool, 10*1024);
+
+ printf("==== talloc_size(pool, 1024)\n");
+ l1 = talloc_size(pool, 1024);
+ torture_assert("memlimit", l1 != NULL,
+ "failed: alloc should not fail due to memory limit\n");
+
+ talloc_report_full(pool, stdout);
+
talloc_free(pool);
talloc_free(root);
printf("success: memlimit\n");
diff --git a/lib/talloc/wscript b/lib/talloc/wscript
index b955d215b80..a767477357f 100644
--- a/lib/talloc/wscript
+++ b/lib/talloc/wscript
@@ -1,7 +1,7 @@
#!/usr/bin/env python
APPNAME = 'talloc'
-VERSION = '2.3.1'
+VERSION = '2.3.2'
import os
import sys
diff --git a/python/samba/tests/krb5/simple_tests.py
b/python/samba/tests/krb5/compatability_tests.py
similarity index 59%
copy from python/samba/tests/krb5/simple_tests.py
copy to python/samba/tests/krb5/compatability_tests.py
index 236fbda1cd5..63bd5269c2b 100755
--- a/python/samba/tests/krb5/simple_tests.py
+++ b/python/samba/tests/krb5/compatability_tests.py
@@ -1,6 +1,7 @@
#!/usr/bin/env python3
# Unix SMB/CIFS implementation.
# Copyright (C) Stefan Metzmacher 2020
+# Copyright (C) Catalyst.Net Ltd 2020
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -28,6 +29,7 @@ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
global_asn1_print = False
global_hexdump = False
+
class SimpleKerberosTests(RawKerberosTest):
def setUp(self):
@@ -35,10 +37,52 @@ class SimpleKerberosTests(RawKerberosTest):
self.do_asn1_print = global_asn1_print
self.do_hexdump = global_hexdump
- def test_simple(self):
- user_creds = self.get_user_creds()
- user = user_creds.get_username()
- realm = user_creds.get_realm()
+ def test_mit_EncASRepPart_tag(self):
+ creds = self.get_user_creds()
+ (enc, _) = self.as_req(creds)
+ self.assertEqual(0x7a, enc[0])
+
+ def test_heimdal_EncASRepPart_tag(self):
+ creds = self.get_user_creds()
+ (enc, _) = self.as_req(creds)
+ self.assertEqual(0x79, enc[0])
+
+ def test_mit_EncryptedData_kvno(self):
+ creds = self.get_user_creds()
+ (_, enc) = self.as_req(creds)
+ if 'kvno' in enc:
+ self.fail("kvno present in EncryptedData")
+
+ def test_heimdal_EncryptedData_kvno(self):
+ creds = self.get_user_creds()
+ (_, enc) = self.as_req(creds)
+ if 'kvno' not in enc:
+ self.fail("kvno absent in EncryptedData")
+
+ def test_mit_EncASRepPart_FAST_support(self):
+ creds = self.get_user_creds()
+ (enc, _) = self.as_req(creds)
+ self.assertEqual(0x7A, enc[0])
+ as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncTGSRepPart())
+ flags = int(as_rep['flags'], base=2)
+ # MIT sets enc-pa-rep, flag bit 15
+ # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests
+ self.assertTrue(0x00010000 & flags)
+
+ def test_heimdal_EncASRepPart_FAST_support(self):
+ creds = self.get_user_creds()
+ (enc, _) = self.as_req(creds)
+ self.assertEqual(0x79, enc[0])
+ as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncASRepPart())
+ flags = as_rep['flags']
+ flags = int(as_rep['flags'], base=2)
+ # Heimdal does not set enc-pa-rep, flag bit 15
+ # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests
+ self.assertFalse(0x00010000 & flags)
+
+ def as_req(self, creds):
+ user = creds.get_username()
+ realm = creds.get_realm()
cname = self.PrincipalName_create(name_type=1, names=[user])
sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm])
@@ -48,7 +92,7 @@ class SimpleKerberosTests(RawKerberosTest):
kdc_options = krb5_asn1.KDCOptions('forwardable')
padata = None
- etypes=(18,17,23)
+ etypes = (18, 17, 23)
req = self.AS_REQ_create(padata=padata,
kdc_options=str(kdc_options),
@@ -69,16 +113,20 @@ class SimpleKerberosTests(RawKerberosTest):
self.assertEqual(rep['msg-type'], 30)
self.assertEqual(rep['error-code'], 25)
- rep_padata = self.der_decode(rep['e-data'],
asn1Spec=krb5_asn1.METHOD_DATA())
+ rep_padata = self.der_decode(
+ rep['e-data'],
+ asn1Spec=krb5_asn1.METHOD_DATA())
for pa in rep_padata:
if pa['padata-type'] == 19:
etype_info2 = pa['padata-value']
break
- etype_info2 = self.der_decode(etype_info2,
asn1Spec=krb5_asn1.ETYPE_INFO2())
+ etype_info2 = self.der_decode(
+ etype_info2,
+ asn1Spec=krb5_asn1.ETYPE_INFO2())
- key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0])
+ key = self.PasswordKey_from_etype_info2(creds, etype_info2[0])
(patime, pausec) = self.get_KerberosTimeWithUsec()
pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec)
@@ -114,59 +162,9 @@ class SimpleKerberosTests(RawKerberosTest):
self.assertEqual(msg_type, 11)
usage = 3
- enc_part2 = key.decrypt(usage, rep['enc-part']['cipher'])
-
- # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application
tag 26
- try:
- enc_part2 = self.der_decode(enc_part2,
asn1Spec=krb5_asn1.EncASRepPart())
- except Exception:
- enc_part2 = self.der_decode(enc_part2,
asn1Spec=krb5_asn1.EncTGSRepPart())
-
- # TGS Request
- service_creds = self.get_service_creds(allow_missing_password=True)
- service_name = service_creds.get_username()
-
- sname = self.PrincipalName_create(name_type=2, names=["host",
service_name])
- kdc_options = krb5_asn1.KDCOptions('forwardable')
- till = self.get_KerberosTime(offset=36000)
- ticket = rep['ticket']
- ticket_session_key = self.EncryptionKey_import(enc_part2['key'])
- padata = []
-
- subkey = self.RandomKey(ticket_session_key.etype)
- subkey_usage = 9
-
- (ctime, cusec) = self.get_KerberosTimeWithUsec()
-
- req = self.TGS_REQ_create(padata=padata,
- cusec=cusec,
- ctime=ctime,
- ticket=ticket,
- kdc_options=str(kdc_options),
- cname=cname,
- realm=realm,
- sname=sname,
- from_time=None,
- till_time=till,
- renew_time=None,
- nonce=0x7ffffffe,
- etypes=etypes,
- addresses=None,
- EncAuthorizationData=None,
- EncAuthorizationData_key=None,
- additional_tickets=None,
- ticket_session_key=ticket_session_key,
- authenticator_subkey=subkey)
- rep = self.send_recv_transaction(req)
- self.assertIsNotNone(rep)
-
- msg_type = rep['msg-type']
- self.assertEqual(msg_type, 13)
-
- enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher'])
- enc_part2 = self.der_decode(enc_part2,
asn1Spec=krb5_asn1.EncTGSRepPart())
-
- return
+ enc_part = rep['enc-part']
+ enc_as_rep_part = key.decrypt(usage, rep['enc-part']['cipher'])
+ return (enc_as_rep_part, enc_part)
if __name__ == "__main__":
diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
index 2f813760814..fbb9a06d99e 100644
--- a/python/samba/tests/usage.py
+++ b/python/samba/tests/usage.py
@@ -90,6 +90,7 @@ EXCLUDE_USAGE = {
'python/samba/tests/krb5/s4u_tests.py',
'python/samba/tests/krb5/xrealm_tests.py',
'python/samba/tests/krb5/as_canonicalization_tests.py',
+ 'python/samba/tests/krb5/compatability_tests.py',
}
EXCLUDE_HELP = {
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
new file mode 100644
index 00000000000..7ab56b6721b
--- /dev/null
+++ b/selftest/knownfail_heimdal_kdc
@@ -0,0 +1,4 @@
+#
+# We expect all the MIT specific compatability tests to fail on heimdal
+# kerberos
+^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 96d3e51da5c..68eecd1bbfc 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -1,4 +1,8 @@
#
--
Samba Shared Repository
