[SCM] Samba Shared Repository - branch master updated

Isaac Boukris iboukris at samba.org
Tue Nov 19 16:13:02 UTC 2019


The branch, master has been updated
       via  d2b5aa16500 whatsnew: announce removal of DES encryption type in Kerberos
       via  389d1b979b8 heimdal: do not compile weak crypto
       via  a53fa8ffe3e selftest: allow any kdc error in mitm-s4u2self test
       via  151f8c0f31d selftest: mitm-s4u2self: use zlib for CRC32_checksum calc
       via  88bf0c57200 machine_account_secrets: do not generate single DES keys
       via  80f1901de0c kerberos_keytab: do not add single DES keys to keytab
       via  982aa328f65 password_hash: do not generate single DES keys
       via  e8015d8a348 kdc/db-glue: do not fetch single DES keys from db
       via  ad9016d579a kerberos: remove single DES enctypes from ENC_ALL_TYPES
       via  13655e59e2c selftest: exclude msDS-SupportedEncryptionType in ldapcmp
       via  41b40f0e557 selftest/remote_pac: remove test_PACVerify_workstation_des
      from  42ac80fb46c ndr: Include the caller location in ndr_{pull,push}_error() messages

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d2b5aa16500835471692c8e1fe6cd1584da89785
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Mon Nov 18 15:00:03 2019 +0100

    whatsnew: announce removal of DES encryption type in Kerberos
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Isaac Boukris <iboukris at samba.org>
    Autobuild-Date(master): Tue Nov 19 16:12:39 UTC 2019 on sn-devel-184

commit 389d1b979b8a4235033a298a56e6c10294a515fe
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sat Nov 16 23:03:34 2019 +0100

    heimdal: do not compile weak crypto
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a53fa8ffe3e36f7921baf5d31a1052747f90aa7d
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sat Nov 16 22:46:19 2019 +0100

    selftest: allow any kdc error in mitm-s4u2self test
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 151f8c0f31d3d17b9418db3793ec14ba7dbf2143
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Tue Nov 12 12:00:34 2019 +0100

    selftest: mitm-s4u2self: use zlib for CRC32_checksum calc
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 88bf0c572008ac9bc84f334e4c9373817499486b
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Mon Sep 16 15:17:08 2019 +0300

    machine_account_secrets: do not generate single DES keys
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 80f1901de0c34ba0f9993d304ccc193b88e89693
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Thu Oct 24 19:04:51 2019 +0300

    kerberos_keytab: do not add single DES keys to keytab
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 982aa328f6502f28cc117e15bf0f936a132ddeca
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Thu Oct 24 18:32:37 2019 +0300

    password_hash: do not generate single DES keys
    
    Per RFC-6649 single DES enctypes should not be used.
    
    MIT has retired single DES encryption types, see:
    https://web.mit.edu/kerberos/krb5-1.12/doc/admin/advanced/retiring-des.html
    
    As a workaround, store random keys instead, making the usage of signle DES
    encryption types virtually impossible.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e8015d8a3485092e12d610e565c8c4ee2be937b6
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Thu Oct 24 18:53:34 2019 +0300

    kdc/db-glue: do not fetch single DES keys from db
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ad9016d579aa3f6d53c656fd539d821ccfbf592f
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Thu Oct 24 12:20:05 2019 +0300

    kerberos: remove single DES enctypes from ENC_ALL_TYPES
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 13655e59e2c76561155ded0f65a46ce34129dd7b
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Thu Oct 31 19:41:46 2019 +0100

    selftest: exclude msDS-SupportedEncryptionType in ldapcmp
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
    
    Pair-Programmed-With: Alexander Bokovoy <ab at samba.org>
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 41b40f0e557608403ff5b19704fd5363d149444a
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Wed Nov 6 09:17:52 2019 +0100

    selftest/remote_pac: remove test_PACVerify_workstation_des
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                      | 20 +++++++++
 selftest/target/Samba.pm                          |  1 -
 source3/libads/kerberos_keytab.c                  |  2 -
 source3/passdb/machine_account_secrets.c          | 36 -----------------
 source4/auth/kerberos/kerberos.h                  |  2 +-
 source4/dsdb/samdb/ldb_modules/password_hash.c    | 49 ++++-------------------
 source4/heimdal_build/roken.h                     |  3 --
 source4/kdc/db-glue.c                             |  4 +-
 source4/torture/krb5/kdc-canon-heimdal.c          | 33 ++++++++-------
 source4/torture/rpc/remote_pac.c                  | 37 -----------------
 testprogs/blackbox/dbcheck-oldrelease.sh          |  2 +-
 testprogs/blackbox/functionalprep.sh              |  2 +-
 testprogs/blackbox/test_export_keytab_heimdal.sh  | 16 ++++----
 testprogs/blackbox/upgradeprovision-oldrelease.sh |  2 +-
 14 files changed, 60 insertions(+), 149 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 376cd2862f1..f84cfcf7623 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -93,6 +93,26 @@ make changes to the DNS Zone and nudging the 'named' server if a new
 DC was added to the domain.  Administrators using BIND9_FLATFILE will
 need to maintain this manually from now on.
 
+
+Retiring DES encryption types in Kerberos.
+------------------------------------------
+With this release, support for DES encryption types has been removed from
+Samba, and setting DES_ONLY flag for an account will cause Kerberos
+authentication to fail for that account (see RFC-6649).
+
+Samba-DC: DES keys no longer saved in DB.
+-----------------------------------------
+When a new password is set for an account, Samba DC will store random keys
+in DB instead of DES keys derived from the password.  If the account is being
+migrated to Windbows or to an older version of Samba in order to use DES keys,
+the password must be reset to make it work.
+
+Heimdal-DC: removal of weak-crypto.
+-----------------------------------
+Following removal of DES encryption types from Samba, the embedded Heimdal
+build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO).
+
+
 smb.conf changes
 ================
 
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index c3a3a68b7b6..76f3ebb1fea 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -262,7 +262,6 @@ sub mk_krb5_conf($$)
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes
- allow_weak_crypto = yes
 
  name_canon_rules=as-is:realm=$ctx->{realm}
  name_canon_rules=as-is:realm=$ctx->{dnsname}
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 97d5535041c..7d193e1a600 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -240,8 +240,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
 	krb5_data password;
 	krb5_kvno kvno;
         krb5_enctype enctypes[6] = {
-		ENCTYPE_DES_CBC_CRC,
-		ENCTYPE_DES_CBC_MD5,
 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
 		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
 #endif
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index dfc21f295a1..efba80f1474 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -1031,7 +1031,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
 	krb5_keyblock key;
 	DATA_BLOB aes_256_b = data_blob_null;
 	DATA_BLOB aes_128_b = data_blob_null;
-	DATA_BLOB des_md5_b = data_blob_null;
 	bool ok;
 #endif /* HAVE_ADS */
 	DATA_BLOB arc4_b = data_blob_null;
@@ -1177,32 +1176,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
 		return ENOMEM;
 	}
 
-	krb5_ret = smb_krb5_create_key_from_string(krb5_ctx,
-						   NULL,
-						   &salt,
-						   &cleartext_utf8,
-						   ENCTYPE_DES_CBC_MD5,
-						   &key);
-	if (krb5_ret != 0) {
-		DBG_ERR("generation of a des-cbc-md5 key failed: %s\n",
-			smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
-		krb5_free_context(krb5_ctx);
-		TALLOC_FREE(keys);
-		TALLOC_FREE(salt_data);
-		return krb5_ret;
-	}
-	des_md5_b = data_blob_talloc(keys,
-				     KRB5_KEY_DATA(&key),
-				     KRB5_KEY_LENGTH(&key));
-	krb5_free_keyblock_contents(krb5_ctx, &key);
-	if (des_md5_b.data == NULL) {
-		DBG_ERR("data_blob_talloc failed for des-cbc-md5.\n");
-		krb5_free_context(krb5_ctx);
-		TALLOC_FREE(keys);
-		TALLOC_FREE(salt_data);
-		return ENOMEM;
-	}
-
 	krb5_free_context(krb5_ctx);
 no_kerberos:
 
@@ -1227,15 +1200,6 @@ no_kerberos:
 	keys[idx].value			= arc4_b;
 	idx += 1;
 
-#ifdef HAVE_ADS
-	if (des_md5_b.length != 0) {
-		keys[idx].keytype		= ENCTYPE_DES_CBC_MD5;
-		keys[idx].iteration_count	= 4096;
-		keys[idx].value			= des_md5_b;
-		idx += 1;
-	}
-#endif /* HAVE_ADS */
-
 	p->salt_data = salt_data;
 	p->default_iteration_count = 4096;
 	p->num_keys = idx;
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 2ff9e3868af..1dd63acc838 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -50,7 +50,7 @@ struct keytab_container {
 #define TOK_ID_GSS_GETMIC	((const uint8_t *)"\x01\x01")
 #define TOK_ID_GSS_WRAP		((const uint8_t *)"\x02\x01")
 
-#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 |	\
+#define ENC_ALL_TYPES (ENC_RC4_HMAC_MD5 |	\
 		       ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256)
 
 #ifndef HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 006e35c46d5..ffd48da616e 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -783,56 +783,21 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
 	}
 
 	/*
-	 * create ENCTYPE_DES_CBC_MD5 key out of
-	 * the salt and the cleartext password
+	 * As per RFC-6649 single DES encryption types are no longer considered
+	 * secure to be used in Kerberos, we store random keys instead of the
+	 * ENCTYPE_DES_CBC_MD5 and ENCTYPE_DES_CBC_CRC keys.
 	 */
-	krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
-						   NULL,
-						   &salt,
-						   &cleartext_data,
-						   ENCTYPE_DES_CBC_MD5,
-						   &key);
-	if (krb5_ret) {
-		ldb_asprintf_errstring(ldb,
-				       "setup_kerberos_keys: "
-				       "generation of a des-cbc-md5 key failed: %s",
-				       smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
-								  krb5_ret, io->ac));
-		return LDB_ERR_OPERATIONS_ERROR;
-	}
-	io->g.des_md5 = data_blob_talloc(io->ac,
-					 KRB5_KEY_DATA(&key),
-					 KRB5_KEY_LENGTH(&key));
-	krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+	io->g.des_md5 = data_blob_talloc(io->ac, NULL, 8);
 	if (!io->g.des_md5.data) {
 		return ldb_oom(ldb);
 	}
+	generate_secret_buffer(io->g.des_md5.data, 8);
 
-	/*
-	 * create ENCTYPE_DES_CBC_CRC key out of
-	 * the salt and the cleartext password
-	 */
-	krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
-						   NULL,
-						   &salt,
-						   &cleartext_data,
-						   ENCTYPE_DES_CBC_CRC,
-						   &key);
-	if (krb5_ret) {
-		ldb_asprintf_errstring(ldb,
-				       "setup_kerberos_keys: "
-				       "generation of a des-cbc-crc key failed: %s",
-				       smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
-								  krb5_ret, io->ac));
-		return LDB_ERR_OPERATIONS_ERROR;
-	}
-	io->g.des_crc = data_blob_talloc(io->ac,
-					 KRB5_KEY_DATA(&key),
-					 KRB5_KEY_LENGTH(&key));
-	krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+	io->g.des_crc = data_blob_talloc(io->ac, NULL, 8);
 	if (!io->g.des_crc.data) {
 		return ldb_oom(ldb);
 	}
+	generate_secret_buffer(io->g.des_crc.data, 8);
 
 	return LDB_SUCCESS;
 }
diff --git a/source4/heimdal_build/roken.h b/source4/heimdal_build/roken.h
index 9752c04a741..559021c0a0e 100644
--- a/source4/heimdal_build/roken.h
+++ b/source4/heimdal_build/roken.h
@@ -6,9 +6,6 @@
 
 #include "config.h"
 
-/* Support 'weak' keys for now, it can't be worse than NTLM and we don't want to hard-code the behaviour at this point */
-#define HEIM_WEAK_CRYPTO 1
-
 /* path to sysconf - should we force this to samba LIBDIR ? */
 #define SYSCONFDIR "/etc"
 
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index f62a633c6c7..023ae7b580d 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -359,10 +359,10 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 
 	/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
 	if (userAccountControl & UF_USE_DES_KEY_ONLY) {
-		supported_enctypes = ENC_CRC32|ENC_RSA_MD5;
+		supported_enctypes = 0;
 	} else {
 		/* Otherwise, add in the default enc types */
-		supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+		supported_enctypes |= ENC_RC4_HMAC_MD5;
 	}
 
 	/* Is this the krbtgt or a RODC krbtgt */
diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c
index dffebd74038..700e1c2b37e 100644
--- a/source4/torture/krb5/kdc-canon-heimdal.c
+++ b/source4/torture/krb5/kdc-canon-heimdal.c
@@ -33,6 +33,7 @@
 #include "auth/auth_sam_reply.h"
 #include "auth/gensec/gensec.h"
 #include "param/param.h"
+#include "zlib.h"
 
 #define TEST_CANONICALIZE     0x0000001
 #define TEST_ENTERPRISE       0x0000002
@@ -214,6 +215,17 @@ static bool test_accept_ticket(struct torture_context *tctx,
 	return true;
 }
 
+static void
+zCRC32_checksum(const void *data,
+		size_t len,
+		Checksum *C)
+{
+	uint32_t *crc = C->checksum.data;
+	*crc = ~(crc32(0xffffffff, data, len));
+	C->checksum.length = 4;
+	C->cksumtype = 1;
+}
+
 krb5_error_code
 _krb5_s4u2self_to_checksumdata(krb5_context context,
 			       const PA_S4U2Self *self,
@@ -252,11 +264,7 @@ static bool change_for_user_principal(struct torture_krb5_context *test_context,
 	torture_assert_int_equal(test_context->tctx,
 				 _krb5_s4u2self_to_checksumdata(k5_ctx, &mod_self, &cksum_data),
 				 0, "_krb5_s4u2self_to_checksumdata() failed");
-	torture_assert_int_equal(test_context->tctx,
-				 krb5_create_checksum(k5_ctx, NULL, KRB5_KU_OTHER_CKSUM,
-						      CKSUMTYPE_CRC32, cksum_data.data,
-						      cksum_data.length, &mod_self.cksum),
-				 0, "krb5_create_checksum() failed");
+	zCRC32_checksum(cksum_data.data, cksum_data.length, &mod_self.cksum);
 
 	ASN1_MALLOC_ENCODE(PA_S4U2Self, for_user->padata_value.data, for_user->padata_value.length,
 			   &mod_self, &used, ret);
@@ -270,7 +278,6 @@ static bool change_for_user_principal(struct torture_krb5_context *test_context,
 
 	free_PA_S4U2Self(&self);
 	krb5_data_free(&cksum_data);
-	free_Checksum(&mod_self.cksum);
 
 	return true;
 }
@@ -730,13 +737,12 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex
 					 error.pvno, 5,
 					 "Got wrong error.pvno");
 		expected_error = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE;
-		if (error.error_code != expected_error && test_context->test_data->mitm_s4u2self) {
-			expected_error = KRB5KRB_AP_ERR_INAPP_CKSUM - KRB5KDC_ERR_NONE;
+		if (!test_context->test_data->mitm_s4u2self) {
+			torture_assert_int_equal(test_context->tctx,
+						 error.error_code,
+						 expected_error,
+						 "Got wrong error.error_code");
 		}
-		torture_assert_int_equal(test_context->tctx,
-					 error.error_code,
-					 expected_error,
-					 "Got wrong error.error_code");
 	} else {
 		torture_assert_int_equal(test_context->tctx,
 					 decode_TGS_REP(recv_buf->data, recv_buf->length,
@@ -2083,8 +2089,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 			|| test_data->upn == false)) {
 
 			if (test_data->mitm_s4u2self) {
-				torture_assert_int_equal(tctx, k5ret, KRB5KRB_AP_ERR_INAPP_CKSUM,
-							 assertion_message);
+				torture_assert_int_not_equal(tctx, k5ret, 0, assertion_message);
 				/* Done testing mitm-s4u2self */
 				return true;
 			}
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index d0075d77745..c74746123fe 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -41,7 +41,6 @@
 
 #define TEST_MACHINE_NAME_BDC "torturepacbdc"
 #define TEST_MACHINE_NAME_WKSTA "torturepacwksta"
-#define TEST_MACHINE_NAME_WKSTA_DES "torturepacwkdes"
 #define TEST_MACHINE_NAME_S4U2SELF_BDC "tests4u2selfbdc"
 #define TEST_MACHINE_NAME_S4U2SELF_WKSTA "tests4u2selfwk"
 #define TEST_MACHINE_NAME_S4U2PROXY_WKSTA "tests4u2proxywk"
@@ -608,39 +607,6 @@ static bool test_PACVerify_workstation_aes(struct torture_context *tctx,
 			      NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
 }
 
-static bool test_PACVerify_workstation_des(struct torture_context *tctx,
-					   struct dcerpc_pipe *p, struct cli_credentials *credentials, struct test_join *join_ctx)
-{
-	struct samr_SetUserInfo r;
-	union samr_UserInfo user_info;
-	struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(join_ctx);
-	struct smb_krb5_context *smb_krb5_context;
-	krb5_error_code ret;
-
-	ret = cli_credentials_get_krb5_context(popt_get_cmdline_credentials(),
-			tctx->lp_ctx, &smb_krb5_context);
-	torture_assert_int_equal(tctx, ret, 0, "cli_credentials_get_krb5_context() failed");
-
-	if (smb_krb5_get_allowed_weak_crypto(smb_krb5_context->krb5_context) == FALSE) {
-		torture_skip(tctx, "Cannot test DES without [libdefaults] allow_weak_crypto = yes");
-	}
-
-	/* Mark this workstation with DES-only */
-	user_info.info16.acct_flags = ACB_USE_DES_KEY_ONLY | ACB_WSTRUST;
-	r.in.user_handle = torture_join_samr_user_policy(join_ctx);
-	r.in.level = 16;
-	r.in.info = &user_info;
-
-	torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(samr_pipe->binding_handle, tctx, &r),
-		"failed to set DES info account flags");
-	torture_assert_ntstatus_ok(tctx, r.out.result,
-		"failed to set DES into account flags");
-
-	return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA,
-			      TEST_MACHINE_NAME_WKSTA_DES,
-			      NETLOGON_NEG_AUTH2_ADS_FLAGS);
-}
-
 #ifdef SAMBA4_USES_HEIMDAL
 static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx,
 						  uint16_t validation_level,
@@ -1248,9 +1214,6 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx)
 								      &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA);
 	torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes);
 
-	tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des",
-								      &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES);
-	torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des);
 #ifdef SAMBA4_USES_HEIMDAL
 	tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour",
 							      &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_BDC);
diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh
index 3d0ee2c165a..41c55178d4e 100755
--- a/testprogs/blackbox/dbcheck-oldrelease.sh
+++ b/testprogs/blackbox/dbcheck-oldrelease.sh
@@ -388,7 +388,7 @@ referenceprovision() {
 
 ldapcmp() {
     if [ x$RELEASE = x"release-4-0-0" ]; then
-         $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName
+         $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes
     fi
 }
 
diff --git a/testprogs/blackbox/functionalprep.sh b/testprogs/blackbox/functionalprep.sh
index 80e82252d45..1d37611ef7a 100755
--- a/testprogs/blackbox/functionalprep.sh
+++ b/testprogs/blackbox/functionalprep.sh
@@ -61,7 +61,7 @@ provision_2012r2() {
 ldapcmp_ignore() {
     # At some point we will need to ignore, but right now, it should be perfect
     IGNORE_ATTRS=$1
-    $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn
+    $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn --filter msDS-SupportedEncryptionTypes
 }
 
 ldapcmp() {
diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh
index cfa245fd4de..6a2595cd684 100755
--- a/testprogs/blackbox/test_export_keytab_heimdal.sh
+++ b/testprogs/blackbox/test_export_keytab_heimdal.sh
@@ -43,7 +43,7 @@ test_keytab() {
 
 	echo "test: $testname"
 
-	NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "des|aes|arcfour")
+	NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "aes|arcfour")
 	status=$?
 	if [ x$status != x0 ]; then
 		echo "failure: $testname"
@@ -64,22 +64,22 @@ unc="//$SERVER/tmp"
 testit "create user locally" $VALGRIND $PYTHON $newuser nettestuser $USERPASS $@ || failed=`expr $failed + 1`
 
 testit "dump keytab from domain" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
-test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5
+test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3
 testit "dump keytab from domain (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
-test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5
+test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3
 
 testit "dump keytab from domain for cifs principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
-test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5
+test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3
 testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
-test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5
+test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3
 
 testit "dump keytab from domain for user principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1`
-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5
+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3
 testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1`
-test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5
+test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3
 
 testit "dump keytab from domain for user principal with SPN as UPN" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-3 --principal=http/testupnspn.$DNSDOMAIN $@ || failed=`expr $failed + 1`
-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 5
+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 3
 
 KRB5CCNAME="$PREFIX/tmpuserccache"
 export KRB5CCNAME
diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh
index 76276168011..208baa54a02 100755
--- a/testprogs/blackbox/upgradeprovision-oldrelease.sh
+++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh
@@ -106,7 +106,7 @@ referenceprovision() {
 
 ldapcmp() {
     if [ x$RELEASE != x"alpha13" ]; then
-         $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName
+         $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes
     fi
 }
 


-- 
Samba Shared Repository



More information about the samba-cvs mailing list