[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu Nov 12 22:55:03 UTC 2020
The branch, master has been updated
via 2ba6d596ff0 tests python krb5: add arcfour salt tests
via d492355f293 tests python krb5: refactor compatability tests
via a00a1c97450 tests python krb5: Convert kdc-heimdal to python
via 1bab87c50ba tests python krb5: raw_testcase permit RC4 salts
via 82a413f48b7 tests python krb5: Refactor compatability test constants
via 97b830cbcac tests python krb5: Refactor canonicalization test constants
via 532c941fbb8 tests python krb5: Add constants module
from e9e06a11daf vfs_shadow_copy2: Preserve all open flags assuming ROFS
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 2ba6d596ff0a3580eca9285fd83569bcb147ce77
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Nov 10 16:57:11 2020 +1300
tests python krb5: add arcfour salt tests
MIT kerberos returns a salt when ARCFOUR_HMAC_MD5 encryption is selected,
Heimdal does not.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Nov 12 22:54:22 UTC 2020 on sn-devel-184
commit d492355f293e2da400318665035b056dfaba852c
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Nov 10 16:56:46 2020 +1300
tests python krb5: refactor compatability tests
Refactor to aid the adding of tests for the inclusion of a salt when
ARCFOUR_HMAC_MD5 encryption is selected.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a00a1c9745033dae05eee17cfa4e2c5354a81e68
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Nov 6 09:07:04 2020 +1300
tests python krb5: Convert kdc-heimdal to python
Implement the tests in source4/torture/krb5/kdc-heimdal.c in python.
The following tests were not re-implemented as they are client side
tests for the "Orpheus Lyre" attack:
TORTURE_KRB5_TEST_CHANGE_SERVER_OUT
TORTURE_KRB5_TEST_CHANGE_SERVER_IN
TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1bab87c50baf0fecb5d4cd09e1a9896730c6377e
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Nov 10 13:51:39 2020 +1300
tests python krb5: raw_testcase permit RC4 salts
MIT kerberos returns a salt when ARCFOUR_HMAC_MD5 is selected; this commit
removes the check that a salt is not returned. A test for the difference
between MIT and Heimdal will be added in the subsequent commits.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 82a413f48b7ef71feb68fc34f7ca753d45eb8974
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Nov 10 11:20:58 2020 +1300
tests python krb5: Refactor compatability test constants
Modify tests to use the constants defined in rfc4120_constants.py
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 97b830cbcac53fcf49bbcd272812d1ba019bac51
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Nov 10 11:20:03 2020 +1300
tests python krb5: Refactor canonicalization test constants
Modify tests to use the constants defined in rfc4120_constants.py
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 532c941fbb8fc5fc5da4aa2d0e170229076e9aa7
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Nov 10 11:19:02 2020 +1300
tests python krb5: Add constants module
Extract the constants used in the tests into a separate module
to reduce code duplication.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
.../samba/tests/krb5/as_canonicalization_tests.py | 30 +--
python/samba/tests/krb5/compatability_tests.py | 76 +++++--
python/samba/tests/krb5/kdc_tests.py | 219 +++++++++++++++++++++
python/samba/tests/krb5/raw_testcase.py | 1 -
python/samba/tests/krb5/rfc4120_constants.py | 49 +++++
python/samba/tests/usage.py | 2 +
source4/selftest/tests.py | 1 +
7 files changed, 333 insertions(+), 45 deletions(-)
create mode 100755 python/samba/tests/krb5/kdc_tests.py
create mode 100644 python/samba/tests/krb5/rfc4120_constants.py
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
index caa186bed41..303788b672e 100755
--- a/python/samba/tests/krb5/as_canonicalization_tests.py
+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
@@ -41,6 +41,7 @@ from samba.dsdb import (
UF_NORMAL_ACCOUNT)
from samba.samdb import SamDB
from samba.tests import delete_force, DynamicTestCase
+from samba.tests.krb5.rfc4120_constants import *
global_asn1_print = False
global_hexdump = False
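Review bot: the added line "from samba.tests.krb5.rfc4120_constants import *" is a wildcard import, which hides where names such as ARCFOUR_HMAC_MD5 and KRB_ERROR come from and stops linters from catching unused or misspelled constants. Import the constants this file uses by name instead.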
@@ -123,35 +124,6 @@ class TestData:
MACHINE_NAME = "tstkrb5cnnmch"
USER_NAME = "tstkrb5cnnusr"
-# Encryption types
-AES256_CTS_HMAC_SHA1_96 = int(
- krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96'))
-AES128_CTS_HMAC_SHA1_96 = int(
- krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96'))
-ARCFOUR_HMAC_MD5 = int(
- krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5'))
-
-# Message types
-KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error'))
-KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep'))
-
-# PAData types
-PADATA_ENC_TIMESTAMP = int(
- krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP'))
-PADATA_ETYPE_INFO2 = int(
- krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2'))
-
-# Error codes
-KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
-KDC_ERR_PREAUTH_REQUIRED = 25
-
-# Name types
-NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN'))
-NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL'))
-NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST'))
-NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-ENTERPRISE-PRINCIPAL'))
-
-
@DynamicTestCase
class KerberosASCanonicalizationTests(RawKerberosTest):
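Review bot: the block removed here defines NT_UNKNOWN, NT_PRINCIPAL, NT_SRV_INST and NT_ENTERPRISE_PRINCIPAL, but the part of rfc4120_constants.py visible in this truncated changeset ends at the error codes. Confirm the name types were carried over to the new module, since compatability_tests.py and kdc_tests.py now take NT_PRINCIPAL and NT_SRV_INST from it.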
diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py
index 63bd5269c2b..e4b1453e712 100755
--- a/python/samba/tests/krb5/compatability_tests.py
+++ b/python/samba/tests/krb5/compatability_tests.py
@@ -25,10 +25,17 @@ os.environ["PYTHONUNBUFFERED"] = "1"
from samba.tests.krb5.raw_testcase import RawKerberosTest
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
+from samba.tests.krb5.rfc4120_constants import *
global_asn1_print = False
global_hexdump = False
+HIEMDAL_ENC_AS_REP_PART_TYPE_TAG = 0x79
+# MIT uses the EncTGSRepPart tag for the EncASRepPart
+MIT_ENC_AS_REP_PART_TYPE_TAG = 0x7A
+
+ENC_PA_REP_FLAG = 0x00010000
+
class SimpleKerberosTests(RawKerberosTest):
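Review bot: HIEMDAL_ENC_AS_REP_PART_TYPE_TAG misspells Heimdal. Rename it to HEIMDAL_ENC_AS_REP_PART_TYPE_TAG now, before further tests pick up the name, so that a search for "HEIMDAL" finds it next to MIT_ENC_AS_REP_PART_TYPE_TAG.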
@@ -40,12 +47,12 @@ class SimpleKerberosTests(RawKerberosTest):
def test_mit_EncASRepPart_tag(self):
creds = self.get_user_creds()
(enc, _) = self.as_req(creds)
- self.assertEqual(0x7a, enc[0])
+ self.assertEqual(MIT_ENC_AS_REP_PART_TYPE_TAG, enc[0])
def test_heimdal_EncASRepPart_tag(self):
creds = self.get_user_creds()
(enc, _) = self.as_req(creds)
- self.assertEqual(0x79, enc[0])
+ self.assertEqual(HIEMDAL_ENC_AS_REP_PART_TYPE_TAG, enc[0])
def test_mit_EncryptedData_kvno(self):
creds = self.get_user_creds()
@@ -62,37 +69,60 @@ class SimpleKerberosTests(RawKerberosTest):
def test_mit_EncASRepPart_FAST_support(self):
creds = self.get_user_creds()
(enc, _) = self.as_req(creds)
- self.assertEqual(0x7A, enc[0])
+ self.assertEqual(MIT_ENC_AS_REP_PART_TYPE_TAG, enc[0])
as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncTGSRepPart())
flags = int(as_rep['flags'], base=2)
# MIT sets enc-pa-rep, flag bit 15
# RFC 6806 11. Negotiation of FAST and Detecting Modified Requests
- self.assertTrue(0x00010000 & flags)
+ self.assertTrue(ENC_PA_REP_FLAG & flags)
def test_heimdal_EncASRepPart_FAST_support(self):
creds = self.get_user_creds()
(enc, _) = self.as_req(creds)
- self.assertEqual(0x79, enc[0])
+ self.assertEqual(HIEMDAL_ENC_AS_REP_PART_TYPE_TAG, enc[0])
as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncASRepPart())
flags = as_rep['flags']
flags = int(as_rep['flags'], base=2)
# Heimdal does not set enc-pa-rep, flag bit 15
# RFC 6806 11. Negotiation of FAST and Detecting Modified Requests
- self.assertFalse(0x00010000 & flags)
+ self.assertFalse(ENC_PA_REP_FLAG & flags)
- def as_req(self, creds):
+ def test_mit_arcfour_salt(self):
+ creds = self.get_user_creds()
+ etypes = (ARCFOUR_HMAC_MD5,)
+ (rep, *_) = self.as_pre_auth_req(creds, etypes)
+ self.check_preauth_rep(rep)
+ etype_info2 = self.get_etype_info2(rep)
+ if 'salt' not in etype_info2[0]:
+ self.fail(
+ "(MIT) Salt not populated for ARCFOUR_HMAC_MD5 encryption")
+
+ def test_heimdal_arcfour_salt(self):
+ creds = self.get_user_creds()
+ etypes = (ARCFOUR_HMAC_MD5,)
+ (rep, *_) = self.as_pre_auth_req(creds, etypes)
+ self.check_preauth_rep(rep)
+ etype_info2 = self.get_etype_info2(rep)
+ if 'salt' in etype_info2[0]:
+ self.fail(
+ "(Heimdal) Salt populated for ARCFOUR_HMAC_MD5 encryption")
+
+ def as_pre_auth_req(self, creds, etypes):
user = creds.get_username()
realm = creds.get_realm()
- cname = self.PrincipalName_create(name_type=1, names=[user])
- sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm])
+ cname = self.PrincipalName_create(
+ name_type=NT_PRINCIPAL,
+ names=[user])
+ sname = self.PrincipalName_create(
+ name_type=NT_SRV_INST,
+ names=["krbtgt", realm])
till = self.get_KerberosTime(offset=36000)
kdc_options = krb5_asn1.KDCOptions('forwardable')
padata = None
- etypes = (18, 17, 23)
req = self.AS_REQ_create(padata=padata,
kdc_options=str(kdc_options),
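Review bot: test_mit_arcfour_salt and test_heimdal_arcfour_salt look for 'salt' in etype_info2[0] without first asserting that the list is non-empty and that the entry's etype is ARCFOUR_HMAC_MD5, so a reply carrying a different enctype would pass or fail for the wrong reason. Add an assertEqual on etype_info2[0]['etype'] and replace the if/self.fail pairs with assertIn and assertNotIn, which report the offending entry on failure.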
@@ -109,23 +139,39 @@ class SimpleKerberosTests(RawKerberosTest):
EncAuthorizationData_key=None,
additional_tickets=None)
rep = self.send_recv_transaction(req)
+
+ return (rep, cname, sname, realm, till)
+
+ def check_preauth_rep(self, rep):
self.assertIsNotNone(rep)
+ self.assertEqual(rep['msg-type'], KRB_ERROR)
+ self.assertEqual(rep['error-code'], KDC_ERR_PREAUTH_REQUIRED)
+
+ def get_etype_info2(self, rep):
- self.assertEqual(rep['msg-type'], 30)
- self.assertEqual(rep['error-code'], 25)
rep_padata = self.der_decode(
rep['e-data'],
asn1Spec=krb5_asn1.METHOD_DATA())
for pa in rep_padata:
- if pa['padata-type'] == 19:
+ if pa['padata-type'] == PADATA_ETYPE_INFO2:
etype_info2 = pa['padata-value']
break
etype_info2 = self.der_decode(
etype_info2,
asn1Spec=krb5_asn1.ETYPE_INFO2())
+ return etype_info2
+ def as_req(self, creds):
+ etypes = (
+ AES256_CTS_HMAC_SHA1_96,
+ AES128_CTS_HMAC_SHA1_96,
+ ARCFOUR_HMAC_MD5)
+ (rep, cname, sname, realm, till) = self.as_pre_auth_req(creds, etypes)
+ self.check_preauth_rep(rep)
+
+ etype_info2 = self.get_etype_info2(rep)
key = self.PasswordKey_from_etype_info2(creds, etype_info2[0])
(patime, pausec) = self.get_KerberosTimeWithUsec()
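Review bot: in get_etype_info2 the name etype_info2 is only bound inside the "if pa['padata-type'] == PADATA_ETYPE_INFO2:" branch, so a KDC error that carries no ETYPE-INFO2 entry raises UnboundLocalError at the following der_decode instead of producing a test failure. Initialise it to None before the loop and assertIsNotNone after it, with a message saying that PADATA_ETYPE_INFO2 was missing from the e-data.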
@@ -136,7 +182,7 @@ class SimpleKerberosTests(RawKerberosTest):
pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts)
pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData())
- pa_ts = self.PA_DATA_create(2, pa_ts)
+ pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts)
kdc_options = krb5_asn1.KDCOptions('forwardable')
padata = [pa_ts]
@@ -159,7 +205,7 @@ class SimpleKerberosTests(RawKerberosTest):
self.assertIsNotNone(rep)
msg_type = rep['msg-type']
- self.assertEqual(msg_type, 11)
+ self.assertEqual(msg_type, KRB_AS_REP)
usage = 3
enc_part = rep['enc-part']
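Review bot: "usage = 3" directly after the changed assertion is still a bare number, as is enc_pa_ts_usage in the previous hunk, while this series replaces the other magic values with named constants. Consider adding key usage constants to rfc4120_constants.py so the AS-REP decryption usage is named alongside the message and padata types.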
diff --git a/python/samba/tests/krb5/kdc_tests.py b/python/samba/tests/krb5/kdc_tests.py
new file mode 100755
index 00000000000..57a25448965
--- /dev/null
+++ b/python/samba/tests/krb5/kdc_tests.py
@@ -0,0 +1,219 @@
+#!/usr/bin/env python3
+# Unix SMB/CIFS implementation.
+# Copyright (C) Stefan Metzmacher 2020
+# Copyright (C) 2020 Catalyst.Net Ltd
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import os
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
+from samba.tests.krb5.raw_testcase import RawKerberosTest
+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
+from samba.tests.krb5.rfc4120_constants import *
+
+global_asn1_print = False
+global_hexdump = False
+
+
+class KdcTests(RawKerberosTest):
+ """ Port of the tests in source4/torture/krb5/kdc-heimdal.c
+ To python.
+ """
+
+ def setUp(self):
+ super(KdcTests, self).setUp()
+ self.do_asn1_print = global_asn1_print
+ self.do_hexdump = global_hexdump
+
+ def as_req(self, creds, etypes, padata=None):
+ user = creds.get_username()
+ realm = creds.get_realm()
+
+ cname = self.PrincipalName_create(
+ name_type=NT_PRINCIPAL,
+ names=[user])
+ sname = self.PrincipalName_create(
+ name_type=NT_SRV_INST,
+ names=["krbtgt", realm])
+ till = self.get_KerberosTime(offset=36000)
+
+ kdc_options = 0
+
+ req = self.AS_REQ_create(padata=padata,
+ kdc_options=str(kdc_options),
+ cname=cname,
+ realm=realm,
+ sname=sname,
+ from_time=None,
+ till_time=till,
+ renew_time=None,
+ nonce=0x7fffffff,
+ etypes=etypes,
+ addresses=None,
+ EncAuthorizationData=None,
+ EncAuthorizationData_key=None,
+ additional_tickets=None)
+ rep = self.send_recv_transaction(req)
+ return rep
+
+ def get_pa_data(self, creds, rep, skew=0):
+ rep_padata = self.der_decode(
+ rep['e-data'],
+ asn1Spec=krb5_asn1.METHOD_DATA())
+
+ for pa in rep_padata:
+ if pa['padata-type'] == PADATA_ETYPE_INFO2:
+ etype_info2 = pa['padata-value']
+ break
+
+ etype_info2 = self.der_decode(
+ etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2())
+
+ key = self.PasswordKey_from_etype_info2(creds, etype_info2[0])
+
+ (patime, pausec) = self.get_KerberosTimeWithUsec(offset=skew)
+ pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec)
+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC())
+
+ enc_pa_ts_usage = 1
+ pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts)
+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData())
+
+ pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts)
+
+ padata = [pa_ts]
+ return padata
+
+ def check_pre_authenication(self, rep):
+ """ Check that the kdc response was pre-authentication required
+ """
+ self.check_error_rep(rep, KDC_ERR_PREAUTH_REQUIRED)
+
+ def check_as_reply(self, rep):
+ """ Check that the kdc response is an AS-REP and that the
+ values for:
+ msg-type
+ pvno
+ tkt-pvno
+ kvno
+ match the expected values
+ """
+
+ # Should have a reply, and it should an AS-REP message.
+ self.assertIsNotNone(rep)
+ self.assertEqual(rep['msg-type'], KRB_AS_REP)
+
+ # Protocol version number should be 5
+ pvno = int(rep['pvno'])
+ self.assertEqual(5, pvno)
+
+ # The ticket version number should be 5
+ tkt_vno = int(rep['ticket']['tkt-vno'])
+ self.assertEqual(5, tkt_vno)
+
+ # Check that the kvno is not an RODC kvno
+ # MIT kerberos does not provide the kvno, so we treat it as optional.
+ # This is tested in compatability_test.py
+ if 'kvno' in rep['enc-part']:
+ kvno = int(rep['enc-part']['kvno'])
+ # If the high order bits are set this is an RODC kvno.
+ self.assertEqual(0, kvno & 0xFFFF0000)
+
+ def check_error_rep(self, rep, expected):
+ """ Check that the reply is an error message, with the expected
+ error-code specified.
+ """
+ self.assertIsNotNone(rep)
+ self.assertEqual(rep['msg-type'], KRB_ERROR)
+ self.assertEqual(rep['error-code'], expected)
+
+ def test_aes256_cts_hmac_sha1_96(self):
+ creds = self.get_user_creds()
+ etype = (AES256_CTS_HMAC_SHA1_96,)
+
+ rep = self.as_req(creds, etype)
+ self.check_pre_authenication(rep)
+
+ padata = self.get_pa_data(creds, rep)
+ rep = self.as_req(creds, etype, padata=padata)
+ self.check_as_reply(rep)
+
+ etype = rep['enc-part']['etype']
+ self.assertEquals(AES256_CTS_HMAC_SHA1_96, etype)
+
+ def test_arc4_hmac_md5(self):
+ creds = self.get_user_creds()
+ etype = (ARCFOUR_HMAC_MD5,)
+
+ rep = self.as_req(creds, etype)
+ self.check_pre_authenication(rep)
+
+ padata = self.get_pa_data(creds, rep)
+ rep = self.as_req(creds, etype, padata=padata)
+ self.check_as_reply(rep)
+
+ etype = rep['enc-part']['etype']
+ self.assertEquals(ARCFOUR_HMAC_MD5, etype)
+
+ def test_aes_rc4(self):
+ creds = self.get_user_creds()
+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
+
+ rep = self.as_req(creds, etype)
+ self.check_pre_authenication(rep)
+
+ padata = self.get_pa_data(creds, rep)
+ rep = self.as_req(creds, etype, padata=padata)
+ self.check_as_reply(rep)
+
+ etype = rep['enc-part']['etype']
+ self.assertEquals(AES256_CTS_HMAC_SHA1_96, etype)
+
+ def test_clock_skew(self):
+ creds = self.get_user_creds()
+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
+
+ rep = self.as_req(creds, etype)
+ self.check_pre_authenication(rep)
+
+ padata = self.get_pa_data(creds, rep, skew=3600)
+ rep = self.as_req(creds, etype, padata=padata)
+
+ self.check_error_rep(rep, KDC_ERR_SKEW)
+
+ def test_invalid_password(self):
+ creds = self.insta_creds(template=self.get_user_creds())
+ creds.set_password("Not the correct password")
+
+ etype = (AES256_CTS_HMAC_SHA1_96,)
+
+ rep = self.as_req(creds, etype)
+ self.check_pre_authenication(rep)
+
+ padata = self.get_pa_data(creds, rep)
+ rep = self.as_req(creds, etype, padata=padata)
+
+ self.check_error_rep(rep, KDC_ERR_PREAUTH_FAILED)
+
+
+if __name__ == "__main__":
+ global_asn1_print = True
+ global_hexdump = True
+ import unittest
+ unittest.main()
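Review bot: get_pa_data repeats the ETYPE-INFO2 lookup from compatability_tests.py and has the same gap: etype_info2 is unbound if no PADATA_ETYPE_INFO2 entry is present, so the test errors out rather than failing with a clear message. Move the lookup into RawKerberosTest with an explicit assertIsNotNone and call it from both files. Two smaller points in the same file: the tests call self.assertEquals, a deprecated alias of assertEqual that the rest of the file already avoids, and check_pre_authenication is misspelled (check_pre_authentication).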
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 45e46e0b7ba..e67f5464e59 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -425,7 +425,6 @@ class RawKerberosTest(TestCase):
pass
if e == kcrypto.Enctype.RC4:
- self.assertIsNone(salt)
nthash = creds.get_nt_hash()
return self.SessionKey_create(etype=e, contents=nthash, kvno=kvno)
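Review bot: with "self.assertIsNone(salt)" removed, the RC4 branch now silently ignores whatever salt the KDC sent, and nothing in the code says that is intentional. Add a short comment above "nthash = creds.get_nt_hash()" stating that the RC4 key is the NT hash and that a salt returned by the KDC (as MIT does) is deliberately unused here.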
diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py
new file mode 100644
index 00000000000..e939bb75e82
--- /dev/null
+++ b/python/samba/tests/krb5/rfc4120_constants.py
@@ -0,0 +1,49 @@
+# Unix SMB/CIFS implementation.
+# Copyright (C) 2020 Catalyst.Net Ltd
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
+
+# Encryption types
+AES256_CTS_HMAC_SHA1_96 = int(
+ krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96'))
+AES128_CTS_HMAC_SHA1_96 = int(
+ krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96'))
+ARCFOUR_HMAC_MD5 = int(
+ krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5'))
+
+# Message types
+KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error'))
+KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep'))
+
+# PAData types
+PADATA_ENC_TIMESTAMP = int(
+ krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP'))
+PADATA_ETYPE_INFO2 = int(
+ krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2'))
+
+# Error codes
+KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
+KDC_ERR_PREAUTH_FAILED = 24
+KDC_ERR_PREAUTH_REQUIRED = 25
+KDC_ERR_SKEW = 37
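Review bot: the KDC_ERR_* values are written as bare integers while every other constant in the module is looked up through krb5_asn1, and there is no comment saying where the numbers come from. Add a reference to the RFC 4120 error code table above "# Error codes", or derive them the same way if the ASN.1 module exposes them. Since the tests pull this module in with "import *", also define __all__ so that the krb5_asn1 alias is not re-exported into every importer.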
--
Samba Shared Repository