knowing if we can skip DES tests in smbtorture
Andrew Bartlett
abartlet at samba.org
Sun May 20 16:11:26 MDT 2012
On Sun, 2012-05-20 at 13:55 +0300, Alexander Bokovoy wrote:
> Look into source4/torture/rpc/remote_pac.c,
> test_PACVerify_workstation_des(). The test there attempts to see if
> krb5.conf [libdefaults] section contains a reference to
> 'allow_weak_crypto' to test DES. krb5_config_get_bool_default() is not
> supported in MIT krb5 and appropriate values should be fetched with
> use of the libprofile library. That library was supposed to be portable
> across multiple implementations of Kerberos and also used in other
> libraries so it ended up being separate from libkrb5/libkrb5support in
> MIT krb5. However, it is not implemented in Heimdal.
>
> We can solve this by making a helper in krb5samba,
> smb_krb5_is_weak_crypto_enabled_by_default(), which uses either the profile
> library or krb5_config_get_bool_default(). I just haven't found time
> to do that yet. This is the only place where it is used, in
> remote_pac.c, and our selftest code enforces 'allow_weak_crypto = yes'
> in generated krb5.conf. So removing this check affects only a
> standalone version of smbtorture.
Given you do not implement the KDC, it seems you should just skip remote
DES PAC testing against MIT Kerberos, or (better) look for whatever
error is given when DES isn't available locally and exit with 'skip'.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org