samba.git/python/samba/tests/krb5/raw_testcase.py, branch master Unnamed repository; edit this file 'description' to name the repository. python:tests/krb5: Make PADATA_PK_AS_REP optional in non-strict mode 2026-03-30T10:41:07+00:00 Andreas Schneider asn@samba.org 2026-03-25T11:44:02+00:00 b79df27457e78ec2e8e301865c553fb76a596f9d Commit c1433f821f7 added PADATA_PK_AS_REP (PA-PK-AS-REP, type 17) to the expected padata list when check_rep_padata sees KDC_ERR_KEY_EXPIRED. This reflects Samba's Heimdal KDC behaviour, which includes PKINIT hints in expired-password error responses. Samba with MIT KDC does not include PADATA_PK_AS_REP in KDC_ERR_KEY_EXPIRED responses; it returns a METHOD-DATA with just the NTSTATUS payload (type 3) and the FX-COOKIE (type 133). This causes test_pw_expired to fail intermittently when the expired-password code path is exercised against MIT KDC. Add PADATA_PK_AS_REP to the require_strict set alongside PADATA_PK_AS_REP_19, so it is treated as optional in non-strict checking mode (STRICT_CHECKING=0) while still being enforced in strict mode. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Mar 30 10:41:07 UTC 2026 on atb-devel-224 
Commit c1433f821f7 added PADATA_PK_AS_REP (PA-PK-AS-REP, type 17) to
the expected padata list when check_rep_padata sees KDC_ERR_KEY_EXPIRED.
This reflects Samba's Heimdal KDC behaviour, which includes PKINIT hints
in expired-password error responses.

Samba with MIT KDC does not include PADATA_PK_AS_REP in KDC_ERR_KEY_EXPIRED
responses; it returns a METHOD-DATA with just the NTSTATUS payload (type 3) and
the FX-COOKIE (type 133).  This causes test_pw_expired to fail intermittently
when the expired-password code path is exercised against MIT KDC.

Add PADATA_PK_AS_REP to the require_strict set alongside PADATA_PK_AS_REP_19,
so it is treated as optional in non-strict checking mode (STRICT_CHECKING=0)
while still being enforced in strict mode.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Mar 30 10:41:07 UTC 2026 on atb-devel-224
pytest:krb5: notice require canonicalization option 2026-01-15T01:48:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-12-17T02:19:47+00:00 ef4160280d22f4b994be71e4f0284832a0c5a81e Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
pytests: krb5 raw tests use TestCase.get_server_param() 2025-11-20T21:25:39+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-11-13T03:44:33+00:00 d776d39c83520d2c7a1197402edab378ddc6bca5 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
pytest: krb5 tests remember implicit dollar option 2025-11-20T21:25:39+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-11-14T07:10:01+00:00 5436532c7f5e7f745b348252d847364a6680fc5f Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
pytest:krb5: errcode errors include names 2025-11-20T21:25:39+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-11-04T23:50:31+00:00 e90184fbdaa2ac1c438548e98dd4953779cb3a60 Before: > AssertionError: 6 not found in (20,) After: > AssertionError: 6 not found in (20,) : KDC_ERR_C_PRINCIPAL_UNKNOWN not in ['KDC_ERR_TGT_REVOKED'] Useful for people who don't know the codes off by heart. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
Before:

> AssertionError: 6 not found in (20,)

After:

> AssertionError: 6 not found in (20,) : KDC_ERR_C_PRINCIPAL_UNKNOWN not in ['KDC_ERR_TGT_REVOKED']

Useful for people who don't know the codes off by heart.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
tests/krb5: Construct signed_attrs correctly 2025-11-19T00:32:31+00:00 Jennifer Sutton jennifersutton@catalyst.net.nz 2025-11-18T03:42:03+00:00 8a6004b7b3fa9b8540ed0f285697ddda4e015b32 signed_attrs is supposed to be a list of key‐value pairs, but we forgot the values. Because the field was not constructed correctly, the pyasn1 encoder simply stripped it out. Also properly separate the signature algorithm and digest algorithms. Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> Autobuild-Date(master): Wed Nov 19 00:32:31 UTC 2025 on atb-devel-224 
signed_attrs is supposed to be a list of key‐value pairs, but we forgot the
values. Because the field was not constructed correctly, the pyasn1 encoder
simply stripped it out.

Also properly separate the signature algorithm and digest algorithms.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Nov 19 00:32:31 UTC 2025 on atb-devel-224
tests/krb5: Add TD_CMS_DIGEST_ALGORITHMS constant 2025-11-18T23:28:40+00:00 Jennifer Sutton jennifersutton@catalyst.net.nz 2025-11-18T03:36:31+00:00 ed9e1c38790631302a2277209346f2ae24091b9d Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
s4:kdc:tests: support "kdc always generate pac" 2025-11-13T22:09:33+00:00 Gary Lockyer gary@catalyst.net.nz 2025-10-30T19:31:33+00:00 b71282b05daf413da02660119181c07c4d5bda28 Update the tests to check the "kdc always generate pac" configuration and expect the presence of a PAC accordingly. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
Update the tests to check the "kdc always generate pac" configuration and
expect the presence of a PAC accordingly.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
python: Factor out asn.1 methods into their own module 2025-11-05T04:08:40+00:00 Jennifer Sutton jennifersutton@catalyst.net.nz 2025-11-02T21:45:44+00:00 dbdd6952b6eed586e502d7c26af0b3e233e188a9 Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
python:tests/krb5: let check_device_info() allow an empty rid array 2025-04-03T09:36:31+00:00 Stefan Metzmacher metze@samba.org 2025-03-12T13:14:51+00:00 7b4b9ae0ea2a5f533cf249c9bdd5159f832f40a0 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>