authorStefan Metzmacher <metze@samba.org>2024-03-15 16:31:22 +0100
committerAndrew Bartlett <abartlet@samba.org>2024-05-22 03:04:34 +0000
commit2793ef3e1632c735f9caac015503aab06f53d543 (patch)
tree290ebe9f6ac9bbed277acb029edc489813054dbf /python/samba
parente2a5fbf5cf2b65db77e7c5a859c896acca69f432 (diff)
samba.tests.dckeytab: add test_export_keytab_change3_update_only_current_keep()
This tests that only_current_keys=True works. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python/samba')
-rw-r--r--python/samba/tests/dckeytab.py49
1 files changed, 49 insertions, 0 deletions
diff --git a/python/samba/tests/dckeytab.py b/python/samba/tests/dckeytab.py
index 7e47ab48898..9424c8e50ff 100644
--- a/python/samba/tests/dckeytab.py
+++ b/python/samba/tests/dckeytab.py
@@ -286,6 +286,55 @@ class DCKeytabTests(TestCaseInTempDir):
# history in 2nd export, 3 enctypes) were exported
self.assertGreaterEqual(len(keytab_as_set), 12)
+ def test_export_keytab_change3_update_only_current_keep(self):
+ new_principal=f"keytab_testuser@{self.creds.get_realm()}"
+ self.samdb.newuser("keytab_testuser", "4rfvBGT%")
+ self.addCleanup(self.samdb.deleteuser, "keytab_testuser")
+ net = Net(None, self.lp)
+ self.addCleanup(self.rm_files, self.ktfile)
+ net.export_keytab(keytab=self.ktfile, principal=new_principal)
+ self.assertTrue(os.path.exists(self.ktfile), 'keytab was not created')
+
+ # Parse the first entry in the keytab
+ with open(self.ktfile, 'rb') as bytes_kt:
+ keytab_orig_bytes = bytes_kt.read()
+
+ # By changing the password three times, we allow Samba to fill
+ # out current, old, older from supplementalCredentials and
+ # still have one password that must still be from the original
+ # keytab
+ self.samdb.setpassword(f"(userPrincipalName={new_principal})", "5rfvBGT%")
+ self.samdb.setpassword(f"(userPrincipalName={new_principal})", "6rfvBGT%")
+ self.samdb.setpassword(f"(userPrincipalName={new_principal})", "7rfvBGT%")
+
+ net.export_keytab(keytab=self.ktfile,
+ principal=new_principal,
+ keep_stale_entries=True,
+ only_current_keys=True)
+
+ with open(self.ktfile, 'rb') as bytes_kt:
+ keytab_change_bytes = bytes_kt.read()
+
+ self.assertNotEqual(keytab_orig_bytes, keytab_change_bytes)
+
+ # self.keytab_as_set() will also check we got each entry
+ # exactly once
+ keytab_as_set = self.keytab_as_set(keytab_change_bytes)
+
+ # Look for the new principal, showing this was updated but the old kept
+ found = 0
+ for entry in keytab_as_set:
+ (principal, enctype, kvno, key) = entry
+ if principal == new_principal and enctype == credentials.ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+ found += 1
+
+ # By default previous keys are not exported into the keytab.
+ self.assertEqual(found, 2)
+
+ # confirm at least 6 keys (1 change, 1 in orig export
+ # both with 3 enctypes) were exported
+ self.assertGreaterEqual(len(keytab_as_set), 6)
+
def test_export_keytab_change2_export2_update_keep(self):
new_principal=f"keytab_testuser@{self.creds.get_realm()}"
self.samdb.newuser("keytab_testuser", "4rfvBGT%")