diff options
| author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2023-06-20 16:46:03 +1200 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2023-06-27 05:45:36 +0000 |
| commit | fcfdb44381f60007679b5cdcff44b4aaf866b376 (patch) | |
| tree | 2d3a84fcaa1dd35638ac0ca3ab6c949d2396806d /python/samba | |
| parent | 0e43d11e39bf57dccebd661e028a717be2b8803c (diff) | |
| download | samba-fcfdb44381f60007679b5cdcff44b4aaf866b376.tar.gz samba-fcfdb44381f60007679b5cdcff44b4aaf866b376.tar.bz2 samba-fcfdb44381f60007679b5cdcff44b4aaf866b376.zip | |
tests/krb5: Be less strict regarding acceptable delegation error codes
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'python/samba')
| -rwxr-xr-x | python/samba/tests/krb5/s4u_tests.py | 36 |
1 files changed, 24 insertions, 12 deletions
diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index fbd32d00dd1..d91c06c418f 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -1018,7 +1018,8 @@ class S4UKerberosTests(KDCBaseTest): self._run_delegation_test( { 'expected_error_mode': (KDC_ERR_MODIFIED, - KDC_ERR_BADOPTION), + KDC_ERR_BADOPTION, + KDC_ERR_TGT_REVOKED), 'allow_delegation': True, 'modify_client_tkt_fn': self.remove_ticket_pac, 'expect_edata': False, @@ -1128,7 +1129,8 @@ class S4UKerberosTests(KDCBaseTest): # contain a PAC, and an empty msDS-AllowedToDelegateTo attribute. self._run_delegation_test( { - 'expected_error_mode': KDC_ERR_MODIFIED, + 'expected_error_mode': (KDC_ERR_MODIFIED, + KDC_ERR_TGT_REVOKED), # We aren’t particular about whether or not we get an NTSTATUS. 'expect_status': None, 'expected_status': ntstatus.NT_STATUS_NOT_SUPPORTED, @@ -1144,7 +1146,8 @@ class S4UKerberosTests(KDCBaseTest): # contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute. self._run_delegation_test( { - 'expected_error_mode': KDC_ERR_MODIFIED, + 'expected_error_mode': (KDC_ERR_MODIFIED, + KDC_ERR_TGT_REVOKED), # We aren’t particular about whether or not we get an NTSTATUS. 'expect_status': None, 'expected_status': ntstatus.NT_STATUS_NO_MATCH, @@ -1177,7 +1180,8 @@ class S4UKerberosTests(KDCBaseTest): # contain a PAC, and an empty msDS-AllowedToDelegateTo attribute. self._run_delegation_test( { - 'expected_error_mode': KDC_ERR_MODIFIED, + 'expected_error_mode': (KDC_ERR_MODIFIED, + KDC_ERR_TGT_REVOKED), # We aren’t particular about whether or not we get an NTSTATUS. 'expect_status': None, 'expected_status': ntstatus.NT_STATUS_NOT_SUPPORTED, @@ -1196,7 +1200,8 @@ class S4UKerberosTests(KDCBaseTest): # contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute. self._run_delegation_test( { - 'expected_error_mode': KDC_ERR_MODIFIED, + 'expected_error_mode': (KDC_ERR_MODIFIED, + KDC_ERR_TGT_REVOKED), # We aren’t particular about whether or not we get an NTSTATUS. 'expect_status': None, 'expected_status': ntstatus.NT_STATUS_NO_MATCH, @@ -1356,7 +1361,8 @@ class S4UKerberosTests(KDCBaseTest): for checksum in self.pac_checksum_types: with self.subTest(checksum=checksum): if checksum == krb5pac.PAC_TYPE_TICKET_CHECKSUM: - expected_error_mode = KDC_ERR_MODIFIED + expected_error_mode = (KDC_ERR_MODIFIED, + KDC_ERR_BADOPTION) else: expected_error_mode = KDC_ERR_GENERIC @@ -1443,7 +1449,8 @@ class S4UKerberosTests(KDCBaseTest): with self.subTest(checksum=checksum): self._run_delegation_test( { - 'expected_error_mode': KDC_ERR_MODIFIED, + 'expected_error_mode': (KDC_ERR_MODIFIED, + KDC_ERR_BAD_INTEGRITY), # We aren’t particular about whether or not we get an # NTSTATUS. 'expect_status': None, @@ -1462,7 +1469,8 @@ class S4UKerberosTests(KDCBaseTest): for checksum in self.pac_checksum_types: with self.subTest(checksum=checksum): if checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM: - expected_error_mode = KDC_ERR_MODIFIED + expected_error_mode = (KDC_ERR_MODIFIED, + KDC_ERR_BAD_INTEGRITY) # We aren’t particular about whether or not we get an # NTSTATUS. expect_status = None @@ -1551,9 +1559,11 @@ class S4UKerberosTests(KDCBaseTest): with self.subTest(checksum=checksum, ctype=ctype): if (checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM and ctype == Cksumtype.SHA1): - expected_error_mode = KDC_ERR_SUMTYPE_NOSUPP + expected_error_mode = (KDC_ERR_SUMTYPE_NOSUPP, + KDC_ERR_INAPP_CKSUM) else: - expected_error_mode = KDC_ERR_GENERIC + expected_error_mode = (KDC_ERR_GENERIC, + KDC_ERR_INAPP_CKSUM) self._run_delegation_test( { @@ -1582,10 +1592,12 @@ class S4UKerberosTests(KDCBaseTest): # NTSTATUS. expect_status = None if ctype == Cksumtype.SHA1: - expected_error_mode = KDC_ERR_SUMTYPE_NOSUPP + expected_error_mode = (KDC_ERR_SUMTYPE_NOSUPP, + KDC_ERR_INAPP_CKSUM) expected_status = ntstatus.NT_STATUS_LOGON_FAILURE else: - expected_error_mode = KDC_ERR_GENERIC + expected_error_mode = (KDC_ERR_GENERIC, + KDC_ERR_INAPP_CKSUM) expected_status = ( ntstatus.NT_STATUS_INSUFFICIENT_RESOURCES) else: |