selftest: allow EncASRepPart to be encoded as EncTGSRepPart

that's how MIT kdc encodes it, clients accept both.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py
index c9998c4d2db4aea38590d5d156638b704c4a7b66..236fbda1cd5f4670ffb9a61d39d8d8526e99d394 100755 (executable)
--- a/python/samba/tests/krb5/simple_tests.py
+++ b/python/samba/tests/krb5/simple_tests.py
@@ -115,7 +115,12 @@ class SimpleKerberosTests(RawKerberosTest):
 
         usage = 3
         enc_part2 = key.decrypt(usage, rep['enc-part']['cipher'])
-        enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
+
+        # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26
+        try:
+            enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
+        except Exception:
+            enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart())
 
         # TGS Request
         service_creds = self.get_service_creds(allow_missing_password=True)