rpc_client: Adapt rpc_write_send() to tevent_req conventions

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_client: Adapt rpc_api_pipe_send() to recent coding conventions

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_client: Use ndr_syntax_id_equal() in check_bind_response()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_client: Use struct init/assignment

Don't leave structures/unions partially uninitialized

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_client: Adapt rpc_pipe_bind_send() to talloc_req conventions

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_client: Avoid ZERO_STRUCTP in prepare_verification_trailer()

Direct struct assignments are easier to read for me, but YMMV.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_client: Adapt rpc_api_pipe_req_send() to talloc_req conventions

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_client: Slightly simplify rpc_api_pipe_req_send()

tevent_req_create() zero-initializes "state"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_client: Early TALLOC_FREE() in prepare_verification_trailer()

We don't need "t" from here on anymore

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_client: Fix a small memleak

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_client: Slightly simplify rpc_transport_np_init_pipe_open()

Avoid an unnecessary else, use tevent_req_nterror() in if-clause

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Improve comment wording

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server: Fix a comment

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server: Simplify _samr_CreateUser2()

Use a variable that we just set a line before, don't duplicate the
priv name.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server: Align integer types

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server: Remove an unused function declaration

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server: Slightly simplify set_user_info_18()

Instead of adding the NULL check to data_blob_talloc_zero() put "out"
on the stack.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server: Slightly simplify set_user_info_21()

Instead of adding the NULL check to data_blob_talloc_zero() put "out"
on the stack.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server: Simplify open_np_file()

No need to go via a string to create the SID describing the SMB3
encryption, we can directly use sid_append_rid().

This by the way fixes a bug: SID_MAX_SIZE is the maximum length of the
binary SID, not the maximum string length for a SID.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

librpc: Simplify GUID_hexstring()

A temporary talloc context seems unnecessary to me.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

librpc: Simplify GUID_string2() by using GUID_buf_string()

Avoid unnecessary talloc

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

librpc: Simplify GUID_zero() with a direct struct return

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

samba-tool domain backup: Use tdbbackup on metadata.tdb

metadata.tdb is inside sam.ldb.d/ but should be backed up with tdbbackup.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Aug 24 13:22:04 UTC 2021 on sn-devel-184

samba-tool: Rework transations/locks to hold a lock during mdb backup

We now also get sidForRestore under that lock, rather than
after the backup.

This avoids using the database again after the backup process

While not entirely clear how/why this matters with LMDB
as seen in Fedora 34, likely due to the same issues
seen with 0.9.26 or later fixed by commmit
bb3dcd403ced922574a89011dd3814c4fe87dd76.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb

This avoids opening the database again by having the caller pass in
the DB open

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

selftest: Add python path for compiled python modules like ldb

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3: smbd: Ensure all returns from OpenDir() correctly set errno.

Complex code paths inside open_internal_dirfsp() can return an
NTSTATUS, but trample on the matching errno. We need to make
sure if open_internal_dirfsp() fails, errno matches the NTSTATUS
return.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14805

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Aug 20 09:56:49 UTC 2021 on sn-devel-184

s3: VFS: streams_depot: Allow "streams directory" outside of share path to work again.

As we're dealing with absolute paths here, we just need
to temporarily replace the connectpath whilst enumerating
streams.

Remove knownfail file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14760

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Aug 19 17:04:44 UTC 2021 on sn-devel-184

s3: VFS: vfs_streams_depot: Factor out the code that gets the absolute stream rootdir into a function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14760

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>

s3: selftest: Add a test for vfs_streams_depot with the target path outside of the share.

Mark as knownfail.d/simpleserver_streams

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14760

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>

s4: torture: CHECK ret value and fail if false

If we reach 'done' with ret == false without setting
the torture result we get unexpected results e.g.

Exception: Exception: Unknown error/failure. Missing torture_fail() or torture_assert_*() call?

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14760

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

tests/krb5: Add FAST tests

Example command:

SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \
KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184

initial FAST tests

Currently incomplete, and tested only against MIT Kerberos.

[abartlet@samba.org
 Originally "WIP inital FAST tests"

 Samba's general policy that we don't push WIP patches, we polish
 into a 'perfect' patch stream.

 However, I think there are good reasons to keep this patch distinct
 in this particular case.

 Gary is being modest in titling this WIP (now removed from the title
 to avoid confusion). They are not WIP in the normal sense of
 partially or untested code or random unfinished thoughts. The primary
 issue is that at that point where Gary had to finish up he had
 trouble getting FAST support enabled on Windows, so couldn't test
 against our standard reference. They are instead good, working
 initial tests written against the RFC and tested against Samba's AD DC
 in the mode backed by MIT Kerberos.

 This preserves clear authorship for the two distinct bodies of work,
 as in the next patch Joseph was able to extend and improve the tests
 significantly. ]

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Check PADATA-FX-ERROR in reply

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Check PADATA-PAC-OPTIONS in reply

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Make check_rep_padata() also work for checking TGS replies

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Check PADATA-FX-COOKIE in reply

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Adjust reply padata checking depending on whether FAST was sent

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Check reply FAST padata if request included FAST

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Check sname is krbtgt for FAST generic error

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add get_krbtgt_sname() method

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add check_rep_padata() method to check padata in reply

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Include authdata in kdc_exchange_dict

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict

This is useful for testing the 'hide client names' FAST option.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Check encrypted-pa-data

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add methods to determine whether elements were included in the request

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add functions to get dicts of request padata

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Check FAST response

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add method to verify ticket checksum for FAST

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add method to check PA-FX-FAST-REPLY

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Allow specifying parameters specific to the outer request body

This is useful for testing FAST.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add FAST armor generation to _generic_kdc_exchange()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Include authenticator_subkey in AS-REQ exchange dict

This is needed for FAST.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()

This method will also be useful in checking TGS-REP error replies.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add methods to calculate keys for FAST

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add method to generate FAST encrypted challenge padata

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add more methods to create ASN1 objects for FAST

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add more ASN1 definitions for FAST

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Ensure generated padata is not None

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add generate_ap_req() method

This method will be useful to generate an AP-REQ for use as FAST armor.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Check nonce in EncKDCRepPart

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Make checking less strict

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Check version number of obtained ticket

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Assert that more variables are not None

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Ensure in assertElementPresent() that container elements are not empty

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn

This means that there can no longer be surprises where a test receives a
reply when it was expecting an error, or vice versa.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Include kdc_options in kdc_exchange_dict

Make kdc_options an element of kdc_exchange_dict instead of a parameter
to _generic_kdc_exchange(). This allows testing code to adjust the reply
checking based on the options that were specified in the request.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Always specify expected error code

Now the expected error code is always determined by the test code itself
rather than by generic_check_as_error().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add check_reply() method to check for AS or TGS reply

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add method to calculate account salt

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add more methods for obtaining machine and service credentials

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Allow specifying additional details when creating an account

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Use encryption with admin credentials

This ensures that account creation using admin credentials succeeds.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add get_EpochFromKerberosTime()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Make _test_as_exchange() return value more consistent

Always return the reply and the kdc_exchange_dict so that the caller has
more potentially useful information.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add method to return dict containing padata elements

This makes checking multiple padata elements easier.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Add get_enc_timestamp_pa_data_from_key()

This makes it easier to create encrypted timestamp padata when the key
has already been obtained.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Refactor get_pa_data()

The function now returns a single padata object rather than a list,
making it easier to combine multiple padata elements into a request. The
new name 'get_enc_timestamp_pa_data' also makes it clearer as to what
the method generates.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Allow cf2 to automatically use the enctype of the first key

RFC6113 states: "Unless otherwise specified, the resulting enctype of
KRB-FX-CF2 is the enctype of k1." This change means the enctype no
longer has to be specified manually.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Use credentials kvno when creating password key

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Check Kerberos protocol version number

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Fix encpart_decryption_key with MIT KDC

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Fix callback_dict parameter

Items contained in a default-created callback_dict should not be carried
over between unrelated calls to {as,tgs}_as_exchange_dict().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Fix including enc-authorization-data

Remove the EncAuthorizationData parameters from AS_REQ_create(), since
it should only be present in the TGS-REQ form. Also, fix a call to
EncryptedData_create() to supply the key usage when creating
enc-authorization-data.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Remove magic constants

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Simplify Python syntax

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Use more compact dict lookup

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Remove unneeded statements

A return statement is redundant as the last statement in a method, as
methods will otherwise return None. Also, code blocks consisting of a
single 'pass' statement can be safely omitted.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: formatting

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: Fix method name typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>