authorStefan Metzmacher <metze@samba.org>2022-11-30 09:05:51 +0100
committerStefan Metzmacher <metze@samba.org>2022-12-14 00:48:49 +0100
commit34fc0da78699827674245ea5f00282107054ba9c (patch)
treef37523b9562190c00b6b80ab1d73014cd30ac91e /python/samba/tests/krb5/kdc_base_test.py
parent693a247d3b270677ec6f42189002c647a1e20e19 (diff)
CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
In order to allow better upgrades we need the default value for smb.conf to be the same even if the effective default value of the software changes in future. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad) [jsutton@samba.org Fixed conflicts]
Diffstat (limited to 'python/samba/tests/krb5/kdc_base_test.py')
-rw-r--r--python/samba/tests/krb5/kdc_base_test.py6
1 files changed, 5 insertions, 1 deletions
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 44ebd6cb61b..1a554016b1e 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -58,6 +58,9 @@ from samba.ndr import ndr_pack, ndr_unpack
from samba import net
from samba.samdb import SamDB, dsdb_Dn
+rc4_bit = security.KERB_ENCTYPE_RC4_HMAC_MD5
+aes256_sk_bit = security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK
+
from samba.tests import delete_force
import samba.tests.krb5.kcrypto as kcrypto
from samba.tests.krb5.raw_testcase import (
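Review bot: The two new module-level assignments sit in the middle of the import block, so `from samba.tests import delete_force` and the imports after it now follow executable code (flake8 E402). The names are also lower-case although they are used as constants. Moving both below the last import and adding a comment such as `# Bits the KDC uses when 'kdc default domain supported enctypes' is 0; keep in sync with the server default` would record why exactly these two enctype bits are singled out. `security` is presumably imported above the hunk; that is not visible here.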
@@ -633,7 +636,8 @@ class KDCBaseTest(RawKerberosTest):
if supported_enctypes is None:
lp = self.get_lp()
supported_enctypes = lp.get('kdc default domain supported enctypes')
-
+ if supported_enctypes == 0:
+ supported_enctypes = rc4_bit | aes256_sk_bit
supported_enctypes = int(supported_enctypes)
if extra_bits is not None:
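Review bot: The added `if supported_enctypes == 0:` runs before the `int(supported_enctypes)` coercion on the next line, so if `lp.get()` hands the value back as a string the comparison is never true and 0 is passed on instead of the default. Coercing first removes that dependency on the return type: `supported_enctypes = int(lp.get('kdc default domain supported enctypes'))`, then the zero check. The substituted `rc4_bit | aes256_sk_bit` also hard-codes the server's effective default, which still includes RC4. When that default changes, as the commit message anticipates, the test expectations will diverge silently unless a comment points to where the KDC defines it. Indentation is lost in this view, and the enclosing method starts and ends outside the hunk.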