From f5689bb8fab82d5fcbdbd3c63b86e7618834aac5 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 22 Jul 2021 16:22:09 +1200
Subject: tests/krb5: Add method to calculate account salt

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 python/samba/tests/krb5/kdc_base_test.py |  2 ++
 python/samba/tests/krb5/raw_testcase.py  | 19 +++++++++++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)

(limited to 'python')

diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 21e2c04cea1..0dbaeab4a0e 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -192,6 +192,8 @@ class KDCBaseTest(RawKerberosTest):
         creds.set_username(account_name)
         if machine_account:
             creds.set_workstation(name)
+        else:
+            creds.set_workstation('')
         #
         # Save the account name so it can be deleted in tearDownClass
         self.accounts.add(dn)
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index e48d501ad19..2dbcc39114a 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -295,6 +295,20 @@ class KerberosCredentials(Credentials):
     def get_forced_salt(self):
         return self.forced_salt
 
+    def get_salt(self):
+        if self.forced_salt is not None:
+            return self.forced_salt
+
+        if self.get_workstation():
+            salt_string = '%shost%s.%s' % (
+                self.get_realm().upper(),
+                self.get_username().lower().rsplit('$', 1)[0],
+                self.get_realm().lower())
+        else:
+            salt_string = self.get_realm().upper() + self.get_username()
+
+        return salt_string.encode('utf-8')
+
 
 class KerberosTicketCreds:
     def __init__(self, ticket, session_key,
@@ -940,10 +954,7 @@ class RawKerberosTest(TestCaseInTempDir):
 
         password = creds.get_password()
         self.assertIsNotNone(password, msg=fail_msg)
-        salt = creds.get_forced_salt()
-        if salt is None:
-            salt = bytes("%s%s" % (creds.get_realm(), creds.get_username()),
-                         encoding='utf-8')
+        salt = creds.get_salt()
         return self.PasswordKey_create(etype=etype,
                                        pwd=password,
                                        salt=salt,
-- 
cgit v1.2.1