Diffstat (limited to 'python/samba/tests/krb5/raw_testcase.py')
-rw-r--r--python/samba/tests/krb5/raw_testcase.py29
1 files changed, 23 insertions, 6 deletions
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index bda5f31a203..4b9a468777e 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -360,6 +360,10 @@ class KerberosCredentials(Credentials):
security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED |
security.KERB_ENCTYPE_CLAIMS_SUPPORTED)
+ non_etype_bits = fast_supported_bits | (
+ security.KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED) | (
+ security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK)
+
def __init__(self):
super(KerberosCredentials, self).__init__()
all_enc_types = 0
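Review bot: `non_etype_bits` is added without a comment, and the name alone does not say why these flags are exempt from the `Unsupported etype bits` check changed in the hunk at -421. Every bit in this mask is cleared before that check, so it is never reported; a reader adding a constant here should know that. I would put a one-line comment above the assignment, for example `# Flag bits that may be set in the mask but do not name an encryption type; they are cleared before the unsupported-bits check.` The class body continues outside the hunk.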
@@ -421,7 +425,7 @@ class KerberosCredentials(Credentials):
bits &= ~bit
etypes += (etype,)
- bits &= ~cls.fast_supported_bits
+ bits &= ~cls.non_etype_bits
if bits != 0:
raise ValueError(f'Unsupported etype bits: {bits}')
@@ -548,6 +552,8 @@ class RawKerberosTest(TestCaseInTempDir):
{"value": kcrypto.Enctype.RC4, "name": "rc4", },
)
+ expect_padata_outer = object()
+
setup_etype_test_permutations_done = False
@classmethod
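Review bot: `expect_padata_outer = object()` is a sentinel with no comment, and its meaning only shows in the last hunk, where `expect_edata is self.expect_padata_outer` is converted to `False` for the inner request. A comment at the definition would help, for example `# Sentinel for expect_edata: expect e-data on the outer reply only, not on the inner one.` The name says "padata" while the visible use is on `expect_edata`, so the comment, or a rename, should settle which is meant. A bare `object()` is truthy, so any `if expect_edata:` test reached before the conversion treats the sentinel as "expected"; that looks intended for the outer case but is not stated.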
@@ -652,6 +658,18 @@ class RawKerberosTest(TestCaseInTempDir):
expect_extra_pac_buffers = '1'
cls.expect_extra_pac_buffers = bool(int(expect_extra_pac_buffers))
+ default_etypes = samba.tests.env_get_var_value('DEFAULT_ETYPES',
+ allow_missing=True)
+ if default_etypes is not None:
+ default_etypes = int(default_etypes)
+ cls.default_etypes = default_etypes
+
+ forced_rc4 = samba.tests.env_get_var_value('FORCED_RC4',
+ allow_missing=True)
+ if forced_rc4 is None:
+ forced_rc4 = '0'
+ cls.forced_rc4 = bool(int(forced_rc4))
+
def setUp(self):
super().setUp()
self.do_asn1_print = False
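Review bot: `int(default_etypes)` and `int(forced_rc4)` parse the environment values as decimal only, and a bad value raises a bare `ValueError` that does not name the variable. If `DEFAULT_ETYPES` is meant to carry an enctype bit mask (its use is not visible in this hunk), a hex value such as a constructed `0x18` is rejected; `int(default_etypes, 0)` would accept both forms. Naming the variable in the error, e.g. `raise ValueError(f'DEFAULT_ETYPES must be an integer, got {default_etypes!r}')`, makes a misconfigured test environment easier to diagnose. The new code follows the same pattern as the existing `expect_extra_pac_buffers` lines above it, and the enclosing classmethod starts outside the hunk.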
@@ -1255,7 +1273,8 @@ class RawKerberosTest(TestCaseInTempDir):
if etype is None:
etypes = creds.get_tgs_krb5_etypes()
- if etypes:
+ if etypes and etypes[0] not in (kcrypto.Enctype.DES_CRC,
+ kcrypto.Enctype.DES_MD5):
etype = etypes[0]
else:
etype = kcrypto.Enctype.RC4
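Review bot: Only `etypes[0]` is tested against the DES types, so a list whose first entry is DES but which also holds another type falls through to the `else` branch and picks RC4. If `get_tgs_krb5_etypes()` can return such a list (its ordering is not visible here), taking the first non-DES entry keeps the test on a type the account actually advertises: `etype = next((e for e in etypes if e not in (kcrypto.Enctype.DES_CRC, kcrypto.Enctype.DES_MD5)), kcrypto.Enctype.RC4)`. A short comment saying why DES is skipped would also help the next reader. The enclosing method starts and ends outside the hunk.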
@@ -2920,10 +2939,6 @@ class RawKerberosTest(TestCaseInTempDir):
if PADATA_SUPPORTED_ETYPES in enc_pa_dict:
expected_supported_etypes = kdc_exchange_dict[
'expected_supported_etypes']
- expected_supported_etypes |= (
- security.KERB_ENCTYPE_DES_CBC_CRC |
- security.KERB_ENCTYPE_DES_CBC_MD5 |
- security.KERB_ENCTYPE_RC4_HMAC_MD5)
(supported_etypes,) = struct.unpack(
'<L',
@@ -3233,6 +3248,8 @@ class RawKerberosTest(TestCaseInTempDir):
and (not sent_fast or fast_armor_type is None
or fast_armor_type == FX_FAST_ARMOR_AP_REQUEST)
and not inner)
+ if inner and expect_edata is self.expect_padata_outer:
+ expect_edata = False
if not expect_edata:
self.assertIsNone(expected_status)
self.assertElementMissing(rep, 'e-data')