From 6a1549a49557fa1149b30d3a626f6833e673b229 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 5 Oct 2021 15:39:11 +1300
Subject: [PATCH] tests/krb5: Require ticket checksums if decryption key is
 available

We perform this check conditionally, because MIT doesn't currently add
ticket checksums.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bf63221722903665e7b20991021fb5cdf4e4327e)
---
 python/samba/tests/krb5/raw_testcase.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 1f7c51c07a5..2e289c90ce7 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2493,15 +2493,14 @@ class RawKerberosTest(TestCaseInTempDir):
             ticket_private=ticket_private,
             encpart_private=encpart_private)
 
-        # TODO: This parameter should be removed when all service tickets are
-        # issued with ticket checksums.
         expect_ticket_checksum = kdc_exchange_dict['expect_ticket_checksum']
         if expect_ticket_checksum:
             self.assertIsNotNone(ticket_decryption_key)
 
         if ticket_decryption_key is not None:
             self.verify_ticket(ticket_creds, krbtgt_key, expect_pac=expect_pac,
-                               expect_ticket_checksum=expect_ticket_checksum)
+                               expect_ticket_checksum=expect_ticket_checksum
+                               or self.tkt_sig_support)
 
         kdc_exchange_dict['rep_ticket_creds'] = ticket_creds
 
-- 
2.11.4.GIT