tests/krb5: Calculate correct gMSA password to fix flapping test
authorJo Sutton <josutton@catalyst.net.nz>
Tue, 28 May 2024 04:59:30 +0000 (16:59 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 4 Jun 2024 20:52:09 +0000 (20:52 +0000)
If this test happens to be run in the five minute window prior to the
next ten‐hour GKDI interval — about once every one hundred and twenty
runs — the ‘current’ password requested from LDAP will actually be the
future password, which won’t match what’s in the database.

Instead of taking the password from LDAP, calculate it ourselves with
expected_gmsa_password_blob().

[330(7038)/334 at 43m51s] samba.tests.krb5.gmsa_tests(ad_dc:local)
UNEXPECTED(failure): samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_retrieving_managed_password_triggers_keys_update(ad_dc:local)
REASON: Exception: Exception: Traceback (most recent call last):
  File "/builds/samba-testbase/samba-def-build/bin/python/samba/tests/krb5/gmsa_tests.py", line 1091, in test_retrieving_managed_password_triggers_keys_update
    self.assertEqual(creds.get_nt_hash(), nt_hash)
AssertionError: b'\xcf[\xe8:\xc7-\xd4V\xce\t\xfc\xcd\x06.T\x8a' != b'c\xc5\x97k\x17"G\x1e\x81>\xacV\x9d.*\x14'

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jun  4 20:52:09 UTC 2024 on atb-devel-224

python/samba/tests/krb5/gmsa_tests.py

index 341b3f6dd9b21e8d393c0f58d666a7d0eb7a89c5..f27e42357131a95a5f8d518dfa0efca87e64180b 100755 (executable)
@@ -1079,8 +1079,18 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
             "supplementalCredentials has not been updated (yet)",
         )
 
+        # Calculate the password with which to authenticate.
+        current_series = self.gmsa_series_for_account(
+            local_samdb, creds, password_interval
+        )
+        managed_pwd = self.expected_gmsa_password_blob(
+            local_samdb,
+            creds,
+            current_series.interval_gkid(0),
+            query_expiration_gkid=current_series.interval_gkid(1),
+        )
+
         # Set the new password.
-        managed_pwd = ndr_unpack(gmsa.MANAGEDPASSWORD_BLOB, managed_password)
         self.assertIsNotNone(
             managed_pwd.passwords.current, "current password must be present"
         )