tests/krb5: Fix PK-INIT test framework to allow expired password keys

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7cc8f455191faacf32efc474c27e99d45ef2e024)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index db4db9c9e85732b0d946fa7b61e32a528edbe05e..f3f7778c8415b83a819e5a5634eaba07c9a1783c 100644 (file)
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -65,6 +65,7 @@ from samba.tests.krb5.rfc4120_constants import (
     FX_FAST_ARMOR_AP_REQUEST,
     KDC_ERR_CLIENT_REVOKED,
     KDC_ERR_GENERIC,
+    KDC_ERR_KEY_EXPIRED,
     KDC_ERR_POLICY,
     KDC_ERR_PREAUTH_FAILED,
     KDC_ERR_SKEW,
@@ -5031,6 +5032,8 @@ class RawKerberosTest(TestCase):
                 if ('1' in sent_pac_options
                         and error_code not in (0, KDC_ERR_GENERIC)):
                     expected_patypes += (PADATA_PAC_OPTIONS,)
+            elif error_code == KDC_ERR_KEY_EXPIRED:
+                expected_patypes += (PADATA_PK_AS_REP,)
             elif error_code != KDC_ERR_GENERIC:
                 if expect_etype_info:
                     expected_patypes += (PADATA_ETYPE_INFO,)

diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py
index 583ffbaf6af5bf223dc8c7f434e8db27feccbd1c..a5dc83db7ab1539b234496d6979e6eb72e06cd7b 100644 (file)
--- a/python/samba/tests/krb5/rfc4120_constants.py
+++ b/python/samba/tests/krb5/rfc4120_constants.py
@@ -99,6 +99,7 @@ KDC_ERR_ETYPE_NOSUPP = 14
 KDC_ERR_SUMTYPE_NOSUPP = 15
 KDC_ERR_CLIENT_REVOKED = 18
 KDC_ERR_TGT_REVOKED = 20
+KDC_ERR_KEY_EXPIRED = 23
 KDC_ERR_PREAUTH_FAILED = 24
 KDC_ERR_PREAUTH_REQUIRED = 25
 KDC_ERR_BAD_INTEGRITY = 31