git.ipfire.org Git - thirdparty/samba.git/commitdiff
python:tests/krb5: Make PADATA_PK_AS_REP optional in non-strict mode
author Andreas Schneider <asn@samba.org>
Wed, 25 Mar 2026 11:44:02 +0000 (12:44 +0100)
committer Andreas Schneider <asn@cryptomilk.org>
Mon, 30 Mar 2026 10:41:07 +0000 (10:41 +0000)
Commit c1433f821f7 added PADATA_PK_AS_REP (PA-PK-AS-REP, type 17) to
the expected padata list when check_rep_padata sees KDC_ERR_KEY_EXPIRED.
This reflects Samba's Heimdal KDC behaviour, which includes PKINIT hints
in expired-password error responses.

Samba with MIT KDC does not include PADATA_PK_AS_REP in KDC_ERR_KEY_EXPIRED
responses; it returns a METHOD-DATA with just the NTSTATUS payload (type 3) and
the FX-COOKIE (type 133).  This causes test_pw_expired to fail intermittently
when the expired-password code path is exercised against MIT KDC.

Add PADATA_PK_AS_REP to the require_strict set alongside PADATA_PK_AS_REP_19,
so it is treated as optional in non-strict checking mode (STRICT_CHECKING=0)
while still being enforced in strict mode.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Mar 30 10:41:07 UTC 2026 on atb-devel-224

python/samba/tests/krb5/raw_testcase.py
selftest/knownfail_mit_kdc.d/as-req
selftest/knownfail_mit_kdc.d/no-implicit-dollar-canonicalization

index 498f107cf132785b4b234c9da683bf44143c3e7c..1fab00eaf95c1b6b8a5398155726f325db8c66d7 100644 (file)
@@ -5379,6 +5379,7 @@ class RawKerberosTest(TestCase):
             require_strict = {PADATA_FX_COOKIE,
                               PADATA_FX_FAST,
                               PADATA_PAC_OPTIONS,
+                              PADATA_PK_AS_REP,
                               PADATA_PK_AS_REP_19,
                               PADATA_PK_AS_REQ,
                               PADATA_PKINIT_KX,
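Review bot: the added PADATA_PK_AS_REP entry in require_strict has no comment, and nothing in the visible lines limits the relaxation to the KDC_ERR_KEY_EXPIRED case that the commit message describes. With STRICT_CHECKING=0 the type 17 padata becomes optional wherever this set is consulted, so a missing PA-PK-AS-REP in some other reply would also pass in non-strict runs. Consider a short comment beside the entry naming the MIT KDC expired-password behaviour, or scoping the exception to that error code if the surrounding code allows it.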
index aa29a482d58efca97bf7435816bba66508432fe6..c2f1aa366cb70ddaa07c184c0d4850c9e69a2d08 100644 (file)
@@ -38,7 +38,6 @@
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_False\(fl2003dc\)
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_None\(fl2003dc\)
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_True\(fl2003dc\)
-^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2008r2dc\)
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2003dc\)
 #
 # MIT currently fails some as_req_no_preauth tests.
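Review bot: the knownfail for test_pw_expired_wrong_password\(fl2008r2dc\) is dropped, but the fl2003dc entry on the next line stays and the commit message does not say why that environment still fails. The message also names test_pw_expired as the intermittently failing test, while the entry removed here is test_pw_expired_wrong_password. Please confirm that the fl2003dc failure has a different cause and say so in the commit message, or remove that entry as well.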
index af3910af71b3e7080053125e6f020f12af68aa9f..93d7ec4bb99ce5a1e7dd62732344c0e5bf9d3983 100644 (file)
@@ -1,10 +1,8 @@
 ^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_logon_hours\(ad_dc_ntvfs\)
 ^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_logon_hours_wrong_password\(ad_dc_ntvfs\)
-^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_pw_expired_wrong_password\(ad_dc_ntvfs\)
 ^samba\.tests\.krb5\.alias_tests\.samba\.tests\.krb5\.alias_tests\.AliasTests\.test_create_alias_delete\(ad_dc_ntvfs\)
 ^samba\.tests\.krb5\.alias_tests\.samba\.tests\.krb5\.alias_tests\.AliasTests\.test_create_alias_rename\(ad_dc_ntvfs\)
 ^samba\.tests\.krb5\.alias_tests\.samba\.tests\.krb5\.alias_tests\.AliasTests\.test_dc_alias_delete\(ad_dc_ntvfs\)
 ^samba\.tests\.krb5\.alias_tests\.samba\.tests\.krb5\.alias_tests\.AliasTests\.test_dc_alias_rename\(ad_dc_ntvfs\)
 ^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_logon_hours\(ad_dc_ntvfs\)
 ^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_logon_hours_wrong_password\(ad_dc_ntvfs\)
-^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_pw_expired_wrong_password\(ad_dc_ntvfs\)
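Review bot: once the two test_pw_expired_wrong_password\(ad_dc_ntvfs\) lines are removed, the file still lists test_logon_hours\(ad_dc_ntvfs\) and test_logon_hours_wrong_password\(ad_dc_ntvfs\) twice, at the top and at the bottom of this hunk. Since this change already touches a duplicated pair, dropping the repeated logon_hours entries here would leave each pattern listed once and make later knownfail removals less error-prone.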