python/samba/tests/krb5: Add check to confirm UF_SMARCARD_REQUIRED password is expire...

8944a10b145e99eb6372cace8225e4c5e9d6160e broke password expiry
checking on NTLM, but that is fixed after CID 1603594 triggered
815d696d4471f1b3a4267eb774eb80b07576031b.  In the past we could
not have password expiry times small enough to test expiry
(unlike "must change now"), but having no test was not good.

As we are already doing the sleep() here, add a test to the
password rotation test.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>

diff --git a/python/samba/tests/krb5/pkinit_tests.py b/python/samba/tests/krb5/pkinit_tests.py
index 0c92801cbcea386289c25149a8c596b0c95ddab2..1c87b041ad269750ea6c319771f6de03fe6f7223 100755 (executable)
--- a/python/samba/tests/krb5/pkinit_tests.py
+++ b/python/samba/tests/krb5/pkinit_tests.py
@@ -1204,6 +1204,20 @@ class PkInitTests(KDCBaseTest):
 
         self.assertEqual(expired, server_uac_expired)
 
+        # Check NTLM also saw this as expired
+        self._test_samlogon(
+            creds=client_creds,
+            logon_type=netlogon.NetlogonInteractiveInformation,
+            expect_error=ntstatus.NT_STATUS_SMARTCARD_LOGON_REQUIRED)
+
+        if expired:
+            self._test_samlogon(creds=client_creds,
+                                logon_type=netlogon.NetlogonNetworkInformation,
+                                expect_error=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
+        else:
+            self._test_samlogon(creds=client_creds,
+                                logon_type=netlogon.NetlogonNetworkInformation)
+
         pwd_last_set = int(res[0]["pwdLastSet"][0])
         self.assertGreater(pwd_last_set, 0)