tests:krb5 expired password handling
authorGary Lockyer <gary@catalyst.net.nz>
Thu, 26 Mar 2026 00:39:45 +0000 (13:39 +1300)
committerGary Lockyer <gary@samba.org>
Mon, 30 Mar 2026 23:37:36 +0000 (23:37 +0000)
The Windows AD DC checks password validity before password expiry, so an
incorrect password for an account whose password has expired will return
KDC_ERR_PREAUTH_REQUIRED, not KDC_ERR_KEY_EXPIRED.

The KDC behaviour fixes will be made to lorikeet-heimdal and then imported to
samba.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15746

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
python/samba/tests/krb5/as_req_tests.py
selftest/knownfail.d/bug-15746 [new file with mode: 0644]
selftest/knownfail_mit_kdc.d/as-req

index e4e677223d5c454ceba342f24fbb325a8d63ca6c..23a1a13a3a6a8d06fd14feb0cbaf34ed21f0476d 100755 (executable)
@@ -707,8 +707,7 @@ class AsReqKerberosTests(AsReqBaseTest):
             # the uncanonicalized client is going to be found first.
             expected_error = KDC_ERR_C_PRINCIPAL_UNKNOWN
         else:
-            expected_error = (KDC_ERR_KEY_EXPIRED,
-                              KDC_ERR_PREAUTH_FAILED,
+            expected_error = (KDC_ERR_PREAUTH_FAILED,
                               KDC_ERR_PREAUTH_REQUIRED)
 
         self._run_as_req_enc_timestamp(
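Review bot: The new `expected_error` tuple in the `else` branch carries no comment saying why KDC_ERR_KEY_EXPIRED is no longer acceptable, and the reason looks security-relevant. A KDC that answers a wrong password with KDC_ERR_KEY_EXPIRED presumably tells a client that has not proven knowledge of the password that the account's password has expired. I would add above the assignment `# Wrong password must fail pre-auth before expiry is checked; KDC_ERR_KEY_EXPIRED here would disclose account state (bug 15746).` The commit message names only KDC_ERR_PREAUTH_REQUIRED as the Windows result, while the tuple also accepts KDC_ERR_PREAUTH_FAILED. If the tuple means "any of these", which cannot be confirmed from this hunk, a short note on which code each target returns would keep the assertion from being looser than intended. The enclosing test method starts and ends outside the hunk.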
diff --git a/selftest/knownfail.d/bug-15746 b/selftest/knownfail.d/bug-15746
new file mode 100644 (file)
index 0000000..54a5719
--- /dev/null
@@ -0,0 +1,2 @@
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2008r2dc\)
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(ad_dc_ntvfs\)
index c2f1aa366cb70ddaa07c184c0d4850c9e69a2d08..46cc5c2972386d0eeda9d6662fd0a902f9f520b7 100644 (file)
@@ -39,6 +39,8 @@
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_None\(fl2003dc\)
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_True\(fl2003dc\)
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2003dc\)
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2008r2dc\)
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(ad_dc_ntvfs\)
 #
 # MIT currently fails some as_req_no_preauth tests.
 #
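Review bot: The two entries added to the MIT knownfail list (`fl2008r2dc` and `ad_dc_ntvfs`) have no comment or bug reference, unlike the Heimdal entries, which sit in a file named `bug-15746`. The commit message promises a fix only for lorikeet-heimdal, so nothing here says whether the MIT KDC behaviour is tracked or expected to stay. Because a knownfail entry silences the check that a wrong password is rejected before expiry is reported, I would add a line above the `test_pw_expired_wrong_password` entries such as `# MIT KDC does not return the Windows error for a wrong, expired password; see bug 15746.` The `fl2003dc` entry was already listed before this change, so the wording should be confirmed against the actual MIT result rather than assumed.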