From: Andrew Bartlett
Date: Tue, 11 Jun 2024 22:24:18 +0000 (+1200)
Subject: python/samba/tests/krb5: Add tests for password expiry with krb5 ENC-TS
X-Git-Tag: tdb-1.4.11~367
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aecbfe5218326c2b4eb9a4e6c6b05719035585f9;p=thirdparty%2Fsamba.git

python/samba/tests/krb5: Add tests for password expiry with krb5 ENC-TS

This augments the PKINIT based tests to show this is correctly handled
for the fare more usual case.

Signed-off-by: Andrew Bartlett
Reviewed-by: David Mulder

Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Thu Jun 13 00:45:36 UTC 2024 on atb-devel-224
---

diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 4d0940caa46..55c27a2bed3 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -22,8 +22,12 @@ import os
 sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
 
-from samba import ntstatus
+import time
+
+from samba import credentials, ntstatus
+from samba.dcerpc import netlogon
 from samba.tests import DynamicTestCase
+from samba.tests.pso import PasswordSettings
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
 import samba.tests.krb5.kcrypto as kcrypto
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
@@ -33,6 +37,8 @@ from samba.tests.krb5.rfc4120_constants import (
     KDC_ERR_S_PRINCIPAL_UNKNOWN,
     KDC_ERR_ETYPE_NOSUPP,
     KDC_ERR_PREAUTH_REQUIRED,
+    KDC_ERR_PREAUTH_FAILED,
+    KDC_ERR_KEY_EXPIRED,
     KU_PA_ENC_TIMESTAMP,
     NT_ENTERPRISE_PRINCIPAL,
     NT_PRINCIPAL,
@@ -150,6 +156,7 @@ class AsReqBaseTest(KDCBaseTest):
             etypes,
             preauth_padata,
             kdc_options,
+            creds=client_creds,
             expected_supported_etypes=krbtgt_supported_etypes,
             expected_account_name=user_name,
             expect_edata=expect_pa_edata,
@@ -591,6 +598,77 @@ class AsReqKerberosTests(AsReqBaseTest):
             expected_pa_error=KDC_ERR_CLIENT_REVOKED,
             expect_pa_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS)
 
+    def test_pw_expired(self):
+        """Test making an AS-REQ with an expired password."""
+
+        client_creds = self.get_cached_creds(
+            account_type=self.AccountType.USER)
+        client_creds.set_kerberos_state(credentials.AUTO_USE_KERBEROS)
+
+        userdn = str(client_creds.get_dn())
+        samdb = self.get_samdb()
+
+        # create a PSO setting password_age_max to 1 second
+        #
+        # The first parameter is not a username, just a new unique name for the PSO
+        short_expiry_pso = PasswordSettings(self.get_new_username(), samdb,
+                                            precedence=200,
+                                            password_age_max=1)
+        self.addCleanup(samdb.delete, short_expiry_pso.dn)
+        short_expiry_pso.apply_to(userdn)
+
+        time.sleep(1)
+
+        # Expect to get a CLIENT_REVOKED error.
+        self._run_as_req_enc_timestamp(
+            client_creds,
+            expected_error=(KDC_ERR_KEY_EXPIRED, KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED),
+            expect_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED,
+            expected_pa_error=KDC_ERR_KEY_EXPIRED,
+            expect_pa_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
+
+        self._test_samlogon(creds=client_creds,
+                            logon_type=netlogon.NetlogonNetworkInformation,
+                            expect_error=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
+
+    def test_pw_expired_wrong_password(self):
+        """Test making an AS-REQ with an expired, wrong password"""
+
+        # Use a non-cached account so that it is not locked out for other
+        # tests.
+        client_creds = self.get_cached_creds(
+            account_type=self.AccountType.USER,
+            use_cache=False)
+        client_creds.set_kerberos_state(credentials.AUTO_USE_KERBEROS)
+
+        userdn = str(client_creds.get_dn())
+        samdb = self.get_samdb()
+
+        # create a PSO setting password_age_max to 1 second
+        #
+        # The first parameter is not a username, just a new unique name for the PSO
+        short_expiry_pso = PasswordSettings(self.get_new_username(), samdb,
+                                            precedence=200,
+                                            password_age_max=1)
+        self.addCleanup(samdb.delete, short_expiry_pso.dn)
+        short_expiry_pso.apply_to(userdn)
+
+        time.sleep(1)
+
+        client_creds.set_password('wrong password')
+
+        # Expect to get a CLIENT_REVOKED error.
+        self._run_as_req_enc_timestamp(
+            client_creds,
+            expected_error=(KDC_ERR_KEY_EXPIRED, KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED),
+            expect_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED,
+            expected_pa_error=KDC_ERR_PREAUTH_FAILED,
+            expect_pa_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
+
+        self._test_samlogon(creds=client_creds,
+                            logon_type=netlogon.NetlogonNetworkInformation,
+                            expect_error=ntstatus.NT_STATUS_WRONG_PASSWORD)
+
     def test_as_req_unicode(self):
         client_creds = self.get_cached_creds(
             account_type=self.AccountType.USER,
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index cb033472069..61a666a2b1f 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -5100,7 +5100,8 @@ class RawKerberosTest(TestCase):
         if sent_freshness:
             expected_patypes += PADATA_AS_FRESHNESS,
 
-        if (self.kdc_fast_support
+        if (error_code != KDC_ERR_PREAUTH_FAILED
+                and self.kdc_fast_support
                 and not sent_fast
                 and not sent_enc_challenge):
             expected_patypes += (PADATA_FX_FAST,)
diff --git a/selftest/expectedfail.d/kdc_test_pw_expired b/selftest/expectedfail.d/kdc_test_pw_expired
new file mode 100644
index 00000000000..979330faacf
--- /dev/null
+++ b/selftest/expectedfail.d/kdc_test_pw_expired
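Review bot: The comment `# Expect to get a CLIENT_REVOKED error.` is stale in both new tests, since test_pw_expired asserts `expected_pa_error=KDC_ERR_KEY_EXPIRED` and test_pw_expired_wrong_password asserts `expected_pa_error=KDC_ERR_PREAUTH_FAILED`; they should read `# Expect KDC_ERR_KEY_EXPIRED with NT_STATUS_PASSWORD_EXPIRED in the e-data.` and `# The wrong password wins: KDC_ERR_PREAUTH_FAILED, but the e-data still reports NT_STATUS_PASSWORD_EXPIRED.` respectively. That second pairing is the security-relevant assertion and deserves an explicit comment: a client that failed pre-authentication is still told through `expect_pa_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED` that the account's password has expired, whereas the SamLogon path in the same test returns `NT_STATUS_WRONG_PASSWORD`, so this is an unauthenticated account-state oracle and the test should say whether it deliberately mirrors Windows. The knownfail_mit_kdc entries added in this commit suggest the MIT KDC does not behave this way, so the expectation appears to be Heimdal/Windows-specific rather than protocol-mandated. Both tests depend on the PSO taking effect, yet only test_pw_expired(fl2003dc) is listed in the new expectedfail.d file; if the wrong-password variant passes on fl2003dc without a working PSO, it is asserting something other than expiry there and that should be checked. Finally, `time.sleep(1)` equals `password_age_max=1`, so expiry is asserted exactly at the boundary; unless the KDC's comparison is known to be inclusive, `time.sleep(2)` would avoid a timing-dependent flake.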
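Review bot: The new `error_code != KDC_ERR_PREAUTH_FAILED` guard drops the PA-FX-FAST expectation for every KDC_ERR_PREAUTH_FAILED reply with no explanation, so a KDC that stopped advertising FAST on that error would no longer be caught here; it needs a comment such as `# A KDC_ERR_PREAUTH_FAILED reply carries no PA-FX-FAST hint even when the KDC supports FAST (see test_pw_expired_wrong_password).` If that is only true for the expired-password case rather than for PREAUTH_FAILED in general, the condition should be tightened to that case instead of the whole error code. The enclosing method begins and ends outside this hunk.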
@@ -0,0 +1,2 @@
+# This tests needs Password Settings Objects to work, so is expected to fail in this environment
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired\(fl2003dc\)
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 76cdaf55f2d..725dc5fef77 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -42,6 +42,8 @@
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_False\(fl2003dc\)
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_None\(fl2003dc\)
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_True\(fl2003dc\)
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2008r2dc\)
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2003dc\)
 #
 # Currently MOST but not quite all the Canonicalization tests fail on the
 # MIT KDC