From: Andrew Bartlett Date: Tue, 26 Mar 2024 01:29:49 +0000 (+1300) Subject: python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash X-Git-Tag: tdb-1.4.11~1311 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f29693d1311a9675034dc7010076309ba2535d64;p=thirdparty%2Fsamba.git python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash We want to use the PAC returned NT hash in the UF_SMARTCARD_REQUIRED case as it will usually be random bytes so we can not just assert on the value any more. Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton --- diff --git a/python/samba/tests/krb5/pkinit_tests.py b/python/samba/tests/krb5/pkinit_tests.py index ac54d8e8900..998fe86d534 100755 --- a/python/samba/tests/krb5/pkinit_tests.py +++ b/python/samba/tests/krb5/pkinit_tests.py @@ -584,7 +584,11 @@ class PkInitTests(KDCBaseTest): send_enc_ts=False, ): if send_enc_ts: - preauth_key = self.PasswordKey_from_creds(creds, kcrypto.Enctype.AES256) + if creds.get_password() is None: + # Try the NT hash if there isn't a password + preauth_key = self.PasswordKey_from_creds(creds, kcrypto.Enctype.RC4) + else: + preauth_key = self.PasswordKey_from_creds(creds, kcrypto.Enctype.AES256) else: preauth_key = None @@ -1235,7 +1239,7 @@ class PkInitTests(KDCBaseTest): return None self.check_as_reply(rep) - return kdc_exchange_dict['rep_ticket_creds'] + return kdc_exchange_dict if __name__ == '__main__': diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 72e5f41cfaa..1a821632597 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -4785,6 +4785,8 @@ class RawKerberosTest(TestCase): else: self.assertEqual(creds.get_nt_hash(), nt_password) + kdc_exchange_dict['nt_hash_from_pac'] = ntlm_package.nt_password + lm_password = bytes(ntlm_package.lm_password.hash) self.assertEqual(bytes(16), lm_password)