From 83e503ed46352734721bff6e565d2b668d7af154 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Wed, 17 Jul 2013 13:03:59 -0400
Subject: [PATCH] Test that password preauth works without PKINIT

Before we test authenticated PKINIT, slip in a test to check that
password-based preauthentication still works when the KDC is offering
PKINIT, but the client has no PKINIT credentials.
---
 src/tests/t_authpkinit.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/tests/t_authpkinit.py b/src/tests/t_authpkinit.py
index a7ca66ab2d..ec7be5004e 100644
--- a/src/tests/t_authpkinit.py
+++ b/src/tests/t_authpkinit.py
@@ -61,6 +61,18 @@ def setup_dir_identities(realm):
     shutil.copy(user_pem, os.path.join(path, 'user.crt'))
     shutil.copy(user_pem, os.path.join(path_enc, 'user.crt'))
 
+# Sanity check - password-based preauth should still work.
+realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
+                get_creds=False)
+realm.run(['./responder',
+           '-r', 'password=%s' % password('user'),
+           'user@%s' % realm.realm])
+realm.kinit('user@%s' % realm.realm,
+            password=password('user'))
+realm.klist('user@%s' % realm.realm)
+realm.run([kvno, realm.host_princ])
+realm.stop()
+
 # Run the basic test - PKINIT with FILE: identity, with no password on the key.
 realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf,
                 get_creds=False)
-- 
2.47.2