python/samba/tests/krb5: Expand test without UF_SMARTCARD_REQUIRED to show rotation...
authorAndrew Bartlett <abartlet@samba.org>
Mon, 3 Jun 2024 23:36:53 +0000 (11:36 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 10 Jun 2024 04:27:31 +0000 (04:27 +0000)
This makes sense: otherwise the user's password would be rotated behind their back, and they would suddenly be unable to use it on the occasions when they do not authenticate with their smartcard.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
python/samba/tests/krb5/pkinit_tests.py
selftest/knownfail_heimdal_kdc

index e8e88126613042eb73bdea64c7757e0a63ed16cc..f9a625a4e754dd2b76898748b06ecdc66d70a5c3 100755 (executable)
@@ -741,11 +741,28 @@ class PkInitTests(KDCBaseTest):
         self._test_samlogon(creds=client_creds,
                             logon_type=netlogon.NetlogonNetworkInformation)
 
-    def test_pkinit_ntlm_from_pac_must_change_now(self):
-        """Test public-key PK-INIT to get an NT hash and confirm NTLM
-           authentication is possible with it."""
+    def _test_pkinit_ntlm_from_pac_must_change_now(self, smartcard_pw_expire):
+        """Test public-key PK-INIT on an account set to 'must change now'.
+        This shows that PKINIT is not available for these accounts and no
+        auto-rollover happens because UF_SMARTCARD_REQUIRED is not set"""
         samdb = self.get_samdb()
 
+        msgs = samdb.search(base=samdb.get_default_basedn(),
+                            scope=ldb.SCOPE_BASE,
+                            attrs=["msDS-ExpirePasswordsOnSmartCardOnlyAccounts"])
+        msg = msgs[0]
+
+        try:
+            old_ExpirePasswordsOnSmartCardOnlyAccounts = msg["msDS-ExpirePasswordsOnSmartCardOnlyAccounts"]
+        except KeyError:
+            old_ExpirePasswordsOnSmartCardOnlyAccounts = None
+
+        self.addCleanup(set_ExpirePasswordsOnSmartCardOnlyAccounts,
+                        samdb, old_ExpirePasswordsOnSmartCardOnlyAccounts)
+
+        # Enable auto-rotation for this test
+        set_ExpirePasswordsOnSmartCardOnlyAccounts(samdb, smartcard_pw_expire)
+
         client_creds = self._get_creds()
         client_creds.set_kerberos_state(credentials.AUTO_USE_KERBEROS)
 
@@ -793,6 +810,12 @@ class PkInitTests(KDCBaseTest):
                             logon_type=netlogon.NetlogonNetworkInformation,
                             expect_error=ntstatus.NT_STATUS_PASSWORD_MUST_CHANGE)
 
+    def test_pkinit_ntlm_from_pac_must_change_now(self):
+        self._test_pkinit_ntlm_from_pac_must_change_now(smartcard_pw_expire=True)
+
+    def test_pkinit_ntlm_from_pac_must_change_now_rotate_disabled(self):
+        self._test_pkinit_ntlm_from_pac_must_change_now(smartcard_pw_expire=False)
+
     def _test_pkinit_ntlm_from_pac_smartcard_required_must_change_now(self, smartcard_pw_expire):
         """Test public-key PK-INIT to get the user's NT hash for an account
            that is restricted by UF_SMARTCARD_REQUIRED.
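Review bot: The two new public test methods `test_pkinit_ntlm_from_pac_must_change_now` and `test_pkinit_ntlm_from_pac_must_change_now_rotate_disabled` have no docstrings, so a selftest reader cannot tell from the names which way the domain setting is flipped or why the outcome should be the same. One line each would do, e.g. `"""Domain-wide smartcard password expiry enabled; account lacks UF_SMARTCARD_REQUIRED, so it must stay 'must change now' with no rotation."""` and the mirror wording with the setting disabled. `_test_pkinit_ntlm_from_pac_smartcard_required_must_change_now`, whose signature is the hunk's trailing context, continues past the end of this hunk.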
index 1f52f48d6c8a9e3946bc56e70b14ca5a6c958c3d..e10b12757cc119110afb4dc171588c7012726d17 100644 (file)
@@ -73,6 +73,7 @@
 #
 ^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_des3.ad_dc
 ^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_must_change_now\(
+^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_must_change_now_rotate_disabled
 #
 # Windows 2000 PK-INIT tests
 #
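Review bot: The new knownfail line for `test_pkinit_ntlm_from_pac_must_change_now_rotate_disabled` records that the rotate-disabled variant is expected to fail against the Heimdal KDC, but neither this file nor the commit message says which assertion fails there or tracks a follow-up. A one-line comment above the entry, or a sentence in the commit message, naming the behaviour the Heimdal KDC currently gets wrong would stop the entry from being silently carried forward. Unlike the existing entry on the line above, the new pattern has no trailing `\(` anchor, so it presumably also matches any environment suffix; confirm that is intended.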