python/samba/tests/krb5: Allow PkInitTests.test_pkinit_ntlm_from_pac_must_change_now...

author Andrew Bartlett <abartlet@samba.org>

Tue, 4 Jun 2024 01:26:18 +0000 (13:26 +1200)

committer Andrew Bartlett <abartlet@samba.org>

Mon, 10 Jun 2024 05:32:54 +0000 (05:32 +0000)
author Andrew Bartlett <abartlet@samba.org>
Tue, 4 Jun 2024 01:26:18 +0000 (13:26 +1200)
committer Andrew Bartlett <abartlet@samba.org>
Mon, 10 Jun 2024 05:32:54 +0000 (05:32 +0000)
diff --git a/python/samba/tests/krb5/pkinit_tests.py b/python/samba/tests/krb5/pkinit_tests.py

index f9a625a4e754dd2b76898748b06ecdc66d70a5c3..0c92801cbcea386289c25149a8c596b0c95ddab2 100755 (executable)
--- a/python/samba/tests/krb5/pkinit_tests.py
+++ b/python/samba/tests/krb5/pkinit_tests.py
@@ -783,10 +783,16 @@ class PkInitTests(KDCBaseTest):
  
          freshness_token = self.create_freshness_token()
  
+        # Windows does not send an NTSTATUS in this case for an
+        # expired password against PKINIT, but will for ENC-TS,
+        # However Samba on Heimdal is consistent between both, so we
+        # must set expect_status=None to allow the test to pass
+        # against both.
          self._pkinit_req(client_creds, krbtgt_creds,
                           freshness_token=freshness_token,
                           expect_error=KDC_ERR_KEY_EXPIRED,
-                         expect_edata=True
+                         expect_edata=True,
+                         expected_status=ntstatus.NT_STATUS_PASSWORD_MUST_CHANGE,
          )
  
          # AS-REQ will not succeed, password is still expired
@@ -1683,6 +1689,7 @@ class PkInitTests(KDCBaseTest):
                      certificate=None,
                      expect_error=0,
                      expect_edata=False,
+                    expected_status=None,
                      using_pkinit=PkInit.PUBLIC_KEY,
                      etypes=None,
                      pk_nonce=None,
@@ -1954,6 +1961,7 @@ class PkInitTests(KDCBaseTest):
              using_pkinit=using_pkinit,
              pk_nonce=pk_nonce,
              expect_edata=expect_edata,
+            expected_status=expected_status,
              expect_matching_nt_hash_in_pac=expect_matching_nt_hash_in_pac)
  
          till = self.get_KerberosTime(offset=36000)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc

index e10b12757cc119110afb4dc171588c7012726d17..811d3202729016d649c90cb2623830b5088039bc 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -72,8 +72,6 @@
  # PK-INIT tests
  #
  ^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_des3.ad_dc
-^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_must_change_now\(
-^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_must_change_now_rotate_disabled
  #
  # Windows 2000 PK-INIT tests
  #
author	Andrew Bartlett <abartlet@samba.org>
	Tue, 4 Jun 2024 01:26:18 +0000 (13:26 +1200)
committer	Andrew Bartlett <abartlet@samba.org>
	Mon, 10 Jun 2024 05:32:54 +0000 (05:32 +0000)
python/samba/tests/krb5/pkinit_tests.py		patch \| blob \| blame \| history
selftest/knownfail_heimdal_kdc		patch \| blob \| blame \| history