From: Andrew Bartlett Date: Tue, 4 Jun 2024 01:26:18 +0000 (+1200) Subject: python/samba/tests/krb5: Allow PkInitTests.test_pkinit_ntlm_from_pac_must_change_now... X-Git-Tag: tdb-1.4.11~395 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=469b22b849aa6a76739dc21d8a2d80907cdf8d73;p=thirdparty%2Fsamba.git python/samba/tests/krb5: Allow PkInitTests.test_pkinit_ntlm_from_pac_must_change_now to pass on Samba/Heimdal This flexiblity in the tests avoids requiring Samba/Heimdal to omit an NTSTATUS error return and just be consistent between the different authentication paths. Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Jun 10 05:32:54 UTC 2024 on atb-devel-224 --- diff --git a/python/samba/tests/krb5/pkinit_tests.py b/python/samba/tests/krb5/pkinit_tests.py index f9a625a4e75..0c92801cbce 100755 --- a/python/samba/tests/krb5/pkinit_tests.py +++ b/python/samba/tests/krb5/pkinit_tests.py @@ -783,10 +783,16 @@ class PkInitTests(KDCBaseTest): freshness_token = self.create_freshness_token() + # Windows does not send an NTSTATUS in this case for an + # expired password against PKINIT, but will for ENC-TS, + # However Samba on Heimdal is consistent between both, so we + # must set expect_status=None to allow the test to pass + # against both. self._pkinit_req(client_creds, krbtgt_creds, freshness_token=freshness_token, expect_error=KDC_ERR_KEY_EXPIRED, - expect_edata=True + expect_edata=True, + expected_status=ntstatus.NT_STATUS_PASSWORD_MUST_CHANGE, ) # AS-REQ will not succeed, password is still expired @@ -1683,6 +1689,7 @@ class PkInitTests(KDCBaseTest): certificate=None, expect_error=0, expect_edata=False, + expected_status=None, using_pkinit=PkInit.PUBLIC_KEY, etypes=None, pk_nonce=None, 
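Review bot: The comment added in the first hunk says the call must set `expect_status=None`, but the call it annotates passes `expected_status=ntstatus.NT_STATUS_PASSWORD_MUST_CHANGE`, and no `expect_status` argument appears in any visible hunk, so the comment describes something the new code does not visibly do. The second and third hunks only add an `expected_status=None` parameter to `_pkinit_req` and forward it, so if tolerating Windows' missing NTSTATUS relies on a separate `expect_status` flag being None further down, that lives outside these hunks and the comment should say so. If that is the mechanism, I would reword it along the lines of `# Windows sends no NTSTATUS for an expired password with PKINIT (it does for ENC-TS); Samba on Heimdal returns one on both paths, so we name the value in expected_status and leave expect_status unset so its absence is tolerated.` Note also that, if the status really is optional here, the test would still pass should Samba stop returning NT_STATUS_PASSWORD_MUST_CHANGE on the PKINIT path, so a Samba-only assertion may be worth adding to pin the consistency the commit message relies on. The annotated test method and `_pkinit_req` both begin and end outside the hunks.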
@@ -1954,6 +1961,7 @@ class PkInitTests(KDCBaseTest): using_pkinit=using_pkinit, pk_nonce=pk_nonce, expect_edata=expect_edata, + expected_status=expected_status, expect_matching_nt_hash_in_pac=expect_matching_nt_hash_in_pac) till = self.get_KerberosTime(offset=36000) diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index e10b12757cc..811d3202729 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -72,8 +72,6 @@ # PK-INIT tests # ^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_des3.ad_dc -^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_must_change_now\( -^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_must_change_now_rotate_disabled # # Windows 2000 PK-INIT tests #