From: Andrew Bartlett Date: Tue, 11 Jun 2024 20:51:54 +0000 (+1200) Subject: python/samba/tests/krb5: Add check to confirm UF_SMARCARD_REQUIRED password is expire... X-Git-Tag: tdb-1.4.11~368 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ef87f0be6009dcb95316dbfd71ce9834e7a5a8ed;p=thirdparty%2Fsamba.git python/samba/tests/krb5: Add check to confirm UF_SMARCARD_REQUIRED password is expired on NTLM 8944a10b145e99eb6372cace8225e4c5e9d6160e broke password expiry checking on NTLM, but that is fixed after CID 1603594 triggered 815d696d4471f1b3a4267eb774eb80b07576031b. In the past we could not have password expiry times small enough to test expiry (unlike "must change now"), but having no test was not good. As we are already doing the sleep() here, add a test to the password rotation test. Signed-off-by: Andrew Bartlett Reviewed-by: David Mulder --- diff --git a/python/samba/tests/krb5/pkinit_tests.py b/python/samba/tests/krb5/pkinit_tests.py index 0c92801cbce..1c87b041ad2 100755 --- a/python/samba/tests/krb5/pkinit_tests.py +++ b/python/samba/tests/krb5/pkinit_tests.py @@ -1204,6 +1204,20 @@ class PkInitTests(KDCBaseTest): self.assertEqual(expired, server_uac_expired) + # Check NTLM also saw this as expired + self._test_samlogon( + creds=client_creds, + logon_type=netlogon.NetlogonInteractiveInformation, + expect_error=ntstatus.NT_STATUS_SMARTCARD_LOGON_REQUIRED) + + if expired: + self._test_samlogon(creds=client_creds, + logon_type=netlogon.NetlogonNetworkInformation, + expect_error=ntstatus.NT_STATUS_PASSWORD_EXPIRED) + else: + self._test_samlogon(creds=client_creds, + logon_type=netlogon.NetlogonNetworkInformation) + pwd_last_set = int(res[0]["pwdLastSet"][0]) self.assertGreater(pwd_last_set, 0)