From: Gary Lockyer Date: Thu, 26 Mar 2026 00:39:45 +0000 (+1300) Subject: tests:krb5 expired password handling X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f9ca5b75f82e8efbeebdc8520114a5d89dcbbf00;p=thirdparty%2Fsamba.git tests:krb5 expired password handling The windows ADDC checks password validity before password expiry. So an incorrect expired password will return KDC_ERR_PREAUTH_REQUIRED not KDC_ERR_KEY_EXPIRED. The KDC behaviour fixes will be made to lorikeet-heimdal and then imported to samba. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15746 Signed-off-by: Gary Lockyer Reviewed-by: Jennifer Sutton
---
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index e4e677223d5..23a1a13a3a6 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -707,8 +707,7 @@ class AsReqKerberosTests(AsReqBaseTest):
 # the uncanonicalized client is going to be found first.
 expected_error = KDC_ERR_C_PRINCIPAL_UNKNOWN
 else:
- expected_error = (KDC_ERR_KEY_EXPIRED,
- KDC_ERR_PREAUTH_FAILED,
+ expected_error = (KDC_ERR_PREAUTH_FAILED,
 KDC_ERR_PREAUTH_REQUIRED)
 self._run_as_req_enc_timestamp(
diff --git a/selftest/knownfail.d/bug-15746 b/selftest/knownfail.d/bug-15746
new file mode 100644
index 00000000000..54a5719f6fd
--- /dev/null
+++ b/selftest/knownfail.d/bug-15746
@@ -0,0 +1,2 @@
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2008r2dc\)
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(ad_dc_ntvfs\)
diff --git a/selftest/knownfail_mit_kdc.d/as-req b/selftest/knownfail_mit_kdc.d/as-req
index c2f1aa366cb..46cc5c29723 100644
--- a/selftest/knownfail_mit_kdc.d/as-req
+++ b/selftest/knownfail_mit_kdc.d/as-req
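Review bot: The narrowed tuple in the `else:` branch carries no comment saying why KDC_ERR_KEY_EXPIRED is no longer an acceptable reply, and that reason is the security-relevant part of the test: a KDC that reports key expiry before it has validated the pre-authentication data tells a client who does not hold the password that the account's password has expired. I would add above the assignment `# The password is validated before expiry is checked, so a wrong password must never yield KDC_ERR_KEY_EXPIRED (bug 15746).` The tuple still lists two codes while the commit message names only KDC_ERR_PREAUTH_REQUIRED; if the tuple means "any of these" (the helper is outside the hunk), pinning the single expected code per branch would make the regression test stricter. The enclosing test method starts and ends outside the hunk.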
@@ -39,6 +39,8 @@
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_None\(fl2003dc\)
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes128_aes256_pac_True\(fl2003dc\)
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2003dc\)
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2008r2dc\)
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(ad_dc_ntvfs\)
 #
 # MIT currently fails some as_req_no_preauth tests.
 #