From 15686fec9819267f69a600cff859e52f77a64cef Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 4 Jun 2024 11:36:53 +1200
Subject: [PATCH] python/samba/tests/krb5: Expand test without UF_SMARTCARD_REQUIRED to show rotation is not done

This makes sense as otherwise the user would suddenly not know their password for use when they do not use their smartcard.

Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton
---
 python/samba/tests/krb5/pkinit_tests.py | 29 ++++++++++++++++++++++---
 selftest/knownfail_heimdal_kdc | 1 +
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/python/samba/tests/krb5/pkinit_tests.py b/python/samba/tests/krb5/pkinit_tests.py
index e8e88126613..f9a625a4e75 100755
--- a/python/samba/tests/krb5/pkinit_tests.py
+++ b/python/samba/tests/krb5/pkinit_tests.py
@@ -741,11 +741,28 @@ class PkInitTests(KDCBaseTest):
         self._test_samlogon(creds=client_creds,
                             logon_type=netlogon.NetlogonNetworkInformation)
 
-    def test_pkinit_ntlm_from_pac_must_change_now(self):
-        """Test public-key PK-INIT to get an NT hash and confirm NTLM
-        authentication is possible with it."""
+    def _test_pkinit_ntlm_from_pac_must_change_now(self, smartcard_pw_expire):
+        """Test public-key PK-INIT on an account set to 'must change now'.
+        This shows that PKINIT is not available for these accounts and no
+        auto-rollover happens because UF_SMARTCARD_REQUIRED is not set"""
         samdb = self.get_samdb()
 
+        msgs = samdb.search(base=samdb.get_default_basedn(),
+                            scope=ldb.SCOPE_BASE,
+                            attrs=["msDS-ExpirePasswordsOnSmartCardOnlyAccounts"])
+        msg = msgs[0]
+
+        try:
+            old_ExpirePasswordsOnSmartCardOnlyAccounts = msg["msDS-ExpirePasswordsOnSmartCardOnlyAccounts"]
+        except KeyError:
+            old_ExpirePasswordsOnSmartCardOnlyAccounts = None
+
+        self.addCleanup(set_ExpirePasswordsOnSmartCardOnlyAccounts,
+                        samdb, old_ExpirePasswordsOnSmartCardOnlyAccounts)
+
+        # Enable auto-rotation for this test
+        set_ExpirePasswordsOnSmartCardOnlyAccounts(samdb, smartcard_pw_expire)
+
         client_creds = self._get_creds()
         client_creds.set_kerberos_state(credentials.AUTO_USE_KERBEROS)
 
@@ -793,6 +810,12 @@ class PkInitTests(KDCBaseTest):
                             logon_type=netlogon.NetlogonNetworkInformation,
                             expect_error=ntstatus.NT_STATUS_PASSWORD_MUST_CHANGE)
 
+    def test_pkinit_ntlm_from_pac_must_change_now(self):
+        self._test_pkinit_ntlm_from_pac_must_change_now(smartcard_pw_expire=True)
+
+    def test_pkinit_ntlm_from_pac_must_change_now_rotate_disabled(self):
+        self._test_pkinit_ntlm_from_pac_must_change_now(smartcard_pw_expire=False)
+
     def _test_pkinit_ntlm_from_pac_smartcard_required_must_change_now(self, smartcard_pw_expire):
         """Test public-key PK-INIT to get the user's NT hash for an account
         that is restricted by UF_SMARTCARD_REQUIRED.
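Review bot: The comment `# Enable auto-rotation for this test` above the `set_ExpirePasswordsOnSmartCardOnlyAccounts(samdb, smartcard_pw_expire)` call is now wrong for half the callers: the helper takes `smartcard_pw_expire`, and `test_pkinit_ntlm_from_pac_must_change_now_rotate_disabled` passes False, so on that path the line disables rotation. Suggest `# Set msDS-ExpirePasswordsOnSmartCardOnlyAccounts as requested by the caller; the cleanup registered above restores the previous value` and a parameter line in the new docstring such as `smartcard_pw_expire: value written to msDS-ExpirePasswordsOnSmartCardOnlyAccounts (True enables auto-rotation for smartcard-only accounts)`. Registering the cleanup before the attribute is written is the right order, since this domain-wide setting is then restored even if the write itself fails. The save/restore block looks like it may duplicate what `_test_pkinit_ntlm_from_pac_smartcard_required_must_change_now` does with the same parameter (its body is outside the hunk); if so, a small shared helper would keep the two in step. The method body continues past the end of the hunk.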
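Review bot: Neither `test_pkinit_ntlm_from_pac_must_change_now` nor `test_pkinit_ntlm_from_pac_must_change_now_rotate_disabled` has a docstring, unlike the neighbouring tests in this class, and the names alone do not say what outcome is expected. Suggest `"""Must-change-now account without UF_SMARTCARD_REQUIRED: PKINIT is refused and the password is not rotated even with msDS-ExpirePasswordsOnSmartCardOnlyAccounts enabled."""` on the first and `"""As above, with msDS-ExpirePasswordsOnSmartCardOnlyAccounts disabled."""` on the second. The expected outcome is taken from the helper's docstring in the previous hunk and the commit message; the assertions themselves are outside the hunk.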
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 1f52f48d6c8..e10b12757cc 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -73,6 +73,7 @@
 # ^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_des3.ad_dc
 ^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_must_change_now\(
+^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_must_change_now_rotate_disabled
 #
 # Windows 2000 PK-INIT tests
 #
-- 
2.47.3