From a54dca4ea546c596740d1afab70b1cdd25e1721b Mon Sep 17 00:00:00 2001 From: Jo Sutton Date: Tue, 28 May 2024 16:59:30 +1200 Subject: [PATCH] tests/krb5: Calculate correct gMSA password to fix flapping test MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit If this test happens to be run in the five minute window prior to the next ten‐hour GKDI interval — about once every one hundred and twenty runs — the ‘current’ password requested from LDAP will actually be the future password, which won’t match what’s in the database. Instead of taking the password from LDAP, calculate it ourselves with expected_gmsa_password_blob(). [330(7038)/334 at 43m51s] samba.tests.krb5.gmsa_tests(ad_dc:local) UNEXPECTED(failure): samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_retrieving_managed_password_triggers_keys_update(ad_dc:local) REASON: Exception: Exception: Traceback (most recent call last): File "/builds/samba-testbase/samba-def-build/bin/python/samba/tests/krb5/gmsa_tests.py", line 1091, in test_retrieving_managed_password_triggers_keys_update self.assertEqual(creds.get_nt_hash(), nt_hash) AssertionError: b'\xcf[\xe8:\xc7-\xd4V\xce\t\xfc\xcd\x06.T\x8a' != b'c\xc5\x97k\x17"G\x1e\x81>\xacV\x9d.*\x14' Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Jun 4 20:52:09 UTC 2024 on atb-devel-224 --- python/samba/tests/krb5/gmsa_tests.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/gmsa_tests.py b/python/samba/tests/krb5/gmsa_tests.py index 341b3f6dd9b..f27e4235713 100755 --- a/python/samba/tests/krb5/gmsa_tests.py +++ b/python/samba/tests/krb5/gmsa_tests.py @@ -1079,8 +1079,18 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest): "supplementalCredentials has not been updated (yet)", ) + # Calculate the password with which to authenticate. + current_series = self.gmsa_series_for_account( + local_samdb, creds, password_interval + ) + managed_pwd = self.expected_gmsa_password_blob( + local_samdb, + creds, + current_series.interval_gkid(0), + query_expiration_gkid=current_series.interval_gkid(1), + ) + # Set the new password. - managed_pwd = ndr_unpack(gmsa.MANAGEDPASSWORD_BLOB, managed_password) self.assertIsNotNone( managed_pwd.passwords.current, "current password must be present" ) -- 2.47.3