The branch, master has been updated via aecbfe52183 python/samba/tests/krb5: Add tests for password expiry with krb5 ENC-TS via ef87f0be600 python/samba/tests/krb5: Add check to confirm UF_SMARCARD_REQUIRED password is expired on NTLM from 43802f1bedd python: remove string_to_byte_array()
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit aecbfe5218326c2b4eb9a4e6c6b05719035585f9 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Jun 12 10:24:18 2024 +1200 python/samba/tests/krb5: Add tests for password expiry with krb5 ENC-TS This augments the PKINIT based tests to show this is correctly handled for the far more usual case. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: David Mulder <dmul...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Thu Jun 13 00:45:36 UTC 2024 on atb-devel-224 commit ef87f0be6009dcb95316dbfd71ce9834e7a5a8ed Author: Andrew Bartlett <abart...@samba.org> Date: Wed Jun 12 08:51:54 2024 +1200 python/samba/tests/krb5: Add check to confirm UF_SMARCARD_REQUIRED password is expired on NTLM 8944a10b145e99eb6372cace8225e4c5e9d6160e broke password expiry checking on NTLM, but that is fixed after CID 1603594 triggered 815d696d4471f1b3a4267eb774eb80b07576031b. In the past we could not have password expiry times small enough to test expiry (unlike "must change now"), but having no test was not good. As we are already doing the sleep() here, add a test to the password rotation test. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: David Mulder <dmul...@samba.org> ----------------------------------------------------------------------- Summary of changes: python/samba/tests/krb5/as_req_tests.py | 80 ++++++++++++++++++++++++++++- python/samba/tests/krb5/pkinit_tests.py | 14 +++++ python/samba/tests/krb5/raw_testcase.py | 3 +- selftest/expectedfail.d/kdc_test_pw_expired | 2 + selftest/knownfail_mit_kdc | 2 + 5 files changed, 99 insertions(+), 2 deletions(-) create mode 100644 selftest/expectedfail.d/kdc_test_pw_expired Changeset truncated at 500 lines:
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 4d0940caa46..55c27a2bed3 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -22,8 +22,12 @@ import os
 sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
-from samba import ntstatus
+import time
+
+from samba import credentials, ntstatus
+from samba.dcerpc import netlogon
 from samba.tests import DynamicTestCase
+from samba.tests.pso import PasswordSettings
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
 import samba.tests.krb5.kcrypto as kcrypto
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
@@ -33,6 +37,8 @@ from samba.tests.krb5.rfc4120_constants import (
 KDC_ERR_S_PRINCIPAL_UNKNOWN,
 KDC_ERR_ETYPE_NOSUPP,
 KDC_ERR_PREAUTH_REQUIRED,
+ KDC_ERR_PREAUTH_FAILED,
+ KDC_ERR_KEY_EXPIRED,
 KU_PA_ENC_TIMESTAMP,
 NT_ENTERPRISE_PRINCIPAL,
 NT_PRINCIPAL,
@@ -150,6 +156,7 @@ class AsReqBaseTest(KDCBaseTest):
 etypes,
 preauth_padata,
 kdc_options,
+ creds=client_creds,
 expected_supported_etypes=krbtgt_supported_etypes,
 expected_account_name=user_name,
 expect_edata=expect_pa_edata,
@@ -591,6 +598,77 @@ class AsReqKerberosTests(AsReqBaseTest):
 expected_pa_error=KDC_ERR_CLIENT_REVOKED,
 expect_pa_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS)
+ def test_pw_expired(self):
+ """Test making an AS-REQ with an expired password."""
+
+ client_creds = self.get_cached_creds(
+ account_type=self.AccountType.USER)
+ client_creds.set_kerberos_state(credentials.AUTO_USE_KERBEROS)
+
+ userdn = str(client_creds.get_dn())
+ samdb = self.get_samdb()
+
+ # create a PSO setting password_age_max to 1 second
+ #
+ # The first parameter is not a username, just a new unique name for the PSO
+ short_expiry_pso = PasswordSettings(self.get_new_username(), samdb,
+ precedence=200,
+ password_age_max=1)
+ self.addCleanup(samdb.delete, short_expiry_pso.dn)
+ short_expiry_pso.apply_to(userdn)
+
+ time.sleep(1)
+
+ # Expect to get a CLIENT_REVOKED error.
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ expected_error=(KDC_ERR_KEY_EXPIRED, KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED),
+ expect_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED,
+ expected_pa_error=KDC_ERR_KEY_EXPIRED,
+ expect_pa_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
+
+ self._test_samlogon(creds=client_creds,
+ logon_type=netlogon.NetlogonNetworkInformation,
+ expect_error=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
+
+ def test_pw_expired_wrong_password(self):
+ """Test making an AS-REQ with an expired, wrong password"""
+
+ # Use a non-cached account so that it is not locked out for other
+ # tests.
+ client_creds = self.get_cached_creds(
+ account_type=self.AccountType.USER,
+ use_cache=False)
+ client_creds.set_kerberos_state(credentials.AUTO_USE_KERBEROS)
+
+ userdn = str(client_creds.get_dn())
+ samdb = self.get_samdb()
+
+ # create a PSO setting password_age_max to 1 second
+ #
+ # The first parameter is not a username, just a new unique name for the PSO
+ short_expiry_pso = PasswordSettings(self.get_new_username(), samdb,
+ precedence=200,
+ password_age_max=1)
+ self.addCleanup(samdb.delete, short_expiry_pso.dn)
+ short_expiry_pso.apply_to(userdn)
+
+ time.sleep(1)
+
+ client_creds.set_password('wrong password')
+
+ # Expect to get a CLIENT_REVOKED error.
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ expected_error=(KDC_ERR_KEY_EXPIRED, KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED),
+ expect_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED,
+ expected_pa_error=KDC_ERR_PREAUTH_FAILED,
+ expect_pa_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
+
+ self._test_samlogon(creds=client_creds,
+ logon_type=netlogon.NetlogonNetworkInformation,
+ expect_error=ntstatus.NT_STATUS_WRONG_PASSWORD)
+
 def test_as_req_unicode(self):
 client_creds = self.get_cached_creds(
 account_type=self.AccountType.USER,
diff --git a/python/samba/tests/krb5/pkinit_tests.py b/python/samba/tests/krb5/pkinit_tests.py
index 0c92801cbce..1c87b041ad2 100755
--- a/python/samba/tests/krb5/pkinit_tests.py
+++ b/python/samba/tests/krb5/pkinit_tests.py
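Review bot: The comment `# Expect to get a CLIENT_REVOKED error.` above both new `_run_as_req_enc_timestamp` calls contradicts the `expected_pa_error` passed right under it (`KDC_ERR_KEY_EXPIRED` in `test_pw_expired`, `KDC_ERR_PREAUTH_FAILED` in `test_pw_expired_wrong_password`) and looks carried over from the logon-hours test in the leading context. Suggest `# Expect KEY_EXPIRED: the password is older than the PSO's 1-second maximum age.` for the first and `# Expect PREAUTH_FAILED for the wrong password; the status still reports NT_STATUS_PASSWORD_EXPIRED.` for the second. The PSO set-up (PasswordSettings with precedence=200 and password_age_max=1, the addCleanup, apply_to and the one-second sleep) is repeated verbatim in both tests and could become one private helper that returns the prepared creds. Whether `time.sleep(1)` after `apply_to` reliably crosses the expiry boundary presumably depends on pwdLastSet having been written before the PSO was applied; a comment stating that assumption would help the next reader.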
@@ -1204,6 +1204,20 @@ class PkInitTests(KDCBaseTest):
 self.assertEqual(expired, server_uac_expired)
+ # Check NTLM also saw this as expired
+ self._test_samlogon(
+ creds=client_creds,
+ logon_type=netlogon.NetlogonInteractiveInformation,
+ expect_error=ntstatus.NT_STATUS_SMARTCARD_LOGON_REQUIRED)
+
+ if expired:
+ self._test_samlogon(creds=client_creds,
+ logon_type=netlogon.NetlogonNetworkInformation,
+ expect_error=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
+ else:
+ self._test_samlogon(creds=client_creds,
+ logon_type=netlogon.NetlogonNetworkInformation)
+
 pwd_last_set = int(res[0]["pwdLastSet"][0])
 self.assertGreater(pwd_last_set, 0)
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index cb033472069..61a666a2b1f 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -5100,7 +5100,8 @@ class RawKerberosTest(TestCase):
 if sent_freshness:
 expected_patypes += PADATA_AS_FRESHNESS,
- if (self.kdc_fast_support
+ if (error_code != KDC_ERR_PREAUTH_FAILED
+ and self.kdc_fast_support
 and not sent_fast
 and not sent_enc_challenge):
 expected_patypes += (PADATA_FX_FAST,)
diff --git a/selftest/expectedfail.d/kdc_test_pw_expired b/selftest/expectedfail.d/kdc_test_pw_expired
new file mode 100644
index 00000000000..979330faacf
--- /dev/null
+++ b/selftest/expectedfail.d/kdc_test_pw_expired
@@ -0,0 +1,2 @@
+# This tests needs Password Settings Objects to work, so is expected to fail in this environment
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired\(fl2003dc\)
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 76cdaf55f2d..725dc5fef77 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
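Review bot: The comment `# Check NTLM also saw this as expired` introduces a `_test_samlogon` call that asserts `NT_STATUS_SMARTCARD_LOGON_REQUIRED` for interactive logon regardless of `expired`; the expiry assertion is only the `if expired:` branch below it. Suggest `# NTLM interactive logon is refused for a smart-card-required account whether or not the password is expired` on the first call and `# Network logon is where password expiry shows up for NTLM` above the if/else. The `else:` call passes no `expect_error`, which presumably means the helper asserts a successful logon; `# expect_error omitted: the logon must succeed` would make that intent explicit. The enclosing test method starts and ends outside this hunk.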
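Review bot: The new `error_code != KDC_ERR_PREAUTH_FAILED` term in the `if` carries no comment saying why a PREAUTH_FAILED reply is not expected to include `PADATA_FX_FAST`; the motivation is only recoverable from the wrong-password test added to as_req_tests.py in the same commit. Suggest `# A KDC_ERR_PREAUTH_FAILED reply is not expected to advertise PADATA_FX_FAST, so do not add it here.` above the condition. Whether `KDC_ERR_PREAUTH_FAILED` is already in scope in raw_testcase.py is not visible in this hunk. The enclosing method starts and ends outside the hunk.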
@@ -42,6 +42,8 @@
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_False\(fl2003dc\)
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_None\(fl2003dc\)
 ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_True\(fl2003dc\)
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2008r2dc\)
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2003dc\)
 #
 # Currently MOST but not quite all the Canonicalization tests fail on the
 # MIT KDC
-- Samba Shared Repository