tests/krb5: Check that updated NT hashes of gMSAs have the values we expect
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
1171589e35
commit
103ca0276f
@ -920,6 +920,9 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
|
||||
res[0].get("supplementalCredentials", idx=0)
|
||||
)
|
||||
|
||||
# Check that the NT hash is the value we expect.
|
||||
self.assertEqual(creds.get_nt_hash(), previous_nt_hash)
|
||||
|
||||
# Search for the managed password over LDAP, triggering an update of the
|
||||
# keys in the database.
|
||||
res = samdb.search(dn, scope=ldb.SCOPE_BASE, attrs=["msDS-ManagedPassword"])
|
||||
@ -950,6 +953,16 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
|
||||
"supplementalCredentials has not been updated (yet)",
|
||||
)
|
||||
|
||||
# Set the new password.
|
||||
managed_pwd = ndr_unpack(gmsa.MANAGEDPASSWORD_BLOB, managed_password)
|
||||
self.assertIsNotNone(
|
||||
managed_pwd.passwords.current, "current password must be present"
|
||||
)
|
||||
creds.set_utf16_password(managed_pwd.passwords.current)
|
||||
|
||||
# Check that the new NT hash is the value we expect.
|
||||
self.assertEqual(creds.get_nt_hash(), nt_hash)
|
||||
|
||||
def test_authentication_triggers_keys_update(self):
|
||||
# Create a root key with a start time early enough to be usable at the
|
||||
# time the gMSA is purported to be created. But don’t create it on a
|
||||
@ -984,6 +997,9 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
|
||||
res[0].get("supplementalCredentials", idx=0)
|
||||
)
|
||||
|
||||
# Check that the NT hash is the value we expect.
|
||||
self.assertEqual(creds.get_nt_hash(), previous_nt_hash)
|
||||
|
||||
# Calculate the password with which to authenticate.
|
||||
managed_pwd = self.expected_current_gmsa_password_blob(
|
||||
samdb, creds, future_key_is_acceptable=False
|
||||
@ -1021,6 +1037,9 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
|
||||
"supplementalCredentials has not been updated (yet)",
|
||||
)
|
||||
|
||||
# Check that the new NT hash is the value we expect.
|
||||
self.assertEqual(creds.get_nt_hash(), nt_hash)
|
||||
|
||||
def test_gmsa_can_perform_gensec_ntlmssp_logon(self):
|
||||
creds = self.gmsa_account(kerberos_enabled=False)
|
||||
|
||||
|
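Review bot: In the second hunk (`@ -950,6 +953,16`), the new `self.assertEqual(creds.get_nt_hash(), nt_hash)` takes its left-hand side from the `msDS-ManagedPassword` blob the server has just returned, so it shows that the LDAP reply and the stored hash agree with each other but not that either matches a password the test derives independently. The authentication test in the third hunk already obtains such a value from `self.expected_current_gmsa_password_blob(samdb, creds, future_key_is_acceptable=False)`; unless that comparison happens outside the visible hunk, consider checking the unpacked blob against it before `creds.set_utf16_password(...)`, for example `self.assertEqual(managed_pwd.passwords.current, expected.passwords.current)` (assuming the helper returns the same blob type). The four new `assertEqual` calls also carry no message while the neighbouring assertions do; a short `msg` such as `"NT hash does not match the new managed password"` would make a failure easier to read. The enclosing test methods start and end outside the hunks, so where `nt_hash` and `previous_nt_hash` are assigned is not visible here.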