
tests/krb5: Check that updated NT hashes of gMSAs have the values we expect

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton 2024-04-22 10:53:30 +12:00 committed by Andrew Bartlett
parent 1171589e35
commit 103ca0276f


@ -920,6 +920,9 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
res[0].get("supplementalCredentials", idx=0)
)
# Check that the NT hash is the value we expect.
self.assertEqual(creds.get_nt_hash(), previous_nt_hash)
# Search for the managed password over LDAP, triggering an update of the
# keys in the database.
res = samdb.search(dn, scope=ldb.SCOPE_BASE, attrs=["msDS-ManagedPassword"])
@ -950,6 +953,16 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
"supplementalCredentials has not been updated (yet)",
)
# Set the new password.
managed_pwd = ndr_unpack(gmsa.MANAGEDPASSWORD_BLOB, managed_password)
self.assertIsNotNone(
managed_pwd.passwords.current, "current password must be present"
)
creds.set_utf16_password(managed_pwd.passwords.current)
# Check that the new NT hash is the value we expect.
self.assertEqual(creds.get_nt_hash(), nt_hash)
def test_authentication_triggers_keys_update(self):
# Create a root key with a start time early enough to be usable at the
# time the gMSA is purported to be created. But dont create it on a
@ -984,6 +997,9 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
res[0].get("supplementalCredentials", idx=0)
)
# Check that the NT hash is the value we expect.
self.assertEqual(creds.get_nt_hash(), previous_nt_hash)
# Calculate the password with which to authenticate.
managed_pwd = self.expected_current_gmsa_password_blob(
samdb, creds, future_key_is_acceptable=False
@ -1021,6 +1037,9 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
"supplementalCredentials has not been updated (yet)",
)
# Check that the new NT hash is the value we expect.
self.assertEqual(creds.get_nt_hash(), nt_hash)
def test_gmsa_can_perform_gensec_ntlmssp_logon(self):
creds = self.gmsa_account(kerberos_enabled=False)
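Review bot: The four `self.assertEqual(creds.get_nt_hash(), ...)` checks, placed before and after the key update in both tests, carry no failure message, unlike the neighbouring assertions ("supplementalCredentials has not been updated (yet)", "current password must be present"). A mismatch would therefore print only two raw hash values, with no hint of which stage of the rollover diverged. I would pass a message on each, e.g. `self.assertEqual(creds.get_nt_hash(), previous_nt_hash, "NT hash does not match the password before the keys update")` and `self.assertEqual(creds.get_nt_hash(), nt_hash, "NT hash does not match the new managed password")`. Which lines are additions is inferred from the hunk headers, since the +/- markers are lost on this page. Both test methods begin and end outside the hunks, so where `nt_hash` and `previous_nt_hash` come from is not visible here. It is worth confirming that they are read back from the account's stored credentials rather than derived from the same `creds` object, as the comparison would otherwise be circular.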