python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash

We want to use the PAC returned NT hash in the UF_SMARTCARD_REQUIRED case
as it will usually be random bytes so we can not just assert on the
value any more.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

python/samba/tests/krb5/pkinit_tests.py

@@ -584,7 +584,11 @@ class PkInitTests(KDCBaseTest):
                 send_enc_ts=False,
                 ):
         if send_enc_ts:
-            preauth_key = self.PasswordKey_from_creds(creds, kcrypto.Enctype.AES256)
+            if creds.get_password() is None:
+                # Try the NT hash if there isn't a password
+                preauth_key = self.PasswordKey_from_creds(creds, kcrypto.Enctype.RC4)
+            else:
+                preauth_key = self.PasswordKey_from_creds(creds, kcrypto.Enctype.AES256)
         else:
             preauth_key = None
 
@@ -1235,7 +1239,7 @@ class PkInitTests(KDCBaseTest):
             return None
 
         self.check_as_reply(rep)
-        return kdc_exchange_dict['rep_ticket_creds']
+        return kdc_exchange_dict
 
 
 if __name__ == '__main__':

python/samba/tests/krb5/raw_testcase.py

@@ -4785,6 +4785,8 @@ class RawKerberosTest(TestCase):
                 else:
                     self.assertEqual(creds.get_nt_hash(), nt_password)
 
+                kdc_exchange_dict['nt_hash_from_pac'] = ntlm_package.nt_password
+
                 lm_password = bytes(ntlm_package.lm_password.hash)
                 self.assertEqual(bytes(16), lm_password)