samba.git/python/samba/tests/krb5, branch master Unnamed repository; edit this file 'description' to name the repository. tests:krb5 expired password handling 2026-03-30T23:37:36+00:00 Gary Lockyer gary@catalyst.net.nz 2026-03-26T00:39:45+00:00 f9ca5b75f82e8efbeebdc8520114a5d89dcbbf00 The windows ADDC checks password validity before password expiry. So an incorrect expired password will return KDC_ERR_PREAUTH_REQUIRED not KDC_ERR_KEY_EXPIRED. The KDC behaviour fixes will be made to lorikeet-heimdal and then imported to samba. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15746 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
The windows ADDC checks password validity before password expiry. So an
incorrect expired password will return KDC_ERR_PREAUTH_REQUIRED not
KDC_ERR_KEY_EXPIRED.

The KDC behaviour fixes will be made to lorikeet-heimdal and then imported to
samba.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15746

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
python:tests/krb5: Make PADATA_PK_AS_REP optional in non-strict mode 2026-03-30T10:41:07+00:00 Andreas Schneider asn@samba.org 2026-03-25T11:44:02+00:00 b79df27457e78ec2e8e301865c553fb76a596f9d Commit c1433f821f7 added PADATA_PK_AS_REP (PA-PK-AS-REP, type 17) to the expected padata list when check_rep_padata sees KDC_ERR_KEY_EXPIRED. This reflects Samba's Heimdal KDC behaviour, which includes PKINIT hints in expired-password error responses. Samba with MIT KDC does not include PADATA_PK_AS_REP in KDC_ERR_KEY_EXPIRED responses; it returns a METHOD-DATA with just the NTSTATUS payload (type 3) and the FX-COOKIE (type 133). This causes test_pw_expired to fail intermittently when the expired-password code path is exercised against MIT KDC. Add PADATA_PK_AS_REP to the require_strict set alongside PADATA_PK_AS_REP_19, so it is treated as optional in non-strict checking mode (STRICT_CHECKING=0) while still being enforced in strict mode. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Mar 30 10:41:07 UTC 2026 on atb-devel-224 
Commit c1433f821f7 added PADATA_PK_AS_REP (PA-PK-AS-REP, type 17) to
the expected padata list when check_rep_padata sees KDC_ERR_KEY_EXPIRED.
This reflects Samba's Heimdal KDC behaviour, which includes PKINIT hints
in expired-password error responses.

Samba with MIT KDC does not include PADATA_PK_AS_REP in KDC_ERR_KEY_EXPIRED
responses; it returns a METHOD-DATA with just the NTSTATUS payload (type 3) and
the FX-COOKIE (type 133).  This causes test_pw_expired to fail intermittently
when the expired-password code path is exercised against MIT KDC.

Add PADATA_PK_AS_REP to the require_strict set alongside PADATA_PK_AS_REP_19,
so it is treated as optional in non-strict checking mode (STRICT_CHECKING=0)
while still being enforced in strict mode.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Mar 30 10:41:07 UTC 2026 on atb-devel-224
test:heimdal:pkinit fixes for SHA1-PUKEY calculation 2026-02-23T20:16:34+00:00 Gary Lockyer gary@catalyst.net.nz 2026-02-19T22:55:59+00:00 76bf9214239759169ff4688b035c3f531e0db1bc The SHA1 hash for KB5014754 SHA1-PUKEY is calculate over the entire certificate not just the public key. BUG https://bugzilla.samba.org/show_bug.cgi?id=16001 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
The SHA1 hash for KB5014754 SHA1-PUKEY is calculate over the entire
certificate not just the public key.

BUG https://bugzilla.samba.org/show_bug.cgi?id=16001

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
s4:kdc:db-glue altSecurityIdentities DN and serial reversed 2026-02-23T20:16:34+00:00 Gary Lockyer gary@catalyst.net.nz 2026-02-18T23:18:38+00:00 580051e5686d9a26d2502eb969f7a80e13519afb When altSecurityIdentities is set by RSAT / ADUC they store the Issuer and Subject DN in last to first order i.e. CN=Common Name, O=Organization, C=Country Need to reverse that to first to last order, i.e. C=Country, O=Organization, CN=Common name Which is how they're stored on the X509 certificates. Also the serial number is stored in reverse order. BUG: https://bugzilla.samba.org/show_bug.cgi?id=16001 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
When altSecurityIdentities is set by RSAT / ADUC they store the
Issuer and Subject DN in last to first order i.e.
       CN=Common Name, O=Organization, C=Country
Need to reverse that to first to last order, i.e.
       C=Country, O=Organization, CN=Common name
Which is how they're stored on the X509 certificates.

Also the serial number is stored in reverse order.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16001

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
CVE-2026-20833: s4:kdc: Make default domain supported enctypes AES by default 2026-02-18T00:49:34+00:00 Jennifer Sutton jennifersutton@catalyst.net.nz 2026-01-30T02:03:42+00:00 802649fa35ed37de69f6ca0593a39399575ac6e4 If AES keys are available in the domain, assume that service accounts support AES by default. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998 Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
If AES keys are available in the domain, assume that service accounts support
AES by default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
pytest:krb5:as_req: adjust for 'require canonicalization' 2026-01-15T01:48:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-12-12T03:14:02+00:00 5d0a4d78034c0afc8a9f144eca11edd10336023a Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
pytest:krb5:ms_kile: adjust for 'require canonicalization' 2026-01-15T01:48:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-12-17T02:19:55+00:00 e1757704e5d2563bcc0e32138c5ea10d28bba9e3 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
pytest:krb5: as_canonicalization recognises require canon option 2026-01-15T01:48:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2026-01-07T22:53:58+00:00 25da167403fbe1cfcb64561885da8894a04c3d45 If the test is run against a require canonicalization = yes server, requests that do not use the canonicalize flag will be rejected at the preauth stage, so we check that and nothing more. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
If the test is run against a

  require canonicalization = yes

server, requests that do not use the canonicalize flag will be
rejected at the preauth stage, so we check that and nothing more.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
pytest:krb5: notice require canonicalization option 2026-01-15T01:48:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-12-17T02:19:47+00:00 ef4160280d22f4b994be71e4f0284832a0c5a81e Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
pytest:krb5 as_canonicalization checks no implicit $ return code 2026-01-15T01:48:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-12-11T20:35:44+00:00 f0666d9196448e90a928502a7535fd732bd8ac2a We check here instead of selftest/expectedfail.d/* in part because on MIT some of these cases will fail to fail to ask for preauth. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
We check here instead of selftest/expectedfail.d/* in part because
on MIT some of these cases will fail to fail to ask for preauth.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>