From f9ca5b75f82e8efbeebdc8520114a5d89dcbbf00 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary@catalyst.net.nz>
Date: Thu, 26 Mar 2026 13:39:45 +1300
Subject: tests:krb5 expired password handling

The windows ADDC checks password validity before password expiry. So an
incorrect expired password will return KDC_ERR_PREAUTH_REQUIRED not
KDC_ERR_KEY_EXPIRED.

The KDC behaviour fixes will be made to lorikeet-heimdal and then imported to
samba.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15746

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
---
 python/samba/tests/krb5/as_req_tests.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'python/samba')

diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index e4e677223d5..23a1a13a3a6 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -707,8 +707,7 @@ class AsReqKerberosTests(AsReqBaseTest):
             # the uncanonicalized client is going to be found first.
             expected_error = KDC_ERR_C_PRINCIPAL_UNKNOWN
         else:
-            expected_error = (KDC_ERR_KEY_EXPIRED,
-                              KDC_ERR_PREAUTH_FAILED,
+            expected_error = (KDC_ERR_PREAUTH_FAILED,
                               KDC_ERR_PREAUTH_REQUIRED)
 
         self._run_as_req_enc_timestamp(
-- 
cgit v1.2.3