auth/credentials: Read managed_password.passwords.query_interval only after parsing

author Andrew Bartlett <abartlet@samba.org>

Tue, 9 Apr 2024 04:11:16 +0000 (16:11 +1200)

committer Andrew Bartlett <abartlet@samba.org>

Tue, 9 Apr 2024 23:59:54 +0000 (23:59 +0000)
author Andrew Bartlett <abartlet@samba.org>
Tue, 9 Apr 2024 04:11:16 +0000 (16:11 +1200)
committer Andrew Bartlett <abartlet@samba.org>
Tue, 9 Apr 2024 23:59:54 +0000 (23:59 +0000)
diff --git a/auth/credentials/credentials_gmsa.c b/auth/credentials/credentials_gmsa.c

index 86422624f1e72584879d65df70c215edb3e261f1..f85f9c65d706652222dbcd18fe141b513ad3f315 100644 (file)
--- a/auth/credentials/credentials_gmsa.c
+++ b/auth/credentials/credentials_gmsa.c
@@ -40,16 +40,7 @@ NTSTATUS cli_credentials_set_gmsa_passwords(struct cli_credentials *creds,
         DATA_BLOB previous_managed_pw_utf16;
         enum ndr_err_code ndr_err;
         TALLOC_CTX *frame = talloc_stackframe();
-
-       /*
-        * We check if this is 'for keytab' as a keytab wants to know
-        * about a near-future password as it will be on disk for some
-        * time
-        */
-       bool only_use_previous_pw =
-               managed_password.passwords.query_interval != NULL
-               && *managed_password.passwords.query_interval <= gkdi_max_clock_skew
-               && for_keytab == false;
+       bool only_use_previous_pw;
  
         /*
          * Group Managed Service Accounts are type
@@ -70,6 +61,16 @@ NTSTATUS cli_credentials_set_gmsa_passwords(struct cli_credentials *creds,
                 return NT_STATUS_ILL_FORMED_PASSWORD;
         }
  
+       /*
+        * We check if this is 'for keytab' as a keytab wants to know
+        * about a near-future password as it will be on disk for some
+        * time
+        */
+       only_use_previous_pw =
+               managed_password.passwords.query_interval != NULL
+               && *managed_password.passwords.query_interval <= gkdi_max_clock_skew
+               && for_keytab == false;
+
         /*
          * We look at the old password first as we might bail out
          * early if the new password is "too fresh"
diff --git a/python/samba/tests/blackbox/gmsa.py b/python/samba/tests/blackbox/gmsa.py

index 1017f75de6bb88a7c17da06daa53458726bb0e5e..eefa3799f6d41795fd156689324fa99ee6acd927 100644 (file)
--- a/python/samba/tests/blackbox/gmsa.py
+++ b/python/samba/tests/blackbox/gmsa.py
@@ -95,7 +95,7 @@ class GMSABlackboxTest(BlackboxTestCase):
          self.check_run(f"samba-tool service-account group-msa-membership remove --name={gmsa_account} --principal={machine_account} -H {HOST} {ADMIN_CREDS}")
  
          try:
-            self.assertRaises(KeyError, self.getpassword(gmsa_account, "unicodePwd", creds=machine_creds))
+            self.assertRaises(KeyError, self.getpassword, gmsa_account, "unicodePwd", creds=machine_creds)
          except BlackboxProcessError:
              self.fail("Unexpected subcommand failure retrieving unicodePwd")
author	Andrew Bartlett <abartlet@samba.org>
	Tue, 9 Apr 2024 04:11:16 +0000 (16:11 +1200)
committer	Andrew Bartlett <abartlet@samba.org>
	Tue, 9 Apr 2024 23:59:54 +0000 (23:59 +0000)
auth/credentials/credentials_gmsa.c		patch \| blob \| history
python/samba/tests/blackbox/gmsa.py		patch \| blob \| history