res[0].get("supplementalCredentials", idx=0)
)
+ # Check that the NT hash is the value we expect.
+ self.assertEqual(creds.get_nt_hash(), previous_nt_hash)
+
# Search for the managed password over LDAP, triggering an update of the
# keys in the database.
res = samdb.search(dn, scope=ldb.SCOPE_BASE, attrs=["msDS-ManagedPassword"])
"supplementalCredentials has not been updated (yet)",
)
+ # Set the new password.
+ managed_pwd = ndr_unpack(gmsa.MANAGEDPASSWORD_BLOB, managed_password)
+ self.assertIsNotNone(
+ managed_pwd.passwords.current, "current password must be present"
+ )
+ creds.set_utf16_password(managed_pwd.passwords.current)
+
+ # Check that the new NT hash is the value we expect.
+ self.assertEqual(creds.get_nt_hash(), nt_hash)
+
def test_authentication_triggers_keys_update(self):
# Create a root key with a start time early enough to be usable at the
# time the gMSA is purported to be created. But don’t create it on a
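Review bot: The NT-hash assertion added at the end of this test, `self.assertEqual(creds.get_nt_hash(), nt_hash)`, carries no failure message, unlike the neighbouring assertion that ends in "supplementalCredentials has not been updated (yet)". The test now compares hashes twice (the `previous_nt_hash` check in the preceding hunk appears to belong to the same test), so a message would show which stage failed, for example `self.assertEqual(creds.get_nt_hash(), nt_hash, "NT hash does not match the current managed password")`. The same applies to the pair of checks added in test_authentication_triggers_keys_update. `managed_password` is assigned outside this hunk; if it can be None when the attribute is not returned, an `assertIsNotNone` before `ndr_unpack` would give a clearer failure than an unpack error, which is worth confirming against the full method. The enclosing test method begins outside the hunk.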
res[0].get("supplementalCredentials", idx=0)
)
+ # Check that the NT hash is the value we expect.
+ self.assertEqual(creds.get_nt_hash(), previous_nt_hash)
+
# Calculate the password with which to authenticate.
managed_pwd = self.expected_current_gmsa_password_blob(
samdb, creds, future_key_is_acceptable=False
"supplementalCredentials has not been updated (yet)",
)
+ # Check that the new NT hash is the value we expect.
+ self.assertEqual(creds.get_nt_hash(), nt_hash)
+
def test_gmsa_can_perform_gensec_ntlmssp_logon(self):
creds = self.gmsa_account(kerberos_enabled=False)