s4:testprogs Show that we no longer delete the old keytab entries

By using a CCACHE obtained while the old password was still valid, we
can tell if the server still accepts incoming Kerberos connections
with the old password.

Andrew Bartlett

1 files changed, 5 insertions, 3 deletions

diff --git a/testprogs/blackbox/test_chgdcpass.sh b/testprogs/blackbox/test_chgdcpass.sh
index 24708adaa8..7b89e5dcdd 100755
--- a/testprogs/blackbox/test_chgdcpass.sh
+++ b/testprogs/blackbox/test_chgdcpass.sh
@@ -49,11 +49,13 @@ KRB5CCNAME="$PREFIX/tmpccache"
 export KRB5CCNAME
 rm -f $KRB5CCNAME
 testit "kinit with keytab" $samba4kinit $enctype -t $PROVDIR/private/secrets.keytab --use-keytab $USERNAME   || failed=`expr $failed + 1`
-testit "change dc password" ./scripting/devel/chgtdcpass -s $PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
-test_smbclient "Test login with kerberos ccache after password change" 'ls' -k yes || failed=`expr $failed + 1`
 
+#This is important because it puts the ticket for the old KVNO and password into a local ccache
+test_smbclient "Test login with kerberos ccache before password change" 'ls' -k yes || failed=`expr $failed + 1`
+testit "change dc password" ./scripting/devel/chgtdcpass -s $PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
 
-#This is important because it shows that the old password remains valid (as it must) for incoming connections after the DC password is changed
+#This is important because it shows that the old ticket remains valid (as it must) for incoming connections after the DC password is changed
+test_smbclient "Test login with kerberos ccache after password change" 'ls' -k yes || failed=`expr $failed + 1`
 
 #This confirms that the DC password is valid for a kinit too
 testit "kinit with keytab" $samba4kinit $enctype -t $PROVDIR/private/secrets.keytab --use-keytab $USERNAME   || failed=`expr $failed + 1`