diff --git a/authentik/sources/kerberos/signals.py b/authentik/sources/kerberos/signals.py index d535984a95d5..34ac7a0f36f2 100644 --- a/authentik/sources/kerberos/signals.py +++ b/authentik/sources/kerberos/signals.py @@ -33,7 +33,7 @@ def kerberos_sync_password(sender, user: User, password: str, **_): """Connect to kerberos and update password.""" user_source_connections = UserKerberosSourceConnection.objects.select_related( "source__kerberossource" - ).filter(user=user, source__kerberossource__sync_users_password=True) + ).filter(user=user, source__kerberossource__sync_users=True, source__kerberossource__sync_users_password=True) for user_source_connection in user_source_connections: source = user_source_connection.source.kerberossource with Krb5ConfContext(source): diff --git a/authentik/sources/kerberos/tests/test_auth.py b/authentik/sources/kerberos/tests/test_auth.py index b8f350531778..e11555a7084d 100644 --- a/authentik/sources/kerberos/tests/test_auth.py +++ b/authentik/sources/kerberos/tests/test_auth.py @@ -1,5 +1,6 @@ """Kerberos Source Auth tests""" +from django.contrib.auth.hashers import is_password_usable from authentik.core.models import User from authentik.lib.generators import generate_id from authentik.sources.kerberos.auth import KerberosBackend @@ -16,8 +17,11 @@ def setUp(self): slug="kerberos", realm=self.realm.realm, sync_users=False, + sync_users_password=False, + password_login_update_internal_password=True, ) self.user = User.objects.create(username=generate_id()) + self.user.set_unusable_password() UserKerberosSourceConnection.objects.create( source=self.source, user=self.user, identifier=self.realm.user_princ ) @@ -41,3 +45,12 @@ def test_auth_principal(self): ), self.user, ) + + def test_internal_password_update(self): + """Test internal password update""" + backend = KerberosBackend() + backend.authenticate( + None, username=self.realm.user_princ, password=self.realm.password("user") + ) + self.user.refresh_from_db() + self.assertTrue(is_password_usable(self.user.password))