tests/krb5: Test that computers (and, by extension, gMSAs) cannot perform interactive...

[thirdparty/samba.git] / python / samba / tests / krb5 / gmsa_tests.py

diff --git a/python/samba/tests/krb5/gmsa_tests.py b/python/samba/tests/krb5/gmsa_tests.py
index fa77e198abf7fdd3b4381b3aef6f23a949ee4131..1ce6add528460961a652b2b715a7e9523301e4f7 100755 (executable)
--- a/python/samba/tests/krb5/gmsa_tests.py
+++ b/python/samba/tests/krb5/gmsa_tests.py
@@ -1520,6 +1520,22 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
             validation_level=netlogon.NetlogonValidationSamInfo4,
         )
 
+    def test_computer_cannot_perform_interactive_logon(self):
+        self._test_samlogon(
+            self.get_mach_creds(),
+            netlogon.NetlogonInteractiveInformation,
+            expect_error=ntstatus.NT_STATUS_NO_SUCH_USER,
+            validation_level=netlogon.NetlogonValidationSamInfo4,
+        )
+
+    def test_gmsa_cannot_perform_interactive_logon(self):
+        self._test_samlogon(
+            self.gmsa_account(kerberos_enabled=False),
+            netlogon.NetlogonInteractiveInformation,
+            expect_error=ntstatus.NT_STATUS_NO_SUCH_USER,
+            validation_level=netlogon.NetlogonValidationSamInfo4,
+        )
+
     def _gmsa_can_perform_as_req(self, *, enctype: kcrypto.Enctype) -> None:
         self._as_req(self.gmsa_account(), self.get_service_creds(), enctype)