From 64806f37ab08c51d2fac23d7f153c3b2f0c5d984 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 3 Nov 2023 13:51:27 +1300
Subject: [PATCH] tests/krb5: Correct authentication policy SDDL
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

There is no claim called ‘abc’, so the condition ‘(abc)’ is always going to fail. Replace this with a condition using ‘Member_of’.

Furthermore, an ACL containing only Deny ACEs will only ever deny. Add a trailing Allow ACE so that the ACL might allow other principals.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 python/samba/tests/krb5/conditional_ace_tests.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py
index 8d7f8b768a0..64ea865dfb3 100755
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
@@ -3303,7 +3303,9 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 # Create an authentication policy that explicitly denies the machine
 # account for a user.
 allowed = 'O:SYD:(A;;CR;;;WD)'
- denied = f'O:SYD:(XD;;CR;;;{mach_creds.get_sid()};(abc))'
+ denied = (f'O:SYD:(XD;;CR;;;{mach_creds.get_sid()};'
+ f'(Member_of SID({mach_creds.get_sid()})))'
+ f'(A;;CR;;;WD)')
 policy = self.create_authn_policy(enforced=True,
 user_allowed_from=denied,
 service_allowed_from=allowed)
-- 
2.47.3
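Review bot: The new `denied` SDDL calls `mach_creds.get_sid()` twice to build a single ACE; binding it once with `mach_sid = mach_creds.get_sid()` and using `{mach_sid}` for both the trustee and the `Member_of` operand makes it explicit that the two SIDs are deliberately identical, and avoids the second lookup. The comment two lines above the change still describes the policy as one that only denies the machine account, but with the trailing `(A;;CR;;;WD)` it now also allows every other principal, so `# account for a user, while allowing everyone else.` would keep it accurate. Whether the test also asserts that a non-machine principal is accepted under this policy cannot be seen here, since the enclosing test method continues outside the hunk; without such an assertion the added Allow ACE is built but never exercised.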