From: Joseph Sutton Date: Tue, 13 Jun 2023 22:58:12 +0000 (+1200) Subject: tests/krb5: Add a couple of authentication policy tests X-Git-Tag: talloc-2.4.1~383 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=117bba98a119d57f7591e2fa0c776333288da063;p=thirdparty%2Fsamba.git tests/krb5: Add a couple of authentication policy tests Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py
index e08ca0c4d51..0fc83726127 100755
--- a/python/samba/tests/krb5/authn_policy_tests.py
+++ b/python/samba/tests/krb5/authn_policy_tests.py
@@ -1565,6 +1565,44 @@ class AuthnPolicyTests(KdcTgsBaseTests):
                       expect_status=True,
                       expected_status=ntstatus.NT_STATUS_INVALID_WORKSTATION)
 
+    def test_authn_policy_allowed_from_no_fast_negative_lifetime(self):
+        # Create an authentication policy that restricts
+        # authentication. Include some negative TGT lifetimes for testing what
+        # gets logged.
+        allowed_from = 'O:SY'
+        policy_id = self.get_new_username()
+        policy = self.create_authn_policy(policy_id,
+                                          enforced=True,
+                                          user_allowed_from=allowed_from,
+                                          user_tgt_lifetime=-115,
+                                          computer_tgt_lifetime=-235,
+                                          service_tgt_lifetime=-355)
+
+        # Create a user account with the assigned policy.
+        client_creds = self._get_creds(account_type=self.AccountType.USER,
+                                       assigned_policy=policy)
+
+        # Show that we cannot authenticate without using an armor ticket.
+        self._get_tgt(client_creds, expected_error=KDC_ERR_POLICY,
+                      expect_status=True,
+                      expected_status=ntstatus.NT_STATUS_INVALID_WORKSTATION)
+
+    def test_authn_policy_allowed_from_no_fast_unenforced(self):
+        # Create an unenforced authentication policy that restricts
+        # authentication.
+        allowed_from = 'O:SY'
+        policy_id = self.get_new_username()
+        policy = self.create_authn_policy(policy_id,
+                                          enforced=False,
+                                          user_allowed_from=allowed_from)
+
+        # Create a user account with the assigned policy.
+        client_creds = self._get_creds(account_type=self.AccountType.USER,
+                                       assigned_policy=policy)
+
+        # Show that we don’t get an error when the policy is unenforced.
+        self._get_tgt(client_creds)
+
     def test_authn_policy_allowed_from_user_allow_group_not_a_member(self):
         samdb = self.get_samdb()
 
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index c00fc68ac12..737e952b0da 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
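Review bot: The comment in `test_authn_policy_allowed_from_no_fast_negative_lifetime` says the negative TGT lifetimes are there "for testing what gets logged", but nothing in the method inspects a log — its assertions are identical to the existing `test_authn_policy_allowed_from_no_fast`, so a regression in how negative `user_tgt_lifetime`/`computer_tgt_lifetime`/`service_tgt_lifetime` values are rendered in the audit message would not be caught here. If the harness can capture the authentication audit events, assert on them; otherwise make the comment honest about the coverage, e.g. `# Include negative TGT lifetimes so the audit-log formatting path is exercised (the log output itself is not asserted here).` The unenforced test likewise only checks that `_get_tgt(client_creds)` succeeds; an audit-mode policy is presumably still expected to evaluate the `allowed_from` SDDL and log the would-be denial, so if that is observable it is worth asserting, since a KDC that skipped policy evaluation entirely for unenforced policies would also pass this test. Both new methods are complete within the hunk; the enclosing `AuthnPolicyTests` class starts outside it.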
@@ -77,6 +77,7 @@
 # Authentication policy tests
 #
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_no_fast.ad_dc
+^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_no_fast_negative_lifetime.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_no_owner.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_service_deny.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_service_deny_from_rodc.ad_dc
diff --git a/selftest/knownfail_mit_kdc_1_20 b/selftest/knownfail_mit_kdc_1_20
index 4338f636f76..1a3f1c6fd37 100644
--- a/selftest/knownfail_mit_kdc_1_20
+++ b/selftest/knownfail_mit_kdc_1_20
@@ -67,3 +67,7 @@
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_primary_domain_local_no_compression_as_req_to_service.ad_dc
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_primary_universal_as_req_to_service.ad_dc
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_universal_as_req_to_service.ad_dc
+#
+# Authentication policy tests
+#
+^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_no_fast_negative_lifetime.ad_dc
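Review bot: In `knownfail_mit_kdc_1_20` only the new `..._no_fast_negative_lifetime` test is marked as a known failure, while its sibling `test_authn_policy_allowed_from_no_fast` — identical apart from the negative `*_tgt_lifetime` values — does not appear in that file, so the MIT failure presumably comes from how that KDC handles negative lifetimes rather than from the allowed-from check itself. Since this hunk also introduces the "Authentication policy tests" section to the MIT list, a one-line comment above the new entry naming the actual cause (e.g. `# MIT KDC: fails on negative TGT lifetimes in the assigned policy` if that is what was observed) would spare the next reader from bisecting the two tests. The Heimdal entry sits next to the existing `no_fast` knownfail, so no such note is needed there.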