From: Jo Sutton <josutton@catalyst.net.nz>
Date: Fri, 26 Apr 2024 00:50:51 +0000 (+1200)
Subject: tests/krb5: Test that computers (and, by extension, gMSAs) cannot perform interactive... 
X-Git-Tag: tdb-1.4.11~663
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9cbda9cf0e6e5dfe9403d2f26edda640e52e88a;p=thirdparty%2Fsamba.git

tests/krb5: Test that computers (and, by extension, gMSAs) cannot perform interactive logons

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/python/samba/tests/krb5/gmsa_tests.py b/python/samba/tests/krb5/gmsa_tests.py
index fa77e198abf..1ce6add5284 100755
--- a/python/samba/tests/krb5/gmsa_tests.py
+++ b/python/samba/tests/krb5/gmsa_tests.py
@@ -1520,6 +1520,22 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
             validation_level=netlogon.NetlogonValidationSamInfo4,
         )
 
+    def test_computer_cannot_perform_interactive_logon(self):
+        self._test_samlogon(
+            self.get_mach_creds(),
+            netlogon.NetlogonInteractiveInformation,
+            expect_error=ntstatus.NT_STATUS_NO_SUCH_USER,
+            validation_level=netlogon.NetlogonValidationSamInfo4,
+        )
+
+    def test_gmsa_cannot_perform_interactive_logon(self):
+        self._test_samlogon(
+            self.gmsa_account(kerberos_enabled=False),
+            netlogon.NetlogonInteractiveInformation,
+            expect_error=ntstatus.NT_STATUS_NO_SUCH_USER,
+            validation_level=netlogon.NetlogonValidationSamInfo4,
+        )
+
     def _gmsa_can_perform_as_req(self, *, enctype: kcrypto.Enctype) -> None:
         self._as_req(self.gmsa_account(), self.get_service_creds(), enctype)