tests/krb5: No longer pass two‐component form of TGS principal
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 1 Nov 2023 00:07:54 +0000 (13:07 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 2 Nov 2023 19:14:37 +0000 (19:14 +0000)
Samba now handles one‐component TGS principals more correctly.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/conditional_ace_tests.py

index 320fe0dc9163fc9ef8502c0a61bdece91d2751ea..3f316d6c120f73612757d48ce2e0e02f4591be1e 100755 (executable)
@@ -3419,16 +3419,10 @@ class DeviceRestrictionTests(ConditionalAceBaseTests):
         client_creds = self._get_creds(account_type=self.AccountType.USER,
                                        assigned_policy=client_policy)
 
-        # FIXME: we need to pass this parameter only because Samba doesn’t
-        # handle ‘krbtgt@REALM’ principals correctly (see
-        # https://bugzilla.samba.org/show_bug.cgi?id=15482).
-        krbtgt_sname = self.get_krbtgt_sname()
-
         # Show that authentication succeeds.
         self._armored_as_req(client_creds,
                              self.get_krbtgt_creds(),
-                             mach_tgt,
-                             target_sname=krbtgt_sname)
+                             mach_tgt)
 
         self.check_as_log(client_creds,
                           armor_creds=mach_creds,
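Review bot: With `target_sname=krbtgt_sname` dropped, this call and the ones in the hunks at new lines 3801, 3921, 3957 and 5000 rely on whatever service name `_armored_as_req` builds by default, which is not visible in this diff. If that default is the one-component form, as the commit title suggests, the device-restriction cases (including the `KDC_ERR_POLICY` denials in the 3921 and 3957 hunks) no longer exercise the two-component TGS principal here, and authentication-policy enforcement should hold for both name forms. Consider keeping one case that still passes `target_sname=self.get_krbtgt_sname()`, or adding a short comment such as `# Default TGS sname; two-component form is covered by <test name>` so the coverage stays traceable. The enclosing test methods start and end outside the hunks.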
@@ -3807,16 +3801,10 @@ class DeviceRestrictionTests(ConditionalAceBaseTests):
         client_creds = self._get_creds(account_type=self.AccountType.USER,
                                        assigned_policy=client_policy)
 
-        # FIXME: we need to pass this parameter only because Samba doesn’t
-        # handle ‘krbtgt@REALM’ principals correctly (see
-        # https://bugzilla.samba.org/show_bug.cgi?id=15482).
-        krbtgt_sname = self.get_krbtgt_sname()
-
         # Show that authentication succeeds.
         self._armored_as_req(client_creds,
                              self.get_krbtgt_creds(),
-                             mach_tgt,
-                             target_sname=krbtgt_sname)
+                             mach_tgt)
 
         self.check_as_log(client_creds,
                           armor_creds=mach_creds,
@@ -3933,17 +3921,11 @@ class DeviceRestrictionTests(ConditionalAceBaseTests):
 
         krbtgt_creds = self.get_krbtgt_creds()
 
-        # FIXME: we need to pass this parameter only because Samba doesn’t
-        # handle ‘krbtgt@REALM’ principals correctly (see
-        # https://bugzilla.samba.org/show_bug.cgi?id=15482).
-        krbtgt_sname = self.get_krbtgt_sname()
-
         # Test whether authentication succeeds or fails.
         self._armored_as_req(
             client_creds,
             krbtgt_creds,
             mach_tgt,
-            target_sname=krbtgt_sname,
             expected_error=0 if expect_in_group else KDC_ERR_POLICY)
 
         policy_success_args = {}
@@ -3975,7 +3957,6 @@ class DeviceRestrictionTests(ConditionalAceBaseTests):
             client_creds,
             krbtgt_creds,
             mach_tgt,
-            target_sname=krbtgt_sname,
             expected_error=KDC_ERR_POLICY if expect_in_group else 0)
 
         self.check_as_log(client_creds,
@@ -5019,16 +5000,10 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests):
             (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
         }
 
-        # FIXME: we need to pass this parameter only because Samba doesn’t
-        # handle ‘krbtgt@REALM’ principals correctly (see
-        # https://bugzilla.samba.org/show_bug.cgi?id=15482).
-        krbtgt_sname = self.get_krbtgt_sname()
-
         # Show that obtaining a service ticket with an AS‐REQ is allowed.
         self._armored_as_req(client_creds,
                           self.get_krbtgt_creds(),
                           mach_tgt,
-                          target_sname=krbtgt_sname,
                           expected_groups=expected_groups)
 
         self.check_as_log(client_creds,
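Review bot: The continuation lines of this `_armored_as_req(` call sit three columns short of the opening parenthesis, whereas the same call in the earlier hunks is aligned under `client_creds`. Since the argument list is being edited here anyway, realign `self.get_krbtgt_creds(),`, `mach_tgt,` and `expected_groups=expected_groups)` under `client_creds` to keep the visual indent consistent with the rest of the file. The enclosing test method starts and ends outside the hunk.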