tests/krb5: Expect a status code with policy errors

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py
index 4d006d5bc5a0183eac8e07b9794e1d352ac47767..cb8fce74efdf3da101051bdc15df16343f429cf1 100755 (executable)
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
@@ -2404,6 +2404,9 @@ class ConditionalAceTests(ConditionalAceBaseTests):
                   client_sids=client_sids,
                   expected_groups=client_sids,
                   code=KDC_ERR_POLICY,
+                  status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+                  event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+                  reason=AuditReason.ACCESS_DENIED,
                   edata=self.expect_padata_outer)
 
     def test_tgs_without_aa_asserted_identity_device_from_rodc(self):
@@ -2507,6 +2510,9 @@ class ConditionalAceTests(ConditionalAceBaseTests):
                   client_sids=client_sids,
                   expected_groups=client_sids,
                   code=KDC_ERR_POLICY,
+                  status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+                  event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+                  reason=AuditReason.ACCESS_DENIED,
                   edata=self.expect_padata_outer)
 
     def test_tgs_without_service_asserted_identity_device_from_rodc(self):
@@ -2610,6 +2616,9 @@ class ConditionalAceTests(ConditionalAceBaseTests):
                   client_sids=client_sids,
                   expected_groups=client_sids,
                   code=KDC_ERR_POLICY,
+                  status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+                  event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+                  reason=AuditReason.ACCESS_DENIED,
                   edata=self.expect_padata_outer)
 
     def test_tgs_without_claims_valid_device_from_rodc(self):

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 143206a450a3e088157e5e6576e3e707d648558f..15f1ba75d3e467ed85ba1c878d7becf9e0464c33 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -150,10 +150,8 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_device_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_claims_valid_both_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_claims_valid_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_claims_valid_device_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_both_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_device_from_rodc\(ad_dc\)
 #
 # Conditional ACE device restrictions