There is no claim called ‘abc’, so the condition ‘(abc)’ is always going
to fail. Replace this with a condition using ‘Member_of’.
Furthermore, an ACL containing only Deny ACEs will only ever deny. Add a
trailing Allow ACE so that the ACL might allow other principals.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
# Create an authentication policy that explicitly denies the machine
# account for a user.
allowed = 'O:SYD:(A;;CR;;;WD)'
- denied = f'O:SYD:(XD;;CR;;;{mach_creds.get_sid()};(abc))'
+ denied = (f'O:SYD:(XD;;CR;;;{mach_creds.get_sid()};'
+ f'(Member_of SID({mach_creds.get_sid()})))'
+ f'(A;;CR;;;WD)')
policy = self.create_authn_policy(enforced=True,
user_allowed_from=denied,
service_allowed_from=allowed)
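Review bot: The condition in the new `denied` string, `Member_of SID({mach_creds.get_sid()})`, tests the same SID the ACE already names as its trustee, so for the machine account the condition can never be false and the deny is effectively unconditional. That is fine if the goal is only to exercise a syntactically valid conditional Deny ACE, but it does not show that the `Member_of` condition itself is evaluated; consider a second variant whose condition references a group the machine account is not a member of, and assert that the deny does not fire there. Likewise, the trailing `(A;;CR;;;WD)` is added so that the ACL "might allow other principals", but nothing in this hunk passes a principal other than `mach_creds` through `user_allowed_from=denied`; an assertion that some other client is allowed by that policy would make the new Allow ACE load-bearing rather than decorative. Note also that the string now relies on ACE ordering (Deny before Allow), which is worth a comment next to `denied = (...)`.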