tests/krb5: Test that the Service Asserted Identity SID is not regarded from an RODC...

author Joseph Sutton <josephsutton@catalyst.net.nz>

Mon, 30 Oct 2023 02:20:59 +0000 (15:20 +1300)

committer Andrew Bartlett <abartlet@samba.org>

Wed, 1 Nov 2023 20:10:45 +0000 (20:10 +0000)
author Joseph Sutton <josephsutton@catalyst.net.nz>
Mon, 30 Oct 2023 02:20:59 +0000 (15:20 +1300)
committer Andrew Bartlett <abartlet@samba.org>
Wed, 1 Nov 2023 20:10:45 +0000 (20:10 +0000)
diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py

index b72bbb25093a56063fd70de4a8c84a39fb320bd1..c69ce9db0c39194c260577bf041b3e8875d4d010 100755 (executable)
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
@@ -2793,7 +2793,11 @@ class ConditionalAceTests(ConditionalAceBaseTests):
          self._tgs(f'Member_of SID({self.service_asserted_identity})',
                    client_from_rodc=True,
                    client_sids=client_sids,
-                  expected_groups=client_sids)
+                  code=KDC_ERR_POLICY,
+                  status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+                  event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+                  reason=AuditReason.ACCESS_DENIED,
+                  edata=self.expect_padata_outer)
  
      def test_tgs_with_service_asserted_identity_device_from_rodc(self):
          client_sids = {
@@ -2819,8 +2823,11 @@ class ConditionalAceTests(ConditionalAceBaseTests):
                    client_from_rodc=True,
                    device_from_rodc=True,
                    client_sids=client_sids,
-                  expected_groups=client_sids,
-                  code=(0, CRASHES_WINDOWS))
+                  code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
+                  status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+                  event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+                  reason=AuditReason.ACCESS_DENIED,
+                  edata=self.expect_padata_outer)
  
      def test_tgs_without_claims_valid(self):
          client_sids = {
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc

index d59a8cff84d35310372f03f236ffbdfffb0b954f..d55d2bc00ab866645d855c8984d28286f76ee4ea 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -127,8 +127,6 @@
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_both_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_client_from_rodc\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_both_from_rodc\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\)
  ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_delegating_proxy_in_network_group_rbcd\(ad_dc\)$
author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Mon, 30 Oct 2023 02:20:59 +0000 (15:20 +1300)
committer	Andrew Bartlett <abartlet@samba.org>
	Wed, 1 Nov 2023 20:10:45 +0000 (20:10 +0000)
python/samba/tests/krb5/conditional_ace_tests.py		patch \| blob \| blame \| history
selftest/knownfail_heimdal_kdc		patch \| blob \| blame \| history