tests/krb5: Don’t consider RODC‐issued tickets to be banned with RBCD
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 17 Oct 2023 00:34:29 +0000 (13:34 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 17 Oct 2023 03:19:38 +0000 (03:19 +0000)
If we’re verifying that a ticket was permitted to be issued by an RODC,
and not trusting the group SIDs in the ticket, is there any reason to
ban its use with RBCD?

A client holding an RODC‐issued ticket that happens to direct an RBCD request
at a DC should not have that request fail for no apparent reason.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/conditional_ace_tests.py
selftest/knownfail_heimdal_kdc

index 5c5616ce1f1891862fe6903142aebfe655b542a8..4d006d5bc5a0183eac8e07b9794e1d352ac47767 100755 (executable)
@@ -2150,7 +2150,6 @@ class ConditionalAceTests(ConditionalAceBaseTests):
     def test_rbcd_service_from_rodc(self):
         self._rbcd('Member_of SID({service_sid})',
                    service_from_rodc=True,
-                   code=KDC_ERR_BADOPTION,
                    edata=self.expect_padata_outer)
 
     def test_rbcd_device_and_service_from_rodc(self):
@@ -2162,7 +2161,6 @@ class ConditionalAceTests(ConditionalAceBaseTests):
     def test_rbcd_client_from_rodc(self):
         self._rbcd('Member_of SID({service_sid})',
                    client_from_rodc=True,
-                   code=KDC_ERR_MODIFIED,
                    edata=self.expect_padata_outer)
 
     def test_rbcd_client_and_device_from_rodc(self):
@@ -2175,7 +2173,6 @@ class ConditionalAceTests(ConditionalAceBaseTests):
         self._rbcd('Member_of SID({service_sid})',
                    client_from_rodc=True,
                    service_from_rodc=True,
-                   code=KDC_ERR_BADOPTION,
                    edata=self.expect_padata_outer)
 
     def test_rbcd_all_from_rodc(self):
@@ -2455,9 +2452,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
         self._tgs(f'Member_of SID({self.aa_asserted_identity})',
                   client_from_rodc=True,
                   client_sids=client_sids,
-                  expected_groups=client_sids,
-                  code=KDC_ERR_POLICY,
-                  edata=self.expect_padata_outer)
+                  expected_groups=client_sids)
 
     def test_tgs_with_aa_asserted_identity_device_from_rodc(self):
         client_sids = {
@@ -2560,9 +2555,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
         self._tgs(f'Member_of SID({self.service_asserted_identity})',
                   client_from_rodc=True,
                   client_sids=client_sids,
-                  expected_groups=client_sids,
-                  code=KDC_ERR_POLICY,
-                  edata=self.expect_padata_outer)
+                  expected_groups=client_sids)
 
     def test_tgs_with_service_asserted_identity_device_from_rodc(self):
         client_sids = {
@@ -2665,9 +2658,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
         self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})',
                   client_from_rodc=True,
                   client_sids=client_sids,
-                  expected_groups=client_sids,
-                  code=KDC_ERR_POLICY,
-                  edata=self.expect_padata_outer)
+                  expected_groups=client_sids)
 
     def test_tgs_with_claims_valid_device_from_rodc(self):
         client_sids = {
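Review bot: The three `_rbcd` hunks (`test_rbcd_service_from_rodc`, `test_rbcd_client_from_rodc`, and the `client_from_rodc=True, service_from_rodc=True` call whose `def` line lies outside its hunk) drop `code=` but keep `edata=self.expect_padata_outer`, whereas the three `_tgs` hunks drop `code=` and `edata=` together. If `_rbcd` now expects the request to succeed, an error-data expectation has nothing to check against and reads as a leftover; unless the helper gives `edata` meaning on the success path (not visible here), the consistent edit is to delete the `edata=self.expect_padata_outer` line in those three calls as well. It would also help a future reader to record why success is now the expected outcome, e.g. a comment above the first such call: `# RODC-issued tickets are accepted for RBCD: the KDC verifies the RODC was allowed to issue them and does not trust their group SIDs.` Separately, `test_rbcd_client_from_rodc` still appears as a context line in `selftest/knownfail_heimdal_kdc` while its `code=KDC_ERR_MODIFIED` is removed here, so it presumably still fails on Heimdal for another reason — worth confirming that is intended.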
index 2ef041b6a29785e284357d39cb53229a5bac53e5..143206a450a3e088157e5e6576e3e707d648558f 100644 (file)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_all_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_service_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_and_service_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_claims_valid\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_compounded_auth\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_service_asserted_identity\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_service_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_both_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_device_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\)