netcmd: Disallow device‐specific attributes and operators for allowed‐to‐authenticate...

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov  9 09:01:25 UTC 2023 on atb-devel-224

diff --git a/python/samba/netcmd/domain/models/auth_policy.py b/python/samba/netcmd/domain/models/auth_policy.py
index df9f936ffa881f9b944ea39a22f02f940eb331e2..c56966c8e5141d5c8b370b37d954222d5221c209 100644 (file)
--- a/python/samba/netcmd/domain/models/auth_policy.py
+++ b/python/samba/netcmd/domain/models/auth_policy.py
@@ -58,11 +58,11 @@ class AuthenticationPolicy(Model):
     service_tgt_lifetime = IntegerField("msDS-ServiceTGTLifetime")
     computer_tgt_lifetime = IntegerField("msDS-ComputerTGTLifetime")
     user_allowed_to_authenticate_from = SDDLField(
-        "msDS-UserAllowedToAuthenticateFrom")
+        "msDS-UserAllowedToAuthenticateFrom", allow_device_in_sddl=False)
     user_allowed_to_authenticate_to = SDDLField(
         "msDS-UserAllowedToAuthenticateTo")
     service_allowed_to_authenticate_from = SDDLField(
-        "msDS-ServiceAllowedToAuthenticateFrom")
+        "msDS-ServiceAllowedToAuthenticateFrom", allow_device_in_sddl=False)
     service_allowed_to_authenticate_to = SDDLField(
         "msDS-ServiceAllowedToAuthenticateTo")
     computer_allowed_to_authenticate_to = SDDLField(

diff --git a/selftest/knownfail.d/device-in-sddl b/selftest/knownfail.d/device-in-sddl
deleted file mode 100644 (file)
index 60dfaf2..0000000
--- a/selftest/knownfail.d/device-in-sddl
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba\.tests\.samba_tool\.domain_auth_policy\.samba\.tests\.samba_tool\.domain_auth_policy\.AuthPolicyCmdTestCase\.test_create__device_attribute_in_sddl_allowed_from\(ad_dc_default\)$
-^samba\.tests\.samba_tool\.domain_auth_policy\.samba\.tests\.samba_tool\.domain_auth_policy\.AuthPolicyCmdTestCase\.test_create__device_operator_in_sddl_allowed_from\(ad_dc_default\)$