From: Joseph Sutton Date: Wed, 1 Nov 2023 00:07:54 +0000 (+1300) Subject: tests/krb5: No longer pass two‐component form of TGS principal X-Git-Tag: talloc-2.4.2~866 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=51a4443b04490d412b018f3ef303f77cb7304d10;p=thirdparty%2Fsamba.git tests/krb5: No longer pass two‐component form of TGS principal Samba now handles one‐component TGS principals more correctly. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py index 320fe0dc916..3f316d6c120 100755 --- a/python/samba/tests/krb5/conditional_ace_tests.py +++ b/python/samba/tests/krb5/conditional_ace_tests.py @@ -3419,16 +3419,10 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds = self._get_creds(account_type=self.AccountType.USER, assigned_policy=client_policy) - # FIXME: we need to pass this parameter only because Samba doesn’t - # handle ‘krbtgt@REALM’ principals correctly (see - # https://bugzilla.samba.org/show_bug.cgi?id=15482). - krbtgt_sname = self.get_krbtgt_sname() - # Show that authentication succeeds. self._armored_as_req(client_creds, self.get_krbtgt_creds(), - mach_tgt, - target_sname=krbtgt_sname) + mach_tgt) self.check_as_log(client_creds, armor_creds=mach_creds, @@ -3807,16 +3801,10 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds = self._get_creds(account_type=self.AccountType.USER, assigned_policy=client_policy) - # FIXME: we need to pass this parameter only because Samba doesn’t - # handle ‘krbtgt@REALM’ principals correctly (see - # https://bugzilla.samba.org/show_bug.cgi?id=15482). - krbtgt_sname = self.get_krbtgt_sname() - # Show that authentication succeeds. self._armored_as_req(client_creds, self.get_krbtgt_creds(), - mach_tgt, - target_sname=krbtgt_sname) + mach_tgt) self.check_as_log(client_creds, armor_creds=mach_creds, 
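Review bot: With `target_sname=krbtgt_sname` dropped from every `_armored_as_req` call, none of the calls shown exercises the two-component krbtgt principal any more; the same holds for the hunks at -3807, -3933, -3975 and -5019. The deny paths at -3933 and -3975 (`expected_error=... KDC_ERR_POLICY`) matter most, because a device restriction has to be enforced identically whichever form of the TGS principal the client names, and a regression that applied the policy to one form only would now pass unnoticed. Unless another suite already covers this (not visible from this page), consider keeping one variant per test that still passes `target_sname=self.get_krbtgt_sname()` beside the default call, with a comment such as `# Policy must apply to both 'krbtgt@REALM' and the two-component form.` The enclosing test methods and `_armored_as_req` itself lie outside these hunks, so which name the helper sends by default should be confirmed there.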
@@ -3933,17 +3921,11 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): krbtgt_creds = self.get_krbtgt_creds() - # FIXME: we need to pass this parameter only because Samba doesn’t - # handle ‘krbtgt@REALM’ principals correctly (see - # https://bugzilla.samba.org/show_bug.cgi?id=15482). - krbtgt_sname = self.get_krbtgt_sname() - # Test whether authentication succeeds or fails. self._armored_as_req( client_creds, krbtgt_creds, mach_tgt, - target_sname=krbtgt_sname, expected_error=0 if expect_in_group else KDC_ERR_POLICY) policy_success_args = {} @@ -3975,7 +3957,6 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds, krbtgt_creds, mach_tgt, - target_sname=krbtgt_sname, expected_error=KDC_ERR_POLICY if expect_in_group else 0) self.check_as_log(client_creds, @@ -5019,16 +5000,10 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), } - # FIXME: we need to pass this parameter only because Samba doesn’t - # handle ‘krbtgt@REALM’ principals correctly (see - # https://bugzilla.samba.org/show_bug.cgi?id=15482). - krbtgt_sname = self.get_krbtgt_sname() - # Show that obtaining a service ticket with an AS‐REQ is allowed. self._armored_as_req(client_creds, self.get_krbtgt_creds(), mach_tgt, - target_sname=krbtgt_sname, expected_groups=expected_groups) self.check_as_log(client_creds,