From: Joseph Sutton Date: Mon, 16 Oct 2023 23:01:34 +0000 (+1300) Subject: tests/krb5: Add test for an authentication policy that allows a specific account X-Git-Tag: talloc-2.4.2~819 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c277a4d3631f2c1b5cd0a32bc5dfcccaafef9cb9;p=thirdparty%2Fsamba.git tests/krb5: Add test for an authentication policy that allows a specific account This is a counterpart to ‘test_conditional_ace_allowed_from_user_deny’. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py
index 64ea865dfb3..d43e6f9c141 100755
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
@@ -3294,6 +3294,34 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 event=event,
 reason=reason)
 
+ def test_conditional_ace_allowed_from_user_allow(self):
+ # Create a machine account with which to perform FAST.
+ mach_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER)
+ mach_tgt = self.get_tgt(mach_creds)
+
+ # Create an authentication policy that explicitly allows the machine
+ # account for a user.
+ allowed = (f'O:SYD:(XA;;CR;;;{mach_creds.get_sid()};'
+ f'(Member_of SID({mach_creds.get_sid()})))')
+ denied = 'O:SYD:(D;;CR;;;WD)'
+ policy = self.create_authn_policy(enforced=True,
+ user_allowed_from=allowed,
+ service_allowed_from=denied)
+
+ # Create a user account with the assigned policy.
+ client_creds = self._get_creds(account_type=self.AccountType.USER,
+ assigned_policy=policy)
+
+ # Show that authentication succeeds.
+ self._get_tgt(client_creds, armor_tgt=mach_tgt,
+ expected_error=0)
+
+ self.check_as_log(
+ client_creds,
+ armor_creds=mach_creds,
+ client_policy=policy)
+
 def test_conditional_ace_allowed_from_user_deny(self):
 # Create a machine account with which to perform FAST.
 mach_creds = self.get_cached_creds(
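Review bot: The new `test_conditional_ace_allowed_from_user_allow` leaves its two security descriptors unexplained: `allowed` names the same machine SID both as the XA trustee and as the `Member_of SID(...)` operand, so a success here is compatible with an evaluator that honours the trustee and ignores the conditional expression entirely, and only the counterpart `_deny` test named in the commit message shows the condition actually being evaluated — a one-line comment above `allowed` saying that this test covers the condition-true path and relies on the deny counterpart for the condition-false path would make that dependency explicit. The deny-all `denied` descriptor passed as `service_allowed_from` is never exercised by the single AS-REQ; presumably it is there to show that only the user-side policy governs this request, so a comment such as `# service_allowed_from is deny-all on purpose: only the user policy should decide this AS-REQ` would record the intent (confirm this is the reason). Binding the SID once, `mach_sid = mach_creds.get_sid()`, and using it in both f-string fragments would also remove the duplicated call and make the trustee/condition pairing easier to read. The `check_as_log(... event=event, reason=reason)` call at the top of the hunk belongs to a method whose start is outside the hunk.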