From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 7 Nov 2023 02:44:21 +0000 (+1300)
Subject: netcmd: Disallow device‐specific attributes and operators for allowed‐to‐authenticate... 
X-Git-Tag: talloc-2.4.2~786
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fb867873d872f78c652099637d3ee74d09426821;p=thirdparty%2Fsamba.git

netcmd: Disallow device‐specific attributes and operators for allowed‐to‐authenticate‐from fields

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov  9 09:01:25 UTC 2023 on atb-devel-224
---

diff --git a/python/samba/netcmd/domain/models/auth_policy.py b/python/samba/netcmd/domain/models/auth_policy.py
index df9f936ffa8..c56966c8e51 100644
--- a/python/samba/netcmd/domain/models/auth_policy.py
+++ b/python/samba/netcmd/domain/models/auth_policy.py
@@ -58,11 +58,11 @@ class AuthenticationPolicy(Model):
     service_tgt_lifetime = IntegerField("msDS-ServiceTGTLifetime")
     computer_tgt_lifetime = IntegerField("msDS-ComputerTGTLifetime")
     user_allowed_to_authenticate_from = SDDLField(
-        "msDS-UserAllowedToAuthenticateFrom")
+        "msDS-UserAllowedToAuthenticateFrom", allow_device_in_sddl=False)
     user_allowed_to_authenticate_to = SDDLField(
         "msDS-UserAllowedToAuthenticateTo")
     service_allowed_to_authenticate_from = SDDLField(
-        "msDS-ServiceAllowedToAuthenticateFrom")
+        "msDS-ServiceAllowedToAuthenticateFrom", allow_device_in_sddl=False)
     service_allowed_to_authenticate_to = SDDLField(
         "msDS-ServiceAllowedToAuthenticateTo")
     computer_allowed_to_authenticate_to = SDDLField(
diff --git a/selftest/knownfail.d/device-in-sddl b/selftest/knownfail.d/device-in-sddl
deleted file mode 100644
index 60dfaf2ed06..00000000000
--- a/selftest/knownfail.d/device-in-sddl
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba\.tests\.samba_tool\.domain_auth_policy\.samba\.tests\.samba_tool\.domain_auth_policy\.AuthPolicyCmdTestCase\.test_create__device_attribute_in_sddl_allowed_from\(ad_dc_default\)$
-^samba\.tests\.samba_tool\.domain_auth_policy\.samba\.tests\.samba_tool\.domain_auth_policy\.AuthPolicyCmdTestCase\.test_create__device_operator_in_sddl_allowed_from\(ad_dc_default\)$