From: Joseph Sutton Date: Tue, 20 Jun 2023 04:48:58 +0000 (+1200) Subject: tests/krb5: Adjust authentication policy RBCD tests to expect appropriate failure... X-Git-Tag: talloc-2.4.1~165 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fc33033bacfe9f800678bd41977d3a20f5072bc0;p=thirdparty%2Fsamba.git tests/krb5: Adjust authentication policy RBCD tests to expect appropriate failure statuses Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher
---
diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py
index 5ffdba41e99..b2625cc4013 100755
--- a/python/samba/tests/krb5/authn_policy_tests.py
+++ b/python/samba/tests/krb5/authn_policy_tests.py
@@ -5382,18 +5382,24 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
 self.discardMessages()
 
 # Show that obtaining a service ticket with RBCD is not allowed.
- self._tgs_req(service_tgt, KDC_ERR_POLICY, service_creds, target_creds,
- armor_tgt=mach_tgt,
- kdc_options=kdc_options,
- pac_options='1001', # supports claims, RBCD
- additional_ticket=client_service_tkt,
- decryption_key=target_decryption_key,
- expect_edata=self.expect_padata_outer,
- check_patypes=False)
+ self._tgs_req(
+ service_tgt, KDC_ERR_POLICY, service_creds, target_creds,
+ armor_tgt=mach_tgt,
+ kdc_options=kdc_options,
+ pac_options='1001', # supports claims, RBCD
+ additional_ticket=client_service_tkt,
+ decryption_key=target_decryption_key,
+ expect_edata=self.expect_padata_outer,
+ expected_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ check_patypes=False)
 
- self.check_tgs_log(client_creds, target_creds,
- policy=policy,
- checked_creds=service_creds)
+ self.check_tgs_log(
+ service_creds, target_creds,
+ policy=policy,
+ checked_creds=service_creds,
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED)
 
 def test_authn_policy_allowed_to_user_allow_rbcd_wrong_sname(self):
 samdb = self.get_samdb()
@@ -5460,8 +5466,9 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
 expect_edata=self.expect_padata_outer,
 check_patypes=False)
 
- self.check_tgs_log(client_creds, target_creds,
- checked_creds=service_creds)
+ self.check_tgs_log(service_creds, target_creds,
+ checked_creds=service_creds,
+ status=ntstatus.NT_STATUS_UNSUCCESSFUL)
 
 def test_authn_policy_allowed_to_user_allow_constrained_delegation_to_self(self):
 samdb = self.get_samdb()
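Review bot: The first positional argument of `check_tgs_log` flips from `client_creds` to `service_creds` in the same hunk that adds the `status`, `event` and `reason` keywords, and nothing in the test says why the audited client is no longer the impersonated user. Presumably the TGS-REQ is issued by the service with its own TGT (the S4U2Proxy leg), so the audit record's client field holds the service; a one-line comment above the call would stop the next reader from taking it for a slip, e.g. `# The service sends the TGS-REQ with its own TGT, so it, not the impersonated client, is the logged client.` The same `NT_STATUS_AUTHENTICATION_FIREWALL_FAILED` constant now appears in both `expected_status=` and `status=`; binding it once to a local keeps the KDC reply and the audit line asserted in lockstep if one is later changed. The enclosing test method starts before this hunk.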
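Review bot: The log assertion at the end of the second hunk pins `status=ntstatus.NT_STATUS_UNSUCCESSFUL`, but the visible tail of the `_tgs_req` call above it (`expect_edata=self.expect_padata_outer, check_patypes=False)`) carries no `expected_status=`, unlike the call in the first hunk, so the status the KDC returns in its e-data may be unchecked while the audit line's is. The call begins outside the hunk, so this may already be covered earlier in the argument list; if it is not, adding `expected_status=ntstatus.NT_STATUS_UNSUCCESSFUL,` keeps both sides of the exchange asserted. The first argument also changes from `client_creds` to `service_creds` here without a comment on why the service is the logged client.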
@@ -5974,8 +5981,11 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
 expect_edata=self.expect_padata_outer,
 check_patypes=False)
- self.check_tgs_log(client_creds, service_creds,
- policy=policy,
+ self.check_tgs_log(service_creds, service_creds,
+ # The failure is not due to a policy error, so no
+ # policy appears in the logs.
+ policy=None,
+ status=ntstatus.NT_STATUS_UNSUCCESSFUL,
 checked_creds=service_creds)
 
 def test_authn_policy_allowed_to_computer_allow_user2user(self):
 samdb = self.get_samdb()
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 180b2efbf99..4ffeb5ab6a4 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -80,8 +80,6 @@
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_empty.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_rbcd.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_rbcd_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_rbcd_wrong_sname.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_rbcd.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_rbcd_to_self.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_not_allowed_rbcd_to_self.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_rbcd_not_allowed_from.ad_dc
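Review bot: `check_tgs_log(service_creds, service_creds, ...)` passes the same credentials as client and target, and the added comment explains only why `policy=None`, not why the two arguments coincide; the enclosing test method starts before this hunk, so a reader of the diff cannot tell whether this is a delegation-to-self case or a copy-paste of `service_creds` into the slot where the removed line had `client_creds`. Extending the comment to cover both would settle it, e.g. `# The service requests a ticket to itself, so it is both the logged client and the target; the failure is not a policy error, so no policy appears in the logs.`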
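Review bot: The two entries dropped from knownfail_heimdal_kdc are the tests whose expectation became the generic `NT_STATUS_UNSUCCESSFUL`, while the `allow_rbcd`, `deny_rbcd` and `..._to_self` entries stay listed, which suggests the Heimdal KDC build still does not produce the `NT_STATUS_AUTHENTICATION_FIREWALL_FAILED` status and `KERBEROS_SERVER_RESTRICTION` audit event that the hunks above now assert for RBCD policy denials. That is only inferable by cross-reading the two files; if the knownfail format accepts `#` comments, a line such as `# Heimdal KDC does not yet report authentication policy RBCD denials with the firewall status/event` above the remaining entries would record what is still missing rather than leaving it to look like an oversight. The `allowed_to_empty` and `rbcd_not_allowed_from` entries correspond to tests outside the changes shown, so I cannot tell from this diff what they wait on.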