authorJoseph Sutton <josephsutton@catalyst.net.nz>2023-10-30 16:12:36 +1300
committerAndrew Bartlett <abartlet@samba.org>2023-11-01 20:10:45 +0000
commitdc1e2b41ca4bbd9882c2bcf5aa0bca217002fb80 (patch)
tree12d02f3a5864fa86fcc820ef45b37b8c29dd285c
parent947d3e5932e128fdbe782477e981087d8cf5bc26 (diff)
tests/krb5: Test that the Claims Valid SID is added to RODC‐issued PACs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rwxr-xr-xpython/samba/tests/krb5/authn_policy_tests.py11
-rwxr-xr-xpython/samba/tests/krb5/conditional_ace_tests.py34
-rw-r--r--selftest/knownfail_heimdal_kdc5
3 files changed, 30 insertions, 20 deletions
diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py
index 3d70e9a730c..43a975fac8e 100755
--- a/python/samba/tests/krb5/authn_policy_tests.py
+++ b/python/samba/tests/krb5/authn_policy_tests.py
@@ -4432,16 +4432,11 @@ class AuthnPolicyTests(AuthnPolicyBaseTests):
target_creds = self._get_creds(account_type=self.AccountType.COMPUTER,
assigned_policy=policy)
- # Show that obtaining a service ticket is not allowed.
- self._tgs_req(tgt, KDC_ERR_POLICY, client_creds, target_creds,
+ # Show that obtaining a service ticket is allowed.
+ self._tgs_req(tgt, 0, client_creds, target_creds,
armor_tgt=mach_tgt)
- self.check_tgs_log(
- client_creds, target_creds,
- policy=policy,
- status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
- event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
- reason=AuditReason.ACCESS_DENIED)
+ self.check_tgs_log(client_creds, target_creds, policy=policy)
def test_authn_policy_allowed_to_computer_allow_compounded_authn_from_rodc(self):
# Create a machine account with which to perform FAST.
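Review bot: The replacement comment `# Show that obtaining a service ticket is allowed.` states the new outcome but not why a request that used to fail with KDC_ERR_POLICY now succeeds, which is the point of the change. Going by the commit title, the reason is that the KDC adds the Claims Valid SID to the PAC of an RODC-issued TGT, so the policy condition is met; suggest `# Show that obtaining a service ticket is allowed: the KDC adds the Claims Valid SID to the RODC-issued TGT's PAC, so the policy condition is satisfied.` Since this same test is added to selftest/knownfail_heimdal_kdc in this commit, a second comment line noting that the Heimdal KDC does not yet behave this way would save the next reader a detour. The enclosing test method begins above the hunk.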
diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py
index c69ce9db0c3..c5fc8a6ae76 100755
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
@@ -2680,10 +2680,14 @@ class ConditionalAceTests(ConditionalAceBaseTests):
(self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs),
}
+ expected_groups = client_sids | {
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+ }
+
self._tgs(f'Member_of SID({self.aa_asserted_identity})',
client_from_rodc=True,
client_sids=client_sids,
- expected_groups=client_sids)
+ expected_groups=expected_groups)
def test_tgs_with_aa_asserted_identity_device_from_rodc(self):
client_sids = {
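Review bot: The `expected_groups = client_sids | {(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs)}` construction added here is repeated verbatim in the three following hunks (the ones ending at the `test_tgs_without_service_asserted_identity`, `test_tgs_without_claims_valid_device_from_rodc` and `test_tgs_with_claims_valid` context lines), so the expectation of what an RODC-issued PAC contains now lives in four places. A small helper on the test class would keep that expectation in one spot with a docstring, and if the attributes carried by the Claims Valid SID ever change only the helper needs editing. Each of these test methods starts above its hunk.
```python
    def _rodc_expected_groups(self, client_sids):
        """Groups expected in an RODC-issued PAC: the client's SIDs plus Claims Valid."""
        return client_sids | {
            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
        }

    # … unchanged: each test body up to its _tgs() call, which then passes …
                  expected_groups=self._rodc_expected_groups(client_sids))
```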
@@ -2705,11 +2709,15 @@ class ConditionalAceTests(ConditionalAceBaseTests):
(self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs),
}
+ expected_groups = client_sids | {
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+ }
+
self._tgs(f'Member_of SID({self.aa_asserted_identity})',
client_from_rodc=True,
device_from_rodc=True,
client_sids=client_sids,
- expected_groups=client_sids,
+ expected_groups=expected_groups,
code=(0, CRASHES_WINDOWS))
def test_tgs_without_service_asserted_identity(self):
@@ -2849,14 +2857,15 @@ class ConditionalAceTests(ConditionalAceBaseTests):
(security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
}
+ expected_groups = client_sids | {
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+ }
+
self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})',
client_from_rodc=True,
client_sids=client_sids,
- code=KDC_ERR_POLICY,
- status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
- event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
- reason=AuditReason.ACCESS_DENIED,
- edata=self.expect_padata_outer)
+ expected_groups=expected_groups,
+ code=0)
def test_tgs_without_claims_valid_device_from_rodc(self):
client_sids = {
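Review bot: Converting this test from a KDC_ERR_POLICY expectation to a successful `code=0` request removes the negative case this hunk used to cover — that a `Member_of SID(CLAIMS_VALID)` condition rejects a client whose PAC lacks that SID — and the next hunk (ending at the `test_tgs_with_claims_valid` context line) does the same for the device-from-RODC variant. Unless a non-RODC variant elsewhere in the file still exercises the denial, the suite no longer shows that this condition can fail, which is the property that makes it useful as an access control. The method name (presumably `test_tgs_without_claims_valid_client_from_rodc`, from the knownfail entry) also now reads oddly given that the expected groups contain Claims Valid; a comment such as `# The client's own SIDs lack Claims Valid, but the KDC adds it to RODC-issued tickets, so the condition is met.` above the `_tgs()` call would explain the expectation. The enclosing method starts above the hunk.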
@@ -2879,15 +2888,16 @@ class ConditionalAceTests(ConditionalAceBaseTests):
(security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
}
+ expected_groups = client_sids | {
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+ }
+
self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})',
client_from_rodc=True,
device_from_rodc=True,
client_sids=client_sids,
- code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
- status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
- event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
- reason=AuditReason.ACCESS_DENIED,
- edata=self.expect_padata_outer)
+ expected_groups=expected_groups,
+ code=(0, CRASHES_WINDOWS))
def test_tgs_with_claims_valid(self):
client_sids = {
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index d55d2bc00ab..6bfde1aa536 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -63,6 +63,7 @@
#
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_empty.ad_dc
^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_empty.ad_dc
+^samba\.tests\.krb5\.authn_policy_tests\.samba\.tests\.krb5\.authn_policy_tests\.AuthnPolicyTests\.test_authn_policy_allowed_to_computer_allow_claims_valid_from_rodc\(ad_dc\)$
#
# This test fails; but that is acceptable, for we have an alternative test
# (test_authn_policy_protected_flags_with_policy_error) that expects to receive
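Review bot: The new knownfail entry for `test_authn_policy_allowed_to_computer_allow_claims_valid_from_rodc` is added without a comment saying why it is expected to fail on the Heimdal KDC, while the adjacent block shows the file's habit of explaining a known failure; the same applies to the four `ConditionalAceTests` entries in the next hunk. Presumably the Heimdal KDC does not yet add the Claims Valid SID to RODC-issued PACs, so a one-line `# The Heimdal KDC does not yet add the Claims Valid SID to RODC-issued PACs` above each group would tell a reader when these entries can be removed. The pre-existing `test_tgs_without_aa_asserted_identity_client_from_rodc` entry in the next hunk uses unescaped dots and no trailing `$`, unlike the new lines; not part of this change, but worth aligning while editing that block.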
@@ -131,5 +132,9 @@
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\)
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_delegating_proxy_in_network_group_rbcd\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_network_group_rbcd\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_with_aa_asserted_identity_both_from_rodc\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_with_aa_asserted_identity_client_from_rodc\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_without_claims_valid_both_from_rodc\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_without_claims_valid_client_from_rodc\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.DeviceRestrictionTests\.test_device_in_network_group\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_device_in_network_group\(ad_dc\)$