authorJoseph Sutton <josephsutton@catalyst.net.nz>2023-06-14 10:58:12 +1200
committerAndrew Bartlett <abartlet@samba.org>2023-06-14 22:57:35 +0000
commit117bba98a119d57f7591e2fa0c776333288da063 (patch)
tree46eafe67a6246b2283c67ca8b7ba686cb5f6d04d /python/samba
parentf1c24f4bc98213999c282fb318977a53e19c81fc (diff)
tests/krb5: Add a couple of authentication policy tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python/samba')
-rwxr-xr-xpython/samba/tests/krb5/authn_policy_tests.py38
1 files changed, 38 insertions, 0 deletions
diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py
index e08ca0c4d51..0fc83726127 100755
--- a/python/samba/tests/krb5/authn_policy_tests.py
+++ b/python/samba/tests/krb5/authn_policy_tests.py
@@ -1565,6 +1565,44 @@ class AuthnPolicyTests(KdcTgsBaseTests):
expect_status=True,
expected_status=ntstatus.NT_STATUS_INVALID_WORKSTATION)
+ def test_authn_policy_allowed_from_no_fast_negative_lifetime(self):
+ # Create an authentication policy that restricts
+ # authentication. Include some negative TGT lifetimes for testing what
+ # gets logged.
+ allowed_from = 'O:SY'
+ policy_id = self.get_new_username()
+ policy = self.create_authn_policy(policy_id,
+ enforced=True,
+ user_allowed_from=allowed_from,
+ user_tgt_lifetime=-115,
+ computer_tgt_lifetime=-235,
+ service_tgt_lifetime=-355)
+
+ # Create a user account with the assigned policy.
+ client_creds = self._get_creds(account_type=self.AccountType.USER,
+ assigned_policy=policy)
+
+ # Show that we cannot authenticate without using an armor ticket.
+ self._get_tgt(client_creds, expected_error=KDC_ERR_POLICY,
+ expect_status=True,
+ expected_status=ntstatus.NT_STATUS_INVALID_WORKSTATION)
+
+ def test_authn_policy_allowed_from_no_fast_unenforced(self):
+ # Create an unenforced authentication policy that restricts
+ # authentication.
+ allowed_from = 'O:SY'
+ policy_id = self.get_new_username()
+ policy = self.create_authn_policy(policy_id,
+ enforced=False,
+ user_allowed_from=allowed_from)
+
+ # Create a user account with the assigned policy.
+ client_creds = self._get_creds(account_type=self.AccountType.USER,
+ assigned_policy=policy)
+
+ # Show that we don’t get an error when the policy is unenforced.
+ self._get_tgt(client_creds)
+
def test_authn_policy_allowed_from_user_allow_group_not_a_member(self):
samdb = self.get_samdb()
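Review bot: Neither new test asserts anything beyond the KDC reply, although the first test's comment says it exists to check logging. In test_authn_policy_allowed_from_no_fast_negative_lifetime the negative TGT lifetimes are described as being there "for testing what gets logged", yet the only check visible in the hunk is the KDC_ERR_POLICY / NT_STATUS_INVALID_WORKSTATION result. Unless log checking happens in a helper or subclass outside this hunk, a regression in the logged lifetime values would go unnoticed. test_authn_policy_allowed_from_no_fast_unenforced would likewise still pass if the policy were never evaluated at all, which is the failure an audit-only policy most needs to catch. I would add a comment to both tests such as `# NOTE: only the KDC reply is asserted here; the logged policy result is not checked by this test.` and, where the test helpers allow it, assert the audit record for the would-be denial.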