| author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2023-10-30 16:12:36 +1300 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2023-11-01 20:10:45 +0000 |
| commit | dc1e2b41ca4bbd9882c2bcf5aa0bca217002fb80 (patch) | |
| tree | 12d02f3a5864fa86fcc820ef45b37b8c29dd285c /python/samba | |
| parent | 947d3e5932e128fdbe782477e981087d8cf5bc26 (diff) | |
tests/krb5: Test that the Claims Valid SID is added to RODC‐issued PACs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python/samba')
| -rwxr-xr-x | python/samba/tests/krb5/authn_policy_tests.py | 11 | ||||
| -rwxr-xr-x | python/samba/tests/krb5/conditional_ace_tests.py | 34 |
2 files changed, 25 insertions, 20 deletions
diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py
index 3d70e9a730c..43a975fac8e 100755
--- a/python/samba/tests/krb5/authn_policy_tests.py
+++ b/python/samba/tests/krb5/authn_policy_tests.py
@@ -4432,16 +4432,11 @@ class AuthnPolicyTests(AuthnPolicyBaseTests):
 target_creds = self._get_creds(account_type=self.AccountType.COMPUTER,
 assigned_policy=policy)
 
- # Show that obtaining a service ticket is not allowed.
- self._tgs_req(tgt, KDC_ERR_POLICY, client_creds, target_creds,
+ # Show that obtaining a service ticket is allowed.
+ self._tgs_req(tgt, 0, client_creds, target_creds,
 armor_tgt=mach_tgt)
 
- self.check_tgs_log(
- client_creds, target_creds,
- policy=policy,
- status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
- event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
- reason=AuditReason.ACCESS_DENIED)
+ self.check_tgs_log(client_creds, target_creds, policy=policy)
 
 def test_authn_policy_allowed_to_computer_allow_compounded_authn_from_rodc(self):
 # Create a machine account with which to perform FAST.
diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py
index c69ce9db0c3..c5fc8a6ae76 100755
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
@@ -2680,10 +2680,14 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 (self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs),
 }
 
+ expected_groups = client_sids | {
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+ }
+
 self._tgs(f'Member_of SID({self.aa_asserted_identity})',
 client_from_rodc=True,
 client_sids=client_sids,
- expected_groups=client_sids)
+ expected_groups=expected_groups)
 
 def test_tgs_with_aa_asserted_identity_device_from_rodc(self):
 client_sids = {
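Review bot: The new comment `# Show that obtaining a service ticket is allowed.` in the authn_policy_tests.py hunk records the flipped expectation but not the reason, so a reader seeing an RODC-issued TGT now pass a policy that previously produced KDC_ERR_POLICY has to go to the commit message to learn why. Suggest `# Show that obtaining a service ticket is allowed: the KDC adds the Claims Valid SID to PACs it issues for RODC-issued TGTs, so the policy condition is satisfied.` The replacement `self.check_tgs_log(client_creds, target_creds, policy=policy)` drops the status/event/reason arguments entirely, which presumably means the helper's defaults encode a successful TGS audit entry — worth confirming, since a helper that defaults to "no status check" would make this log assertion vacuous. The enclosing test method starts outside the hunk, so its name and any docstring that may also need updating are not visible here.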
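Review bot: The three-line `expected_groups = client_sids | {(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),}` construction added in the first conditional_ace_tests.py hunk is repeated verbatim in the three hunks that follow (2705, 2849 and 2879), which is the kind of duplication that drifts when one copy is later edited. A small helper on the test class, `def _with_claims_valid(self, sids): return sids | {(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs)}`, would let each call site read `expected_groups=self._with_claims_valid(client_sids)` and would carry the explanation once, in a docstring, that the KDC adds this SID to PACs of RODC-issued TGTs. If such a helper already exists elsewhere in the file for the other asserted-identity SIDs, reusing it would be better still; that part of the file is outside the hunk.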
@@ -2705,11 +2709,15 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 (self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs),
 }
 
+ expected_groups = client_sids | {
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+ }
+
 self._tgs(f'Member_of SID({self.aa_asserted_identity})',
 client_from_rodc=True,
 device_from_rodc=True,
 client_sids=client_sids,
- expected_groups=client_sids,
+ expected_groups=expected_groups,
 code=(0, CRASHES_WINDOWS))
 
 def test_tgs_without_service_asserted_identity(self):
@@ -2849,14 +2857,15 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
 }
 
+ expected_groups = client_sids | {
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+ }
+
 self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})',
 client_from_rodc=True,
 client_sids=client_sids,
- code=KDC_ERR_POLICY,
- status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
- event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
- reason=AuditReason.ACCESS_DENIED,
- edata=self.expect_padata_outer)
+ expected_groups=expected_groups,
+ code=0)
 
 def test_tgs_without_claims_valid_device_from_rodc(self):
 client_sids = {
@@ -2879,15 +2888,16 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
 }
 
+ expected_groups = client_sids | {
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+ }
+
 self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})',
 client_from_rodc=True,
 device_from_rodc=True,
 client_sids=client_sids,
- code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
- status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
- event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
- reason=AuditReason.ACCESS_DENIED,
- edata=self.expect_padata_outer)
+ expected_groups=expected_groups,
+ code=(0, CRASHES_WINDOWS))
 
 def test_tgs_with_claims_valid(self):
 client_sids = { |
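Review bot: In the 2849 hunk the test now expects the `Member_of SID({security.SID_CLAIMS_VALID})` condition to pass and a ticket to be issued with `code=0`, even though `client_sids` deliberately omits the Claims Valid SID, and nothing in the hunk says why the previously expected KDC_ERR_POLICY / NT_STATUS_AUTHENTICATION_FIREWALL_FAILED outcome no longer applies. Suggest a comment above the `expected_groups` assignment, `# The KDC adds the Claims Valid SID to PACs of RODC-issued TGTs, so the condition is met even though the client's own SIDs omit it.`, and the same in the 2879 hunk (the `device_from_rodc=True` variant). The enclosing method starts outside the hunk; judging by the following `def test_tgs_without_claims_valid_device_from_rodc`, it is presumably the non-device `without_claims_valid` case, whose name now reads as contradicting the success expectation unless the comment makes clear that "without" refers to the client's own SIDs. If the file does not already have a counterpart asserting that a client whose TGT was not RODC-issued and whose SIDs lack Claims Valid is still refused, that negative case is what distinguishes the RODC path from a blanket grant and would be worth keeping next to these tests.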
