| author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2023-10-17 12:01:34 +1300 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2023-11-07 21:54:32 +0000 |
| commit | c277a4d3631f2c1b5cd0a32bc5dfcccaafef9cb9 (patch) | |
| tree | 8f41c659a007c1e46174eaccc75de9c376c9d27e /python | |
| parent | 64806f37ab08c51d2fac23d7f153c3b2f0c5d984 (diff) | |
tests/krb5: Add test for an authentication policy that allows a specific account
This is a counterpart to ‘test_conditional_ace_allowed_from_user_deny’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python')
| -rwxr-xr-x | python/samba/tests/krb5/conditional_ace_tests.py | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py
index 64ea865dfb3..d43e6f9c141 100755
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
@@ -3294,6 +3294,34 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 event=event,
 reason=reason)
 
+ def test_conditional_ace_allowed_from_user_allow(self):
+ # Create a machine account with which to perform FAST.
+ mach_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER)
+ mach_tgt = self.get_tgt(mach_creds)
+
+ # Create an authentication policy that explicitly allows the machine
+ # account for a user.
+ allowed = (f'O:SYD:(XA;;CR;;;{mach_creds.get_sid()};'
+ f'(Member_of SID({mach_creds.get_sid()})))')
+ denied = 'O:SYD:(D;;CR;;;WD)'
+ policy = self.create_authn_policy(enforced=True,
+ user_allowed_from=allowed,
+ service_allowed_from=denied)
+
+ # Create a user account with the assigned policy.
+ client_creds = self._get_creds(account_type=self.AccountType.USER,
+ assigned_policy=policy)
+
+ # Show that authentication succeeds.
+ self._get_tgt(client_creds, armor_tgt=mach_tgt,
+ expected_error=0)
+
+ self.check_as_log(
+ client_creds,
+ armor_creds=mach_creds,
+ client_policy=policy)
+
 def test_conditional_ace_allowed_from_user_deny(self):
 # Create a machine account with which to perform FAST.
 mach_creds = self.get_cached_creds( |
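Review bot: The `denied` descriptor passed as `service_allowed_from` in `test_conditional_ace_allowed_from_user_allow` has no comment explaining why a deny-Everyone service restriction belongs in a test that expects success; the comment above it only describes the allow side. If the intent is to show that only `user_allowed_from` is consulted for a user account, say so above the `denied = ...` line, e.g. `# The service restriction denies Everyone; it must not apply to a user account.` Separately, the allow ACE's trustee and its `Member_of SID(...)` condition both name the machine account's SID, so a passing result does not by itself show that the conditional expression was evaluated rather than the trustee match alone. A one-line comment pointing to the test that covers the non-matching case (presumably the `_deny` counterpart, whose body continues outside this hunk) would make the coverage boundary explicit.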
