From dc1e2b41ca4bbd9882c2bcf5aa0bca217002fb80 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Mon, 30 Oct 2023 16:12:36 +1300
Subject: =?UTF-8?q?tests/krb5:=20Test=20that=20the=20Claims=20Valid=20SID?=
 =?UTF-8?q?=20is=20added=20to=20RODC=E2=80=90issued=20PACs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 python/samba/tests/krb5/authn_policy_tests.py | 11 +++-----
 python/samba/tests/krb5/conditional_ace_tests.py | 34 +++++++++++++++---------
 2 files changed, 25 insertions(+), 20 deletions(-)
(limited to 'python/samba')
diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py
index 3d70e9a730c..43a975fac8e 100755
--- a/python/samba/tests/krb5/authn_policy_tests.py
+++ b/python/samba/tests/krb5/authn_policy_tests.py
@@ -4432,16 +4432,11 @@ class AuthnPolicyTests(AuthnPolicyBaseTests):
         target_creds = self._get_creds(account_type=self.AccountType.COMPUTER,
                                        assigned_policy=policy)
-        # Show that obtaining a service ticket is not allowed.
-        self._tgs_req(tgt, KDC_ERR_POLICY, client_creds, target_creds,
+        # Show that obtaining a service ticket is allowed.
+        self._tgs_req(tgt, 0, client_creds, target_creds,
                       armor_tgt=mach_tgt)
-        self.check_tgs_log(
-            client_creds, target_creds,
-            policy=policy,
-            status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
-            event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
-            reason=AuditReason.ACCESS_DENIED)
+        self.check_tgs_log(client_creds, target_creds, policy=policy)
     def test_authn_policy_allowed_to_computer_allow_compounded_authn_from_rodc(self):
         # Create a machine account with which to perform FAST.
diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py
index c69ce9db0c3..c5fc8a6ae76 100755
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
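Review bot: The rewritten comment `# Show that obtaining a service ticket is allowed.` drops the reason the expected outcome flipped from KDC_ERR_POLICY to success, so a reader of this test can no longer tell why the policy that used to deny the RODC-issued TGT now admits it. Going by the commit subject, the cause appears to be that the KDC now adds the Claims Valid SID to RODC‐issued PACs, so the comment should carry that, e.g. `# Show that obtaining a service ticket is allowed: the Claims Valid SID is added to RODC‐issued PACs, which should satisfy the policy.` (confirm against the policy set up earlier in the test). The success path now only checks the audit entry via `self.check_tgs_log(client_creds, target_creds, policy=policy)`; unlike the conditional_ace_tests hunks it does not assert that SID_CLAIMS_VALID is present in the issued ticket, so a regression that admits the ticket for some other reason would still pass. The enclosing test method starts before the hunk.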
@@ -2680,10 +2680,14 @@ class ConditionalAceTests(ConditionalAceBaseTests):
             (self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs),
         }
+        expected_groups = client_sids | {
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
         self._tgs(f'Member_of SID({self.aa_asserted_identity})',
                   client_from_rodc=True,
                   client_sids=client_sids,
-                  expected_groups=client_sids)
+                  expected_groups=expected_groups)
     def test_tgs_with_aa_asserted_identity_device_from_rodc(self):
         client_sids = {
@@ -2705,11 +2709,15 @@ class ConditionalAceTests(ConditionalAceBaseTests):
             (self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs),
         }
+        expected_groups = client_sids | {
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
         self._tgs(f'Member_of SID({self.aa_asserted_identity})',
                   client_from_rodc=True,
                   device_from_rodc=True,
                   client_sids=client_sids,
-                  expected_groups=client_sids,
+                  expected_groups=expected_groups,
                   code=(0, CRASHES_WINDOWS))
     def test_tgs_without_service_asserted_identity(self):
@@ -2849,14 +2857,15 @@ class ConditionalAceTests(ConditionalAceBaseTests):
             (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
         }
+        expected_groups = client_sids | {
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
         self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})',
                   client_from_rodc=True,
                   client_sids=client_sids,
-                  code=KDC_ERR_POLICY,
-                  status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
-                  event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
-                  reason=AuditReason.ACCESS_DENIED,
-                  edata=self.expect_padata_outer)
+                  expected_groups=expected_groups,
+                  code=0)
     def test_tgs_without_claims_valid_device_from_rodc(self):
         client_sids = {
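Review bot: The three-line `expected_groups = client_sids | { (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), }` block is pasted verbatim into this hunk and again into the -2705, -2849 and -2879 hunks, and none of the four says why the extra SID is expected on top of `client_sids`. A small helper on the test class would remove the duplication and document the RODC expectation once, so that a future change to the attributes or SID type is made in one place. The `client_from_rodc=True` argument is the only thing the four call sites have in common that motivates the extra SID, which is worth stating in the helper's docstring. The enclosing test methods start before each hunk.
```python
    def _with_claims_valid(self, client_sids):
        """Return *client_sids* plus the Claims Valid SID as an extra SID.

        Used by the client_from_rodc=True cases, whose resulting PAC is
        expected to carry SID_CLAIMS_VALID in addition to the client's
        own SIDs.
        """
        return client_sids | {
            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
        }

        # … unchanged: client_sids literal …
        self._tgs(f'Member_of SID({self.aa_asserted_identity})',
                  client_from_rodc=True,
                  client_sids=client_sids,
                  expected_groups=self._with_claims_valid(client_sids))
```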
@@ -2879,15 +2888,16 @@ class ConditionalAceTests(ConditionalAceBaseTests):
             (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
         }
+        expected_groups = client_sids | {
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
         self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})',
                   client_from_rodc=True,
                   device_from_rodc=True,
                   client_sids=client_sids,
-                  code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
-                  status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
-                  event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
-                  reason=AuditReason.ACCESS_DENIED,
-                  edata=self.expect_padata_outer)
+                  expected_groups=expected_groups,
+                  code=(0, CRASHES_WINDOWS))
     def test_tgs_with_claims_valid(self):
         client_sids = {
-- 
cgit v1.2.3