
s4-dsdb: Account for Claims Valid SID in tokenGroups

More of these tests now pass against Windows. They still don't quite all
pass, but that's something to fix for another day.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton
2023-03-29 15:54:26 +13:00
committed by Andrew Bartlett
parent 149a515f05
commit 2f53dd59a2
2 changed files with 10 additions and 2 deletions


@ -0,0 +1,4 @@
^samba4.tokengroups.krb5.python.__main__.DynamicTokenTest.test_pac_groups.ad_dc_default:local
^samba4.tokengroups.krb5.python.__main__.DynamicTokenTest.test_rootDSE_tokenGroups.ad_dc_default:local
^samba4.tokengroups.krb5.python.__main__.StaticTokenTest.test_pac_groups.ad_dc_default:local
^samba4.tokengroups.krb5.python.__main__.StaticTokenTest.test_rootDSE_tokenGroups.ad_dc_default:local
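Review bot: Listing all four tests as known failures hides every assertion in them, not only the new Claims Valid expectation, so an unrelated missing or extra SID in tokenGroups or the PAC groups would go unreported on ad_dc_default until these entries are removed. The file also gives no reason for the entries. A leading comment such as `# tests expect the Claims Valid SID, which is not yet returned in tokenGroups` would tell the next reader when the lines can be deleted; the cause is inferred from the commit title, so the author should confirm the wording.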


@ -87,9 +87,10 @@ class StaticTokenTest(samba.tests.TestCase):
for s in token.sids: for s in token.sids:
self.user_sids.append(str(s)) self.user_sids.append(str(s))
# Add asserted identity for Kerberos # Add asserted identity and Claims Valid for Kerberos
if creds.get_kerberos_state() == MUST_USE_KERBEROS: if creds.get_kerberos_state() == MUST_USE_KERBEROS:
self.user_sids.append(str(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY)) self.user_sids.append(str(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY))
self.user_sids.append(str(security.SID_CLAIMS_VALID))
def test_rootDSE_tokenGroups(self): def test_rootDSE_tokenGroups(self):
@ -145,6 +146,7 @@ class StaticTokenTest(samba.tests.TestCase):
extra_sids.append(security.SID_BUILTIN_PREW2K) extra_sids.append(security.SID_BUILTIN_PREW2K)
if creds.get_kerberos_state() == MUST_USE_KERBEROS: if creds.get_kerberos_state() == MUST_USE_KERBEROS:
extra_sids.append(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY) extra_sids.append(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY)
extra_sids.append(security.SID_CLAIMS_VALID)
if creds.get_kerberos_state() == DONT_USE_KERBEROS: if creds.get_kerberos_state() == DONT_USE_KERBEROS:
extra_sids.append(security.SID_NT_NTLM_AUTHENTICATION) extra_sids.append(security.SID_NT_NTLM_AUTHENTICATION)
@ -341,9 +343,10 @@ class DynamicTokenTest(samba.tests.TestCase):
for s in token.sids: for s in token.sids:
self.user_sids.append(str(s)) self.user_sids.append(str(s))
# Add asserted identity for Kerberos # Add asserted identity and Claims Valid for Kerberos
if creds.get_kerberos_state() == MUST_USE_KERBEROS: if creds.get_kerberos_state() == MUST_USE_KERBEROS:
self.user_sids.append(str(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY)) self.user_sids.append(str(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY))
self.user_sids.append(str(security.SID_CLAIMS_VALID))
def tearDown(self): def tearDown(self):
super(DynamicTokenTest, self).tearDown() super(DynamicTokenTest, self).tearDown()
@ -417,6 +420,7 @@ class DynamicTokenTest(samba.tests.TestCase):
extra_sids.append(security.SID_BUILTIN_PREW2K) extra_sids.append(security.SID_BUILTIN_PREW2K)
if creds.get_kerberos_state() == MUST_USE_KERBEROS: if creds.get_kerberos_state() == MUST_USE_KERBEROS:
extra_sids.append(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY) extra_sids.append(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY)
extra_sids.append(security.SID_CLAIMS_VALID)
if creds.get_kerberos_state() == DONT_USE_KERBEROS: if creds.get_kerberos_state() == DONT_USE_KERBEROS:
extra_sids.append(security.SID_NT_NTLM_AUTHENTICATION) extra_sids.append(security.SID_NT_NTLM_AUTHENTICATION)
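Review bot: The same pair of Kerberos-only SIDs is now appended in four places, the two `setUp` hunks and the two `extra_sids` hunks of StaticTokenTest and DynamicTokenTest, and in two forms (`str(...)` in the first, raw constants in the second). The next SID a KDC adds to the token has to be patched four times, and a missed copy would leave one test accepting a different set of group SIDs than the others. A module-level `KERBEROS_EXTRA_SIDS = (security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY, security.SID_CLAIMS_VALID)` used as `extra_sids.extend(KERBEROS_EXTRA_SIDS)` and `self.user_sids.extend(str(s) for s in KERBEROS_EXTRA_SIDS)` would keep them in step. The `extra_sids` hunks also lack the explanatory comment that the `setUp` hunks carry. The enclosing methods start and end outside the hunks, so how the lists are compared is not visible here.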