mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

tests/krb5: Correct authentication policy SDDL

There is no claim called ‘abc’, so the condition ‘(abc)’ is always going
to fail. Replace this with a condition using ‘Member_of’.

Furthermore, an ACL containing only Deny ACEs will only ever deny. Add a
trailing Allow ACE so that the ACL might allow other principals.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2023-11-03 13:51:27 +13:00 committed by Andrew Bartlett
parent 6b2de47488
commit 64806f37ab


@ -3303,7 +3303,9 @@ class ConditionalAceTests(ConditionalAceBaseTests):
# Create an authentication policy that explicitly denies the machine
# account for a user.
allowed = 'O:SYD:(A;;CR;;;WD)'
denied = f'O:SYD:(XD;;CR;;;{mach_creds.get_sid()};(abc))'
denied = (f'O:SYD:(XD;;CR;;;{mach_creds.get_sid()};'
f'(Member_of SID({mach_creds.get_sid()})))'
f'(A;;CR;;;WD)')
policy = self.create_authn_policy(enforced=True,
user_allowed_from=denied,
service_allowed_from=allowed)
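Review bot: The new `denied` ACL only denies the machine account because the `XD` ACE comes before `(A;;CR;;;WD)`, and the comment above the assignment does not mention that ordering. I would add `# The deny ACE must precede the Everyone allow ACE; ACEs are evaluated in order.` so a later edit does not reorder them and silently turn the test into an allow-all policy. The `Member_of` condition names the same SID as the ACE trustee, so it looks as if it holds whenever the ACE applies at all; if it is there only to exercise a conditional ACE, a short comment saying so would help. Binding the SID once with `mach_sid = mach_creds.get_sid()` would also keep the two interpolations from drifting apart. The enclosing test method starts and ends outside this hunk, so whether the denial is asserted against a specific error cannot be checked from here.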