From b5b8b16a50ecb7225fe1bfa31d3a839efdd9f7d0 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 17 Oct 2023 13:34:29 +1300
Subject: [PATCH] =?UTF-8?q?tests/krb5:=20Don=E2=80=99t=20consider=20RODC?=
 =?UTF-8?q?=E2=80=90issued=20tickets=20to=20be=20banned=20with=20RBCD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If we’re verifying that a ticket was permitted to be issued by an RODC, and not trusting the group SIDs in the ticket, is there any reason to ban its use with RBCD? A client with a ticket issued by an RODC that happens to select a DC to direct an RBCD request at should not have the request mysteriously fail.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 python/samba/tests/krb5/conditional_ace_tests.py | 15 +++------------
 selftest/knownfail_heimdal_kdc | 3 ---
 2 files changed, 3 insertions(+), 15 deletions(-)

diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py
index 5c5616ce1f1..4d006d5bc5a 100755
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
@@ -2150,7 +2150,6 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 def test_rbcd_service_from_rodc(self):
 self._rbcd('Member_of SID({service_sid})',
 service_from_rodc=True,
- code=KDC_ERR_BADOPTION,
 edata=self.expect_padata_outer)
 
 def test_rbcd_device_and_service_from_rodc(self):
@@ -2162,7 +2161,6 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 def test_rbcd_client_from_rodc(self):
 self._rbcd('Member_of SID({service_sid})',
 client_from_rodc=True,
- code=KDC_ERR_MODIFIED,
 edata=self.expect_padata_outer)
 
 def test_rbcd_client_and_device_from_rodc(self):
@@ -2175,7 +2173,6 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 self._rbcd('Member_of SID({service_sid})',
 client_from_rodc=True,
 service_from_rodc=True,
- code=KDC_ERR_BADOPTION,
 edata=self.expect_padata_outer)
 
 def test_rbcd_all_from_rodc(self):
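Review bot: In all three `_rbcd` hunks the `code=` expectation is dropped but `edata=self.expect_padata_outer` is kept, whereas the `_tgs` hunks later in this same patch drop `edata` together with `code`. If `_rbcd` only consults `edata` when an error is expected, that kwarg is now dead on these success paths and should go the same way, e.g. `self._rbcd('Member_of SID({service_sid})', service_from_rodc=True)`; if it still matters on success, a one-line comment saying which padata is expected back would stop the next reader from wondering. I can't see `_rbcd`'s definition from here, so this is worth confirming rather than assuming. Note that `test_rbcd_client_and_service_from_rodc`'s signature sits above the third hunk, outside the visible lines.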
@@ -2455,9 +2452,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 self._tgs(f'Member_of SID({self.aa_asserted_identity})',
 client_from_rodc=True,
 client_sids=client_sids,
- expected_groups=client_sids,
- code=KDC_ERR_POLICY,
- edata=self.expect_padata_outer)
+ expected_groups=client_sids)
 
 def test_tgs_with_aa_asserted_identity_device_from_rodc(self):
 client_sids = {
@@ -2560,9 +2555,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 self._tgs(f'Member_of SID({self.service_asserted_identity})',
 client_from_rodc=True,
 client_sids=client_sids,
- expected_groups=client_sids,
- code=KDC_ERR_POLICY,
- edata=self.expect_padata_outer)
+ expected_groups=client_sids)
 
 def test_tgs_with_service_asserted_identity_device_from_rodc(self):
 client_sids = {
@@ -2665,9 +2658,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})',
 client_from_rodc=True,
 client_sids=client_sids,
- expected_groups=client_sids,
- code=KDC_ERR_POLICY,
- edata=self.expect_padata_outer)
+ expected_groups=client_sids)
 
 def test_tgs_with_claims_valid_device_from_rodc(self):
 client_sids = {
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 2ef041b6a29..143206a450a 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
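Review bot: These three `_tgs` hunks turn a rejection (`KDC_ERR_POLICY`) into an expected success, and nothing in this patch exercises the other side — an RODC-issued client TGT for a principal the RODC was not permitted to issue for. The commit message's justification rests on the KDC still verifying that the RODC was allowed to issue the ticket and not trusting its group SIDs, so it is worth confirming that a sibling test outside these hunks still covers the rejection case; otherwise this relaxation quietly removes the only negative coverage of that guard-rail. `expected_groups=client_sids` also reads as the ticket's own SIDs being echoed back, which sits oddly next to "not trusting the group SIDs in the ticket"; if the KDC is meant to recompute groups and the two merely coincide in this fixture, a comment above the call saying so, or a variant where the ticket's SIDs and the database disagree, would make the intent unambiguous. The enclosing `test_tgs_with_*_client_from_rodc` methods start above each hunk, outside the visible lines.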
@@ -131,7 +131,6 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_all_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_service_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_and_service_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_from_rodc\(ad_dc\)
@@ -139,9 +138,7 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_claims_valid\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_compounded_auth\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_service_asserted_identity\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_service_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_both_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_device_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\)