
tests/krb5: Don’t consider RODC‐issued tickets to be banned with RBCD

If we’re verifying that a ticket was permitted to be issued by an RODC,
and not trusting the group SIDs in the ticket, is there any reason to
ban its use with RBCD?

A client with a ticket issued by an RODC that happens to select a DC to
direct an RBCD request at should not have the request mysteriously fail.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2023-10-17 13:34:29 +13:00 committed by Andrew Bartlett
parent 35c7061f97
commit b5b8b16a50
2 changed files with 3 additions and 15 deletions


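--- a/<path>/samba/tests/krb5/conditional_ace_tests.py
+++ b/<path>/samba/tests/krb5/conditional_ace_tests.py
@@ -2150,7 +2150,6 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 def test_rbcd_service_from_rodc(self):
 self._rbcd('Member_of SID({service_sid})',
 service_from_rodc=True,
-code=KDC_ERR_BADOPTION,
 edata=self.expect_padata_outer)
 def test_rbcd_device_and_service_from_rodc(self):
@@ -2162,7 +2161,6 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 def test_rbcd_client_from_rodc(self):
 self._rbcd('Member_of SID({service_sid})',
 client_from_rodc=True,
-code=KDC_ERR_MODIFIED,
 edata=self.expect_padata_outer)
 def test_rbcd_client_and_device_from_rodc(self):
@@ -2175,7 +2173,6 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 self._rbcd('Member_of SID({service_sid})',
 client_from_rodc=True,
 service_from_rodc=True,
-code=KDC_ERR_BADOPTION,
 edata=self.expect_padata_outer)
 def test_rbcd_all_from_rodc(self):
@@ -2455,9 +2452,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 self._tgs(f'Member_of SID({self.aa_asserted_identity})',
 client_from_rodc=True,
 client_sids=client_sids,
-expected_groups=client_sids,
-code=KDC_ERR_POLICY,
-edata=self.expect_padata_outer)
+expected_groups=client_sids)
 def test_tgs_with_aa_asserted_identity_device_from_rodc(self):
 client_sids = {
@@ -2560,9 +2555,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 self._tgs(f'Member_of SID({self.service_asserted_identity})',
 client_from_rodc=True,
 client_sids=client_sids,
-expected_groups=client_sids,
-code=KDC_ERR_POLICY,
-edata=self.expect_padata_outer)
+expected_groups=client_sids)
 def test_tgs_with_service_asserted_identity_device_from_rodc(self):
 client_sids = {
@@ -2665,9 +2658,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
 self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})',
 client_from_rodc=True,
 client_sids=client_sids,
-expected_groups=client_sids,
-code=KDC_ERR_POLICY,
-edata=self.expect_padata_outer)
+expected_groups=client_sids)
 def test_tgs_with_claims_valid_device_from_rodc(self):
 client_sids = {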
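Review bot: test_rbcd_client_from_rodc (second hunk) and test_tgs_with_claims_valid_client_from_rodc (last hunk) have their expected error code removed here, yet both keep their entries in the knownfail list in the second file section, so on ad_dc they are presumably still failing for a reason unrelated to KDC_ERR_MODIFIED/KDC_ERR_POLICY that the commit does not state. A one-line comment above each of those calls, e.g. `# Still listed in knownfail on ad_dc: <reason placeholder>`, would stop the next reader from treating the surviving knownfail entries as stale. Separately, the three _tgs hunks keep `expected_groups=client_sids` for a client whose ticket came from an RODC; if the KDC is meant not to trust the group SIDs carried in that ticket, the assertion holds only because client_sids matches what the KDC regenerates, and the method docstring should say which of the two is being tested. The methods containing the _tgs calls start outside their hunks.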


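--- a/<knownfail file path>
+++ b/<knownfail file path>
@@ -131,7 +131,6 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_all_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_service_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_and_service_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_from_rodc\(ad_dc\)
@@ -139,9 +138,7 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_claims_valid\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_compounded_auth\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_service_asserted_identity\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_service_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_both_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_device_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\)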