s4:kdc: Use device claims to evaluate client authentication policy

author Joseph Sutton <josephsutton@catalyst.net.nz>

Mon, 9 Oct 2023 06:27:59 +0000 (19:27 +1300)

committer Andrew Bartlett <abartlet@samba.org>

Thu, 12 Oct 2023 23:13:32 +0000 (23:13 +0000)
author Joseph Sutton <josephsutton@catalyst.net.nz>
Mon, 9 Oct 2023 06:27:59 +0000 (19:27 +1300)
committer Andrew Bartlett <abartlet@samba.org>
Thu, 12 Oct 2023 23:13:32 +0000 (23:13 +0000)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc

index b14fd88fa4219d2862404abeea6daa44d950231e..404e660124e8df2d6b5b0a52d339c3073638a16e 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -83,96 +83,19 @@
  #
  # Conditional ACE tests
  #
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_claim_equals_claim\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_enforced_silo_equals\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_enforced_silo_not_equals_deny\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_unenforced_silo_equals_deny\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_unenforced_silo_not_equals\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_to_device_equals\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_42_equals_literal__42_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_A_is_less_than__\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__123_456__equals_literal__123_456_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__apple_banana__equals_literal__APPLE_BANANA_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__apple_banana__equals_literal__BANANA_APPLE_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__apple_banana__equals_literal__apple_banana_apple_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains_FOO\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains__foo_bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains__foo_bar_baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains_literal__foo_bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains_literal__foo_bar_bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains_literal__foo_bar_baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_contain__foo_bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_contain__foo_bar_baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_contain_literal__foo_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_equal__foo_bar_baz_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_equal_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__equals__FOO_BAR_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__equals__bar_foo_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__equals__foo_bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__equals__foo_baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of_BAR\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of__bar_baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of_baz\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of_literal__bar_baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of_literal__baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_none_of__bar_baz_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_none_of_baz\(ad_dc\)
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_none_of_literal__baz_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_a_is_less_than__\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_bar_contains_literal__bar_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_bar_equals_literal__bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_bar_matches_any_of_literal__bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_exceeds_dog\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_exceeds_or_equals_dog\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_is_less_than_dog\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_is_less_than_or_equals_dog\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_is_less_than_ćàț\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_bar_equals_Foo_BAR\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_bar_equals_literal__foo_bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_bar_exceeds_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_contains_literal__foo_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_does_not_equal_bar\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_does_not_equal_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_equals_bar\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_equals_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_exceeds_or_equals_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_is_less_than_foo_bar\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_is_less_than_or_equals_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_is_less_than_ｆｏｏ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_matches_any_of_foo\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ß_exceeds_SS\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ß_is_less_than_ẞ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ćàș_is_less_than_ĆÀȚ\(ad_dc\)
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_matches_any_of_literal__foo_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ćàț_equals_ĆÀȚ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ɜ_is_less_than_Ɜ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ʞ_is_less_than_ʟ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ʞ_is_less_than_Ʞ\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ԛԣ_equals_ԚԢ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ḽ_equals_Ḽ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ⅸ_equals_Ⅸ\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ⱦ_equals_Ⱦ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ⳬ_exceeds_Ⳬ\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ꙭ_equals_Ꙭ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ꞧ_exceeds_Ꞧ\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ퟻ_is_less_than_豈\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ퟻ_is_less_than_𐀀\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ｆｏｏ_ｂａｒ_equals_ＦＯＯ_ＢＡＲ\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_𐀀_is_less_than_豈\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_1000_unicode_3_a___1000_unicode_equals_a
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_1_180388626432___a_equals_180388626432\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_1_42_42_42___a_equals_a_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_1_42___a_equals_42\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_0___a_equals_3\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_1_2_3___a_equals_1_2_3_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_4294967296___a_exceeds_0\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_42_42___a_equals_a_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_42___a_equals_42\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_4_5_6___a_does_not_equal_1_2_3_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_FOO_foo___a_equals_a_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_foo_bar___a_equals_foo_bar_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_foo_bar_b_3_FOO_BAR___a_equals_b_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_foo_foo___a_equals_a_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_this_is_not_the_value_a_3
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_0___a_equals_a_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0__not_a_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0__not_a_and_a_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0__not_a_or_not_a_\(ad_dc\)
@@ -180,29 +103,21 @@
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_b_6_0___a_and_b_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_b_6_0___a_or_b_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_b_6_1___a_and_b_\(ad_dc\)
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1___a_equals_42\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1___a_or_a_or_a_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1__not_a_or_a_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_0___a_and_not_b_or_b_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_0___a_or_b_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_1___a_and_b_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_1___a_equals_b_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_1___a_or_b_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_2_b_6_3___a_equals_b_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_b_3_FOO_BAR_BAZ_a_3_foo_bar_baz___a_does_not_equal_b_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_b_6_1___b_or_b_or_b_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_dotty_claim_3_a___dotty_claim_equals_a___dotty_claim_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_dup_3_foo_dup_3_foo_2_dup_2_42_dup_2_42_2_dup_3_foo_dup_3_foo_dup_3_foo_bar_dup_3_foo_bar___dup_equals_dup_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_empty_string_3___empty_string_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_escaped_claim_3_claim_value___escaped_claim_equals_claim_value___escaped_claim_foo_bar_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_and_true_boolean_6_0_1___false_and_true_boolean_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_boolean_6_0___false_boolean_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_booleans_6_0_0___false_booleans_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_higher_unicode_3_a___higher_unicode_equals_a
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_invalid_octet_string_16___invalid_octet_string_equals_invalid_octet_string_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_invalid_sid_5___invalid_sid_equals_invalid_sid_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_large_claim_3_zzzzzzzzzzzzzzzzzzzz
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_larger_claim_3_zzzzzzzzzzzzzzzzzzz
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_long_name_3_a___long_name_equals_a
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_many_claims_2_0_1_2_3_4_5_6_7_8_9_10
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_non_empty_string_3_foo_bar___non_empty_string_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_nonzero_int_1_1___nonzero_int_\(ad_dc\)
@@ -214,10 +129,7 @@
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_int_1_0_1___zero_and_one_int_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_uint_2_0_1___zero_and_one_uint_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_int_1_0___zero_int_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_ints_1_0_0___zero_ints_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uints_2_0_0___zero_uints_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__2_a_3_foo___a_equals_foo_\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_all_from_rodc\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\)
  ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_service_from_rodc\(ad_dc\)
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c

index 4dee101e858c720f130aeb685186c4fb47b31302..010087b0b68d3f9a856ecd7bcec22cb896ebd597 100644 (file)
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -3109,6 +3109,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
         const struct auth_user_info_dc *device_info_const = NULL;
         struct auth_user_info_dc *device_info_shallow_copy = NULL;
         struct authn_audit_info *client_audit_info = NULL;
+       struct auth_claims auth_claims = {};
  
         if (status_out != NULL) {
                 *status_out = NT_STATUS_OK;
@@ -3183,11 +3184,24 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
                 device_info_const = device_info_shallow_copy;
         }
  
+       /*
+        * The device claims become the *user* claims for the purpose of
+        * evaluating a conditional ACE expression.
+        */
+       code = samba_kdc_get_claims_data(frame,
+                                        context,
+                                        samdb,
+                                        device,
+                                        &auth_claims.user_claims);
+       if (code) {
+               goto out;
+       }
+
         nt_status = authn_policy_authenticate_from_device(frame,
                                                           samdb,
                                                           lp_ctx,
                                                           device_info_const,
-                                                         (struct auth_claims) {},
+                                                         auth_claims,
                                                           client_policy,
                                                           &client_audit_info);
         if (client_audit_info != NULL) {
author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Mon, 9 Oct 2023 06:27:59 +0000 (19:27 +1300)
committer	Andrew Bartlett <abartlet@samba.org>
	Thu, 12 Oct 2023 23:13:32 +0000 (23:13 +0000)
selftest/knownfail_heimdal_kdc		patch \| blob \| history
source4/kdc/pac-glue.c		patch \| blob \| history