From fb0f65b0b5f140ee0dd8fc962c744f23162e9d46 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 1 Feb 2022 21:04:40 +1300
Subject: [PATCH] s4:provision_users.ldif: Add Protected Users group

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 selftest/knownfail.d/protected_users |  8 --------
 selftest/knownfail_heimdal_kdc       | 24 ------------------------
 selftest/knownfail_mit_kdc           | 22 ----------------------
 source4/setup/provision_users.ldif   |  9 +++++++++
 4 files changed, 9 insertions(+), 54 deletions(-)

diff --git a/selftest/knownfail.d/protected_users b/selftest/knownfail.d/protected_users
index 9a230837cec..c0370381264 100644
--- a/selftest/knownfail.d/protected_users
+++ b/selftest/knownfail.d/protected_users
@@ -1,11 +1,3 @@
 ^samba4.ldap.password_lockout.python\(ad_dc_slowtests\).__main__.PasswordTestsWithoutSleep.test_ntlm_lockout_protected.ad_dc_slowtests
 ^samba4.ldap.password_lockout.python\(ad_dc_slowtests\).__main__.PasswordTestsWithoutSleep.test_samr_change_password_protected.ad_dc_slowtests
 ^samba4.ldap.password_lockout.python\(ad_dc_slowtests\).__main__.PasswordTestsWithoutSleep.test_samr_set_password_protected.ad_dc_slowtests
-^samba4.ldap.passwords.python\(fl2003dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_change.fl2003dc
-^samba4.ldap.passwords.python\(fl2003dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_set.fl2003dc
-^samba4.ldap.passwords.python\(fl2008dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_change.fl2008dc
-^samba4.ldap.passwords.python\(fl2008dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_set.fl2008dc
-^samba4.ldap.passwords.python\(fl2008r2dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_change.fl2008r2dc
-^samba4.ldap.passwords.python\(fl2008r2dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_set.fl2008r2dc
-^samba4.ldap.passwords.python\(schema_dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_change.schema_dc
-^samba4.ldap.passwords.python\(schema_dc\).__main__.PasswordTests.test_protected_unicodePwd_clear_set.schema_dc
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 040b1f9dabc..f6ac23894cb 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -53,40 +53,16 @@
 # This test fails, which is fine, as we have an alternate test that considers a policy error as successful.
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_as_protected.ad_dc
 #
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_aes128_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_aes128_rc4_mac_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_aes128_rc4_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_aes256_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_aes256_rc4_mac_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_aes256_rc4_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_des3_cbc_md5_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_des3_cbc_sha1_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_des_cbc_crc_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_des_cbc_md5_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_forwardable_as_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_forwardable_tgs_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ntlm_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ntlm_protected_nested.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_protected_nt_hash.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_as_protected_policy_error.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_tgs_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_aes128_mac_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_aes128_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_aes256_mac_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_aes256_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_mac_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samlogon_interactive_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samlogon_network_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samr_change_password_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_service_rc4_only_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_tgt_lifetime_longer_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_tgt_lifetime_shorter_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ticket_lifetime_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_mac_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes256_mac_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes256_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_rc4_mac_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_rc4_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_rc4_protected_nested.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 2bf45018cf7..c16a8de448b 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -427,43 +427,21 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 # Protected Users tests
 #
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_aes128_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_aes128_rc4_mac_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_aes128_rc4_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_aes256_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_aes256_rc4_mac_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_aes256_rc4_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_des3_cbc_md5_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_des3_cbc_sha1_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_des_cbc_crc_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_des_cbc_md5_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_forwardable_as_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_forwardable_tgs_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ntlm_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ntlm_protected_nested.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_protected_nt_hash.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_as_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_as_protected_policy_error.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_tgs_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_aes128_mac_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_aes128_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_aes256_mac_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_aes256_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_mac_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samlogon_interactive_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samlogon_network_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samr_change_password_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_service_rc4_only_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_tgt_lifetime_longer_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_tgt_lifetime_shorter_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ticket_lifetime_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_mac_not_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_mac_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_not_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes256_mac_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes256_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_rc4_mac_not_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_rc4_mac_protected.ad_dc
 ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_rc4_not_protected.ad_dc
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index 8136ae88d6b..efdf756f9c2 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -178,6 +178,15 @@ sAMAccountName: Denied RODC Password Replication Group
 groupType: -2147483644
 isCriticalSystemObject: TRUE
 
+dn: CN=Protected Users,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members of this group are afforded additional protections against authentication security threats
+objectSid: ${DOMAINSID}-525
+sAMAccountName: Protected Users
+groupType: -2147483646
+isCriticalSystemObject: TRUE
+
 # NOTICE: Some other users and groups which rely on automatic SIDs are located
 # in "provision_self_join_modify.ldif"
 
-- 
2.34.1