From 62373eeef069a7631093f237b4ca95c3992fb346 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 2 Nov 2023 14:32:58 +1300 Subject: [PATCH] =?utf8?q?tests/krb5:=20Test=20RODC=E2=80=90issued=20TGTs?= =?utf8?q?=20that=20already=20contain=20device=20info/claims?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- .../samba/tests/krb5/conditional_ace_tests.py | 127 ++++++++++++++++-- selftest/knownfail_heimdal_kdc | 14 ++ selftest/knownfail_mit_kdc | 15 +++ 3 files changed, 143 insertions(+), 13 deletions(-) diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py index 017720338a8..de26a920ae0 100755 --- a/python/samba/tests/krb5/conditional_ace_tests.py +++ b/python/samba/tests/krb5/conditional_ace_tests.py @@ -4259,6 +4259,9 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') self._run_pac_device_info_test(target_policy=target_policy) + def test_pac_device_info_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True) + def test_pac_device_info_existing_device_info(self): self._run_pac_device_info_test(existing_device_info=True) @@ -4267,6 +4270,10 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): self._run_pac_device_info_test(target_policy=target_policy, existing_device_info=True) + def test_pac_device_info_existing_device_info_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + existing_device_info=True) + def test_pac_device_info_existing_device_claims(self): self._run_pac_device_info_test(existing_device_claims=True) @@ -4275,6 +4282,10 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): self._run_pac_device_info_test(target_policy=target_policy, existing_device_claims=True) + def test_pac_device_info_existing_device_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + existing_device_claims=True) + def test_pac_device_info_existing_device_info_and_claims(self): self._run_pac_device_info_test(existing_device_claims=True, existing_device_info=True) @@ -4285,6 +4296,11 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): existing_device_claims=True, existing_device_info=True) + def test_pac_device_info_existing_device_info_and_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + existing_device_claims=True, + existing_device_info=True) + def test_pac_device_info_no_compound_id_support(self): self._run_pac_device_info_test(compound_id_support=False) @@ -4293,6 +4309,10 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): self._run_pac_device_info_test(target_policy=target_policy, compound_id_support=False) + def test_pac_device_info_no_compound_id_support_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + compound_id_support=False) + def test_pac_device_info_no_compound_id_support_existing_device_info(self): self._run_pac_device_info_test(compound_id_support=False, existing_device_info=True) @@ -4303,6 +4323,11 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): compound_id_support=False, existing_device_info=True) + def test_pac_device_info_no_compound_id_support_existing_device_info_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + compound_id_support=False, + existing_device_info=True) + def test_pac_device_info_no_compound_id_support_existing_device_claims(self): self._run_pac_device_info_test(compound_id_support=False, existing_device_claims=True) @@ -4313,6 +4338,11 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): compound_id_support=False, existing_device_claims=True) + def test_pac_device_info_no_compound_id_support_existing_device_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + compound_id_support=False, + existing_device_claims=True) + def test_pac_device_info_no_compound_id_support_existing_device_info_and_claims(self): self._run_pac_device_info_test(compound_id_support=False, existing_device_claims=True, @@ -4325,6 +4355,12 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): existing_device_claims=True, existing_device_info=True) + def test_pac_device_info_no_compound_id_support_existing_device_info_and_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + compound_id_support=False, + existing_device_claims=True, + existing_device_info=True) + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info(self): self._run_pac_device_info_test(device_claims_valid=False, compound_id_support=False, @@ -4337,6 +4373,12 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): compound_id_support=False, existing_device_info=True) + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + device_claims_valid=False, + compound_id_support=False, + existing_device_info=True) + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims(self): self._run_pac_device_info_test(device_claims_valid=False, compound_id_support=False, @@ -4349,6 +4391,12 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): compound_id_support=False, existing_device_claims=True) + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + device_claims_valid=False, + compound_id_support=False, + existing_device_claims=True) + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims(self): self._run_pac_device_info_test(device_claims_valid=False, compound_id_support=False, @@ -4363,6 +4411,13 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): existing_device_claims=True, existing_device_info=True) + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + device_claims_valid=False, + compound_id_support=False, + existing_device_claims=True, + existing_device_info=True) + def test_pac_device_info_no_claims_valid(self): self._run_pac_device_info_test(device_claims_valid=False) @@ -4371,6 +4426,10 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): self._run_pac_device_info_test(target_policy=target_policy, device_claims_valid=False) + def test_pac_device_info_no_claims_valid_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + device_claims_valid=False) + def test_pac_device_info_no_claims_valid_existing_device_info(self): self._run_pac_device_info_test(device_claims_valid=False, existing_device_info=True) @@ -4381,6 +4440,11 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): device_claims_valid=False, existing_device_info=True) + def test_pac_device_info_no_claims_valid_existing_device_info_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + device_claims_valid=False, + existing_device_info=True) + def test_pac_device_info_no_claims_valid_existing_device_claims(self): self._run_pac_device_info_test(device_claims_valid=False, existing_device_claims=True) @@ -4391,6 +4455,11 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): device_claims_valid=False, existing_device_claims=True) + def test_pac_device_info_no_claims_valid_existing_device_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + device_claims_valid=False, + existing_device_claims=True) + def test_pac_device_info_no_claims_valid_existing_device_info_and_claims(self): self._run_pac_device_info_test(device_claims_valid=False, existing_device_claims=True, @@ -4403,8 +4472,15 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): existing_device_claims=True, existing_device_info=True) + def test_pac_device_info_no_claims_valid_existing_device_info_and_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + device_claims_valid=False, + existing_device_claims=True, + existing_device_info=True) + def _run_pac_device_info_test(self, *, target_policy=None, + rodc_issued=False, compound_id_support=True, device_claims_valid=True, existing_device_claims=False, @@ -4422,13 +4498,16 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): ]), ] - expected_client_claims = { - client_claim_id: { - 'source_type': claims.CLAIMS_SOURCE_TYPE_AD, - 'type': claims.CLAIM_TYPE_STRING, - 'values': (client_claim_value,), - }, - } + if not rodc_issued: + expected_client_claims = { + client_claim_id: { + 'source_type': claims.CLAIMS_SOURCE_TYPE_AD, + 'type': claims.CLAIM_TYPE_STRING, + 'values': (client_claim_value,), + }, + } + else: + expected_client_claims = None device_claim_id = 'the name of the device’s client claim' device_claim_value = 'the value of the device’s client claim' @@ -4448,7 +4527,9 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): ]), ] - if existing_device_info and existing_device_claims: + if rodc_issued: + expected_device_claims = None + elif existing_device_info and existing_device_claims: expected_device_claims = { existing_claim_id: { 'source_type': claims.CLAIMS_SOURCE_TYPE_CERTIFICATE, @@ -4500,6 +4581,8 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): if device_claims_valid: device_sids.add((security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs)) + checksum_key = self.get_krbtgt_checksum_key() + # Modify the machine account’s TGT to contain only the SID of the # machine account’s primary group. mach_tgt = self.modified_ticket( @@ -4509,10 +4592,15 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): new_sids=device_sids), partial(self.set_pac_claims, client_claims=device_claims), ], - checksum_keys=self.get_krbtgt_checksum_key()) + checksum_keys=checksum_key) # Create a user account. - client_creds = self._get_creds(account_type=self.AccountType.USER) + client_creds = self.get_cached_creds( + account_type=self.AccountType.USER, + opts={ + 'allowed_replication_mock': rodc_issued, + 'revealed_to_mock_rodc': rodc_issued, + }) client_tgt = self.get_tgt(client_creds) client_modify_pac_fns = [ @@ -4544,12 +4632,20 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): client_modify_pac_fns.append(partial( self.set_pac_device_sids, new_sids=existing_sids, user_rid=mach_creds.get_rid())) + if rodc_issued: + rodc_krbtgt_creds = self.get_mock_rodc_krbtgt_creds() + rodc_krbtgt_key = self.TicketDecryptionKey_from_creds(rodc_krbtgt_creds) + rodc_checksum_key = { + krb5pac.PAC_TYPE_KDC_CHECKSUM: rodc_krbtgt_key, + } + # Modify the client’s TGT to contain only the SID of the client’s # primary group. client_tgt = self.modified_ticket( client_tgt, modify_pac_fn=client_modify_pac_fns, - checksum_keys=self.get_krbtgt_checksum_key()) + new_ticket_key=rodc_krbtgt_key if rodc_issued else None, + checksum_keys=rodc_checksum_key if rodc_issued else checksum_key) if target_policy is None: policy = None @@ -4574,12 +4670,17 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): expected_sids = { (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), - ('S-1-2-3-4', SidType.EXTRA_SID, self.default_attrs), # The client’s groups are not to include the Asserted Identity and # Claims Valid SIDs. } + if rodc_issued: + expected_sids.add((security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs)) + else: + expected_sids.add(('S-1-2-3-4', SidType.EXTRA_SID, self.default_attrs)) - if existing_device_info: + if rodc_issued: + expected_device_sids = None + elif existing_device_info: expected_device_sids = { (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 5e9531a6a1f..52d6a10de1f 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -137,19 +137,33 @@ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_network_group_rbcd\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.DeviceRestrictionTests\.test_device_in_network_group\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_device_in_network_group\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_existing_device_claims_rodc_issued\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_existing_device_claims_target_policy\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_existing_device_claims\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_existing_device_info_and_claims_rodc_issued\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_existing_device_info_and_claims_target_policy\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_existing_device_info_and_claims\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_existing_device_info_rodc_issued\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_existing_device_info_target_policy\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_existing_device_info\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_existing_device_claims_rodc_issued\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_existing_device_claims_target_policy\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_existing_device_claims\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_existing_device_info_and_claims_rodc_issued\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_existing_device_info_and_claims_target_policy\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_existing_device_info_and_claims\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_existing_device_info_rodc_issued\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_existing_device_info_target_policy\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_existing_device_info\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_rodc_issued\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_claims_rodc_issued\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_claims_target_policy\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_claims\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_info_and_claims_rodc_issued\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_info_rodc_issued\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_rodc_issued\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_target_policy\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims_rodc_issued\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_rodc_issued\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_rodc_issued\(ad_dc\)$ diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 314f914bb61..d587abff363 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -4122,31 +4122,46 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_network_group\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_service_asserted_identity\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_world_group\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_existing_device_claims_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_existing_device_claims_target_policy\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_existing_device_claims\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_existing_device_info_and_claims_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_existing_device_info_and_claims_target_policy\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_existing_device_info_and_claims\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_existing_device_info_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_existing_device_info_target_policy\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_existing_device_info\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_claims_valid_existing_device_claims_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_claims_valid_existing_device_claims_target_policy\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_claims_valid_existing_device_claims\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_claims_valid_existing_device_info_and_claims_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_claims_valid_existing_device_info_and_claims_target_policy\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_claims_valid_existing_device_info_and_claims\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_claims_valid_existing_device_info_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_claims_valid_existing_device_info_target_policy\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_claims_valid_existing_device_info\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_claims_valid_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_claims_valid_target_policy\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_existing_device_claims_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_existing_device_claims_target_policy\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_existing_device_claims\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_existing_device_info_and_claims_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_existing_device_info_and_claims_target_policy\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_existing_device_info_and_claims\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_existing_device_info_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_existing_device_info_target_policy\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_existing_device_info\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_target_policy\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims_target_policy\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_target_policy\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support_target_policy\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_rodc_issued\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_target_policy\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_and_target_policy\(ad_dc\) -- 2.34.1