'modify_client_tkt_fn': self.rc4_pac_checksums,
})
+ def test_constrained_delegation_rodc_issued(self):
+ self._run_delegation_test(
+ {
+ # Test that RODC-issued constrained delegation tickets are
+ # accepted.
+ 'expected_error_mode': 0,
+ 'allow_delegation': True,
+ # Both tickets must be signed by the same RODC.
+ 'modify_client_tkt_fn': self.signed_by_rodc,
+ 'modify_service_tgt_fn': self.issued_by_rodc,
+ 'client_opts': {
+ 'allowed_replication_mock': True,
+ 'revealed_to_mock_rodc': True,
+ },
+ 'service1_opts': {
+ 'allowed_replication_mock': True,
+ 'revealed_to_mock_rodc': True,
+ },
+ })
+
+ def test_rbcd_rodc_issued(self):
+ self.skip_unless_fl2008()
+
+ self._run_delegation_test(
+ {
+ # Test that RODC-issued constrained delegation tickets are
+ # accepted.
+ 'expected_error_mode': 0,
+ 'allow_rbcd': True,
+ 'pac_options': '0001', # supports RBCD
+ # Both tickets must be signed by the same RODC.
+ 'modify_client_tkt_fn': self.signed_by_rodc,
+ 'modify_service_tgt_fn': self.issued_by_rodc,
+ 'client_opts': {
+ 'allowed_replication_mock': True,
+ 'revealed_to_mock_rodc': True,
+ },
+ 'service1_opts': {
+ 'allowed_replication_mock': True,
+ 'revealed_to_mock_rodc': True,
+ },
+ })
+
def remove_pac_checksum(self, ticket, checksum):
checksum_keys = self.get_krbtgt_checksum_key()
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_a
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_b
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_rodc_issued
#
# https://bugzilla.samba.org/show_bug.cgi?id=14886: Tests for accounts not revealed to the RODC
#
#
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_authentication_asserted_identity.fl2003dc:local
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_rc4_client_checksum.fl2003dc:local
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_rodc_issued.fl2003dc:local
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_service_asserted_identity.fl2003dc:local
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_asserted_identity.fl2003dc:local
#
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd\(
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info\(
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_rodc_issued\(
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum\(
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum\(