diff options
-rw-r--r-- | selftest/knownfail.d/acl-spn-delete | 1 | ||||
-rwxr-xr-x | source4/dsdb/tests/python/acl.py | 26 |
2 files changed, 27 insertions, 0 deletions
diff --git a/selftest/knownfail.d/acl-spn-delete b/selftest/knownfail.d/acl-spn-delete new file mode 100644 index 00000000000..32018413c49 --- /dev/null +++ b/selftest/knownfail.d/acl-spn-delete @@ -0,0 +1 @@ +^samba4.ldap.acl.python.*__main__.AclSPNTests.test_delete_disallowed_spn\( diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index df0fe12bf29..d90d3b3923f 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -2286,6 +2286,32 @@ class AclSPNTests(AclTests): else: self.fail(f'able to add disallowed SPN {not_allowed_spn}') + def test_delete_disallowed_spn(self): + # Grant Validated-SPN property. + mod = f'(OA;;SW;{security.GUID_DRS_VALIDATE_SPN};;{self.user_sid1})' + self.sd_utils.dacl_add_ace(self.computerdn, mod) + + spn_base = f'HOST/{self.computername}' + + not_allowed_spn = f'{spn_base}/{self.dcctx.get_domain_name()}' + + # Add a disallowed SPN as admin. + msg = Message(Dn(self.ldb_admin, self.computerdn)) + msg['servicePrincipalName'] = MessageElement(not_allowed_spn, + FLAG_MOD_ADD, + 'servicePrincipalName') + self.ldb_admin.modify(msg) + + # Ensure we are able to delete a disallowed SPN. + msg = Message(Dn(self.ldb_user1, self.computerdn)) + msg['servicePrincipalName'] = MessageElement(not_allowed_spn, + FLAG_MOD_DELETE, + 'servicePrincipalName') + try: + self.ldb_user1.modify(msg) + except LdbError: + self.fail(f'unable to delete disallowed SPN {not_allowed_spn}') + # tests SEC_ADS_LIST vs. SEC_ADS_LIST_OBJECT @DynamicTestCase |