2 files changed, 27 insertions, 0 deletions

diff --git a/selftest/knownfail.d/acl-spn-delete b/selftest/knownfail.d/acl-spn-delete
new file mode 100644
index 00000000000..32018413c49
--- /dev/null
+++ b/selftest/knownfail.d/acl-spn-delete
@@ -0,0 +1 @@
+^samba4.ldap.acl.python.*__main__.AclSPNTests.test_delete_disallowed_spn\(
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index df0fe12bf29..d90d3b3923f 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -2286,6 +2286,32 @@ class AclSPNTests(AclTests):
         else:
             self.fail(f'able to add disallowed SPN {not_allowed_spn}')
 
+    def test_delete_disallowed_spn(self):
+        # Grant Validated-SPN property.
+        mod = f'(OA;;SW;{security.GUID_DRS_VALIDATE_SPN};;{self.user_sid1})'
+        self.sd_utils.dacl_add_ace(self.computerdn, mod)
+
+        spn_base = f'HOST/{self.computername}'
+
+        not_allowed_spn = f'{spn_base}/{self.dcctx.get_domain_name()}'
+
+        # Add a disallowed SPN as admin.
+        msg = Message(Dn(self.ldb_admin, self.computerdn))
+        msg['servicePrincipalName'] = MessageElement(not_allowed_spn,
+                                                     FLAG_MOD_ADD,
+                                                     'servicePrincipalName')
+        self.ldb_admin.modify(msg)
+
+        # Ensure we are able to delete a disallowed SPN.
+        msg = Message(Dn(self.ldb_user1, self.computerdn))
+        msg['servicePrincipalName'] = MessageElement(not_allowed_spn,
+                                                     FLAG_MOD_DELETE,
+                                                     'servicePrincipalName')
+        try:
+            self.ldb_user1.modify(msg)
+        except LdbError:
+            self.fail(f'unable to delete disallowed SPN {not_allowed_spn}')
+
 
 # tests SEC_ADS_LIST vs. SEC_ADS_LIST_OBJECT
 @DynamicTestCase