authorJoseph Sutton <josephsutton@catalyst.net.nz>2021-11-12 14:20:45 +1300
committerJule Anger <janger@samba.org>2021-11-17 14:35:14 +0000
commita40c007fb5574cc781b60ab948477dcd9dd05aab (patch)
tree41cfdd43af14faf99015cb4f1a32ec7861127cfb
parent0a56d233bfdb48bb2222891f7abfe054769b2ef2 (diff)
CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
In reality, environments without 'nss_winbind' make use of 'idmap_nss'. For testing, DOMAIN/bob is mapped to the local 'bob', while DOMAIN/jane gets the uid based on the local 'jane' via idmap_nss. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Stefan Metzmacher <metze@samba.org> [metze@samba.org avoid to create a new ad_member_idmap_nss environment and merge it with ad_member_no_nss_wb instead] Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 8a9f2aa2c1cdfa72ad50d7c4f879220fe37654cd)
-rw-r--r--selftest/target/Samba.pm2
-rwxr-xr-xselftest/target/Samba3.pm24
-rwxr-xr-xsource4/selftest/tests.py2
3 files changed, 22 insertions, 6 deletions
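diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 6caeb932e28..7ed10020aa1 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -579,7 +579,7 @@ sub get_interface($)
 lclnt4dc2smb1 => 55,
 fipsdc => 56,
 fipsadmember => 57,
-admemnonsswb => 60,
+admemidmapnss => 60,
 rootdnsforwarder => 64,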
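diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 39327964569..e726b7a15df 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -238,7 +238,7 @@ sub check_env($$)
 ad_member_idmap_rid => ["ad_dc"],
 ad_member_idmap_ad => ["fl2008r2dc"],
 ad_member_fips => ["ad_dc_fips"],
-ad_member_no_nss_wb => ["ad_dc"],
+ad_member_idmap_nss => ["ad_dc"],
 clusteredmember_smb1 => ["nt4_dc"],
 );
@@ -1194,7 +1194,7 @@ sub setup_ad_member_fips
 1);
 }
-sub setup_ad_member_no_nss_wb
+sub setup_ad_member_idmap_nss
 {
 my ($self,
 $prefix,
@@ -1207,14 +1207,23 @@ sub setup_ad_member_no_nss_wb
 return "UNKNOWN";
 }
-print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND...";
+print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND WITH idmap_nss config...";
 my $extra_member_options = "
+# bob:x:65521:65531:localbob gecos:/:/bin/false
+# jane:x:65520:65531:localjane gecos:/:/bin/false
+idmap config $dcvars->{DOMAIN} : backend = nss
+idmap config $dcvars->{DOMAIN} : range = 65520-65521
+
+# Support SMB1 so that we can use posix_whoami().
+client min protocol = CORE
+server min protocol = LANMAN1
+
 username map = $prefix/lib/username.map
 ";
 my $ret = $self->provision_ad_member($prefix,
-"ADMEMNONSSWB",
+"ADMEMIDMAPNSS",
 $dcvars,
 $trustvars_f,
 $trustvars_e,
@@ -1225,6 +1234,7 @@ sub setup_ad_member_no_nss_wb
 open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
 print USERMAP "
 root = $dcvars->{DOMAIN}/root
+bob = $dcvars->{DOMAIN}/bob
 ";
 close(USERMAP);
@@ -2246,6 +2256,8 @@ sub provision($$)
 my ($uid_gooduser);
 my ($uid_eviluser);
 my ($uid_slashuser);
+my ($uid_localbob);
+my ($uid_localjane);
 if ($unix_uid < 0xffff - 13) {
 $max_uid = 0xffff;
@@ -2266,6 +2278,8 @@ sub provision($$)
 $uid_gooduser = $max_uid - 11;
 $uid_eviluser = $max_uid - 12;
 $uid_slashuser = $max_uid - 13;
+$uid_localbob = $max_uid - 14;
+$uid_localjane = $max_uid - 15;
 if ($unix_gids[0] < 0xffff - 8) {
 $max_gid = 0xffff;
@@ -2974,6 +2988,8 @@ user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
 gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
 eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
 slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false
+bob:x:$uid_localbob:$gid_domusers:localbob gecos:/:/bin/false
+jane:x:$uid_localjane:$gid_domusers:localjane gecos:/:/bin/false
 ";
 if ($unix_uid != 0) {
 print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false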
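Review bot: The uid-collision guard `if ($unix_uid < 0xffff - 13) {` in provision() is not widened for the two uids this commit adds below it, so with `$max_uid = 0xffff` a test runner whose own uid is 0xffff - 14 or 0xffff - 15 is handed the same uid as localbob or localjane; the bound should become `if ($unix_uid < 0xffff - 15) {`. The else branch that sets `$max_uid` for larger runner uids is outside the hunk, so whether it already avoids the overlap cannot be checked from here. Relatedly, `idmap config $dcvars->{DOMAIN} : range = 65520-65521` in setup_ad_member_idmap_nss hard-codes the values that `$max_uid - 15` and `$max_uid - 14` take only when `$max_uid` is 0xffff, so in the other branch the idmap_nss lookups would silently stop matching the generated passwd entries. Until the range is derived from the same arithmetic, a comment beside it such as `# must equal $uid_localjane-$uid_localbob ($max_uid - 15 .. $max_uid - 14) from provision()` keeps the two in step.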
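diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index cdc7bc77c0a..b7f0976a1ee 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -854,7 +854,7 @@ planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb",
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac
 })
-planoldpythontestsuite("ad_member_no_nss_wb:local",
+planoldpythontestsuite("ad_member_idmap_nss:local",
 "samba.tests.krb5.test_min_domain_uid",
 environ={
 'ADMIN_USERNAME': '$DC_USERNAME',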