diff options
author | Stefan Metzmacher <metze@samba.org> | 2022-11-30 14:57:20 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-14 00:48:48 +0100 |
commit | 08b69ca61f747a74c5a6634d25ce35e43e145ecd (patch) | |
tree | 2f7d762272dbe765b87c46a8e95a3459b531f601 | |
parent | ba1482a18a807a5db4d1bd84640a0d5d83fcd9c3 (diff) | |
download | samba-08b69ca61f747a74c5a6634d25ce35e43e145ecd.tar.gz |
CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
Instead of using the generic deprecated option use the specific
allow nt4 crypto:COMPUTERACCOUNT = yes and
server reject md5 schannel:COMPUTERACCOUNT = no
in order to allow legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768)
[metze@samba.org fixed conflict in 4.15]
-rwxr-xr-x | selftest/target/Samba4.pm | 55 |
1 files changed, 49 insertions, 6 deletions
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index f452248db8d..a1f29ebe3c6 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -1617,7 +1617,6 @@ sub provision_ad_dc_ntvfs($$$) my $extra_conf_options = "netbios aliases = localDC1-a server services = +winbind -winbindd ldap server require strong auth = allow_sasl_over_tls - allow nt4 crypto = yes raw NTLMv2 auth = yes lsa over netlogon = yes rpc server port = 1027 @@ -1629,9 +1628,19 @@ sub provision_ad_dc_ntvfs($$$) client min protocol = CORE server min protocol = LANMAN1 - reject md5 clients = no - CVE_2020_1472:warn_about_unused_debug_level = 3 + CVE_2022_38023:warn_about_unused_debug_level = 3 + allow nt4 crypto:torturetest\$ = yes + server reject md5 schannel:schannel2\$ = no + server reject md5 schannel:schannel3\$ = no + server reject md5 schannel:schannel8\$ = no + server reject md5 schannel:schannel9\$ = no + server reject md5 schannel:torturetest\$ = no + server reject md5 schannel:tests4u2proxywk\$ = no + server reject md5 schannel:tests4u2selfbdc\$ = no + server reject md5 schannel:tests4u2selfwk\$ = no + server reject md5 schannel:torturepacbdc\$ = no + server reject md5 schannel:torturepacwksta\$ = no server require schannel:schannel0\$ = no server require schannel:schannel1\$ = no server require schannel:schannel2\$ = no @@ -1685,6 +1694,13 @@ sub provision_fl2000dc($$) my $extra_conf_options = " spnego:simulate_w2k=yes ntlmssp_server:force_old_spnego=yes + + CVE_2022_38023:warn_about_unused_debug_level = 3 + server reject md5 schannel:tests4u2proxywk\$ = no + server reject md5 schannel:tests4u2selfbdc\$ = no + server reject md5 schannel:tests4u2selfwk\$ = no + server reject md5 schannel:torturepacbdc\$ = no + server reject md5 schannel:torturepacwksta\$ = no "; my $extra_provision_options = ["--base-schema=2008_R2"]; # This environment uses plain text secrets @@ -1728,7 +1744,16 @@ sub provision_fl2003dc($$$) my $extra_conf_options = "allow dns updates = nonsecure and secure dcesrv:header signing = no dcesrv:max auth states = 0 - dns forwarder = $ip_addr1 $ip_addr2"; + dns forwarder = $ip_addr1 $ip_addr2 + + CVE_2022_38023:warn_about_unused_debug_level = 3 + server reject md5 schannel:tests4u2proxywk\$ = no + server reject md5 schannel:tests4u2selfbdc\$ = no + server reject md5 schannel:tests4u2selfwk\$ = no + server reject md5 schannel:torturepacbdc\$ = no + server reject md5 schannel:torturepacwksta\$ = no +"; + my $extra_provision_options = ["--base-schema=2008_R2"]; my $ret = $self->provision($prefix, "domain controller", @@ -1783,6 +1808,13 @@ sub provision_fl2008r2dc($$$) ldap server require strong auth = no # delay by 10 seconds, 10^7 usecs ldap_server:delay_expire_disconnect = 10000 + + CVE_2022_38023:warn_about_unused_debug_level = 3 + server reject md5 schannel:tests4u2proxywk\$ = no + server reject md5 schannel:tests4u2selfbdc\$ = no + server reject md5 schannel:tests4u2selfwk\$ = no + server reject md5 schannel:torturepacbdc\$ = no + server reject md5 schannel:torturepacwksta\$ = no "; my $extra_provision_options = ["--base-schema=2008_R2"]; my $ret = $self->provision($prefix, @@ -1994,9 +2026,20 @@ sub provision_ad_dc($$$$$$$) lpq cache time = 0 print notify backchannel = yes - reject md5 clients = no - CVE_2020_1472:warn_about_unused_debug_level = 3 + CVE_2022_38023:warn_about_unused_debug_level = 3 + CVE_2022_38023:error_debug_level = 2 + server reject md5 schannel:schannel2\$ = no + server reject md5 schannel:schannel3\$ = no + server reject md5 schannel:schannel8\$ = no + server reject md5 schannel:schannel9\$ = no + server reject md5 schannel:torturetest\$ = no + server reject md5 schannel:tests4u2proxywk\$ = no + server reject md5 schannel:tests4u2selfbdc\$ = no + server reject md5 schannel:tests4u2selfwk\$ = no + server reject md5 schannel:torturepacbdc\$ = no + server reject md5 schannel:torturepacwksta\$ = no + server reject md5 schannel:samlogontest\$ = no server require schannel:schannel0\$ = no server require schannel:schannel1\$ = no server require schannel:schannel2\$ = no |