diff options
author | Andrew Bartlett <abartlet@samba.org> | 2022-11-01 12:34:57 +1300 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-14 00:48:48 +0100 |
commit | e24512a20ae479ee1dce33d9e3587cc1e58ff4c2 (patch) | |
tree | 35fd332cc0d130e7393dcff96ae3081d36e69aad | |
parent | e2ac180984e36f54999e970eafb0f05ed90b0fd4 (diff) | |
download | samba-e24512a20ae479ee1dce33d9e3587cc1e58ff4c2.tar.gz |
CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
This makes it easier to test against a server that is not accessible via DNS.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit c7cd6889177e8c705bb637172a60a5cf26734a3f)
-rw-r--r-- | python/samba/drs_utils.py | 12 | ||||
-rw-r--r-- | python/samba/tests/krb5/kdc_base_test.py | 3 |
2 files changed, 12 insertions, 3 deletions
diff --git a/python/samba/drs_utils.py b/python/samba/drs_utils.py index feab89b0d8e..a124a5fd3a0 100644 --- a/python/samba/drs_utils.py +++ b/python/samba/drs_utils.py @@ -41,12 +41,13 @@ class drsException(Exception): return "drsException: " + self.value -def drsuapi_connect(server, lp, creds): +def drsuapi_connect(server, lp, creds, ip=None): """Make a DRSUAPI connection to the server. :param server: the name of the server to connect to :param lp: a samba line parameter object :param creds: credential used for the connection + :param ip: Forced target server name :return: A tuple with the drsuapi bind object, the drsuapi handle and the supported extensions. :raise drsException: if the connection fails @@ -55,7 +56,14 @@ def drsuapi_connect(server, lp, creds): binding_options = "seal" if lp.log_level() >= 9: binding_options += ",print" - binding_string = "ncacn_ip_tcp:%s[%s]" % (server, binding_options) + + # Allow forcing the IP + if ip is not None: + binding_options += f",target_hostname={server}" + binding_string = f"ncacn_ip_tcp:{ip}[{binding_options}]" + else: + binding_string = "ncacn_ip_tcp:%s[%s]" % (server, binding_options) + try: drsuapiBind = drsuapi.drsuapi(binding_string, lp, creds) (drsuapiHandle, bindSupportedExtensions) = drs_DsBind(drsuapiBind) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 367d3de2636..9971840b4ca 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -485,7 +485,8 @@ class KDCBaseTest(RawKerberosTest): dns_hostname = samdb.host_dns_name() (bind, handle, _) = drsuapi_connect(dns_hostname, self.get_lp(), - admin_creds) + admin_creds, + ip=self.dc_host) req = drsuapi.DsGetNCChangesRequest8() |