author | Stefan Metzmacher <metze@samba.org> | 2021-10-05 17:14:01 +0200 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2021-11-09 19:45:33 +0000 |
commit | 3ed0e5b924f77e0f92867cf93892e974e21542e5 (patch) | |
tree | 50ab27453de51001a9c87360e697ff52d9c3cdb1 /selftest/target/Samba3.pm | |
parent | 566c2b296dd6826491958bf739673ca7b8d75be5 (diff) | |
download | samba-3ed0e5b924f77e0f92867cf93892e974e21542e5.tar.gz |
CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
The 'ktest' environment was/is designed to test kerberos in an active
directory member setup. It was created at a time we wanted to test
smbd/winbindd with kerberos without having the source4 ad dc available.
This still applies to testing the build with system krb5 libraries
but without relying on a running ad dc.
As a domain member setup requires a running winbindd, we should test it
that way, in order to reflect a valid setup.
As a side effect it provides a way to demonstrate that we can accept
smb connections authenticated via kerberos, but no connection to
a domain controller! In order to get this working offline, we need an
idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which
should be the default choice.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'selftest/target/Samba3.pm')
-rwxr-xr-x | selftest/target/Samba3.pm | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index a04df4e7ae6..c0ed379bf3f 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1974,7 +1974,6 @@ sub setup_ktest workgroup = KTEST realm = ktest.samba.example.com security = ads - username map = $prefix/lib/username.map server signing = required server min protocol = SMB3_00 client max protocol = SMB3 @@ -1982,6 +1981,10 @@ sub setup_ktest # This disables NTLM auth against the local SAM, which # we use can then test this setting by. ntlm auth = disabled + + idmap config * : backend = autorid + idmap config * : range = 1000000-1999999 + idmap config * : rangesize = 100000 "; my $ret = $self->provision( @@ -2007,12 +2010,6 @@ sub setup_ktest $ret->{KRB5_CONFIG} = $ctx->{krb5_conf}; - open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); - print USERMAP " -$ret->{USERNAME} = KTEST\\Administrator -"; - close(USERMAP); - #This is the secrets.tdb created by 'net ads join' from Samba3 to a #Samba4 DC with the same parameters as are being used here. The #domain SID is S-1-5-21-1071277805-689288055-3486227160 @@ -2064,6 +2061,7 @@ $ret->{USERNAME} = KTEST\\Administrator if (not $self->check_or_start( env_vars => $ret, nmbd => "yes", + winbindd => "offline", smbd => "yes")) { return undef; } |
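Review bot: the removal of `username map = $prefix/lib/username.map` in the first hunk, together with the block in the third hunk that wrote `$ret->{USERNAME} = KTEST\\Administrator` into that file, is not mentioned in the commit message, which only talks about winbindd and autorid. Please add a sentence saying why the mapping of KTEST\Administrator to the local test user is no longer needed in this setup, so that someone bisecting a ktest failure can tell the removal was intentional.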
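Review bot: the three `idmap config *` lines added after `ntlm auth = disabled` in the second hunk have no comment, so the reason for choosing autorid (an idmap backend with ID_TYPE_BOTH support that works offline, per the commit message) is not visible to someone reading the configuration itself. Suggest a one-line `#` comment above them. With range 1000000-1999999 and rangesize 100000 there is room for ten ranges, which looks sufficient for a single-domain test environment, but stating that in the comment would save the next reader the arithmetic. The unchanged comment just above ("we use can then test this setting by.") is garbled and could be fixed in the same pass.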
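Review bot: `winbindd => "offline"` in the last hunk passes a value other than the "yes" used for nmbd and smbd, and nothing at the call site says what it means. A short comment that winbindd is started here without a reachable domain controller, as the commit message describes, would make the intent clear. How check_or_start handles "offline" is not visible in this diff, so it is worth confirming that the value is accepted there and not silently treated as "yes" or as disabled.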