CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
authorSamuel Cabrero <scabrero@samba.org>
Tue, 5 Oct 2021 10:31:29 +0000 (12:31 +0200)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:10 +0000 (10:52 +0100)
This environment creates an AD member that doesn't have
'nss_winbind' configured, while winbindd is still started.

For testing we map a DOMAIN\root user to the local root
account and unix token of the local root user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org backported to Samba 4.14 without offline
 tests in Samba3.pm]

selftest/target/Samba.pm
selftest/target/Samba3.pm

index 1e3b321258fbda08c442db327204f905dfbf8389..6caeb932e28a51fef89f54c7e8b90792d8ac87f7 100644 (file)
@@ -579,6 +579,7 @@ sub get_interface($)
                lclnt4dc2smb1     => 55,
                fipsdc            => 56,
                fipsadmember      => 57,
+               admemnonsswb      => 60,
 
                rootdnsforwarder  => 64,
 
index 9481d18961623e86f36af7879e711196a18398bd..0410e36ffa922adeaf0fd1bcd6a382b4a995ec8b 100755 (executable)
@@ -238,6 +238,7 @@ sub check_env($$)
        ad_member_idmap_rid => ["ad_dc"],
        ad_member_idmap_ad  => ["fl2008r2dc"],
        ad_member_fips      => ["ad_dc_fips"],
+       ad_member_no_nss_wb => ["ad_dc"],
 
        clusteredmember_smb1 => ["nt4_dc"],
 );
@@ -652,7 +653,9 @@ sub provision_ad_member
            $dcvars,
            $trustvars_f,
            $trustvars_e,
-           $force_fips_mode) = @_;
+           $extra_member_options,
+           $force_fips_mode,
+           $no_nss_winbind) = @_;
 
        my $prefix_abs = abs_path($prefix);
        my @dirs = ();
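Review bot: Inserting `$extra_member_options` ahead of `$force_fips_mode` in the positional unpack changes what the sixth argument means, so a caller of provision_ad_member that this commit does not touch and that still passes a FIPS flag in that slot would silently supply smb.conf text instead. Only setup_ad_member_fips is visibly adjusted in this diff; any other callers are outside the page and should be checked. Appending both new parameters after `$force_fips_mode` would avoid the shift; failing that, a comment above the unpack such as `# positional: ..., $extra_member_options (smb.conf text), $force_fips_mode (flag), $no_nss_winbind (flag)` would make the order harder to get wrong. The body of provision_ad_member starts and ends outside the hunk.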
@@ -690,6 +693,10 @@ sub provision_ad_member
                $netbios_aliases = "netbios aliases = foo bar";
        }
 
+       unless (defined($extra_member_options)) {
+               $extra_member_options = "";
+       }
+
        my $member_options = "
        security = ads
         workgroup = $dcvars->{DOMAIN}
@@ -713,6 +720,10 @@ sub provision_ad_member
        rpc_daemon:epmd = fork
        rpc_daemon:lsasd = fork
 
+       # Begin extra member options
+       $extra_member_options
+       # End extra member options
+
 [sub_dug]
        path = $share_dir/D_%D/U_%U/G_%G
        writeable = yes
@@ -791,12 +802,17 @@ sub provision_ad_member
        # access the share for tests.
        chmod 0777, "$prefix/share";
 
-       if (not $self->check_or_start(
-               env_vars => $ret,
-               nmbd => "yes",
-               winbindd => "yes",
-               smbd => "yes")) {
-           return undef;
+        if (defined($no_nss_winbind)) {
+               $ret->{NSS_WRAPPER_MODULE_SO_PATH} = "";
+               $ret->{NSS_WRAPPER_MODULE_FN_PREFIX} = "";
+        }
+
+        if (not $self->check_or_start(
+                       env_vars => $ret,
+                       nmbd => "yes",
+                       winbindd => "yes",
+                       smbd => "yes")) {
+                       return undef;
        }
 
        $ret->{DC_SERVER} = $dcvars->{SERVER};
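Review bot: The new guard `if (defined($no_nss_winbind))` tests definedness rather than truth, so a caller passing `0` to mean "leave nss_winbind alone" would still get `NSS_WRAPPER_MODULE_SO_PATH` and `NSS_WRAPPER_MODULE_FN_PREFIX` blanked; `if ($no_nss_winbind) {` matches how the flag is passed at the visible call site (`1`). The re-indented `check_or_start` block appears to mix space indentation with the surrounding style and pushes `return undef;` a level deeper than the condition it belongs to, which makes the failure path harder to read. A one-line comment above the guard, e.g. `# winbindd still runs, but no NSS module is exposed to nss_wrapper`, would record why the two variables are emptied, since that is the property this environment exists to test. provision_ad_member starts and ends outside the hunk.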
@@ -1174,9 +1190,47 @@ sub setup_ad_member_fips
                                          $dcvars,
                                          $trustvars_f,
                                          $trustvars_e,
+                                         undef,
                                          1);
 }
 
+sub setup_ad_member_no_nss_wb
+{
+       my ($self,
+           $prefix,
+           $dcvars,
+           $trustvars_f,
+           $trustvars_e) = @_;
+
+       # If we didn't build with ADS, pretend this env was never available
+       if (not $self->have_ads()) {
+               return "UNKNOWN";
+       }
+
+       print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND...";
+
+       my $extra_member_options = "
+       username map = $prefix/lib/username.map
+";
+
+       my $ret = $self->provision_ad_member($prefix,
+                                            "ADMEMNONSSWB",
+                                            $dcvars,
+                                            $trustvars_f,
+                                            $trustvars_e,
+                                            $extra_member_options,
+                                            undef,
+                                            1);
+
+       open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
+       print USERMAP "
+root = $dcvars->{DOMAIN}/root
+";
+       close(USERMAP);
+
+       return $ret;
+}
+
 sub setup_simpleserver
 {
        my ($self, $path) = @_;
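Review bot: The map file in setup_ad_member_no_nss_wb is written with a bareword handle and two-argument open, and neither the errno nor the result of `close` is reported. Use `open(my $usermap, '>', "$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map: $!");`, then `print $usermap ...` and `close($usermap) or die(...)`, so the mode is never parsed out of the path and a failed write surfaces. `$ret` is not checked before the write, although the visible part of provision_ad_member returns undef when `check_or_start` fails. The file is also created only after that call has presumably started smbd with `username map` pointing at it, so if smbd reads the map before the write lands, the `root = DOMAIN/root` mapping would be missing. Creating the map before the daemons start, or documenting why the ordering is safe, would remove that doubt.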