CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Fri, 12 Nov 2021 01:20:45 +0000 (14:20 +1300)
committerRalph Boehme <slow@samba.org>
Mon, 15 Nov 2021 18:10:28 +0000 (18:10 +0000)
In reality environments without 'nss_winbind' make use of 'idmap_nss'.

For testing, DOMAIN/bob is mapped to the local 'bob',
while DOMAIN/jane gets the uid based on the local 'jane'
via idmap_nss.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[metze@samba.org avoid to create a new ad_member_idmap_nss environment
and merge it with ad_member_no_nss_wb instead]
Reviewed-by: Ralph Boehme <slow@samba.org>
selftest/target/Samba.pm
selftest/target/Samba3.pm
source4/selftest/tests.py

index 69e6dcee591003354f0ed7e77049d6360cb93f27..c4f8eb5d4f9ebcd14c3a9022e9bab7457546f8ec 100644 (file)
@@ -610,7 +610,7 @@ sub get_interface($)
                fipsadmember      => 57,
                offlineadmem      => 58,
                s2kmember         => 59,
-               admemnonsswb      => 60,
+               admemidmapnss     => 60,
 
                rootdnsforwarder  => 64,
 
index c0ed379bf3fe8679bb6416aff6587a9bb5db7442..d1ac5c16c264141d4f32b04f7e018c1ae13225ac 100755 (executable)
@@ -240,7 +240,7 @@ sub check_env($$)
        ad_member_fips      => ["ad_dc_fips"],
        ad_member_offlogon  => ["ad_dc"],
        ad_member_oneway    => ["fl2000dc"],
-       ad_member_no_nss_wb => ["ad_dc"],
+       ad_member_idmap_nss => ["ad_dc"],
 
        clusteredmember => ["nt4_dc"],
 );
@@ -1448,7 +1448,7 @@ sub setup_ad_member_offlogon
                                          1);
 }
 
-sub setup_ad_member_no_nss_wb
+sub setup_ad_member_idmap_nss
 {
        my ($self,
            $prefix,
@@ -1461,14 +1461,23 @@ sub setup_ad_member_no_nss_wb
                return "UNKNOWN";
        }
 
-       print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND...";
+       print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND WITH idmap_nss config...";
 
        my $extra_member_options = "
+       # bob:x:65521:65531:localbob gecos:/:/bin/false
+       # jane:x:65520:65531:localjane gecos:/:/bin/false
+       idmap config $dcvars->{DOMAIN} : backend = nss
+       idmap config $dcvars->{DOMAIN} : range = 65520-65521
+
+       # Support SMB1 so that we can use posix_whoami().
+       client min protocol = CORE
+       server min protocol = LANMAN1
+
        username map = $prefix/lib/username.map
 ";
 
        my $ret = $self->provision_ad_member($prefix,
-                                            "ADMEMNONSSWB",
+                                            "ADMEMIDMAPNSS",
                                             $dcvars,
                                             $trustvars_f,
                                             $trustvars_e,
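Review bot: The idmap range `65520-65521` and the uids in the two comment lines above it are literal, while the uids of the local bob and jane users are computed in provision() as `$max_uid - 14` and `$max_uid - 15`; the two only agree when provision() settles on `$max_uid = 0xffff`, and if it picks a different base the idmap_nss lookup for DOMAIN/bob and DOMAIN/jane will simply fall outside the range and the environment will fail in a way that is hard to trace back here. At minimum the coupling should be stated next to the range, e.g. `# bob/jane uids are $max_uid - 14 / - 15 from provision(); keep this range in sync with that.`, and ideally the range would be built from the same values rather than repeated. The SMB1 relaxation (`client min protocol = CORE`, `server min protocol = LANMAN1`) is already explained by its comment as test-only, which is the right amount of documentation for it. setup_ad_member_idmap_nss continues past the end of this hunk.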
@@ -1480,6 +1489,7 @@ sub setup_ad_member_no_nss_wb
        open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
        print USERMAP "
 root = $dcvars->{DOMAIN}/root
+bob = $dcvars->{DOMAIN}/bob
 ";
        close(USERMAP);
 
@@ -2528,6 +2538,8 @@ sub provision($$)
        my ($uid_gooduser);
        my ($uid_eviluser);
        my ($uid_slashuser);
+       my ($uid_localbob);
+       my ($uid_localjane);
 
        if ($unix_uid < 0xffff - 13) {
                $max_uid = 0xffff;
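Review bot: The guard `if ($unix_uid < 0xffff - 13)` still reserves room for only 13 derived uids below 0xffff, but the next hunk adds `$uid_localbob = $max_uid - 14` and `$uid_localjane = $max_uid - 15`; with `$unix_uid` equal to 0xffff - 14 or 0xffff - 15 the branch keeps `$max_uid = 0xffff` and one of the new local users collides with the provisioning uid. The condition should be widened to `if ($unix_uid < 0xffff - 15) {` in step with the new offsets. The else branch of this check lies outside the hunk, so I am assuming it derives `$max_uid` from `$unix_uid` as the naming suggests; provision() begins and ends outside this hunk.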
@@ -2548,6 +2560,8 @@ sub provision($$)
        $uid_gooduser = $max_uid - 11;
        $uid_eviluser = $max_uid - 12;
        $uid_slashuser = $max_uid - 13;
+       $uid_localbob = $max_uid - 14;
+       $uid_localjane = $max_uid - 15;
 
        if ($unix_gids[0] < 0xffff - 8) {
                $max_gid = 0xffff;
@@ -3289,6 +3303,8 @@ user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
 gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
 eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
 slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false
+bob:x:$uid_localbob:$gid_domusers:localbob gecos:/:/bin/false
+jane:x:$uid_localjane:$gid_domusers:localjane gecos:/:/bin/false
 ";
        if ($unix_uid != 0) {
                print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
index 276c05acb32d65694d294e8195385bc00caf1229..9b78296828b75af9e9d5db99629e2fe457c7c548 100755 (executable)
@@ -981,7 +981,7 @@ planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb",
                            'TKT_SIG_SUPPORT': tkt_sig_support,
                            'EXPECT_PAC': expect_pac
                        })
-planoldpythontestsuite("ad_member_no_nss_wb:local",
+planoldpythontestsuite("ad_member_idmap_nss:local",
                        "samba.tests.krb5.test_min_domain_uid",
                        environ={
                            'ADMIN_USERNAME': '$DC_USERNAME',