CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth"...

The default is "ldap server require strong auth = yes",
ad_dc_ntvfs uses "ldap server require strong auth = allow_sasl_over_tls",
fl2008r2dc uses "ldap server require strong auth = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index eb9c572192af5256525ce2a73c16089e4f2c0fb0..4b9f158eb993efb00cf658b9c50b32837685dd96 100755 (executable)
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -430,6 +430,7 @@ sub provision_raw_step1($$)
         dcerpc endpoint servers = +winreg +srvsvc
        notify:inotify = false
        ldb:nosync = true
+       ldap server require strong auth = yes
 #We don't want to pass our self-tests if the PAC code is wrong
        gensec:require_pac = true
        log file = $ctx->{logdir}/log.\%m
@@ -1105,7 +1106,9 @@ sub provision_dc($$)
 
        print "PROVISIONING DC...";
         my $extra_conf_options = "netbios aliases = localDC1-a
-        server services = +winbind -winbindd";
+        server services = +winbind -winbindd
+       ldap server require strong auth = allow_sasl_over_tls
+       ";
        my $ret = $self->provision($prefix,
                                   "domain controller",
                                   "localdc",
@@ -1211,6 +1214,7 @@ sub provision_fl2008r2dc($$)
        my ($self, $prefix) = @_;
 
        print "PROVISIONING DC...";
+       my $extra_conf_options = "ldap server require strong auth = no";
        my $ret = $self->provision($prefix,
                                   "domain controller",
                                   "dc7",
@@ -1218,7 +1222,8 @@ sub provision_fl2008r2dc($$)
                                   "samba2008R2.example.com",
                                   "2008_R2",
                                   "locDCpass7",
-                                  undef, "", "", undef);
+                                  undef, $extra_conf_options,
+                                  "", undef);
 
        unless ($self->add_wins_config("$prefix/private")) {
                warn("Unable to add wins configuration");