From: Tim Beale Date: Thu, 22 Nov 2018 00:22:19 +0000 (+1300) Subject: selftest: Designate one testenv as having SMBv1 disabled X-Git-Tag: tdb-1.3.17~639 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=160031f7b7e4e14a1b9ff9316b166fd52b7d401d;p=thirdparty%2Fsamba.git selftest: Designate one testenv as having SMBv1 disabled We recommend users disable SMBv1 to avoid potential security holes. However, none of the AD DC testenvs have SMBv1 disabled. This patch disables SMBv1 on an arbitrarily-chosen testenv (restoredc). I chose restoredc as we'll want to run the backup tool tests against this target, and it might be useful to check we can backup a DC if it's already been restored once. Note that SMBv2 doesn't support POSIX extensions (only SMBv1 does), which is why we haven't just disabled SMBv1 on *all* testenvs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13676 Signed-off-by: Tim Beale Reviewed-by: Andrew Bartlett --- diff --git a/selftest/target/README b/selftest/target/README index 3fd283ed266..b25dbab97da 100644 --- a/selftest/target/README +++ b/selftest/target/README @@ -67,6 +67,7 @@ are separate testenvs for each one. exist. - restoredc: tests the 'backup online' option. Online backups are similar to doing a DC join. + Restoredc's other unique feature is that is has SMBv1 disabled. - offlinebackupdc: tests the 'backup offline' option. Offline backups capture the raw DB files on disk (safely). - renamedc: tests the 'backup rename' option, where the domain and realm are diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 7fa323451cd..0a6c85d1ba7 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm 
@@ -2816,7 +2816,8 @@ sub restore_backup_file # (without actually doing a 'domain join') sub prepare_dc_testenv { - my ($self, $prefix, $dcname, $domain, $realm, $password) = @_; + my ($self, $prefix, $dcname, $domain, $realm, + $password, $conf_options) = @_; my $ctx = $self->provision_raw_prepare($prefix, "domain controller", $dcname, @@ -2837,6 +2838,7 @@ sub prepare_dc_testenv push(@{$ctx->{directories}}, "$ctx->{share}"); $ctx->{smb_conf_extra_options} = " + $conf_options max xmit = 32K server max protocol = SMB2 @@ -2879,10 +2881,16 @@ sub setup_restoredc my ($self, $prefix, $dcvars) = @_; print "Preparing RESTORE DC...\n"; + # we arbitrarily designate the restored DC as having SMBv1 disabled + my $extra_conf = " + server min protocol = SMB2 + client min protocol = SMB2"; + my ($env, $ctx) = $self->prepare_dc_testenv($prefix, "restoredc", $dcvars->{DOMAIN}, $dcvars->{REALM}, - $dcvars->{PASSWORD}); + $dcvars->{PASSWORD}, + $extra_conf); # create a backup of the 'backupfromdc' my $backupdir = File::Temp->newdir(); @@ -2923,7 +2931,7 @@ sub setup_renamedc my $realm = "renamedom.samba.example.com"; my ($env, $ctx) = $self->prepare_dc_testenv($prefix, "renamedc", "RENAMEDOMAIN", $realm, - $dcvars->{PASSWORD}); + $dcvars->{PASSWORD}, ""); # create a backup of the 'backupfromdc' which renames the domain my $backupdir = File::Temp->newdir(); @@ -2970,7 +2978,7 @@ sub setup_offlinebackupdc my ($env, $ctx) = $self->prepare_dc_testenv($prefix, "offlinebackupdc", $dcvars->{DOMAIN}, $dcvars->{REALM}, - $dcvars->{PASSWORD}); + $dcvars->{PASSWORD}, ""); # create an offline backup of the 'backupfromdc' target my $backupdir = File::Temp->newdir(); @@ -3014,7 +3022,7 @@ sub setup_labdc my ($env, $ctx) = $self->prepare_dc_testenv($prefix, "labdc", "LABDOMAIN", "labdom.samba.example.com", - $dcvars->{PASSWORD}); + $dcvars->{PASSWORD}, ""); # create a backup of the 'backupfromdc' which renames the domain and uses # the --no-secrets option to scrub any sensitive info 
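Review bot: The new `$conf_options` argument of `prepare_dc_testenv` has no default, so a caller that omits it interpolates undef into the smb.conf text and gets at most an uninitialized-value warning instead of a clear failure. Adding `$conf_options = "" unless defined($conf_options);` right after the argument unpacking would make the parameter optional. The `""` arguments added in setup_renamedc, setup_offlinebackupdc, setup_labdc and setup_customdc would then be unnecessary. A short comment above the sub should say that `$conf_options` is raw smb.conf text placed into `smb_conf_extra_options`. The body of the sub continues outside this hunk.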
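Review bot: `$conf_options` is interpolated ahead of the fixed `max xmit = 32K` and `server max protocol = SMB2` lines, so a caller-supplied value for either parameter would presumably be overridden by the later fixed line (worth confirming that the last assignment wins here). That is harmless for the options restoredc passes today, but it means a future caller cannot use this argument to change the protocol ceiling and would get no error when trying. Either place `$conf_options` after the fixed options, or add a comment such as `# fixed options below take precedence over $conf_options`. The quoted string continues past the end of this hunk, so options further down may be affected in the same way.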
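Review bot: Nothing visible in this patch checks that restoredc actually refuses an SMB1 negotiation, so the hardening set in `$extra_conf` can regress silently if the option is later dropped or overridden. A negative test against this testenv, expecting an SMB1-only connection attempt to fail, would pin the behaviour the commit message describes. Note also that `server min protocol = SMB2` combined with the existing `server max protocol = SMB2` in `prepare_dc_testenv` appears to restrict the server to the SMB2 family only, so this environment would not cover SMB3 dialects. Extending the comment to something like `# SMBv1 disabled; max protocol is still SMB2, so no SMB3 here` would make that explicit.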
@@ -3120,7 +3128,7 @@ sub setup_customdc # create a placeholder directory and smb.conf, as well as the env vars. my ($env, $ctx) = $self->prepare_dc_testenv($prefix, $dc_name, - $domain, $realm, $password); + $domain, $realm, $password, ""); # restore the specified backup file to populate the testenv my $restore_dir = abs_path($prefix);