From: Samuel Cabrero Date: Tue, 5 Oct 2021 10:31:29 +0000 (+0200) Subject: CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment X-Git-Tag: samba-4.13.14~154 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37c2f73cc958003fbba479d6d4d7c003f5d88fd6;p=thirdparty%2Fsamba.git CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment This environment creates an AD member that doesn't have 'nss_winbind' configured, while winbindd is still started. For testing we map a DOMAIN\root user to the local root account and unix token of the local root user. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Samuel Cabrero Signed-off-by: Stefan Metzmacher [abartlet@samba.org backported to Samba 4.14 without offline tests in Samba3.pm] --- diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index 1e3b321258f..6caeb932e28 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -579,6 +579,7 @@ sub get_interface($) lclnt4dc2smb1 => 55, fipsdc => 56, fipsadmember => 57, + admemnonsswb => 60, rootdnsforwarder => 64, diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 9481d189616..0410e36ffa9 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -238,6 +238,7 @@ sub check_env($$) ad_member_idmap_rid => ["ad_dc"], ad_member_idmap_ad => ["fl2008r2dc"], ad_member_fips => ["ad_dc_fips"], + ad_member_no_nss_wb => ["ad_dc"], clusteredmember_smb1 => ["nt4_dc"], ); @@ -652,7 +653,9 @@ sub provision_ad_member $dcvars, $trustvars_f, $trustvars_e, - $force_fips_mode) = @_; + $extra_member_options, + $force_fips_mode, + $no_nss_winbind) = @_; my $prefix_abs = abs_path($prefix); my @dirs = (); 
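Review bot: In the provision_ad_member signature hunk, `$extra_member_options` is inserted ahead of the existing positional `$force_fips_mode`, so any caller that already passed a seventh argument now has it read as extra smb.conf text instead of the FIPS flag; only setup_ad_member_fips is adjusted in this commit (the `undef, 1` hunk later in Samba3.pm), and whether any other caller passes `$force_fips_mode` is not visible on this page. Appending the new parameters after the existing one, `$force_fips_mode, $extra_member_options, $no_nss_winbind) = @_;`, or moving the three trailing flags into a named `%opts` hash, would keep existing call sites valid without a coordinated edit. The body of provision_ad_member continues past this hunk.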
@@ -690,6 +693,10 @@ sub provision_ad_member $netbios_aliases = "netbios aliases = foo bar"; } + unless (defined($extra_member_options)) { + $extra_member_options = ""; + } + my $member_options = " security = ads workgroup = $dcvars->{DOMAIN} @@ -713,6 +720,10 @@ sub provision_ad_member rpc_daemon:epmd = fork rpc_daemon:lsasd = fork + # Begin extra member options + $extra_member_options + # End extra member options + [sub_dug] path = $share_dir/D_%D/U_%U/G_%G writeable = yes @@ -791,12 +802,17 @@ sub provision_ad_member # access the share for tests. chmod 0777, "$prefix/share"; - if (not $self->check_or_start( - env_vars => $ret, - nmbd => "yes", - winbindd => "yes", - smbd => "yes")) { - return undef; + if (defined($no_nss_winbind)) { + $ret->{NSS_WRAPPER_MODULE_SO_PATH} = ""; + $ret->{NSS_WRAPPER_MODULE_FN_PREFIX} = ""; + } + + if (not $self->check_or_start( + env_vars => $ret, + nmbd => "yes", + winbindd => "yes", + smbd => "yes")) { + return undef; } $ret->{DC_SERVER} = $dcvars->{SERVER}; @@ -1174,9 +1190,47 @@ sub setup_ad_member_fips $dcvars, $trustvars_f, $trustvars_e, + undef, 1); } +sub setup_ad_member_no_nss_wb +{ + my ($self, + $prefix, + $dcvars, + $trustvars_f, + $trustvars_e) = @_; + + # If we didn't build with ADS, pretend this env was never available + if (not $self->have_ads()) { + return "UNKNOWN"; + } + + print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND..."; + + my $extra_member_options = " + username map = $prefix/lib/username.map +"; + + my $ret = $self->provision_ad_member($prefix, + "ADMEMNONSSWB", + $dcvars, + $trustvars_f, + $trustvars_e, + $extra_member_options, + undef, + 1); + + open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); + print USERMAP " +root = $dcvars->{DOMAIN}/root +"; + close(USERMAP); + + return $ret; +} + sub setup_simpleserver { my ($self, $path) = @_;
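Review bot: The `unless (defined($extra_member_options)) { $extra_member_options = ""; }` block added just before `$member_options` spells out the defined-or default by hand; `$extra_member_options //= "";` expresses the same default in one line, assuming the selftest perl is 5.10 or later as the `//` operator requires. provision_ad_member begins before this hunk and continues after it.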
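Review bot: `if (defined($no_nss_winbind))` in the check_or_start hunk disables the NSS wrapper for any defined value, so a caller passing `0` to mean "keep nss_winbind" would get the opposite of what it asked for; reading the flag as a boolean, `if ($no_nss_winbind) {`, matches how the literal `1` is passed from setup_ad_member_no_nss_wb. The two assignments also deserve a why-comment, since emptying `NSS_WRAPPER_MODULE_SO_PATH` and `NSS_WRAPPER_MODULE_FN_PREFIX` is presumably what leaves winbindd running (it is still started with `winbindd => "yes"`) while keeping it out of this member's NSS lookups, e.g. `# Start winbindd, but leave nss_winbind out of NSS for this member`. provision_ad_member's body extends beyond the hunk on both sides.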
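Review bot: setup_ad_member_no_nss_wb writes `$prefix/lib/username.map` through a bareword handle and a 2-arg `open` that carries the mode inside the path string, never checks the `close`, and creates the file only after provision_ad_member has already started smbd with `username map = $prefix/lib/username.map` in its smb.conf; `$ret` is also not checked, so a failed provision (which returns undef) still writes the map and then returns that undef as if nothing went wrong. Whether smbd tolerates the map being absent at startup depends on when it reads the file, which this page does not show, so either confirm that ordering or write the map before provisioning if `$prefix/lib` already exists at that point. The mapping of the domain's root to the local root account is the stated intent of the environment and is worth a comment at the write, as in the rewrite below, which also switches to a lexical three-argument `open` with `$!` in the message and a checked `close`.
```perl
	# … unchanged: have_ads() check, $extra_member_options, provision_ad_member call …
	return undef unless defined($ret);

	# Without nss_winbind on this member, map DOMAIN/root onto the
	# local root account so tests run with root's unix token.
	my $usermap_path = "$prefix/lib/username.map";
	open(my $usermap_fh, '>', $usermap_path)
	    or die("Unable to open $usermap_path: $!");
	print {$usermap_fh} "
root = $dcvars->{DOMAIN}/root
";
	close($usermap_fh) or die("Unable to close $usermap_path: $!");

	return $ret;
```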