From: Samuel Cabrero
Date: Tue, 5 Oct 2021 10:31:29 +0000 (+0200)
Subject: CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
X-Git-Tag: ldb-2.5.0~252
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=6771b2f211f6f5ae08d94a75afb7c6109f65497d;p=thirdparty%2Fsamba.git

CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment

This environment creates an AD member that doesn't have 'nss_winbind' configured, while winbindd is still started. For testing we map a DOMAIN\root user to the local root account and unix token of the local root user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher

Signed-off-by: Samuel Cabrero
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 10353008b88..69e6dcee591 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -610,6 +610,7 @@ sub get_interface($)
 fipsadmember => 57,
 offlineadmem => 58,
 s2kmember => 59,
+ admemnonsswb => 60,
 rootdnsforwarder => 64,
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 8ecfc1aaf82..a04df4e7ae6 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -240,6 +240,7 @@ sub check_env($$)
 ad_member_fips => ["ad_dc_fips"],
 ad_member_offlogon => ["ad_dc"],
 ad_member_oneway => ["fl2000dc"],
+ ad_member_no_nss_wb => ["ad_dc"],
 clusteredmember => ["nt4_dc"],
 );
@@ -653,8 +654,15 @@ sub provision_ad_member
 $dcvars,
 $trustvars_f,
 $trustvars_e,
+ $extra_member_options,
 $force_fips_mode,
- $offline_logon) = @_;
+ $offline_logon,
+ $no_nss_winbind) = @_;
+
+ if (defined($offline_logon) && defined($no_nss_winbind)) {
+ warn ("Offline logon incompatible with no nss winbind\n");
+ return undef;
+ }
 my $prefix_abs = abs_path($prefix);
 my @dirs = ();
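Review bot: The new `$extra_member_options` parameter of provision_ad_member is inserted ahead of `$force_fips_mode`, so every existing caller that already passes the trailing positional arguments shifts by one; the diff adjusts setup_ad_member_fips and setup_ad_member_offlogon, and any caller passing arguments past `$trustvars_e` that is not in this diff would end up handing its FIPS flag over as extra smb.conf text. Appending the new parameter after `$no_nss_winbind` would have avoided the shift; failing that, a comment on the signature naming the order, e.g. `# positional after $trustvars_e: $extra_member_options (smb.conf text or undef), $force_fips_mode, $offline_logon, $no_nss_winbind`, helps the next caller. In the incompatibility guard `return undef;` works for the scalar-context callers shown in this diff, though a bare `return;` is the conventional spelling. provision_ad_member's parameter list starts before this hunk, so callers outside the diff cannot be checked here.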
@@ -696,6 +704,10 @@ sub provision_ad_member
 $netbios_aliases = "netbios aliases = foo bar";
 }
+ unless (defined($extra_member_options)) {
+ $extra_member_options = "";
+ }
+
 my $member_options = "
 security = ads
 workgroup = $dcvars->{DOMAIN}
@@ -719,6 +731,10 @@ sub provision_ad_member
 rpc_daemon:epmd = fork
 rpc_daemon:lsasd = fork
+ # Begin extra member options
+ $extra_member_options
+ # End extra member options
+
 [sub_dug]
 path = $share_dir/D_%D/U_%U/G_%G
 writeable = yes
@@ -920,6 +936,11 @@ sub provision_ad_member
 $ENV{SOCKET_WRAPPER_DIR} = $swrap_env;
 } else {
+ if (defined($no_nss_winbind)) {
+ $ret->{NSS_WRAPPER_MODULE_SO_PATH} = "";
+ $ret->{NSS_WRAPPER_MODULE_FN_PREFIX} = "";
+ }
+
 if (not $self->check_or_start(
 env_vars => $ret,
 nmbd => "yes",
@@ -1398,6 +1419,7 @@ sub setup_ad_member_fips
 $dcvars,
 $trustvars_f,
 $trustvars_e,
+ undef,
 1);
 }
@@ -1422,9 +1444,48 @@ sub setup_ad_member_offlogon
 $trustvars_f,
 $trustvars_e,
 undef,
+ undef,
 1);
 }
+sub setup_ad_member_no_nss_wb
+{
+ my ($self,
+ $prefix,
+ $dcvars,
+ $trustvars_f,
+ $trustvars_e) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND...";
+
+ my $extra_member_options = "
+ username map = $prefix/lib/username.map
+";
+
+ my $ret = $self->provision_ad_member($prefix,
+ "ADMEMNONSSWB",
+ $dcvars,
+ $trustvars_f,
+ $trustvars_e,
+ $extra_member_options,
+ undef,
+ undef,
+ 1);
+
+ open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
+ print USERMAP "
+root = $dcvars->{DOMAIN}/root
+";
+ close(USERMAP);
+
+ return $ret;
+}
+
 sub setup_simpleserver
 {
 my ($self, $path) = @_;
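Review bot: The two `$ret->{NSS_WRAPPER_MODULE_SO_PATH}` / `NSS_WRAPPER_MODULE_FN_PREFIX}` assignments in the `@@ -920` hunk carry no comment explaining why an empty value is the intended way to leave nss_winbind out of this member; a line such as `# no nss_winbind in this environment: leave nss_wrapper without a module so the winbind NSS module is never loaded, while winbindd itself still runs` would make that readable without the commit message. The clearing sits only in the `else` branch, so the branch above it (its condition lies outside the hunk) never applies it; if that branch can also be reached for this environment the same two lines are needed there, which cannot be decided from the hunk. The guard tests `defined($no_nss_winbind)` rather than truth, matching the `$offline_logon` convention from the earlier hunk, so a caller passing 0 would still disable the module — acceptable, but worth stating in the comment. The enclosing if/else starts before the hunk.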
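Review bot: `open(USERMAP, ">$prefix/lib/username.map")` in the new setup_ad_member_no_nss_wb uses a bareword handle and the two-argument open, and neither the `print` nor the `close` is checked, so a short or failed write of the map file passes silently and the member then runs with no root mapping at all; the three lines should read `open(my $usermap, '>', "$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map: $!");`, `print {$usermap} "` with the same two-line content, and `close($usermap) or die("Unable to write $prefix/lib/username.map: $!");`. The map file is created after provision_ad_member has already started the daemons whose smb.conf points at it; if `username map` is read at lookup time this is harmless, but if it is read at daemon start the write has to move before the provisioning call — not decidable from this hunk. When provision_ad_member returns undef (the incompatibility guard added earlier in this diff), the open still runs and dies if `$prefix/lib` was never created, turning a reportable failure into an abort; `return undef unless defined $ret;` (or the file's preferred spelling) ahead of the open would propagate the failure the same way other callers presumably do.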