From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 22 Oct 2021 14:20:36 +0000 (+0200)
Subject: CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
X-Git-Tag: ldb-2.5.0~265
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=f9b16272d2879812011c5642019fd33ae72a6b91;p=thirdparty%2Fsamba.git

CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

[jsutton@samba.org Added knownfail entries]

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/selftest/knownfail.d/no-pac b/selftest/knownfail.d/no-pac
new file mode 100644
index 00000000000..9723d581c2a
--- /dev/null
+++ b/selftest/knownfail.d/no-pac
@@ -0,0 +1,4 @@
+^samba.tests.krb5.test_ccache.samba.tests.krb5.test_ccache.CcacheTests.test_ccache_no_pac
+^samba.tests.krb5.test_ldap.samba.tests.krb5.test_ldap.LdapTests.test_ldap_no_pac
+^samba.tests.krb5.test_rpc.samba.tests.krb5.test_rpc.RpcTests.test_rpc_no_pac
+^samba.tests.krb5.test_smb.samba.tests.krb5.test_smb.SmbTests.test_smb_no_pac
diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index 9d4462323f5..75763ef3838 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -586,8 +586,6 @@ sub write_clientconf($$$)
 	client min protocol = CORE
 	log level = $client_loglevel
 	torture:basedir = $clientdir
-#We don't want to pass our self-tests if the PAC code is wrong
-	gensec:require_pac = true
 #We don't want to run 'speed' tests for very long
         torture:timelimit = 1
         winbind separator = /
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 4b302aa19de..aafe183dced 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -785,8 +785,6 @@ sub provision_raw_step1($$)
 	notify:inotify = false
 	ldb:nosync = true
 	ldap server require strong auth = yes
-#We don't want to pass our self-tests if the PAC code is wrong
-	gensec:require_pac = true
 	log file = $ctx->{logdir}/log.\%m
 	log level = $ctx->{server_loglevel}
 	lanman auth = Yes