author | Stefan Metzmacher <metze@samba.org> | 2022-11-30 12:26:01 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-13 21:37:58 +0100 |
commit | 0be35930722530e5befa16a65a16232393258057 (patch) | |
tree | 8f796b6ef3510cfc363d0b67773ad43d6720606c | |
parent | e02e8ad46b02a4c16f575b6371eea8ea66dee067 (diff) | |
CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
Instead of using the generic deprecated option use the specific
server require schannel:COMPUTERACCOUNT = no in order to allow
legacy tests to pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c)
-rwxr-xr-x | selftest/target/Samba4.pm | 40 |
1 files changed, 37 insertions, 3 deletions
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 5c324c500fe..5568e399da5 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1625,10 +1625,27 @@ sub provision_ad_dc_ntvfs($$$)
 dsdb event notification = true
 dsdb password event notification = true
 dsdb group change notification = true
- server schannel = auto
 # override the new SMB2 only default
 client min protocol = CORE
 server min protocol = LANMAN1
+
+ CVE_2020_1472:warn_about_unused_debug_level = 3
+ server require schannel:schannel0\$ = no
+ server require schannel:schannel1\$ = no
+ server require schannel:schannel2\$ = no
+ server require schannel:schannel3\$ = no
+ server require schannel:schannel4\$ = no
+ server require schannel:schannel5\$ = no
+ server require schannel:schannel6\$ = no
+ server require schannel:schannel7\$ = no
+ server require schannel:schannel8\$ = no
+ server require schannel:schannel9\$ = no
+ server require schannel:schannel10\$ = no
+ server require schannel:schannel11\$ = no
+ server require schannel:torturetest\$ = no
+
+ # needed for 'samba.tests.auth_log' tests
+ server require schannel:LOCALDC\$ = no
 ";
 push (@{$extra_provision_options}, "--use-ntvfs");
 my $ret = $self->provision($prefix,
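Review bot: The block of `server require schannel:…\$ = no` exceptions added to the smb.conf string in provision_ad_dc_ntvfs has no comment saying which tests rely on the schannel0–schannel11 and torturetest accounts, while the LOCALDC line directly below does name its test. A comment above the list such as `# machine accounts of legacy tests that still use netlogon without schannel`, and one on `CVE_2020_1472:warn_about_unused_debug_level = 3` saying why the level is raised for selftest (wording to be confirmed against the option's documentation), would let a later reader tell which exemptions can be retired. The same fourteen lines and the debug option are repeated in the provision_ad_dc hunk, so the comment applies there too, and keeping the list in one shared variable would stop the two environments drifting apart. The function starts and ends outside this hunk.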
@@ -1975,8 +1992,22 @@ sub provision_ad_dc($$$$$$$)
 lpq cache time = 0
 print notify backchannel = yes
- server schannel = auto
- auth event notification = true
+ CVE_2020_1472:warn_about_unused_debug_level = 3
+ server require schannel:schannel0\$ = no
+ server require schannel:schannel1\$ = no
+ server require schannel:schannel2\$ = no
+ server require schannel:schannel3\$ = no
+ server require schannel:schannel4\$ = no
+ server require schannel:schannel5\$ = no
+ server require schannel:schannel6\$ = no
+ server require schannel:schannel7\$ = no
+ server require schannel:schannel8\$ = no
+ server require schannel:schannel9\$ = no
+ server require schannel:schannel10\$ = no
+ server require schannel:schannel11\$ = no
+ server require schannel:torturetest\$ = no
+
+ auth event notification = true
 dsdb event notification = true
 dsdb password event notification = true
 dsdb group change notification = true
@@ -2653,6 +2684,9 @@ sub setup_ad_dc_smb1
 [global]
 client min protocol = CORE
 server min protocol = LANMAN1
+
+ # needed for 'samba.tests.auth_log' tests
+ server require schannel:ADDCSMB1\$ = no
 ";
 return _setup_ad_dc($self, $path, $conf_opts, "addcsmb1", "addom2.samba.example.com");
 } |
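Review bot: In the provision_ad_dc hunk `auth event notification = true` is removed and re-added with identical visible text, so that part of the change is presumably whitespace only. Mixing a re-indent into a CVE backport adds a conflict point for later cherry-picks without changing behaviour; leaving the line untouched, or moving the re-indent to a separate commit, would keep this hunk to the schannel change. The function starts and ends outside this hunk.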
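Review bot: In setup_ad_dc_smb1 the exempted account name `ADDCSMB1\$` is spelled out separately from the `"addcsmb1"` argument passed to `_setup_ad_dc` three lines below, and nothing ties the two together. If the environment were renamed, the exception would silently stop matching and, with the global `server schannel = auto` gone, the auth_log tests would presumably fail on the schannel requirement rather than on an obvious configuration error. Extending the existing comment to `# needed for 'samba.tests.auth_log' tests; must match the server name passed to _setup_ad_dc below` would make the coupling visible. That the account is the DC's own machine account is inferred from the name, and the start of the function is outside the hunk.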