CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment

This environment creates an AD member that doesn't have
'nss_winbind' configured, while winbindd is still started.

For testing we map a DOMAIN\root user to the local root
account and unix token of the local root user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/target/Samba.pm

@@ -610,6 +610,7 @@ sub get_interface($)
 		fipsadmember      => 57,
 		offlineadmem      => 58,
 		s2kmember         => 59,
+		admemnonsswb      => 60,
 
 		rootdnsforwarder  => 64,
 

selftest/target/Samba3.pm

@@ -240,6 +240,7 @@ sub check_env($$)
 	ad_member_fips      => ["ad_dc_fips"],
 	ad_member_offlogon  => ["ad_dc"],
 	ad_member_oneway    => ["fl2000dc"],
+	ad_member_no_nss_wb => ["ad_dc"],
 
 	clusteredmember => ["nt4_dc"],
 );
@@ -653,8 +654,15 @@ sub provision_ad_member
 	    $dcvars,
 	    $trustvars_f,
 	    $trustvars_e,
+	    $extra_member_options,
 	    $force_fips_mode,
-	    $offline_logon) = @_;
+	    $offline_logon,
+	    $no_nss_winbind) = @_;
+
+	if (defined($offline_logon) && defined($no_nss_winbind)) {
+		warn ("Offline logon incompatible with no nss winbind\n");
+		return undef;
+	}
 
 	my $prefix_abs = abs_path($prefix);
 	my @dirs = ();
@@ -696,6 +704,10 @@ sub provision_ad_member
 		$netbios_aliases = "netbios aliases = foo bar";
 	}
 
+	unless (defined($extra_member_options)) {
+		$extra_member_options = "";
+	}
+
 	my $member_options = "
 	security = ads
         workgroup = $dcvars->{DOMAIN}
@@ -719,6 +731,10 @@ sub provision_ad_member
 	rpc_daemon:epmd = fork
 	rpc_daemon:lsasd = fork
 
+	# Begin extra member options
+	$extra_member_options
+	# End extra member options
+
 [sub_dug]
 	path = $share_dir/D_%D/U_%U/G_%G
 	writeable = yes
@@ -920,6 +936,11 @@ sub provision_ad_member
 		$ENV{SOCKET_WRAPPER_DIR} = $swrap_env;
 
 	} else {
+		if (defined($no_nss_winbind)) {
+			$ret->{NSS_WRAPPER_MODULE_SO_PATH} = "";
+			$ret->{NSS_WRAPPER_MODULE_FN_PREFIX} = "";
+		}
+
 		if (not $self->check_or_start(
 			env_vars => $ret,
 			nmbd => "yes",
@@ -1398,6 +1419,7 @@ sub setup_ad_member_fips
 					  $dcvars,
 					  $trustvars_f,
 					  $trustvars_e,
+					  undef,
 					  1);
 }
 
@@ -1422,9 +1444,48 @@ sub setup_ad_member_offlogon
 					  $trustvars_f,
 					  $trustvars_e,
 					  undef,
+					  undef,
 					  1);
 }
 
+sub setup_ad_member_no_nss_wb
+{
+	my ($self,
+	    $prefix,
+	    $dcvars,
+	    $trustvars_f,
+	    $trustvars_e) = @_;
+
+	# If we didn't build with ADS, pretend this env was never available
+	if (not $self->have_ads()) {
+	        return "UNKNOWN";
+	}
+
+	print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND...";
+
+	my $extra_member_options = "
+	username map = $prefix/lib/username.map
+";
+
+	my $ret = $self->provision_ad_member($prefix,
+					     "ADMEMNONSSWB",
+					     $dcvars,
+					     $trustvars_f,
+					     $trustvars_e,
+					     $extra_member_options,
+					     undef,
+					     undef,
+					     1);
+
+	open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
+	print USERMAP "
+root = $dcvars->{DOMAIN}/root
+";
+	close(USERMAP);
+
+	return $ret;
+}
+
 sub setup_simpleserver
 {
 	my ($self, $path) = @_;