CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
Instead of using the generic deprecated option use the specific allow nt4 crypto:COMPUTERACCOUNT = yes and server reject md5 schannel:COMPUTERACCOUNT = no in order to allow the legacy tests to pass. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
This commit is contained in:
parent
43df4be359
commit
7ae3735810
@ -1610,7 +1610,6 @@ sub provision_ad_dc_ntvfs($$$)
|
||||
my $extra_conf_options = "netbios aliases = localDC1-a
|
||||
server services = +winbind -winbindd
|
||||
ldap server require strong auth = allow_sasl_over_tls
|
||||
allow nt4 crypto = yes
|
||||
raw NTLMv2 auth = yes
|
||||
lsa over netlogon = yes
|
||||
rpc server port = 1027
|
||||
@ -1622,9 +1621,19 @@ sub provision_ad_dc_ntvfs($$$)
|
||||
client min protocol = CORE
|
||||
server min protocol = LANMAN1
|
||||
|
||||
reject md5 clients = no
|
||||
|
||||
CVE_2020_1472:warn_about_unused_debug_level = 3
|
||||
CVE_2022_38023:warn_about_unused_debug_level = 3
|
||||
allow nt4 crypto:torturetest\$ = yes
|
||||
server reject md5 schannel:schannel2\$ = no
|
||||
server reject md5 schannel:schannel3\$ = no
|
||||
server reject md5 schannel:schannel8\$ = no
|
||||
server reject md5 schannel:schannel9\$ = no
|
||||
server reject md5 schannel:torturetest\$ = no
|
||||
server reject md5 schannel:tests4u2proxywk\$ = no
|
||||
server reject md5 schannel:tests4u2selfbdc\$ = no
|
||||
server reject md5 schannel:tests4u2selfwk\$ = no
|
||||
server reject md5 schannel:torturepacbdc\$ = no
|
||||
server reject md5 schannel:torturepacwksta\$ = no
|
||||
server require schannel:schannel0\$ = no
|
||||
server require schannel:schannel1\$ = no
|
||||
server require schannel:schannel2\$ = no
|
||||
@ -1679,6 +1688,13 @@ sub provision_fl2000dc($$)
|
||||
kdc enable fast = no
|
||||
spnego:simulate_w2k=yes
|
||||
ntlmssp_server:force_old_spnego=yes
|
||||
|
||||
CVE_2022_38023:warn_about_unused_debug_level = 3
|
||||
server reject md5 schannel:tests4u2proxywk\$ = no
|
||||
server reject md5 schannel:tests4u2selfbdc\$ = no
|
||||
server reject md5 schannel:tests4u2selfwk\$ = no
|
||||
server reject md5 schannel:torturepacbdc\$ = no
|
||||
server reject md5 schannel:torturepacwksta\$ = no
|
||||
";
|
||||
my $extra_provision_options = ["--base-schema=2008_R2"];
|
||||
# This environment uses plain text secrets
|
||||
@ -1719,11 +1735,23 @@ sub provision_fl2003dc($$$)
|
||||
my $ip_addr2 = Samba::get_ipv6_addr("fakednsforwarder2");
|
||||
|
||||
print "PROVISIONING DC WITH FOREST LEVEL 2003...\n";
|
||||
my $extra_conf_options = "allow dns updates = nonsecure and secure
|
||||
my $extra_conf_options = "
|
||||
allow dns updates = nonsecure and secure
|
||||
|
||||
kdc enable fast = no
|
||||
dcesrv:header signing = no
|
||||
dcesrv:max auth states = 0
|
||||
dns forwarder = $ip_addr1 [$ip_addr2]:54";
|
||||
|
||||
dns forwarder = $ip_addr1 [$ip_addr2]:54
|
||||
|
||||
CVE_2022_38023:warn_about_unused_debug_level = 3
|
||||
server reject md5 schannel:tests4u2proxywk\$ = no
|
||||
server reject md5 schannel:tests4u2selfbdc\$ = no
|
||||
server reject md5 schannel:tests4u2selfwk\$ = no
|
||||
server reject md5 schannel:torturepacbdc\$ = no
|
||||
server reject md5 schannel:torturepacwksta\$ = no
|
||||
";
|
||||
|
||||
my $extra_provision_options = ["--base-schema=2008_R2"];
|
||||
my $ret = $self->provision($prefix,
|
||||
"domain controller",
|
||||
@ -1778,6 +1806,13 @@ sub provision_fl2008r2dc($$$)
|
||||
ldap server require strong auth = no
|
||||
# delay by 10 seconds, 10^7 usecs
|
||||
ldap_server:delay_expire_disconnect = 10000
|
||||
|
||||
CVE_2022_38023:warn_about_unused_debug_level = 3
|
||||
server reject md5 schannel:tests4u2proxywk\$ = no
|
||||
server reject md5 schannel:tests4u2selfbdc\$ = no
|
||||
server reject md5 schannel:tests4u2selfwk\$ = no
|
||||
server reject md5 schannel:torturepacbdc\$ = no
|
||||
server reject md5 schannel:torturepacwksta\$ = no
|
||||
";
|
||||
my $extra_provision_options = ["--base-schema=2008_R2"];
|
||||
my $ret = $self->provision($prefix,
|
||||
@ -1989,9 +2024,20 @@ sub provision_ad_dc($$$$$$$)
|
||||
lpq cache time = 0
|
||||
print notify backchannel = yes
|
||||
|
||||
reject md5 clients = no
|
||||
|
||||
CVE_2020_1472:warn_about_unused_debug_level = 3
|
||||
CVE_2022_38023:warn_about_unused_debug_level = 3
|
||||
CVE_2022_38023:error_debug_level = 2
|
||||
server reject md5 schannel:schannel2\$ = no
|
||||
server reject md5 schannel:schannel3\$ = no
|
||||
server reject md5 schannel:schannel8\$ = no
|
||||
server reject md5 schannel:schannel9\$ = no
|
||||
server reject md5 schannel:torturetest\$ = no
|
||||
server reject md5 schannel:tests4u2proxywk\$ = no
|
||||
server reject md5 schannel:tests4u2selfbdc\$ = no
|
||||
server reject md5 schannel:tests4u2selfwk\$ = no
|
||||
server reject md5 schannel:torturepacbdc\$ = no
|
||||
server reject md5 schannel:torturepacwksta\$ = no
|
||||
server reject md5 schannel:samlogontest\$ = no
|
||||
server require schannel:schannel0\$ = no
|
||||
server require schannel:schannel1\$ = no
|
||||
server require schannel:schannel2\$ = no
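Review bot: The per-account `server reject md5 schannel:ACCOUNT$ = no`, `server require schannel:ACCOUNT$ = no` and (in the ntvfs environment) `allow nt4 crypto:torturetest$ = yes` lines re-open exactly the weak netlogon paths CVE-2022-38023 and CVE-2020-1472 close, but nothing in the conf string marks them as test fixtures, and these selftest smb.conf snippets are often used as reference configs. I would add a comment at the head of each exception list, e.g. `# CVE-2022-38023 / CVE-2020-1472 test-only exceptions: weaken schannel checks for the listed torture accounts only; never copy into a real deployment`. The provision_ad_dc hunk also sets `CVE_2022_38023:error_debug_level = 2` while the ntvfs, fl2000, fl2003 and fl2008r2 hunks only set the `warn_about_unused_debug_level`, and carries no `allow nt4 crypto:` exception; if that asymmetry is intentional it deserves a one-line comment, since a reader cannot tell from here whether the ad_dc environment simply has no test needing it. The enclosing provision_ad_dc body starts and ends outside this hunk.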
|
||||
|