1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

1141 Commits

Author SHA1 Message Date
Stefan Metzmacher
41bccb5ae5 CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Pair-Programmed-With: Günther Deschner <gd@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:28 +02:00
Stefan Metzmacher
398a21c57c CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:27 +02:00
Stefan Metzmacher
80dae9afda CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
This matches windows and prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:27 +02:00
Stefan Metzmacher
7cf3318fa9 CVE-2016-2113: selftest: use "tls verify peer = no_check"
Individual tests will check the more secure values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
942e4ed851 CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
2b40fb8509 CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
We want to test against all "ldap server require strong auth" combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
e71be8099a CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
The default is "ldap server require strong auth = yes",
ad_dc_ntvfs uses "ldap server require strong auth = allow_sasl_over_tls",
fl2008r2dc uses "ldap server require strong auth = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
5ab1db006e CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:24 +02:00
Stefan Metzmacher
e4bab3a828 Revert "selftest: dbcheck should not be marked flapping"
This reverts commit a7b242aa61.
2016-04-12 19:25:22 +02:00
Christof Schmitt
6eba42f927 selftest: Load time_audit and full_audit
This triggers the check for missing VFS functions in these modules.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-04-06 00:15:17 +02:00
Stefan Metzmacher
5dccb19801 selftest/Samba3: use the correct "SELFTEST_WINBINDD_SOCKET_DIR" for "net join"
This avoids picking up a gid from the DC's winbind when
creating BUILTIN\Administrators

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Mar 24 22:15:44 CET 2016 on sn-devel-144
2016-03-24 22:15:44 +01:00
Uri Simchoni
099c6f3252 seltest: add test for "ignore system acls" in vfs_acl_xattr.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11806

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-24 03:06:16 +01:00
Michael Adam
e9586a653c torture:smb2: add durable-v2-open.reopen1a-lease
Lease variant of the reopen1a test which tests the
relevance of the client guid.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 22 03:47:02 CET 2016 on sn-devel-144
2016-03-22 03:47:02 +01:00
Michael Adam
3e90abe670 torture:smb2: add durable-open.reopen1a-lease
Lease variant of the reopen1a test which tests the
relevance of the client guid.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-22 00:23:22 +01:00
Günther Deschner
2b799880b9 torture:smb2: add test for checking sequence number wrap around.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-22 00:23:21 +01:00
Stefan Metzmacher
b00c38afc6 selftest: setup information of new samba.example.com CA in the client environment
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-17 17:17:16 +01:00
Stefan Metzmacher
b2c0f71db0 selftest: set tls crlfile if it exist
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-17 17:17:16 +01:00
Stefan Metzmacher
c321a59f26 selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-17 17:17:15 +01:00
Stefan Metzmacher
a6447fd6d0 selftest: add Samba::prepare_keyblobs() helper function
This copies the certificates from the samba.example.com CA if they
exist.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-17 17:17:15 +01:00
Stefan Metzmacher
2a96885ac7 selftest: mark commands in manage-CA-samba.example.com.sh as DONE
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-17 17:17:15 +01:00
Stefan Metzmacher
1928f08106 selftest: add CA-samba.example.com binary files (currently unused by Samba)
This patch can be skipped, when it causes problems with tools like 'patch'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-17 17:17:15 +01:00
Stefan Metzmacher
520c85a15f selftest: add CA-samba.example.com (non-binary) files
The binary files will follow in the next, this allows the next
commit to be skipped as the binary files are not used by samba yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-17 17:17:15 +01:00
Stefan Metzmacher
bdc1f036a8 selftest: add config and script to create a samba.example.com CA
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-17 17:17:15 +01:00
Stefan Metzmacher
b0bdbeeef4 selftest: add some helper scripts to mange a CA
This is partly based on the SmartCard HowTo from:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-17 17:17:15 +01:00
Stefan Metzmacher
c561a42ff6 selftest: s!addc.samba.example.com!addom.samba.example.com!
It's confusing to have addc.samba.example.com as domain name
and addc.addc.samba.example.com as hostname.

We now have addom.samba.example.com as domain name
and addc.addom.samba.example.com as hostname.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-17 17:17:15 +01:00
Stefan Metzmacher
2ef0eed07e selftest: mark samba4.winbind.struct.domain_info.ad_member as flapping
See https://lists.samba.org/archive/samba-technical/2016-March/112861.html

  found 517 lines matching '^UNEXPECTED' in 641 files matching 'samba.stdout$'
   175 UNEXPECTED(failure): samba4.winbind.struct.domain_info(ad_member:local)
    19 UNEXPECTED(failure): samba4.winbind.struct.domain_info(s3member:local)
    12 UNEXPECTED(failure): samba4.rpc.backupkey with seal.backupkey.server_wrap_encrypt_decrypt_wrong_key(ad_dc_ntvfs)
    12 UNEXPECTED(failure): samba4.drs.delete_object.python(promoted_dc).delete_object.DrsDeleteObjectTestCase.test_ReplicateDeletedObject1(promoted_dc)
    12 UNEXPECTED(failure): samba4.rpc.backupkey with seal.backupkey.server_wrap_decrypt_wrong_r2(ad_dc_ntvfs)
    11 UNEXPECTED(failure): samba4.ldap.notification.python(ad_dc_ntvfs).__main__.LDAPNotificationTest.test_max_search(ad_dc_ntvfs)

We'll see if we also need to add
samba4.winbind.struct.domain_info.s3member
before we're able to identify and fix the problem.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Mar 12 02:14:39 CET 2016 on sn-devel-144
2016-03-12 02:14:39 +01:00
Stefan Metzmacher
5a397216d4 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:31 +01:00
Garming Sam
8cee2c8146 CVE-2016-0771: tests: rename test getopt to get_opt
This avoids any conflicts in this directory with the original toplevel
getopt.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:25 +01:00
Jeremy Allison
841ae4a2e2 CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2016-03-10 06:52:23 +01:00
Jeremy Allison
19eb1c9311 CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2016-03-10 06:52:23 +01:00
Douglas Bagnall
b797baaa60 Add python server sort tests
The tests are repeated twice: once properly with complex Unicode
strings, and again in a simplified ASCII subset. We only expect Samba
to pass the simplified version. The hard tests are aspirational and
show what Active Directory does.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-09 10:32:17 +01:00
Andrew Bartlett
13e62b2e35 selftest: Allow 4 hours for the test to run (ouch!)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-08 01:58:30 +01:00
Andrew Bartlett
a7b242aa61 selftest: dbcheck should not be marked flapping
The primary cause of the flapping was due to the objectclass
sort routine being non-deterministic.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-08 01:58:29 +01:00
Michael Adam
2fd54b5332 smbd:smb2: implement create replay
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
1b804d6f93 torture:smb2: add smb2.replay.replay-dhv2-lease3
create with a lease, and replay with lease
with a different lease key.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
1c772984c6 torture:smb2: add smb2.replay.replay-oplock-lease
create with an oplock, and replay with a lease.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
2036e1d27b torture:smb2: add smb2.replay.replay-dhv2-lease-oplock
Open with a lease and replay with an oplock.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
6eeabe43a2 torture:smb2: add smb2.replay.replay-dhv2-lease2
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
de678ebcdf torture:smb2: add smb2.replay.replay-dhv2-lease1
This is a variant of the replay-dhv2-oplock1 test for leases
instead of for oplocks.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
9ac9d286b4 torture:smb2: split rename2 into multiple tests and extend these
- replay-regular
- replay-dhv2-oplock1
- replay-dhv2-oplock2
- replay-dhv2-oplock3

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:23 +01:00
Michael Adam
9ebf079b00 torture:smb2: rename replay1 -> replay-commands
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:23 +01:00
Uri Simchoni
9c67ff461d selftest: test access based share enum parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8093

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Wed Mar  2 23:51:56 CET 2016 on sn-devel-144
2016-03-02 23:51:55 +01:00
Christian Ambach
39081afbe5 selftest: Add a blackbox test for smbget
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Fri Feb 26 14:40:55 CET 2016 on sn-devel-144
2016-02-26 14:40:54 +01:00
Christian Ambach
6ceba4def6 selftest: add a helper for the smbget binary
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-02-26 11:31:33 +01:00
Christian Ambach
2588cf37c0 selftest: Reduce code duplication
Factor out a createuser sub.

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-02-26 11:31:33 +01:00
Volker Lendecke
e8b5a979ab selftest: "standard" process model for a few envs
This is needed as with source4/libcli/wbclient changed to nsswitch/libwbclient
we don't have a nested event loop here anymore.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Stefan Metzmacher
be704c8765 selftest: add dbwrap_tdb_require_mutexes:* = yes, when using dbwrap_tdb_mutexes:* = yes by default
export SELFTEST_DONT_REQUIRE_TDB_MUTEX_SUPPORT=1 can overwrite this.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Feb  9 01:42:14 CET 2016 on sn-devel-144
2016-02-09 01:42:14 +01:00
Robin Hack
e2699685ca samba3.blackbox.smbclient.forceuser_validusers: Add new test for force user option.
Test covers commit
cf0934caf2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9878
RH BUG: https://bugzilla.redhat.com/show_bug.cgi?id=1077651

How to test:
$ make -j test TESTS="samba3.blackbox.smbclient.forceuser_validusers"
RESULD: Should PASS
$ git revert cf0934caf2
$ make -j test TESTS="samba3.blackbox.smbclient.forceuser_validusers"
RESULT: Should FAIL

Signed-off-by: Robin Hack <rhack@redhat.com>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Thu Feb  4 03:44:42 CET 2016 on sn-devel-144
2016-02-04 03:44:42 +01:00
Stefan Metzmacher
90cb84c905 selftest: specify a maximum runtime for 'make testenv' of 1 year
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-02-01 09:53:10 +01:00
Uri Simchoni
526a387838 selftest: un-flap samba3.blackbox.dfree_quota
Remove test from flapping list after fix.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 28 01:10:54 CET 2016 on sn-devel-144
2016-01-28 01:10:54 +01:00