CVE-2016-2113: selftest: use "tls verify peer = no_check"
[samba.git] / selftest / target / Samba4.pm
index 6fb2c7a958589e7d46b4f440c9daddc7435d1f95..eddcfa6cd52a2e0930295703180d5b5b0673a232 100755 (executable)
@@ -516,6 +516,8 @@ sub provision_raw_step1($$)
        }
 
        Samba::prepare_keyblobs($ctx);
+       my $crlfile = "$ctx->{tlsdir}/crl.pem";
+       $crlfile = "" unless -e ${crlfile};
 
        print CONFFILE "
 [global]
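Review bot: The fallback on the second added line, `$crlfile = "" unless -e ${crlfile};`, silently writes an empty `tls crlfile` when crl.pem is missing, so a failure to produce the CRL would go unnoticed and revocation checking would presumably drop out of the test environments without any signal. If Samba::prepare_keyblobs is expected to always create the file (its body is not visible here), emit a warning before resetting the variable, e.g. `warn("no CRL at $crlfile, leaving tls crlfile empty\n") unless -e $crlfile;`. `-e $crlfile` without the braces is also the more usual spelling outside string interpolation. provision_raw_step1 starts and ends outside this hunk.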
@@ -535,6 +537,8 @@ sub provision_raw_step1($$)
        winbind separator = /
        interfaces = $ctx->{interfaces}
        tls dh params file = $ctx->{tlsdir}/dhparms.pem
+       tls crlfile = ${crlfile}
+       tls verify peer = no_check
        panic action = $RealBin/gdb_backtrace \%d
        wins support = yes
        server role = $ctx->{server_role}
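Review bot: `tls verify peer = no_check` is added to the shared [global] template without any explanation, so every environment written by provision_raw_step1 skips peer certificate verification and a reader cannot tell that this is a deliberate selftest-only relaxation. Add a comment line in the style of the existing `#We don't want to pass our self-tests if the PAC code is wrong` note, for example `#Peer certificate checks are disabled for selftest only; do not copy into a production smb.conf`. It would also help if at least one environment overrode this with a stricter value, so that the verification behaviour this CVE concerns gets exercised. Whether another commit in the series does that is not visible here.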
@@ -542,6 +546,7 @@ sub provision_raw_step1($$)
         dcerpc endpoint servers = +winreg +srvsvc
        notify:inotify = false
        ldb:nosync = true
+       ldap server require strong auth = yes
 #We don't want to pass our self-tests if the PAC code is wrong
        gensec:require_pac = true
        log file = $ctx->{logdir}/log.\%m
@@ -1331,7 +1336,9 @@ sub provision_ad_dc_ntvfs($$)
 
        print "PROVISIONING AD DC (NTVFS)...";
         my $extra_conf_options = "netbios aliases = localDC1-a
-        server services = +winbind -winbindd";
+        server services = +winbind -winbindd
+       ldap server require strong auth = allow_sasl_over_tls
+       ";
        my $ret = $self->provision($prefix,
                                   "domain controller",
                                   "localdc",
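Review bot: The two per-environment overrides of `ldap server require strong auth` weaken the `yes` set in the global template without saying why: `allow_sasl_over_tls` here in provision_ad_dc_ntvfs and `no` in provision_fl2008r2dc (the hunk at -1449). A Perl comment above each `$extra_conf_options` should state which client behaviour the environment is kept for, e.g. `# fl2008r2dc: strong auth is off so tests can still cover unprotected LDAP binds`, assuming that is the intent. Both overrides also rely on the extra options being written after the template's `yes` so that the later value wins, and that ordering is outside the visible hunks. As a style point, the new string here ends in a newline plus indentation before the closing quote, unlike the single-line form used in provision_fl2008r2dc. Closing the quote on the option line would keep the two consistent.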
@@ -1449,6 +1456,7 @@ sub provision_fl2008r2dc($$$)
        my ($self, $prefix, $dcvars) = @_;
 
        print "PROVISIONING DC WITH FOREST LEVEL 2008r2...";
+        my $extra_conf_options = "ldap server require strong auth = no";
        my $ret = $self->provision($prefix,
                                   "domain controller",
                                   "dc7",
@@ -1458,7 +1466,7 @@ sub provision_fl2008r2dc($$$)
                                   "locDCpass7",
                                   undef,
                                   undef,
-                                  "",
+                                  $extra_conf_options,
                                   "",
                                   undef);