From 3ed0e5b924f77e0f92867cf93892e974e21542e5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 5 Oct 2021 17:14:01 +0200
Subject: [PATCH] CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid

The 'ktest' environment was/is designed to test kerberos in an active directory member setup. It was created at a time we wanted to test smbd/winbindd with kerberos without having the source4 ad dc available.

This still applies to testing the build with system krb5 libraries but without relying on a running ad dc.

As a domain member setup requires a running winbindd, we should test it that way, in order to reflect a valid setup.

As a side effect it provides a way to demonstrate that we can accept smb connections authenticated via kerberos, but no connection to a domain controller!

In order get this working offline, we need an idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which should be the default choice.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
 selftest/knownfail.d/ktest | 26 --------------------------
 selftest/target/Samba3.pm  | 12 +++++-------
 2 files changed, 5 insertions(+), 33 deletions(-)
 delete mode 100644 selftest/knownfail.d/ktest

diff --git a/selftest/knownfail.d/ktest b/selftest/knownfail.d/ktest
deleted file mode 100644
index 809612ba0b9..00000000000
--- a/selftest/knownfail.d/ktest
+++ /dev/null
@@ -1,26 +0,0 @@
-^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2...lsa.LookupSidsReply.ktest
-^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2...lsa.LookupSidsReply.ktest
-^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5...rpcclient.ktest:local
-^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5...rpcclient.ktest:local
-^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,connect...lsa.LookupSidsReply.ktest
-^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,connect...lsa.LookupSidsReply.ktest
-^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,packet...lsa.LookupSidsReply.ktest
-^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,packet...lsa.LookupSidsReply.ktest
-^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5,packet...rpcclient.ktest:local
-^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5,packet...rpcclient.ktest:local
-^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,sign...lsa.LookupSidsReply.ktest
-^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,sign...lsa.LookupSidsReply.ktest
-^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5,sign...rpcclient.ktest:local
-^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5,sign...rpcclient.ktest:local
-^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,seal...lsa.LookupSidsReply.ktest
-^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,seal...lsa.LookupSidsReply.ktest
-^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5,seal...rpcclient.ktest:local
-^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5,seal...rpcclient.ktest:local
-^samba3.blackbox.smbclient_krb5.old.ccache..smbclient.ktest:local
-^samba3.blackbox.smbclient_krb5.new.ccache..smbclient.ktest:local
-^samba3.blackbox.smbclient_large_file..krb5.smbclient.large.posix.write.read.ktest:local
-^samba3.blackbox.smbclient_large_file..krb5.cmp.of.read.and.written.files.ktest:local
-^samba3.blackbox.smbclient_krb5.old.ccache.--client-protection=encrypt.smbclient.ktest:local
-^samba3.blackbox.smbclient_krb5.new.ccache.--client-protection=encrypt.smbclient.ktest:local
-^samba3.blackbox.smbclient_large_file.--client-protection=encrypt.krb5.smbclient.large.posix.write.read.ktest:local
-^samba3.blackbox.smbclient_large_file.--client-protection=encrypt.krb5.cmp.of.read.and.written.files.ktest:local
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index a04df4e7ae6..c0ed379bf3f 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1974,7 +1974,6 @@ sub setup_ktest
 	workgroup = KTEST
 	realm = ktest.samba.example.com
 	security = ads
-	username map = $prefix/lib/username.map
 	server signing = required
 	server min protocol = SMB3_00
 	client max protocol = SMB3
@@ -1982,6 +1981,10 @@ sub setup_ktest
 	# This disables NTLM auth against the local SAM, which
 	# we use can then test this setting by.
 	ntlm auth = disabled
+
+	idmap config * : backend = autorid
+	idmap config * : range = 1000000-1999999
+	idmap config * : rangesize = 100000
 ";
 
 	my $ret = $self->provision(
@@ -2007,12 +2010,6 @@ sub setup_ktest
 
 	$ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
 
-	open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
-	print USERMAP "
-$ret->{USERNAME} = KTEST\\Administrator
-";
-	close(USERMAP);
-
 	#This is the secrets.tdb created by 'net ads join' from Samba3 to a
 	#Samba4 DC with the same parameters as are being used here. The
 	#domain SID is S-1-5-21-1071277805-689288055-3486227160
@@ -2064,6 +2061,7 @@ $ret->{USERNAME} = KTEST\\Administrator
 	if (not $self->check_or_start(
 		env_vars => $ret,
 		nmbd => "yes",
+		winbindd => "offline",
 		smbd => "yes")) {
 		return undef;
 	}
-- 
2.34.1
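Review bot: The three added `idmap config * :` lines in the ntlm-auth hunk carry no comment on why autorid is the backend for this environment, and the reason is only in the commit message (an idmap backend with ID_TYPE_BOTH support is needed so SID-to-ID mapping works while no DC is reachable). That reasoning belongs next to the settings, e.g. `# autorid: needs an ID_TYPE_BOTH backend so mapping works with no DC reachable` above the `backend = autorid` line. The `range`/`rangesize` values (ten ranges of 100000) are not explained either; if they are arbitrary test values, say so in the same comment. The smb.conf heredoc these lines sit in starts before the hunk.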
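Review bot: The new `winbindd => "offline",` argument to check_or_start in the last hunk has no comment saying why ktest deliberately runs winbindd without a domain controller, so a later reader cannot tell a test condition from a workaround. The commit message explains that ktest is a domain-member setup that must accept Kerberos-authenticated SMB sessions with no DC connection; I would put that above the line, e.g. `# ktest has no reachable DC: winbindd runs offline so kerberos` / `# authenticated SMB sessions are still served (see idmap autorid above)`. I am inferring the exact meaning of the "offline" value from the commit message rather than from check_or_start, which is outside the hunk, so confirm the wording against it.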