CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'

Instead of using the generic deprecated option use the specific
server require schannel:COMPUTERACCOUNT = no in order to allow
legacy tests for pass.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c)

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 5c324c500fe906382dc1cf67e796bf7987c26683..5568e399da57a47bead3158049a0a15f86f5b7a9 100755 (executable)
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1625,10 +1625,27 @@ sub provision_ad_dc_ntvfs($$$)
        dsdb event notification = true
        dsdb password event notification = true
        dsdb group change notification = true
-       server schannel = auto
        # override the new SMB2 only default
        client min protocol = CORE
        server min protocol = LANMAN1
+
+       CVE_2020_1472:warn_about_unused_debug_level = 3
+       server require schannel:schannel0\$ = no
+       server require schannel:schannel1\$ = no
+       server require schannel:schannel2\$ = no
+       server require schannel:schannel3\$ = no
+       server require schannel:schannel4\$ = no
+       server require schannel:schannel5\$ = no
+       server require schannel:schannel6\$ = no
+       server require schannel:schannel7\$ = no
+       server require schannel:schannel8\$ = no
+       server require schannel:schannel9\$ = no
+       server require schannel:schannel10\$ = no
+       server require schannel:schannel11\$ = no
+       server require schannel:torturetest\$ = no
+
+       # needed for 'samba.tests.auth_log' tests
+       server require schannel:LOCALDC\$ = no
        ";
        push (@{$extra_provision_options}, "--use-ntvfs");
        my $ret = $self->provision($prefix,
@@ -1975,8 +1992,22 @@ sub provision_ad_dc($$$$$$$)
        lpq cache time = 0
        print notify backchannel = yes
 
-       server schannel = auto
-        auth event notification = true
+       CVE_2020_1472:warn_about_unused_debug_level = 3
+       server require schannel:schannel0\$ = no
+       server require schannel:schannel1\$ = no
+       server require schannel:schannel2\$ = no
+       server require schannel:schannel3\$ = no
+       server require schannel:schannel4\$ = no
+       server require schannel:schannel5\$ = no
+       server require schannel:schannel6\$ = no
+       server require schannel:schannel7\$ = no
+       server require schannel:schannel8\$ = no
+       server require schannel:schannel9\$ = no
+       server require schannel:schannel10\$ = no
+       server require schannel:schannel11\$ = no
+       server require schannel:torturetest\$ = no
+
+       auth event notification = true
        dsdb event notification = true
        dsdb password event notification = true
        dsdb group change notification = true
@@ -2653,6 +2684,9 @@ sub setup_ad_dc_smb1
 [global]
        client min protocol = CORE
        server min protocol = LANMAN1
+
+       # needed for 'samba.tests.auth_log' tests
+       server require schannel:ADDCSMB1\$ = no
 ";
        return _setup_ad_dc($self, $path, $conf_opts, "addcsmb1", "addom2.samba.example.com");
 }