[PATCH] Protected storage/KB2992611 blocker - require GnuTLS for AD-DC builds
garming at catalyst.net.nz
Thu Feb 12 22:22:53 MST 2015
Andrew and I have come to the attention of an issue when using Samba
with Windows clients patched with KB2992611 from last year concerning
their schannel security issue.
Unless the Windows patch was reverted, clients were unable to use
protected_storage (BackupKey) and couldn't open the credentials manager
or were unable to access their Outlook profiles for instance.
In order to allow clients to be able to use protected_storage, we've
tried to implement the remaining half of the BackupKey protocol, known
as the ServerWrap subprotocol. The use of the older ServerWrap protocol
is suspicious so we're working with Microsoft to understand why it is
suddenly in use.
There's an allegation that Samba classic (samba3) DC domain member
clients are affected, but we haven't looked into it.
Please review these changes. In particular, we've forced key generation
to use GnuTLS (since the original Heimdal code was not particularly
suitable) and so we'd like to gather thoughts on requiring GnuTLS to be
available when building the AD-DC.
We've also filed a bug for this issue:
More information about the samba-technical