[PATCH] Protected storage/KB2992611 blocker - require GnuTLS for AD-DC builds

Garming Sam garming at catalyst.net.nz
Thu Feb 12 22:22:53 MST 2015


Andrew and I have become aware of an issue when using Samba 
with Windows clients patched with KB2992611 from last year, concerning 
their schannel security issue.

Unless the Windows patch was reverted, clients were unable to use 
protected_storage (BackupKey) and couldn't open the credentials manager 
or were unable to access their Outlook profiles for instance.

In order to allow clients to be able to use protected_storage, we've 
tried to implement the remaining half of the BackupKey protocol, known 
as the ServerWrap subprotocol. The use of the older ServerWrap protocol 
is suspicious so we're working with Microsoft to understand why it is 
suddenly in use.

There's an allegation that Samba classic (samba3) DC domain member 
clients are affected, but we haven't looked into it.

Please review these changes. In particular, we've forced key generation 
to use GnuTLS (since the original Heimdal code was not particularly 
suitable) and so we'd like to gather thoughts on requiring GnuTLS to be 
available when building the AD-DC.

We've also filed a bug for this issue:


git://git.catalyst.net.nz/samba.git abartlet-backupkey-1


Garming Sam
