[PATCH] Protected storage/KB2992611 blocker - require GnuTLS for AD-DC builds

Stefan (metze) Metzmacher metze at samba.org
Fri Feb 13 02:36:38 MST 2015


Hi Garming,

> Andrew and I have become aware of an issue when using Samba
> with Windows clients patched with KB2992611 from last year concerning
> their schannel security issue.
> 
> Unless the Windows patch was reverted, clients were unable to use
> protected_storage (BackupKey) and couldn't open the credentials manager
> or were unable to access their Outlook profiles for instance.
> 
> In order to allow clients to be able to use protected_storage, we've
> tried to implement the remaining half of the BackupKey protocol, known
> as the ServerWrap subprotocol. The use of the older ServerWrap protocol
> is suspicious so we're working with Microsoft to understand why it is
> suddenly in use.
> 
> There's an allegation that Samba classic (samba3) DC domain member
> clients are affected, but we haven't looked into it.
> 
> Please review these changes. In particular, we've forced key generation
> to use GnuTLS (since the original Heimdal code was not particularly
> suitable) and so we'd like to gather thoughts on requiring GnuTLS to be
> available when building the AD-DC.

The sernet packages are all built with gnutls enabled,
so it's fine for us I guess.

Can we get rid of the heimdal dependency completely?

metze
