[PATCH] Protected storage/KB2992611 blocker - require GnuTLS for AD-DC builds

Simo simo at samba.org
Fri Feb 13 05:26:12 MST 2015

On Fri, 2015-02-13 at 18:22 +1300, Garming Sam wrote:
> Hi,
> Andrew and I have become aware of an issue when using Samba
> with Windows clients patched with KB2992611 from last year concerning 
> their schannel security issue.
> Unless the Windows patch was reverted, clients were unable to use 
> protected_storage (BackupKey) and couldn't open the credentials manager 
> or were unable to access their Outlook profiles for instance.
> In order to allow clients to be able to use protected_storage, we've 
> tried to implement the remaining half of the BackupKey protocol, known 
> as the ServerWrap subprotocol. The use of the older ServerWrap protocol 
> is suspicious so we're working with Microsoft to understand why it is 
> suddenly in use.
> There's an allegation that Samba classic (samba3) DC domain member 
> clients are affected, but we haven't looked into it.
> Please review these changes. In particular, we've forced key generation 
> to use GnuTLS (since the original Heimdal code was not particularly 
> suitable) and so we'd like to gather thoughts on requiring GnuTLS to be 
> available when building the AD-DC.

It would be nice to avoid the proliferation of use of multiple crypto
libraries in the same code base.
Can you please point out exactly (explanation and pointer to the code)
what operation requires you to use GnuTLS and why?


> We've also filed a bug for this issue:
> https://bugzilla.samba.org/show_bug.cgi?id=11097
> http://git.catalyst.net.nz/gitweb?p=samba.git;a=shortlog;h=refs/heads/abartlet-backupkey-1
> git://git.catalyst.net.nz/samba.git abartlet-backupkey-1
> Thanks,
> Garming Sam

Simo Sorce
