[PATCH] Protected storage/KB2992611 blocker - require GnuTLS for AD-DC builds

Andrew Bartlett abartlet at samba.org
Sun Feb 15 15:42:06 MST 2015

On Fri, 2015-02-13 at 07:26 -0500, Simo wrote:
> On Fri, 2015-02-13 at 18:22 +1300, Garming Sam wrote:
> > Hi,
> > 
> > Andrew and I have come to the attention of an issue when using Samba 
> > with Windows clients patched with KB2992611 from last year concerning 
> > their schannel security issue.
> > 
> > Unless the Windows patch was reverted, clients were unable to use 
> > protected_storage (BackupKey) and couldn't open the credentials manager 
> > or were unable to access their Outlook profiles for instance.
> > 
> > In order to allow clients to be able to use protected_storage, we've 
> > tried to implement the remaining half of the BackupKey protocol, known 
> > as the ServerWrap subprotocol. The use of the older ServerWrap protocol 
> > is suspicious so we're working with Microsoft to understand why it is 
> > suddenly in use.
> > 
> > There's an allegation that Samba classic (samba3) DC domain member 
> > clients are affected, but we haven't looked into it.
> > 
> > Please review these changes. In particular, we've forced key generation 
> > to use GnuTLS (since the original Heimdal code was not particularly 
> > suitable) and so we'd like to gather thoughts on requiring GnuTLS to be 
> > available when building the AD-DC.
> IT would be nice to avoid the proliferation of use of multiple crypto
> libraries in the same code base.
> Can you please point out exactly (explanation and pointer to the code)
> what operation requires you to use GnuTLS and why ?

The choice to go down this route was not made lightly, and the attached
patch documents the rationale here a bit more. 

Neither Heimdal nor GnuTLS fully meet the needs of this code, so we have
had to use both. 

I hope this addresses your concerns. 

I've updated


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-backupkey-Explain-more-why-we-use-GnuTLS-here.patch
Type: text/x-patch
Size: 2041 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150216/82deca57/attachment.bin>

More information about the samba-technical mailing list