[PATCH] Protected storage/KB2992611 blocker - require GnuTLS for AD-DC builds
Andrew Bartlett
abartlet at samba.org
Sun Feb 15 15:42:06 MST 2015
On Fri, 2015-02-13 at 07:26 -0500, Simo wrote:
> On Fri, 2015-02-13 at 18:22 +1300, Garming Sam wrote:
> > Hi,
> >
> > Andrew and I have become aware of an issue when using Samba
> > with Windows clients patched with KB2992611 from last year concerning
> > their schannel security issue.
> >
> > Unless the Windows patch was reverted, clients were unable to use
> > protected_storage (BackupKey) and couldn't open the credentials manager
> > or were unable to access their Outlook profiles for instance.
> >
> > In order to allow clients to be able to use protected_storage, we've
> > tried to implement the remaining half of the BackupKey protocol, known
> > as the ServerWrap subprotocol. The use of the older ServerWrap protocol
> > is suspicious so we're working with Microsoft to understand why it is
> > suddenly in use.
> >
> > There's an allegation that Samba classic (samba3) DC domain member
> > clients are affected, but we haven't looked into it.
> >
> > Please review these changes. In particular, we've forced key generation
> > to use GnuTLS (since the original Heimdal code was not particularly
> > suitable) and so we'd like to gather thoughts on requiring GnuTLS to be
> > available when building the AD-DC.
>
> It would be nice to avoid the proliferation of use of multiple crypto
> libraries in the same code base.
> Can you please point out exactly (explanation and pointer to the code)
> what operation requires you to use GnuTLS and why?
The choice to go down this route was not made lightly, and the attached
patch documents the rationale here a bit more.
Neither Heimdal nor GnuTLS fully meet the needs of this code, so we have
had to use both.
I hope this addresses your concerns.
I've updated
https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/backupkey
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-backupkey-Explain-more-why-we-use-GnuTLS-here.patch
Type: text/x-patch
Size: 2041 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150216/82deca57/attachment.bin>