samba 4.6.6 Unknown dependency 'kdc' in 'service_kdc.objlist'

Daniele Dario d.dario76 at gmail.com
Fri Jul 28 10:21:28 UTC 2017




On Fri, 2017-07-28 at 10:57 +0100, Rowland Penny via samba-technical
wrote:
> On Fri, 28 Jul 2017 12:44:43 +0300
> Alexander Bokovoy <ab at samba.org> wrote:
> 
> > > 
> > If you want to compile against MIT Kerberos, in all released versions
> > prior to 4.7.0 (which is only at a release candidate phase right now)
> > you have to pass --without-ad-dc because this is the only supported
> > combination: '--without-ad-dc --with-system-mitkrb5'. Starting with
> > 4.7.0, --with-system-mitkrb5 can be used without and with AD DC
> > build. However, the latter will require very recent MIT Kerberos
> > version.
> > 
> 
> Thanks Alexander for clarifying that, so it seems we were both right ;-)
> 
> Rowland
> 

I'm more confused than before :-(

There's a security release for 4.6.6 that states

Release Announcements
---------------------

These are security releases in order to address the following defect:

o  CVE-2017-11103 (Orpheus' Lyre mutual authentication validation
bypass)

=======
Details
=======

o  CVE-2017-11103 (Heimdal):
   All versions of Samba from 4.0.0 onwards using embedded Heimdal
   Kerberos are vulnerable to a man-in-the-middle attack impersonating
   a trusted server, who may gain elevated access to the domain by
   returning malicious replication or authorization data.

   Samba binaries built against MIT Kerberos are not vulnerable.
...

From that info I thought it was intended to ask/tell people that
upgrading to 4.6.6 and enabling system mit would be a good idea.

I'm building on an Ubuntu 16.04LTS x64 and samba is a member of my AD
domain. Actually, I just use winbindd from samba 4.6.5 suite on this
server. I built Kerberos 5 release 1.15.1 and cifs-utils 6.4 in order
to allow some users that are part of the domain to log in through ssh
and auto-mount some shares (from another DM server).

So actually cifs-utils uses MIT krb and winbindd Heimdal. I thought this
server to be a good candidate on my env to see what happens upgrading
and gave it a shot.

So, my question: is it possible to build 4.6.6 with system MIT Krb5
1.15.1 to work as a domain member of an AD domain or did I just
misunderstand the release announcement?

Daniele.




