samba 4.6.6 Unknown dependency 'kdc' in 'service_kdc.objlist'
Daniele Dario
d.dario76 at gmail.com
Fri Jul 28 10:21:28 UTC 2017
On ven, 2017-07-28 at 10:57 +0100, Rowland Penny via samba-technical
wrote:
> On Fri, 28 Jul 2017 12:44:43 +0300
> Alexander Bokovoy <ab at samba.org> wrote:
>
> > >
> > If you want to compile against MIT Kerberos, in all released versions
> > prior to 4.7.0 (which is only at a release candidate phase right now)
> > you have to pass --without-ad-dc because this is the only supported
> > combination: '--without-ad-dc --with-system-mitkrb5'. Starting with
> > 4.7.0, --with-system-mitkrb5 can be used without and with AD DC
> > build. However, the latter will require very recent MIT Kerberos
> > version.
> >
>
> Thanks Alexander for clarifying that, so it seems we were both right ;-)
>
> Rowland
>
I'm more confused than before :-(
There's a security release for 4.6.6 that states
Release Announcements
---------------------
These are security releases in order to address the following defect:
o CVE-2017-11103 (Orpheus' Lyre mutual authentication validation
bypass)
=======
Details
=======
o CVE-2017-11103 (Heimdal):
All versions of Samba from 4.0.0 onwards using embedded Heimdal
Kerberos are vulnerable to a man-in-the-middle attack impersonating
a trusted server, who may gain elevated access to the domain by
returning malicious replication or authorization data.
Samba binaries built against MIT Kerberos are not vulnerable.
...
From that info I thought it was intended to ask/tell people that
upgrading to 4.6.6 and enabling system mit would be a good idea.
I'm building on an Ubuntu 16.04LTS x64 and samba is a member of my AD
domain. Actually, I just use winbindd from samba 4.6.5 suite on this
server. I built Kerberos 5 release 1.15.1 and cifs-utils 6.4 in order
to allow some users part of domain to login through ssh and auto-mount some
shares (from another DM server).
So actually cifs-utils uses MIT krb and winbindd Heimdal. I thought this
server to be a good candidate on my env to see what happens upgrading
and gave it a shot.
So, my question: is it possible to build 4.6.6 with system MIT Krb5
1.15.1 to work as a domain member of an AD domain or did I just
misunderstand the release announcement?
Daniele.