samba 4.6.6 Unknown dependency 'kdc' in 'service_kdc.objlist'

Rowland Penny rpenny at samba.org
Fri Jul 28 10:36:23 UTC 2017


On Fri, 28 Jul 2017 12:21:28 +0200
Daniele Dario <d.dario76 at gmail.com> wrote:

> 
> 
> 
> On ven, 2017-07-28 at 10:57 +0100, Rowland Penny via samba-technical
> wrote:
> > On Fri, 28 Jul 2017 12:44:43 +0300
> > Alexander Bokovoy <ab at samba.org> wrote:
> > 
> > > > 
> > > If you want to compile against MIT Kerberos, in all released
> > > versions prior to 4.7.0 (which is only at a release candidate
> > > phase right now) you have to pass --without-ad-dc because this is
> > > the only supported combination: '--without-ad-dc
> > > --with-system-mitkrb5'. Starting with 4.7.0,
> > > --with-system-mitkrb5 can be used without and with AD DC build.
> > > However, the latter will require a very recent MIT Kerberos version.
> > > 
> > 
> > Thanks Alexander for clarifying that, so it seems we were both
> > right ;-)
> > 
> > Rowland
> > 
> 
> I'm more confused than before :-(
> 
> There's a security release for 4.6.6 that states
> 
> Release Announcements
> ---------------------
> 
> These are security releases in order to address the following defect:
> 
> o  CVE-2017-11103 (Orpheus' Lyre mutual authentication validation
> bypass)
> 
> =======
> Details
> =======
> 
> o  CVE-2017-11103 (Heimdal):
>    All versions of Samba from 4.0.0 onwards using embedded Heimdal
>    Kerberos are vulnerable to a man-in-the-middle attack impersonating
>    a trusted server, who may gain elevated access to the domain by
>    returning malicious replication or authorization data.
> 
>    Samba binaries built against MIT Kerberos are not vulnerable.
> ...
> 
> From that info I thought it was intended to ask/tell people that
> upgrading to 4.6.6 and enabling system mit would be a good idea.
> 
> I'm building on an Ubuntu 16.04LTS x64 and samba is a member of my AD
> domain. Actually, I just use winbindd from samba 4.6.5 suite on this
> server. I built Kerberos 5 release 1.15.1 and cifs-utils 6.4 in order
> to allow some users part of domain to login through ssh and auto-mount
> some shares (from another DM server).
> 
> So actually cifs-utils uses MIT krb and winbindd Heimdal. I thought
> this server to be a good candidate on my env to see what happens
> upgrading and gave it a shot.
> 
> So, my question: is it possible to build 4.6.6 with system MIT Krb5
> 1.15.1 to work as a domain member of an AD domain or did I just
> misunderstand the release announcement?
> 
> Daniele.
> 
> 

From my understanding, both ;-)

Yes, you can build 4.6.6 with MIT, but only without the DC.

Yes, I think you did misunderstand the release announcement.

The patches applied to create the release should have fixed the
potential problem, so you should just build Samba in the normal way for
your distro.

Rowland


