samba 4.6.6 Unknown dependency 'kdc' in 'service_kdc.objlist'

Daniele Dario d.dario76 at gmail.com
Fri Jul 28 11:12:20 UTC 2017




On ven, 2017-07-28 at 11:36 +0100, Rowland Penny via samba-technical
wrote:
> On Fri, 28 Jul 2017 12:21:28 +0200
> Daniele Dario <d.dario76 at gmail.com> wrote:
> 
> > 
> > 
> > 
> > On ven, 2017-07-28 at 10:57 +0100, Rowland Penny via samba-technical
> > wrote:
> > > On Fri, 28 Jul 2017 12:44:43 +0300
> > > Alexander Bokovoy <ab at samba.org> wrote:
> > > 
> > > > > 
> > > > If you want to compile against MIT Kerberos, in all released
> > > > versions prior to 4.7.0 (which is only at a release candidate
> > > > phase right now) you have to pass --without-ad-dc because this is
> > > > the only supported combination: '--without-ad-dc
> > > > --with-system-mitkrb5'. Starting with 4.7.0,
> > > > --with-system-mitkrb5 can be used without and with AD DC build.
> > > > However, the latter will require very recent MIT Kerberos version.
> > > > 
> > > 
> > > Thanks Alexander for clarifying that, so it seems we were both
> > > right ;-)
> > > 
> > > Rowland
> > > 
> > 
> > I'm more confused than before :-(
> > 
> > There's a security release for 4.6.6 that states
> > 
> > Release Announcements
> > ---------------------
> > 
> > These are security releases in order to address the following defect:
> > 
> > o  CVE-2017-11103 (Orpheus' Lyre mutual authentication validation
> > bypass)
> > 
> > =======
> > Details
> > =======
> > 
> > o  CVE-2017-11103 (Heimdal):
> >    All versions of Samba from 4.0.0 onwards using embedded Heimdal
> >    Kerberos are vulnerable to a man-in-the-middle attack impersonating
> >    a trusted server, who may gain elevated access to the domain by
> >    returning malicious replication or authorization data.
> > 
> >    Samba binaries built against MIT Kerberos are not vulnerable.
> > ...
> > 
> > From that info I thought it was intended to ask/tell people that
> > upgrading to 4.6.6 and enabling system mit would be a good idea.
> > 
> > I'm building on an Ubuntu 16.04 LTS x64 and samba is a member of my AD
> > domain. Actually, I just use winbindd from the samba 4.6.5 suite on this
> > server. I built Kerberos 5 release 1.15.1 and cifs-utils 6.4 in order
> > to allow some users who are part of the domain to log in through ssh and
> > auto-mount some shares (from another DM server).
> > 
> > So actually cifs-utils uses MIT krb and winbindd Heimdal. I thought
> > this server to be a good candidate on my env to see what happens
> > upgrading and gave it a shot.
> > 
> > So, my question: is it possible to build 4.6.6 with system MIT Krb5
> > 1.15.1 to work as a domain member of an AD domain, or did I just
> > misunderstand the release announcement?
> > 
> > Daniele.
> > 
> > 
> 
> From my understanding, both ;-)
> 
> Yes you can build 4.6.6 with MIT, but only without the DC
> 
> Yes, I think you did misunderstand the release announcement
> 
> The patches applied to create the release should have fixed the
> potential problem, so you should just build Samba in the normal way for
> your distro.
> 
> Rowland
> 

Sorry for being just a dumb end user :-(

Let me try to say it with my words:
      * if I build samba in the normal way I can use the suite to run a
        DC or a DM (no difference in build)
      * if I build 4.6.6 specifying --with-system-mitkrb5 I have to also
        add --without-ad-dc or it won't build.

The question is: can I build 4.6.6 --with-system-mitkrb5 --without-ad-dc
and run it as a DM, part of my AD domain, just as well as if I'd built it in
the normal way (so using Heimdal krb5 and with the AD DC)?

Daniele.
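As an added example (not part of the thread or of Samba's own build system), the rule Alexander states above, encoded as a small pre-flight check for choosing configure flags: before 4.7.0, --with-system-mitkrb5 is only supported together with --without-ad-dc, while from 4.7.0 on it may be combined with the AD DC build. The function names, the argument layout and the plain dotted-numeric version format are this example's own assumptions.

```shell
#!/bin/sh
# Added example: pick Samba configure flags for a given Samba version
# following the supported-combination rule quoted in this thread.
# Assumes plain dotted numeric versions such as 4.6.6 (no "rc" suffixes).

# version_ge A B -> succeeds if version A >= version B (up to 3 components)
version_ge() {
    IFS=. read -r a1 a2 a3 <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 <<EOF
$2
EOF
    a1=${a1:-0}; a2=${a2:-0}; a3=${a3:-0}
    b1=${b1:-0}; b2=${b2:-0}; b3=${b3:-0}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# samba_configure_flags VERSION KRB ROLE
#   KRB  : "heimdal" (embedded Heimdal, the default) or "mit" (system MIT Kerberos)
#   ROLE : "dc" (AD DC support wanted) or "member" (domain member only)
# Prints the extra configure flags on stdout (nothing for the normal build,
# which serves both roles); returns 1 for an unsupported combination.
samba_configure_flags() {
    ver=$1; krb=$2; role=$3
    flags=""
    if [ "$krb" = "mit" ]; then
        flags="--with-system-mitkrb5"
        if [ "$role" = "dc" ] && ! version_ge "$ver" 4.7.0; then
            echo "error: Samba $ver: --with-system-mitkrb5 needs --without-ad-dc before 4.7.0" >&2
            return 1
        fi
    fi
    if [ "$role" = "member" ]; then
        flags="$flags --without-ad-dc"
    fi
    # unquoted on purpose: trims the leading space when only the second flag applies
    echo $flags
}
```

Running `samba_configure_flags 4.6.6 mit member` prints the combination the thread recommends for this server, and `samba_configure_flags 4.6.6 mit dc` fails with the explanation.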