Why the MIT KDC is marked 'not supported'
Andrew Bartlett
abartlet at samba.org
Wed Feb 14 21:33:05 UTC 2024
On Wed, 2024-02-14 at 20:48 +0200, Alexander Bokovoy wrote:
> I think that statement of 'not supported' added more damage than
> helped.
The reason the MIT KDC was marked by
07c49d25cdca605bd84294603713d51f913a7ed2 as not-supported is because of
these things:
- very strange bugs (computer GPOs not working), now long-gone, but
that just couldn't be explained and which were not getting worked on
- an MIT specific security that was not getting worked on at the time
https://www.samba.org/samba/security/CVE-2018-16853.html
https://bugzilla.samba.org/show_bug.cgi?id=13571
- No viable path to delivering security fixes for new AD KDC security
issues when they require matching changes in the MIT KDC
The latter is a remaining blocker. We have no viable way to deploy a
security update that requires changes in the MIT KDC.
As an example, CVE-2022-37967 (KrbtgtFullPacSignature) was published by
us in November 2022 but the commit to require MIT 1.21 and so close
that hole for users was in July 2023.
I hope this clarifies the situation,
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions