heimdal 7.8 crash (in OpenLDAP) with spnego/ntlm, is this familiar?

ronnie sahlberg ronniesahlberg at gmail.com
Tue Nov 26 09:12:35 UTC 2024


Back to Heimdal.  Who maintains heimdal right now and who is
responsible to act on CVEs or other issues?
Far as I know Love went into Apple and was never heard of again.
There is someone that monitors and maintains it, right?

On Tue, 26 Nov 2024 at 19:09, Andrew Bartlett via samba-technical
<samba-technical at lists.samba.org> wrote:
>
> On Tue, 2024-11-26 at 08:39 +0000, Ondřej Kuzník wrote:
> > On Tue, Nov 26, 2024 at 10:41:12AM +1300, Andrew Bartlett wrote:
> > > On Mon, 2024-11-25 at 16:08 +0200, Nadezhda Ivanova via samba-technical
> > > wrote:
> > > > Hi team,
> > > > An OpenLDAP user encountered this issue, and since Samba also uses
> > > > Heimdal too, we were wondering if maybe it has happened in Samba as
> > > > well and was fixed? Do you think it is something that can affect
> > > > Samba? There are back traces in the issue but no steps to reproduce,
> > > > it seems to happen randomly in their environment, and we haven't had
> > > > any feedback from the Heimdal team yet.
> > > > I could not find a relevant issue in the Samba bugzilla or the
> > > > commits, but perhaps one of you remembers something?
> > > > https://github.com/heimdal/heimdal/issues/1189
> > >
> > > Samba strictly avoids using the Heimdal SPENGO and NTLM layers, only
> > > selecting the GSS-Krb5 mech to use our more mature internal
> > > implementation and so avoid this kind of issue
> >
> > Hi Andrew,
> > thanks for coming back to us, are you saying Samba got rid of the MEMORY
> > credential cache as well, the suspected culprit here[0]?
>
> No, just that because Samba has done NTLMSSP since almost forever, we
> always preferred our code that we closely tie to our credentials and
> authentication stack over outsourcing that to an external library.
>
> Any issues with the MEMORY credentials cache, if not just a matter of
> how it is used in NTLMSSP, could still bite us.
>
> > Also are you aware of a way to control what mechs are enabled/disabled
> > through configuration?
>
> No, we just don't call any of the mechs that can choose other mechs, we
> just call directly with the gsskrb5 OIDs.
>
> Andrew Bartlett
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
>