heimdal 7.8 crash (in OpenLDAP) with spnego/ntlm, is this familiar?
Andrew Bartlett
abartlet at samba.org
Tue Nov 26 17:54:22 UTC 2024
There is a small team that reviews our patches from time to time, lead
by Jeffrey Altman.
Andrew Bartlett
On Tue, 2024-11-26 at 19:12 +1000, ronnie sahlberg wrote:
> Back to Heimdal. Who maintains heimdal right now and who is
> responsible to act on CVEs or other issues?
> Far as I know Love went into Apple and was never heard of again.
> There is someone that monitors and maintains it, right?
>
> On Tue, 26 Nov 2024 at 19:09, Andrew Bartlett via samba-technical
> <samba-technical at lists.samba.org> wrote:
> >
> > On Tue, 2024-11-26 at 08:39 +0000, Ondřej Kuzník wrote:
> > > On Tue, Nov 26, 2024 at 10:41:12AM +1300, Andrew Bartlett wrote:
> > > > On Mon, 2024-11-25 at 16:08 +0200, Nadezhda Ivanova via samba-technical
> > > > wrote:
> > > > > Hi team,
> > > > > An OpenLDAP user encountered this issue, and since Samba also uses
> > > > > Heimdal too, we were wondering if maybe it has happened in Samba as
> > > > > well and was fixed? Do you think it is something that can affect
> > > > > Samba? There are back traces in the issue but no steps to reproduce,
> > > > > it seems to happen randomly in their environment, and we haven't had
> > > > > any feedback from the Heimdal team yet.
> > > > > I could not find a relevant issue in the Samba bugzilla or the
> > > > > commits, but perhaps one of you remembers something?
> > > > > https://github.com/heimdal/heimdal/issues/1189
> > > >
> > > > Samba strictly avoids using the Heimdal SPENGO and NTLM layers, only
> > > > selecting the GSS-Krb5 mech to use our more mature internal
> > > > implementation and so avoid this kind of issue
> > >
> > > Hi Andrew,
> > > thanks for coming back to us, are you saying Samba got rid of the MEMORY
> > > credential cache as well, the suspected culprit here[0]?
> >
> > No, just that because Samba has done NTLMSSP since almost forever, we
> > always preferred our code that we closely tie to our credentials and
> > authentication stack over outsourcing that to an external library.
> >
> > Any issues with the MEMORY credentials cache, if not just a matter of
> > how it is used in NTLMSSP, could still bite us.
> >
> > > Also are you aware of a way to control what mechs are enabled/disabled
> > > through configuration?
> >
> > No, we just don't call any of the mechs that can choose other mechs, we
> > just call directly with the the gsskrb5 OIDs.
> >
> > Andrew Bartlett
> > --
> > Andrew Bartlett (he/him) https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org
> > Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
> >
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list