The Samba-Bugzilla – Attachment 14607 Details for
Bug 13678
[SECURITY] Mark MIT support for the AD DC experimental (related to CVE-2018-16853)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for master to disable the build by default
mit-kdc-experimental.patch (text/plain), 3.36 KB, created by
Andrew Bartlett
on 2018-11-06 21:26:10 UTC
(
hide
)
Description:
patch for master to disable the build by default
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2018-11-06 21:26:10 UTC
Size:
3.36 KB
patch
obsolete
>From e3192068847269c269431249092ef1745bafe6b9 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Tue, 6 Nov 2018 13:32:05 +1300 >Subject: [PATCH 1/2] build: The Samba AD DC, when build with MIT Kerberos is > experimental > >This matches https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13678 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > wscript | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > >diff --git a/wscript b/wscript >index c5d8e5bdd7d..e9d8a834aa2 100644 >--- a/wscript >+++ b/wscript >@@ -55,6 +55,14 @@ def options(opt): > help='build Samba with system MIT Kerberos. ' + > 'You may specify list of paths where Kerberos is installed (e.g. /usr/local /usr/kerberos) to search krb5-config', > action='callback', callback=system_mitkrb5_callback, dest='with_system_mitkrb5', default=False) >+ >+ opt.add_option('--with-experimental-mit-ad-dc', >+ help='Enable the experimental MIT Kerberos-backed AD DC. ' + >+ 'Note that security patches are not issued for this configuration', >+ action='store_true', >+ dest='with_experimental_mit_ad_dc', >+ default=False) >+ > opt.add_option('--with-system-mitkdc', > help=('Specify the path to the krb5kdc binary from MIT Kerberos'), > type="string", >@@ -214,7 +222,16 @@ def configure(conf): > conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1) > > if Options.options.with_system_mitkrb5: >+ if not Options.options.with_experimental_mit_ad_dc and \ >+ not Options.options.without_ad_dc: >+ raise Utils.WafError('The MIT Kerberos build of Samba as an AD DC ' + >+ 'is experimental. Therefore ' >+ '--with-system-mitkrb5 requires either ' + >+ '--with-experimental-mit-ad-dc or ' + >+ '--without-ad-dc') >+ > conf.PROCESS_SEPARATE_RULE('system_mitkrb5') >+ > if not (Options.options.without_ad_dc or Options.options.with_system_mitkrb5): > conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1) > >-- >2.11.0 > > >From 500b6f517e146f3c0601e60871c157732fe710cd Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Tue, 6 Nov 2018 13:40:48 +1300 >Subject: [PATCH 2/2] WHATSNEW: The Samba AD DC, when build with MIT Kerberos > is experimental > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13678 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > WHATSNEW.txt | 10 ++++++++++ > 1 file changed, 10 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index bdc3df78b23..72889c61f2f 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -31,6 +31,16 @@ the backup and restore to account for the change in domain). > REMOVED FEATURES > ================ > >+MIT Kerberos build of the AD DC >+------------------------------- >+ >+While not removed, the MIT Kerberos build of the Samba AD DC is still >+considered experimental. Because Samba will not issue security >+patches for this configuration, such builds now require the explicit >+configure option: --with-experimental-mit-ad-dc >+ >+For further details see >+https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC > > smb.conf changes > ================ >-- >2.11.0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=14607">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 13678
:
14606
|
14607
|
14624
|
14625
|
14633
|
14675