Created attachment 14606 security advisory text

Samba 4.7 and later versions have shipped with code to support building the Samba AD DC using MIT Kerberos.

Since the time of the release a number of issues, including security issues, have been found by real-world use. However sadly the Samba Team has not been able to resource the resolution of these issues to a standard that we are happy with, and so this release marks this mode more clearly as experimental.

As an experimental feature, we will not be issuing security patches for this feature, including for:

S4U2Self crash with MIT KDC build
https://bugzilla.samba.org/show_bug.cgi?id=13571

For further information, please see
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

While not removed, the MIT Kerberos build of the Samba AD DC is considered experimental. Because Samba will not issue security patches for this configuration, such builds now require the explicit configure option:

--with-experimental-mit-ad-dc
Created attachment 14607 patch for master to disable the build by default
Created attachment 14624 patch for master to disable the build by default (v2)
Created attachment 14625 patch for v4-7, v4-8, v4-9 to disable the build by default (v2)
Created attachment 14633 advisory text v2
Opening bug report for vendors. Planned release date is Tuesday, November 27 2018.
Created attachment 14675 updated advisory with CVE number
Comment on attachment 14675 updated advisory with CVE number
Thanks, this is clearer.
Samba 4.9.3, 4.8.7 and 4.7.12 have been shipped to address this defect.
Pushed to autobuild-master.
(In reply to Karolin Seeger from comment #9) Pushed to master. Closing out bug report. Thanks!