Bug 15852 - ‘no secrets’ backups contain confidential attributes and KDS root keys
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.22.1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jennifer Sutton
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-04-21 23:38 UTC by Jennifer Sutton
Modified: 2025-08-19 23:54 UTC

Description Jennifer Sutton 2025-04-21 23:38:34 UTC
“Lab domains” and other backups without secrets will still contain confidential attributes (e.g. BitLocker keys) and, most importantly, the KDS root keys. These should be filtered out.
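
A way to check an existing backup for the two leak classes named in the description, as an added example (not code from this bug or from Samba). It assumes the backup's directory database has been exported to LDIF; the `searchFlags` confidential bit (0x80), the `msKds-ProvRootKey` class and the `msFVE-RecoveryPassword` attribute are taken from the Active Directory schema, not from this page, and the sample data is constructed.

```python
import re

CONFIDENTIAL = 0x80                       # searchFlags bit fCONFIDENTIAL (AD schema)
KDS_ROOT_KEY_CLASS = "mskds-provrootkey"  # objectClass of KDS root key objects

def parse_ldif(text):
    """Yield one dict per LDIF record: lower-cased attribute -> list of values.
    Base64 values ("attr:: b64") are kept opaque; only their presence matters."""
    text = re.sub(r"\r?\n ", "", text)    # undo LDIF line folding
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            record.setdefault(name.lower(), []).append(value.lstrip(": ").strip())
        if record:
            yield record

def audit_backup(ldif_text):
    """Return (dn, reason) for every object a no-secrets backup should not hold."""
    records = list(parse_ldif(ldif_text))
    confidential = set()                  # pass 1: attributes the schema marks confidential
    for r in records:
        if "ldapdisplayname" in r and int(r.get("searchflags", ["0"])[0]) & CONFIDENTIAL:
            confidential.add(r["ldapdisplayname"][0].lower())
    findings = []                         # pass 2: objects still carrying them
    for r in records:
        dn = r.get("dn", ["?"])[0]
        if KDS_ROOT_KEY_CLASS in (c.lower() for c in r.get("objectclass", [])):
            findings.append((dn, "KDS root key object"))
        for attr in sorted(confidential.intersection(r)):
            findings.append((dn, "confidential attribute " + attr))
    return findings

# Constructed sample export; DNs and values are made up for illustration.
SAMPLE = """\
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=lab,DC=example
lDAPDisplayName: msFVE-RecoveryPassword
searchFlags: 128

dn: CN=rk1,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=lab,DC=example
objectClass: msKds-ProvRootKey
msKds-RootKeyData:: AAAA

dn: CN=rec1,CN=PC1,CN=Computers,DC=lab,DC=example
objectClass: msFVE-RecoveryInformation
msFVE-RecoveryPassword: 000000-CONSTRUCTED
description: lab laptop
"""
```

`audit_backup(SAMPLE)` reports the root key object and the recovery-password object; an empty result is what a correctly filtered backup should produce.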
Comment 1 Samba QA Contact 2025-05-26 03:45:04 UTC
This bug was referenced in samba master:

Comment 2 Douglas Bagnall 2025-08-19 23:54:29 UTC
Do we want to backport?