mefisto74 n00b
Joined: 05 May 2022 Posts: 2
Posted: Sat Jan 14, 2023 3:27 pm Post subject: samba ad dc not anymore supporting mit kerberos?
I know that MIT Kerberos for Samba AD DC is marked as experimental, but I am already using it. A couple of days ago I tried to update my system and got this:
Code:
!!! Problem resolving dependencies for net-fs/samba from @selected
... done!
!!! The ebuild selected to satisfy "net-fs/samba" has unmet requirements.
- net-fs/samba-4.16.7-r2::gentoo USE="acl addc ads client cups json ldap pam python regedit syslog system-mitkrb5 winbind -ceph -cluster -debug (-fam) -glusterfs -gpg -iprint -llvm-libunwind -profiling-data -quota (-selinux) -snapper -spotlight (-system-heimdal) (-systemd) (-test) -unwind -zeroconf" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="aes" PYTHON_SINGLE_TARGET="python3_10 -python3_8 -python3_9"
The following REQUIRED_USE flag constraints are unsatisfied:
addc? ( !system-mitkrb5 )
The above constraints are a subset of the following complete expression:
exactly-one-of ( python_single_target_python3_8 python_single_target_python3_9 python_single_target_python3_10 ) addc? ( json python !system-mitkrb5 winbind ) ads? ( acl ldap python winbind ) cluster? ( ads ) gpg? ( addc ) spotlight? ( json ) test? ( python ) !ads? ( !addc ) at-most-one-of ( system-heimdal system-mitkrb5 )

So there is no way of using MIT Kerberos instead of Heimdal for Gentoo? Looks like it's just a Gentoo problem. But anyway, I don't understand why??
Hu Moderator
Joined: 06 Mar 2007 Posts: 21595
Posted: Sat Jan 14, 2023 4:45 pm Post subject:
This appears to have been added as part of <net-fs/samba[-system-mitkrb5]-{4.15.12,4.16.7}: DC integer overflow. I see in that bug the git commit which added the constraint, but not an explanation for it. However, reading the underlying CVE, I see:

From this, it seems plausible that the Gentoo maintainer locked out system-mitkrb5 because (1) the MIT Kerberos library is affected, and (2) the Samba release only fixed the embedded Heimdal library, so allowing Samba to use the system-heimdal or system-mitkrb5 is unsafe until fixed versions of those libraries are released and installed. If I am right, which I may not be since I only looked at this because of your post and have no involvement with Samba, then these flags could plausibly be allowed in situations where the vulnerability does not apply:
- 64-bit systems are unaffected, per the upstream CVE
- Heimdal and MIT will hopefully release a fixed version at some point, after which Gentoo could remove this block and instead use a version constraint to require a fixed version be installed

mefisto74 wrote: | So there is no way of using MIT Kerberos instead of Heimdal for Gentoo? Looks like it's just a Gentoo problem. But anyway, I don't understand why?? |

According to this output, you can use MIT Kerberos if you set USE=-addc. All distributions ought to have this limitation, not just Gentoo, since it is a workaround for a security problem.
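The following is an added example, not part of either post and not Portage's own code: a small checker that evaluates the REQUIRED_USE expression from the emerge output against the flag set shown there, to show which constraint blocks the build and that dropping addc clears it. The function names (parse, flag_ok, unmet, check) are made up for this illustration.

```python
# Minimal REQUIRED_USE checker (illustration only, not Portage's implementation).
GROUP_OPS = {"exactly-one-of": lambda n: n == 1, "at-most-one-of": lambda n: n <= 1,
             "any-of": lambda n: n >= 1}

def parse(tokens):
    """Consume tokens up to the matching ')' and return a list of nodes."""
    nodes = []
    while tokens:
        tok = tokens.pop(0)
        if tok == ")":
            break
        if tok in GROUP_OPS:          # e.g. at-most-one-of ( a b )
            tokens.pop(0)             # drop the "("
            nodes.append(("group", tok, parse(tokens)))
        elif tok.endswith("?"):       # e.g. addc? ( ... ) or !ads? ( ... )
            tokens.pop(0)             # drop the "("
            nodes.append(("if", tok[:-1], parse(tokens)))
        else:                         # plain flag or !flag
            nodes.append(("flag", tok, None))
    return nodes

def flag_ok(name, use):
    """True if 'flag' is enabled, or if '!flag' is disabled."""
    return name[1:] not in use if name.startswith("!") else name in use

def unmet(nodes, use):
    """Return the unsatisfied constraints, formatted like emerge's report."""
    failed = []
    for kind, head, body in nodes:
        if kind == "flag" and not flag_ok(head, use):
            failed.append(head)
        elif kind == "if" and flag_ok(head, use):
            failed += [f"{head}? ( {f} )" for f in unmet(body, use)]
        elif kind == "group":
            satisfied = sum(not unmet([n], use) for n in body)
            if not GROUP_OPS[head](satisfied):
                failed.append(f"{head} ( {' '.join(n[1] for n in body)} )")
    return failed

# Expression and enabled flags copied from the emerge output in the first post.
REQUIRED_USE = (
    "exactly-one-of ( python_single_target_python3_8 python_single_target_python3_9 "
    "python_single_target_python3_10 ) addc? ( json python !system-mitkrb5 winbind ) "
    "ads? ( acl ldap python winbind ) cluster? ( ads ) gpg? ( addc ) spotlight? ( json ) "
    "test? ( python ) !ads? ( !addc ) at-most-one-of ( system-heimdal system-mitkrb5 )"
)
USE = set(("acl addc ads client cups json ldap pam python regedit syslog "
           "system-mitkrb5 winbind python_single_target_python3_10").split())

def check(use):
    return unmet(parse(REQUIRED_USE.split()), use)
```

check(USE) returns the same single constraint emerge reported, and check(USE - {"addc"}) returns an empty list.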