On Mon, Nov 04, 2019 at 03:14:34PM +0100, Dario Lesca wrote:
> On Mon, 04/11/2019 at 08.38 -0500, Neal Gompa wrote:
> > What defines it as experimental?
>
> https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
>
> Using MIT Kerberos is still considered experimental.

I'd say you've buried the lede, as the rest at the link is much worse:

> Samba 4.7 and later versions have shipped with code to support
> building the Samba AD DC using MIT Kerberos. Since the time of the
> release a number of issues, *including security issues*, have been
> found by real-world use. However sadly the Samba Team has not been
> able to resource the resolution of these issues to a standard that we
> are happy with, and so Samba 4.9.3, 4.8.7 and 4.7.12 releases mark
> this mode more clearly as experimental.
>
> As an experimental feature, *we will not be issuing security patches*
> for this feature, including for:
> * S4U2Self crash with MIT KDC build

[emphasis mine]

(That said, the linked-to crasher was fixed about 3.5 months after the report. I have no idea how that compares to typical response times.)

I find that text worrying. Of course, all software has the potential for vulnerabilities, and some software is better quality than other software in general. Still, it's not hard to imagine people relying on the security features in higher risk environments than they might otherwise because "of course Fedora is using high quality security code" and/or "it's Samba/MIT Kerberos, of course it's high quality" ... and then it isn't.

From the wording above, it seems that Samba is no longer as confident as they used to be that their MIT Kerberos integration is solid (i.e., they weren't always calling it experimental), so they've (now) made the risks explicit in their documentation. Fedora doesn't appear to be passing that information along (yet).

That's an easy thing to overlook -- I'm willing to assume that the Samba project didn't send out an all-points bulletin to all the distros warning about it, but does it make sense to reconsider the default? Maybe not, for all the reasons already stated. In that case, I'd say the ethical thing would be to do *something* to make sure that users are participating in the experiment with full knowledge of the risks.
(As a point of comparison, we've deferred to the btrfs upstream recommendation not to install Fedora on btrfs by default. How is this different?)
devel mailing list -- devel@lists.fedoraproject.org