Adding Alexander (cc'ed, thank you)

Hi Sergio,
I found some hints (dating back almost a year ago) about why gnutls-3.4 might be needed:
https://lists.samba.org/archive/samba-technical/2018-April/127282.html

I don't know how much of this still holds true (I've been running an AD DC with rhel7's gnutls 3.3.z for over a year without apparent issues).

Regards,

Vincent

On Mon, 8 Apr 2019, Sérgio Basto via samba wrote:

> On Mon, 2019-04-08 at 06:25 +0100, Sérgio Basto via samba wrote:
>> On Sun, 2019-04-07 at 12:38 -0400, vincent at cojot.name wrote:
>>> On Sat, 6 Apr 2019, Sérgio Basto via samba wrote:
>>>
>>>>> http://nova.polymtl.ca/~coyote/dist/samba/samba-4.8.10
>>>>
>>>> How do you build this on Centos 7 without gnutls 3.4 and nettle 3.2 ?
>>>
>>> Hi Sergio,
>>> that's a very good question. I built these on rhel7.6 with gnutls-3.3.39 and nettle-2.7.1:
>>>
>>> [root at dc02 ~]# rpm -q nettle gnutls
>>> nettle-2.7.1-8.el7.x86_64
>>> nettle-2.7.1-8.el7.i686
>>> gnutls-3.3.29-9.el7_6.x86_64
>>> gnutls-3.3.29-9.el7_6.i686
>>>
>>> Anything wrong with that? The SPECs are slightly modified from Fedora.
>>> (mostly to account for rhel7's python2 defaults)
>>>
>>> I'd like to know more about the issues you suspect.. Do you have any pointers? Perhaps it is just a matter of RedHat's backports. Any specific CVE's ?
>>
>> All what I know, is just a requirement from ./configure when you enable -ad option IIRC .
>> ./configure requires gnutls-3.4.7 [1]
>
> when we use %global with_dc 1 we need gnutls-3.4.7
>
>> [1]
>> BUILDSTDERR: Checking for program krb5-config.heimdal : not found
>> BUILDSTDERR: Checking for program krb5-config : /usr/bin/krb5-config
>> BUILDSTDERR: Checking for gnutls >= 3.4.7 : yes
>>
>>> thanks,
>>>
>>> vincent
>>>
>>>> [1] https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/builds/
>>>> [2] https://github.com/sergiomb2/sambaad
>>>>
>>>>> Regards,
>>>>>
>>>>> Vincent S. Cojot, Computer Engineering. STEP project.
>>>>> Ecole Polytechnique de Montreal, Comite Micro-Informatique.
>>>>> Linux Xview/OpenLook resources page
>>>>> http://step.polymtl.ca/~coyote
>>>>> coyote at NOSPAM4cojot.name
>>>>>
>>>>> They cannot scare me with their empty spaces
>>>>> Between stars - on stars where no human race is
>>>>> I have it in me so much nearer home
>>>>> To scare myself with my own desert places. - Robert Frost
>>>>
>>>> --
>>>> Sérgio M. B.
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>
>> --
>> Sérgio M. B.
>
> --
> Sérgio M. B.
On 08.04.2019 17:12, Vincent S. Cojot via samba wrote:
> Adding Alexander (cc'ed, thank you)
>
> Hi Sergio,
> I found some hints (dating back almost a year ago) about why
> gnutls-3.4 might be needed:
> https://lists.samba.org/archive/samba-technical/2018-April/127282.html
>
> I don't know how much of this still holds true (I've been running an
> AD DC with rhel7's gnutls 3.3.z for over a year without apparent issues).
>
> Regards,
>
> Vincent

Hi folks,

I followed the link below to compile a Samba AD DC (CentOS 7.5, now upgraded to CentOS 7.6). Instead of using 4.8.3, I took the 4.9.1 source, which was fresh at the moment. I have got the same gnutls and nettle versions as Vincent. Everything compiled well.

I scrapped the quota stuff, as it is a small domain with a few users, where quota doesn't make any sense (I face down users that misbehave). I also disabled cups (no need for printer sharing).

https://www.server-world.info/en/note?os=CentOS_7&p=samba&f=4

I had some problems with configuration, but they were related to my inexperience, and not to Samba (thanks to Rowland and Louis, who had patience with me). It has been going for around 6 months now. Every part of it seems to work nicely: DNS, permissions (exclusively Windows based), time sync. I haven't detected anything that seems problematic so far. I did set some GPOs in Samba for the first time yesterday (using RSAT under Windows 10 Pro), which also worked.

Roaming profiles, home shares, and different data shares reside on a separate Samba server (CentOS 7.6, bundled Samba 4.7.1).

Just my fiver...

Best regards,
Peter
On Mon, 2019-04-08 at 11:12 -0400, Vincent S. Cojot via samba wrote:
> Adding Alexander (cc'ed, thank you)
>
> Hi Sergio,
> I found some hints (dating back almost a year ago) about why gnutls-3.4
> might be needed:
> https://lists.samba.org/archive/samba-technical/2018-April/127282.html
>
> I don't know how much of this still holds true (I've been running an AD DC
> with rhel7's gnutls 3.3.z for over a year without apparent issues).

For builds with the (recommended) internal Heimdal Kerberos we do not require GnuTLS 3.4 because we have a fallback implementation against the Heimdal crypto API.

The 'requirement' probably came via the Fedora build which uses MIT Kerberos. No production builds should use MIT Kerberos for the AD DC as this remains an experimental configuration.

Finally, we do try and pick this kind of thing up at configure time. If a Samba build completes but it doesn't function at runtime then we consider that a bug. (With the proviso that we don't currently have a way to detect and fail on missing python packages).

I hope this clarifies things,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Tue, 9 Apr 2019, Andrew Bartlett wrote:
> For builds with the (recommended) internal Heimdal Kerberos we do not
> require GnuTLS 3.4 because we have a fallback implementation against
> the Heimdal crypto API.

Confirmed. This is what my (and most other) rhel7/centos7 builds are using it seems.

[root at dc02 bin]# /usr/sbin/smbd -b|grep -i heim
SAMBA4_USES_HEIMDAL

(that's the right way to check, correct?)

> The 'requirement' probably came via the Fedora build which uses MIT
> Kerberos. No production builds should use MIT Kerberos for the AD DC
> as this remains an experimental configuration.

Interesting.. so RHEL8 might in fact be a different story.

> Finally, we do try and pick this kind of thing up at configure time.
> If a Samba build completes but it doesn't function at runtime then we
> consider that a bug. (With the proviso that we don't currently have a
> way to detect and fail on missing python packages).

Well, thank you for leaving those 'options' in place so people like me (us) can use your great samba work on el7/centos7 derivatives. Your efforts and help are very much appreciated (speaking in my own name here).

> I hope this clarifies things,

Yes, thank you.

Vincent
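The two checks the thread converges on, Andrew's rule (internal Heimdal build: GnuTLS 3.4 not required; anything else: hold the build to the configure-time minimum) and Vincent's `smbd -b | grep -i heim` probe, are combined below into one preflight script. This is an added example written for this page, not code from the thread or from the Samba project. It takes from the thread only the `SAMBA4_USES_HEIMDAL` marker, the `gnutls >= 3.4.7` minimum from the configure log, and the `rpm -q` NVRA format; the sample `smbd -b` output, the `mockbuild@example-builder` host, the `gnutls-3.6.8-1.constructed.x86_64` package string and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): preflight checks
# for a Samba AD DC build on el7-style hosts. Functions take their input as
# arguments so they can be exercised on constructed data; pass --live to run
# them against the real "rpm -q gnutls" and "smbd -b" output on this host.

# Minimum GnuTLS that ./configure asked for in the thread's build log.
GNUTLS_MIN=3.4.7

# version_ge A B: succeed (exit 0) when dotted version A >= B.
# Pure POSIX sh so it works on a minimal box without "sort -V".
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}
        bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        ah=${ah:-0}   # missing component counts as 0 (3.4 == 3.4.0)
        bh=${bh:-0}
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# rpm_version NAME NVRA: extract the VERSION field from an "rpm -q NAME" line
# such as gnutls-3.3.29-9.el7_6.x86_64 (the format shown in the thread).
rpm_version() {
    prefix="$1-"
    v=${2#"$prefix"}
    printf '%s\n' "${v%%-*}"
}

# kerberos_backend SMBD_B_OUTPUT: "heimdal" when the build options printed by
# "smbd -b" contain SAMBA4_USES_HEIMDAL (the marker Vincent grepped for),
# otherwise "other" (the thread names MIT Kerberos as the alternative).
kerberos_backend() {
    case $1 in
        *SAMBA4_USES_HEIMDAL*) printf 'heimdal\n' ;;
        *) printf 'other\n' ;;
    esac
}

# dc_build_ok BACKEND GNUTLS_VERSION: Andrew's rule. Internal Heimdal has a
# crypto fallback, so any GnuTLS is fine; otherwise require the configure minimum.
dc_build_ok() {
    if [ "$1" = heimdal ]; then
        return 0
    fi
    version_ge "$2" "$GNUTLS_MIN"
}

# report NAME NVRA SMBD_B_OUTPUT: one-line verdict for a host.
report() {
    ver=$(rpm_version "$1" "$2")
    backend=$(kerberos_backend "$3")
    if dc_build_ok "$backend" "$ver"; then
        printf 'OK: kerberos=%s gnutls=%s\n' "$backend" "$ver"
    else
        printf 'NOT OK: kerberos=%s gnutls=%s (needs >= %s)\n' "$backend" "$ver" "$GNUTLS_MIN"
    fi
}

# Constructed sample "smbd -b" output. Only the SAMBA4_USES_HEIMDAL line comes
# from the thread; the surrounding lines are made up for this example.
SMBD_B_HEIMDAL='Build environment:
   Built by:    mockbuild@example-builder
Build options:
   SAMBA4_USES_HEIMDAL'

# Constructed stand-in for a build without the Heimdal marker.
SMBD_B_OTHER='Build options:
   CONSTRUCTED_NON_HEIMDAL_BUILD'

if [ "${1:-}" = --live ]; then
    # Real host: the same two commands Vincent ran (first rpm line only,
    # since rpm -q can list both x86_64 and i686 packages).
    report gnutls "$(rpm -q gnutls | head -n 1)" "$(/usr/sbin/smbd -b)"
else
    report gnutls gnutls-3.3.29-9.el7_6.x86_64 "$SMBD_B_HEIMDAL"    # el7 Heimdal build from the thread
    report gnutls gnutls-3.3.29-9.el7_6.x86_64 "$SMBD_B_OTHER"      # same GnuTLS, non-Heimdal build
    report gnutls gnutls-3.6.8-1.constructed.x86_64 "$SMBD_B_OTHER" # constructed newer GnuTLS
fi
```

Run it without arguments to see the three constructed cases, or with `--live` on a host that has the Samba packages installed. The version comparison is deliberately component-wise rather than a string compare, because `3.3.29` sorts after `3.4.7` lexically but is older; that is exactly the kind of mistake that would make a build look compliant when it is not.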