On Sun, 2019-04-07 at 12:38 -0400, vincent at cojot.name wrote:
> On Sat, 6 Apr 2019, Sérgio Basto via samba wrote:
> >
> > > http://nova.polymtl.ca/~coyote/dist/samba/samba-4.8.10
> >
> > How do you build this on Centos 7 without gnutls 3.4 and nettle 3.2 ?
>
> Hi Sergio,
> that's a very good question. I built these on rhel7.6 with gnutls-3.3.39
> and nettle-2.7.1:
>
> [root at dc02 ~]# rpm -q nettle gnutls
> nettle-2.7.1-8.el7.x86_64
> nettle-2.7.1-8.el7.i686
> gnutls-3.3.29-9.el7_6.x86_64
> gnutls-3.3.29-9.el7_6.i686
>
> Anything wrong with that? the SPECs are slightly modified from Fedora.
> (mostly to account for rhel7's python2 defaults)
>
> I'd like to know more about the issues you suspect.. Do you have any
> pointers? Perhaps it is just a matter of RedHat's backports. Any specific
> CVE's ?

All I know is that it is just a requirement from ./configure when you
enable the -ad option IIRC. ./configure requires gnutls-3.4.7 [1]

[1]
BUILDSTDERR: Checking for program krb5-config.heimdal : not found
BUILDSTDERR: Checking for program krb5-config : /usr/bin/krb5-config
BUILDSTDERR: Checking for gnutls >= 3.4.7 : yes

> thanks,
>
> vincent
>
> > [1]
> > https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/builds/
> >
> > [2]
> > https://github.com/sergiomb2/sambaad
> >
> > > Regards,
> > >
> > > ,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,
> > > Vincent S. Cojot, Computer Engineering. STEP project. _.,-*~'`^`'~*-,._.,-*~
> > > Ecole Polytechnique de Montreal, Comite Micro-Informatique. _.,-*~'`^`'~*-,.
> > > Linux Xview/OpenLook resources page _.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
> > > http://step.polymtl.ca/~coyote _.,-*~'`^`'~*-,._
> > > coyote at NOSPAM4cojot.name
> > >
> > > They cannot scare me with their empty spaces
> > > Between stars - on stars where no human race is
> > > I have it in me so much nearer home
> > > To scare myself with my own desert places.
> > > - Robert Frost
> >
> > --
> > Sérgio M. B.
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba

--
Sérgio M. B.
On Mon, 2019-04-08 at 06:25 +0100, Sérgio Basto via samba wrote:
> On Sun, 2019-04-07 at 12:38 -0400, vincent at cojot.name wrote:
> > On Sat, 6 Apr 2019, Sérgio Basto via samba wrote:
> > >
> > > > http://nova.polymtl.ca/~coyote/dist/samba/samba-4.8.10
> > >
> > > How do you build this on Centos 7 without gnutls 3.4 and nettle 3.2 ?
> >
> > Hi Sergio,
> > that's a very good question. I built these on rhel7.6 with gnutls-3.3.39
> > and nettle-2.7.1:
> >
> > [root at dc02 ~]# rpm -q nettle gnutls
> > nettle-2.7.1-8.el7.x86_64
> > nettle-2.7.1-8.el7.i686
> > gnutls-3.3.29-9.el7_6.x86_64
> > gnutls-3.3.29-9.el7_6.i686
> >
> > Anything wrong with that? the SPECs are slightly modified from Fedora.
> > (mostly to account for rhel7's python2 defaults)
> >
> > I'd like to know more about the issues you suspect.. Do you have any
> > pointers? Perhaps it is just a matter of RedHat's backports. Any specific
> > CVE's ?
>
> All I know is that it is just a requirement from ./configure when you
> enable the -ad option IIRC. ./configure requires gnutls-3.4.7 [1]

When we use %global with_dc 1 we need gnutls-3.4.7

> [1]
> BUILDSTDERR: Checking for program krb5-config.heimdal : not found
> BUILDSTDERR: Checking for program krb5-config : /usr/bin/krb5-config
> BUILDSTDERR: Checking for gnutls >= 3.4.7 : yes
>
> > thanks,
> >
> > vincent
> >
> > > [1]
> > > https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/builds/
> > >
> > > [2]
> > > https://github.com/sergiomb2/sambaad
> > >
> > > > Regards,
> > > > [Vincent's signature trimmed]
> > >
> > > --
> > > Sérgio M. B.
>
> --
> Sérgio M. B.

--
Sérgio M. B.
Hi Sergio,

You're right and I hadn't noticed because everything worked fine.
Here's an excerpt from samba's config.log (I just refreshed the packages
for 4.8.11):

---------------------------------------------------------------------------------
Checking for gnutls >= 3.4.7
/usr/bin/pkg-config "gnutls >= 3.4.7" --cflags --libs gnutls
Requested 'gnutls >= 3.4.7' but version of GnuTLS is 3.3.29
You may find new versions of GnuTLS at http://www.gnutls.org/
not found
---------------------------------------------------------------------------------
Checking for gnutls >= 3.0.0
/usr/bin/pkg-config "gnutls >= 3.0.0" --cflags --libs gnutls
-I/usr/include/p11-kit-1 -lgnutls
yes
---------------------------------------------------------------------------------

Is it possible that an AD/DC builds and works fine with gnutls-3.3.x?

I admit I didn't pay attention to that issue when I confirmed some of the
spec file settings from https://samba.tranquil.it/centos7/samba-4.8.8-srcrpm.
That spec file shows:

BuildRequires: gnutls-devel >= 3.3.26

RHEL7 (and most likely centos7 too) currently includes this:

# rpm -q gnutls
gnutls-3.3.29-9.el7_6.x86_64
gnutls-3.3.29-9.el7_6.i686
Adding Alexander (cc'ed, thank you)

Hi Sergio,
I found some hints (dating back almost a year ago) about why gnutls-3.4
might be needed:
https://lists.samba.org/archive/samba-technical/2018-April/127282.html

I don't know how much of this still holds true (I've been running an AD DC
with rhel7's gnutls 3.3.z for over a year without apparent issues).

Regards,
Vincent

On Mon, 8 Apr 2019, Sérgio Basto via samba wrote:
> On Mon, 2019-04-08 at 06:25 +0100, Sérgio Basto via samba wrote:
>> On Sun, 2019-04-07 at 12:38 -0400, vincent at cojot.name wrote:
>>> On Sat, 6 Apr 2019, Sérgio Basto via samba wrote:
>>>>
>>>>> http://nova.polymtl.ca/~coyote/dist/samba/samba-4.8.10
>>>>
>>>> How do you build this on Centos 7 without gnutls 3.4 and nettle 3.2 ?
>>>
>>> Hi Sergio,
>>> that's a very good question. I built these on rhel7.6 with gnutls-3.3.39
>>> and nettle-2.7.1:
>>>
>>> [root at dc02 ~]# rpm -q nettle gnutls
>>> nettle-2.7.1-8.el7.x86_64
>>> nettle-2.7.1-8.el7.i686
>>> gnutls-3.3.29-9.el7_6.x86_64
>>> gnutls-3.3.29-9.el7_6.i686
>>>
>>> Anything wrong with that? the SPECs are slightly modified from Fedora.
>>> (mostly to account for rhel7's python2 defaults)
>>>
>>> I'd like to know more about the issues you suspect.. Do you have any
>>> pointers? Perhaps it is just a matter of RedHat's backports. Any specific
>>> CVE's ?
>>
>> All I know is that it is just a requirement from ./configure when you
>> enable the -ad option IIRC. ./configure requires gnutls-3.4.7 [1]
>
> When we use %global with_dc 1 we need gnutls-3.4.7
>
>> [1]
>> BUILDSTDERR: Checking for program krb5-config.heimdal : not found
>> BUILDSTDERR: Checking for program krb5-config : /usr/bin/krb5-config
>> BUILDSTDERR: Checking for gnutls >= 3.4.7 : yes
>>
>>> thanks,
>>>
>>> vincent
>>>
>>>> [1]
>>>> https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/builds/
>>>>
>>>> [2]
>>>> https://github.com/sergiomb2/sambaad
>>>>
>>>>> Regards,
>>>>> [Vincent's signature trimmed]
>>>>
>>>> --
>>>> Sérgio M. B.
>>
>> --
>> Sérgio M. B.
>
> --
> Sérgio M. B.
On Monday, April 8, 2019 7:36:40 PM CEST Alexander Bokovoy wrote:
> On Mon, 08 Apr 2019, vincent at cojot.name wrote:
> > Adding Alexander (cc'ed, thank you)
> >
> > Hi Sergio,
> > I found some hints (dating back almost a year ago) about why gnutls-3.4
> > might be needed:
> > https://lists.samba.org/archive/samba-technical/2018-April/127282.html
> >
> > I don't know how much of this still holds true (I've been running an AD DC
> > with rhel7's gnutls 3.3.z for over a year without apparent issues).
>
> Actually, you need Andreas, not me. ;)
>
> Andreas is working on crypto unification and moves crypto implementation
> to use standardized crypto libraries which have better chances to pass
> audit and certifications. Over few releases, gnutls has been improved to
> provide more and more of crypto primitives used by Samba. This is where
> a requirement for newer versions of gnutls comes from.

Samba AD DC built with MIT Kerberos requires gnutls 3.4.7 to implement the
crypto for the DCERPC backupkey service.

If you build Samba with Heimdal on your own, then it works with older GnuTLS
versions. However I wouldn't run Samba AD DC with Heimdal, the Samba copy is
from 2011. Who knows what's in there ...

Best regards,

Andreas

--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
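The thread above pins the requirement down to two numbers: an AD DC built against MIT Kerberos needs GnuTLS >= 3.4.7, while the configure excerpt earlier in the thread shows the generic floor of 3.0.0 that a Heimdal build gets by with. The following pre-build check is an added example, not Samba's own configure logic or any code from the list participants; it takes those two thresholds as assumptions, compares dotted version strings in plain POSIX shell (no `sort -V`), and reads the installed version with `pkg-config --modversion gnutls` when that tool is present. The version strings it is run against (3.3.29 from RHEL 7, a hypothetical 3.6.7) are constructed inputs.

```shell
#!/bin/sh
# Added example: preflight check for the GnuTLS version a Samba AD DC build
# needs. Thresholds are assumptions taken from the mailing-list thread:
#   MIT Kerberos backend  -> gnutls >= 3.4.7
#   Heimdal backend       -> gnutls >= 3.0.0 (the configure fallback check)

# version_ge A B: exit 0 when dotted version A is >= dotted version B.
# Components are compared numerically, so 3.10.0 >= 3.9.9 holds.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}      # leading component of each side
        ax=${ax:-0};  bx=${bx:-0}     # missing components count as 0
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0                          # all components equal
}

# installed_gnutls_version: print the version pkg-config reports, or nothing
# if pkg-config or the gnutls .pc file is absent (caller decides what to do).
installed_gnutls_version() {
    pkg-config --modversion gnutls 2>/dev/null
}

# check_gnutls_for_dc VERSION BACKEND: BACKEND is "mit" or "heimdal".
# Exit 0 when VERSION is sufficient, 1 when too old, 2 on a bad backend name.
check_gnutls_for_dc() {
    ver="$1"; backend="$2"
    case "$backend" in
        mit)     need="3.4.7" ;;   # assumption from the thread
        heimdal) need="3.0.0" ;;   # assumption from the configure excerpt
        *) echo "unknown Kerberos backend: $backend" >&2; return 2 ;;
    esac
    if version_ge "$ver" "$need"; then
        echo "gnutls $ver satisfies >= $need for a $backend AD DC build"
        return 0
    fi
    echo "gnutls $ver is below the $need required for a $backend AD DC build" >&2
    return 1
}

# Demo: run with "--demo" to see the constructed cases, or "--host BACKEND"
# to check the version actually installed on this machine.
case "${1:-}" in
    --demo)
        check_gnutls_for_dc "3.3.29" mit      || true   # RHEL 7's gnutls: too old for MIT
        check_gnutls_for_dc "3.3.29" heimdal  || true   # fine for a Heimdal build
        check_gnutls_for_dc "3.6.7"  mit      || true   # hypothetical newer gnutls: ok
        ;;
    --host)
        v=$(installed_gnutls_version)
        [ -n "$v" ] || { echo "pkg-config found no gnutls" >&2; exit 2; }
        check_gnutls_for_dc "$v" "${2:-mit}"
        ;;
esac
```

The check is deliberately separate from `./configure` so a packager can fail a build early (for example in the `%prep` stage of a spec file) with a clear message instead of discovering, as in the config.log excerpt above, that configure silently fell back to the 3.0.0 test and built something other than what was intended.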
> If you build Samba with Heimdal on your own, then it works with older
> GnuTLS versions. However I wouldn't run Samba AD DC with Heimdal, the
> Samba copy is from 2011. Who knows what's in there ...
>
> Best regards,
>
> Andreas

WOW!

If Samba with Heimdal can't be trusted, and Samba with MIT is clearly
experimental and not supported, then WHAT EXACTLY should Samba be used for?
Just file/print services?

Am I completely insane, or am I reading the above statement correctly?
On Mon, 08 Apr 2019 20:58:00 +0200
Andreas Schneider via samba <samba at lists.samba.org> wrote:
> On Monday, April 8, 2019 7:36:40 PM CEST Alexander Bokovoy wrote:
> > On Mon, 08 Apr 2019, vincent at cojot.name wrote:
> > > Adding Alexander (cc'ed, thank you)
> > >
> > > Hi Sergio,
> > > I found some hints (dating back almost a year ago) about why
> > > gnutls-3.4 might be needed:
> > > https://lists.samba.org/archive/samba-technical/2018-April/127282.html
> > >
> > > I don't know how much of this still holds true (I've been running
> > > an AD DC with rhel7's gnutls 3.3.z for over a year without
> > > apparent issues).
> >
> > Actually, you need Andreas, not me. ;)
> >
> > Andreas is working on crypto unification and moves crypto
> > implementation to use standardized crypto libraries which have
> > better chances to pass audit and certifications. Over few releases,
> > gnutls has been improved to provide more and more of crypto
> > primitives used by Samba. This is where a requirement for newer
> > versions of gnutls comes from.
>
> Samba AD DC built with MIT Kerberos requires gnutls 3.4.7 to
> implement the crypto for the DCERPC backupkey service.
>
> If you build Samba with Heimdal on your own, then it works with
> older GnuTLS versions. However I wouldn't run Samba AD DC with
> Heimdal, the Samba copy is from 2011. Who knows what's in there ...

Andreas, you have just written off every working Samba AD DC on the
planet! Do you think it was wise to do this ?

Rowland