On Mon, 22 Apr 2019 01:27:47 -0400 Nico Kadel-Garcia via samba <samba at lists.samba.org> wrote:

> Sergio's used python36 from iusrelease. I used the one from EPEL. Our
> builds are very similar, except that I compile all the added libraries
> such as libtdb, libtevent, etc. as distinct RPM's as they are
> published by RHEL, just with Python 3.6 as well as with Python 2.7
> and with recent enough versions for Samba 4.10.2. I'm suspicious about
> your build and whether it effectively provides full domain controller
> features, which I believe require gnutls 3.4.17.

You can stop believing ;-)

You only need gnutls 3.4.17 if you are using MIT and you shouldn't be using MIT, it is experimental.

Rowland

On Mon, 2019-04-22 at 08:12 +0100, Rowland Penny via samba wrote:

> On Mon, 22 Apr 2019 01:27:47 -0400
> Nico Kadel-Garcia via samba <samba at lists.samba.org> wrote:
>
> > Sergio's used python36 from iusrelease. I used the one from EPEL. Our
> > builds are very similar, except that I compile all the added libraries
> > such as libtdb, libtevent, etc. as distinct RPM's as they are
> > published by RHEL, just with Python 3.6 as well as with Python 2.7
> > and with recent enough versions for Samba 4.10.2. I'm suspicious about
> > your build and whether it effectively provides full domain controller
> > features, which I believe require gnutls 3.4.17.
>
> You can stop believing ;-)
>
> You only need gnutls 3.4.17 if you are using MIT and you shouldn't be
> using MIT, it is experimental.

Thank you very much Rowland, you are correct.

However, thankfully Nico's efforts are not in vain! There is an ongoing effort to rely on GnuTLS for more of Samba's cryptography and so a practical way to build Samba with GnuTLS 3.4 is really worthwhile!

The reason is that having such a mechanism for our most popular host OS (RHEL7/CentOS7) would make it easier to enforce such a requirement in the future. (And allow us to remove the duplicate BackupKey server for example).

I also want to put in a really big thank-you to everybody working so hard to package Samba 4.10 properly and with Python3. Practical working proof, again on RHEL7/CentOS7, of a pure python3 build is invaluable! Without it we may have had to consider a backtrack on being Py3 only for Samba 4.11, which would have been quite unfortunate.

Thanks!

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Tue, 23 Apr 2019 07:14:45 +1200 Andrew Bartlett <abartlet at samba.org> wrote:

> On Mon, 2019-04-22 at 08:12 +0100, Rowland Penny via samba wrote:
> > On Mon, 22 Apr 2019 01:27:47 -0400
> > Nico Kadel-Garcia via samba <samba at lists.samba.org> wrote:
> >
> > > Sergio's used python36 from iusrelease. I used the one from EPEL.
> > > Our builds are very similar, except that I compile all the added
> > > libraries such as libtdb, libtevent, etc. as distinct RPM's as
> > > they are published by RHEL, just with Python 3.6 as well as with
> > > Python 2.7 and with recent enough versions for Samba 4.10.2. I'm
> > > suspicious about your build and whether it effectively provides
> > > full domain controller features, which I believe require gnutls
> > > 3.4.17.
> >
> > You can stop believing ;-)
> >
> > You only need gnutls 3.4.17 if you are using MIT and you shouldn't
> > be using MIT, it is experimental.
>
> Thank you very much Rowland, you are correct.
>
> However, thankfully Nico's efforts are not in vain! There is an
> ongoing effort to rely on GnuTLS for more of Samba's cryptography and
> so a practical way to build Samba with GnuTLS 3.4 is really
> worthwhile!
>
> The reason is that having such a mechanism for our most popular host
> OS (RHEL7/CentOS7) would make it easier to enforce such a requirement
> in the future. (And allow us to remove the duplicate BackupKey
> server for example).

Are you sure about RHEL7/CENTOS7 being our most popular OS? Up until recently, they hardly got a mention on here and neither will ever have OS packages that will provision as an AD DC. My personal opinion is that the Debian based OS's are our most popular.

> I also want to put in a really big thank-you to everybody working so
> hard to package Samba 4.10 properly and with Python3. Practical
> working proof, again on RHEL7/CentOS7, of a pure python3 build is
> invaluable! Without it we may have had to consider a backtrack on
> being Py3 only for Samba 4.11, which would have been quite
> unfortunate.

The problem is that they, unfortunately, have had to put all this work in, something that the OS should do, but something that isn't likely to happen, perhaps on Fedora, or from EPEL on CENTOS, but never from RHEL. It just goes to show how far Samba users will go, if they think their OS is ignoring them and for this, I applaud them.

Rowland

On Mon, 2019-04-22 at 08:12 +0100, Rowland Penny via samba wrote:

> On Mon, 22 Apr 2019 01:27:47 -0400
> Nico Kadel-Garcia via samba <samba at lists.samba.org> wrote:
>
> > Sergio's used python36 from iusrelease.

I use Python2, I don't have plans to change my configuration to Python3 soon; anyway, if I switch to Python 3 I will use the EPEL version.

> > I used the one from EPEL. Our
> > builds are very similar, except that I compile all the added
> > libraries such as libtdb, libtevent, etc. as distinct RPM's as
> > they are published by RHEL,

Good, I'm glad that you do it, I will also try to check your rpms.

> > just with Python 3.6 as well as with Python 2.7
> > and with recent enough versions for Samba 4.10.2. I'm suspicious
> > about your build and whether it effectively provides full domain
> > controller features, which I believe require gnutls 3.4.17.
>
> You can stop believing ;-)
>
> You only need gnutls 3.4.17 if you are using MIT and you shouldn't be
> using MIT, it is experimental.

Yes, Nico, the default RHEL samba packages are compiled with MIT kerberos, but for Samba AD we "need" heimdal kdc [1] and when we don't build with MIT kerberos, we don't need gnutls 3.4.17. Although I keep gnutls 3.4.17 because it should work better and with better performance.

[1] https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
https://www.google.com/search?q=heimdal+kdc+vs+mit+kerberos

> Rowland

--
Sérgio M. B.