On Thu, 2020-06-18 at 03:29 +0100, Sérgio Basto via samba wrote:
> On Wed, 2020-06-17 at 22:03 -0400, Rommel Rodriguez Toirac via samba wrote:
> > Hello all;
> > sorry, almost off-topic.
> >
> > I want to upgrade to samba-4.12.3.tar.gz on CentOS 7 and have a problem installing gnutls.
> >
> > How can I install gnutls?
> > Has anyone got CentOS 7 and samba-4.12.3 installed and fixed this situation, who can explain to me how to do that?
>
> I made compat-gnutls34 and compat-nettle32 packages, because half of CentOS 7 depends on the system gnutls and you can't just upgrade it.
> After installing compat-gnutls34 and compat-nettle32, before running ./configure you just need to run
> export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig

Thank you so much for doing this. This work enabled us to rid Samba of a significant amount of in-tree cryptography.

> Just a note: you just need gnutls-3.4.7 if you will use MIT Kerberos integration; if you use Heimdal Kerberos I think the gnutls of CentOS 7 is still enough [3].

Thanks to the availability of this package, and of course the incredible efforts of Andreas and others who did the work on the transition, we now do require a modern GnuTLS (3.4.7) even with Heimdal; the system one on RHEL7 is no longer enough. If we could get an even more modern version then we can consider removing even more duplicate in-house cryptography.

My only concern is that now a significant number of Samba installs will rely on this work, so if there is a security issue in GnuTLS, depending on how people install the packages (using copr, or via the copy of the packages and repos at https://samba.tranquil.it/centos7/, or downloaded and installed locally) it may take quite some effort to get the fixes to everyone.

What I would say to Samba users installing Samba 4.12: if at all possible, please take this opportunity to upgrade to RHEL 8 / CentOS 8.
Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
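The PKG_CONFIG_PATH step Sérgio describes above decides which GnuTLS Samba's ./configure links against, and Andrew's reply fixes the minimum at 3.4.7. The script below is an added example, not code from this thread or from Samba's build system: it walks PKG_CONFIG_PATH left to right the way pkg-config does, then the system directory, and reports whether the first gnutls.pc it finds is new enough. The compat directory names come from the thread; the system directory /usr/lib64/pkgconfig and the .pc contents and version numbers used in demo() are constructed sample values for the example, not a claim about what the real packages ship.

```shell
#!/bin/sh
# Added example, not code from the Samba list thread or from Samba itself.
# Checks which gnutls.pc ./configure will see on PKG_CONFIG_PATH and whether
# its Version meets Samba 4.12's minimum of 3.4.7 (the figure Andrew quotes).
# Assumptions: pkg-config-style left-to-right search with the system
# directory (/usr/lib64/pkgconfig) searched last; the .pc files in demo()
# are constructed samples standing in for CentOS 7 and compat-gnutls34.

SAMBA_MIN_GNUTLS=3.4.7

# version_ge A B: succeed when dotted version A >= B (numeric per component).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# pc_version FILE: print the Version: field of a .pc file.
pc_version() {
    sed -n 's/^Version:[[:space:]]*//p' "$1" | head -n 1
}

# find_gnutls_pc PATH [SYSDIR]: walk the colon-separated PATH in order, then
# SYSDIR, and print the first gnutls.pc found (that is the one that wins).
find_gnutls_pc() {
    _path=$1
    _sysdir=${2:-/usr/lib64/pkgconfig}
    _oldifs=$IFS
    IFS=:
    set -- $_path $_sysdir
    IFS=$_oldifs
    for d in "$@"; do
        if [ -n "$d" ] && [ -f "$d/gnutls.pc" ]; then
            printf '%s\n' "$d/gnutls.pc"
            return 0
        fi
    done
    return 1
}

# check_gnutls [PATH] [SYSDIR]: report the gnutls ./configure would pick up.
# Exit status: 0 new enough, 1 too old, 2 not found.
check_gnutls() {
    pc=$(find_gnutls_pc "${1-$PKG_CONFIG_PATH}" "$2") || {
        echo "no gnutls.pc found on PKG_CONFIG_PATH or in the system dir"
        return 2
    }
    v=$(pc_version "$pc")
    if version_ge "$v" "$SAMBA_MIN_GNUTLS"; then
        echo "ok: $pc provides gnutls $v (>= $SAMBA_MIN_GNUTLS)"
        return 0
    fi
    echo "too old: $pc provides gnutls $v (< $SAMBA_MIN_GNUTLS)"
    return 1
}

# demo: constructed .pc files with sample version numbers; on a real box run
# check_gnutls "$PKG_CONFIG_PATH" instead, right before ./configure.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/sys" "$tmp/compat-gnutls34" "$tmp/compat-nettle32"
    printf 'Name: GnuTLS\nVersion: 3.3.29\n' > "$tmp/sys/gnutls.pc"
    printf 'Name: GnuTLS\nVersion: 3.4.17\n' > "$tmp/compat-gnutls34/gnutls.pc"
    printf 'Name: Nettle\nVersion: 3.2\n' > "$tmp/compat-nettle32/nettle.pc"

    echo "== PKG_CONFIG_PATH empty: system gnutls wins"
    check_gnutls "" "$tmp/sys" || true
    echo "== compat dirs first on PKG_CONFIG_PATH, as in the thread"
    check_gnutls "$tmp/compat-gnutls34:$tmp/compat-nettle32" "$tmp/sys" || true
    echo "== system dir placed before the compat dir: still too old"
    check_gnutls "$tmp/sys:$tmp/compat-gnutls34" "$tmp/sys" || true

    rm -rf "$tmp"
}

demo
```

The ordering cases in demo() are the practical point: pkg-config stops at the first gnutls.pc it finds, so the compat directory has to precede any directory holding the system gnutls.pc, and a PKG_CONFIG_PATH that lists /usr/lib64/pkgconfig first silently gives configure the old library. On a real CentOS 7 host the check is `check_gnutls "$PKG_CONFIG_PATH"` after the export from the thread; it tells you what configure will link against, not whether the matching compat libgnutls is picked up at run time, which is a separate thing to confirm with ldd on the built binaries.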
On Thu, 2020-06-18 at 14:43 +1200, Andrew Bartlett via samba wrote:
> If we could get an even more modern version then we can consider removing even more duplicate in-house cryptography.

Thank you, glad to help.

You mean do compat-gnutls36 packages? IIRC, already when I tried to build gnutls-3.5, I found that we need to update and build many more package dependencies ...

Best regards,
--
Sérgio M. B.
Andrew Bartlett
2020-Jun-18 04:11 UTC
[Samba] GnuTLS for samba-4.12.x on RHEL7 / CentOS 7: encourage or discourage?
On Thu, 2020-06-18 at 04:46 +0100, Sérgio Basto via samba wrote:
> On Thu, 2020-06-18 at 14:43 +1200, Andrew Bartlett via samba wrote:
> > If we could get an even more modern version then we can consider removing even more duplicate in-house cryptography.
>
> Thank you, glad to help.
>
> You mean do compat-gnutls36 packages? IIRC, already when I tried to build gnutls-3.5, I found that we need to update and build many more package dependencies ...

Thanks for that extra information. I wondered what the issue was.

Now, the big question I wanted to ask you is this: It is one thing to give us a really big helping hand for development, but I wondered how comfortable you are with being the repository for a security-sensitive package being used by a significant number of production Samba sites?

Do you have the resources to ensure that if GnuTLS issues a security advisory impacting GnuTLS 3.4 that you backport the patches? I notice a number of issues here: https://www.gnutls.org/security-new.html

Or should we instead strongly discourage the use of Samba 4.12, particularly as an AD DC (because the LDAP server exposes TLS, which seems to be a more likely target), on RHEL7 / CentOS 7? (We would instead suggest an upgrade to RHEL8 / CentOS 8.)

Thanks!

Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
Hi Sérgio, Andrew and Rommel,

Sorry to join the discussion so late.

Yes, compat-* packages are the right way to solve that for RHEL7/CentOS7 (until people can upgrade to RHEL8/CentOS8). Of course, like Andrew says, the consequence is that those compat-* packages must be maintained by the package maintainers (in case a security issue comes up).

I compiled samba-4.12.3 for RHEL7 a few days ago and placed the repo here: https://nova.polymtl.ca/~coyote/dist/samba/samba-4.12.3/RHEL7

I'll probably update the packages soonish because I found a couple of minor dependency issues.

Regards,
Vincent

On Thu, 18 Jun 2020, Sérgio Basto via samba wrote:
> On Thu, 2020-06-18 at 14:43 +1200, Andrew Bartlett via samba wrote:
> > If we could get an even more modern version then we can consider removing even more duplicate in-house cryptography.
>
> Thank you, glad to help.
>
> You mean do compat-gnutls36 packages? IIRC, already when I tried to build gnutls-3.5, I found that we need to update and build many more package dependencies ...
>
> Best regards,
> --
> Sérgio M. B.