Jürgen Echter
2022-Jan-24 00:41 UTC
[Samba] gnutls 3.7.2 in https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/ ?
Hi, thanks for your answer.

But for me this didn't work, I removed the new packages and installed the old ones again, did it the old way and it just started working again.

On Monday, January 24, 2022 00:53 CET, Sérgio Basto <sergio at serjux.com> wrote:

On Sun, 2022-01-23 at 20:41 +0100, Jürgen Echter wrote:

Hi,

I got the update today and now samba (after compiling) isn't working as I expect it to work. In fact dovecot/pfsense cannot authenticate users anymore.

What I see in the logs:

2022/01/23 20:31:10.008619, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2022/01/23 20:31:10.011317, 0] ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
_tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - The request is invalid.. Failed to set default priorities
[2022/01/23 20:31:10.011428, 3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 22:Invalid argument'
[2022/01/23 20:31:21.797979, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of secrets.ldb

I compiled samba before the update like this and it worked:

export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig

Hi,

export PKG_CONFIG_PATH is not needed anymore, after deciding that we can't install various devel packages of the same software

so you just need BuildRequires pkgconfig(gnutls) and pkgconfig(nettle) >= 3.7 to install the correct devel packages

BuildRequires: pkgconfig(gnutls) >= 3.7.2
BuildRequires: pkgconfig(nettle) >= 3.7.3
BuildRequires: pkgconfig(hogweed) >= 3.4.1

pkg-config will work correctly

/usr/bin/pkg-config "gnutls >= 3.6.8" --cflags --libs gnutls

./configure
make

I haven't found any compat-nettle in /usr/lib64

compat-gnutls34 is present, samba also compiled and installed fine but I cannot authenticate anymore.

I'm using centos 7 and samba-4.15.4

Thanks for hints

Juergen

On Thursday, January 20, 2022 15:53 CET, Sérgio Basto via samba <samba at lists.samba.org> wrote:

Hi,

copr sergiomb/SambaAD update finished

mock -r epel-7-x86_64 -a https://download.copr.fedorainfracloud.org/results/sergiomb/SambaAD/epel-7-x86_64/ install "pkgconfig(gnutls) >= 3.5"

installs compat-gnutls37-devel.x86_64

any feedback is welcome

Best regards,

On Mon, 2022-01-17 at 14:50 +0000, Sérgio Basto wrote:
> Hi, added contacts from previous thread (back to 2020 )
>
> as requested I will update sergiomb/SambaAD with compat-gnutls 3.7.2
> and its dependencies.
>
> Hopefully was just follow c9-beta [1] .
>
> Centos 9 is just a continuation of Centos 8 , but now Centos will be
> ahead of RHEL, i.e., first will come out centos 9 stream and just after
> RHEL 9 , that is why the release number was bumped. AFAIU
>
> [1]
> https://git.centos.org/rpms/nettle/tree/c9-beta
> https://git.centos.org/rpms/gnutls/tree/c9-beta
>
> On Mon, 2022-01-17 at 14:36 +0100, Volker Lendecke wrote:
> > Hi Sérgio,
> >
> > that looks very good, thanks!
> >
> > Can you move that to just SambaAD?
> >
> > Thanks!
> >
> > Volker
> >
> > On Mon, Jan 17, 2022 at 01:13:58AM +0000, Sérgio Basto wrote:
> > > Please test it in SambaAD-testing copr
> > >
> > > https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD-testing/
> > >
> > > if it is good I will move to SambaAD
> > >
> > > On Sat, 2022-01-15 at 15:02 +0000, Sérgio Basto wrote:
> > > > Checking ...
> > > >
> > > > On Fri, 2022-01-14 at 11:39 +0100, Volker Lendecke wrote:
> > > > > Hi Sergio,
> > > > >
> > > > > due to
> > > > > https://gitlab.com/samba-team/samba/-/merge_requests/2327 and
> > > > > the fix in
> > > > > https://gitlab.com/gnutls/gnutls/-/merge_requests/1396
> > > > > we're considering to require gnutls 3.7.2 to build Samba on
> > > > > RHEL7. As
> > > > > we're using your copr repo in our gitlab CI infrastructure, it
> > > > > would
> > > > > be great if we could get 3.7.2 in copr. Would that be possible?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Volker
> > >
> > > --
> > > Sérgio M. B.
>
> --
> Sérgio M. B.

--
Sérgio M. B.
Kris Lou
2022-Oct-14 23:45 UTC
[Samba] gnutls 3.7.2 in https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/ ?
> 2022/01/23 20:31:10.008619, 3]
> ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect) ldb_wrap open of
> secrets.ldb [2022/01/23 20:31:10.011317, 0]
> ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
> _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 -
> The request is invalid.. Failed to set default priorities

I just encountered this with Tranquil.IT's 4.16.5 packages on CentOS 7 -- which also includes compat-gnutls37. As previously mentioned, it seems to break TLS and thus LDAPS, and probably more. This was not an issue with Samba 4.15.x/compat-gnutls34.

After more digging [1] (among others), it appears that compat-gnutls37 (both from the COPR [2] and Tranquil.IT) look for a systemwide config file that doesn't exist and isn't created by the package -- /etc/crypto-policies/back-ends/gnutls.config.

Creating this file (with Johannes' defaults [1] ) seems to fix this issue. It'd be nice if this were deployed with the package, but considering that it seems to be a "system" config, there might be unintended consequences. (Perhaps using NORMAL[3]?)

/etc/crypto-policies/backends/gnutls.config

    [priorities]
    # Johannes Engel version
    #SYSTEM = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
    # Or set to NORMAL as a reasonable default?
    SYSTEM = NORMAL

Hope this helps someone else with legacy systems ...

-Kris

[1] https://lists.samba.org/archive/samba/2020-December/233651.html
[2] https://download.copr.fedorainfracloud.org/results/sergiomb/SambaAD/epel-7-x86_64/03203991-compat-gnutls37/compat-gnutls37.spec
[3] https://gnutls.org/manual/html_node/Priority-Strings.html

Kris Lou
klou at themusiclink.net
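An added example, not part of the original post or of any package mentioned in the thread: a POSIX shell check for the condition described above. It reports whether the GnuTLS priority file (path as first written in the post) is missing or has no SYSTEM key in its [priorities] section, and counts the "Failed to set default priorities" message in a Samba log; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check for the missing GnuTLS priority file described above.
# Default path is the one first written in the post; function names are made up.
GNUTLS_CFG_DEFAULT=/etc/crypto-policies/back-ends/gnutls.config

# Print "missing", "no-system-key" or "ok:<priority string>" for a config file.
check_gnutls_priorities() {
    cfg=${1:-$GNUTLS_CFG_DEFAULT}
    [ -r "$cfg" ] || { echo "missing"; return 0; }
    # First uncommented SYSTEM key inside the [priorities] section.
    value=$(awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[priorities\][ \t]*$/); next }
        in_sec && /^[ \t]*SYSTEM[ \t]*=/ {
            sub(/^[ \t]*SYSTEM[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print; exit
        }' "$cfg")
    if [ -n "$value" ]; then echo "ok:$value"; else echo "no-system-key"; fi
}

# Count the TLS failure message shown in the thread in a Samba log file.
count_priority_failures() {
    grep -c 'Failed to set default priorities' "$1" || true
}

demo() {
    tmp=$(mktemp -d)
    # Constructed sample: the file contents proposed in the post.
    cat > "$tmp/gnutls.config" <<'EOF'
[priorities]
#SYSTEM = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
SYSTEM = NORMAL
EOF
    # Constructed sample log built from the message quoted in the thread.
    cat > "$tmp/log.samba" <<'EOF'
[2022/01/23 20:31:10.011317,  0] ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
  _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 - The request is invalid.. Failed to set default priorities
EOF
    echo "absent file : $(check_gnutls_priorities "$tmp/absent.config")"
    echo "sample file : $(check_gnutls_priorities "$tmp/gnutls.config")"
    echo "log failures: $(count_priority_failures "$tmp/log.samba")"
    rm -rf "$tmp"
}
demo
```

Called with no argument, `check_gnutls_priorities` inspects the default path on the running host.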