Kris Lou
2022-Oct-14 23:45 UTC
[Samba] gnutls 3.7.2 in https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/ ?
> > 2022/01/23 20:31:10.008619, 3]
> > ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect) ldb_wrap open of
> > secrets.ldb [2022/01/23 20:31:10.011317, 0]
> > ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
> > _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 -
> > The request is invalid.. Failed to set default priorities

I just encountered this with Tranquil.IT's 4.16.5 packages on CentOS 7 --
which also includes compat-gnutls37. As previously mentioned, it seems to
break TLS and thus LDAPS, and probably more. This was not an issue with
Samba 4.15.x/compat-gnutls34.

After more digging [1] (among others), it appears that compat-gnutls37
(both from the COPR [2] and Tranquil.IT) look for a systemwide config file
that doesn't exist and isn't created by the package --
/etc/crypto-policies/back-ends/gnutls.config.

Creating this file (with Johannes' defaults [1]) seems to fix this issue.
It'd be nice if this were deployed with the package, but considering that
it seems to be a "system" config, there might be unintended consequences.
(Perhaps using NORMAL [3]?)

/etc/crypto-policies/backends/gnutls.config

[priorities]
# Johannes Engel version
#SYSTEM = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
# Or set to NORMAL as a reasonable default?
SYSTEM = NORMAL

Hope this helps someone else with legacy systems ...

-Kris

[1] https://lists.samba.org/archive/samba/2020-December/233651.html
[2] https://download.copr.fedorainfracloud.org/results/sergiomb/SambaAD/epel-7-x86_64/03203991-compat-gnutls37/compat-gnutls37.spec
[3] https://gnutls.org/manual/html_node/Priority-Strings.html

Kris Lou
klou at themusiclink.net
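As an added example (not code from the thread or from the COPR packages), a small POSIX sh helper that deploys the system priority file the way Kris describes without clobbering one that already exists, and reads the SYSTEM value back so the result can be checked; it assumes the back-ends path from the --with-system-priority-file spec flag quoted later in the thread, NORMAL as the default priority, and that gnutls-cli (optional, used only for validation) may or may not be installed.

```shell
#!/bin/sh
# Added example: create the gnutls system priority file that compat-gnutls37
# expects. The directory is normally /etc/crypto-policies/back-ends; it is a
# parameter here so the helper can be exercised in a scratch directory.

ensure_gnutls_config() {
    dir="$1"                  # e.g. /etc/crypto-policies/back-ends
    prio="${2:-NORMAL}"       # gnutls priority string, NORMAL by default
    file="$dir/gnutls.config"
    # Never overwrite: on EL8 this file is a symlink owned by crypto-policies.
    if [ -e "$file" ]; then
        echo "keeping existing $file" >&2
        return 0
    fi
    mkdir -p "$dir" || return 1
    printf '[priorities]\nSYSTEM = %s\n' "$prio" > "$file" || return 1
    chmod 0644 "$file"        # world-readable, root-writable, like the EL8 copy
}

# Read back the SYSTEM priority from a config file in the given directory.
read_system_priority() {
    sed -n 's/^SYSTEM[[:space:]]*=[[:space:]]*//p' "$1/gnutls.config"
}

# Optional sanity check: gnutls-cli --list --priority PRIO expands the string
# and fails on a syntax error. Skipped (success) when gnutls-cli is absent.
check_priority() {
    if command -v gnutls-cli >/dev/null 2>&1; then
        gnutls-cli --list --priority "$1" >/dev/null 2>&1
    else
        echo "gnutls-cli not installed; skipping priority validation" >&2
        return 0
    fi
}
```

Run it as root as `ensure_gnutls_config /etc/crypto-policies/back-ends NORMAL` and then restart Samba to re-run TLS initialisation.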
Nico Kadel-Garcia
2022-Oct-15 18:25 UTC
[Samba] gnutls 3.7.2 in https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/ ?
On Fri, Oct 14, 2022 at 7:48 PM Kris Lou via samba <samba at lists.samba.org> wrote:

> > > 2022/01/23 20:31:10.008619, 3]
> > > ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect) ldb_wrap open of
> > > secrets.ldb [2022/01/23 20:31:10.011317, 0]
> > > ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
> > > _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 -
> > > The request is invalid.. Failed to set default priorities
>
> I just encountered this with Tranquil.IT's 4.16.5 packages on CentOS 7 --
> which also includes compat-gnutls37. As previously mentioned, it seems to
> break TLS and thus LDAPS, and probably more. This was not an issue with
> Samba 4.15.x/compat-gnutls34.

These compatibility difficulties are why I've personally given up on
backporting current Samba releases to RHEL 7. Since RHEL 7 is on its last
legs, with maintenance support for ARM and Power platforms ended, it
doesn't seem like a wise place to invest the backporting effort for system
critical libraries like gnutls.

> After more digging [1] (among others), it appears that compat-gnutls37
> (both from the COPR [2] and Tranquil.IT) look for a systemwide config file
> that doesn't exist and isn't created by the package --
> /etc/crypto-policies/back-ends/gnutls.config.

Interesting catch. As it is, I'm staring at a CentOS 8's copy of that file,
and seeing this:

lrwxrwxrwx. 1 root root 45 Sep 29 07:53 gnutls.config -> /usr/share/crypto-policies/DEFAULT/gnutls.txt
[nkadel at nkadel-c8 back-ends]$ rpm -q -f gnutls.config
crypto-policies-20211116-1.gitae470d6.el8.noarch

So inserting it in RHEL 7 would probably be best done with a teeny accessory
RPM and a file dependency, to deploy it along the crypto-policies package.

> Creating this file (with Johannes' defaults [1]) seems to fix this issue.
> It'd be nice if this were deployed with the package, but considering that
> it seems to be a "system" config, there might be unintended consequences.
> (Perhaps using NORMAL [3]?)
>
> /etc/crypto-policies/backends/gnutls.config
>
> [priorities]
> # Johannes Engel version
> #SYSTEM = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
> # Or set to NORMAL as a reasonable default?
> SYSTEM = NORMAL
>
> Hope this helps someone else with legacy systems ...
>
> -Kris
>
> [1] https://lists.samba.org/archive/samba/2020-December/233651.html
> [2] https://download.copr.fedorainfracloud.org/results/sergiomb/SambaAD/epel-7-x86_64/03203991-compat-gnutls37/compat-gnutls37.spec
> [3] https://gnutls.org/manual/html_node/Priority-Strings.html
>
> Kris Lou
> klou at themusiclink.net
Sérgio Basto
2022-Oct-17 14:01 UTC
[Samba] gnutls 3.7.2 in https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/ ?
On Fri, 2022-10-14 at 16:45 -0700, Kris Lou via samba wrote:

> > > 2022/01/23 20:31:10.008619, 3]
> > > ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect) ldb_wrap open of
> > > secrets.ldb [2022/01/23 20:31:10.011317, 0]
> > > ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
> > > _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 -
> > > The request is invalid.. Failed to set default priorities
>
> I just encountered this with Tranquil.IT's 4.16.5 packages on CentOS 7 --
> which also includes compat-gnutls37. As previously mentioned, it seems to
> break TLS and thus LDAPS, and probably more. This was not an issue with
> Samba 4.15.x/compat-gnutls34.
>
> After more digging [1] (among others), it appears that compat-gnutls37
> (both from the COPR [2] and Tranquil.IT) look for a systemwide config file
> that doesn't exist and isn't created by the package --
> /etc/crypto-policies/back-ends/gnutls.config.
>
> Creating this file (with Johannes' defaults [1]) seems to fix this issue.
> It'd be nice if this were deployed with the package, but considering that
> it seems to be a "system" config, there might be unintended consequences.
> (Perhaps using NORMAL [3]?)
>
> /etc/crypto-policies/backends/gnutls.config
>
> [priorities]
> # Johannes Engel version
> #SYSTEM = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
> # Or set to NORMAL as a reasonable default?
> SYSTEM = NORMAL
>
> Hope this helps someone else with legacy systems ...

Hi,

Thank you for the report. Indeed this is a bug in the backport of gnutls 3.7
from epel 8 to epel 7.

I hadn't enough time to review this. I saw that I just commented out from
the gnutls spec:

#Requires: crypto-policies

and maybe it is just a matter of removing the line

--with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config

> -Kris
>
> [1] https://lists.samba.org/archive/samba/2020-December/233651.html
> [2] https://download.copr.fedorainfracloud.org/results/sergiomb/SambaAD/epel-7-x86_64/03203991-compat-gnutls37/compat-gnutls37.spec
> [3] https://gnutls.org/manual/html_node/Priority-Strings.html
>
> Kris Lou
> klou at themusiclink.net

-- 
Sérgio M. B.