Discussion:
Why is gnutls-3.4.7 needed for samba-4.8.0 with "--with-dc" enabled?
Nico Kadel-Garcia via samba-technical
2018-04-22 18:00:55 UTC
I've been looking at backporting Samba 4.8.0 to RHEL and CentOS 7, and
see that there is a hard-coded dependency for gnutls 3.4.7 or later
if "--with-dc" is enabled. Backporting gnutls-3.4.7 into RHEL or
CentOS 7 is.... a lot more work than I'd personally want to take on.

Is the dependency on gnutls-3.4.7 a hard dependency?
Alexander Bokovoy via samba-technical
2018-04-23 04:25:10 UTC
Post by Nico Kadel-Garcia via samba-technical
I've been looking at backporting Samba 4.8.0 to RHEL and CentOS 7, and
see that there is a hard-coded dependency for gnutls 3.4.7 or later
if "--with-dc" is enabled. Backporting gnutls-3.4.7 into RHEL or
CentOS 7 is.... a lot more work than I'd personally want to take on.
Is the dependency on gnutls-3.4.7 a hard dependency?
Yes, it is. Backupkey remote protocol implementation relies on the
functionality that is provided by gnutls-3.4.7 or later.
--
/ Alexander Bokovoy
Volker Lendecke via samba-technical
2018-04-23 05:30:50 UTC
Post by Alexander Bokovoy via samba-technical
Post by Nico Kadel-Garcia via samba-technical
I've been looking at backporting Samba 4.8.0 to RHEL and CentOS 7, and
see that there is a hard-coded dependency for gnutls 3.4.7 or later
if "--with-dc" is enabled. Backporting gnutls-3.4.7 into RHEL or
CentOS 7 is.... a lot more work than I'd personally want to take on.
Is the dependency on gnutls-3.4.7 a hard dependency?
Yes, it is. Backupkey remote protocol implementation relies on the
functionality that is provided by gnutls-3.4.7 or later.
Is that protocol a strict requirement for an AD controller? Or would
it be possible to add a --without-backupkey-remote-protocol switch and
still serve AD?

Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:***@sernet.de
Alexander Bokovoy via samba-technical
2018-04-23 05:59:20 UTC
Post by Volker Lendecke via samba-technical
Post by Alexander Bokovoy via samba-technical
Post by Nico Kadel-Garcia via samba-technical
I've been looking at backporting Samba 4.8.0 to RHEL and CentOS 7, and
see that there is a hard-coded dependency for gnutls 3.4.7 or later
if "--with-dc" is enabled. Backporting gnutls-3.4.7 into RHEL or
CentOS 7 is.... a lot more work than I'd personally want to take on.
Is the dependency on gnutls-3.4.7 a hard dependency?
Yes, it is. Backupkey remote protocol implementation relies on the
functionality that is provided by gnutls-3.4.7 or later.
Is that protocol a strict requirement for an AD controller? Or would
it be possible to add a --without-backupkey-remote-protocol switch and
still serve AD?
Yes, I think it is a strict requirement if we want to support DPAPI
(https://msdn.microsoft.com/en-us/library/ms995355.aspx), which has been part
of the Windows API set for quite a long time (since at least Windows 2000).
For example, there are known issues with Credential Manager in Windows
if DPAPI is failing.
--
/ Alexander Bokovoy
Garming Sam via samba-technical
2018-04-26 00:07:41 UTC
Hi,

We had all sorts of things break when Windows updated to require a call
in BackupKey we didn't implement (now a few years back). Outlook
accounts suddenly stopped working and credentials manager fails to open.

Cheers,

Garming
Post by Alexander Bokovoy via samba-technical
Post by Volker Lendecke via samba-technical
Post by Alexander Bokovoy via samba-technical
Post by Nico Kadel-Garcia via samba-technical
I've been looking at backporting Samba 4.8.0 to RHEL and CentOS 7, and
see that there is a hard-coded dependency for gnutls 3.4.7 or later
if "--with-dc" is enabled. Backporting gnutls-3.4.7 into RHEL or
CentOS 7 is.... a lot more work than I'd personally want to take on.
Is the dependency on gnutls-3.4.7 a hard dependency?
Yes, it is. Backupkey remote protocol implementation relies on the
functionality that is provided by gnutls-3.4.7 or later.
Is that protocol a strict requirement for an AD controller? Or would
it be possible to add a --without-backupkey-remote-protocol switch and
still serve AD?
Yes, I think it is a strict requirement if we want to support DPAPI
(https://msdn.microsoft.com/en-us/library/ms995355.aspx), which has been part
of the Windows API set for quite a long time (since at least Windows 2000).
For example, there are known issues with Credential Manager in Windows
if DPAPI is failing.