[MS-BKRP] backupkey server and GnuTLS

Andreas Schneider asn at samba.org
Wed Dec 2 08:43:43 UTC 2015


On Wednesday 02 December 2015 12:03:06 Garming Sam wrote:
> Hi Andreas,
> 
> That was mostly what I was expecting. Well, the configure identifies that
> my system is missing the package, although a better error message could
> be nice. Some of the others, like ldap, suggest some packages to install.
> I would suggest rearranging the code so that the conf.fatal is triggered
> and make sure to include the minimum version in that user message.

Well, the question is if we want to require GnuTLS 3.2 or not.

Can you test if only the changes to the torture test work on your machine?

> 
> However, libcups2-dev appears to rely on libgnutls-dev and installing
> libgnutls28-dev removes it (and reinstalling libcups2-dev will remove
> libgnutls28-dev).
> 
> I also originally thought gnutls_x509_privkey_import_rsa_raw2 was
> usable, but there was an odd linkage error. That might be on my end but
> it's not really important if the requirement is higher.
> 
> I presume the question will be supporting CentOS 6, and regarding
> impact, this would probably have to be fielded to others.

The option I see is that we are looking for GnuTLS 3.4.7; if present, we build

dcesrv_backupkey_gnutls.c

if not, and we do a Heimdal build, we build the old code which we rename to:

dcesrv_backupkey_heimdal.c

We might need to require MIT Kerberos 1.13 for an AD DC build, because earlier 
versions have race conditions in the replay cache or do not support features 
we need, like GSS_KRB5_CRED_NO_CI_FLAGS_X for SPNEGO which is required for 
working TLS support. I'm also currently working on support for 

Things we need to discuss ...

> 
> Cheers,
> 
> Garming
> 
> On 02/12/15 03:41, Andreas Schneider wrote:
> > I've updated my branch which has additional patches to fix building without
> > Heimdal and I've also added patches to require GnuTLS 3.2.0.
> > 
> > It should be working on your Ubuntu if you install libgnutls28-dev. Could
> > you please verify that?
> > 
> > Metze is currently updating autobuild to Ubuntu 14.04. So if everything
> > works on 14.04 we would be good to go with version 3.2.0 of GnuTLS.
> > 
> > If someone disagrees we have to either use Heimdal if not available or add
> > gnutls to third_party/
> > 
> > 
> > Cheers,
> > 
> > 	-- andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org


