Why is gnutls-3.4.7 needed for samba-4.8.0 with "--with-dc" enabled?

Alexander Bokovoy ab at samba.org
Mon Apr 23 05:59:20 UTC 2018

On ma, 23 huhti 2018, Volker Lendecke wrote:
> On Mon, Apr 23, 2018 at 07:25:10AM +0300, Alexander Bokovoy via samba-technical wrote:
> > On su, 22 huhti 2018, Nico Kadel-Garcia via samba-technical wrote:
> > > I've been looking at backporting Samba 4.8.0 to RHEL and CentOS 7, and
> > > see that there is a hard-coded dependency for gnutls 3.4.7 or later
> > > iif "--with-dc" is enabled. Backporting gnutls-3.4.7 into RHEL or
> > > CentOS 7 is.... a lot more work than I'd personally want to take on.
> > > 
> > > Is the dependency on gnutls-3.4.7 a hard dependency?
> > Yes, it is. Backupkey remote protocol implementation relies on the
> > functionality that is provided by gnutls-3.4.7 or later. 
> Is that protocol a strict requirement for an AD controller? Or would
> it be possible to add a --without-backupkey-remote-protocol switch and
> still serve AD?
Yes, I think it is a strict requirement if we want to support DPAPI
(https://msdn.microsoft.com/en-us/library/ms995355.aspx) which is part
of Windows API set for quite a long time (since at least Windows 2000).
For example, there are known issues with Credential Manager in Windows
if DPAPI is failing.

/ Alexander Bokovoy

More information about the samba-technical mailing list