Why is gnutls-3.4.7 needed for samba-4.8.0 with "--with-dc" enabled?

Garming Sam garming at catalyst.net.nz
Thu Apr 26 00:07:41 UTC 2018


We had all sorts of things break when Windows updated to require a call
in BackupKey we didn't implement (now a few years back). Outlook
accounts suddenly stopped working and credentials manager fails to open.



On 23/04/18 17:59, Alexander Bokovoy via samba-technical wrote:
> On Mon, 23 Apr 2018, Volker Lendecke wrote:
>> On Mon, Apr 23, 2018 at 07:25:10AM +0300, Alexander Bokovoy via samba-technical wrote:
>>> On Sun, 22 Apr 2018, Nico Kadel-Garcia via samba-technical wrote:
>>>> I've been looking at backporting Samba 4.8.0 to RHEL and CentOS 7, and
>>>> see that there is a hard-coded dependency for gnutls 3.4.7 or later
>>>> if "--with-dc" is enabled. Backporting gnutls-3.4.7 into RHEL or
>>>> CentOS 7 is.... a lot more work than I'd personally want to take on.
>>>> Is the dependency on gnutls-3.4.7 a hard dependency?
>>> Yes, it is. Backupkey remote protocol implementation relies on the
>>> functionality that is provided by gnutls-3.4.7 or later. 
>> Is that protocol a strict requirement for an AD controller? Or would
>> it be possible to add a --without-backupkey-remote-protocol switch and
>> still serve AD?
> Yes, I think it is a strict requirement if we want to support DPAPI
> (https://msdn.microsoft.com/en-us/library/ms995355.aspx) which is part
> of Windows API set for quite a long time (since at least Windows 2000).
> For example, there are known issues with Credential Manager in Windows
> if DPAPI is failing.
