Require GnuTLS 3.4.7 for Samba 4.12 in March 2020?

Nico Kadel-Garcia nkadel at gmail.com
Thu Aug 1 10:34:17 UTC 2019


On Wed, Jul 31, 2019 at 1:57 AM Andreas Schneider via samba-technical
<samba-technical at lists.samba.org> wrote:
>
> On Wednesday, July 31, 2019 6:25:55 AM CEST Andrew Bartlett via samba-
> technical wrote:
> > I'm reviewing "Use GnuTLS AES ciphers if supported by the installed
> > GnuTLS version" for Andreas.
> >
> > https://gitlab.com/samba-team/samba/merge_requests/669
> >
> > The one thing I really don't like is the #ifdef on HAVE_GNUTLS_AEAD.  I
> > would prefer we just chose to rely on GnuTLS. [1]
> >
> > Duplicated code is bad, duplicated crypto code is particularly bad and
> > I would really like to remove our existing duplicates rather than add
> > more.
> >
> > Not only are we short on maintenance resources, we would also need to
> > restructure our testsuite to force a non-GnuTLS build to ensure we
> > actually test this at all.
> >
> > In doing so I know many folks really like running current Samba (both
> > as an AD DC and fileserver) on older enterprise distributions.
> >
> > In this case, RHEL 8, Ubuntu 16.04 and current Debian stable
> > all have GnuTLS versions later than 3.4.7.
>
> Also SLE15 offers newer GnuTLS via an update.
>
> Also note that the older the distro the more likely it is that there is no
> python3 available. RHEL7 will have to stick to 4.10 as it is the last version
> supporting python2.

Python 3.6 is available from EPEL for RHEL 7. It's also available as
an "sclo" package, the Software Collections Library offered by RHEL. My
published tools, and several other sets of tools, use the EPEL binaries
quite successfully for Samba 4.10. EPEL is unfortunately not
officially supported by Red Hat, so it doesn't have the industry grade
"I can call Red Hat in the middle of the night and yell at them when
an update broke my server" support that may be necessary for a high
availability business critical service.

I will give Samba credit that the community has usually been more
responsive to critical problems or debugging than even a good
professional support team.

> That you can build a newer Samba version with python3 support is only possible
> because of EPEL7 repositories. I'm not sure something like that is offered.

I'm not publishing binaries, but am publishing source code to build
RPMs and SRPMs at https://github.com/nkadel/samba4repo with various
git submodules. Several other folks publish binaries, like Sergio's
work at https://github.com/sergiomb2/SambaAD .

I'm just waiting on a bundled tdb 4.1 or tdb 4.1rc1 to test Samba
4.11rc1 with my structure. Since ldb, tdb, tevent, and talloc all
require major version updates, and the updates are incompatible with
4.10 as best I can tell, I'm not ready to mix those with the main
code line.

> Cheers,
>
>
>         Andreas
>
>
> --
> Andreas Schneider                      asn at samba.org
> Samba Team                             www.samba.org
> GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
>
>
>
