Require GnuTLS 3.4.7 for Samba 4.12 in March 2020?

Nico Kadel-Garcia nkadel at gmail.com
Wed Jul 31 05:37:10 UTC 2019


On Wed, Jul 31, 2019 at 1:33 AM Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>
> On Wed, Jul 31, 2019 at 12:27 AM Andrew Bartlett via samba-technical
> <samba-technical at lists.samba.org> wrote:
> >
> > I'm reviewing "Use GnuTLS AES ciphers if supported by the installed
> > GnuTLS version" for Andreas.
> >
> > https://gitlab.com/samba-team/samba/merge_requests/669
> >
> > The one thing I really don't like is the #ifdef on HAVE_GNUTLS_AEAD.  I
> > would prefer we just chose to rely on GnuTLS. [1]
> >
> > Duplicated code is bad, duplicated crypto code is particularly bad and
> > I would really like to remove our existing duplicates rather than add
> > more.
> >
> > Not only are we short on maintenance resources, we would also need to
> > restructure our testsuite to force a non-GnuTLS build to ensure we
> > actually test this at all.
> >
> > In doing so I know many folks really like running current Samba (both
> > as an AD DC and fileserver) on older enterprise distributions.
> >
> > In this case, RHEL 8, Ubuntu 16.04 and current Debian stable
> > all have GnuTLS versions later than 3.4.7.
> >
> > So, what do folks think?  This would be for Samba 4.12 to be released
> > in March 2020.
> >
> > To see how much can be removed, I'm exploring the idea in this WIP MR:
> > https://gitlab.com/samba-team/samba/merge_requests/676
> >
> > Note, for CentOS 7 and earlier it may be possible to use
> > https://github.com/nkadel/compat-gnutls34-3.x-srpm
> >
> > Andrew Bartlett

I only repackage that, I didn't write it. Credit where it's due, and
quoting from the README.md there:

>>This is based on sergiomb2's work at
>>
>>  https://github.com/sergiomb2/SambaAD

So Sergio gets credit. But I'm already using it for RHEL 7/CentOS 7.
I've done some very limited testing with RHEL 8, but am waiting for
CentOS 8 to finally be released to really test that.

> > [1] Sadly we couldn't totally remove the Samba AES code, as SMB 2.24
> > requires AES-CMAC-128, but the impact would be far more constrained.

Fair enough. I'd say accept the requirement of a compatibility library
for older operating systems, and I'm glad Sergio did most of the work.

Nico Kadel-Garcia


