Building Samba master on CentOS 7 (gnutls)

[Andrew Bartlett]

On Wed, 2019-09-18 at 22:01 -0400, Nico Kadel-Garcia wrote:
> On Wed, Sep 18, 2019 at 7:33 PM Andrew Bartlett via samba-technical
> <samba-technical at lists.samba.org> wrote:
> 
> > We can't easily add comments like that to the bootstap.sh, but a README
> > might work.  Only trouble is that you will need to modify
> > bootstrap/template.py to also exclude that new file from the sha1sum
> > calcuations.
> > 
> > Getting a better gnutls34 or later package into EPEL without the
> > conflicts would also be really helpful.
> 
> The published compat-gnutls34 and compat-nettle32 from have "devel"
> packages that conflict with the default gnutls and nettle packages.
> There are probably more graceful ways around them, but they'd need
> some hooks in the samba building tools to *find* and use the
> alternative locations.

We are already setting 

> Is there any chance that the alternative, mit-krb5 based Kerberos
> setups are good enough to use for samba-4.11?

This was also asked by someone else yesterday.  The answer is still no.

>  Fedora has been enabling
> them in rawhide, but I don't know if all the older components in RHEL
> 7 or now RHEL 8 are recent and play nicely, and I for one have not had
> the spare stable build environment to test it out lately.

The issue isn't with MIT Kerberos per se, but the whole combined work
is not supported as an AD DC.  The effort largely stopped before RHEL8
branched from Fedora, so the right packages will be in place, but that
isn't the problem.  

The problem is resources to support it (issuing security patches etc),
the additional tests needed (because everything has changed) and the
missing features.

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba