[Samba] How to compile gnutls to samba-4.12.3

Andrew Bartlett abartlet at samba.org
Thu Jun 18 02:43:27 UTC 2020

On Thu, 2020-06-18 at 03:29 +0100, Sérgio Basto via samba wrote:
> On Wed, 2020-06-17 at 22:03 -0400, Rommel Rodriguez Toirac via samba
> wrote:
> > Hello all;
> >  sorry almost the offtopic.
> > 
> >  I want to upgrade to samba-4.12.3.tar.gz on CentOS 7 and has
> > problem
> > installing gnutls.
> > 
> > How can I install gnutls?
> > Has anyone got CentOS 7 and samba-4.12.3 installed and fixed this
> > situation that explaim me how to do that?
> I made compat-gnutls34 and compat-nettle32 packages , because half of
> Centos 7 depends system gnutls and you can't just upgrade it .
> After install compat-gnutls34 and compat-nettle32 before run
> ./configure you just need run export
> PKG_CONFIG_PATH=/usr/lib64/compat-
> gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig

Thank you so much for doing this.  This work enabled us to rid Samba of
a significant amount of in-tree cryptography. 

> Just a note you just need gnutls-3.4.7 if you will use MIT Kerberos
> integration if you use Heimdal Kerberos I think gnutls of Centos
> 7still enough [3] . 

Thanks to the availability of this package, and of course the
incredible efforts of Andreas and others who did the work on the
transition, we now do require a modern GnuTLS (3.4.7) even with
Heimdal, the system one on RHEL7 is no longer enough. 

If we could get an even more modern version then we can consider
removing even more duplicate in-house cryptography. 

My only concern is that now a significant number of Samba installs will
rely on this work, so if there is a security issue in GnuTLS, depending
on how people install the packages (using copr, or via the copy of the
packages and repos at https://samba.tranquil.it/centos7/, or downloaded
and installed locally) it may take quite some effort to get the fixes
to everyone. 

What I would say to Samba users installing Samba 4.12: if at all
possible, please take this opportunity to upgrade to RHEL 8 / CentOS 8.

Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          

More information about the samba mailing list