[Samba] gnutls 3.7.2 in https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/ ?
Kris Lou
klou at themusiclink.net
Fri Oct 14 23:45:59 UTC 2022
>
> 2022/01/23 20:31:10.008619, 3]
> ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect) ldb_wrap open of
> secrets.ldb [2022/01/23 20:31:10.011317, 0]
> ../../source4/lib/tls/tls_tstream.c:1300(_tstream_tls_accept_send)
> _tstream_tls_accept_send: TLS ../../source4/lib/tls/tls_tstream.c:1300 -
> The request is invalid.. Failed to set default priorities
I just encountered this with Tranquil.IT's 4.16.5 packages on CentOS 7 --
which also includes compat-gnutls37. As previously mentioned, it seems to
break TLS and thus LDAPS, and probably more. This was not an issue with
Samba 4.15.x/compat-gnutls34.
After more digging [1] (among others), it appears that compat-gnutls37
(both from the COPR [2] and Tranquil.IT) look for a systemwide config file
that doesn't exist and isn't created by the package --
/etc/crypto-policies/back-ends/gnutls.config.
Creating this file (with Johannes' defaults [1] ) seems to fix this issue.
It'd be nice if this were deployed with the package, but considering that
it seems to be a "system" config, there might be unintended consequences.
(Perhaps using NORMAL[3]?)
/etc/crypto-policies/backends/gnutls.config
[priorities]
# Johannes Engel version
#SYSTEM = SECURE192:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
# Or set to NORMAL as a reasonable default?
SYSTEM = NORMAL
Hope this helps someone else with legacy systems ...
-Kris
[1] https://lists.samba.org/archive/samba/2020-December/233651.html
[2]
https://download.copr.fedorainfracloud.org/results/sergiomb/SambaAD/epel-7-x86_64/03203991-compat-gnutls37/compat-gnutls37.spec
[3] https://gnutls.org/manual/html_node/Priority-Strings.html
Kris Lou
klou at themusiclink.net
>
More information about the samba
mailing list