Samba is broken on openSUSE and Fedora since commit: commit 43d3e90418b5e0ac5986e08f9483146f4f5d2357 Author: Garming Sam <garming@catalyst.net.nz> AuthorDate: Fri Feb 13 09:54:50 2015 +1300 Commit: Andrew Bartlett <abartlet@samba.org> CommitDate: Wed Feb 25 01:08:12 2015 +0100 backupkey: replace heimdal rsa key generation with GnuTLS We use GnuTLS because it can reliably generate 2048 bit keys every time. Windows clients strictly require 2048, no more since it won't fit and no less either. Heimdal would almost always generate a smaller key. Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10980 FAILED (1698 failures, 151 errors and 2 unexpected successes in 792 testsuites) I bisected it down to this commit on an openSUSE 13.2 system. gnutls-3.2.18-4.1.x86_64 A colleague is having this issue with Fedora 21, gnutls-3.3.12-1.fc21.x86_64
Can you please upload the log output?
Created attachment 10820 [details] test.log
I identified already several issues: a) We offer an option --disable-gnutls if you set it then Samba fails to link cause dcerpc_backupkey.c needs to link against gnutls b) in the wscript_build file for the rpc_server which builds backupkey it doesn't link against gnutls. Trough some mysterious dependency gnutls is linked.
Hi this problem migth be related to this entry too. I have been trying to build AD enabled samba 4.2.0 on centos-6 and centos-7 The build of 4.2.0rc5 with the same spec was fine on the same systems With 4.2.0 I get the following error default/source4/rpc_server/backupkey/dcesrv_backupkey_24.o: In function `create_heimdal_rsa_key': /root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:808: undefined reference to `gnutls_global_init' /root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:811: undefined reference to `gcry_control' /root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:813: undefined reference to `gnutls_x509_privkey_init' /root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:826: undefined reference to `gnutls_x509_privkey_generate' /root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:906: undefined reference to `gnutls_x509_privkey_deinit' /root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:907: undefined reference to `gnutls_global_deinit' /root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:833: undefined reference to `gnutls_x509_privkey_export' /root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:860: undefined reference to `gnutls_x509_privkey_export' /root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:906: undefined reference to `gnutls_x509_privkey_deinit' /root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:907: undefined reference to `gnutls_global_deinit' collect2: error: ld returned 1 exit status Waf: Leaving directory `/root/rpmbuild/BUILD/samba-4.2.0/bin' Build failed: -> task failed (err #1): {task: cc_link dcesrv_wkssvc_16.o,samba_server_gensec_8.o,forward_3.o,reply_3.o,dcesrv_auth_3.o,loadparm_3.o,dcesrv_backupkey_24.o,rpc_winreg_20.o,ntptr_simple_ldb_1.o,dcerpc_netlogon_21.o,dcesrv_samr_18.o,samr_password_18.o,dcesrv_eventlog6_29.o,dcerpc_dnsserver_30.o,dnsutils_30.o,dnsdata_30.o,dnsdb_30.o,dcesrv_drsuapi_27.o,updaterefs_27.o,getncchanges_27.o,addentry_27.o,writespn_27.o,drsutil_27.o,dcesrv_srvsvc_14.o,srvsvc_ntvfs_14.o,dcerpc_server_5.o,dcesrv_mgmt_5.o,handles_5.o,rpc_echo_11.o,dcesrv_spoolss_26.o,dcesrv_browser_28.o,dcesrv_remote_13.o,dcesrv_lsa_22.o,lsa_init_22.o,lsa_lookup_22.o,dcesrv_unixinfo_17.o,ntptr_base_2.o,ntptr_interface_2.o,rpc_epmapper_12.o,ndr_backupkey_c_151.o -> libdcerpc-server.so} make: *** [all] Error 1 I have added --enable-gnutls to the configure with no sucess The configure options for centos-7 are ./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --enable-fhs --prefix=/usr --with-dnsupdate --with-ads --with-acl-support --with-automount --with-pam_smbpass --with-quotas --with-sendfile-support --with-syslog --with-utmp --with-winbind --with-aio-support --enable-cups --enable-gnutls --with-piddir=/run --with-sockets-dir=/run/samba --mandir=/usr/share/man --libdir=/usr/lib64 --with-privatedir=/etc/samba --with-modulesdir=/usr/lib64/samba --with-pammodulesdir=/usr/lib64/security --with-shared-modules=idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2 --with-lockdir=/var/lib/samba --with-cachedir=/var/lib/samba --disable-gnutls --disable-rpath-install --with-shared-modules=idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2,pdb_tdbsam,pdb_ldap,pdb_ads,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4,auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4 '--bundled-libraries=heimdal,!zlib,!popt,talloc,pytalloc,pytalloc-util,tevent,pytevent,tdb,pytdb,ldb,pyldb' --with-pam --without-fam --disable-glusterfs --with-cluster-support --with-profiling-data --with-systemd The following gnu-tls versions are installed 2.8.5-14.el6_5 (Centos-6) gnutls-devel-3.1.18-10.el7_0 (Centos-7) Regards Hansjörg
Hi I checked the spec file again and there was a --disable-gnutls \ after the --enable-gnutls \ I added I removed --disable-gnutls and the I was able to compile again. With rc5 the spec file with --disable-gnutls was fine Regards Hansjörg
This is related to the change that caused this bug. The configure system checks that the version of gnutls is new enough but it does not check the version of gcrypt. Also, the check for the version of gnutls assumes that gnutls is installed as a package. It is possible to have these installed but not as a package. The .h files contain version information. On Solaris 10, both are available but both are way too old. It is the old version of gcrypt that is causing the build to blow up.
Created attachment 10832 [details] patch for master
Created attachment 10833 [details] patch for master v2
I'm unable to reproduce the test failures on CentOS7 or Fedora 21, so I'll just deal with this from the build failure side of things.
The issue is probably --disable-gnutls which has not been adapted to the latest changes!
Created attachment 10865 [details] patch for master that handles --disable-gnutls and removes the extra linking
Created attachment 10866 [details] patch for master that handles --disable-gnutls and removes the extra linking This version adds the BUG lines that help tracking this in other branches.
Created attachment 10867 [details] patch for master that handles --disable-gnutls and removes the extra linking (sorry, attached wrong patch)
Created attachment 10871 [details] 4.2 patch cherry-picked from master This handles --disable-gnutls and removes the extra linking
Comment on attachment 10871 [details] 4.2 patch cherry-picked from master LGTM
Karolin, please add the patch to 4.2. Thanks!
Just to help find the bugs, bug 11097 is the original bug that added ServerWrap support for BackupKey
Pushed to autobuild-v4-2-test.
(In reply to Karolin Seeger from comment #18) Pushed to v4-2-test. Closing out bug report. Thanks!