Bug 11135 - 700 testsuites are failing since backupkey changed to gnutls
700 testsuites are failing since backupkey changed to gnutls
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
unspecified
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on: 11097
Blocks:
  Show dependency treegraph
 
Reported: 2015-03-05 15:32 UTC by Andreas Schneider
Modified: 2015-03-27 20:05 UTC (History)
6 users (show)

See Also:


Attachments
test.log (1.29 MB, text/plain)
2015-03-05 22:25 UTC, Andreas Schneider
no flags Details
patch for master (6.67 KB, patch)
2015-03-09 20:14 UTC, Andreas Schneider
no flags Details
patch for master v2 (7.57 KB, patch)
2015-03-09 20:22 UTC, Andreas Schneider
no flags Details
patch for master that handles --disable-gnutls and removes the extra linking (5.07 KB, patch)
2015-03-12 08:55 UTC, Andrew Bartlett
no flags Details
patch for master that handles --disable-gnutls and removes the extra linking (5.07 KB, patch)
2015-03-12 09:01 UTC, Andrew Bartlett
no flags Details
patch for master that handles --disable-gnutls and removes the extra linking (5.18 KB, patch)
2015-03-12 09:20 UTC, Andrew Bartlett
no flags Details
4.2 patch cherry-picked from master (6.68 KB, patch)
2015-03-13 00:20 UTC, Andrew Bartlett
asn: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Schneider 2015-03-05 15:32:00 UTC
Samba is broken on openSUSE and Fedora since commit:

commit 43d3e90418b5e0ac5986e08f9483146f4f5d2357
Author:     Garming Sam <garming@catalyst.net.nz>
AuthorDate: Fri Feb 13 09:54:50 2015 +1300
Commit:     Andrew Bartlett <abartlet@samba.org>
CommitDate: Wed Feb 25 01:08:12 2015 +0100

    backupkey: replace heimdal rsa key generation with GnuTLS
    
    We use GnuTLS because it can reliably generate 2048 bit keys every time.
    
    Windows clients strictly require 2048, no more since it won't fit and no
    less either. Heimdal would almost always generate a smaller key.
    
    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10980



FAILED (1698 failures, 151 errors and 2 unexpected successes in 792 
testsuites)


I bisected it down to this commit on an openSUSE 13.2 system.

gnutls-3.2.18-4.1.x86_64


A colleague is having this issue with Fedora 21, gnutls-3.3.12-1.fc21.x86_64
Comment 1 Andrew Bartlett 2015-03-05 20:02:50 UTC
Can you please upload the log output?
Comment 2 Andreas Schneider 2015-03-05 22:25:05 UTC
Created attachment 10820 [details]
test.log
Comment 3 Andreas Schneider 2015-03-06 10:26:48 UTC
I identified already several issues:

a) We offer an option --disable-gnutls if you set it then Samba fails to link cause dcerpc_backupkey.c needs to link against gnutls

b) in the wscript_build file for the rpc_server which builds backupkey it doesn't link against gnutls. Trough some mysterious dependency gnutls is linked.
Comment 4 maurer 2015-03-08 08:53:35 UTC
Hi

this problem migth be related to this entry too.

I have been trying to build  AD enabled samba 4.2.0 on centos-6 and centos-7
The build of 4.2.0rc5 with the same spec was fine on the same systems

With 4.2.0 I get the following error

default/source4/rpc_server/backupkey/dcesrv_backupkey_24.o: In function
`create_heimdal_rsa_key':
/root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:808:
undefined reference to `gnutls_global_init'
/root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:811:
undefined reference to `gcry_control'
/root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:813:
undefined reference to `gnutls_x509_privkey_init'
/root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:826:
undefined reference to `gnutls_x509_privkey_generate'
/root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:906:
undefined reference to `gnutls_x509_privkey_deinit'
/root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:907:
undefined reference to `gnutls_global_deinit'
/root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:833:
undefined reference to `gnutls_x509_privkey_export'
/root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:860:
undefined reference to `gnutls_x509_privkey_export'
/root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:906:
undefined reference to `gnutls_x509_privkey_deinit'
/root/rpmbuild/BUILD/samba-4.2.0/bin/../source4/rpc_server/backupkey/dcesrv_backupkey.c:907:
undefined reference to `gnutls_global_deinit'
collect2: error: ld returned 1 exit status
Waf: Leaving directory `/root/rpmbuild/BUILD/samba-4.2.0/bin'
Build failed:  -> task failed (err #1):
        {task: cc_link
dcesrv_wkssvc_16.o,samba_server_gensec_8.o,forward_3.o,reply_3.o,dcesrv_auth_3.o,loadparm_3.o,dcesrv_backupkey_24.o,rpc_winreg_20.o,ntptr_simple_ldb_1.o,dcerpc_netlogon_21.o,dcesrv_samr_18.o,samr_password_18.o,dcesrv_eventlog6_29.o,dcerpc_dnsserver_30.o,dnsutils_30.o,dnsdata_30.o,dnsdb_30.o,dcesrv_drsuapi_27.o,updaterefs_27.o,getncchanges_27.o,addentry_27.o,writespn_27.o,drsutil_27.o,dcesrv_srvsvc_14.o,srvsvc_ntvfs_14.o,dcerpc_server_5.o,dcesrv_mgmt_5.o,handles_5.o,rpc_echo_11.o,dcesrv_spoolss_26.o,dcesrv_browser_28.o,dcesrv_remote_13.o,dcesrv_lsa_22.o,lsa_init_22.o,lsa_lookup_22.o,dcesrv_unixinfo_17.o,ntptr_base_2.o,ntptr_interface_2.o,rpc_epmapper_12.o,ndr_backupkey_c_151.o
-> libdcerpc-server.so}
make: *** [all] Error 1


I have added --enable-gnutls  to the configure with no sucess
The configure options for centos-7 are

./configure --build=x86_64-redhat-linux-gnu
--host=x86_64-redhat-linux-gnu --program-prefix=
--disable-dependency-tracking --prefix=/usr --exec-prefix=/usr
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
--datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64
--libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib
--mandir=/usr/share/man --infodir=/usr/share/info --enable-fhs
--prefix=/usr --with-dnsupdate --with-ads --with-acl-support
--with-automount --with-pam_smbpass --with-quotas
--with-sendfile-support --with-syslog --with-utmp --with-winbind
--with-aio-support --enable-cups --enable-gnutls --with-piddir=/run
--with-sockets-dir=/run/samba --mandir=/usr/share/man
--libdir=/usr/lib64 --with-privatedir=/etc/samba
--with-modulesdir=/usr/lib64/samba
--with-pammodulesdir=/usr/lib64/security
--with-shared-modules=idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2 --with-lockdir=/var/lib/samba
--with-cachedir=/var/lib/samba --disable-gnutls --disable-rpath-install
--with-shared-modules=idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2,pdb_tdbsam,pdb_ldap,pdb_ads,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4,auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4
'--bundled-libraries=heimdal,!zlib,!popt,talloc,pytalloc,pytalloc-util,tevent,pytevent,tdb,pytdb,ldb,pyldb'
--with-pam --without-fam --disable-glusterfs --with-cluster-support
--with-profiling-data --with-systemd  



The following gnu-tls versions are installed
2.8.5-14.el6_5 (Centos-6)
gnutls-devel-3.1.18-10.el7_0 (Centos-7)


Regards

Hansjörg
Comment 5 maurer 2015-03-09 08:33:01 UTC
Hi

I checked the spec file again and there was a 
--disable-gnutls \
after the 
--enable-gnutls \
I added

I removed --disable-gnutls and the I was able to compile again.

With rc5 the spec file with --disable-gnutls was fine

Regards

Hansjörg
Comment 6 Tom Schulz 2015-03-09 15:48:27 UTC
This is related to the change that caused this bug. The configure system checks that the version of gnutls is new enough but it does not check the version of gcrypt. Also, the check for the version of gnutls assumes that gnutls is installed as a package. It is possible to have these installed but not as a package. The .h files contain version information.

On Solaris 10, both are available but both are way too old. It is the old version of gcrypt that is causing the build to blow up.
Comment 7 Andreas Schneider 2015-03-09 20:14:41 UTC
Created attachment 10832 [details]
patch for master
Comment 8 Andreas Schneider 2015-03-09 20:22:04 UTC
Created attachment 10833 [details]
patch for master v2
Comment 9 Andrew Bartlett 2015-03-12 03:33:45 UTC
I'm unable to reproduce the test failures on CentOS7 or Fedora 21, so I'll just deal with this from the build failure side of things.
Comment 10 Andreas Schneider 2015-03-12 07:06:56 UTC
The issue is probably --disable-gnutls which has not been adapted to the latest changes!
Comment 11 Andrew Bartlett 2015-03-12 08:55:17 UTC
Created attachment 10865 [details]
patch for master that handles --disable-gnutls and removes the extra linking
Comment 12 Andrew Bartlett 2015-03-12 09:01:39 UTC
Created attachment 10866 [details]
patch for master that handles --disable-gnutls and removes the extra linking

This version adds the BUG lines that help tracking this in other branches.
Comment 13 Andrew Bartlett 2015-03-12 09:20:37 UTC
Created attachment 10867 [details]
patch for master that handles --disable-gnutls and removes the extra linking

(sorry, attached wrong patch)
Comment 14 Andrew Bartlett 2015-03-13 00:20:38 UTC
Created attachment 10871 [details]
4.2 patch cherry-picked from master

This handles --disable-gnutls and removes the extra linking
Comment 15 Andreas Schneider 2015-03-16 08:06:53 UTC
Comment on attachment 10871 [details]
4.2 patch cherry-picked from master

LGTM
Comment 16 Andreas Schneider 2015-03-16 08:07:19 UTC
Karolin, please add the patch to 4.2. Thanks!
Comment 17 Andrew Bartlett 2015-03-20 03:00:09 UTC
Just to help find the bugs, bug 11097 is the original bug that added ServerWrap support for BackupKey
Comment 18 Karolin Seeger 2015-03-23 20:23:30 UTC
Pushed to autobuild-v4-2-test.
Comment 19 Karolin Seeger 2015-03-27 20:05:11 UTC
(In reply to Karolin Seeger from comment #18)
Pushed to v4-2-test.
Closing out bug report.

Thanks!