Red Hat Bugzilla – Bug 436228
gnutls 2.0 fails Samba4 'make test'
Last modified: 2013-01-09 23:35:42 EST
Description of problem:
Samba4 has a test for it's use of GnuTLS. We use the API to override send() and
recv() in the library, so our use is probably 'odd'. In any case, the testsuite
hangs when running against GnuTLS 2.0, but works against 1.6 (Fedora 8) and 2.2
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Download Samba4 from git
3. make test
Stuck in LDAPS tests
Continue though testsutie
On hosts running GnuTLS 2.0, the test will not proceed. This isn't just a lack
of entropy issue (suspected and ruled out).
This was originally seen on Debian unstable PPC64 (when the host was upgraded
from 1.6 to 2.0), but is common to Fedora with the upgrade from Fedora 8 to
rawhide. Upgrading the Debian unstable PPC64 host to gnutls 2.2 (current
release in Debian unstable) allowed our tests to proceed for the first time in
I am willing to help with anything required to get GnuTLS 2.2 into rawhide
before the upcoming freeze.
However, perhaps note http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466477
The problem with version 2.2 is that it breaks ABI requiring rebuild of all
dependencies - given the feature freeze I am afraid that it is too late to
upgrade. It would be much better to find out why it hangs and fix it in 2.0.
If you create a standalone test-case I can try to investigate the problem.
Sorry, I have no standalone test case at this time.
Talking with warren on IRC this morning, he thought there might just be time to
push it though. It would seem a pity to have to write a gnutls blacklist into
I don't think there is enough time for that given the experiences with latest
version upgrade of openssl which took a few weeks to settle rawhide to drop all
the deps on the old library.
There is about 70 packages which have to be rebuilt but the rebuild in koji has
to be done in specific order (and there might be dependency loops even).
> Talking with warren on IRC this morning, he thought there might just be time to
> push it though. It would seem a pity to have to write a gnutls blacklist into
This is not true. I only said you should talk to the package owner.
Can you give the specific set of commands to check out and run the Samba test
suite, which demonstrates the hang?
(with gnutls headers in place)
rsync -a ftp.samba.org::ftp/pub/unpacked/samba_4_0_test .
I have tried to approach this from various angles but without a definitve
conclusion. Stracing revealed that the client (ldbsearch) and server (smbd) are
deadlocked each waiting on the other side.
Then I tried to bisect the change in the 2.1.x releases of gnutls to find which
patch caused it to start working. I have found a patch which applied to 2.1.4
makes it work but this patch is already included in 2.0.4 and even doesn't seem
to be related.
My current opinion is that the implementation of event handling on nonblocking
sockets in samba-4.0 might be incorrect in regards to gnutls and that it works
with 1.6.3 and 2.2.x only by chance. One possible reason could be the client or
server in samba prematurely clearing the write event handling although some SSL
data are still to be sent from gnutls.
Hmm, we did that (we added a fake read event, in testing for this bug) for read
handling, but I'll try it for write handling.
Thanks for all the effort you have obviously put into testing this!
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
Unfortunately there is no apparent way how to fix it currently, it might be API problem of GNUTLS with non-blocking io or some problem in Samba.