Description of problem:
Samba4 has a test for its use of GnuTLS. We use the API to override send() and recv() in the library, so our use is probably 'odd'. In any case, the testsuite hangs when running against GnuTLS 2.0, but works against 1.6 (Fedora 8) and 2.2 (debian unstable).

Version-Release number of selected component (if applicable):
gnutls-2.0.4-2.fc9

How reproducible:
every time

Steps to Reproduce:
1. Download Samba4 from git
2. configure
3. make test

Actual results:
Stuck in LDAPS tests

Expected results:
Continue through testsuite

Additional info:
On hosts running GnuTLS 2.0, the test will not proceed. This isn't just a lack of entropy issue (suspected and ruled out). This was originally seen on Debian unstable PPC64 (when the host was upgraded from 1.6 to 2.0), but is common to Fedora with the upgrade from Fedora 8 to rawhide. Upgrading the Debian unstable PPC64 host to gnutls 2.2 (current release in Debian unstable) allowed our tests to proceed for the first time in months. I am willing to help with anything required to get GnuTLS 2.2 into rawhide before the upcoming freeze. However, perhaps note http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466477
The problem with version 2.2 is that it breaks ABI requiring rebuild of all dependencies - given the feature freeze I am afraid that it is too late to upgrade. It would be much better to find out why it hangs and fix it in 2.0. If you create a standalone test-case I can try to investigate the problem.
Sorry, I have no standalone test case at this time. Talking with warren on IRC this morning, he thought there might just be time to push it through. It would seem a pity to have to write a gnutls blacklist into Samba4...
I don't think there is enough time for that given the experiences with the latest version upgrade of openssl, which took a few weeks to settle rawhide to drop all the deps on the old library. There are about 70 packages which have to be rebuilt, but the rebuild in koji has to be done in a specific order (and there might even be dependency loops).
> Talking with warren on IRC this morning, he thought there might just be time to
> push it through. It would seem a pity to have to write a gnutls blacklist into
> Samba4...

This is not true. I only said you should talk to the package owner.
Can you give the specific set of commands to check out and run the Samba test suite, which demonstrates the hang?
(with gnutls headers in place)
rsync -a ftp.samba.org::ftp/pub/unpacked/samba_4_0_test .
cd samba_4_0_test/source
./configure.developer
make test
I have tried to approach this from various angles but without a definitive conclusion. Stracing revealed that the client (ldbsearch) and server (smbd) are deadlocked, each waiting on the other side. Then I tried to bisect the changes in the 2.1.x releases of gnutls to find which patch caused it to start working. I have found a patch which, applied to 2.1.4, makes it work, but this patch is already included in 2.0.4 and doesn't even seem to be related. My current opinion is that the implementation of event handling on nonblocking sockets in samba-4.0 might be incorrect in regards to gnutls and that it works with 1.6.3 and 2.2.x only by chance. One possible reason could be the client or server in samba prematurely clearing the write event handling although some SSL data are still to be sent from gnutls.
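Added example (not part of the original bug thread, and not Samba or GnuTLS code): a small model of the hypothesis in the comment above, where a caller clears its write event while the TLS layer still holds buffered record bytes. All names (`model_session`, `model_flush`, `run_loop`) and the sizes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MODEL_EAGAIN (-1)   /* hypothetical "would block, retry when writable" */

/* Constructed model of a TLS-like layer over a non-blocking socket. */
struct model_session {
    size_t pending;    /* record bytes still buffered inside the "library" */
    size_t sock_room;  /* bytes the socket accepts before it would block */
    size_t delivered;  /* bytes that actually reached the peer */
};

/* Push as much buffered data as the socket takes right now. */
static int model_flush(struct model_session *s)
{
    size_t n = s->pending < s->sock_room ? s->pending : s->sock_room;
    s->pending -= n;
    s->sock_room -= n;
    s->delivered += n;
    return s->pending ? MODEL_EAGAIN : 0;
}

/* Send one record, then run `rounds` event-loop iterations in which the
 * socket becomes writable again. With keep_write_event == 0 the caller
 * drops its write interest after the first attempt, so the write handler
 * never fires again even though data is still pending. Returns the number
 * of bytes the peer received. */
size_t run_loop(size_t record_len, size_t sock_buf, int keep_write_event, int rounds)
{
    struct model_session s = { record_len, sock_buf, 0 };
    int want_write = (model_flush(&s) == MODEL_EAGAIN);

    if (!keep_write_event)
        want_write = 0;               /* write event cleared prematurely */
    for (int i = 0; i < rounds; i++) {
        s.sock_room = sock_buf;       /* peer drained the socket */
        if (want_write)               /* handler runs only if registered */
            want_write = (model_flush(&s) == MODEL_EAGAIN);
    }
    return s.delivered;
}

int main(void)
{
    printf("kept write event:    %zu of 100 bytes\n", run_loop(100, 40, 1, 10));
    printf("cleared write event: %zu of 100 bytes\n", run_loop(100, 40, 0, 10));
    printf("record fits socket:  %zu of 30 bytes\n", run_loop(30, 40, 0, 10));
    return 0;
}
```

In the model, a record that fits in one socket write is delivered either way, which is how such a bug can appear to work "by chance". In real GnuTLS code, `gnutls_record_get_direction()` reports whether an interrupted call was waiting to read or to write.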
Hmm, we did that (we added a fake read event, in testing for this bug) for read handling, but I'll try it for write handling. Thanks for all the effort you have obviously put into testing this!
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Unfortunately there is no apparent way to fix it currently; it might be an API problem of GNUTLS with non-blocking I/O or some problem in Samba.