On Суб, 22 ліп 2023, Neal Gompa wrote:
On Sat, Jul 22, 2023 at 5:09 PM Adam Williamson adamwill@fedoraproject.org wrote:
On Sat, 2023-07-22 at 21:43 +0300, Alexander Bokovoy wrote:
On Суб, 22 ліп 2023, Adam Williamson wrote:
On Sat, 2023-07-22 at 06:31 -0400, Neal Gompa wrote:
What I intend after that is that we will be OK with releasing so long as the automated tests against Samba AD pass, but if anyone decides to manually test against Microsoft AD and finds a bug, that can potentially be a blocker. But we will not block the release on making sure Microsoft AD has been tested.
Does this sound like a decent solution to everyone? Thanks!
Does that mean that we will also have tests for setting up and using Samba AD from Fedora? Because if we're going to block on client connectivity on Samba AD, I think we should also block on Samba AD from the server side too.
It means we'll have a test, but as things stand, failures of it won't be blocking, because "work as a Samba AD server" is not in the criteria.
You could, of course, propose a criterion change and we could debate it, though I think that might be a bit of a stretch - we already block on one domain server technology which is more in our ecosystem. Who's going to be the "throat to choke" for Samba AD server functionality if it breaks?
The same people who are responsible for 'FreeIPA server functionality if it breaks', for years.
We chose to have FreeIPA and Samba AD with MIT Kerberos as our domain controller technologies in Fedora more than a decade ago, we committed to develop them through Samba and FreeIPA upstreams, we keep doing so. Please watch our talk at SambaXP'23: 'Samba AD / MIT Kerberos: path out of experimental'.
https://www.youtube.com/watch?v=0_cdYuIYw0o
As I said, we already committed to this work for more than a decade ago in Fedora. We first announced productization of Samba AD DC with MIT Kerberos in Fedora 27 in 2017, this was a milestone which went into Fedora 27's release notes: https://docs.fedoraproject.org/en-US/fedora/f27/release-notes/sysadmin/Domai...
Thanks. I didn't realize it had that status.
If you team is happy to stand behind Samba AD in the same way it stands behind FreeIPA, I'd have no problem at all with it being release- blocking, if the WG wants to do that.
I think we'd be comfortable with that. The main issue right now is a lack of official Fedora documentation for setting this up that we could support it with.
To be honest, I'd hoped for a long time that Samba AD would become part of the FreeIPA setup. Sadly, it hasn't so far. :(
That is not a plan and it never was. FreeIPA works just fine with Samba AD over forest trust.
If you want to get a grasp over how complex things are, watch wonderful talk by Nadia who spent a good part of the past decade trying to make OpenLDAP backend for Samba AD.
https://www.youtube.com/watch?v=6TMd9r2VngI