On Fri, Jul 21, 2023 at 11:03 PM Adam Williamson
<adamwill(a)fedoraproject.org> wrote:
On Sun, 2023-06-18 at 07:36 +0200, Adam Williamson wrote:
> Hi folks! I want to talk about the Active Directory requirements in the
> release criteria.
>
> Since Fedora Server was created, we've had this in the criteria:
>
> "It must be possible to join the system to a FreeIPA or Active
> Directory domain at install time and post-install, and the system must
> respect the identity, authentication and access control configuration
> provided by the domain."
>
> ...plus various further requirements at Beta and Final.
>
> For FreeIPA we have this testing entirely automated, it's no problem at
> all. For Active Directory we...don't. At every release point this does
> not get tested until very late. Often Stephen Gallagher has to test it
> manually at the very last minute, which is an unfair burden on him.
> When we *do* find problems, there is a mad scramble to fix them or at
> least find workarounds, because we find them way too late.
>
> We've looked into automating it and still kinda intend to do so, but
> it's not really simple. There's a legal side to it - it's not clear
> what the licensing requirements involved would be - and a technical
> side to it - we'd need a way to reliably and quite quickly deploy an AD
> domain controller using openQA automation, which is not a trivial job.
>
> When I estimate the time that's going to take and consider what *else*
> I (or anyone else) could do with that time, I'm not certain that
> "automating AD testing" is the best use of it. To me it doesn't feel
> like a really key feature of Fedora to the point that would justify the
> work involved, or justify continuing to throw Stephen and others under
> the last-minute-manual-testing bus. But I'm not sure!
>
> What do others think? Do you use the AD client support of Fedora
> Server? Do you think it's a key feature that we should keep as a
> release-blocking requirement, or no?
Hey folks! Just to give an update on this, as I'm not sure I ever did
on the list: the current plan is to not drop the criterion, but instead
implement automated testing based on Samba AD (not Microsoft AD).
I am working on this at present and have got quite far, should have it
completed next week.
What I intend after that is that we will be OK with releasing so long
as the automated tests against Samba AD pass, but if anyone decides to
manually test against Microsoft AD and finds a bug, that can
potentially be a blocker. But we will not block the release on making
sure Microsoft AD has been tested.
Does this sound like a decent solution to everyone? Thanks!
Does that mean that we will also have tests for setting up and using
Samba AD from Fedora? Because if we're going to block on client
connectivity on Samba AD, I think we should also block on Samba AD
from the server side too.
--
真実はいつも一つ!/ Always, there's only one truth!