Re: Could we drop Active Directory requirements from Fedora release criteria?

On Суб, 22 ліп 2023, Neal Gompa wrote: >On Sat, Jul 22, 2023 at 5:09 PM Adam Williamson ><adamwill(a)fedoraproject.org> wrote: >> >> On Sat, 2023-07-22 at 21:43 +0300, Alexander Bokovoy wrote: >> > On Суб, 22 ліп 2023, Adam Williamson wrote: >> > > On Sat, 2023-07-22 at 06:31 -0400, Neal Gompa wrote: >> > > > > >> > > > > What I intend after that is that we will be OK with releasing so long >> > > > > as the automated tests against Samba AD pass, but if anyone decides to >> > > > > manually test against Microsoft AD and finds a bug, that can >> > > > > potentially be a blocker. But we will not block the release on making >> > > > > sure Microsoft AD has been tested. >> > > > > >> > > > > Does this sound like a decent solution to everyone? Thanks! >> > > > >> > > > Does that mean that we will also have tests for setting up and using >> > > > Samba AD from Fedora? Because if we're going to block on client >> > > > connectivity on Samba AD, I think we should also block on Samba AD >> > > > from the server side too. >> > > >> > > It means we'll have a test, but as things stand, failures of it won't >> > > be blocking, because "work as a Samba AD server" is not in the >> > > criteria. >> > > >> > > You could, of course, propose a criterion change and we could debate >> > > it, though I think that might be a bit of a stretch - we already block >> > > on one domain server technology which is more in our ecosystem. Who's >> > > going to be the "throat to choke" for Samba AD server functionality if >> > > it breaks? >> > >> > The same people who are responsible for 'FreeIPA server functionality if >> > it breaks', for years. >> > >> > We chose to have FreeIPA and Samba AD with MIT Kerberos as our domain >> > controller technologies in Fedora more than a decade ago, we committed >> > to develop them through Samba and FreeIPA upstreams, we keep doing so. >> > Please watch our talk at SambaXP'23: 'Samba AD / MIT Kerberos: path out >> > of experimental'. >> > >> > https://www.youtube.com/watch?v=0_cdYuIYw0o >> > >> > As I said, we already committed to this work for more than a decade ago >> > in Fedora. We first announced productization of Samba AD DC with MIT >> > Kerberos in Fedora 27 in 2017, this was a milestone which went into >> > Fedora 27's release notes: >> > https://docs.fedoraproject.org/en-US/fedora/f27/release-notes/sysadmin/Do... >> >> Thanks. I didn't realize it had that status. >> >> If you team is happy to stand behind Samba AD in the same way it stands >> behind FreeIPA, I'd have no problem at all with it being release- >> blocking, if the WG wants to do that. > >I think we'd be comfortable with that. The main issue right now is a >lack of official Fedora documentation for setting this up that we >could support it with. > >To be honest, I'd hoped for a long time that Samba AD would become >part of the FreeIPA setup. Sadly, it hasn't so far. :( That is not a plan and it never was. FreeIPA works just fine with Samba AD over forest trust. If you want to get a grasp over how complex things are, watch wonderful talk by Nadia who spent a good part of the past decade trying to make OpenLDAP backend for Samba AD. https://www.youtube.com/watch?v=6TMd9r2VngI