Fedora DS Support

Endi Sukma Dewata edewata at redhat.com
Wed Aug 26 21:52:01 MDT 2009

Hi Andrew,

----- "Andrew Bartlett" <abartlet at samba.org> wrote:

> Thanks for getting back to me quickly, as it means I can help redirect
> your efforts.  It seems I must have been unclear about the future of
> those particular changes.  We must remove them - not re-add them.  

Thanks for your response. I understood what you meant, it's just I think
I need to do it in multiple steps:

1. I need to make sure the master branch tests run with the "temporary"
   patch I submitted. This is to ensure that the code is good and I'm
   not wasting time troubleshooting the test script while the problem
   could lie somewhere else. Currently I'm having a problem compiling
   the code, it's complaining about missing a header file. I need to
   investigate whether this is a code or environment issue.

2. Once #1 is done, I'll remove the "temporary" patch and fix the code
   to make sure it's still running like before, producing the same test
   results. When this is done, I'll submit the "real" patch.

You don't need to merge the "temporary" patch into the repository, I just
submitted it in case you want to try it. Sorry I wasn't very clear about
my intention.
> Setting that ACI makes Fedora DS completely insecure - because it
> changes the ACL on each partition to be 'anonymous may do anything'. It
> was a great hack when we first started this, but it must not be
> revived.

> The patch I need from you, against master, is best summed up as:
> 'whatever is needed to make Fedora DS work as a backend, as pass as
> much
> of make test as possible, using SASL authentication between Samba4
> and
> Fedora DS'. 

> The background to this is that I reworked the OpenLDAP backend to use
> secure SASL authentication and strict access control between Samba4 and
> OpenLDAP many months ago, but did not upgrade Fedora DS to that same
> level of support.  The Fedora DS backend needs to be upgraded to this
> same level of maturity. 

Understood. I might need to do this in multiple steps too so you don't
have to wait too long to see any progress, also I might have to switch
back & forth with some other tasks as well. Here is my plan:

3. In #2 above I might just move the system:anonymous and aci parameters
   inside the code, so at least it's no longer visible during provisioning.
   In #3 I will add the SASL authentication. I might send another
   patch here.

4. After that I will start fixing Fedora DS specific problems one-by-one
   so it works as well as OpenLDAP. I might send one patch for each issue.

You don't need to merge each patch that I will submit right away. You could
just wait until I complete step #3 or even #4 if you prefer. What do you
think about this plan?


Endi S. Dewata

More information about the samba-technical mailing list