deprecate pdb_ldap and "NT4-like" domains in Samba 4.13 to allow removal for Samba 4.14 in March 2021?

Andrew Bartlett abartlet at
Tue Jun 16 10:44:30 UTC 2020

On Tue, 2020-06-16 at 12:53 +0300, Alexander Bokovoy wrote:
> On Tue, 16 Jun 2020, Andrew Bartlett wrote:
> > On Tue, 2020-06-16 at 11:26 +0300, Alexander Bokovoy wrote:
> > > What is required from FreeIPA side is a set of operations to provide
> > > implementation of PASSDB interfaces that deal with searches:
> > >  - search users
> > >  - search groups
> > >  - search aliases
> > 
> > Can you do that on the FreeIPA side?  pdb_ipa isn't in the Samba tree,
> > could you handle the maintenance of the code it depends on?
> > 
> > Presumably you have plenty of other ldap client stuff on the FreeIPA
> > side of the fence you could plug into?
> So basically you are saying that you don't care how FreeIPA would handle
> integration to Samba PASSDB, nor do you care about PASSDB being
> testable and used. Is that right?

Not really.  FreeIPA isn't Samba, and it isn't my primary concern, and
so I would suggest that some things are perhaps best handled on the
FreeIPA side of the fence, where you maintain the module anyway.

Now of course it is your concern, and I look in equal parts wonder and
horror at the way Samba is used in FreeIPA, which is why I'm asking for
feedback, because FreeIPA (and apparently NAS internals) clearly isn't
my area.

> My concern is that you are looking to deprecate interfaces without
> providing sufficient functionality to handle those needs, nor
> acknowledging that existing proposed replacements need to be improved
> before even considering them.

The supported replacement of the Samba NT4 DC is the Samba AD DC.

As pdb_ldap is outside of FreeIPA's use case it seems to me that there
is very little maintenance of this code, and so while it seems we will
kick this can down the road a little longer, the costs to maintain this
stack will continue to come back at us.

> Outside of FreeIPA, most home storage devices built on top of
> Synology, for example, rely on pdb_ldap. There is support and
> integration for Samba AD DC to be run on Synology but there is a
> separate LDAP Server component and an integration with that one for
> Samba requires use of pdb_ldap.
> As far as I understand, the same feature and support are available in QNAP
> devices.
> I personally don't think it makes sense to deprecate pdb_ldap now.
> Instead, I hope to look into improving its test coverage now that we
> have a good way to create test environments and use them in CI.

Thanks for your feedback, that is very interesting.  This is why we
raise such things on the mailing list.

I look forward to seeing the tests!

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
