Samba | Bronze bit, S4U and RBCD support with MIT Kerberos 1.20 (!2330)

[Andrew Bartlett]

I think this is a discussion worth having somewhere a little less
hidden than a MR.  So sent to Samba-technical, but BCC to the MR.  Lets
see if that works...

On https://gitlab.com/samba-team/samba/-/merge_requests/2330#note_855084458
Andreas, Alexander and I are caught on the philosophical point of what
MIT krb5 versions we should be including runtime support for in master.

My point is that we test MIT 1.20 on Fedora.  The non-Fedora builds all
build Heimdal.  That is, with these changes the MIT 1.19 support is
untested in our CI, so we shouldn't put untested code in such important
codepaths. 

I'm honestly not making this argument to destroy the MIT KDC effort, on
the contrary I want it to succeed!

But for it to be a long-term success we must also be able to learn from
the past 6 months in particular to ensure we have a viable, practised
process for changes need to be made in both codebases.

In particular, I'm concerned that the AD DC 'will build and securely
operate against the MIT version found on enterprise distributions' is
just not a promise we can keep, so setting that up as the baseline
expectation sets us up to fail.  

Instead, it needs to be much closer to that, particularly in the
development of master the AD DC 'will build and securely operate
against a particular MIT release (plus patches potentially) or pre-
release', and we continue to work to get those changes upstream so that
sometimes, when things go well, that also means 'will build and
securely operate against the system MIT krb5 of a distribution like
Fedora'.  

When that happens if things go well, then an enterprise distribution
could also operate Samba as an AD DC against a system krb5, by freezing
both at the right time, but no enterprise distributions will ship the
AD DC so we shouldn't really target that.

(I'm also happy to have a video chat about this if it helps).

Andrew Bartlett