MIT Kerberos version support for the AD DC in master (eg 1.20 and 1.19)
Andrew Bartlett
abartlet at samba.org
Fri Feb 25 10:07:51 UTC 2022
On Fri, 2022-02-25 at 10:41 +0100, Andreas Schneider via samba-
technical wrote:
> On Friday, February 25, 2022 9:48:52 AM CET Andrew Bartlett via
> samba-
> technical wrote:
> > I think this is a discussion worth having somewhere a little less
> > hidden than a MR. So sent to Samba-technical, but BCC to the
> > MR. Lets
> > see if that works...
> >
> > On
> > https://gitlab.com/samba-team/samba/-/merge_requests/2330#note_855084458
> > Andreas, Alexander and I are caught on the philosophical point of
> > what
> > MIT krb5 versions we should be including runtime support for in
> > master.
> >
> > My point is that we test MIT 1.20 on Fedora. The non-Fedora builds
> > all
> > build Heimdal. That is, with these changes the MIT 1.19 support is
> > untested in our CI, so we shouldn't put untested code in such
> > important
> > codepaths.
>
> This is not true!
>
> Take a look at the pipeline:
>
> https://gitlab.com/samba-team/devel/samba/-/pipelines/478777772
>
> samba-addc-mit120 - This runner tests MIT Kerberos 1.20 (pre-
> release). It
> tests the most important bits which have
> significantly
> changed. Like the KDB interface, S4U and RBCD.
> If you look at the log you can see:
> $ if [ -x "$(command -v krb5-config)" ]; then krb5-config --
> version; fi
> Kerberos 5 release 1.20-prerelease
Thanks for that. I missed that detail when I looked over the patches,
I didn't consider that the patch was further extending the number of
jobs (this is a different also difficult issue).
>
> samba-addc-mit-1 - This runner tests MIT Kerberos 1.19
> From the log:
> $ if [ -x "$(command -v krb5-config)" ]; then krb5-config --
> version; fi
> Kerberos 5 release 1.19.2
>
> samba-addc-mit-4a - This runner tests MIT Kerberos 1.19
> samba-addc-mit-4b - This runner tests MIT Kerberos 1.19
> samba-admem-mit - This runner tests MIT Kerberos 1.19
> samba-mitkrb5 - This runner tests MIT Kerberos 1.19
>
> > I'm honestly not making this argument to destroy the MIT KDC
> > effort, on
> > the contrary I want it to succeed!
> >
> > But for it to be a long-term success we must also be able to learn
> > from
> > the past 6 months in particular to ensure we have a viable,
> > practised
> > process for changes need to be made in both codebases.
> >
> > In particular, I'm concerned that the AD DC 'will build and
> > securely
> > operate against the MIT version found on enterprise distributions'
> > is
> > just not a promise we can keep, so setting that up as the baseline
> > expectation sets us up to fail.
>
> What sense does it make to drop support for the latest MIT Kerberos
> release
> (version 1.19) and require our users to build MIT Kerberos from git
> master
> with the next Samba release?
Fair enough. This makes a lot of sense. It also answers a bit of my
question (that I've been trying to figure out how to artfully put) of
how to make incremental development of features that cross the
Samba/KDC boundary practical and viable.
More importantly this looks like a pattern we can follow - security
releases will be harder, but even that could be handled similarly (with
an in-script private build of MIT rather than a COPR repo).
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
More information about the samba-technical
mailing list