Looking to once again re-bundle LDB

[Alexander Bokovoy]

On 14 February 2024 13.09.21 UTC, Michael Tokarev via samba-technical <samba-technical at lists.samba.org> wrote:
>14.02.2024 03:45, Andrew Bartlett via samba-technical:
>...
>
>>>> We would change the ldb modules dir to have the version string in it,
>>>> so that modules are not installed for the wrong version.
>>> 
>>> Sounds good.
>> 
>> I've chickened out of this small aspect.
>> 
>> It would mean a repackage of sssd for every single Samba version (well,
>> LDB version, but they change pretty often), and that would make Samba
>> security releases more painful, not less.
>
>If ldb interface changes in the next version, it becomes incompatible with
>existing sssd.  Moving ldb modules into version-specific subdir makes it
>explicit, - user gets more friendly error message (at the very least,
>something like "can't find modules") instead of a crash.
>
>If, on the other hand, the version-specific subdir is changed in every
>release no matter if the interface actually changed or not, that will be
>more difficult indeed for no visible gain.
>
>I don't think there will be real issues either way, - we'll sort it out
>one way or another.  It's already impossible to provide "more recent
>samba" to older release of a distribution without either breaking sssd
>or providing sssd together with the new samba, it just has to be made
>more explicit in the downstream packages.
>
>BTW, there's also freeipa now, but I don't know if that one is possible
>to use with samba compiled with (bundled) heimdal, - last time I come
>across this (someone else mentioned it, I haven't looked myself), they
>required samba built with MIT Kerberos.
>
>Thanks,
>
>/mjt
>

We do rebuilds of the whole stack in Fedora if bots detect samba ABI had changed. So for us it is not a problem.

FreeIPA only supports MIT Kerberos for the server side and SSSD provides Kerberos pre-authentication modules to MIT Kerberos soi it is also best to be built against MIT version.
-- 
Alexander Bokovoy