[Pkg-samba-maint] Packaging Samba 4.2 in Debian

Jelmer Vernooij jelmer at debian.org
Sat May 9 23:52:13 UTC 2015

On Sun, Apr 26, 2015 at 11:28:06PM +1200, Andrew Bartlett wrote:
> On Sat, 2015-04-25 at 21:26 +0000, Jelmer Vernooij wrote:
> > With (almost) jessie out of the door, I've had a look at packaging
> > Samba 4.2 for Sid today.
> > 
> > There appear to be a number of issues currently preventing 4.2 from
> > being uploaded:
> > 
> >  * Samba 4.2 includes ctdb, rather than supporting system versions *
> >    (https://lists.samba.org/archive/samba-technical/2014-October/103189.html)
> > 
> > With Samba being the origin of the latest ctdb release, do we want to keep
> > shipping standalone ctdb packages?
> > 
> > No other packages in the archive currently depend on it, and with
> > the recent changes Samba can no longer use it.
> > 
> >  * Samba 4.2 uses a patched Heimdal, with changes that are neither
> >    upstream nor in the Heimdal Debian package *
> > 
> > The skew between Samba's copy of Heimdal and upstream Heimdal has been
> > frustrating me for a long time. Getting the right changes upstreamed
> > and then packaged in Debian takes up a lot of time and has caused
> > complications.
> > 
> > For example, we're currently shipping a rc of Heimdal 1.6 in Debian to
> > allow building of Samba, rather than a stable version of Heimdal. This
> > in turn has meant that we've run into several bugs that were newly
> > introduced in Heimdal 1.6. [1]
> > 
> > At this point, I'm inclined to just use the bundled Heimdal. We could
> > reconsider this when (if?) Samba starts supporting MIT Kerberos [2].
> > Thoughts?
> The required steps are to, for git master (which has better tests):
>  - Ensure 'make test' passes against a system heimdal (built from
> current lorikeet-heimdal)
>  - Then get 'make test' to pass against the proposed system Heimdal
>  - Add in a runtime check for correct password lockout behaviour. 
> I think a required part of this will actually be to finish the work to
> upgrade Heimdal in Samba.  This is not a small task.  I *may* be able to
> look at this before SambaXP, if not then at least around then we can
> examine the (lack of) progress so far. 

Andrew and I discussed this in person today.

At least for the moment, we'd like to switch the Samba package to use the
bundled Heimdal. This is because:

 * regressions tend to be subtle and we are now running an untested
   Heimdal/Samba pair (not tested manually or automated)
 * we've had a number of bugs because changes had not yet
   landed in Debian's Heimdal package (Debian's Heimdal package follows the
   1.6 branch, not master - unlike Samba's bundled copy of Heimdal)
 * we've had to package an unreleased version of Heimdal,
   which is also not ideal.
 * the APIs in Heimdal that Samba relies on are semi-public and
   in practice they've changed under us between snapshots

While compiling a copy of a Kerberos implementation into Samba is not
ideal, we think this is the only sensible option at the moment.

We can re-evaluate this and reconsider when:

 * The changes to Samba's Heimdal land upstream
 * The changes required for Samba end up in a Heimdal release we can
   package in Debian
 * We find a good way to regression test the Samba+Heimdal
   combination from the Debian packages (e.g. using
   ld-preloaded socket_wrapper/uid_wrapper/nss_wrapper/etc)



Jelmer Vernooij <jelmer at samba.org> - https://jelmer.uk/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20150509/82f69c16/attachment.sig>

More information about the Pkg-samba-maint mailing list