Hello everyone,
I'll summarize the status of the recent samba discussion about support, its
package status, and functional tests in this mail.
======================================================
samba support scope & discussions
======================================================
The upstream samba project only supports their releases for 18 months. In the
past it was fairly straightforward to backport patches for Debian, however the
Debian samba maintainers have signaled that there was a major rewrite of the VFS
layer, and as such backporting security patches to samba versions in bullseye
and earlier is not feasible anymore.
As such, samba in bookworm will receive full security support, and samba in
bullseye will only receive support as a file server, and not as an active directory
domain controller (AD DC) [0]. Note that samba in buster is already treated
similarly since November 2021 [1].
In this context we at Freexian have decided to maintain samba in LTS/ELTS in the
same manner, meaning that AD DC setups are not supported, and samba server in
pure file server mode, the client, and the libraries still are covered by
security support.
[0] https://www.debian.org/security/2023/dsa-5477
[1] https://www.debian.org/security/2021/dsa-5015
======================================================
samba package status
======================================================
A WIP samba package targeted for buster and stretch is available in the
lts-team git repository, in a feature branch [2]. However, through the
previously mentioned discussion it has become clear that the next samba update
will only provide a subset of those patches.
[2]
https://salsa.debian.org/lts-team/packages/samba/-/tree/lgarrett/2023-02-23-debian/buster-proposed
https://salsa.debian.org/lts-team/packages/samba/-/tree/jochen/2023-07-25-debian/stretch-proposed
======================================================
(samba) functional test framework
======================================================
In the context of the July 2023 Windows update that broke samba running as an AD
DC [3] it became clear to me that the unit tests in the autopkgtest suite are
not sufficient to check the functionality of the samba release in a Windows
environment.
As such I spent some time building a framework that automates:
- bootstrapping a buster VM
- bootstrapping a Windows 11 VM
- provisioning samba in various configurations
- making the Windows 11 VM interact with samba in various ways
On a technical level, it uses Ansible to drive all those steps, allowing it to
be fully automated. kvm/libvirt is used for virtualization, as there is already
a fairly well supported inventory plugin for it in Ansible, as well as various
modules that allow provisioning of VMs via guest agents. The buster VM is
bootstrapped via vmdb2 (though this step may be replaced by an alternative in
the future). The Windows 11 VM is bootstrapped by downloading the Win11 trial
VMware image, and converting it to a libvirt compatible image via virt-v2v.
rhsrvany is used to inject the guest agent and spice agent to provide it at
first boot. rhsrvany was packaged for Debian in the process [4].
Given that AD DC setups are not supported anymore for ELTS/LTS, the initial
purpose has become somewhat obsolete. It can however still be used to test AD DC
setups for samba in Debian stable, and also samba in file server mode against
current Windows releases. Samba upstream has also contacted me privately and
shown interest in the framework.
It's also possible to trivially extend the framework to test other interactions
between several VMs, like NFS server/client, postgres primary/secondary, MTA
SMTP, etc. should there be interest and/or need for that. There is no limit on
the OS or number of machines, other than the resource constraints of running
several VMs on the (local) physical machine.
[3] https://bugzilla.samba.org/show_bug.cgi?id=15418
[4]
https://tracker.debian.org/news/1448343/accepted-rhsrvany-11-1-source-all-into-unstable/
Greetings,
Lee