On Sun, 2023-06-18 at 12:30 +0300, Alexander Bokovoy wrote:
On Sun, Jun 18, 2023 at 12:27 PM Alexander Bokovoy
<abokovoy(a)redhat.com> wrote:
>
> On Sun, Jun 18, 2023 at 8:37 AM Adam Williamson
> <adamwill(a)fedoraproject.org> wrote:
> >
> > Hi folks! I want to talk about the Active Directory requirements in the
> > release criteria.
> >
> > Since Fedora Server was created, we've had this in the criteria:
> >
> > "It must be possible to join the system to a FreeIPA or Active
> > Directory domain at install time and post-install, and the system must
> > respect the identity, authentication and access control configuration
> > provided by the domain."
> >
> > ...plus various further requirements at Beta and Final.
> >
> > For FreeIPA we have this testing entirely automated, it's no problem at
> > all. For Active Directory we...don't. At every release point this does
> > not get tested until very late. Often Stephen Gallagher has to test it
> > manually at the very last minute, which is an unfair burden on him.
> > When we *do* find problems, there is a mad scramble to fix them or at
> > least find workarounds, because we find them way too late.
>
> We want to add automation. I can help with this.

Forgot to add that we have the tests against Windows-based Active
Directory working already in SSSD and FreeIPA upstream, using images
Microsoft has been publishing for exactly this purpose for years.

It's been a while since I last checked, but IIRC, these are intended as
"evaluation" images. It wasn't entirely clear to me whether they
actually *are* intended for the purpose of automated testing, and if
their licensing is appropriate for this. Also, for openQA purposes we
would probably want to have a pre-configured disk image for the AD
server - we don't want to waste time setting it up in the test process
every time (for FreeIPA we do because that's part of the criteria, but
it's not for AD) - and I think it wasn't clear if *that's* OK legally
speaking either.

> >
> > We've looked into automating it and still kinda intend to do so, but
> > it's not really simple. There's a legal side to it - it's not clear
> > what the licensing requirements involved would be - and a technical
> > side to it - we'd need a way to reliably and quite quickly deploy an AD
> > domain controller using openQA automation, which is not a trivial job.
>
> Samba AD in Fedora is to save you here. This is what we should be testing.
>
> >
> > When I estimate the time that's going to take and consider what *else*
> > I (or anyone else) could do with that time, I'm not certain that
> > "automating AD testing" is the best use of it. To me it doesn't feel
> > like a really key feature of Fedora to the point that would justify the
> > work involved, or justify continuing to throw Stephen and others under
> > the last-minute-manual-testing bus. But I'm not sure!
> >
> > What do others think? Do you use the AD client support of Fedora
> > Server? Do you think it's a key feature that we should keep as a
> > release-blocking requirement, or no?
>
> I think we need to keep the release blocking state and instead of
> Windows test against Samba AD in Fedora. That was always the intent.

Was it? That's not my recollection; my memory is that we were always
intending to support enrolling to Microsoft AD-controlled domains. I
can't find the discussion in the archives, though - the 2014 version of
the tech spec says "Fedora Server will provide and support the realmd
project for joining FreeIPA and Active Directory domains
automatically", I can't find any references for how that got there,
though.

Testing against Samba AD would probably be significantly easier, but I
was kinda working on the basis that wasn't really what we wanted to do.
--
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw(a)fosstodon.org
https://www.happyassassin.net