samba - May 2024 - classifying samba componens and sorting into debian binary packages

Hi!

I'm evaluating how various binaries and components are split into different
binary packages in Debian.  And am having issues classifying these.

Initially there has been request to remove dependency on python3-samba
package (this is AD-related stuff) from samba-the-file-server package,
to be able to use it on smaller devices.  And at the same time, there
has been another request to move samba-gpupdate binary from samba to
samba-common-bin, since it can be used independently of the file server
(but it requires python3-samba).  So these are conflicting requests.


Here are the review with many comments and questions and plans to do.
I would appreciate any clarification.

===================   samba-common  - basically smb.conf only, arch-indep, used
by smbclient,
       winbind, samba, etc.

===================   samba-common-bin - common binaries in /usr/bin:
       net
       testparm - it probably should come together with smb.conf but ok
       nmblookup - should it be part of smbclient? Probably irrelevant at this
time.
       samba-tool - is about AD, I plan to move it to samba-ad-client pkg.
       samba-regedit - should it be part of the file server?
       smbpasswd - should it be part of the file server? But I guess it can be
           used to change password on another server too, so let it stay.
           Or should it be part of smbclient?
       dbwrap_tool - should it be part of ctdb?
       samba-log-parser

     also a few rpcd daemons used by samba and winbindd:
       /usr/libexec/samba/rpcd_*.

     samba-common-bin is not used by smbclient or libsmbclient (but samba-common
is).

     This package used to depend on python components (due to samba-tool), but
     with it moved elsewhere, python is not longer needed.

     Just with samba-common-bin and winbind it should be possible to join a
     linux system to a domain (including AD, b/c `net ads join`) and do user
     auth without using remote files, or maybe cifs-clients can be used for that
too.

===================   smbclient - client for the file server:
       smbclient, rpcclient, smbcacls, smbget, smbspool, smbtar, ...

===================   samba - the main file server part, including some remnants
of AD functions.
       smbd, nmbd, smbstatus - the file server components
       samba - ad-dc, it is going into samba-ad-dc package
       samba-gpupdate - will go into samba-ad-client
       samba_dnsupdate, samba_spnupdate - should these go to samba-ad-client?
       samba_upgradedns - samba-ad-client or samba-ad-dc? Or is it used at all
         outside of selftests and testprogs?

     Other files in there:
       profiles
       dumpmscat
       mvxattr
       oLschema2ldif
       pdbedit
       sharesec
       smbcontrol - this one should probably be moved to samba-common-bin
        (it can control winbindd too)

     This package used to depend on python

===================   winbind - winbindd, wbinfo and ntlm_auth

===================   samba-ad-dc - a relatively new package aimed to provide
ad-dc functionality.
     I plan to move a few items here (maybe), including the samba binary from
samba
     package.  A new samba-ad-client will be a dependency, also samba
(fileserver)
     package.  Right now it is just a metapackage.

===================   samba-ad-client - new package with basic ad client
functionality.  This receives
     the following files (from samba-common-bin or samba):
       samba-tool
       samba-gpupdate
       samba_dnsupdate, samba_spnupdate - can these be run w/o
samba-the-file-server?
       samba_downgrade_db ?


There's some confusion between the split between samba and (new)
samba-ad-client.
One one hand, samba the file server does not need AD functionality for the
stand-
alone usage, so it can be quite lean.  So I'm moving AD-related binaries
(which
depend on python) to samba-ad-client.  On another hand, some of the tools
currently
within samba-the-file-server package can be used without the file server but as
part of an AD, like samba-gpupdate.  Maybe dnsupdate and spnupdate too, when a
server isn't a file server?  So samba-ad-client can be either a stand-alone
pkg
or a package "enhancing" samba-the-file-server with the AD
functionality (domain
member server) (so as the `net' command from samba-common-bin).  On the
other
hand, there are a few commands (samba_downgrade_db, samba_upgradedns) which
don't
fit neither in samba (due to python deps and not being relevant to standalone
server use case) nor in samba-ad-client package (due to being impractical
without
the file server component).

I don't see how it can be split better.  Maybe an interesting way would be
to
move some files to samba-ad-dc and rename it to samba-ad, so that it can be used
either as a domain controller or a member server.  In this case things like
samba_downgrade_db will go there.  Or maybe just introduce samba-ad pkg which
depends on samba and samba-ad-client, and includes python-based ad-specific
file server components.

BTW, do we really need samba_downgrade_db these days?  Changing format to the
one used by samba 4.7, srsly?  I'd just remove this one :)


Do we really need samba-vfs-modules package?  It looks like it should be just
part of the file server (with optional dependencies), since it's almost
always
required.  It's not the same situation as with samba-dsdb-modules.


Another big question is about python3-samba and samba-ad-provision packages.
Right now these receives basically everything samba build procedure puts into
python subdir.  But it turned out some of that stuff is only needed by the
smbtorture tool (samba-testsuite package).  Also there are a few libs with
unknown purpose, - I already asked about libsamba-policy python C lib.  I'd
love to reduce the amount of files we ship further.


I'm sorry for this become such large.  It's been something I've been
looking
for quite some time. Samba has grown to a lot of various components, and I
need help sorting these out.. :)

Thanks,

/mjt
-- 
GPG Key transition (from rsa2048 to rsa4096) since 2024-04-24.
New key: rsa4096/61AD3D98ECDF2C8E  9D8B E14E 3F2A 9DD7 9199  28F1 61AD 3D98 ECDF
2C8E
Old key: rsa2048/457CE0A0804465C5  6EE1 95D1 886E 8FFB 810D  4324 457C E0A0 8044
65C5
Transition statement: http://www.corpit.ru/mjt/gpg-transition-2024.txt

25.05.2024 17:39, Michael Tokarev via samba wrote:
> ===================>  ? samba-common-bin - common binaries in /usr/bin:
>  ????? net
>  ????? testparm - it probably should come together with smb.conf but ok
>  ????? nmblookup - should it be part of smbclient? Probably irrelevant at
this time.
>  ????? samba-tool - is about AD, I plan to move it to samba-ad-client pkg.
>  ????? samba-regedit - should it be part of the file server?
>  ????? smbpasswd - should it be part of the file server? But I guess it can
be
>  ????????? used to change password on another server too, so let it stay.
>  ????????? Or should it be part of smbclient?
>  ????? dbwrap_tool - should it be part of ctdb?
>  ????? samba-log-parser
There's also /usr/sbin/samba_kcc in there, - should go either to
samba-ad-client
or samba-ad-dc, I can't understand which one.
>  ??? also a few rpcd daemons used by samba and winbindd:
>  ????? /usr/libexec/samba/rpcd_*.
> 
>  ??? samba-common-bin is not used by smbclient or libsmbclient (but
samba-common is).
> 
>  ??? This package used to depend on python components (due to samba-tool),
but
>  ??? with it moved elsewhere, python is not longer needed.
> 
>  ??? Just with samba-common-bin and winbind it should be possible to join a
>  ??? linux system to a domain (including AD, b/c `net ads join`) and do
user
>  ??? auth without using remote files, or maybe cifs-clients can be used for
that too.
> 
> ===================>  ? smbclient - client for the file server:
>  ????? smbclient, rpcclient, smbcacls, smbget, smbspool, smbtar, ...
Actually maybe whole samba-common-bin isn't really necessary,
and all remaining files can be moved to smbclient (with it being
required by the file server).  samba-common-bin is a badly named
package which has its own functionality which is partly related to
smbclient, and it also has unrelated-to-client files which are used
by server packages (samba and winbind).
> .....? On the other
> hand, there are a few commands (samba_downgrade_db, samba_upgradedns) which
don't
> fit neither in samba (due to python deps and not being relevant to
standalone
> server use case) nor in samba-ad-client package (due to being impractical
without
> the file server component).
> 
> I don't see how it can be split better.? Maybe an interesting way would
be to
> move some files to samba-ad-dc and rename it to samba-ad, so that it can be
used
> either as a domain controller or a member server.? In this case things like
> samba_downgrade_db will go there.? Or maybe just introduce samba-ad pkg
which
> depends on samba and samba-ad-client, and includes python-based ad-specific
> file server components.
> 
> BTW, do we really need samba_downgrade_db these days?? Changing format to
the
> one used by samba 4.7, srsly?? I'd just remove this one :)
Both samba_downgrade_db (if this one is really needed still) and
samba_upgradedns
(I found a reference to it in the wiki) can be part of samba-ad-dc package.
Maybe together with samba_kcc (if it is not going to samba-ad-client).

Thanks,

/mjt
-- 
GPG Key transition (from rsa2048 to rsa4096) since 2024-04-24.
New key: rsa4096/61AD3D98ECDF2C8E  9D8B E14E 3F2A 9DD7 9199  28F1 61AD 3D98 ECDF
2C8E
Old key: rsa2048/457CE0A0804465C5  6EE1 95D1 886E 8FFB 810D  4324 457C E0A0 8044
65C5
Transition statement: http://www.corpit.ru/mjt/gpg-transition-2024.txt