Unfortunately I'm not able to tell whether that bug violates our FreeIPA criteria, which seem to be here:
https://fedoraproject.org/wiki/Fedora_43_Beta_Release_Criteria#FreeIPA_server_requirements

Can anyone explain?

The only justification given is "Since this is a regression of a pretty important functionality for FreeIPA, we consider this a blocker bug". That's not how this works. The criteria define blockers. "FreeIPA trust to Active Directory" is not in the criteria; we require clients to be able to enrol against FreeIPA domains and AD domains, but that's all.

If you think this should be in the criteria, please propose it to the QA and Server communities - a post on discussion with the server-wg and quality-team tags would be ideal.

Under the existing criteria:
BetaBlocker -1

Probably also:
BetaFE -1

as this can be reasonably fixed with an update, there's no real need for an FE.

BetaFE -1
BetaBlocker -1

BetaFE -1
BetaBlocker -1

I don't see how this violates the existing criteria.

BetaBlocker -1
BetaFE -1

Thanks, Adam, for explanation.

BetaBlocker -1
BetaFE -1

AGREED RejectedBetaBlocker
AGREED RejectedBetaFreezeException

The following votes have been closed:

• Rejected BetaBlocker (+0, 0, -5)
  • -1 by adamwill, derekenz, geraldosimiao, nielsenb, kparal
• Rejected BetaFreezeException (+0, 0, -5)
  • -1 by adamwill, derekenz, geraldosimiao, nielsenb, kparal

I find it unfortunate that a hard work FreeIPA and Samba teams do upstream to early consume Fedora beta/rawhide composes and contribute fixes is neglected by the release wranglers.

Unfortunately, there are more problems with Samba 4.23 that break FreeIPA functionality. I understand you want to limit with the blockers/exceptions but this would be a rare beta release where IPA will be broken.

Hi @abbra, we certainly don't want to neglect it. But we have a pretty well defined process for this. Any blockers need to fail release criteria, so if you see a critical functionality which is not covered, please make sure it's added there, most probably in one of these places:

• https://fedoraproject.org/wiki/Basic_Release_Criteria#Server_Edition_requirements
• https://fedoraproject.org/wiki/Fedora_43_Beta_Release_Criteria#Server_Product_requirements
• https://fedoraproject.org/wiki/Fedora_43_Final_Release_Criteria#Server_Edition_requirements

The process to amend criteria is started by having a public discussion with all affected parties.

The fixes will be in updates-testing, and that repo is enabled by default, so anyone doing network install, or updating after installation, will have the issue fixed. If you believe there's a strong need why this has to work right after offline installation without applying any updates, please justify, thank you.

Upgrade of the existing FreeIPA deployment will fail if that deployment has trust to Active Directory feature enabled or is configured to handle SMB file shares.

A mere upgrade to Samba 4.23 is enough to fail restarting FreeIPA services. This is what is reproduced in the requested bug and we have found yet another issue which causes the same failure to restart result: https://pagure.io/freeipa/issue/9852

The inability to restart without an error will break already existing https://fedoraproject.org/wiki/QA:Testcase_upgrade_dnf_current_server in that environment.

Are you saying that if FreeIPA is configured with AD trust, then dnf system-upgrade process will fail to complete? Meaning if I try to upgrade F42 Server to F43 Beta Server (upgrade happens without updates-testing enabled, unless you enabled it manually before), the upgrade process will break, i.e. system packages of the final system will be in an undefined state?

In other words, the solution isn't just "run dnf update in the final system and freeipa will start working again", as we assumed?

Yes. Samba 4.23rc2 is already in F43 stable, and the bug exists since RC1.

the upgrade process will break, i.e. system packages of the final system will be in an undefined state

Yes to this ^^? Ok, that is very concerning. We definitely have to document it as a Common Issue. I've marked the bugzilla.

I still don't see a way to make it a blocker, though, because our criteria only say that upgrades from a clean default installation must work:
https://fedoraproject.org/wiki/Fedora_43_Beta_Release_Criteria#Upgrade_requirements

If you really want to make it a blocker, I suggest you ping some Server WG members and you quickly come up with at least some rough idea of what we would block on, and then we can all vote on it. The Go/NoGo meeting is this Thursday. The exact criterion sounding can be then finished later.

However, I'll at least reset the freeze exception vote, because this is new information, and I believe the mentioned consequences make it a clear candidate for at least pulling the fix into the stable repo, if available.

REVOTE BetaFreezeException
BetaFE +1

Let me be clear: the bug this request is associated with is not causing the upgrade problem. However, the other bug in Samba 4.23 will do, as we have found today. As I mentioned, it is FreeIPA upstream issue https://pagure.io/freeipa/issue/9852.

We are going to file a bug against Fedora too, once we figured out what exactly is broken on Samba side. And then I'll reopen this discussion as a blocker or exception request for that second bug. We'll need to fix both problems at the same time because they both prevent the corresponding functionality in FreeIPA, the problem is triggered via similar paths.

We will need to have both bugfixes in F43.

BetaFE +1

BetaFE +1

(Based on Alexander's rationale in this comment above: https://pagure.io/fedora-qa/blocker-review/issue/1903#comment-984990)

Discussed at the 2025-09-08 (blocker / freeze exception) review meeting:

AGREED AcceptedBetaFreezeException RejectedBetaBlocker

This is the first part of a fix that should prevent server folks with specific FreeIPA configuration from encountering a broken upgrade process.

The following votes have been closed:

• Rejected BetaBlocker (+0, 0, -5)
  • -1 by adamwill, derekenz, geraldosimiao, nielsenb, kparal
• Accepted BetaFreezeException (+3, 0, -0)
  • +1 by kparal, boniboyblue, kashyapc

Release F43 is no longer tracked by BlockerBugs, closing this ticket.