[Samba] Azure AD Connect and the challenge of funding Samba bugs
abartlet at samba.org
Mon Oct 26 21:24:44 UTC 2020
Thank you both for digging into this.
As you have seen this is a tricky area for Samba, being as it involves
external services, additional (and it seems changing) essentially
third-party software (not just base Windows) and has consistently
fallen into a gap of 'almost working' for a number of years.
The fact that there is a viable workaround (pass-though authentication)
also seems to be making this harder to fix - because it remains an
annoyance, not a deal-breaker.
Furthermore, it seems to have been quite difficult to get good
diagnostic logs of the issue - both on Samba's bugzilla and when
speaking with potential commercial customers, I've never actually seen
a clear set of logs!
But I want to touch on something more broadly:
Samba's AD DC development is to each of or community members a
volunteer effort. The Samba Team isn't funded for development, we take
donations which help pay our hosting bills (CI in particular) and until
the year of the pandemic covered travel for those who needed it.
Nobody is on the long-term payroll of the Samba Team, instead Samba is
where is is thanks to the spare time of our committed volunteers and
the work time of those who are supported by their employers to work in
Samba for their $DAYJOB.
What that does mean is that what gets fixed and does not get fixed is
in large part comes down to what catches the interest of developers who
some flexibility (in their job or their own time) or what paying
customers need via support or development contracts.
Now, to be clear we all work hard to ensure that what do advances a
common Samba vision and helps more than just an immediate customer, but
my point is that we have a problem: Bugs like this sometimes have to
really hurt someone before they get attention.
As to a solution? I don't have a good one.
Samba isn't funded (by our donations) to a scale where we can afford
even a significant fraction of a senior developer salary. I'll also
warn that genuinely independent open source projects paying folks has a
Many say crowd-funding, but that essentially requires that someone
offer and hold to a fixed price quote for a fix. Given that much of
the work in Samba is to work out the problem, this is a challenge. (It
might work for feature development.)
I'm skating on really thin ice here, but I like the idea of support
contracts. I like them because they are outside Samba.org: a
commercial agreement between a single customer and a Samba support and
development shop. I also like them because for difficult issues at
least the customer and commercial support provider can work out what
the root of the problem is, which is often half the challenge.
Sadly I also know the economics of those are difficult for many of our
users, who are attracted to Samba not just for the awesome features but
the low cost.
Samba is a proud free software project and always will be. The freedom
to use, modify and redistribute is central to what we care about. The
challenge of keeping Samba development funded away from per-seat
licences and in an environment where the community expectation is that
Samba should not just be free but cost $0 remains however quite
Even more difficult is the funding of security support, but I'll leave
that for another time.
Finally, I do realise that compared to fond memories of times long ago
Samba is much harder to contribute to. Even despite recent work with
our move to GitLab new Contribute page on the wiki, making a meaningful
change to a C based project and following that up with a comprehensive
(and often Python based) testsuite is a big ask. Yes, it keeps Samba
from breaking but perhaps pushes away the 'Jack of all trades' sysadmin
or student (I was both...) who in times past might have just dived in
and fixed things.
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
More information about the samba