[Samba] Place of functional levels in Samba4 roadmap
Fabio Fantoni
fabio.fantoni at m2r.biz
Wed Jun 5 09:58:11 UTC 2024
On 04/06/2024 01:02, Andrew Bartlett via samba wrote:
> On Fri, 2024-05-31 at 12:58 +0200, Olivier BILHAUT via samba wrote:
>> Hi Samba list,
>>
>> As you know, security is currently the buzzword for most critical
>> organizations. Active Directory implementations are an important node
>> of the whole security chain.
>>
>> The French security agency, called ANSSI, released a tool to audit
>> Active Directory implementations, called ORADAD:
>> https://github.com/ANSSI-FR/ORADAD/releases
>>
>> This tool retrieves all configuration from your AD, and makes it ready
>> for analysis. Don't hesitate to give it a try. Based on this tool, French
>> National Agencies give a note on our Active Directory configuration.
>>
>> Recent functional levels are a big part of AD security, since they are
>> supposed to add features like Protected Users and much more. I don't
>> really know if this is real or fake, but anyway, it has to be done.
> Samba supports Protected Users, and can operate in FL 2012 with Samba
> 4.20. It isn't the default yet but you can upgrade the FL with our
> tools.
>
>> Do you know when we will be able to display a real Windows 2016
>> functional level (or more)? What's the place in the roadmap? Does it
>> lack funds to implement it?
> The biggest of the remaining issues for FL 2016 are the time-limited
> links (used by Microsoft PIM), and that is a big reason why we haven't
> upgraded the FL default, as our testing is at FL 2016 with the parts we
> have, but we don't have that part.
>
> The other thing is key-trust, where PKINIT (used by Windows Hello for
> Business) enrols the client by key, not by name and CA.
>
> While there will be other things, these are some of the bigger
> items.
>
> Samba development is entirely dependent on funding or engineering
> resources provided by our community.
>
> We strongly encourage any organisation that relies on Samba or would
> like to have the opportunity to escape from a world where innovation
> and security depends entirely on the priorities of Microsoft (see
> Copilot+ for this being derailed) to support Samba via our commercial
> support partners.
>
> Samba relies on ongoing support of our users to resource our security
> response and to develop new features, which in general are commissioned
> by our users.
>
>> I couldn't find any really clear information about this
>> in Samba wiki, and neither in the samba list history, even if I know
>> that 4.20 seems to give a kickstart to the feature.
> Yes, our wiki and roadmap need work. However we are also hesitant to
> add items to the roadmap as we fear that some might assume that items
> listed there are likely to see progress without an organisation
> stepping up with funding.
>
> Andrew Bartlett
>
Hi, I think the need for funding to implement new features is too little
known and it would be better to specify it.
I saw something was done here (https://wiki.samba.org/index.php/Roadmap)
in the introduction, but that page has not been updated for a long time.
I think it would be good to update it (including the completed tasks
part) and extend the Active Directory part, for example with the full
list of things for the domain feature level 2012/2016 (what is done,
what is in progress and funded, and what needs to be funded).
For example, a company is interested in the AD feature level 2016, tries
to search for information on its completion, sees the notes of the
latest versions that implement it in part but no details in the roadmap
and the like; how can it know if certain missing parts are in development
or planned and already funded, or if funding is missing?
I think that if people can find out quickly and easily whether
certain parties need funding, and more information on how to contribute,
there will be more chance that interested people and companies will
contribute.
I think it can also be useful to know all the ways to contribute, for
example both those specific to the implementation of specific features
and generic ones that concern those who contribute to the development.