[Samba] Place of functional levels in Samba4 roadmap

Fabio Fantoni fabio.fantoni at m2r.biz
Wed Jun 5 09:58:11 UTC 2024


On 04/06/2024 01:02, Andrew Bartlett via samba wrote:
> On Fri, 2024-05-31 at 12:58 +0200, Olivier BILHAUT via samba wrote:
>> Hi Samba list,
>>
>> As you know, security is currently the buzzword for
>> most critical organizations. Active Directory implementations are an
>> important node of all the security chain.
>>
>> The French security agency, called ANSSI, released a tool to audit
>> Active Directory implementations, called ORADAD:
>> https://github.com/ANSSI-FR/ORADAD/releases
>>
>> This tool retrieves all configuration from your AD, and makes it ready
>> for analysis. Don't hesitate to give it a try. Based on this tool, French
>> National Agencies give a note on our Active Directory configuration.
>>
>>
>> Recent functional levels are a big part of AD security, since they are
>> supposed to add features like Protected Users and much more. Don't
>> really know if this is real or fake, but anyway, it has to be done.
> Samba supports Protected Users, and can operate in FL 2012 with Samba
> 4.20.  It isn't the default yet but you can upgrade the FL with our
> tools.
>
>> Do you know when we will be able to display a real Windows 2016
>> functional level (or more)? What's the place in the roadmap? Does it
>> lack funds to implement it?
> The biggest of the remaining issues for FL 2016 are the time-limited
> links (used by Microsoft PIM), and that is a big reason why we haven't
> upgraded the FL default, as our testing is at FL 2016 with the parts we
> have, but we don't have that part.
>
> The other thing is key-trust, where PKINIT (used by Windows Hello for
> Business) enrols the client by key, not by name and CA.
>
> While there will be other things, these are some of the bigger
> items.
>
> Samba development is entirely dependent on funding or engineering
> resources provided by our community.
>
> We strongly encourage any organisation that relies on Samba or would
> like to have the opportunity to escape from a world where innovation
> and security depends entirely on the priorities of Microsoft (see
> Copilot+ for this being derailed) to support Samba via our commercial
> support partners.
>
> Samba relies on ongoing support of our users to resource our security
> response and to develop new features, which in general are commissioned
> by our users.
>
>> I couldn't find a really clear information about this
>> in Samba wiki, and neither in the samba list history, even if I know
>> that 4.20 seems to give a kickstart to the feature.
> Yes, our wiki and roadmap need work.  However we are also hesitant to
> add items to the roadmap as we fear that some might assume that items
> listed there are likely to see progress without an organisation
> stepping up with funding.
>
> Andrew Bartlett
>    

Hi, I think the need for funding to implement new features is too little 
known and it would be better to specify it.

I saw something was done here (https://wiki.samba.org/index.php/Roadmap) 
in the introduction, but that page has not been updated for a long time.

I think it would be good to update it (including the completed task part) 
and extend the Active Directory part, for example with the full list of 
things for the domain feature level 2012/2016 (what is done, what is in 
progress and funded, and what needs to be funded).

For example, a company is interested in the AD feature level 2016, tries 
to search for information on its completion, sees the notes of the 
latest versions that implement it in part but no details in the roadmap 
and the like; how can it know if certain missing parts are in development 
or planned and already funded, or if funding is missing?

I think that if people can find out quickly and easily whether 
certain parties need funding and more information on how to contribute, 
there will be more chances that interested people and companies will 
contribute.

I think it can also be useful to know all the ways to contribute, for 
example both those specific to the implementation of specific features 
and generic ones that concern those who contribute to the development.


