[ROADMAP] Catalyst's focus on Samba

Sun Mar 12 08:51:37 UTC 2017

G'Day,

Over a week ago, I promised to write a broad overview of the things
that Catalyst is looking at in Samba over the next few months, so as to
avoid surprises, encourage collaboration and to encourage all our users
about what they might see for 4.7 if everything goes to plan.  

Logging
-------

As you have seen we have made a massive effort to get proper
authentication and authorization logging in Samba.   We hope to extend
this to the KDC, but even with the current status covering NTLM, it is
a massive step forward.

Performance
-----------

We are building an AD performance measurement tool.  The idea is that
this tool will replicate real traffic (like a number of the smbtorture
commands in the past) and allow us to measure if Samba's performance
has changed, and how it compares with (eg) Windows.

Once we build that, and alongside it, we plan to address performance
hot spots as we see them.  We have made massive strides in Samba
performance so far, and we plan to continue to address those in the AD
DC that we see.  I hope to see further improvements in our search
performance (see latest ldb index patches for another 2%, on top of 10%
from the libndr work by douglas).  We love flame graphs for this work.

Scale
-----

Tied up in performance work is a desire to have samba scale more, to
serve more user and hold more groups/group members.  The direction of
this work is less certain, but having broken the back of the 'too many
links melts Samba' issue, I'm sure we will be asked to do more here.  

Specific possibilities include LMDB and a GUID-based index scheme.

We also expect to deploy the above tool at representations of large
networks, and that should help us understand better how well Samba
performs when scaled up.

Multi-process LDAP
------------------

We have made our Samba AD netlogon server multi-process, and we have
been asked to make the LDAP server multi-process as well.  We hope to
do that with a prefork system, or address the fork() and exit() costs
enough for the standard model to be practical.

Replication Correctness
-----------------------

The Catalyst Samba team has already been asked to implement the
REPL_GET_TGT flag, which will make our replication code safer and more
correct.  This will build on the REPL_GET_ANC code that landed for 4.6.

RODC
----

A number of RODC patches were posted recently (for msDS-RevealedUsers), 
and we hope to get the RODC into a much more tested and deployable
condition soon.  

General Samba improvements
--------------------------

Beyond just these things, it has been great working with so many others
on general improvements to Samba.  It was great to land the Python
patches for more python3, and the ability to disable python recently. 
I love reviewing the great work others are doing making Samba better,
as well as digging into it myself!

I'm excited to be part of such a busy team, both at Catalyst and in the
broader Samba community.  It is also really exiting to see where Samba
AD is being deployed.  In Open Source and Free Software we don't hear
about most of our most interesting deployments, but it is really quite
fun to see 'Effectively managing a Samba-based Active Directory domain'
end up in the desired experience line of a job ad:

https://au.indeed.com/cmp/Expressway-Spares/jobs/Desktop-Network-Support-Analyst-acc961a80fd9d5b3

I think this means we really did make it!

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba