samba - May 2024 - Place of functional levels in Samba4 roadmap

Hi Samba list,

As you know, security is currently the buzzword for
most critical organizations. Active Directory implementations are an
important node of all the security chain. 

French security agency,
called ANSSI release a tool to audit Active Directory implementations,
called ORADAD : https://github.com/ANSSI-FR/ORADAD/releases 

This tool
retrieves all configuration from your AD, and make it ready for
analysis. Don't hesitate to give a try. Based on this tool, French
National Agencies give a note on our Active Directory configuration.


Recent functional levels is a big part of AD security, since it is
supposed to add features like Protected users and much more. Don't
really know if this is real or fake, but anyway, it has to be done. 

Do
you know when we well be able to display a real Windows 2016 functional
level (or more). What's the place in the roadmap ? Does it lack funds to
implement it ? 

I couldn't find a really clear information about this
in Samba wiki, and neither in the samba list history, even if I know
that 4.20 seems to give a kickstart to the feature. 

Many thanks to all
contributors. 

--

Olivier BILHAUT

On Fri, 2024-05-31 at 12:58 +0200, Olivier BILHAUT via samba
wrote:
> Hi Samba list,
> 
> As you know, security is currently the buzzword for
> most critical organizations. Active Directory implementations are an
> important node of all the security chain. 
> 
> French security agency,
> called ANSSI release a tool to audit Active Directory
> implementations,
> called ORADAD : 
> https://github.com/ANSSI-FR/ORADAD/releases
>  
> 
> This tool
> retrieves all configuration from your AD, and make it ready for
> analysis. Don't hesitate to give a try. Based on this tool, French
> National Agencies give a note on our Active Directory configuration.
> 
> 
> Recent functional levels is a big part of AD security, since it is
> supposed to add features like Protected users and much more. Don't
> really know if this is real or fake, but anyway, it has to be done. 
Samba supports Protected Users, and can operate in FL 2012 with Samba
4.20.  It isn't the default yet but you can upgrade the FL with our
tools.
> Do
> you know when we well be able to display a real Windows 2016
> functional
> level (or more). What's the place in the roadmap ? Does it lack funds
> to
> implement it ? 
The biggest of the remaining issues for FL 2016 are the timit-limited
links (used by Microsoft PIM), and that is a big reason why we haven't
upgraded the FL default, as our testing is at FL 2016 with the parts we have,
but we don't have that part.

The other thing is key-trust, where PKINIT (used by Windows Hello for
Buisness) enrols the client by key, not by name and CA.  

While there will be other things, but these are some of the the bigger
items.  

Samba development is entirely dependent on funding or engineering
resources provided by our community. 

We strongly encourage any organisation that relies on Samba or would
like to have the opportunity to escape from a world where innovation
and security depends entirely on the priorities of Microsoft (see
Copiolt+ for this being derailed) to support Samba via our commercial
support partners. 

Samba relies on ongoing support of our users to resource our security
response and to develop new features, which in general are commissioned
by our users.
> I couldn't find a really clear information about this
> in Samba wiki, and neither in the samba list history, even if I know
> that 4.20 seems to give a kickstart to the feature. 
Yes, our wiki and roadmap needs work.  However we are also hesitent to
add items to the roadmap as we fear that some might assume that items listed
there are likely to see progress without an organisation stepping up with
funding.

Andrew Bartlett
  
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions