Olivier BILHAUT
2024-May-31 10:58 UTC
[Samba] Place of functional levels in Samba4 roadmap
Hi Samba list,

As you know, security is currently the buzzword for most critical organizations. Active Directory implementations are an important node of all the security chain.

The French security agency, called ANSSI, released a tool to audit Active Directory implementations, called ORADAD: https://github.com/ANSSI-FR/ORADAD/releases

This tool retrieves all configuration from your AD, and makes it ready for analysis. Don't hesitate to give it a try. Based on this tool, French National Agencies give a note on our Active Directory configuration.

Recent functional levels are a big part of AD security, since they are supposed to add features like Protected Users and much more. Don't really know if this is real or fake, but anyway, it has to be done.

Do you know when we will be able to display a real Windows 2016 functional level (or more)? What's the place in the roadmap? Does it lack funds to implement it?

I couldn't find really clear information about this in the Samba wiki, nor in the samba list history, even if I know that 4.20 seems to give a kickstart to the feature.

Many thanks to all contributors.

--
Olivier BILHAUT
Andrew Bartlett
2024-Jun-03 23:02 UTC
[Samba] Place of functional levels in Samba4 roadmap
On Fri, 2024-05-31 at 12:58 +0200, Olivier BILHAUT via samba wrote:
> Hi Samba list,
>
> As you know, security is currently the buzzword for most critical
> organizations. Active Directory implementations are an important node
> of all the security chain.
>
> The French security agency, called ANSSI, released a tool to audit
> Active Directory implementations, called ORADAD:
> https://github.com/ANSSI-FR/ORADAD/releases
>
> This tool retrieves all configuration from your AD, and makes it ready
> for analysis. Don't hesitate to give it a try. Based on this tool,
> French National Agencies give a note on our Active Directory
> configuration.
>
> Recent functional levels are a big part of AD security, since they are
> supposed to add features like Protected Users and much more. Don't
> really know if this is real or fake, but anyway, it has to be done.

Samba supports Protected Users, and can operate in FL 2012 with Samba 4.20. It isn't the default yet but you can upgrade the FL with our tools.

> Do you know when we will be able to display a real Windows 2016
> functional level (or more)? What's the place in the roadmap? Does it
> lack funds to implement it?

The biggest of the remaining issues for FL 2016 are the time-limited links (used by Microsoft PIM), and that is a big reason why we haven't upgraded the FL default, as our testing is at FL 2016 with the parts we have, but we don't have that part.

The other thing is key-trust, where PKINIT (used by Windows Hello for Business) enrols the client by key, not by name and CA.

While there will be other things, these are some of the bigger items.

Samba development is entirely dependent on funding or engineering resources provided by our community.

We strongly encourage any organisation that relies on Samba or would like to have the opportunity to escape from a world where innovation and security depends entirely on the priorities of Microsoft (see Copilot+ for this being derailed) to support Samba via our commercial support partners.

Samba relies on ongoing support of our users to resource our security response and to develop new features, which in general are commissioned by our users.

> I couldn't find really clear information about this in the Samba
> wiki, nor in the samba list history, even if I know that 4.20 seems
> to give a kickstart to the feature.

Yes, our wiki and roadmap need work. However we are also hesitant to add items to the roadmap as we fear that some might assume that items listed there are likely to see progress without an organisation stepping up with funding.

Andrew Bartlett

--
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead                 https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions