How many NS installations use Samba DC


(Alessio Fattorini) #1

Another idea was raised at our meeting: figuring out how many NethServer installations use Samba4 as DC. Getting to know those data would be extremely useful to make the right decision and the impact of it.


RHEL 8 is still lacking a Samba Active Directory package
(Davide Principi) #2

Yes we should collect some information from existing installations in anonymous form, like the installed packages list and some relevant values from nsdc, sssd and smb keys.

I propose to instruct the phone-home package to send back more information only if it has been enabled.

Those who decided not to send anything at the end of the first configuration wizard will not participate and contribute to this “poll”.

Instructions about how to enable it will be provided anyway.


(Rob Bosch) #3

Is there an option to enable the phone-home config when you did not enable this during first time config wizard? Maybe we can persuade some people to enable it if the data collection is transparent enough to allow this.


(Davide Principi) #4

Yes it is documented here:

http://docs.nethserver.org/en/v7/phone_home.html


(Rob Bosch) #5

In these times of privacy issues, I think the information that is collected should be precisely specified in the documentation. If we want to be able to use the collected data, we need more information. IMO admins will only be prepared to allow this if they know what data is collected and how it is anonymized.
I think the docs need some work to get to such a point.


(Davide Principi) #6

The doc page states clearly what data is collected today: IP address, RELEASE number and YUM random UUID number. No less, no more. It’s so since ns6.

The proposal is to collect more information. If it’s accepted the doc page will be updated accordingly.


(Davide Principi) split this topic #7

2 posts were merged into an existing topic: RHEL 8 is still lacking a Samba Active Directory package


(Enrique D) #8

Reading the docs to enable and help. (currently I’m out for a week but I’ll try to enable via SSH-forwarded)

Does this do the trick?

  • config setprop phone-home status enabled

How many days will you need this to be enabled? I disabled this at setup just because I had a bad experience with some other distro stuck with this kind of “calling home”


(Davide Principi) #9

…I don’t know it’s just a proposal :smile:

Anyway the command is correct, thank you!


(HF) #10

Even more precisely, GDPR requires a very clear, undoubted consent. Referring to documentation is NOT compliant; one must clearly state what is collected directly with the question asked on the same page.

I am aware that all EU countries have ‘translated’ the GDPR into local law, and this is one directive that is very clear.

HTH


(Dominik) #11

Hi,
I am able to provide you my Samba4AD info about my installation and configuration → in private message or here on the forum → I think providing info about for example: 2 AD controller, 50 users wouldn’t take any security risk…


(Ralf Jeckel) #12

IMO this has nothing to do with GDPR.
GDPR is meant to protect data about human beings.
All data that allows conclusions about specific human beings has to be protected.
Keyword is “identifiable person”.

What constitutes personal data?
The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

To provide data like how many AD, FQDN and number of users does not violate GDPR.
But of course, to specify this point exactly during the installation process, when asking to enable the “phone home” and in the docs is a good idea for transparency reasons.

Just my opinion.


(Alessio Fattorini) #13

Yes but in this case data are not accurate. We need to collect those kind of data: no sensitive data, no user data, no IP. Nothing.
I’d just like to answer simple questions like:

  • how many NethServer installations out there?
  • how many of them are firewall? How many DC?

Having this kind of data could be useful for a lot of reasons.
My proposal is doing it by default and put a checkbox somewhere giving the possibility to disable it.


(Rob Bosch) #14

Dismissing Samba stats as not identifiable to persons is IMO a bit too easy. Samba4 AD is all about user accounts. If, for some reason or misconfiguration, anything of the user accounts ‘leaks’, you have a problem with GDPR.
I think it is necessary to get detailed information what data is collected when you activate the phone-home feature. If GDPR kicks in, you even explicitly must agree with this (some checkbox that says “I have read what data is collected, and I agree with this to happen”, or something similar).


(Michael Kicks) #15

And this links to Mattermost too…


(Alessio Fattorini) #16

We don’t need data about user accounts just something like: DC installed and used on 6374 installations


(HF) #17

That’s the issue, too vague :slight_smile:


(Marc) #18

Useful data to collect could be which user provider is used, how many groups/accounts, number of interfaces and its type… you name it.

In my opinion, if there are changes on what data is collected, the user has to be informed before accepting those changes or be able to select only the data she wants to share (although most service providers used to change terms/conditions with a notification and a deadline without explicit consent).

Another source is this community. Searching through the activedirectory tag (or a database search query) you can get an idea of how many community members use(d) it.

Unless there’s another compatible identity manager / directory service, I think the question is not so about dropping samba-AD/DC but more on how to implement it in a sustainable way (build package, use container…) once upstream package is not available.


(Davide Principi) #19

As many are concerned about data privacy I think we can proceed without collecting additional information, leaving phone-home as is now.

The discussion, analysis, implementation, communication, documentation of this feature are growing too much and the resulting data are not worth the effort IMO.


(Giacomo Sanchietti) #20

I agree with Davide: the feature is getting too complex.

We will try to estimate the numbers using subscription and enterprise installations.