Samba-TNG Team Releases 0.3

emissary47 writes "The Samba-TNG (the next generation) team, releases the first beta of Samba-TNG (a Samba fork since 2000) including some very interesting features for everyone willing to replace NT4 domain controllers. With excellent LDAP-backend support, integration of Microsoft tools such as usermanager for domains and servermanager and a powerful command-line tool called rpcclient it is _the_ alternative solution for Windows domain controlling at the moment. They even include scripts for NT4-server migration in order to make a change easier."

What's new?

[$$$$$exyGal]

Taken directly from the announcement, but it's short enough to just put here.

Most important changes in 0.3:

• Updated LDAP schema in ldap/samba-tng.schema-v3
• Improved LDAP backend (subcontexts, performance speed up)
• NT trusting TNG works now out of the box
• Update to the registry tools in rpcclient
• libiconv usage

--sex

Re:What's new?

[extra88]

When I have a file open on an NT server and an OS X client also has it open, everything is fine until I try to save the file. The app says it can't save the file under the original name and saves it with a random (alphanumeric) 8 character string for a name, not even the correct filename extension. That's pretty annoying but at least my changes aren't lost.

If a 2nd Windows client opened the file, they would be warned that the file was already open and they could only open it Read Only (I only have experience with MS Word and Excel in this context so I don't know for certain if the applications play a part).

I think there certainly is the potential for ending up with a crazy mixed-up file if more than one client saves changes to it at once. The more likely event is the last saved version is the one which is kept but it depends on the application and in some cases, the file.

Samba lead considers the fork a Good Thing(TM)

[tempest303]

Before anyone gets off on a huge rant about this fork being pointless/harmfull/etc, read this - it's a statement by Andrew Tridgell, saying that he is "delighted" about the fork...

Re:NTLMv2?

[praetorian_x]

In what context? NTLM authentication over the web (between IE and a java based app server) is available at http://jcifs.samba.org. This is a great solution for "single signon" for intranet applications.

Of course, it goes without saying, that this protocol is not internet safe

The JCIFS team even includes a delightful filter than you can plug in so request.getRemoteUser() will return DOMAIN_NAME\user_name. Realy good stuff for intranet development.

Now, if only 'zilla will get NTLM support in 1.3...

Cheers,
prat

Re:Better late than never?

[msgmonkey]

There are alot of places that still use NT4 and with MS EOL'ing it people will be forced to upgrade to Windows 2000. If this makes it easy for people to move over to Linux instead of Windows 2000 than all the better.

Samba-TNG+OpenLDAP howto

Due to the complexity of LDAP, and samba w/PDC in general about 6 months ago I wroteup a pretty significant document on how to configure and deploy such a system, I've spent more then 40 hours on it to date, it's fairly complete:

http://howto.aphroland.de/HOWTO/LDAP

no way in hell could it withstand the slashdot effect, it runs ontop of Zope which is slow enough as it is! Apache seems to be in the order of 2000x to 2500x faster then zope+Zwiki, but the features of zope make it worth it.

(been on /. for 5 years and still don't have an account)

Re:late ???

[ed1park]

"Can Samba be a Backup Domain Controller?
With version 2.2, no. The native NT SAM replication protocols have not yet been fully implemented. The Samba Team is working on understanding and implementing the protocols, but this work has not been finished for version 2.2.

Can I get the benefits of a BDC with Samba? Yes. The main reason for implementing a BDC is availability. If the PDC is a Samba machine, a second Samba machine can be set up to service logon requests whenever the PDC is down."

You can find out more here...

http://us2.samba.org/samba/ftp/cvs_current/docs/ ht mldocs/samba-bdc.html

Re:late ???

[buchanmilne]

can samba-TNG be a real PDC and comunicate to a NT BDC all the information such as the userlist AND when it falls over and comes back up (system maintenance) take back the PDC status and any changes from the BDC ?

AFAIK, this is what TNG was aiming for.

acting as a PDC and syncing with a NT BDC is what SAMBA really lacks IMHO

You mean samba-2.2.x. Samba-3.0alpha does support this, and has a better NT->Samba migration tool, 'net rpc vampire'.

Samba3 is due out in about 2 months (hopefully).

What I want to know is, have they got all the samba-2.2.x features?

We run samba-2.2.x with ldap support for samba-only PDC/BDC operation.

Re:Better late than never?

[lkaos]

The regular Samba project has had NT4 domain controller support for quite sometime...

We are currently working on Active Directory domain controller support. We've got a domain join more or less working for AD but are still working on initial logon.

Read here for more info.

Article Extremely Misleading

[0x0d0a]

This whole thing about a "fork" is kind of bogus. It's hardly a "fork" in traditional sense, like WINE or BSD.

Even the letter linked to is quite old.

Here's a simplified version of what happened: there was one Samba. One group of people wanted to rearchitect it to make significant improvements. Another group of people pointed out that a lot of people depend upon Samba as a production server, and would be without major bugfixes or improvements while Samba's guts were ripped out, especially since it might be years until Samba functionality reached former levels.

Basically, the two groups couldn't agree, and a fork occured. The old Samba was maintained to keep people who were currently using Samba happy, and the new Samba was placed on the operating table and dubbed Samba: The Next Generation.

A while later, both groups decided that Samba:TNG would make a good next major version for Samba. The old Samba will become 2.x, and Samba:TNG will become 3.x. So basically, all we have here is a Linux 1/Linux 2 or GNOME 1/GNOME 2 situation. The two forked for a version change.

Most of the changes in TNG were based around domain controller stuff. Since I only use Samba as a client, it doesn't really affect me much...

Re:Article Extremely Misleading

[abartlet]

This comment is misleading. There are no plans for samba.org to release Samba TNG, they are there own project now, and we have our own development process that is producing a very nice PDC for 3.0.

Samba 2.2 contained basic domain control capabilty, and 3.0 really does a good job of completing it.

Also, Samba 3.0 does many things that TNG does not - in particular Active Directory client support, and even Active Directory DC developement (very early)

Re:NTLMv2?

[abartlet]

NTLMv2 authentication is fully supported in Samba 3.0 - we brought the code across from TNG 18 months ago.

Recent alphas have LMv2 authenticaion too :-).

The truth is, almost nobody uses NTLMv2 - certainly not MS...

Re:late ???

[t0ny]

thats not true. Everyone you talk to wants to move, and sees the benefits of AD, but moving your entire production network to a new NOS takes lots of planning.

I have been taking the necessary babysteps to get my network on AD for the past year, and am almost there. But when your network has hundreds of users with a whole lot of servers that absolutely have to be up during business hours, and have your normal support stuff to do besides, it is quite a huge undertaking.

Probably the biggest thing that causes problems, but is the biggest reason to switch to AD, is being able to finally say goodbye to NetBIOS (the bane of my existence). Soon we will be deploying the AD Client to the Win9x machines and switching to DDNS for name resolution, replacing WINS. That step alone will solve tons of problems.

After that I will work on switching the PDC to Win2k and run it in PDC emulation mode until the other DCs are upgraded and AD is ready to go.

So, my point is just that its a lot of work.

Re:ACLs?

[Junta]

Samba already does support ACLs... I know that is at least possible if XFS is the underlying filesystem. It may be true for the other acl implementations, but Samba certainly is capable.

As an aside, I'm really not that big of a fan of ACLs, they get too complex for users to effectively manage too quickly in large organizations. Sure, in theory it is good to give that degree of granularity, but in practice it is too fine grained. Now if the users used acls judiciously, it is no problem, but I often see users frequently adding groups and users to allow access to certain files without bothering to ever remove them. At that point, the permission system breaks down, and that is my complaint about ACLs.

Re:Printing?

[psamuels]

Did I mis-read it?

No, you read it right. Here's the thing. samba.org has a much larger and (well, at least back in the boom days) better-funded team than we do, so we can only concentrate on so much at a time. Printing just isn't a priority. It might work in samba-tng, in some cases (it is after all derived from samba.org code, which includes printing) but we don't pay much attention to it.

If you need your PDC to also be a print server, you should either (a) run samba-tng and samba.org on the same machine, on two separate IP addresses and netbios names (yes, this is a common and supported configuration), or (b) just use samba.org for your PDC, which in the past wasn't such a great idea but nowadays it is reported to be quite usable.

Re:Don't jump on conclusions

[GombuMstr]

Well..... We are successfully using it since June of 2001 pre beta.... pre anything. We have not had a single problem with it except for printing. We solved that with Samba. It is really quite usable. Just don't run smbd with -d 10 and forget about it. :)

Samba vs Samba-TNG

[boots@work]

Samba-TNG was originally an unstable CVS branch, run by people from the Samba team. However, the project has now forked, and is developed by a separate group. It's vaguely similar to XEmacs vs GNU Emacs, although the details are very different.

If you want the unstable version of Samba, try the Samba 3.0 alpha snapshots. Many of the domain integration features will be in this development series. If I understand correctly, some of the code is reused from Samba-TNG (both projects are GPL'd), but most is rewritten.

As Andrews says in the open letter, diversity is good: you can try -TNG and 3.0a and see which one suits you.

Re:Still doesnt fix a Samba problem.

[Spruce+Moose]

When did you last post to samba-technical about it?

Try again - you might have some better luck. Bring your log file at debug level 10 with you.

Re:Still doesnt fix a Samba problem.

[Knightmare]

Unfortunately I would like to say nobody but... that seems to be far from the truth. Spend a little time doing consulting for the medical industry and you will be VERY surprised what you find. Alot of hospitals doing upgrades from 95 to 98, while xp is already at SP1. I figure by 2010 they will be up to NT4.

And yes there are people still using dos. Hell there are pharmacy packages that run off dual floppy computers still. Medical industry is the king of legacy. Low IT budgets and the fear of messing with something that "works." In most other places the biggest fear you have is an assembly line stops for a few minutes, or a website goes down for a few minutes (God forbid.) But you screw up an upgrade or change out to something that doesn't have a feature needed in the medical industry.... you might start killing people. Stakes are a little high, so the idea of if it isn't broken don't fix it is rather common.

Re:Still doesnt fix a Samba problem. Little Advice

[puto]

I am gonna have two subjects in this message. One a suggestion to fix the problem, and two, some advice on the medical software industry.

You are running dos software? I am assuming you are peer to peered unless you are running it across NT. Also assuming you want to put in a Linux box so you can have a fileserver, web proxy, and whatever your heart desires.

I dont know your office but i cant imagine it is very large if you are using DOS, otherwise you could have used novell. You dont have NT, or why would you worry about Samba?

Heres what I would do. Goto ebay. You can Lantastic with 10 licenses for 40 bucks. You can acquire as many as you need at that price or lower. You acquire an old p2 or p3 for 200 bucks and your choice of ram. make sure it is in good shape. Pricewatch a new one. 150 bucks for a new p3 750, kick another 100 for hard drive and nic. You ever seen DOS run on a p///??? Like a scalded dog.

Pop lantastic on that baby and fire it up and walk away. Problem solved for 300 bucks. And whatever labor you charge.

Give me some more details on what you want to do and what you currently have installed. Then I can probably be a lot more helpful.

My father ran a medical management company from 1970 to 1998. He had a mainframe installed in his office in 1970 to manage the financial end of the business then. He was way a head of his time. Offer the years I saw him switch systems from IBM/36s, in house Cobol Programmers, Sco boxes, Lantastic, Novell and finally to NT. And I learned them as they came out.

I installed and supported a variety of systems over a 10 year period in the medical industry. So let me drop a dime on you and save you some headaches. I also did a stint for a group of 8 clinics as the IT guy. 30k active patienrs running through my box. AS400, 8 modems. All locations dialed in with 286, 386s. with a client. Ran smooth as hell.

PLUS I was an actual clinic manager. I know the financial side as well.

****KEEP THE OLD SYSTEM RUNNING***** Whether it is still on the network or you got one station.

1. They have access to all the old records, as will be explained.
2. Something happens(employees refuse to learn new stuff) your box blows up. You got the old one as back up.

1. Doctors make plenty of money. But they do not like to spend it in their practice, usually the least amount is done on the system. And with good reason. Late 80's billing systems that filed electronically could cost a 250k and upwards. But most medical tech sales people approach it the wrong way. Tell them to finance it(yes banks will finance software and hardware together) make it a part of operating costs, and they can write the whole thing off, so no need to skimp. Get the numbers together. When you give final bid. Show them total cost. Then show them that they can finance for three years at 500 a month.

And remember all of this really hinges on docs being cheapskates.

2. DONT SKIMP ON HARDWARE OR SOFTWARE that manages peoples money. Because that 400 you saved you went with some cheaper hardware. It craps out. The manufacturer doesnt get the blame, you get the blame. You cant say"well you wanted to save money on the hardware" A doctor will have a lawyer on your ass in a heartbeat. And then tell all his doctor buddies at the club you are a louse. Remember you have to fix the hardware. Get a Dell. They make good on the warranty and quick. Docs also like big named companies, might have stock in them. Docs will throw a bone that way.

3. Most real practice management software, legacy software was made to run on old Unix boxes. AS400's. Some of it was later ported to dos boxes, or to run on Novell. However, the medical industry preffered UNIX. I have seen logs of uptimes of 5 years plus, and even one for 8. NT and SQL has made heavy inroads. Honestly, in all my years I only saw a few dos apps, and most were just clients that hit a nix box.

4.And if you glean anything from this post make it this. It is a good selling point, headache saver, and NECCESITY if you are going to have peace of mind.

NO DATA CONVERSION. Unless you intimatley know both databases, or someone has written a tool to go from one to the other. Do not do it.

A. You usually can only get patient demographics and money owed. Too difficult, costly, to get all historical data. Those old 'bases aint pretty.
And it costs money. And the first time Betty Sue Blowjob whines to the doc all the history aint there(cause she is too lazy to fill it in) he reams you.

B. Docs carry around a load of DEAD Accounts receivables. So you been using a system for 8 years, you are carrying around loads of deadbeats. If they hadn't paid in three, they will not pay ever. So any reporting on the A/R is useless. I knew a doc with 8 million in outstanding. And i did a couple queries, and it was because since he started practicing, he kept people on the books. Now is a good time to start fresh. Make this point to him. They alway go for it if you can explain it concerning money. Tell them that he can get current real A/R totals ,and on the old machine turn over all stuff over three years out to a collection agency(careful with this, some people are on payment plans and do not deserve collections).

5. Whenever a patient comes in the girls can say"Hey we have a new system, new encounter form, whatever" and have the patient fill it out. As each patient comes in, they do this. You clean up the patients files this way, mistakes, get all the new info, and it really is not too much work for the girls to do. And they do not have to sit 100 hours in a row rekeying. Just as necessary. And really, takes about 6 minutes for a normal typist to whip this on in. I did a study of this with 10 office workers.

So I hope I hope I have given you some ideas and things to look out for. You gotta really go head to head with docs. But 90% of it are people issues. I no longer work in this part of IT because it burned me out. I wouldn't reccomend it to anyone. And I left good money.