Samba 3.0.0RC1 Released
dook43 writes "Samba 3.0.0 RC1 has been released as of 8/16. Probably the most important new feature is its Active Directory support, but the rest of the new features can be found at the website."
3) New authentication system. The internal authentication system has been almost completely rewritten. Most of the changes are internal, but the new auth system is also very configurable.
Does this mean I won't have to authenticate for every directory I access?
(Or are we misconfigured from the get-go, and I should know and fix such an issue
http://use.perl.org
...besides the features is some absolutely outstanding documentation. The old 2.x docs were basically a really long HOWTO. The new docs are broken into self-contained chapters that start by laying out how a certain task or protocol work in general, and then how to configure Samba to take part in it. Considering that Samba can perform so many different roles, the mix-and-match method is a lot more sensible. Even if you don't use Samba, consider their docs as a reference for troubleshooting Windows problems - I've found they offer a far more complete and focussed discussion of Windows technologies for the sysadmin than any MS book or webpage.
Great job, Samba team!
Are you suggesting that AD is a good LDAP server? If so you are very wrong. AD really blows and is very slow. I remember a statement from MS about them getting 2.x million entries into their AD server, at about the same time Novell announced 1 billion! The only reason any effort is made within the Linux community to work with AD is because it is needed to work in many MS networks. Also, AD is an LDAP server with proprietary crap tacked on that MS does not share. I think the Samba team have made some great gains with SMB and now AD, all from reverse engineering.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
Right, I'm no coder actually: some PHP and the odd C walkthrough thingie to check out exploits. Anyway, excusatio non petita, but here it goes: why is the community chasing M$ in its hide&seek strategy? Isn't the M$ auth GINA (what a lousy name...) whatever replaceable? M$ does Kerberos proprietary? M$ AD is a VBasic LDAP server and some undocumented binary protocol? Screw them! Let's interface Windows auth methods to Unix rather than run after their stuff. Wouldn't it be cool if the Samba tree included some .dll to log an M$ box into an LDAP SSHA or cert, standards Kerberos environment? Why screw Unix philosophy for M$isms? OK, it's a flaming comment, but really, is there a reason for not taking this road?
I wonder who is behind all the stupid things I do - Altan
Perhaps if you spent as much time looking for hardware that works with Linux as looking for hardware that only works with Windows, you'd not be in such a jam.
Vanilla LDAP != inherently better than AD. There are some crappy LDAP servers out there. Whatever you can say about OpenLDAP, the management and administration side of it is primitive.
I consider AD to be a viable general-purpose LDAP server for certain applications. I'm using it for a 20K user directory right now...but I wouldn't go over 250K with it, especially one that required any kind of master-hub-replica architecture to scale.
Premature optimization is the root of all evil
Proprietary crap? Please elaborate.
The standard stuff is fairly standard. inetOrgPerson is available as an add-on (which I think is lame, but you can get there from here). Many of the other "compliant" directories have their own blind spots too.
The nonstandard stuff is sometimes doc'd, sometimes not; for instance, if you are expecting full docs on how GPOs are represented in the database, you will be disappointed. Then again, why would you code to their goofy extension?
One thing I think is *lame* is the 5k size limit on number of users in static groups. We are using dynamic groups/roles for some stuff, but static groups are a useful adjunct to that. 5k is just pathetic.
Premature optimization is the root of all evil
Anyone know how the wins support is? It looks like samba 3 will finally be able to replicate. Currently Samba can't replicate with NT servers, or as far as I know, even with other Samba servers. That sort of limits Samba in terms of redundancy. Is adding static entries to WINS new as well? I don't recall ever seeing that in the samba 2 documentation - that's been an unfortunate hang up where I work.
There are plenty of more elegant solutions for file sharing that have been developed and implemented in an open manner. AFS was designed at CMU and OpenAFS is largely the result of U of Michigan. This is certainly innovative and it is also open source. Painting 'open source' as a monolithic entity is silly; you may as well say that "I knew an MIT grad and he was a git, so all MIT grads are gits."
I have no reason to make Linux 'act like' Windows at home, where I can run a Linux network. However, at work I don't have that luxury. Networking with Windows is a reality. For this, Samba is an amazingly good piece of kit.
Think global, act loco
The problem is none of the Unix filesystems do snapshots the right way for a client-facing system. They all snapshot a whole filesystem at a time, not just change vectors. MS and NetApp, on the other hand, do it correctly and simply store the changes. This makes snapshots of infrequently changing data take up significantly less room. Veritas-style snapshots are really aimed at datacenters that want to be able to back up their database to a certain point in time while not affecting the live system. The one thing MS does wrong is place the revisions in a FIFO buffer where the 64th oldest backup is always the one that gets pushed off. I would like to be able to do things like you can on the NetApp and make hourly, daily, weekly, and monthly backups; with the MS solution you can only keep a couple of days back if you want to do hourly backup points.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
You should. OpenLDAP is very good. However, you can also look at commercial versions put out by Novell and Sun. Present them with choice over the MS dictate method.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
Actually it's funny, but the guys on the Samba team know more about the SMB protocol than anyone currently working for MS. I remember reading a tech conference note from one of the team members back before 2.0 went final: he had talked to one of the senior design guys from MS, and the guy couldn't answer some questions about the reasoning behind the design of certain parts of SMB. He had simply inherited the codebase and designed extensions to it to do the new things for Windows 2000; he knew very little about the history or design behind the overall protocol framework. Don't attribute to malice what can be more easily explained by ignorance =)
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
I just got back from a weekend retreat, but I have written a script/GUI for doing this, and it works fine in production (where the people know what they are doing). The setup is pretty automatic, and the GUI (based on Kommander, part of Quanta atm) allows a simple GUI interface to the setup, which should all work, but as I said I need people to play with it and break things!
It should work for Gentoo and Red Hat, atm.
sloppyadm.sourceforge.net if you are interested in helping.
Samba makes it very easy to get a Linux box on a customer's network. It also allows me to undercut the hell out of competitive bids in our area. All we are competing against is a bunch of vendors in the area, and all they know how to do is Windows and MS products. This allows us to completely smear any and all bids we run against them. We are doing it as much as we can right now because as Linux spreads it is going to get a whole lot harder to do this and still make the profits we are making.
Got Code?
Where would one look for some good solid information on what all these buzzwords such as "shadow copy" and "active directory" actually mean? I've seen those horrid 2003 Server ads, but what do these features actually do?
but it would be nice if newbies didn't have to run a webserver just to configure Samba
Have to say Linux is coming right along!! With AD support, and soon-to-be ACLs in the filesystem (some already have it), all I'm wanting is a pretty GUI admin tool...
:)
Okay, sorry I'm spoiled
Good job Samba Team!!!!
3000 dead over past 2 years, still no free Palestinians, still
First off, the point of elaborating was to get past "AD sucks."
Export of passwords? Hmmm, given that the big metadirectory solutions have a problem doing this with non-AD servers, why should AD be different? They're called "salted hashes", by the way, and everyone does them a little differently. Exporting the clear password would be a horrible security problem.
How to push authentication credentials? If you mean importing accounts, then the above answer applies. You can always go over SSL as well. Do you mean implementing cross-domain trust?
And the reason you can authenticate Windows logins against OpenLDAP is that AD supports LDAP protocols, but Windows clients don't use it exclusively. AD may or may not be a great LDAP server, but I don't know that anyone has ever claimed that Windows boxes are vanilla LDAP clients.
AD is an MS product that has reasonable support for LDAP, not a great general-purpose LDAP server (then again I don't think OpenLDAP fits the bill either). My point was that some of the general-purpose LDAP servers have interoperability issues as well.
Premature optimization is the root of all evil