Slashdot Mirror
Samba 3.0.0 Released
Matt writes "As posted on Samba.org the fine folks at Samba.org released their newest version of the popular free Windows File- and Print Server. Most famous additions are Active Directory integration and possibilities to form NT4 trust relationships. Release notes are online." See also their press release.
..at O'Reilly's Safari Bookshelf!
Congrats to the Samba Team!
now my linux box has to deny having a relationship the that windows server next door.
There are exploits in every product, opensource or not. It's just a matter of you taking necessary precautions like using a decent firewall and patching regularly.
...and possibilities to form NT4 trust relationships.
but is it wise to trust a NT4 server?
We've had Samba in Brazil for centuries...
;)
Amazing how the USA thinks they are ahead of everyone else...
I was recently banging my head against the wall when attempting to use a Samba share on an XP box that had worked fine on all my Win2K boxes.
Days & days of hacking the config and attempting to get it to work to no avail. Finally I find that it appears that WinXP has some security "features" added into it that break the use of samaba shares.
This frustration I felt has actually pushed me one more step towards switching all of our machines over to Linux. It may not happen tomorrow, but it will happen.
--Remove chicken to e-mail
The author missed one of the bigger points that they have working now. BDC! You can finally, if it works - I haven't tried it, have automated fail over without hacking some scripts and running a few PDCs. Very COOL!
That and it says it will work "out of the box" with Windows Server 2003. I wonder if that means they fixed the "trust" issue with Windows XP trying to auth with it for login without reg hacks....
Aside from that concern I can personally say that Samba rules. I have benchmarked it as being a faster file/print server compared to Windoze on identical hardware. A Linux box that can act as a domain controller, and now participate in cross-domain trust relationships and use AD is a helpful tool for weaning folks away from Micro$loth.
as we've seen so many times this week,
:-P
opensource != secure
by any stretch of the imagination, in fact there are probably numerous untold exploits available for this software. Its just a matter of time, as with any opensource product.
Yeah, so let's use the alternative.
Windows servers.
Those are more secure I heard.
Beware: In C++, your friends can see your privates!
I'm not entirely sure what you're talking about. I'm running Samba at home, and my XP boxes can pick up the shares on it just fine.
You may need to add smbpasswd entries for the machines users, but other than that, it should be ok.
opensource != secure
Thanks Egan, good safety tip.
by any stretch of the imagination, in fact there are probably numerous untold exploits available for this software. Its just a matter of time, as with any opensource product.
And let`s also remember that _because_ it is open source, we now have thousands of developers who can view the code, find potential exploits, and then propose patches, QUICKLY and WITHOUT BIAS. Unfortunately, for patches to the same styled exploits that would exist in a closed source networking protocol, we would need to depend on a small team of developers under a common management structure (one pointy haired boss = single point of failure).
Open Source != secure
Open Source == better method toward security
davejenkins.com |
File Locking. You can tune Samba to fix this.
I quite happy with this new release, what I like the most about it is the new Active Directory support, I have been waiting for it since I started to use it in my homenetwork. Another impressive feature is UNICODE support (isn't mentioned in the post), one of my family members needed it badly to deal with non-latin charsets.
And the new "get" command which is similar to windows "net" is useful too.
Keep up the great work SAMBA team!
The IT section color scheme sucks.
Samba 2.2.x + XP + SP1 requires some tweaking to do domain logons for XP clients.
:)
Basic file sharing is fine, but if you're using Samba as a domain controller, you need to set a SignOrSeal reg value off to allow domain logons and also unset a "check profile ownership acls" setting which was introduced by SP1.
-- Someone who uses Samba 2.2.x as domain controller for several hundred XP boxes
Sounds to me like signorseal. You want to edit the following entry:
v ic es\Netlogon\Parameters\requiresignorseal and set it to 0. Reboot and your XP machines will now be able to logon to your samba domain.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Ser
That's only because there wasn't a "Very Intersting" selection...
Didn't quite a few of the Microsoft hotfixes credit the Samba team for finding the weaknesses and bringing it to Microsoft's attention?
If you Google "Microsoft SAMBA oplock" you'll see a lot of hits, some of which went away when oplocks were turned off in Samba.
I've experienced numerous random lockups using samba v3. The mount point would just hang requiring a samba restart.
After searching for a while, I found that there's a bug in Redhat 9's new thread library which samba somehow triggers. There's a workaround on the net, look for it and avoid hassling the samba team - they're not at fault here!
We've been waiting for this release as the version to start replacing Windows servers with. We'd like to build the farm clustered, however. From our research, it looks like clustering Samba can only be done with Mission Critical Linux' products. Anyone seen anything else out there that can also do the job?
"It remains to be seen if the human brain is powerful enough to solve the problems it has created." Dr. Richard Wallace
Now that's something I haven't seen before.
"unset a 'check profile ownership acls'"
I'll have to look into that.
Thanks!
--Remove chicken to e-mail
I imagine the flamebait was for:
/.'s have been attempting to help me solve the problem instead of modding me out of existence. :(
"This frustration I felt has actually pushed me one more step towards switching all of our machines over to Linux. It may not happen tomorrow, but it will happen"
It's not flamebait people, it's actualy how I feel. Other nice
--Remove chicken to e-mail
It's accessable from the MMC on each client machine, or alternatively if you have a recent enough samba, there's a "profile acls = yes" option you can set in the smb.conf
Linux/FreeBSD
Apache
Gcc
PostgreSQL
Samba
In that order. Thank you.
Merlin
The promise of single sign-on for the various servers I have around here seems great :) While I know how to get Windows clients to authenticate against a Samba server, and also how to get *nix boxes to connect to a Samba server, is there a way to replace the traditional *nix login/authentication methods and replace it with Samba? Our domain is predominantly NT/2k, with a small scattering of Linux and FreeBSD boxes. Would be great if users could change their NT password and still be able to log in to our *nix boxes for e-mail and such.
Very true.
The advantage of opensource is that you can examine the internals yourself, and fix it yourself.
The more sophisticated the user, the more valuable opensource is. If you're a low level admin who can't do anything more than apply pre-canned patches, opensource may be cheaper but it isn't defacto better. If you can participate in the patch process by either writing your own patches or applying patches from the developers directly or from other users, rather than waiting for a vendor, you can be way ahead of the game.
Can anyone tell me if 3.0 includes an easier way to get computers in more than one workgroup to connect? I know you can do it with by running an extra instance of samba but it's awkward. Any better ideas?
I've got a bunch of laptops that have to connect to different workgroups but I'd like to have them all connect to my samba server. But they have different workgroups and that cannot easily be changed. Samba doesn't deal well with this out of the box, though it works pretty well under Windows proper.
I had a lot of trouble getting xp to read a public samba share with no password - 2k worked fine, but for xp I needed to do (in the command prompt):
/USER:
net use t: \\linux-box\samba-share *
(and just press enter for the password)
This maps it to drive t:
I call bullshit here. I regularly set up Linux Samba servers (file and print) that work fine with Win98, NT, 2K and XP machines. Both standalone and as domain members. I've used both the normal smb password file and LDAP passwords for authentication, and it all works faultlessly.
In fact I'm sitting at an XP machine right now that's mounting from 3 different Samba servers...
Code, Hardware, stuff like that.
You could do this with 2.2.8a if your AD server allowed anonymous authentication. If not, you need 3.0.0.
See how we do it on Mandrake (since 9.0).
I run a Mandrake 8.2 box in production as a mail server in an AD domain, all authentication is via winbind.
One thing that does change with Samba 3 is the way that you need to configure Squid to use NTLM authentication...
If you upgrade and try using the old authenticators built with squid, you'll be stuck. Samba 3 comes with it's own helper utility (ntlm_auth) to work with other applications such as Squid.
I have written a Samba 3 / Squid Walkthrough that takes users step by step through getting this going.
Find out about it here:
http://itmanagers.net/article-4--0-0.html
I'm sure a lot less than in W2K3.
2 so far?
This sig is the express property of someone.
That's exactly what I did 3 years ago when M$ started playing games with Active Directory, and I still had a network full of 98 and NT boxes. We set up a new domain, and moved all the file and print services to it.
Now that we have aged out all of the decrepid hardware and standardized on 2k, ActiveDirectory is a good idea. But that is 3 years, and a $100,000 in hardware later.
Having trust support would have saved me from having to hike to all the machines and add them to the new domain. I can imagine with NT entering M$'s discard pile, there are quite a few NT shops that are looking for a drop in replacement.
Enter the dragon...
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
nope, SignOrSeal is supported now!
- In Memoriam: Jeroen de Bruin (1972-2004), bye bro
This is a well-documented problem with XP and 2000 when service pack 4 is installed. Besides setting the registry entry "RequireSignOrSeal" to "0," you must run the "mmc" program, add a "Group Policy" Snap-in, then in there find and option that says something about ignore permissions on roaming profile. Set that to "enabled." I'm not yet at work, but when I get there, I'll get the exact key name and post it here. A quick search of google reveals it's not terribly obvious, although I found this before.
There is an easy fix to this for XP:
Settings -> Control Panel -> Admin Tools -> Local Security Policy
Look under Local Policies, then Security Options.
Look for "Domain Member: Digitally encrypt or sign secured channel (always)" and set it to DISABLED.
That should solve some of your problems.
XP only wants to trust other Windows machines when working in a domain environment.
The real key is that where there is money involved (ie. a company stands to lose money on good bug hunting and peer review) security is always going to come second to last. With Microsoft, here's the hierarchy:
1. Profit!
2. PR/Spin
3. ???
4. Satisfy customers just enough to keep them
5. Everything else (ie. security, stability, etc...)
Since a lot of OSS projects aren't made in the name of profit, the hierarchy is more like this:
1. Write something useful/cool
2. Share it with everyone and get peer review
3. Patch holes and bugs
4. Wind up with excellent quality software (Emacs, GNU, etc..)
5. Rinse and repeat
With either approach, you have to keep in mind that the cycles are unending because the bars are always being raised. But, which bar is payed more attention varies based on the end goal. For proprietary/non-free software, the only goal is to write software to make money. For free software, the primary goal is to write good software for the sake of writing good software. This approach angers the capitalists because it potentially threatens their system. And in the long run, Emacs is still going to be around long after MS Notepad is gone. Just like classical music has more lasting value than Eminem or Kidd Rock. Someday 25 years from now you can ask a 10 year old who Kidd Rock is, and they'll say, "Who"? But if you ask the same 10 year old who Beethoven is, they'll probably have heard of him.
Un-news
XP Home does not allow logon to domains, so there's no problem to fix.
Of course you're worried about migrating users. If Samba gets easier to use, you'll find people migrating from the biggest user base on the planet - Windows.
And worry about alienating Linux users? Please, where are you going to go to get something better? On a Mac? I know you're not going to stop using Linux (maybe Samba, but who cares, I guess) and go to Windows because your system is operating more and more like Windows.
Unless you're losing functionality, cheer the changes. As more users (like me) migrate to open source, your exclusive club will get better and better. I'll tell you one thing - if Samba gets easier to figure out, I'll certainly start using it to get my systems connected to a single file server.
What happens is that if you fail to listen to your Primary Domain Controller, the Bondage and Discipline Cop steps in to beat and humiliate you until you submit creditentials to the proper authorities. Usually, this happens when you're standing in front of many people and attempting to get at Powerpoint slides you left on your client machine.
I forget what 8 was for.
Then, Gnome Vs. KDE
Now its MySQL Vs. Postgres
At least we are evolving from text editors and eye-candy to relational databases.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
One of the stumbling blocks I've run into in the past (I am no Samba guru) is dealing with the occasionally complex, nested groupings, permisions, and far more detailed ACLs than the ext2-3 filesystems provide. I know that there are some filesystems (and what? overlays?) that can be applied to ext3 which allow more than OWNER-GROUP-WORLD permissions.
How does this improved AD integration tie in with the various exended-ACL solutions?
I would LOVE to yank most or all of our windows fileservers and replace them with Linux boxes. The increased security and protection from viruses, etc. would be great. But with thousands of users in hundreds of departments in our domain(s) needing to access some of the same resources with different permissions - I've not found a satisfactory Linux solution.
Obviously, I'm missing something. But it would be great to have an out-of-the-box solution that takes the best of NTFS (for what it's worth) and the best of journaled Linux FSs to provide a truly stable, yet flexible fileserver.
Any /.'ers have a solution that's worked for them which you'd be willing to share?
"terrorism" and "pedophilia" are the root passwords to the Constitution
Not any more. We implemented sign&seal for Samba 3.0.
If it doesn't work when you remove this please log
a bug at bugzilla.samba.org.
Thanks,
Jeremy Allison,
Samba Team.
It's probably the Web sharing service. Turn off the client :-).
side on the XP box. It tries to contact a port on the Samba
server that isn't open and times out. Sorry, I can't remember
the exact instructions to turn this off (I only use Windows
under VMware to test Samba
Jeremy Allison,
Samba Team.
I wouldn't do it. And I write lots of the Samba code :-).
The protocol is just too complex to be sure any implementation
is safe.
Hopefully that should tell you something. It should also
tell you why we don't want it in the Linux kernel. Microsoft
put it in their kernel - I think that's a mistake.
Jeremy Allison,
Samba Team.
Yes it works.
Jeremy Allison,
Samba Team.
Someone please explain why my post was moderated as redundant. I looked at all previous posts and did not see a single overlord comment. If the joke isn't funny then it should be rated offtopic, or overated, but not redundant. Unless, maybe the moderators were saying that the joke was getting redundant. I think moderators should provide an explanation for their decisions. That way posters would learn what makes a good post good and a bad post bad.
Well.. maybe. Or Maybe not. But Definitely not sort of.
ACLs aren't just limited to XFS. ext2/3 has had ACLs for years, with support being rolled into the kernel proper with 2.6.
Marxism is the opiate of dumbasses