Samba 3.0.0 Released

Matt writes "As posted on Samba.org the fine folks at Samba.org released their newest version of the popular free Windows File- and Print Server. Most famous additions are Active Directory integration and possibilities to form NT4 trust relationships. Release notes are online." See also their press release.

Get the doc!

[Karamchand]

..at O'Reilly's Safari Bookshelf!

Congrats to the Samba Team!

I did not have relations with that server

now my linux box has to deny having a relationship the that windows server next door.

Re:Becareful about using this

[Brahmastra]

There are exploits in every product, opensource or not. It's just a matter of you taking necessary precautions like using a decent firewall and patching regularly.

wonderful!

[borgdows]

...and possibilities to form NT4 trust relationships.

but is it wise to trust a NT4 server?

That's nothing !!

We've had Samba in Brazil for centuries...

Amazing how the USA thinks they are ahead of everyone else... ;)

Does this ver. solve the WinXP security "features"

[HiroProtagonist]

I was recently banging my head against the wall when attempting to use a Samba share on an XP box that had worked fine on all my Win2K boxes.

Days & days of hacking the config and attempting to get it to work to no avail. Finally I find that it appears that WinXP has some security "features" added into it that break the use of samaba shares.

This frustration I felt has actually pushed me one more step towards switching all of our machines over to Linux. It may not happen tomorrow, but it will happen.

Best new features

[linuxkrn]

The author missed one of the bigger points that they have working now. BDC! You can finally, if it works - I haven't tried it, have automated fail over without hacking some scripts and running a few PDCs. Very COOL!

That and it says it will work "out of the box" with Windows Server 2003. I wonder if that means they fixed the "trust" issue with Windows XP trying to auth with it for login without reg hacks....

Re:Best new features

[XSforMe]

Actually, I think the most important feature is this:
10) Support for migrating from a Windows NT 4.0 domain to a Samba domain and maintaining user, group and domain SIDs.
Why? NT Server is coming to the end of support period (Dec 2003). There are still LOTS of NT4 server out there. Last time I checked, you had to recreate ALL of the groups and users whenever you migrated them from NT4 to any other PDC (there is a little support for automating this activity, but it just saves you from retyping the users and groups names).

Vulnerable?

[gregarican]

Serious question here, not flamebait. Does Samba use similar RPC methods to thje Windoze NT family? If so are there potential exploits? I'm not sure. I've used Samba and Mars_NWE (a Linux emulator of a Novell Netware server) for years now but never thought of potential parallel security holes. I doubt that the code could be that similar, but am curious. I recall back in the day where anonymous RPC sessions on Windoze NT could totally give admin access through that simple sechole.exe exploit.

Aside from that concern I can personally say that Samba rules. I have benchmarked it as being a faster file/print server compared to Windoze on identical hardware. A Linux box that can act as a domain controller, and now participate in cross-domain trust relationships and use AD is a helpful tool for weaning folks away from Micro$loth.

Re:Vulnerable?

[gregarican]

Here is a footnote of the other side of the coin. I recall back around 1999 working with Samba 2.0.something-or-other. Our company had many sites but centralized Windoze NT domain administration at CHQ. I was interested in trying to sneak a Samba server onto the domain.

Typically in the Windoze NT model in order to add a server to the domain you have to have admin rights. I recall the Samba box added itself to the domain without any authentication necessary. It was funny when an NT admin from CHQ called me to ask me why our site had this new server showing up. He couldn't browse any of the shares (only local Linux accounts were defined in the Samba user file and /etc/passwd file) and was pissed.

I apologized and proceeded to take the box off the network, but found it funny that no authentication was necessary. With all of the inherent flaws in Microsoft's security models I would bet that a Samba box could potentially wreak havok on a pre-Windows 2003 network!

Re:Vulnerable?

[davecb]

Yes, the SMB protocol does use all the NT RPCs, and the Samba team usually find and fix numerous security holes in it with each new release. And report them to MS, and code Samba so it doesn't accidentally trigger NT security problems.

They're really very professional, and a pleasure to work with.

--dave (the Using Samba 3rd author) c-b

Re:Vulnerable?

[Large+Green+Mallard]

It's a fair enough question.. one that someone asked Tridge at LCA2003.

Basically no.

Buffer overflows in RPC are due to server programming, and since both are entirely different server codebases, they don't share vulnerabilities. But the Samba team have found many of these RPC bugs with windows ;)

Re:Vulnerable?

[requim]

Sounds to me like what you are describing is just the SAMBA server showing up in the browse list either via a WINS or NETBIOS name resolution. You cannot in fact join an NT domain without administrative rights to grant the machine an account in the domain, whether it be created on the server prior to joining the machine, or in the process of joing the machine to the domain from the joining machine.

This isn't to say that there are not other ways in which a unix box can wreak havoc on an NT/200x network...

Re:Vulnerable?

[gregarican]

I hear what you are saying, but I mean that the Samba box was on the Server Manager list as a member server. If I would've tried to add an NT Workstation or Server to the domain in this capacity the action wouldn't failed because I wouldn't have known the admin logon to authenticate. AFAIK you can't add another node to the domain in this manner without admin rights. But the Linux box popped right in without a problem.

Re:Vulnerable?

[requim]

I would like to test the scenario for the answer I am about to give just to validate my thinking, but I will give it to you anyway. My understanding of how the Server Manager lists the machines is by how the machine is configured, not necessarily as a member of any particular domain/workgroup/etc. It would appear that it lists the machines that are configured to set their domain/workgroup name via netbios in the same groupings (ie if you have a workgroup named SERVERS and and a domain named SERVERS) machines from both the workgroup and domain will appear in the same listing (if using Explorer or some other tree listing. The NETBIOS protocol uses/stores the machine type used for Domain Master Browser functions for election purposes in specific packets. These packets use a code to determine what type of function/server the machine is setup, so in the Browser elections that take place in each subnet, the machine with the highest setting wins (ie PDC > BDC > Member Server > Workstation (it's really a little bit more complicated, but this should suffice.)).

This being the case, I would have to interpret the samba server appearing in the Server Manager as a result of the code passed in the netbios protocol and it being used to determine machine times when listing the (PDC, BDC, Member Server, etc) I would also imagine that if you were to setup a second NT/200x server as a PDC using the same Domain Name, that that machine would also appear in the Browse List and have a similar effect, though in reality the two domains would not be related except by name (the SID's would be different which would cause many problems that I would rather not go into.).

Re:Becareful about using this

[Jugalator]

as we've seen so many times this week,

opensource != secure

by any stretch of the imagination, in fact there are probably numerous untold exploits available for this software. Its just a matter of time, as with any opensource product.

Yeah, so let's use the alternative.

Windows servers.

Those are more secure I heard. :-P

Re:Does this ver. solve the WinXP security "featur

[Jellybob]

I'm not entirely sure what you're talking about. I'm running Samba at home, and my XP boxes can pick up the shares on it just fine.

You may need to add smbpasswd entries for the machines users, but other than that, it should be ok.

Re:Becareful about using this

[davejenkins]

opensource != secure

Thanks Egan, good safety tip.

by any stretch of the imagination, in fact there are probably numerous untold exploits available for this software. Its just a matter of time, as with any opensource product.

And let`s also remember that _because_ it is open source, we now have thousands of developers who can view the code, find potential exploits, and then propose patches, QUICKLY and WITHOUT BIAS. Unfortunately, for patches to the same styled exploits that would exist in a closed source networking protocol, we would need to depend on a small team of developers under a common management structure (one pointy haired boss = single point of failure).

Open Source != secure
Open Source == better method toward security

quite impressive

[Dreadlord]

I quite happy with this new release, what I like the most about it is the new Active Directory support, I have been waiting for it since I started to use it in my homenetwork. Another impressive feature is UNICODE support (isn't mentioned in the post), one of my family members needed it badly to deal with non-latin charsets.
And the new "get" command which is similar to windows "net" is useful too.
Keep up the great work SAMBA team!

Re:Does this ver. solve the WinXP security "featur

[Large+Green+Mallard]

Samba 2.2.x + XP + SP1 requires some tweaking to do domain logons for XP clients.

Basic file sharing is fine, but if you're using Samba as a domain controller, you need to set a SignOrSeal reg value off to allow domain logons and also unset a "check profile ownership acls" setting which was introduced by SP1.

-- Someone who uses Samba 2.2.x as domain controller for several hundred XP boxes :)

Re:Becareful about using this

[weave]

in fact there are probably numerous untold exploits available for this software. Its just a matter of time, as with any opensource product.

Didn't quite a few of the Microsoft hotfixes credit the Samba team for finding the weaknesses and bringing it to Microsoft's attention?

rh9 samba lockup

I've experienced numerous random lockups using samba v3. The mount point would just hang requiring a samba restart.

After searching for a while, I found that there's a bug in Redhat 9's new thread library which samba somehow triggers. There's a workaround on the net, look for it and avoid hassling the samba team - they're not at fault here!

Re:Does this ver. solve the WinXP security "featur

[Large+Green+Mallard]

It's accessable from the MMC on each client machine, or alternatively if you have a recent enough samba, there's a "profile acls = yes" option you can set in the smb.conf

Re:Becareful about using this

[RevMike]

opensource != secure

Very true.

The advantage of opensource is that you can examine the internals yourself, and fix it yourself.

The more sophisticated the user, the more valuable opensource is. If you're a low level admin who can't do anything more than apply pre-canned patches, opensource may be cheaper but it isn't defacto better. If you can participate in the patch process by either writing your own patches or applying patches from the developers directly or from other users, rather than waiting for a vendor, you can be way ahead of the game.

It's called winbind

[buchanmilne]

You could do this with 2.2.8a if your AD server allowed anonymous authentication. If not, you need 3.0.0.

See how we do it on Mandrake (since 9.0).

I run a Mandrake 8.2 box in production as a mail server in an AD domain, all authentication is via winbind.

Re:Single Sign-On

[fodder69]

Yes, use pam and the winbind. I can ssh to my samba box and authenticate against Active Directory. There are how tos out there, here are a few links I used. http://www.netadmintools.com/part172.html http://www.flatmtn.com/computer/Linux-Samba3.html http://us1.samba.org/samba/docs/man/winbind.html

Samba 3, Squid and NTLM Authentication - a change!

[OneNonly]

One thing that does change with Samba 3 is the way that you need to configure Squid to use NTLM authentication...

If you upgrade and try using the old authenticators built with squid, you'll be stuck. Samba 3 comes with it's own helper utility (ntlm_auth) to work with other applications such as Squid.

I have written a Samba 3 / Squid Walkthrough that takes users step by step through getting this going.

Find out about it here:
http://itmanagers.net/article-4--0-0.html

Re:Single Sign-On

[pirhana]

Why dont you configure samba as PDC and use LDAP for all the authentication purpose?. I found it a robust solution. The beuty is that you can use it as a back end for any services/servers which requires authentication and can act as a truly single source of authentication. All the requirements you mentioned is possible with this.

Re:Does this ver. solve the WinXP security "featur

[TheMayor]

There is an easy fix to this for XP:

Settings -> Control Panel -> Admin Tools -> Local Security Policy

Look under Local Policies, then Security Options.

Look for "Domain Member: Digitally encrypt or sign secured channel (always)" and set it to DISABLED.

That should solve some of your problems.

XP only wants to trust other Windows machines when working in a domain environment.

Re:Does this ver. solve the WinXP security "featur

[batkiwi]

XP Home does not allow logon to domains, so there's no problem to fix.

No.

[abulafia]

It means samba can function as your Bondage and Discipline Cop.

What happens is that if you fail to listen to your Primary Domain Controller, the Bondage and Discipline Cop steps in to beat and humiliate you until you submit creditentials to the proper authorities. Usually, this happens when you're standing in front of many people and attempting to get at Powerpoint slides you left on your client machine.

Egads a new holy war...

[EvilTwinSkippy]

First it was VI vs. Emacs

Then, Gnome Vs. KDE

Now its MySQL Vs. Postgres

At least we are evolving from text editors and eye-candy to relational databases.

Re:Does this ver. solve the WinXP security "featur

[Jeremy+Allison+-+Sam]

Not any more. We implemented sign&seal for Samba 3.0.

If it doesn't work when you remove this please log
a bug at bugzilla.samba.org.

Thanks,

Jeremy Allison,
Samba Team.

Re:Does this ver. solve the WinXP security "featur

[Jeremy+Allison+-+Sam]

It's probably the Web sharing service. Turn off the client
side on the XP box. It tries to contact a port on the Samba
server that isn't open and times out. Sorry, I can't remember
the exact instructions to turn this off (I only use Windows
under VMware to test Samba :-).

Jeremy Allison,
Samba Team.

Re:Do you mean 'oplocks'?

[Jeremy+Allison+-+Sam]

No, they never did this. Oplocks are problematic in that
Windows boxes tend not to respond to oplock break requests
if there are *any* network problems. Most people have cheap
switches/hubs etc. For instance on my home network I can
only reliably ssh transfer a 100mb file over one of my
switches (the gigabit one), the 100Mbit switch will
consistantly corrupt the tcp stream causing ssh to abort.

oplocks need *reliable* networking hardware.

Jeremy Allison,
Samba Team.

Re:So Am I Nuts

[Jeremy+Allison+-+Sam]

I wouldn't do it. And I write lots of the Samba code :-).
The protocol is just too complex to be sure any implementation
is safe.

Hopefully that should tell you something. It should also
tell you why we don't want it in the Linux kernel. Microsoft
put it in their kernel - I think that's a mistake.

Jeremy Allison,
Samba Team.

Re:Open source top 5 best contributions

[xchino]

How are you going to compile apache without GCC? I think you should reverse that order..