Samba Beats Windows IT Week Labs Test Results

jmhowitt writes "Tests by IT Week Labs show the latest version of the open-source Samba file and print server software is 2.5 times faster than Windows Server 2003 in the same role. The news comes as many firms are grappling with the consequences of Microsoft ending support for NT4, coupled with uncertainty about when Microsoft will next update Windows. The performance difference between Windows Server 2003 and Samba 3 has increased dramatically compared with Samba 2 and Windows 2000 Server."

Best choice for the job?

[Sheetrock]

I've been using Samba for awhile, and despite some config difficulties it performed as advertised.

However, even if it's quicker than Windows Server 2003, NFS still seems to do a great deal better on my home network for the same things. For example, I typically get 10%-20% of the transfer with SMB as I do with NFS.

So I don't recommend using Samba at all unless you're looking for Windows compatibility.

Re:Best choice for the job?

[Gwala]

Hell' if your not looking for Windows compatibility, FTP can work wonders. It's got minimal overhead, has been expanded several times (eg SFTP), has a secure base and run's on any system with minimal problems. Window's is a little less compatible (ie it's not as point and click, as the network neighborhood, but still, it's only typing a url)...

-Gwala

Re:Best choice for the job?

NFS has extremely bad security. It is practically unusable if you must allow "decentrally administered" systems on your network.

Re:Best choice for the job?

[Paul+Jakma]

remember NFS is utterly insecurable

sigh... not so, incorrect and misleading statement.

at least until NFSv4 becomes available

sigh.... the "security features" of "NFSv4" are:

• Not NFSv4 specific. NFSv3 can use them too. Indeed, many other apps can use them. because:
  
• Not even related to NFS, they're related to RPC, upon which NFS is built.
  
• "security features" only in so far that NFSv4 makes secure RPC mechanisms (eg RPCSEC_GSS) /mandatory/, as opposed to optional (NFSv3), hence the reason why finally Linux is getting support for something more secure than plain old not-too-secure AUTH_UNIX.
  

See OpenBSD or Solaris (and probably a other commercial Nixen) for NFSv3 (maybe V2 as well) with strong RPC authentication methods - (ie RPCSEC_GSS) - they've had them a while.

Just because Linux does not support strong RPC auth mechanisms (upon which security of NFS, etc.. depend), does not mean NFS is insecure. Stop tarring NFS with the Linux brush. And yes, it will be good to get strong RPC security support in Linux at last.

Re:Best choice for the job?

[Paul+Jakma]

"Stop tarring NFS with the Linux brush." Ahem... chill out.

Well, that is effectively what you did :)

but to the avg linux user NFSv3 is insecure

No... Linux's kernel RPC does not support any strong security mechanisms. Neither does glibc really, but I think it might now support AUTH_DES (shared key DES, not terribly secure, but better than AUTH_UNIX) to some extent. I dont think its really used anywhere.

Is the v3 spec abiguous

Nope. Again, RPC != NFS. NFS /uses/ RPC, RPC is the mechanism by which NFS clients and servers communicate. Just as how HTTP operates over SSL (if you want security) and you would not blame HTTP for problems or lack of support for strong security/auth mechs in SSL, you can not blame NFS too much for problems in security, as it relies on RPC to establish credentials (just as HTTP would with SSL). The major difference between v3 and v4 in terms of security is that v4 specifies that RPCSEC_GSS /will/ be available, whereas the lowest common denominator with v3 is plain AUTH_UNIX. So there is no choice but to implement secure RPC if you wish to support NFSv4. Hence the secure RPC mechanism will be guaranteed to be interoperable (Eg, only Sun supported AUTH_DSA iirc), eg these mech's presumably will have been tested at the NFS bake-athon's.

Was it hampered by export restrictions?

Probably, RPCSEC_GSS tends to be Kerberos v5 at the backend. Which was restricted. Sun's AUTH_DSA was similarly restricted as "ammunitions" for quite a while.

Anyway, go google for rpc_secure, RPCSEC, RPCSEC_GSS, AUTH_DSA, AUTH_DES and AUTH_UNIX! :)

Nice advertising

[BiggerIsBetter]

Now where are the numbers to back it up?

Re:Nice advertising

[Stonent1]

Now where are the numbers to back it up?

I was thinking the same thing. The article added nothing to what we already read in the Slashdot summary. The basis of the article "Someone (who is not us) says that Samba is 2.5 times faster than Windows server 2003!"

Score!!!!!!!!!!

Knowledge of the protocol

[MadX]

I read a while ago about some of the SAMBA developers having a better grasp of how the services / protocol all tie together, than the M$ employees doing the development. Most of the current M$ team inherited code from the older versions of the OS, and they are merely building on top of this codebase. The SAMBA team have had to reverse engineer the protocol. So it seems to make sense therefore, that should you understand it better, you can sqeeze more out of the service on the whole. It therefore appears that it can only get better and better as they develop ..
I also don't know how many developers are on the samba team in total (contributors / developers), but I would almost start assuming more than the manpower assigned by M$ to this area of code for Windows .. And with it being opensource, bugs are easier to find ...

Re:Security

[Kegetys]

Since when would it be a more secure choice to use a Windows based fileserver instead of a Linux one?

Sneaky popunder

[jsmyth]

Dunno if anyone else noticed, but when I clicked on the article, a "VNUNet Special" opened in the background, which was an advertisement or promotion under another name. It was formatted just like all other VNUNet articles, but was clearly a Microsoft sales pitch for W2003, complete with a flash advert on the right, and one at the top, both for W2003.

Interestingly unbiased, when clicking on a Samba article...

Samba starter question?

[WuphonsReach]

I know this is more of a AskSlashdot question...

My impression of Linux/Unix systems has always been that each host has it's own set of user accounts and if I have 3 hosts it means that I have to maintain 3 sets of passwords. With NT4/Win2000, my servers share a common userspace so that you only have to maintain a single user account. Is there something under Linux/Unix that does this?

How easy is it to drop a Samba server into an existing Win2000 network? Our Novell 5 server is starting to show it's age (file/printing only) and I'm starting to wonder whether to move to a later version of Novell, switch to Linux/Samba, use a NAS device, or just load up another Win2000 server.

(With the security issues this year with Windows, however, I'm not sure I want to make Windows our main file server.)

We just decided to use Samba

[SailFly]

I'm a networking, sysadmin, programmer (mostly programmer) consultant for small businesses in Sarasota, Florida. Most of my customers are small businesses (less than 12 people) and are looking for ways to keep costs down.

After proposing a new 2.4GHz server with Win2k3, they were sticker shocked and decided to not hire me for the job. Then one of THEM mentioned Linux (which I love and hav used for 5 years). I told them that I use Linux in my software development practice, and we could consider this as an alternative for File Server (Samba), centralized security (ldap) and backups (Mandrake backup utility). We're also using VNC (realvnc.org) for remote desktop. I can also easily SSH and do remote X session from my office, or use VNC.

It's been up for a week now, and they LOVE IT! It's fast, flexible, and you cant beat the price. And I've learned my Lesson to be mention Linux even when they specifically ask for Windows (I'm not a pushy sales person, but I do believe an presenting choices to my customers)

They wanted to outsource their IT department (the owner doesn't ever want to worry or think about their IT issues), so we made a deal that allows me to keep their systems updated, but doesn't force him to hire an on-site IT person.

Speed was NOT an issue for the Samba server, since they mostly use MS Office (win xp pro workstations) documents. However, this was a great step for them to embrace and support open source software (I donate to several projects in turn).

I hope this story might help somebody who is considering doing something similar. I'm happy to answer any questions about our experiences.

-Scott James

Re:We just decided to use Samba

[FyRE666]

Samba is a great tool for promoting Linux, I've found. When I began working at my current job they had a rack of (remarkably unstable) NT4 machines, with a couple of Linux servers doing nothing particularly worthwhile. I mentioned maybe installing some apps to make them more useful to everyone, and was given free reign (though I'm actually employed as a software developer rather than an admin).

Anyway, it's fair to say the NT admins, and other IT staff were pretty impressed once I'd integrated the Linux boxes into the domains, migrated a lot of Access reports (spreadsheets)across to perl+MySQL - making them execute in some cases hundreds of times faster, plus various other utilities. We have a nice development intranet, web tools for monitoring and handling problems with the Windows/HPUX servers and more all running on Linux now. We have DHCP+Dynamic DNS updates on Linux instead of the manual-settings they were using on clients before, traffic shaping via iptables etc etc...

Our latest subnet's first server was linux, and I can't see an NT box getting into that rack any time soon ;-)

It took some of my spare time, and patience to get the company to give Linux a real chance to prove itself, and I think without Samba it wouldn't have happened anywhere near as fast! I'm currently pushing to move our commercial system from HPUX to Linux (yes, a version of our in-house system exists for Linux), since a replacement HP box will cost over 50,000 with no more power or disk capacity than an x86 box with a couple of P3 1ghz in it (we were astonished when we asked about a pair of 750MHZ CPUS to upgrade the 400MHZ parts in the current HP box, and told they'd cost 7,500... EACH!)

So, well done to the Samba team!! Pity you're still allowing the scumbags at SCO to profit from your work though...

nuts.

[Erris]

NFS is utterly insecurable, Samba not. For home NFS is the system of choice but in a larger environment... you want to run Samba

If security is your worry, use ssh on a reasonable OS in any size environment. As the orignial poster said, Samba is only useful when you have brain dead M$ client machines. If you have a real OS on the desktop, you don't need M$ protocals. Samba, as good as it is, implements M$ holes, so that M$ transmitted diseases from your client boxes can fill up or wipe out your shares after calling home and giving away everything you care to keep to yourself. Security fails with the weakest link and that will be those nasty old M$ PCs as the Half Life people recently discovered.

Real agencies worried about security have gotten away from Microsoft. I spoke with a Federal Employee last week who told me about her locked down Linux laptop. It did what she needed it to do. Real information management comes with real hardware and software ownership. Real software ownership only comes through free software. If you are running M$, someone else owns your hardware and your data and you agreed to it with the EULA.

Re:nuts.

[Erris]

I said:

Samba, as good as it is, implements M$ holes, so that M$ transmitted diseases from your client boxes can fill up or wipe out your shares after calling home and giving away everything you care to keep to yourself.

You seem confused and ask, rudely: WTF are you talking about? The permissions you have on a mapped drive has nothing to do with what you mapped the drive with. Samba, NFS, Novell, FTP, HTTP or logging in locally all depend on permissions you are given to the file system.

Well sure, samba is better than Windoze servers for this reason, but that does not keep Windoze clients from mucking up your security. Server side permisions do you no good when a client with all the required permisions is comprimised. Microsoft clients are so easy to own that they wreck any attempt at keeping information secure. If, as in the case of the Half Life source code leak, someone uses a LookOut hole to install a keylogger, all the permisions of your LookOut user are now in the hands of someone you don't know. The worst security nightmare is someone back orificing a windoze box on your network. From there, they can go just about anwhere. This is why no one who's worried about security should use Microsoft anywhere.

Does that clear things up for you?

Re:nuts.

[Cat_Byte]

I use both linux and several flavors of MS daily. What is the difference in using samba for shares if a *nix box is compromised? None! If a username/pw has access to a share and it is compromised, you have access to the share. This is not a samba/NFS vs MS/*nix problem. This seems to be based on *nix not being hackable and the fact someone can't walk up to a *nix machine logged on and start typing.

I've been a security admin for almost 10 yrs and keyloggers, machine hijacks, etc DO exist for *nix too. If using a *nix client and a samba share makes you feel like you're secure, watch out. It's going to bite you where the sun doesn't shine.

Also, how many people do you know that use anti-virus on their *nix servers for samba shares? I don't know very many at all. They are usually hosting tons of windows viruses that can compromise the network when a client gets infected.

I love samba and use it myself. It's just scary to see people who still believe a non-MS product == always secure.

Re:The best thing about Samba...

[Lumpy]

also it makes for easy detection of worms or virus spreading. I detect the latest spreading on my samba servers at least 20 hours before the knuckleheads in corperate have the first clue that something is up. and using simple, existing log tools for linux make it happen.

Re:The numbers....

[sheldon]

Wait a minute. The BL10 is a Blade server.

Who would use a Blade for a file server?

Something doesn't make sense about that choice. Why not an Proliant ML530 or ML570? Something with RAID, an I/O bus and internal expansion? The BL10 only comes with a single ATA 40 Gig drive, no RAID... and you can't even hook it up to an external fibre array storage box like EMC.

That just seems like a really bizarre choice, almost makes me wonder if they had an ulterior motive.

Re:Okay, but who cares?

[Apparition29]

Absolutely. Talk to anyone in a CAD environment. We have servers with over 4GB of RAM and have 1Gig Network cards (both client and server side). We realized speed increases on the client end every upgrade of the server, increased RAM and higher speed network cards. Then again we may be 'different' we have 100's of thousands of parts that are opened in each assembly.

Re:Easy Way of Handling Printers

[Cat_Byte]

CUPS rules in my opinion simply because I can share certain HP printers that their own MS drivers can't...heh. I have an HP 710 and in their how-to's it says to share it you need to load a generic HP Laserjet driver (which disables the color, fax, scanner, etc). I still can't use the scanner/fax but I can print in color over the network. Very cool for free software.

Re:Okay, but who cares?

[laird]

You're right that for a typical workgroup raw performance doesn't much matter -- either NT or Linux+SAMBA would be "fast enough."

Where this does matter is to someone:

1) Making a decision between NT and Linux+SAMBA. It's great for the OSS alternative to not only be better strategically, but faster and cheaper. You'd have to work pretty hard to justify why you'd pay more (forever) for a slower fileserver that's less secure and requires you to do more paperwork and maintenance.

2) Trying to save money. A 2.5x performance advantage on the same hardware can also mean perfectly good performance on 1/2.5th of the hardware. So instead of buying a NT and a "2Ghz fileserver with fast ethernet and half-a-gig of RAM" you can get the same performance out of Linux+SAMBA on an old 800 MHz PC with 128 MB RAM that you have lying around, or which can be bought for almost nothing compared to the macho server required to get the same performance out of NT.

Re:Uh, where are the benchmarks?

[sootman]

I heard before (in the w2k days) that on a given piece of hardware, Samba ran twice as fast as w2k file sharing. When 2003 was first being touted a few months ago, MS said that they improved file serving so it was "faster than the competition", which means it's as fast as Samba (if not faster.) And now Samba is 2.5x faster again? That's more than a little unbelievable.

What I'd like to see would be an open, month-long contest, with 3 boxes--say, a single P4 with a couple drives, a dual-xeon+RAID, and some huge mother connected to a fiberchannel SAN. Make two identical copies of each box, then let MS tweak one set as far as it will go and let the Samba team tweak another. Make it a month long and open so each team can publish their results, get more opinions, etc etc etc., until everyone on both sides is convinced that the whole contest is as fair as can be and that neither side had an advantage. Then, see who won. Otherwise, we'll just keep seeing what we saw today and every other test--people come out of the woodwork claiming MS fixed this, or the Linux/Samba-biased testers didn't know how to tweak that, etc etc etc. Once it's this open and agreed upon, it wouldn't matter if the contest were funded by Bill Gates or Jeremy Allison. Until then, I'll just keep ignoring these tests.

Re:The numbers....

[sheldon]

That doesn't make much sense. A Blade isn't a cost justifiable solution for a small business, as you don't just buy one of them... you've got to buy the whole rack and supporting hardware to plug them in. A small Proliant ML would be far far cheaper.

And why would you bother benchmarking a file server for 15-20 seats? We used to server 500 users off a 486DX33 running Novell back in the day. 15-20 seats doesn't constitute a need for benchmarking, you could use anything.

I guess my point is, this hardware seems odd, like it was chosen because Linux would look better on it for some reason. I want to see further details and try to reproduce this benchmark myself.

Re:"reverse engineer"?

[AstroDrabb]

The base SMB or Server Message Block protocol is not the problem. It is as usual, all the MS extensions and divergences from this that are NOT documented publicly or published that make reverse engineering needed.

Re:Okay, but who cares?

[Halo-]

Try working as a developer on a large corporate software product. An average build in around a gig a pop, and you either have people "backing" to them, or copying them wholesale. Add in the fact that these patterns are also really bursty (based on build publications) and you are talking serious overhead.

We don't use Samba as the primary fileserver, but the majority of the windows developers use a Samba mirror (or gateway) to the backing tree.

If copying a build goes from 20 minutes to 10 minutes, and then you multiply this across the number of users, you get a signifigant time savings. (Especially for things like build publications, because the temptation to waste time "while the build copies" is pretty high. :) )