Samba 4 Reaches "Susan" Stage
superfebs writes "Some days ago Samba4 reached a pretty serious test stage. Promises are beautiful: full SMB protocol implementation, Active Directory Domain Controller facility, and more; here's a full roadmap."
It's not; that's an advert quite cleverly designed to look like the rest of the site. The links are all ad.doubleclick.net and the blurb is all about Windows being better.
Slashdot even has MS adverts; they are just everywhere. And where better to put them? Trying to scare inquisitive new users away.
How many computers are too many?
Check out cwrsync
It is a stand-alone package of rsync for Windows. It even comes with an installer to make it run as a service. I use it to replicate web content on some fairly major websites.
If you had RTFA, you would realize that it means that the head developer, Tridge, who started the whole Samba thing years ago, goes to the place where his wife, Susan, is testing it at home. She has apparently been a tester for every major release, and she apparently encouraged him to start the Samba project to begin with.
For more information on lkcl: here is a quite interesting presentation by Luke Kenneth Casson Leighton (lkcl) from an SSLUG (a Danish LUG) meeting: http://sslug.mmmanager.org/Members/BabyTux/luke_leighton
They actually made a full implementation of AD Controller (a very difficult thing to do).
This is really a major achievement.
Kudos to the Samba Development
I presume this has something to do with some Windows functionality?
I remember reading Andrew Tridgell's comments in 'The Rebel Code' by Glyn Moody - "...And we try to remain bug-for-bug compatible where it makes sense. There are some cases where it doesn't make sense, and their [MS] bugs are just ridiculous, and you shouldn't emulate them. But in most cases, we emulate the bugs so that we interoperate completely with the Microsoft implementation."
The Windows world has either robocopy or the more automated Distributed Filesystem support. DFS replication is a bit more elegant but robocopy is nice and simple, easy to understand and very easy to script.
Robocopy != Rsync
Rsync copies the minimum amount required to make the old file == the new file - works well over slow links. Robocopy can only copy whole files.
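The point made above (rsync sends only what is needed to turn the old file into the new one, which is why it copes with slow links where a whole-file copier does not) is easier to see in code. The following is an added example, not code from the thread or from rsync itself: a simplified version of rsync's block-matching idea in Python, using a weak rolling checksum to find candidate blocks and SHA-256 as the strong hash that confirms a match (real rsync uses its own rolling checksum with MD4/MD5 and a more elaborate wire format). The 16-byte block size and the 4 bytes charged per block reference are assumptions chosen to keep the constructed sample readable; the "old" and "new" files are constructed inline.

```python
import hashlib

BLOCK = 16          # assumed block size (rsync picks a much larger one)
MOD = 1 << 16       # the two 16-bit halves of the rolling checksum
REF_COST = 4        # assumed bytes on the wire per "copy block N" reference


def weak_sum(data):
    """Rolling checksum of one window: a = sum of bytes, b = position-weighted sum."""
    a = sum(data) % MOD
    b = sum((len(data) - i) * c for i, c in enumerate(data)) % MOD
    return a, b


def roll(a, b, out_byte, in_byte, n):
    """Slide an n-byte window one byte to the right without rescanning it."""
    a = (a - out_byte + in_byte) % MOD
    b = (b - n * out_byte + a) % MOD
    return a, b


def strong_sum(data):
    """Collision-resistant hash that confirms a weak-checksum hit is a real match."""
    return hashlib.sha256(data).digest()


def signature(old, block=BLOCK):
    """Receiver side: per-block (weak, strong) sums of the file it already has."""
    sig = {}
    for idx in range(len(old) // block):
        chunk = old[idx * block:(idx + 1) * block]
        sig.setdefault(weak_sum(chunk), []).append((idx, strong_sum(chunk)))
    return sig


def make_delta(new, sig, block=BLOCK):
    """Sender side: walk the new file, emit ('copy', idx) for blocks the receiver
    already holds and ('lit', bytes) for everything else."""
    ops, lit, i, n = [], bytearray(), 0, len(new)
    if n < block:
        return [("lit", bytes(new))]
    a, b = weak_sum(new[:block])
    while True:
        window = new[i:i + block]
        if len(window) < block:
            break                      # trailing partial block goes out literally
        matched = False
        for idx, strong in sig.get((a, b), ()):
            if strong == strong_sum(window):
                if lit:
                    ops.append(("lit", bytes(lit)))
                    lit = bytearray()
                ops.append(("copy", idx))
                i += block
                if i + block <= n:     # restart the checksum after a block jump
                    a, b = weak_sum(new[i:i + block])
                matched = True
                break
        if matched:
            continue
        lit.append(new[i])             # no match: this byte must be sent as-is
        if i + block < n:
            a, b = roll(a, b, new[i], new[i + block], block)
        i += 1
    lit.extend(new[i:])
    if lit:
        ops.append(("lit", bytes(lit)))
    return ops


def apply_delta(old, ops, block=BLOCK):
    """Receiver side: rebuild the new file from local blocks plus sent literals."""
    out = bytearray()
    for op, arg in ops:
        out += old[arg * block:(arg + 1) * block] if op == "copy" else arg
    return bytes(out)


def transfer_stats(ops):
    """How much would cross the wire, versus sending the whole new file."""
    literal = sum(len(arg) for op, arg in ops if op == "lit")
    copies = sum(1 for op, _ in ops if op == "copy")
    return {"literal_bytes": literal, "copies": copies,
            "wire_bytes": literal + copies * REF_COST}


def build_example():
    """Constructed sample: a 1000-byte 'old' file and a 'new' one with 8 bytes inserted."""
    old = b"".join(b"%04d\n" % i for i in range(200))
    new = old[:300] + b"INSERTED" + old[300:]
    return old, new, make_delta(new, signature(old))


if __name__ == "__main__":
    old, new, ops = build_example()
    assert apply_delta(old, ops) == new
    print(transfer_stats(ops), "vs whole file:", len(new))
```

Only the 24 bytes around the insertion and the unaligned 8-byte tail travel as literals; every other block is referenced by index and is already on the receiving side. The strong hash is what makes this safe: a weak-checksum collision would otherwise let a wrong block be spliced in silently, and anyone using delta replication for anything that matters still verifies a whole-file hash after the transfer.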
My solution is to either use ssh and copy the file from the box, or if the two servers/shares are Windows I use AnalogX TS Drop Copy which does exactly what you ask for.
Samba3 is a mess. All the RPC code is hand-written, the SMB parsing logic is all over the place.
Samba4 automates the generation of most of the RPC code (the numbers change frequently, but it's something like 3,000 lines of IDL now replacing 100,000 lines of hand-coded C).
Plus, Samba3 took the approach of just doing enough of the protocol so that it worked. You'd see a lot of mysterious += 8 where you'd just skip over chunks of the packet. In Samba4, every field is understood and accounted for.
Samba3 never could have been written as Samba4. No one knew enough about SMB to understand that Samba4 was needed. This is really just Samba4 growing up.
The biggest user-visible change is going to be better Active Directory support. Active Directory support in Samba3 is painful. Very painful. If Samba4 does get its own LDAP server, you may see some extremely good interop in Samba4.
I'm sorry, but Samba is not ready for prime-time. Having a single point of failure in your Samba PDC is not acceptable for enterprise use.
Well, if you looked a bit deeper into FSMO roles and AD, you would see that Windows has a glaring SPOF also. Your box responsible for the Global Catalog is NOT the one you don't want to lose.
It would be nice if they actually fixed their LDAP code so that it would work with any directory server other than OpenLDAP.
It does. We routinely run it with IBM Directory Server.
and the buggy Samba implementation of LDAP as a storage mechanism for account information just doesn't work with anything other than OpenLDAP.
Were you linking against iPlanet LDAP libs or OpenLDAP libs? It's quite possible that you're linking against the OpenLDAP libs and that they're not getting along with iPlanet.
Samba only uses the standard LDAP calls. Other than the schema extensions (which unfortunately aren't in a standardized format) there's no LDAP-platform dependence.
It's bizarre; it's actually as if Samba is sending the XP client a buffer overflow while authenticating.
Why haven't you submitted this as a bug report at samba.org?
I spent weeks working with RHEL technical support,
Grab the latest from samba.org. The RHEL packages are sometimes quite old.
I'm sorry, but Samba is not ready for prime-time.
It's good that you made this decision for the world. Since no one's actually using Samba in production environments right now.
Look, Samba's used in a lot of enterprise environments. Your experience isn't the norm. Your environment also isn't the norm. Not many folks use iPlanet. Netscape's DS is also considered one of the lesser LDAP servers out there.
If this is a reproducible bug, and of the severity you describe, and is still present in the latest version of Samba, it'd certainly be a high priority fix.
Keep in mind though, we don't do a lot of testing with things like iPlanet because we don't have access to copies of it. OpenLDAP and IDS get a lot of testing with Samba because people who work on Samba have ready access to it.
What's more, I don't see a single way in which any kind of LDAP failure could result in Samba sending an incorrect packet (with an incorrectly sized buffer) to a Windows client.
Bugzilla is your friend.
Actually, there is a CopyFile SMB. If it's there, Samba4 supports it. However, the burden really falls to the client here. It depends on how smart KDE would be in using the appropriate SMB's. Samba4's client libraries are much richer than Samba3's so the ability to do this would be exposed to them.
So, the short answer is yes, but it would require a much more sophisticated client than what you presently see today.
yep, that's me.
yes, i failed. i took on a fascinating and very large task - to help EVERYONE out of a difficult hole, both microsoft, the open source community AND its users, AND microsoft and samba's competitors (the Storage Area Network community). i succeeded in getting the knowledge out there but i failed in implementing it in an "acceptable" way.
yes, the times when i was working on samba got progressively more painful as the difference between the SAMBA_NTDOM and the main cvs branch got steadily further and further apart - in the end approximately 100,000 to 120,000 lines of code apart.
yes, without the work that i did for four years, spurred by paul ashton's initial decoding of the NT domains logon system, the samba team would likely still be peddling you a system that was compatible with windows 95. that's a gross exaggeration: the Active Directory interoperability is a lot easier but still fraught with difficulties.
one of the key problems was that andrew tridgell found it increasingly difficult to actually accept that i could think of things that he could not.
he also had great difficulty, as most people do, in accepting the level of complexity of the MSRPC (aka DCE/RPC) subsystem and quite how inter-connected the whole thing is.
in the end, i had to use other people (such as tim potter, to whom i am very grateful) to get ideas and code accepted.
in particular, the winbind project: note the striking similarity between the use of unix domain sockets in winbind, which andrew tridgell reviewed and accepted, and the use of unix domain sockets in Samba TNG, which andrew tridgell REFUSED to review and REFUSED to accept.
i was told, by andrew tridgell, things like "you should try to log in as root occasionally, and if you break out in a cold sweat, lie down for a while until the feeling goes away".
whilst i learned an awful lot about systems programming from andrew, the way that he treated me was with disdain and complete lack of respect - which was terribly, terribly disappointing for me because, being absolutely honest, i loved and respected him greatly.
anyway: he learned nothing from me, and consequently, he has set samba's development back by at least ten man-years.
luke howard, in three years, ON HIS OWN, produced XAD (www.padl.com) which he has been selling for at least the past two years as a commercial product - an NT 5 Active Directory Server.
warning, warning, that presentation is about two hours long!!!
Check out Unison File Synchronizer.
It's a bi-directional file/directory synchronizer; it works over just ssh, is cross-platform, and is very fast.
Extremely useful when you need to keep, say, home and university accounts in sync, or do remote backups.
"My experience is with AD in small networks, where the users want something simple like central passwords and roaming profiles. ..."
Yah, that's generally what we use it for, too. (I work for an IT systems integrator.)
"... there have been nothing but problems. Slow logons, the server requires rebooting
Dollars to donuts, your DNS configuration is wrong. For most small networks, this usually boils down to: "You need to make sure the one and only resolving DNS server mentioned anywhere in your configuration is your Active Directory Domain Controller". Along that same line: "Never mention your ISP's DNS servers anywhere!" (This is a tremendous over-simplification, but it will do for Slashdot. Reply if you really want to know the details.)
A lot of people are still used to NT4. There wasn't much you could do to mis-configure NT4. Sure, it might not work in the first place, but it was always due to Microsoft bugs and limitations and there wasn't anything you could do about it. If it could be done with NT4 "out of the box", it was generally pretty easy to do.
Contrast that with Windows 2000 and Active Directory. Suddenly, DNS, DHCP, dynamic DNS updates, DNS record types, DNS SRV records, LDAP, and Kerberos all get involved. Your DNS infrastructure has to be correct or Active Directory will blow chunks. You cannot get by without reading the manual. That is a stark contrast to NT4.
"... and user management is a pain."
This strikes me as odd. If anything, I find user management much easier in AD vs NT4. What makes you say it is a pain? Maybe I can offer some advice.
FYI and FWIW, we also frequently deploy Samba in NT4 PDC emulation mode, and find it works very well at that. Centralized security database, roaming profiles, etc. I just miss Active Directory Group Policy.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Here is the link M. Coward posted, but fixed, plus my +2 score so more will see it. (Sorry M. Coward, but then, I figure if you're Anonymous, you're not worried about credit or karma.)
http://lists.samba.org/archive/samba-technical/2002-January/018388.html
I don't know the people or the situation enough to judge either one, but I figure it is good to see both sides. The truth, I suspect, is somewhere in the middle, but I say that only because it usually is.
If I'm in a good mood and I want to become angry, all I have to do is click on Network Neighborhood, and I go from happy to pissed off in no time flat. First of all, it practically locks up the entire computer while it SEARCHES for network shares.
In the default configuration, that is pretty common. If you are interested, I can explain how to make it work well.
1. Create a WINS server (NetBIOS name server). Point all your SMB/CIFS clients to the WINS server.
2. Set your NetBIOS Node type to 2 (P-node, or Peer Node -- WINS resolution only).
3. Disable the NetBIOS computer browser service on all but a handful of "reliable server" machines.
To disable the NetBIOS browser on NT, disable the "Computer Browser" service.
On Win 95/98/ME, set the "Master Browser" option to "No" instead of "Auto" in the "Windows File and Printer Sharing" component in Network properties. (I might have the names wrong; I don't use 9X much anymore, and I don't have one handy to check.)
I usually recommend disabling the browser service on all computers except for domain controller(s). If you do not have a domain, disable said service on all but one or two of your servers. If you do not have any servers, you're hosed, regardless of protocol. Designate a computer "the server" to fix things.
Once this is done, Windows name resolution works pretty well.
This has come up before with web servers -- Microsoft got on O'Reilly's case because O'Reilly's web server allowed as many connections as the machine could handle, and didn't restrict it to 10 even if the machine wasn't licensed for it. (This was at least 10 years ago, so maybe my memory is sketchy. I had a friend who was working at O'Reilly at the time and he was fussing about this ...)
I don't think O'Reilly gave in, and I'm sure this has come up again and again with every web server, ftp server, mail server, etc. that runs under Windows. But Microsoft can't really enforce it, so ...