Samba 4 Technology Preview Released
daria42 writes "Samba creator Andrew Tridgell has officially released a technology preview of Samba 4 at the Linux.conf.au conference in New Zealand, ending a three-year wait for users. But wait before upgrading those servers. 'It may eat your cat,' says the Samba team in a statement, 'but is far more likely to choose to munch on your password database.'" From the article: "'Samba 4 supports the server-side of the Active Directory logon environment used by Windows 2000 and later, so we can do full domain join and domain logon operations with these clients,' the group said in a statement on its Web site, noting this feature was 'the main emphasis' for the new software."
Came across this (short but interesting) interview with Jeremy Allison, one of the project's lead developers, where he talks about Samba 4:
http://www.linuxformat.co.uk/modules.php?op=modload&name=News&file=article&sid=217
:-)
Any software that has a 'Susan Stage' has got to be cool
Smooth or Crunchy?
Moderation in All Things... Especially Moderation - gurutc
But can I make an anonymous read/write share without performing invasive surgery on config files? And can I then easily mount that share?
Samba is great as a home network share, but it's not a single-click system. Security on a home network doesn't really interest me. I'd like to be able to "just share" the files without setting up users etc, etc.
May the Maths Be with you!
Debian already has packages.
Install them by running:
aptitude install -t experimental samba
But you'll need to add an entry for experimental to
/etc/apt/sources.list first.
If you don't know how to, you shouldn't be messing with experimental software anyway.
There has been info about Samba 4 for some time. Andrew Bartlett wrote a year ago an interesting thesis about Samba 4 and Active Directory (PDF).
But the release of this TP is good news. I hope that the use of Microsoft's Active Directory as an authentication service for Linux systems is coming to an end. All we need now is a nice GUI.
-= If you fight Dragons long enough, you will become a Dragon =-
They've implemented the long awaited pussy-eating feature!
PenguiNet: the (shareware) Windows SSH client
Simba was the cat, Samba is the dance
Since discovering the joys of NFS I've not looked back (yes I do know what samba is and I run a samba server). Compared to Samba, NFS is almost too simple and reliable. Give me my complexity and unreliability back!
I used to have a better sig but it broke.
True, but this is free as in beer and as in $0.
Actually, windows copied in 2000 what was available in other environments for many years. AD is the bastard son of ldap+kerberos+smb.
What took years is reverse-engineering all the weird quirks MS introduced in the previously standard systems.
Besides, Samba can do a lot of nifty things AD can't, so who's behind?
Ciao, Renato
Actually I think it's quite good considering how they are doing all of it without looking at the windows source code. The linux NTFS driver is in a similar camp (implementing without access to the closed source).
Yes. Not bad going for reverse engineering a deliberately obfuscated and poorly documented proprietary set of protocols plus an open standard security protocol that was subtly altered and therefore incompatible with other standard implementations. Yep. Pretty good job for something that was done completely voluntarily. Sheesh...
"...So I hung back and lurked. For 18 months. Can't beat a good old-fashioned lurking."
So, in 2006, Samba is finally able to do what windows was able in 2000?
Five years to reverse engineer a difficult, obfuscated protocol is quite frankly amazing.
And you see - they don't really have to offer full compatibility immediately - but if they do it before win2k ends its lifecycle, SAMBA + *nix offers companies dependent on AD a way out without having to go the win2k3 route.
Way to innovate, OSS community!
Way to troll dJOEK!
There is virtually no innovation in software, proprietary or OSS - everyone is just copying everyone else's ideas & making incremental improvements...
I mean we're all using the same desktop paradigm from 30 years ago - and the only substantial innovation I've seen in that is overlapping windows (from maybe 25 years ago)
My pics.
Yet Novell was able to do just the same in the early to mid 1990s, soundly beating Microsoft to that post (NDS, of which Active Directory is a poor ripoff).
And for the sharing of network filesystems, this was pegged in open release in 1985 by NFS. Which was on UNIX.
Yet again, Windows is late to the game in all aspects, playing catchup with the rest of the world.
Apart from Windows compatibility, which, for some older applications, is currently almost as good as WINE and FreeDOS.
Not to knock Windows too much, it does what it was originally intended to do pretty well (i.e. be a desktop that people sit at and do work).
'It may eat your cat,' says the Samba team in a statement, 'but is far more likely to choose to munch on your password database.'
Wow, it only took 25 days for Samba to break its New Year's resolution to eat less and lose weight.
He who knows best knows how little he knows. - Thomas Jefferson
Linux.conf.au conference in New Zealand
What the ... HAS THE WORLD GONE MAD!
Since when did anything .au become New Zealand's responsibility? Usually it's the other way around! I.e. blaming the existence of Russle Crow on Australians. This wasn't our fault, HE WAS BORN IN NZ! Now NZ is stealing our conferences. I for one find this an outrage!
Um, no. LDAP and Kerberos weren't invented by Microsoft. They put the two together and called it Active Directory, straying away from the RFCs and throwing in all manner of tweaks that required extensive reverse engineering on the part of the Samba team to figure out. That means figuring out the protocol from the packets, which is an incredible feat, especially as Microsoft's protocol designs aren't easily discerned and contain all sorts of weird gotchas (purposefully).
There's a lot of complexity under that GUI of yours and, whether you want to believe it or not, Microsoft isn't such an innovative organization. Generally, they poach something that's already widely available and tweak it so it won't be interoperable with other systems. If you call that innovation, then I guess that speaks for itself.
It tastes like chicken.
Wrong! It's "``free'' as in ``free speech,'' not as in ``free beer,''" as described in The Free Software Definition. There's a direct link to it on the samba site ;)
And in other news...
Steve Ballmer was seen throwing chairs through his office's fourth floor windows in an angry rage.
Register the editry.
There's virtually no innovation in anything - we're all "standing on the shoulders of giants".
Fine! Have fun spending $$$$$$$$ on Windows server. I'll just go ahead and pick up Samba 4 for free.
dude.. that's so out of line it's not even funny. I don't know who you are or what groups you run with - but I'm sitting here at my windows desktop and I'm NOT doing any work. I'm reading slashdot and making funny comments. haha.
you know I'm just joking around =)
hah. later.
So now my linux machines do not have to do Samba with windows. They will get a native partner, yippee :)
They called me mad, and I called them mad, and damn them, they outvoted me. -Nathaniel Lee
A bit off topic, but good info anyways...
;)
You'll want to set anon=-1, which will disable connection attempts that don't have a username associated with them; then you'll want to use the access option to limit which users can connect to the shares (obviously root wouldn't be on that list); then you'll want to use the nosuid and nosgid options to prevent suid scripts and such from stealing root. If you're running NIS+ you'll want to use the secure option too. And finally, you'll probably want to ensure that shared files are not world writable. But that's just me.
Select from tblFriends where interesting >= 4;
You know, the big problem is that the PHBs sitting at the head of big corps around have never heard of NFS. They've only seen the niiiiiice Shiiiiiinny PowerPoint presentation in Microsoft booths at big expos. And then they have made their company pay a lot for an over-priced non-standard Microsoft LDAP/Kerberos/SMB bastard (a.k.a. Active Domain) and are now knee deep in a locked-in solution from which there's no other way out except paying an even higher price for the next even worse microsoft product.
This is the crowd that is targeted by Samba 4:
- those who are SMB/CIFS dependent beyond repair, but need an alternate and open-source solution to Microsoft.
Of course, for the other guys out there, who can see the difference between a real OS and nice promises in a PowerPoint, there are other protocols to start with (like NFS).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
"Share and enjoy
Share and enjoy
Journey through life with your plastic boy
Or girl by your side
Let your pal be your guide
And when it breaks down or starts to annoy
Or grinds when it moves and gives you no joy
Cos it's eaten your hat
Or had sex with your cat
Bled oil on your floor
Or ripped off your door
You get to the point you can't stand any more
Bring it to us, we won't give a fig
We'll tell you, 'Go stick your head in a pig'."
With spending like this, exactly what are "conservatives" conserving?
Yes, it has managed to fulfill its original intent to be a GUI inside which one could run a word processor and/or a spreadsheet app.
The scary thing is the incredible number of other usages for which Microsoft is trying to push a product that *isn't* designed for them.
Can it do authorization of group access to a given application? How about publishing network resources (printers, workstations, etc.)? Can Samba 4 replicate its data between multiple sites? Is Samba 4's AD functionality even built off any sort of LDAP technology to begin with (probably OpenLDAP, if anything)?
For all MSFT's faults (and there are many, as /. routinely points out), AD *is* a decent NOS directory...
Is Capitalism Good for the Poor?
I don't see where he said that Microsoft invented anything, just that they did AD in 2000.
This all sounds great, but will it work when (if) Vista comes out? Previously, I had samba setups running beautifully on Win2K networks. Then 2003 came out and it messed it all up. Eventually Samba (and supporting docs) caught up and 2003 now works reasonably well. So will Samba 4 come out with great support for 2003, then break as soon as Vista is released?
Let's be clear on this point -
When vista comes out, samba will not break.
MS will simply have changed the standard/protocol/whatever in some way that their own prior implementations will be tolerant of but Samba will not. Samba will not be busted; MS' own implementation of their own technology (or other people's tech, kerberos for example) is what will be busted.
And, most importantly, made it trivially easy for most people to use.
There's no innovation in OSS? Sure, maybe not on the desktop or with Samba, but I certainly see it with Firefox. Firefox has had a lot of great things (like tabs) before IE did. In fact, IE is in a major state of catch-up right now.
Trivially easy?
Do you manage many Active Directory servers?
The ones I know about (in an EU-wide bank) are a mess, and require an entire team of people just to keep them running. And even so it is very simple to screw them up.
Not counting the fact that AD is horridly delicate: un-join a machine from the domain for long enough, and you are done.
AD is NOT easy. Clicking on "Share this folder" might look so, but managing AD is not.
Ciao, Renato
There are two parts to the answer to that. Traditional NFS access control is entirely host based. You can map root on the remote computer to an unprivileged user or map an entire host to a single user, but that's about it. NFS was designed in an era where all of a network's computers were managed by the sysadmins, and you could reasonably trust the computers on your local net. That trust is now a liability for protocols like NFS and NIS.
The extended answer is that the underlying RPC protocol has long supported more sophisticated access control. AFAICT, the only one which is currently usable is RPCSEC_GSS, the kerberos security flavor. Sun solaris has had this for years, but it has only recently become usable with linux (and there are still some gotchas). The new NFS protocol in development, NFSv4, mandates this and two others: SPKM-3 and LIPKEY. Both are SSL/TLS based. SPKM-3 uses certificates for user authentication, LIPKEY uses passwords. All of these schemes require the user sitting at the remote keyboard to fork over his authentication info and cache credentials of some sort, so if that host is compromised, so may be his account. But that's unavoidable. Quite different from leaving your department fileserver wide open.
In theory, there's nothing to stop you from running an Active Directory server and adding a fileserver with samba-3 for the windows clients and nfs for the *nix clients, both using Active Directory's kerberos implementation for authentication. Being able to replace the AD server with samba-4 just sweetens the deal.
Let's not list all the things Windows can't do after 30 years
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Will configuration be simplified? Will it be easier?
I have never understood that WINS server/NetBIOS/user-resource-logins/sharing/relationsWithIP/etc. mess at all. I have once or twice managed to access some Win98 or Win95 files on a connected computer, but it was by trial and error, not knowing what the last change was that finally made it work.
Maybe it's I who has a problem, maybe it's Windows' way of doing a network (why not plain old FTP?), or maybe it's Samba that is complicated. Even if it's Windows or me, maybe there could be some way to structure Samba's configuration files so that it becomes easier.
Are there plans for this for version 4?
On my home network, I have been using Samba as an internal network file system for Linux to Linux networking. I use LDAP as my database backend, and Kerberos as my means of authentication to Samba.
You see, I discovered something about Windows and SMB. Windows cached its passwords. The passwords were replayed across the network whenever a new socket was opened. Konqueror would not replicate this behavior unless forced to by the KDE Control Center. I have a big long thing that describes the whole thing.
It is not totally perfect, but I want you to tell me if you think that this constitutes Active Directory, or at least something close.
Either way, this is a major accomplishment for me, and I wanted some suggestions or potential improvements, because I know this isn't perfect but it is a noticeable advancement.
Abstract
The general idea is that we have a single unifying database system (LDAP), a single protocol for sign-on (Kerberos), name resolution (BIND DNS) and a network file system (CIFS by care of Samba).
Basically, Kerberos now acts as a single sign-on (SSO) facility for my home network.
When you log in, Linux Pluggable Authentication Modules (PAM) verify the account's credibility via LDAP, and request a ticket from the Kerberos Key Distribution Center based on the principal (username and password) and policies in the Kerberos realm.
These are DNS service records that help clients find their KDC without the need for client-side configuration files. This is how clients detect servers without broadcast discovery protocols like NetBIOS Message Block. The reason this is important is that it eliminates the "replay" attack threat from the fact that Windows likes to cache its passwords in SAM files (PWL files in the 9x series), even without the user's knowledge.
Some things I want to draw attention to.
First, this is a Windows 2000 style port 445 CIFS (SMBX) connection between two Linux machines, NOT a port 139 NT4 NetBIOS session (SMB) connection.
The second thing I want you to notice is the fact that both servers are doing SPNEGO, also known as "Sign and Seal" in Windows 2003 Server.
Finally, that it acquired the valid Kerberos principal and ticket, and did a valid Kerberos setup.
Sorry if I sound incoherent. I'm tired.
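How the DNS service records mentioned above let a client locate a KDC, as an added example that is not part of the poster's setup: the zone and the realm HOME.EXAMPLE are constructed, and the ordering applies the RFC 2782 priority/weight rules that Kerberos clients follow.

```python
"""KDC discovery through DNS SRV records, as a Kerberos client does it.

Given only a realm name, a client asks DNS for _kerberos._udp.<realm>
(then _kerberos._tcp.<realm>; password changes use _kpasswd._udp.<realm>)
and orders the answers by SRV priority, then weighted-randomly within a
priority (RFC 2782).  The zone below is constructed; no network is used.
"""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

def kdc_srv_names(realm):
    """SRV owner names a client queries for the realm's KDCs (DNS names are case-insensitive)."""
    r = realm.lower().rstrip(".")
    return [f"_kerberos._udp.{r}.", f"_kerberos._tcp.{r}."]

def parse_srv_zone(text):
    """Parse zone-file lines '<owner> [TTL] IN SRV <prio> <weight> <port> <target>'."""
    records = {}
    for line in text.splitlines():
        f = line.split(";", 1)[0].split()        # ';' starts a zone-file comment
        if "SRV" not in f:
            continue
        i = f.index("SRV")
        rec = SRV(int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), f[i + 4].lower())
        records.setdefault(f[0].lower(), []).append(rec)
    return records

def order_srv(records, rng=None):
    """RFC 2782 ordering: lowest priority first; within a priority pick by weight."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        pool.sort(key=lambda r: r.weight != 0)   # weight-0 entries go first
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:             # first entry whose running sum reaches the pick
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered

def kdc_order(zone_text, realm, rng=None):
    """(target, port) list in the order a client should try KDCs; UDP first, TCP fallback."""
    records = parse_srv_zone(zone_text)
    for name in kdc_srv_names(realm):
        if name in records:
            return [(r.target, r.port) for r in order_srv(records[name], rng)]
    return []

# Constructed sample zone for an imaginary realm HOME.EXAMPLE.
ZONE = """\
; KDC locator records (constructed)
_kerberos._udp.home.example.  IN SRV  0 100  88 kdc1.home.example.
_kerberos._udp.home.example.  IN SRV  0 100  88 kdc2.home.example.
_kerberos._udp.home.example.  IN SRV 10   0  88 kdc-backup.home.example.
_kerberos._tcp.home.example.  IN SRV  0 100  88 kdc1.home.example.
_kpasswd._udp.home.example.   IN SRV  0   0 464 kdc1.home.example.
"""

if __name__ == "__main__":
    for target, port in kdc_order(ZONE, "HOME.EXAMPLE"):
        print(f"{target}:{port}")
```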
There's no innovation in OSS?
I should have said "There's no more innovation in proprietary software than OSS software (or vice versa)."
Sure, maybe not on the desktop or with Samba, but I certainly see it with Firefox. Firefox has had a lot of great things (like tabs) before IE did. In fact, IE is in a major state of catch-up right now.
Interesting example - I think however you're in the wrong thread (you're looking for the Microsoft vs OSS innovation thread, this is the proprietary vs OSS innovation thread).
Firefox is mildly innovative, but the first browser (I think) that had tabs was Opera, and they borrowed them from other windowing software that used tabs, I think they first appeared in OS/2 as a minor innovation for preference dialogues.
So - you see, as Newton (and someone else in this thread) pointed out: "If I have seen further [than certain other men] it is by standing upon the shoulders of giants." holds true for everyone.
Ironically, Newton probably borrowed & incrementally improved upon an earlier saying from others.
My pics.
If they focused their time, energy and skill on something that would integrate seamlessly with windows, unix and others, would be a breeze to set up and have more features, be free, faster and more secure, everybody would've used that, and they would've been done 3 years ago.
No real reason for quoting, I just wanted everybody to see how much of an idiot you are twice in one go. Sort of like idiocy in dolby surround sound.
Back when win 2k was just being released with AD I was in the midst of a class on Novell's network security model; they look surprisingly similar... like Microsoft got inspired by something that Novell had done...
Unfortunately both are very complex and potentially confusing, but Novell had it out for a while, so it at least was stable. Since then I've gotten out of networking and gone into asp, asp.net, and javascript programming, where things make a little sense..... right?... (even I don't believe it)
DEMETRIUS: Villain, what hast thou done?
AARON: Villain, I have done thy mother.
Shakespeare invents 'your mom'
Well, actually Microsoft faced a difficult challenge when they decided to go with Kerberos. The NT security model wasn't a very good fit, but they were committed to it by years of investment and dependent design decisions, not to mention a huge installed base. They had to find a way to paste SIDs onto Kerberos. It was a long time before the rest of us got an unencumbered look at the TDATA that they worked out to do this, but once the format was known working with it should not be that complicated.
In terms of volume of proprietary information to work out, the plethora of interlocking directory object types that an ADS client depends on has got to be the big challenge. The static characteristics of these objects and their attributes are documented (I use the term loosely) in the PSDK, but how they are used or even what some values mean is not at all clear. Throw in a few obvious copy/paste errors in the doco. to cloud the issue further and it's not surprising that Samba took this long. Create a new ADS forest and look at all the stuff that was put into it out of nowhere.
This is going to be fantastic for consultants when Win2K Server support ends.
Many companies are not going to want something that isn't supported and will be looking where they should transition. Savvy consultants can propose a migration to Samba which could provide higher margins than reselling Microsoft solutions -- especially if they aren't a close partner of Microsoft -- and they will be able to fix problems and customize the solution themselves without having to point fingers (they still can, they just don't have to).
This quote from the article gets me all warm and tingly inside:
"Tridge demonstrated sucking the life out a Windows 2003 PDC [primary domain controller] in one click, importing all its user and machine information using SWAT."
"He then restarted [domain server] BIND on his Samba 4 server, changed the server role to PDC ... shut down the Windows PDC and then logged into the domain with an XP client using the new Samba 4 server as the PDC."
obviously no deficiencies vs. no obvious deficiencies
It can't make new users run in fear. That's still the domain of Unixish systems.
It's a joke. Mod down appropriately - I recommend -1, Violates Groupthink
Slashdot - where whining about luck is the new way to make the world you want.
Hah, and people that are into whips and chains call themselves masochists ... damn posers.
Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
Way to innovate, OSS community!
Implies that proprietary, and hence windows, is more innovative. Innovative ~= invention. It is not a huge stretch to infer the meaning of the comments.
Troll on.
John Terpstra will be speaking at the Southern California Linux Expo on Feb 11-12, 2006
Webmin gives you an easy interface to Samba.
And if you do need to manage users at some point, you can have webmin automatically propagate changes to other modules ( like samba )
---- Booth was a patriot ----
You can blame Australians for Russle Crow, whoever he is.
Russell Crowe was born in New Zealand but alas has spent too much of his life in Australia.
Generally this (masquerading) is a problem with NFS. On a small LAN this isn't much of a big deal.
There are several ways to solve the problem. First, UID and GID can be centrally controlled on a LAN by use of NIS. Still, if the machine is under the control of someone else, a forged UID/GID may be presented.
This can be controlled by the NFS server using "root squashing" or "all squash".
Both of these options "distrust" the UID/GID. In the case of root squash, root UID (0) is remapped to "nobody". This is a good thing on a LAN, because root file privilege is contained. However, the attacker can obtain someone else's UID. Sensitive material should be encrypted. The "all squash" option remaps all UIDs to "nobody" and is typically deployed for read-only shares, or "bulletin board" directories.
The security of your LAN is only as good as the security of the machines making up that LAN, anyway.
Ratboy
Just another "Cubible(sic) Joe"
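The squash options above, and the host-based trust the earlier NFS reply describes, can be checked mechanically in /etc/exports. This Python auditor is an added example, not code from any poster: it uses the standard Linux exportfs option names, the sample file is constructed, and the treatment of a space between client and options ("host (rw)" exports to every host) is exportfs's real behaviour.

```python
"""Audit /etc/exports for the host-trust weaknesses discussed in the NFS replies.

Option names are the standard Linux exportfs ones; their defaults are
ro, root_squash, secure and sec=sys.  The sample file is constructed.
"""
import re

DEFAULTS = {"rw": False, "root_squash": True, "all_squash": False,
            "secure": True, "sec": "sys"}

# One client spec: a host/netgroup/wildcard, optionally followed by (options).
CLIENT_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?(?=\s|$)")

def apply_options(opts):
    """Fold a comma-separated option string onto the exportfs defaults."""
    o = dict(DEFAULTS)
    for opt in filter(None, opts.split(",")):
        if opt in ("rw", "ro"):
            o["rw"] = opt == "rw"
        elif opt in ("root_squash", "no_root_squash"):
            o["root_squash"] = opt == "root_squash"
        elif opt in ("all_squash", "no_all_squash"):
            o["all_squash"] = opt == "all_squash"
        elif opt in ("secure", "insecure"):
            o["secure"] = opt == "secure"
        elif opt.startswith("sec="):
            o["sec"] = opt[4:]          # may be a colon list, e.g. krb5p:sys
    return o

def parse_exports(text):
    """Return [(path, client, options)] for every client spec in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if not rest:                       # no client at all: everyone, defaults
            entries.append((path, "*", dict(DEFAULTS)))
            continue
        for m in CLIENT_RE.finditer(rest):
            client, opts = m.group(1), m.group(2) or ""
            if client.startswith("(") and client.endswith(")"):
                # "host (rw)": exportfs reads a bare option list as a
                # separate entry that applies to every host
                client, opts = "*", client[1:-1]
            entries.append((path, client, apply_options(opts)))
    return entries

def audit(text):
    """Return human-readable findings, one per weak setting."""
    findings = []
    for path, client, o in parse_exports(text):
        where = f"{path} -> {client}"
        if client == "*":
            findings.append(f"{where}: exported to every host")
        if not o["root_squash"]:
            findings.append(f"{where}: no_root_squash, remote root is local root")
        if o["rw"] and "sys" in o["sec"].split(":") and not o["all_squash"]:
            findings.append(f"{where}: rw with sec=sys, trusts the client's claimed UID/GID")
        if not o["secure"]:
            findings.append(f"{where}: insecure, accepts unprivileged source ports")
    return findings

# Constructed sample; hosts and paths are placeholders, not a real system.
SAMPLE_EXPORTS = """\
/srv/pub     *(ro,all_squash)
/srv/home    192.168.1.0/24(rw,sync,no_root_squash)
/srv/proj    fs-client.example.org (rw)
/srv/secure  fs-client.example.org(rw,sec=krb5p)
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print(finding)
```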
AFS (Andrew File System) provides similar functionality to NFS, with Kerberos authentication. Learn more at Wikipedia.
Trivially easy?
Do you manage many Active Directory servers?
The ones I know about (in an EU-wide bank) are a mess, and require an entire team of people just to keep them running. And even so it is very simple to screw them up.
When it comes to getting AD into a mess, all you need is "servers" (i.e. plural).
AD is NOT easy. Clicking on "Share this folder" might look so, but managing AD is not.
A common problem with GUI interfaces to servers is that they make it quite easy for people to change something when they don't understand the consequences of whatever it is they are changing.
So does this mean that Samba 4 will be able to act as a BDC to a Windows 2k3 PDC? I'm going to be setting up a new box soon and would like to use Samba if possible, but the PDC has to remain Windows based.
The ones I know about (in an EU-wide bank) are a mess, and require an entire team of people just to keep them running. And even so it is very simple to screw them up.
Before I start, I want to make it perfectly clear that I am a linux zealot to the extreme, both at work and at home.
With the proper configuration, Active Directory is a stable directory service. We've been running it for close to 6 months now and have lots of additions to the directory, exchange integration and a customized tree. We've yet to have a problem with it.
Maybe we just have uber-smart people, but I have a feeling it just leans towards the fact that it's just (god, am I saying this...) stable.
Not counting the fact that AD is horridly delicate: un-join a machine from the domain for long enough, and you are done.
You just need to re-join the machine to the domain.... I've done it several times.
Soon enough I'll be integrating our Linux servers to use AD for login.
-- This space for lease, low setup fee, inquire within!
Two things: the OP talked about "trivially easy". You talk about "proper configuration". In my experience the two things do not go together.
About re-joining: you say that. And I know that. In theory.
In practice we have experienced cases in the past where re-joining was impossible. In that case you have to re-generate the ID of the machine, and lose all the security and permission settings.
Ciao, Renato