Samba 4 Technology Preview Released

fp by Anonymous Coward · 2006-01-24 23:45 · Score: -1, Offtopic

fp

Jeremy Allison on Samba 4 by Anonymous Coward · 2006-01-24 23:46 · Score: 5, Informative

Came across this (short but interesting) interview with Jeremy Allison, one of the project's lead developers, where he talks about Samba 4:

http://www.linuxformat.co.uk/modules.php?op=modloa d&name=News&file=article&sid=217

Any software that has a 'Susan Stage' has got to be cool :-)

Re:Jeremy Allison on Samba 4 by laptop006 · 2006-01-24 23:57 · Score: 3, Informative

Erm, he's not a major developer of samba 4, Tridge is, Andrew Bartlett is, and a few others are, but Jeremy isn't (at least according to Andrew Bartlett yesterday).

I'm at LCA2006 and have spent several hours with both Tridge and Andrew Bartlett, testing, fixing bugs, and identifing missing features of samba4. I'm not a samba team member, just a sys-admin who wants samba4 to be the best code possible before I deploy it.

--
/* FUCK - The F-word is here so that you can grep for it */
Re:Jeremy Allison on Samba 4 by node+3 · 2006-01-25 00:42 · Score: 5, Interesting

There's a very interesting quote at the end of that article:
"Let's be honest, we don't really care about selling it, we're just having fun doing it. So long as we're having fun and we're working on problems that interest us then other people can worry about market share and how you sell it to the government or whoever, because that's the stuff that interests them."

If you think about it for a minute, if you consider how Open Source functions, where people work on the things that interest them, the "suits" that are often derided from some quarters are just filling a non-technical need in the Open Source community. There are often calls for people to test, write manuals, and create artwork as something they can do if they aren't programmers, but perhaps "marketing, sales, build corporations" are things that also should be added to that list?

To clarify, I'm certainly not talking about the CherryOS-style GPL-theives, but honest and earnest businesspeople (even though their motives may be primarily cash, they still must abide by proper Open Source rules).

Anyway, thought it was interesting.
Re:Jeremy Allison on Samba 4 by smittyoneeach · 2006-01-25 01:34 · Score: 3, Insightful

where people work on the things that interest them
Let's not kid ourselves: this is the good news/bad news of FOSS.
The genius of proprietary software: getting you to trade your sovreignty for code that does a lot of the less interesting stuff.
Unless you're actually selling that printer, are you going to want to spend all day writing a driver for it, much less testing it against a bazillion OS's?

--
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Re:Jeremy Allison on Samba 4 by Anonymous Coward · 2006-01-25 01:39 · Score: 0

I think you'll find Jeremy Allison is a "core" Samba team member.

He is often referred to as joint leader or co-founder etc. on the web,
but I don't think it goes quite that far.

I believe Tridge does consider him his right hand man though, but I
can't find a link to back that up.

Definitely he features highly on the samba website and cvs logs.
Re:Jeremy Allison on Samba 4 by Anonymous Coward · 2006-01-25 02:13 · Score: 0

No, people might write drivers for their own printers, and printer manufacturers might
write drivers for their printers as well.

_That_ is "the good news / bad news of FOSS".
Re:Jeremy Allison on Samba 4 by DocLandolt · 2006-01-25 02:29 · Score: 3, Interesting

"even though their motives may be primarily cash, they still must abide by proper Open Source rules"

Just out of curiosity, what are these? Not 'all' rules -- but does anybody know (or offer wild speculation on) what happens when open source and fat wads of cash collide?
Re:Jeremy Allison on Samba 4 by smittyoneeach · 2006-01-25 02:50 · Score: 2, Insightful

Oh, come on: how many people, seriously, are going to write printer drivers?
Sure, there may be a generic project that dumps courier on paper, and mostly gets the margins right.
But the annoyance of getting it RIGHT across a variety of printers/operating systems could lead to madness

--
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Re:Jeremy Allison on Samba 4 by mwood · 2006-01-25 03:00 · Score: 2, Insightful

Obviously there *are* people who want to spend all day writing drivers for hardware, otherwise we'd have no drivers. "Because I want to sell X" and "because I want to buy X" are equally valid reasons for wanting a driver for X to exist.
Re:Jeremy Allison on Samba 4 by Vanders · 2006-01-25 03:31 · Score: 2, Insightful

Lots of people are interested in writing printer drivers. Just look around linuxprinting.org Gimp-Print/Gutten-Print, the HP IJS drivers, people maintaining the Samsung "gdi" patches for various versions of Ghostscript etc. There are more people doing stuff like this than you imagine.

I'm personally hoping to find somone interested in re-writing the Samsung "gdi" Ghostscript driver as an IJS server.

--
Syllable : It's an Operating System
Re:Jeremy Allison on Samba 4 by Anonymous Coward · 2006-01-25 03:47 · Score: 0

You only need to write one driver per make of printer.

Take a look at the hundreds (probably thousands by now) drivers for various
things in Linux now. Is the concept of writing a printer driver fundamentally
different to a usb camera or a joystick or a soundcard driver?

If you didn't already know, would you have thought anyone would write a
free operating system that can run on about 2 dozen CPU architectures and
systems ranging from 1024 CPU supercomputers with over 16TB of memory and
database servers with over 10,000 disks, down to embedded devices with
less than 512K and CPUs without MMUs? (And there are the BSDs too)

Would you have thought anyone would write a free web server that serves
over half the sites on the internet?
Re:Jeremy Allison on Samba 4 by Chemicalscum · 2006-01-25 03:50 · Score: 4, Insightful

RMS started the Free Software Movement because he wanted to improve a printer driver for an early laser printer and they wouln't give him the source.
Re:Jeremy Allison on Samba 4 by smittyoneeach · 2006-01-25 04:25 · Score: 1

Case in point. I can PS print out of emacs well enough, but, for a nice booklet printout, I still need[1] to boot 'Doze and use a spiffier HP driver.

[1]I realize that booklet printing is probably quite doable under Gentoo, I just haven't overcome the static friction of mabooty to figure it out.

--
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Re:Jeremy Allison on Samba 4 by node+3 · 2006-01-25 17:31 · Score: 1

Case in point. I can PS print out of emacs well enough, but, for a nice booklet printout, I still need[1] to boot 'Doze and use a spiffier HP driver.

[1]I realize that booklet printing is probably quite doable under Gentoo, I just haven't overcome the static friction of mabooty to figure it out.

In other words:

"I have to use Windows[1].

[1] I don't have to use Windows"
Re:Jeremy Allison on Samba 4 by node+3 · 2006-01-25 17:34 · Score: 1

Unless you're actually selling that printer, are you going to want to spend all day writing a driver for it, much less testing it against a bazillion OS's?

This is wrong in so many ways.

Here are four:

1. Gimp-print, CUPS, etc, etc.
2. (already mentioned) The straw that broke RMS's proprietary camel's back.
3. It's possible to be paid to write Open Source software.
4. If you already own the printer, that can be motivation enough.
Re:Jeremy Allison on Samba 4 by node+3 · 2006-01-25 17:56 · Score: 1

Just out of curiosity, what are these? Not 'all' rules -- but does anybody know (or offer wild speculation on) what happens when open source and fat wads of cash collide?

There are many sets of rules (which add together to form a sort of "ecosystem" of rules, if you want).

When the two collide depends on many things, including the perception of the "fat wads of cash", the license of the particular project, the vulnerability of the project to one person's whims and the nature of that person.

A few examples:

1. MS incorporated code from BSD into Windows. They do not make that code available, and have not (AFAIK) contributed any enhancements back.

2. Sony uses Linux in TiVo, and provides the source as required.

3. Apple, Google and Sun have all hired prominent Open Source programmers and have done so with the intent that these programmers continue work on their Open Source projects.

4. Linus has been offered money to provide Linux under proprietary licenses. Although Linus does not believe he even has the right to do so, he wouldn't do it anyway.

5. RMS has refused to engage in financial endeavors which he feels would compromise his commitment to the FSF.

6. IBM sells Open Source software, provides end-user support for Open Source software, and contributes both software and patents to the Open Source community.

7. Seeing the threat to their business model, the chairman of Microsoft (Bill Gates, in case that wasn't obvious) has equated the Open Source/Free Software movement with Communism, and has lobbied to outlaw state support of Open Source software.

8. In a few cases, Open Source software has been brazenly been offered as a proprietary product in violation of the license agreements. These cases tend to fail miserably (see: CherryOS).

9. SCO vs IBM re: Linux

10. The issues surrounding DeCSS, GIF, MP3, among others.

11. Potentially the future patent wars against Open Source/Free Software (don't expect the plaintiffs to be Apple, IBM, Sun or Google, but either MS, proxies for MS (SCO), or companies out of left-field (say, a food conglomerate acquiring a patent and incorrectly thinking enforcing it against OSS/FS is a good idea, or one of the companies that specialize in patents just operating business as usual).

Etc.

I haven't really outlined any rules specifically, but I hope I've shown that they exist, and provided an idea of how they work under various circumstances. If you want the rules more explicitly spelled out, the best I can offer is to suggest that you read the various licenses, research the various corporations which have supported and/or subverted the Open Source/Free Software communities, and so on.
Re:Jeremy Allison on Samba 4 by smittyoneeach · 2006-01-26 00:37 · Score: 1

The learning curve of FOSS is nothing if not a lengthy, slippery slope, sir.
Just got a udev-081 rule for my Logitech V200.
Next emerge upgraded me to udev-081-r1, and my rule was TU[1]. Aunt Petunia would die, I just cussed and debugged.

[1]Tits up.

--
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Re:Jeremy Allison on Samba 4 by Fuzzy+Greybeard · 2006-01-26 03:21 · Score: 2, Interesting

"where people work on the things that interest them"

People ALWAYS work on what interests them. The question is not "what", but "why" does the interest happen and "why" does the interest sustain. Consider the following hypothesis:

- In the corporate world, the interest is maintained because of financial or power rewards.

- In the dungeons of the cubical world, the interest is held by ?fear of losing income?, ?need for cash to survive?, ?lack of imagination? or any of a number of 'basic survivalist' needs.

- IN the FOSS world, I can think of dozens of reasons for holding my interest. Some of which include ... artistic expression; no boss to say 'release it by wednesday, bugs or no'; self improvement; it's a hobby; peer acknowledgement; one way of advertising skills.

I note that in the corporate world, one of the world's leading bug/virus hunters recently resigned - speculation being 'he was bored'. Which leaves us where?

I dislike the new slashdot layout. by Fecal+Troll+Matter · 2006-01-24 23:47 · Score: -1

I dislike change. Fix it.

For true emulation.... by ehaggis · 2006-01-24 23:50 · Score: -1, Flamebait

Can it attract viruses? Does it come with a BSOD? Will it generate flamebait comments like this on Slashdot? Inquiring minds want to know.

--
One ring to bind them - should probably have more fiber and less rings in their diet.

It may eat my cat...? by Anonymous Coward · 2006-01-24 23:52 · Score: -1, Offtopic

Pah, I won't give you my cat. Eat my shorts!

What Kind of Passwords Does It Prefer? by gurutc · 2006-01-24 23:54 · Score: 3, Funny

Smooth or Crunchy?

--
Moderation in All Things... Especially Moderation - gurutc

Re:What Kind of Passwords Does It Prefer? by Anonymous Coward · 2006-01-25 01:02 · Score: 0, Redundant

Neither. It prefers salted.
Re:What Kind of Passwords Does It Prefer? by DeadRoman · 2006-01-25 02:04 · Score: 4, Funny

I was going to say that it likes them hashed.
Re:What Kind of Passwords Does It Prefer? by gurutc · 2006-01-25 05:27 · Score: 1

ROFL!!! That, people, is what my comment should have been!

--
Moderation in All Things... Especially Moderation - gurutc

Just Work (TM) by ObsessiveMathsFreak · 2006-01-24 23:58 · Score: 4, Insightful

But can I make an anonymous read/write share without performing invasive surery on config files. And can I then easily mount that share?

Samba is great as a home network share, but it's not a single click system. Security on a home netowrk doesn't really interest me. I'd like to be able to "just share" the files without setting up users etc, etc.

--
May the Maths Be with you!

Re:Just Work (TM) by tpgp · 2006-01-25 00:14 · Score: 5, Funny

Security on a home netowrk doesn't really interest me.

I know - thats why I'm posting this from your home PC.

I'd like to be able to "just share" the files without setting up users etc, etc.

Just post your requirements here I'll set them up for you... after all I don't want your home net to be locked down ;-)

Seriously - just because you would like software to be shipped insecure (and easy) by default doesn't mean that it should be. Have a look at this guide - Samba-3: A Simple Anonymous Read-Write Server

--
My pics.
Re:Just Work (TM) by Anonymous Coward · 2006-01-25 00:15 · Score: 0

Use e.g. KDE where they've made it very easy to share files (just point and click as you're saying) while still maintaining high security.
Re:Just Work (TM) by Anonymous Coward · 2006-01-25 00:22 · Score: 1, Insightful

Samba isn't meant to provide a friendly user interface, it's meant to do the bit that makes it all work. Look to your desktop environment to provide a nice, friendly interface. And whaddaya know, KDE does it just fine.
Re:Just Work (TM) by rpbailey1642 · 2006-01-25 00:29 · Score: 2, Informative

Well, granted I did have to set up the config file, but it wasn't too terribly difficult:
[global]
workgroup = WORKGROUP
server string = Description of Server
security = share
( Rpbailey Notes: This might be where you were led astray. You probably had samba set to use passwords instead of share security. )
[Multimedia]
path = /usr/multimedia
writable = yes
comment = Multimedia
browseable = yes
public = yes
---
Just make sure that the directory in question is writable by your samba user (assuming you have a user that samba runs as) or is otherwise writable. The most "playing around" you have to do is with permissions on that one folder.
Good luck!
Re:Just Work (TM) by zerocool^ · 2006-01-25 00:30 · Score: 2, Interesting

That's exactly what I thought. Samba is for network shares in a relatively simple environment. Authentication via Windows domain could be accomplished with more stability with Kerbeos / LDAP. It's what we do with our lab machines.

And I would much prefer to use samba to share out my oggs and mp3s without needing a volcano and a goat.

~Will

--
sig?
Re:Just Work (TM) by ettlz · 2006-01-25 00:40 · Score: 1

Just use SSH.
Re:Just Work (TM) by Anonymous Coward · 2006-01-25 00:40 · Score: 0

Security on a home netowrk doesn't really interest me.

If your home network is connected to the internet, it should.
Re:Just Work (TM) by Pecisk · 2006-01-25 00:59 · Score: 4, Interesting

What he meant there should be definetly easy way to turn it on, of course, with warning that some security problems could arise. AFAIK, KDE and GNOME has both easy ways to create shares for now, but there is no way to configure SAMBA for just several default scenarios which could be - anonymous read-only, anonymous read-write, user-based read-only, user-based read-write, custom. Default could be user-based read-only. Or something like that.

For example, OS X Tiger server uses SAMBA for Windows support. Any mangling with configuration goes trough Server Admin GUI (you can mess with configuration file too), but any changes gets written back to standard smb.conf.

It could be very good and nice present for common crowd.

--
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
Re:Just Work (TM) by dan+the+person · 2006-01-25 01:28 · Score: 1

mark the share as "guest only" then give the guest user ( usually the user nobody ) full rights to the shared directory.
Re:Just Work (TM) by HoosierPeschke · 2006-01-25 01:30 · Score: 3, Informative

Easy... as in SWAT?

--
Mr. Universe: "They can't stop the signal, Mal. They can never stop the signal."
Re:Just Work (TM) by Anonymous Coward · 2006-01-25 01:32 · Score: 0

You're right; the biggest problem most people seem to have with Samba is understanding user v's share security. Synonyms such as "public" (guest ok) don't really help matters either; any newbie searching Google for examples or HOWTOs may find themselves looking at several different configuration files that do exactly the same thing, leaving many of them trying to work out how.

Better PAM integration (instead of having to use smbpasswd) and a configuration format that can either be streamed or an extended libsamba API that allows configuration tools to modify smb.conf as well as reading would help improve configuration tool, too.
Re:Just Work (TM) by Anonymous Coward · 2006-01-25 01:52 · Score: 0

And I would much prefer to use samba to share out my oggs and mp3s without needing a volcano and a goat.

A Will Dunn goat? To fuck? With a volcano?
Re:Just Work (TM) by DrSkwid · 2006-01-25 02:16 · Score: 1

http://www.faqs.org/rfcs/rfc959.html File Transfer Protocol

http://www.ccp14.ac.uk/ccp14admin/security/secure_ tunnelling_ftp.htm
Secure FTP transfers via Secure Shell Tunnelling

http://winscp.net/eng/docs/introduction
WinSCP is an open source freeware SFTP client for Windows using SSH. Legacy SCP protocol is also supported. Its main function is safe copying of files between a local and a remote computer.

etc. etc.

--
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Re:Just Work (TM) by Chineseyes · 2006-01-25 02:46 · Score: 0

While we are on the topic does anyone know if there is a way to access a directory via sftp in windows the same way you would in kde with fish://? Or at a bare minimum be able mount a remote directory via sftp and access it as a local drive??

--
I think the invisible hand of the market has its middle finger extended

--A wise old fart named SC0RN
Re:Just Work (TM) by mwood · 2006-01-25 03:04 · Score: 3, Insightful

"[Samba is] not a single click system." Hooray for that. I'd love to be able to give the boot to these Windows servers with their sysadmin-hostile pointy-clicky interfaces and their million and one secret Registry keys that have no user interface at all. Go Samba Team!
Re:Just Work (TM) by Anonymous Coward · 2006-01-25 03:23 · Score: 0

Samba is great as a home network share, but it's not a single click system. Security on a home netowrk doesn't really interest me. I'd like to be able to "just share" the files without setting up users etc, etc.
Sure it is. net join -Uusername With tweaks to krb5.conf, you can join an AD domain, and it works quite well. Even with Samba 3. Cheaper than Windows 2003 Server for file and print sharing, as well as DHCP. Cheap as is $0 vs. $1000+
Re:Just Work (TM) by Pecisk · 2006-01-25 03:27 · Score: 1

Please, I talk about some common crowd and I talk about envorement GUI, GNOME/KDE based.
I talk about very simple interface with one question and several choices.

--
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
Re:Just Work (TM) by CastrTroy · 2006-01-25 03:52 · Score: 2, Interesting

I think the problem is that even if you tell samba that you want to make folders read/write anonymous, it still doesn't always work. This is because the anonymous user that samba uses also has to have access to those folders and files for read/write access. If it doesn't, then the system won't let samba access it, no matter how much it's config files tell it it should be able to. If you want a samba share that you can access anonymously from any computer, make a Fat32 partition, mount it read/write/execute all, and share that. The problem is that you can't share the stuff in your home folder, while still maintaining permissions that are sane on that folder, and it's files.

--

Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Re:Just Work (TM) by kamochan · 2006-01-25 04:24 · Score: 1

I'd like to be able to "just share" the files without setting up users etc, etc.
I've been running samba in my home firewall/filestore box for ages. On a lark I recently pkg_add'd netatalk -- and managed to "just share" stuff with exactly one simple line in a config file:
/pub "Public stuff"
Now compare this to samba. It hurts my head to think that Apple-heads have had this kind of stuff for over a decade (and nobody told me)!

PS. I later got fancy and added "options:usedots" to the line, so that unix users won't see the odd :2E files left by mac clients. Almost doubled the complexity *ugh*.
Re:Just Work (TM) by grcumb · 2006-01-25 04:29 · Score: 1

"AFAIK, KDE and GNOME has both easy ways to create shares for now, but there is no way to configure SAMBA for just several default scenarios which could be - anonymous read-only, anonymous read-write, user-based read-only, user-based read-write, custom. Default could be user-based read-only."

SME Server does exactly that, through a very simple web interface. If you need corporate support, Mitel Networks provides a hardware/software package that's easily deployed into IT-less situations, like franchise offices or into teleworker setups.

Full disclosure: I worked on this software for a number of years, but in fairness, I like it enough that I continue to deploy it in places where people need robust but simple small network servers.

--
Crumb's Corollary: Never bring a knife to a bun fight.
Re:Just Work (TM) by DataSpring · 2006-01-25 05:43 · Score: 1

I second that!
Re:Just Work (TM) by bjohnson · 2006-01-25 06:31 · Score: 1

A decade? try two decades. Appletalk was introduced with the Mac itself in 1984.
Re:Just Work (TM) by mpe · 2006-01-25 08:04 · Score: 1

You're right; the biggest problem most people seem to have with Samba is understanding user v's share security.

This isn't that different from Windows servers.
Re:Just Work (TM) by spudgun · 2006-01-25 11:02 · Score: 1

If you want a samba share that you can access anonymously from any computer, make a Fat32 partition,

make samba anon user a member of the group that owns those files in /etc/group , change the masks .

or

[f-drive]
path = /share/f-drive
username = samba
guest account = samba
force user = samba
force group = users
writeable = Yes
guest ok = Yes

and then chown -R samba /share/f-drive

--
Type unto others as you would have them type unto you.
Re:Just Work (TM) by DaJeff · 2006-01-25 15:19 · Score: 1

The easy way is to just set the security level to "share" as opposed to "user" and then authentication is optional. IE if you set a share to guest ok and writeable, then it's basically a wide open r/w share.
Re:Just Work (TM) by 5of0 · 2006-01-26 14:27 · Score: 1

No kidding. This is precisely why I hate XP - it took the wizards to a new level. I can't just change the network name of my PC, I have to run through the evil home network setup wizard again. Grr! I agree, thank goodness, and thank the Samba team!

--
You all have Oo.o and Firefox, so get World Wind.

it's in Debian by CAPSLOCK2000 · 2006-01-24 23:59 · Score: 5, Informative

Debian allready has packages.
Install them by running:
aptitude install -t experimental samba

But you'll need to add an entry for experimental to /etc/apt/sources.list first.
If you don't know how to, you shouldn't be messing with experimental software anyway.

Re:it's in Debian by Thing+1 · 2006-01-25 01:33 · Score: 3, Informative

"If you don't know how to breathe, you shouldn't bother taking your first breath."
Or, closer to the original: "Breathing. If you don't know how to, you shouldn't be messing with environmental oxygenation anyway."
Here's a link to a howto for configuring your Debian installation to use the experimental packages. (It's in section 4.6.4.3, or just search on the page for "experimental".)

--
I feel fantastic, and I'm still alive.

Samba 4 by YearOfTheDragon · 2006-01-25 00:01 · Score: 5, Informative

There has been info about Samba 4 for some time. Andrew Bartlett wrote a year ago an interesting thesis about Samba 4 and Active Directory (PDF).

But the release of this TP is good news, I hope that the use of Microsoft's Active Directory as an authentication service for Linux systems is coming to an end. All what we need now is a nice GUI.

--
-= If you fight Dragons long enough, you will become a Dragon =-

Finally! by Sircus · 2006-01-25 00:01 · Score: 0, Troll

They've implemented the long awaited pussy-eating feature!

--
PenguiNet: the (shareware) Windows SSH client

Re:Finally! by gurutc · 2006-01-25 00:24 · Score: 1

Finally, an Open Source Software Feature Set to help the love life of Geeks!

--
Moderation in All Things... Especially Moderation - gurutc

Simba was the cat, Samba is the dance by Anonymous Coward · 2006-01-25 00:02 · Score: 0, Interesting

Simba was the cat, Samba is the dance

Only 6 years by dJOEK · 2006-01-25 00:10 · Score: -1, Troll

So, in 2006, Samba is finally able to do what windows was able in 2000?

Way to innovate, OSS community!

(Yes, i know i'm burning karma here. See if i care. you know that i'm right on this)

--
Exercise caution when modding this message up: the author acts like a jerk when his karma is excellent.

Re:Only 6 years by OffTheLip · 2006-01-25 00:16 · Score: 1

True but this if free as in beer and as in $0.
Re:Only 6 years by RenatoRam · 2006-01-25 00:17 · Score: 3, Informative

Actually, windows copied in 2000 what was available in other environments for many years. AD is the bastard son of ldap+kerberos+smb.

What took years is reverse-engineering all the weird quirks MS introduced in the previously standard systems.

Besides, Samba can do a lot nifty things AD can't, so who's behind?

--
Ciao, Renato
Re:Only 6 years by 4b696e67 · 2006-01-25 00:18 · Score: 1

Actually I think its quite good concidering how they are doing all of it without looking at the windows source code. The linux NTFS driver is in a similar camp (implementing without access to the closed source).
Re:Only 6 years by AntiDragon · 2006-01-25 00:19 · Score: 1

Yes. Not bad going for reverse engineering a deliberatley obsfucated and poorly documented proprietary set of protocols plus an open standard security protocol that was subtley altered and therefore incompatible with other standard implementations. Yep. Pretty good job for something that was done completely voluntarily. Sheesh...

--
"...So I hung back and lurked. For 18 months. Can't beat a good old-fashioned lurking."
Re:Only 6 years by tpgp · 2006-01-25 00:20 · Score: 3, Insightful

So, in 2006, Samba is finally able to do what windows was able in 2000?

Five years to reverse engineer a difficult, obfuscated protocol is quite frankly amazing.

And you see - they don't really have to offer full compatability immediately - but if they do it before win2k ends its lifecycle, SAMBA + *nix offers companies dependant on AD a way out without having to go the win2k3 route.

Way to innovate, OSS community!

Way to troll dJOEK!

There is virtually no innovation in software, proprietary or OSS - everyone is just copying everyone elses ideas & making incremental improvements...

I mean we're all using the same desktop paradigm from 30 years ago - and the only substatial innovation I've seen in that is overlapping windows (from maybe 25 years ago)

--
My pics.
Re:Only 6 years by malkavian · 2006-01-25 00:23 · Score: 1

Yet Novell was able to do just the same in the early to mid 1990s, soundly beating Microsoft to that post (NDS, of which Active Directory is a poor ripoff).
And for the sharing of network filesystems, this was pegged in open release in 1985 by NFS. Which was on UNIX.
Yet again, Windows is late to the game in all aspects, playing catchup with the rest of the world.
Apart from Windows compatibility, which, for some older applications, it's currently almost as good as WINE and FreeDOS.
Not to knock Windows too much, it does what it was originally intended to do pretty well (i.e. be a desktop that people sit at and do work).
Re:Only 6 years by TallMatthew · 2006-01-25 00:39 · Score: 4, Informative

So, in 2006, Samba is finally able to do what windows was able in 2000?
Um, no. LDAP and Kerberos weren't invented by Microsoft. They put the two together and called it Active Directory, straying away from the RFCs and throwing in all manner of tweaks that required extensive reverse engineering on the part of the Samba team to figure out. That means figuring out the protocol from the packets, which is an incredible feat, especially as Microsoft's protocol designs aren't easily discerned and contain all sorts of weird gotchas (purposefully).
There's a lot of complexity under that GUI of yours and, whether you want to believe it or not, Microsoft isn't such an innovative organization. Generally, they poach something that's already widely available and tweak it so it won't be interoperable with other systems. If you call that innovation, then I guess that speaks for itself.
Re:Only 6 years by Anonymous Coward · 2006-01-25 00:46 · Score: 0

Wrong!, it's "``free'' as in ``free speech,'' not as in ``free beer.''" as described in The Free Software Definition. There's a direct link to it on the samba site ;)
Re:Only 6 years by SteveAyre · 2006-01-25 00:55 · Score: 2, Insightful

There's virtually no innovation in anything - we're all "standing on the shoulders of giants".
Re:Only 6 years by wetfeetl33t · 2006-01-25 00:57 · Score: 1

Fine! Have fun spending $$$$$$$$ on Windows server. I'll just go ahead and pick up Samba 4 for free.

--
Register the editry.
Re:Only 6 years by frankm_slashdot · 2006-01-25 01:09 · Score: 1

dude.. thats so out of line its not even funny. i dont know who you are or what groups you run with - but im stitting here at my windows desktop and im NOT doing any work. im reading slashdot and making funny comments. haha.

you know im just joking around =)

hah. later.
Re:Only 6 years by drsmithy · 2006-01-25 01:46 · Score: 1

Actually, windows copied in 2000 what was available in other environments for many years. AD is the bastard son of ldap+kerberos+smb.
And,most importantly, made it trivially easy for most people to use.
Re:Only 6 years by Daytona955i · 2006-01-25 01:56 · Score: 1

There's no innovation in OSS? Sure, maybe not on the desktop or with Samba but I certainly see it with Firefox. Firefox has had a lot of great things (like tabs) before IE does. In fact, IE is in a major state of catch up right now.
Re:Only 6 years by dJOEK · 2006-01-25 01:57 · Score: -1, Troll

Five years to reverse engineer a difficult, obfuscated protocol is quite frankly amazing

Five years of poking a black box with a stick is such an immense waste of time that it's only possible in academic circles, and only applauded by free-hugging hippies that have spent those 5 years playing nethack to kill time, then go off ranting about how great and amazing an accomplishment Samba is.

If they focused their time, energy and skill on something that would integrate seamlessly with windows, unix and others, would be a breeze to set up and have more features, be free, faster and more secure, everybody would've used that, and they would've been done 3 years ago.

--
Exercise caution when modding this message up: the author acts like a jerk when his karma is excellent.
Re:Only 6 years by RenatoRam · 2006-01-25 01:59 · Score: 2, Insightful

Trivially easy?
Do you manage many Active Directory servers?

The ones I know about (in a EU wide bank) are a mess, and require an entire team of people just to let them run. And even so it is very simple to screw them up.

Not counting the fact that AD is horridly delicate: un-join a machine from the domain for long enough, and you are done.

AD is NOT easy. Clicking on "Share this folder" might look so, but managing AD is not.

--
Ciao, Renato
Re:Only 6 years by DrSkwid · 2006-01-25 02:18 · Score: 1

Let's not list all the things Windows can't do after 30 years

--
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Re:Only 6 years by tpgp · 2006-01-25 02:39 · Score: 1

There's no innovation in OSS?

I should have said "There's no more innovation in proprietary software then OSS software (or vice versa)

Sure, maybe not on the desktop or with Samba but I certainly see it with Firefox. Firefox has had a lot of great things (like tabs) before IE does. In fact, IE is in a major state of catch up right now.

Interesting example - I think however you're in the wrong thread (you're looking for the Microsoft vs OSS innovation thread, this is the proprietary vs OSS innovation thread).

Firefox is mildly innovative, but the first browser (I think) that had tabs was Opera, and they borrowed them from other windowing software that used tabs, I think they first appeared in OS/2 as a minor innovation for preference dialogues.

So - you see, as Newtown (and someone else in this thread) pointed out: "If I have seen further [than certain other men] it is by standing upon the shoulders of giants." holds true for everyone.

Iironically, Newton probably borrowed & incrementally improved upon earlier saying from others.

--
My pics.
Re:Only 6 years by Anonymous Coward · 2006-01-25 02:49 · Score: 0

If they focused their time, energy and skill on something that would integrate seamlessly with windows, unix and others, would be a breeze to set up and have more features, be free, faster and more secure, everybody would've used that, and they would've been done 3 years ago.

No real reason for quoting, i just wanted everybody to see how much of an idiot you are twice in one go. Sort of like idioicy in dolby surround sound.
Re:Only 6 years by mwood · 2006-01-25 03:24 · Score: 3, Informative

Well, actually Microsoft faced a difficult challenge when they decided to go with Kerberos. The NT security model wasn't a very good fit, but they were committed to it by years of investment and dependent design decisions, not to mention a huge installed base. They had to find a way to paste SIDs onto Kerberos. It was a long time before the rest of us got an unencumbered look at the TDATA that they worked out to do this, but once the format was known working with it should not be that complicated.

In terms of volume of proprietary information to work out, the plethora of interlocking directory object types that an ADS client depends on has got to be the big challenge. The static characteristics of these objects and their attributes are documented (I use the term loosely) in the PSDK, but how they are used or even what some values mean is not at all clear. Throw in a few obvious copy/paste errors in the doco. to cloud the issue further and it's not surprising that Samba took this long. Create a new ADS forest and look at all the stuff that was put into it out of nowhere.
Re:Only 6 years by heinousjay · 2006-01-25 03:52 · Score: 1

It can't make new users run in fear. That's still the domain of Unixish systems.

It's a joke. Mod down appropriately - I recommend -1, Violates Groupthink

--
Slashdot - where whining about luck is the new way to make the world you want.
Re:Only 6 years by Senzei · 2006-01-25 04:37 · Score: 1

Yes. Not bad going for reverse engineering a deliberatley obsfucated and poorly documented proprietary set of protocols plus an open standard security protocol that was subtley altered and therefore incompatible with other standard implementations. Yep. Pretty good job for something that was done completely voluntarily. Sheesh...
Hah, and people that are into whips and chains call themselves masochists ... damn posers.

--
Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
Re:Only 6 years by mpe · 2006-01-25 08:30 · Score: 1

Trivially easy?
Do you manage many Active Directory servers?

The ones I know about (in a EU wide bank) are a mess, and require an entire team of people just to let them run. And even so it is very simple to screw them up.

When it comes to getting AD into a mess all you need is "servers" (i.e plural).

AD is NOT easy. Clicking on "Share this folder" might look so, but managing AD is not.

A common problem with GUI interfaces to severs is that they may it quite easy for people to change something when they don't understand the consequences of whatever it is they are changing.
Re:Only 6 years by arkane1234 · 2006-01-25 12:50 · Score: 1

The ones I know about (in a EU wide bank) are a mess, and require an entire team of people just to let them run. And even so it is very simple to screw them up.

Before I start, I want to make it perfectly clear that I am a linux zeolot to the extreme both at work and at home.
With the proper configuration, Active Directory is a stable directory service. We've been running it for close to 6 months now and have lots of additions to the directory, exchange integration and a customized tree. We've yet to have a problem with it.
Maybe we just have uber-smart people, but I have a feeling it just leans towards the fact that it's just (god, am I saying this...) stable.

Not counting the fact that AD is horridly delicate: un-join a machine from the domain for long enough, and you are done.

Just need to re-join the machine to the domain.... I've done it several times.
Soon enough I'll be integrating our Linux servers to use AD for login.

--
-- This space for lease, low setup fee, inquire within!
Re:Only 6 years by RenatoRam · 2006-01-25 20:03 · Score: 1

Two things: the OP talked about "trivially easy". You talk about "proper configuration". In my experience the two things do not go together.

About re-joining: you say that. And I know that. In theory.
In practice we experienced in the past cases of impossible re-join. In that case you should re-generate the ID of the machine, and lose all the security and permission settings.

--
Ciao, Renato

What is this samba you speak of? by squoozer · 2006-01-25 00:11 · Score: 4, Interesting

Since discovering the joys of NFS I've not looked back (yes I do know what samba is and I run a samba server). Compared to Samba, NFS is almost too simple and reliable. Give me my complixity and unreliablity back!

--
I used to have a better sig but it broke.

Re:What is this samba you speak of? by BenjyD · 2006-01-25 00:36 · Score: 3, Interesting

I'm not a sysadmin, but I never got how NFS prevented a user plugging a computer which they have root access on into the network, mounting a common NFS mount, "su"ing to somebody's UID and then deleting their files. AFAICS, SMB handles this by requiring credentials of some kind from the computer. Can anyone explain this?
Re:What is this samba you speak of? by Spacelord · 2006-01-25 00:53 · Score: 5, Informative

I'm not a sysadmin, but I never got how NFS prevented a user plugging a computer which they have root access on into the network, mounting a common NFS mount, "su"ing to somebody's UID and then deleting their files. AFAICS, SMB handles this by requiring credentials of some kind from the computer. Can anyone explain this?

"Authentication" with NFS is IP based. You grant access to NFS mounts by specifying which hosts can mount that share. This implies that the hosts you allow are trusted, and that your network is trusted as well. So yes, if a computer you have root access to has been granted read/write access to an NFS mount then you can just su to someone else's UID and delete their files on that NFS mount.

Is it a good idea to use NFS in a security sensitive environment? Probably not.
Re:What is this samba you speak of? by squoozer · 2006-01-25 00:53 · Score: 1

I believe it is done via root squashing. Unless you specifically allow it you can't do root like things on the NFS mounts (such as deleting arbitary files) even if you are root on your machine. I forget exactly how it works as I set up and forgot about my NFS system a while ago but I left root squash on and it trips me up now and then. Physical intruders (someone pluging a computer into the network) aren't something I particularly worry about as I have a large iron bar next to me to hit anyone breaking in to my house with.

--
I used to have a better sig but it broke.
Re:What is this samba you speak of? by StressedEd · 2006-01-25 01:25 · Score: 2, Informative

The default behaviour is to not allow this. From the manual,
man -S 5 exports

Very often, it is not desirable that the root user on a client machine
is also treated as root when accessing files on the NFS server. To this
end, uid 0 is normally mapped to a different id: the so-called anony-
mous or nobody uid. This mode of operation (called 'root squashing') is
the default, and can be turned off with no_root_squash.

--
Be nice to people on the way up. You will meet them again on your way down!
Re:What is this samba you speak of? by BenjyD · 2006-01-25 01:31 · Score: 3, Insightful

That doesn't help when the root user creates a user account with the correct UID and then logs in as that user, does it?
Re:What is this samba you speak of? by kylegordon · 2006-01-25 01:48 · Score: 0, Flamebait

You let unknown MAC addresses on your network? Oooh, let me come play...
Re:What is this samba you speak of? by Anonymous Coward · 2006-01-25 01:50 · Score: 0

I'm not a sysadmin, but I never got how NFS prevented a user plugging a computer which they have root access on into the network, mounting a common NFS mount, "su"ing to somebody's UID and then deleting their files.

Easy. It's called "physical security", and consists (in this case) of the sysadmin and a 2x4, also known as "clue by four". Or in the case of a company, often "paper security" is used, where the above-mentioned scenario is prevented by your boss, a HR person, a piece of paper and the word "fired".

Joking aside, newer versions of NFS do have real user authentication, and from NFSv4 they are mandatory (can't be turned off).
Re:What is this samba you speak of? by Professor_UNIX · 2006-01-25 01:51 · Score: 2, Informative

That doesn't help when the root user creates a user account with the correct UID and then logs in as that user, does it?
Nope. That's how I used to update some web files on a central NFS server here long after the person left. I just added an account with his UID on my workstation, mounted the central NFS server's web share and voila. I could read/write his files just fine. Traditional NFS is HORRIBLE from a security standpoint since the only authentication involved is IP based and the only authorization is to rely on the UID/GID to prevent other users from munging with your files. This relies on only having trusted hosts having read/write access to your network. Newer versions of NFS add additional security mechanisms in place for both authentication and authorization, but they are rarely used from what I've seen since most people still use it the way NFS v2 behaved (relying on IP address and UID/GID) rather than Kerberos and certificates.
Re:What is this samba you speak of? by BenjyD · 2006-01-25 01:53 · Score: 1

But MAC addresses can be spoofed too - just get the MAC of a trusted machine, unplug it from the network and plug in a laptop with the other machine's MAC set.
Re:What is this samba you speak of? by scumbaguk · 2006-01-25 01:54 · Score: 1

if you had physical access to the network, sniffing and then spoffing ip adds and mac adds' wouldn't be too dificult.
Re:What is this samba you speak of? by StressedEd · 2006-01-25 02:11 · Score: 1

Agreed.
In my opinion traditional NFS is not that secure, either against reading things "on the wire" or spoofing.
As another poster has mentioned you can export the filesystem on a client by client basis. As a "bad guy" you have to take over the identity of one of those trusted clients (steal the IP address). Tricky but not impossible.
The basic problem here is authenticating that the client really is the right client. IP addresses are not sufficient in this regard. For those that deem this necessary Secure NFS is key. (excuse the DES pun).
For the extra paranoid you can even tunnel the connection with SSH.
-ed

--
Be nice to people on the way up. You will meet them again on your way down!
Re:What is this samba you speak of? by Nimey · 2006-01-25 02:28 · Score: 1

Pfft. sshfs is even simpler and more reliable, not to mention far, far more secure.

--
Hail Eris, full of mischief...

E pluribus sanguinem
Re:What is this samba you speak of? by TheSkyIsPurple · 2006-01-25 03:52 · Score: 1

NFS=No File Security =-)
Re:What is this samba you speak of? by petermgreen · 2006-01-25 04:45 · Score: 2, Insightful

and on ethernet isn't stealing another machines ip pretty easy?

--
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Re:What is this samba you speak of? by Anonymous Coward · 2006-01-25 08:50 · Score: 0

NFSv4 does offer per-user authentication as an option if you want that. I suspect you'll have a lot of trouble getting it to work with more than one vendor's software though...

SMB is a terrible RPC mechanism for implementing a fairly sound idea. NFS is a terrible RPC mechanism for implementing a completely different fairly sound idea. Both of them are garbage, millions of people rely on them, hev'n help us.
Re:What is this samba you speak of? by stedo · 2006-01-25 10:06 · Score: 1

Have a look at NFSv4. It finally gets some sense and uses Kerberos instead of relying on the client to authenticate themselves.
Re:What is this samba you speak of? by vdboor · 2006-01-25 10:33 · Score: 1

NFS=No File Security

I think you've misspelled the word Fucking...

--
The best way to accelerate a windows server is by 9.81 m/s2 ;-)
Re:What is this samba you speak of? by a.d.trick · 2006-01-25 11:15 · Score: 1

NFS has a backronym: No Fucking Security. So yes you right, it is too simple.

I've found that SSH works great for file sharing though. It's secure, simple enough, and definitly reliable. Just make sure you disable root logins and have proper security on your own box.

If you want to share stuff anonymously, there's another protocol called HTTP. I've found Apache handles it fairly well. Also there's FTP, but might be a bit more complicated.
Re:What is this samba you speak of? by Sithgunner · 2006-01-25 12:27 · Score: 1

it's for different use. so, why do you compare? besides nfs can't even do charset conversions, and of course Windows clients can't change the charset off from the default value, so server needs capability. and the reason nfs needs quite a lot of different daemon running with different ports, it makes it not my favourite. although throughput over WAN, samba becomes the poorest of capability when NFS makes it a good speed.
Re:What is this samba you speak of? by dan_bethe · 2006-01-27 16:35 · Score: 1

and on ethernet isn't stealing another machines ip pretty easy?

Not with a properly configured, managed switch, which any security sensitive environment is going to have.

My cat lost his password by digitaldc · 2006-01-25 00:31 · Score: 4, Funny

'It may eat your cat,' says the Samba team in a statement, 'but is far more likely to choose to munch on your password database.'

Wow, it only took 25 days for Samba to break its New Year's resolution to eat less and lose weight.

--
He who knows best knows how little he knows. - Thomas Jefferson

NZ??? by oztiks · 2006-01-25 00:32 · Score: 2, Funny

Linux.conf.au conference in New Zealand

What the ... HAS THE WORLD GONE MAD!

Since when did anything .au become New Zealands responsibility? Usually its the other way around! I.e blaming the existance of Russle Crow on Australians. This wasnt our fault HE WAS BORN IN NZ! Now they NZ is stealing our conferences. I for one find this an outrage!

Re:NZ??? by laptop006 · 2006-01-25 00:37 · Score: 1

well then why didn't you bid for it in your home city, I'm one of the people doing so for Melbourne in 2008, if you haven't put the effort in then stop bitching. The truth is that the NZ people were the only ones who put a bid in for 2006.

(I write this lying in bed in my room for the week at LCA)

--
/* FUCK - The F-word is here so that you can grep for it */
Re:NZ??? by Anonymous Coward · 2006-01-25 00:51 · Score: 0

LCA?? Lesbian Chefs Association .. I was never aware that they dealt in the tourism industry
Re:NZ??? by Anonymous Coward · 2006-01-25 01:56 · Score: 0

They only wanted the conference so they could say 'In two thousund and sex, you can bring you hooded sweatshirts over here and have a bear with us...bro'
Re:NZ??? by Anonymous Coward · 2006-01-25 02:12 · Score: 0

I hear they make a great blancmange.
(go read cantebury tales)

Re:Smooth or Cruchy by Jeremy+Singer · 2006-01-25 00:40 · Score: 0, Redundant

It tastes like chicken.

And in other news by wetfeetl33t · 2006-01-25 00:51 · Score: 0, Troll

And in other news...
Steve Ballmer was seen throwing chairs through his office's fourth floor windows in an angry rage.

--
Register the editry.

Re:And in other news by Capt+James+McCarthy · 2006-01-25 01:03 · Score: 0, Troll

That's because he found more hair on his pillow.

--
There are no loopholes. It's either legal or it's not.
Re:And in other news by markiv34 · 2006-01-25 01:15 · Score: 0

In that case he should be happy, atleast he has some left. One need to have hair to have a hair loss. Why is it such a bad news for the window world interoperablity between win and the linux world is no way threating to microsoft might actually be benefiting to the windows world.

--
No Black or White only shades of Gray

Samba. by poeidon1 · 2006-01-25 01:10 · Score: 0

So now my linux machines do not have to do Samba with with windows. They will get a native partner yuppie :)

--
They called me mad, and I called them mad, and damn them, they outvoted me. -Nathaniel Lee

How to lock down NFS in 5 lines or less by mitcheli · 2006-01-25 01:12 · Score: 0

A bit off topic, but good info anyways...

you'll want to set anon=-1 which will disable connection attempts that don't have a username associated to it, then you'll want to use the access option to limit what users can connect to the shares (obviously root wouldn't be on that list), then you'll want to use the nosuid and nosgid options to prevent suid scripts and such from stealing root. If you're running NIS+ you'll want to use the secure option too. And finally, you'll probably want to ensure that shared files are not world writable. But that's just me ;)

--
Select from tblFriends where interesting >= 4;

NFS and Samba by DrYak · 2006-01-25 01:12 · Score: 2, Interesting

You know, the big problem is, that the PHBs that are sitting at the head of big corps around have never heard of NFS. They've only seen the niiiiiice Shiiiiiinny PowerPoint presentation in Microsoft booths in big expos. And then, they have made their company to pay a lot for an over-priced non-standart Microsoft LDAP/Kerberos/SMB bastard (a.k.a. Active Domain) and are now knee deep into a locked-in solution from which there's no other out except paying an even higher price for the next even worse microsoft product.

This is the crowd that is targeted by Samba 4 :
- those who are SMB/CIFS dependant beyond repair, but need an alternate and opensource solution to Microsoft.

Of course, for the other guys out there, who can see differences between a real OS and a nice promises in a PowerPoint, there are other protocols to start with (like NFS).

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

Re:NFS and Samba by TheRaven64 · 2006-01-25 02:01 · Score: 1
Securing NFS is incredibly difficult. By default, NFS uses host-based authentication. The only way of making this secure is to:
1. Only allow NFS access from a VPN.
2. Drop all packets from VPN IPs that do not come from the VPN.
3. Set up an authenticating VPN server.
Doing this in a cross-platform way is a significant amount more effort than configuring Samba. Newer versions of NFS support things like Secure RPC and Kerberos authentication, but setting these up is still more effort than Samba (and good luck finding two platforms with compatible NFS implementations that support these things).
There is a reason that BOFHs believe NFS stands for 'Nightmare FileSystem' or 'Not F*ing Secure.'
--
I am TheRaven on Soylent News
Re:NFS and Samba by duffbeer703 · 2006-01-25 03:22 · Score: 1

Have you ever used NFS with more than a dozen or so machines? It sucks hard. I used to be a sysadmin in a place that used NFS extensively... NFS is and was a buggy, insecure piece of crap.

--
Conformity is the jailer of freedom and enemy of growth. -JFK
Re:NFS and Samba by Bohiti · 2006-01-25 05:46 · Score: 2, Insightful

You're dreaming. I doubt there are [m]any Active Directory shops out there who "need an alternate and opensource solution to Microsoft". Those who implemented Active Directory generally did so because they're mostly a Windows shop. Got Windows on the desktop, might as well pay the relatively insignificant fee to use Windows Servers and the free LDAP directory that comes with it. Don't delude yourself, AD, especially 2003, is rock solid. And you get easy, intuitive interfaces and "it just works" setup for the clients. And a huge installbase worldwide from which to glean information out of. And a company to call if you have problems, for-fee or "included" in another agreement. Microsoft Premier is amazing.

Don't get me wrong, if I were to run IT for an up-and-coming small company without a huge Windows client base, I'd certainly love to give Linux et al a shot. I use Samba at home, as the go-between my hobby Linux box and Windows PC's. Just don't be under the impression that big Windows shops are itching to switch to Linux. Some individual techs might, but the corporation will stick with what works, the big name they see in the CIO magazines, the company they can send a check to and get some accountability from.
Re:NFS and Samba by DrYak · 2006-01-27 08:31 · Score: 1

Have you ever used NFS with more than a dozen or so machines?

The parent poster was speaking about how NFS is practical and fast for some small non-complex systems.
It was *exactly* about cases with a dozen or so machines.

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

Could be worse. by Caspian · 2006-01-25 01:14 · Score: 1

"Share and enjoy
Share and enjoy
Journey through life with your plastic boy
Or girl by your side
Let your pal be your guide
And when it breaks down or starts to annoy
Or grinds when it moves and gives you no joy
Cos it's eaten your hat
Or had sex with your cat
Bled oil on your floor
Or ripped off your door
You get to the point you can't stand any more
Bring it to us, we won't give a fig
We'll tell you, 'Go stick your head in a pig'."

--
With spending like this, exactly what are "conservatives" conserving?

Indeed by DrYak · 2006-01-25 01:15 · Score: 1

Not to knock Windows too much, it does what it was originally intended to do pretty well (i.e. be a desktop that people sit at and do work).

Yes, it has managed to fulfil it's original intent to be a GUI inside which one could run a word processor or/and a spreadsheet app.
The scary thing is the incredible amount of other usages for which Microsoft is trying to push a product that *isn't* designed for.

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

But as an Active Directory replacement? by Money+for+Nothin' · 2006-01-25 01:16 · Score: 4, Insightful

Can it do authorization of group access to a given application? How about publishing network resources (printers, workstations, etc.)? Can Samba 4 replicate its data between multiple sites? Is Samba 4's AD functionality even built off any sort of LDAP technology to begin with (probably OpenLDAP, if anything)?

For all MSFT's faults (and there are many, as /. routinely points out), AD *is* a decent NOS directory...

--

Is Capitalism Good for the Poor?

Re:But as an Active Directory replacement? by gentimjs · 2006-01-25 01:26 · Score: 4, Interesting

Yes, active directory is decent - if you only ever want windows clients. I confess that Ive got a samba3 server (Gentooooooo) as "full" member of our W2K ActiveDirectory - and even got the permissions synced up enough so that users can right-click files and play with permissions through the gui on the doze client. HOWEVER this setup took weeks of tweakage, involved a dozen or so actual software packages, and required violating some published microsoft specs on how AD (supposedly...) works. If samba4 gives me this without the BS, I'm happy. If samba4 lets me replace my domain controller and have the existing doze infrastructure not notice, I'm even more happy.
Re:But as an Active Directory replacement? by robgamble · 2006-01-25 02:09 · Score: 1

I'm so glad you owned up to that. I thought I was just missing the boat when I had a hard time getting Samba to bend to my will.

Sometimes even when your software works just fine, you may not realize what you are asking it to do.

--
No sig for you!
Re:But as an Active Directory replacement? by Anonymous Coward · 2006-01-25 02:14 · Score: 0

Samba 4's AD functionality even built off any sort of LDAP technology to begin with (probably OpenLDAP, if anything)?

RTFA, that it is clearly stated.

All of your questions can be answered with very little reasearch but considering you will not even RTFA, why should anyone waste their time gathering information for you?

How you are initially modded as insightful is beyond me.
Re:But as an Active Directory replacement? by C_Kode · 2006-01-25 02:50 · Score: 1

I'm happy to hear you got all of these working, but this is exactly why I do not replace my Windows Domain/File servers with Samba. I've got enough to deal with now. I do not have the times to dedicate. I've been keeping a eye on the status of Samba and I have used Samba (Samba 2) before, but until I can get easy integration; It's just not a choice.

I have a request though, Publish your work. Let others know how you did it. That information can lead to strides forward for Samba and those that wish to implement it.
Re:But as an Active Directory replacement? by gentimjs · 2006-01-25 03:08 · Score: 1

We had no real choice but to go with samba ... small company, small IT budget, you know how it goes...
I agree that it is more of a pain than it really should be .. we can hope samba4 eases some of this
I've published my working setup back to the community, tho I've been meaning to write a "howto" in a bit more linear format.
Re:But as an Active Directory replacement? by foo+fighter · 2006-01-25 03:24 · Score: 1

Most of your questions are answered in TFA:
Samba 4 supports the server-side of the Active Directory logon environment used by Windows 2000 and later, so we can do full domain join and domain logon operations with these clients," the group said in a statement on its Web site, noting this feature was "the main emphasis" for the new software.
"Our domain controller implementation contains our own built-in LDAP (Lightweight Directory Access Protocol) server and Kerberos key distribution centre as well as the Samba 3-like logon services provided over CIFS," the statement continued.

AD is an OK directory. Novell's eDirectory is still the gold standard. IMO, Samba should be the go to choice for consultants since you can increase your margins over selling Microsoft solutions, especially if you aren't a close partner with Microsoft, and actually fix problems yourself instead having to point fingers (you still can if you want, but you don't have to).

--
obviously no deficiencies vs. no obvious deficiencies
Re:But as an Active Directory replacement? by Monkey · 2006-01-25 10:33 · Score: 1

I ran into a problem with Samba 3 where there seems to be a cap on the number of groups an AD user can belong to if you're trying to authenticate a share based on AD Group membership. It seems that if a user belongs to around 20 AD groups, or the aggregate text length of the user's AD group names is too long, Samba will not recognize the user account's group membership past a certain point in the user's AD group membership list.

To demonstrate this problem, make a new AD group and add a user account that already has membership in a shitload of other AD groups. Then add a user to the group that belongs to only a few other groups. Create a new share on your samba box and allow your newly created AD group access to it. The account with a few memberships will work while the one belonging to a whack of other groups will not.

I'm not sure why this is, or if they've fixed it recently, but its a serious pain in the ass if your AD structure has any sort of complexity.
Re:But as an Active Directory replacement? by Anonymous Coward · 2006-01-25 13:07 · Score: 0

Actually, where I work, we are busy on a project to authenticate our AIX systems against AD.

Because I value my job, I won't say what we're using to do it. But there is at least 1 company that sells software which, I'm told (I do dev. work, not administration/"engineering"), does this sort of Unix-to-AD authentication very nicely.

As for the "if you only ever want windows clients" point, well, at last check, some 95% of the world's desktops run Windoze; it's therefore highly-probable that in most companies, all you'll run into are Windows clients. (Personally, I wish we'd all go OSX or BSD/Linux on the desktop. But I learned from experience years ago that ain't happenin' anytime soon.)
Re:But as an Active Directory replacement? by bill_mcgonigle · 2006-01-25 15:34 · Score: 1

I've published my working setup back to the community, tho I've been meaning to write a "howto" in a bit more linear format.

Your slashdot profile doesn't have a URL in it - can you please provide a link?

I suspect most of us have gotten 90% there, so diffing your configs would be quite valuable.

--
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

Mod Parent Down, Not Up by xeno314 · 2006-01-25 01:24 · Score: 1

Um, no. LDAP and Kerberos weren't invented by Microsoft.

I don't see where he said that Microsoft invented anything, just that they did AD in 2000.

Re:Mod Parent Down, Not Up by Anonymous Coward · 2006-01-25 02:13 · Score: 0

thing is, if the samba team wanted to make their own revision of the protocol, they could. they're doing something much harder - figuring out what someone ELSE did.

Which version of Active Directory? by j-cloth · 2006-01-25 01:34 · Score: 5, Interesting

This all sounds great, but will it work when(if) Vista comes out? Previously, I had samba setups running beautifully on Win2K networks. Then 2003 came out and it messed it all up. Eventually Samba (and supporting docs) caught up and 2003 now works reasonably well. So will Samba 4 come out with great support for 2003 then break as soon as Vista is released?

Re:Which version of Active Directory? by Anonymous Coward · 2006-01-25 01:59 · Score: -1, Troll

Isn't Vista a desktop OS?

so, no.
Re:Which version of Active Directory? by Anonymous Coward · 2006-01-25 02:07 · Score: 2, Interesting

The weblog linked from the article explains that Windows Vista will be using a new protocol, SMB2. Apparently the Samba team have already reverse engineered this and its in the technology preview! Impressive if you ask me.

Lets be clear - by gentimjs · 2006-01-25 01:43 · Score: 3, Informative

Lets be clear on this point -
When vista comes out, samba will not break.
MS will simply have changed the standard/protocol/whatever in some way that thier own prior implementations will be tolerant of but Samba will not. Samba will not be busted, MS' own implementation of thier own technology (or other peoples tech, kerberos for example) is what will be busted.

Re:Lets be clear - by grasshoppa · 2006-01-25 02:07 · Score: 2, Insightful

MS will simply have changed the standard/protocol/whatever in some way that thier own prior implementations will be tolerant of but Samba will not. Samba will not be busted, MS' own implementation of thier own technology (or other peoples tech, kerberos for example) is what will be busted.

And, practically, does this make a difference? Can I look my boss in the eye and tell him that the mail server doesn't know who it's users are, but it's ok because it's MS's fault?

--
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Re:Lets be clear - by gentimjs · 2006-01-25 02:17 · Score: 2

No, you can look your boss in the eye and tell him/her/it not to buy vista....
Or if you are feeling brave, you can suggest they actually plan for these kinds of "gotchas" before they happen...
Re:Lets be clear - by killjoe · 2006-01-25 08:50 · Score: 1

"And, practically, does this make a difference? Can I look my boss in the eye and tell him that the mail server doesn't know who it's users are, but it's ok because it's MS's fault?"

Isn't the fact that "you have somebody to blame when things go wrong" a strong selling point for proprietary software? Why don't you give it a shot. If your boss finds out that the so called support you get from MS is worthless and then even when it's their fault they do nothing then next time your boss will have less incentive to go with MS.

--
evil is as evil does
Re:Lets be clear - by wizkid · 2006-01-25 09:33 · Score: 1

If the EU courts have there way, and are not corrupted by corrupt Political scum (Likely, unfortunately), then $M will need to publish the docs for the interface. Then, when they change it so samba don't work, they will be forced to document thier changes. There will be a lag of course, and it will probably be reverse-engineered before they squeeze the docs out of Redmond.

In the mean time, the marketeers will be boasting they have vista, and forcing management to force the grunts to get it fixed. And about half the samba servers will be replaced by $M servers.

Lets hope that the EU judges stick to their guns, and the Political scum with $M Bread in there pockets don't succeed in overturning/minimalizing the EU Anti-trust settlement. It would be good for the industry to put some reigns on $M.

--
I take no responsibility for what I say. Even though I'm never wrong :)
Re:Lets be clear - by grasshoppa · 2006-01-25 09:58 · Score: 1

Isn't the fact that "you have somebody to blame when things go wrong" a strong selling point for proprietary software?

In so far that implies a guarantee that things won't go wrong.

End of the day, my boss doesn't care why something broke. She's just more concerned with why it's still not working.

--
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Re:Lets be clear - by killjoe · 2006-01-25 15:57 · Score: 1

"End of the day, my boss doesn't care why something broke. She's just more concerned with why it's still not working."

In that case your boss should be perfectly happy with an open source product.

--
evil is as evil does
Re:Lets be clear - by grasshoppa · 2006-01-25 16:41 · Score: 1

In that case your boss should be perfectly happy with an open source product.

In a pure OSS enviroment, I would agree. However, I have to work with windows. Regardless of where the fault lies, this is problematic on the best of days.

--
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Re:Lets be clear - by killjoe · 2006-01-25 19:09 · Score: 1

"However, I have to work with windows. Regardless of where the fault lies, this is problematic on the best of days."

If it's problematic then you need to pick up the phone to MS and complain about how their stuff is not interporating with the rest of the software on your network. Once again your boss picked MS stuff because MS promised them that they would provide support and that he would have somebody to blame when things went wrong.

If things are going wrong then you should demand your support. You are paying for this shit remember that. They are the vendor you are the customer.

If after calling MS you don't get satisfaction and if having somebody to blame ends up not being that great of a thing then make a report and give it to your boss. Your boss needs to know that MS is not delivering on what they promised.

Saying "my boss doesn't care who is at fault" is not true. Your boss cares very much who is at fault. Your boss is paying big bucks and making decisions based on who is at fault. It's not your job to protect vendors from your boss. It's your job to feed accurate and timely information to your boss so he/she can make better decisions.

--
evil is as evil does

NFS security by kangasloth · 2006-01-25 02:12 · Score: 1

There are two parts to the answer to that. Traditional NFS access control is entirely host based. You can map root on the remote computer to an unprivileged user or map an entire host to a single user, but that's about it. NFS was designed in an era where all of a network's computers were managed by the sysadmins, and you could reasonably trust the computers on your local net. That trust is now a liability for protocols like NFS and NIS.

The extended answer is that the underlying rpc protocol has long supported more sophisticated access control. AFAICT, the only one which is currently usable is RPCSEC_GSS, the kerberos security flavor. Sun solaris has had this for years, but it has only recently become usable with linux (and there are still some gotchas). The new NFS protocol in development, NFSv4, mandates this and two others: SPKM-3 and LIPKEY. Both are SSL/TLS based. SPKM-3 uses certificates for user authentication, LIPKEY uses passwords. All of these schemes require the users sitting at the remote keyboard fork over his authentication info and cache credentials of some sort, so if that host is compromised, so may be his account. But that's unavoidable. Quite different from leaving your department fileserver wide open.

In theory, there's nothing to stop you from running an Active Directory server and adding a fileserver with samba-3 for the windows clients and nfs for the *nix clients, both using Active Directory's kerberos implementation for authentication. Being able to replace the AD server with samba-4 just sweetens the deal.

Will configuration be simplified ? by dom1234 · 2006-01-25 02:26 · Score: 1

Will configuration be simplified ? Will it be more easy ?
I haver never understood thoses WINSserver/NetBIOS/User-Ressource-logins/sharing/r elationsWithIP/etc. mess at all. I have once or twice made it up to access some Win98 or Win95 files on a connected computer, but I it was with tries and errors, not knowing what was that last change that made it work finally.

Maybe it's I who has a problem, maybe it's Windows way of doing a network (why not plain old FTP ?), or maybe it's Samba that is complicated. Even if it's Windows or me, maybe there could be some way to structure Samba's configuration files so that it is becomes easier.

Are there plans for this for version 4 ?

Re:Will configuration be simplified ? by Malc · 2006-01-25 03:24 · Score: 1

Microsoft Networking on Win9x systems is a pain. The "server" must use the same username and password for the its shares as you are using on the client. I don't think there is any easy way for a Win9x client to use different logon credentials to those of the current logon session.

With NT based OSes, use the commandline:
net use
net use \\x.x.x.x\IPC$ /user:DOMAIN\Username
net use [share name] /delete

The second one in that list is the easy way to set up the credentials you want to use on a server. IPC$ is the resource that Explorer will look at when you browse to a computer. Explorer will use your current logon credentials which might not match those on the target computer. It might take a while before it fails and asks for credentials. Thus doing it from the command first is much faster. Of course the logon credentials you use must be a local account on the server (COMPUTERNAME\UserName), or a domain account (DOMAINNAME\UserName). In a non-domain environment, it's all about the accounts on the server, not on the client you're using. If you create accounts on both computers with the same username and passwords, the networking and sharing becomes more transparent.

If you know an adminstrators' password on the target/server computer, you can then start mapping things like "net use z: \\x.x.x.x\C$" to access everything ;)

Samba 3 Almost but not quite Active Directory,. by Zombie+Ryushu · 2006-01-25 02:35 · Score: 2, Informative

On my home network, I have been using Samba as an internal network file system for Linux to Linux networking. I use LDAP as my Database backend, Kerberos as my means of authentication too Samba.

You see I discovered something about Windows and SMB. Windows Cached its passwords. The passwords were replayed across the network whenever a new socket was opened. Konqueror would not replicate this behavior unless forced to by the KDE Control center. I have a big long thing that describes the whole thing.

It is not totally perfect but I want you to tell me if you think that
this constitutes Active Directory, or at least something close.
Eitherway, This is a major accomplishment for me, and I wanted some
suggestions or potential improvements because I know this isn't perfect
but it is a noticable advancement.

Abstract

The general idea is that we have a single unifying database system
(LDAP) a single protocol for Sign-On (Kerberos) Name resolution (Bind
DNS) And a network File system (CIFS by care of Samba.)

Basically, Kerberos now acts as a single sign-on (SSO) facility for my
home network.

When you log in Linux Pluggable Authentication Modules (PAM) verify the
account's credibility via LDAP, and request a ticket from the Kerberos
Key Distribution Center. based on the Principal (Username and Password)
and Policies in the Kerberos Realm.

These are DNS Service records thaat help clients find their KDC without the need for client side configuration files. This is how clients detect servers without Broadcast discovery protocols like Netbios Message Block,. The reason this is important is because it elimanates the "replay" attack threat from the fact that Windows likes to Cache its passwords in SAM files (PWL Files in the 9x Series). Even without the User's knowlege.

Some things I want to draw attention to.

First, this is a Windows 2000 Style Port 445 CIFS (SMBX) connection between two Linux machines. NOT a port 139 NT4 Netbios Session (SMB) connection.

The second thing I want you to notice is the fact that both servers are doing SPENGO, also known as "Sign and Seal" In Windows 2003 Server.

Finally that it aquaired the valid Kerberos Principal and ticket, and did a valid Kerberos setup.

Sorry if I sound incoherent. I'm tired.

Re:Samba 3 Almost but not quite Active Directory,. by tliet · 2006-01-25 02:53 · Score: 1

I have a big long thing that describes the whole thing.

And then you proceed with writing text?
Re:Samba 3 Almost but not quite Active Directory,. by mpe · 2006-01-25 08:22 · Score: 1

You see I discovered something about Windows and SMB. Windows Cached its passwords.

Windows caches all sorts of things. You can quite easily find profile paths (both network and local) along with SIDs relating to users who have logged in to the machine scattered all over the registry. Even if you tell it not to retain locally cached profiles it sometimes leaves them around.

Novell had it first by chaim79 · 2006-01-25 03:15 · Score: 1

Back when win 2k was just being released with AD I was in the midst of a class on Novell's network security model, they look supprisingly similer... like Microsoft got inspired by something that Novell had done...

Unfortunetly both are very complex and potentialy confusing, but Novell had it out for a while, so it as least was stable. Since then I've gotten out of the networking and gone into asp, asp.net, and javascript programming, where things make a little sense..... right?... (even I don't believe it)

--
DEMETRIUS: Villain, what hast thou done?
AARON: Villain, I have done thy mother.
Shakespeare invents 'your mom'

Easy Transition? Excellent. by foo+fighter · 2006-01-25 03:28 · Score: 4, Interesting

This is going to be fantastic for consultants when Win2K Server support ends.

Many companies are not going to want something that isn't supported and will be looking where they should transition. Savvy consultants can propose a migration to Samba which could provide higher margins than reselling Microsoft solutions -- especially if they aren't a close partner of Microsoft -- and they will be able to fix problems and customize the solution themselves without having to point fingers (they still can, they just don't have to).

This quote from the article gets me all warm and tingly inside:
"Tridge demonstrated sucking the life out a Windows 2003 PDC [primary domain controller] in one click, importing all its user and machine information using SWAT."
"He then restarted [domain server] BIND on his Samba 4 server, changed the server role to PDC ... shut down the Windows PDC and then logged into the domain with an XP client using the new Samba 4 server as the PDC."

--
obviously no deficiencies vs. no obvious deficiencies

Mod Parent Troll by slo_learner · 2006-01-25 05:55 · Score: 1

Way to innovate, OSS community!

Implies that proptietary and hence windows is more innovative. Innovative ~= invention. It is not a huge stretch to infer the meaning of the comments.

Troll on.

Re:Mod Parent Troll by xeno314 · 2006-01-25 06:52 · Score: 1

Implies that proptietary and hence windows is more innovative. Innovative ~= invention. It is not a huge stretch to infer the meaning of the comments.
Very well, I'll indulge. Assuming that you infer that meaning, which I can now concede is possible, then it is also equally possible to claim that MS did innovate, not by inventing LDAP or Kerberos, which obviously they didn't, but by combining them in creating the AD structure (which they obviously did).
Generally, they poach something that's already widely available and tweak it so it won't be interoperable with other systems. If you call that innovation, then I guess that speaks for itself.
Here, they didn't tweak something widely available, they made huge modifications and combined multiple technologies to create AD. That IS innovation, and my initial call to mod that post down stands.

John Terpstra @ SCALE 4x by Anonymous Coward · 2006-01-25 06:01 · Score: 0

John Terpstra will be speaking at the Southern California Linux Expo on Feb 11-12, 2006

Webmin by nurb432 · 2006-01-25 06:04 · Score: 1

Webmin gives you an easy interface to Samba.

And if you do need to manage users at some point, you can have webmin automatically propagate changes to other modules ( like samba )

--
---- Booth was a patriot ----

Re Russle Crow by dmbrun · 2006-01-25 06:30 · Score: 1

You can blame Australians for Russle Crow, whoever he is.

Russell Crowe was born in New Zealand but alas has spent too much of his life in Australia.

NFS "Credentials" by ratboy666 · 2006-01-25 07:45 · Score: 1

Generally this (masquerading) is a problem with NFS. On a small LAN this isn't much of a big deal.

Several ways to solve the problem. First, UID and GID can be centrally controlled on a LAN by use of NIS. Still, if the machine is under the control of someone else, a forged UID/GID may be presented.

This can be controlled by the NFS server using "root squashing" or "all squash".

Both of these options "distrust" the UID/GID. In the case of root squash, root UID (0) is remapped to "nobody". This is a good thing on a LAN, because root file priviledge is contained. However, the attacker can obtain someone elses UID. Sensitive material should be encrypted. "All squash" option remaps all UIDs to "nobody" and is typically deployed for read-only shares, or "bulletin board" directories.

The security of your LAN is only as good as the security of the machines making up that LAN, anyway.

Ratboy

--
Just another "Cubible(sic) Joe" 2 17 3061

AFS (Re:What is this samba you speak of?) by VP · 2006-01-25 08:20 · Score: 1

AFS (Andrew File System) provides similar functionality to NFS, with Kerberos authentication. Learn more at Wikipedia.

Samba 4 BDC to Windows PDC? by PJC1 · 2006-01-25 08:38 · Score: 1

So does this mean that Samba 4 will be able to act as a BDC to a Windows 2k3 PDC? I'm going to be setting up a new box soon and would like to use Samba if possible, but the PDC has to remain Windows based.

Re:Samba 4 BDC to Windows PDC? by MaoTse · 2006-01-25 11:15 · Score: 1

Samba 3 is a perfect choice if you need to setup BDCs for windows 2k3.
Re:Samba 4 BDC to Windows PDC? by arkane1234 · 2006-01-25 12:39 · Score: 1

So does this mean that Samba 4 will be able to act as a BDC to a Windows 2k3 PDC? I'm going to be setting up a new box soon and would like to use Samba if possible, but the PDC has to remain Windows based.

On Active Directory, there are no more PDC/BDC setup. You have Domain Controllers (DC) that have roles in the AD infrastructure. So, the answer is yes, Samba 4 will be able to integrate itself into a current AD infrastructure as a DC.

--
-- This space for lease, low setup fee, inquire within!
Re:Samba 4 BDC to Windows PDC? by Anonymous Coward · 2006-01-25 15:23 · Score: 0

I wonder about using Samba 4 as PDC only with other servers for all the other activities that Windows makes so easy. I'm thinking that Samba 4 as pdc gives us unlimited licenses.

Am I wrong?

Slashdot Mirror

Samba 4 Technology Preview Released

167 comments