Slashdot Mirror


Samba 4 Technology Preview Released

daria42 writes "Samba creator Andrew Tridgell has officially released a technology preview of Samba 4 at the Linux.conf.au conference in New Zealand, ending a three-year wait for users. But wait before upgrading those servers. 'It may eat your cat,' says the Samba team in a statement, 'but is far more likely to choose to munch on your password database.'" From the article: "'Samba 4 supports the server-side of the Active Directory logon environment used by Windows 2000 and later, so we can do full domain join and domain logon operations with these clients,' the group said in a statement on its Web site, noting this feature was 'the main emphasis' for the new software."

49 of 167 comments

  1. Jeremy Allison on Samba 4 by Anonymous Coward · · Score: 5, Informative

    Came across this (short but interesting) interview with Jeremy Allison, one of the project's lead developers, where he talks about Samba 4:

    http://www.linuxformat.co.uk/modules.php?op=modload&name=News&file=article&sid=217

    Any software that has a 'Susan Stage' has got to be cool :-)

    1. Re:Jeremy Allison on Samba 4 by laptop006 · · Score: 3, Informative

      Erm, he's not a major developer of samba 4, Tridge is, Andrew Bartlett is, and a few others are, but Jeremy isn't (at least according to Andrew Bartlett yesterday).

      I'm at LCA2006 and have spent several hours with both Tridge and Andrew Bartlett, testing, fixing bugs, and identifying missing features of samba4. I'm not a samba team member, just a sys-admin who wants samba4 to be the best code possible before I deploy it.

      --
      /* FUCK - The F-word is here so that you can grep for it */
    2. Re:Jeremy Allison on Samba 4 by node+3 · · Score: 5, Interesting
      There's a very interesting quote at the end of that article:
      "Let's be honest, we don't really care about selling it, we're just having fun doing it. So long as we're having fun and we're working on problems that interest us then other people can worry about market share and how you sell it to the government or whoever, because that's the stuff that interests them."

      If you think about it for a minute, if you consider how Open Source functions, where people work on the things that interest them, the "suits" that are often derided from some quarters are just filling a non-technical need in the Open Source community. There are often calls for people to test, write manuals, and create artwork as something they can do if they aren't programmers, but perhaps "marketing, sales, build corporations" are things that also should be added to that list?

      To clarify, I'm certainly not talking about the CherryOS-style GPL-thieves, but honest and earnest businesspeople (even though their motives may be primarily cash, they still must abide by proper Open Source rules).

      Anyway, thought it was interesting.
    3. Re:Jeremy Allison on Samba 4 by smittyoneeach · · Score: 3, Insightful
      where people work on the things that interest them
      Let's not kid ourselves: this is the good news/bad news of FOSS.
      The genius of proprietary software: getting you to trade your sovereignty for code that does a lot of the less interesting stuff.
      Unless you're actually selling that printer, are you going to want to spend all day writing a driver for it, much less testing it against a bazillion OS's?
      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    4. Re:Jeremy Allison on Samba 4 by DocLandolt · · Score: 3, Interesting

      "even though their motives may be primarily cash, they still must abide by proper Open Source rules"

      Just out of curiosity, what are these? Not 'all' rules -- but does anybody know (or offer wild speculation on) what happens when open source and fat wads of cash collide?

    5. Re:Jeremy Allison on Samba 4 by smittyoneeach · · Score: 2, Insightful

      Oh, come on: how many people, seriously, are going to write printer drivers?
      Sure, there may be a generic project that dumps courier on paper, and mostly gets the margins right.
      But the annoyance of getting it RIGHT across a variety of printers/operating systems could lead to madness

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    6. Re:Jeremy Allison on Samba 4 by mwood · · Score: 2, Insightful

      Obviously there *are* people who want to spend all day writing drivers for hardware, otherwise we'd have no drivers. "Because I want to sell X" and "because I want to buy X" are equally valid reasons for wanting a driver for X to exist.

    7. Re:Jeremy Allison on Samba 4 by Vanders · · Score: 2, Insightful

      Lots of people are interested in writing printer drivers. Just look around linuxprinting.org Gimp-Print/Gutten-Print, the HP IJS drivers, people maintaining the Samsung "gdi" patches for various versions of Ghostscript etc. There are more people doing stuff like this than you imagine.

      I'm personally hoping to find someone interested in re-writing the Samsung "gdi" Ghostscript driver as an IJS server.

    8. Re:Jeremy Allison on Samba 4 by Chemicalscum · · Score: 4, Insightful

      RMS started the Free Software Movement because he wanted to improve a printer driver for an early laser printer and they wouldn't give him the source.

    9. Re:Jeremy Allison on Samba 4 by Fuzzy+Greybeard · · Score: 2, Interesting

      "where people work on the things that interest them"

      People ALWAYS work on what interests them. The question is not "what", but "why" does the interest happen and "why" does the interest sustain. Consider the following hypothesis:

      - In the corporate world, the interest is maintained because of financial or power rewards.

      - In the dungeons of the cubical world, the interest is held by 'fear of losing income', 'need for cash to survive', 'lack of imagination' or any of a number of 'basic survivalist' needs.

      - In the FOSS world, I can think of dozens of reasons for holding my interest. Some of which include ... artistic expression; no boss to say 'release it by wednesday, bugs or no'; self improvement; it's a hobby; peer acknowledgement; one way of advertising skills.

      I note that in the corporate world, one of the world's leading bug/virus hunters recently resigned - speculation being 'he was bored'. Which leaves us where?

  2. What Kind of Passwords Does It Prefer? by gurutc · · Score: 3, Funny

    Smooth or Crunchy?

    --
    Moderation in All Things... Especially Moderation - gurutc
    1. Re:What Kind of Passwords Does It Prefer? by DeadRoman · · Score: 4, Funny

      I was going to say that it likes them hashed.

  3. Just Work (TM) by ObsessiveMathsFreak · · Score: 4, Insightful

    But can I make an anonymous read/write share without performing invasive surgery on config files? And can I then easily mount that share?

    Samba is great as a home network share, but it's not a single click system. Security on a home network doesn't really interest me. I'd like to be able to "just share" the files without setting up users etc, etc.

    --
    May the Maths Be with you!
    1. Re:Just Work (TM) by tpgp · · Score: 5, Funny

      Security on a home network doesn't really interest me.

      I know - that's why I'm posting this from your home PC.

      I'd like to be able to "just share" the files without setting up users etc, etc.

      Just post your requirements here I'll set them up for you... after all I don't want your home net to be locked down ;-)

      Seriously - just because you would like software to be shipped insecure (and easy) by default doesn't mean that it should be. Have a look at this guide - Samba-3: A Simple Anonymous Read-Write Server

      --
      My pics.
    2. Re:Just Work (TM) by rpbailey1642 · · Score: 2, Informative
      Well, granted I did have to set up the config file, but it wasn't too terribly difficult:
      [global]
      workgroup = WORKGROUP
      server string = Description of Server
      security = share

      ( Rpbailey Notes: This might be where you were led astray. You probably had samba set to use passwords instead of share security. )

      [Multimedia]
      path = /usr/multimedia
      writable = yes
      comment = Multimedia
      browseable = yes
      public = yes
      ---
      Just make sure that the directory in question is writable by your samba user (assuming you have a user that samba runs as) or is otherwise writable. The most "playing around" you have to do is with permissions on that one folder.

      Good luck!

    3. Re:Just Work (TM) by zerocool^ · · Score: 2, Interesting


      That's exactly what I thought. Samba is for network shares in a relatively simple environment. Authentication via Windows domain could be accomplished with more stability with Kerberos / LDAP. It's what we do with our lab machines.

      And I would much prefer to use samba to share out my oggs and mp3s without needing a volcano and a goat.

      ~Will

      --
      sig?
    4. Re:Just Work (TM) by Pecisk · · Score: 4, Interesting

      What he meant there should be definitely easy way to turn it on, of course, with warning that some security problems could arise. AFAIK, KDE and GNOME have both easy ways to create shares for now, but there is no way to configure SAMBA for just several default scenarios which could be - anonymous read-only, anonymous read-write, user-based read-only, user-based read-write, custom. Default could be user-based read-only. Or something like that.

      For example, OS X Tiger server uses SAMBA for Windows support. Any mangling with configuration goes through Server Admin GUI (you can mess with configuration file too), but any changes get written back to standard smb.conf.

      It could be very good and nice present for common crowd.

      --
      user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
    5. Re:Just Work (TM) by HoosierPeschke · · Score: 3, Informative

      Easy... as in SWAT?

      --
      Mr. Universe: "They can't stop the signal, Mal. They can never stop the signal."
    6. Re:Just Work (TM) by mwood · · Score: 3, Insightful

      "[Samba is] not a single click system." Hooray for that. I'd love to be able to give the boot to these Windows servers with their sysadmin-hostile pointy-clicky interfaces and their million and one secret Registry keys that have no user interface at all. Go Samba Team!

    7. Re:Just Work (TM) by CastrTroy · · Score: 2, Interesting

      I think the problem is that even if you tell samba that you want to make folders read/write anonymous, it still doesn't always work. This is because the anonymous user that samba uses also has to have access to those folders and files for read/write access. If it doesn't, then the system won't let samba access it, no matter how much its config files tell it it should be able to. If you want a samba share that you can access anonymously from any computer, make a Fat32 partition, mount it read/write/execute all, and share that. The problem is that you can't share the stuff in your home folder, while still maintaining permissions that are sane on that folder, and its files.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
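The two comments above cover both halves of an anonymous read/write share: the smb.conf parameters and the filesystem permissions underneath them. The following is an added example, not code from the thread or from the Samba project, that audits both; the function names and finding labels are invented for illustration, and `security = share` is flagged because Samba 4.0 and later releases removed that mode.

```python
import os
import re
import stat

TRUE = {"yes", "true", "on", "1"}

# The configuration posted in the thread, reproduced as sample input.
SAMPLE = """\
[global]
workgroup = WORKGROUP
server string = Description of Server
security = share

[Multimedia]
path = /usr/multimedia
writable = yes
comment = Multimedia
browseable = yes
public = yes
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Section and parameter names are case-insensitive and whitespace inside
    a parameter name is ignored, so both are normalised here.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def _flag(params, names, default=False):
    """Return the boolean value of the first synonym present in params."""
    for name in names:
        if name in params:
            return params[name].lower() in TRUE
    return default


def guest_writable_shares(text):
    """Return [(share, path)] for shares that allow unauthenticated writes."""
    result = []
    for share, params in parse_smb_conf(text).items():
        if share == "global" or "path" not in params:
            continue
        guest = _flag(params, ("guestok", "public"))  # "public" = "guest ok"
        # "writable", "writeable", "write ok" are inverted synonyms of "read only".
        if "readonly" in params:
            writable = not _flag(params, ("readonly",))
        else:
            writable = _flag(params, ("writable", "writeable", "writeok"))
        if guest and writable:
            result.append((share, params["path"]))
    return result


def audit(text):
    """Return [(share, finding)] combining config and filesystem state."""
    findings = []
    glob = parse_smb_conf(text).get("global", {})
    if glob.get("security", "").lower() == "share":
        findings.append(("global", "security-share"))  # mode removed in Samba 4.0+
    for share, path in guest_writable_shares(text):
        try:
            mode = os.stat(path).st_mode
        except OSError:
            findings.append((share, "path-missing"))
            continue
        if mode & stat.S_IWOTH:
            # Guest writes succeed, and so do writes by every local account.
            findings.append((share, "world-writable"))
        else:
            # Guest writes succeed only if the guest account owns the
            # directory or reaches it through its group.
            findings.append((share, "needs-guest-owner-or-group"))
    return findings


if __name__ == "__main__":
    for share, finding in audit(SAMPLE):
        print(f"{share}: {finding}")
```

Run it on the host that serves the share, since the permission check stats the exported paths locally.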
  4. it's in Debian by CAPSLOCK2000 · · Score: 5, Informative

    Debian already has packages.
    Install them by running:
    aptitude install -t experimental samba

    But you'll need to add an entry for experimental to /etc/apt/sources.list first.
    If you don't know how to, you shouldn't be messing with experimental software anyway.

    1. Re:it's in Debian by Thing+1 · · Score: 3, Informative
      "If you don't know how to breathe, you shouldn't bother taking your first breath."

      Or, closer to the original: "Breathing. If you don't know how to, you shouldn't be messing with environmental oxygenation anyway."

      Here's a link to a howto for configuring your Debian installation to use the experimental packages. (It's in section 4.6.4.3, or just search on the page for "experimental".)

      --
      I feel fantastic, and I'm still alive.
  5. Samba 4 by YearOfTheDragon · · Score: 5, Informative

    There has been info about Samba 4 for some time. Andrew Bartlett wrote a year ago an interesting thesis about Samba 4 and Active Directory (PDF).

    But the release of this TP is good news, I hope that the use of Microsoft's Active Directory as an authentication service for Linux systems is coming to an end. All what we need now is a nice GUI.

    --
    -= If you fight Dragons long enough, you will become a Dragon =-
  6. What is this samba you speak of? by squoozer · · Score: 4, Interesting

    Since discovering the joys of NFS I've not looked back (yes I do know what samba is and I run a samba server). Compared to Samba, NFS is almost too simple and reliable. Give me my complexity and unreliability back!

    --
    I used to have a better sig but it broke.
    1. Re:What is this samba you speak of? by BenjyD · · Score: 3, Interesting

      I'm not a sysadmin, but I never got how NFS prevented a user plugging a computer which they have root access on into the network, mounting a common NFS mount, "su"ing to somebody's UID and then deleting their files. AFAICS, SMB handles this by requiring credentials of some kind from the computer. Can anyone explain this?

    2. Re:What is this samba you speak of? by Spacelord · · Score: 5, Informative

      I'm not a sysadmin, but I never got how NFS prevented a user plugging a computer which they have root access on into the network, mounting a common NFS mount, "su"ing to somebody's UID and then deleting their files. AFAICS, SMB handles this by requiring credentials of some kind from the computer. Can anyone explain this?

      "Authentication" with NFS is IP based. You grant access to NFS mounts by specifying which hosts can mount that share. This implies that the hosts you allow are trusted, and that your network is trusted as well. So yes, if a computer you have root access to has been granted read/write access to an NFS mount then you can just su to someone else's UID and delete their files on that NFS mount.

      Is it a good idea to use NFS in a security sensitive environment? Probably not.

    3. Re:What is this samba you speak of? by StressedEd · · Score: 2, Informative
      The default behaviour is to not allow this. From the manual,
      man -S 5 exports

                    Very often, it is not desirable that the root user on a client machine
                    is also treated as root when accessing files on the NFS server. To this
                    end, uid 0 is normally mapped to a different id: the so-called anonymous
                    or nobody uid. This mode of operation (called 'root squashing') is
                    the default, and can be turned off with no_root_squash.
      --
      Be nice to people on the way up. You will meet them again on your way down!
    4. Re:What is this samba you speak of? by BenjyD · · Score: 3, Insightful

      That doesn't help when the root user creates a user account with the correct UID and then logs in as that user, does it?

    5. Re:What is this samba you speak of? by Professor_UNIX · · Score: 2, Informative
      That doesn't help when the root user creates a user account with the correct UID and then logs in as that user, does it?

      Nope. That's how I used to update some web files on a central NFS server here long after the person left. I just added an account with his UID on my workstation, mounted the central NFS server's web share and voila. I could read/write his files just fine. Traditional NFS is HORRIBLE from a security standpoint since the only authentication involved is IP based and the only authorization is to rely on the UID/GID to prevent other users from munging with your files. This relies on only having trusted hosts having read/write access to your network. Newer versions of NFS add additional security mechanisms in place for both authentication and authorization, but they are rarely used from what I've seen since most people still use it the way NFS v2 behaved (relying on IP address and UID/GID) rather than Kerberos and certificates.

    6. Re:What is this samba you speak of? by petermgreen · · Score: 2, Insightful

      and on ethernet isn't stealing another machine's IP pretty easy?

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
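The sub-thread above turns on what root squashing does and does not cover. The following is an added example, not code from the thread, that models the server-side ID mapping described in exports(5) and audits export lines for the cases the posters raise; the sample exports, host names and finding labels are constructed for illustration.

```python
import re

ANON_ID = 65534  # default anonuid/anongid documented in exports(5)

# Constructed sample /etc/exports content.
SAMPLE_EXPORTS = """\
# path    client(options)
/home     192.168.1.0/24(rw,sync)
/srv/www  build01(rw,sync,sec=krb5p)
/scratch  *(rw,no_root_squash)
/pub      192.168.1.0/24(ro)
"""


def parse_exports_line(line):
    """Return (path, [(client, {option: value})]) or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    path, *specs = line.split()
    clients = []
    for spec in specs:
        m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
        if not m:
            continue  # malformed entry; a real tool would report it
        options = {}
        for item in filter(None, (m.group(2) or "").split(",")):
            key, _, value = item.partition("=")
            options[key] = value or True
        clients.append((m.group(1) or "*", options))
    return path, clients


def map_credential(uid, gid, options):
    """Apply the export's squash options to the IDs an AUTH_SYS client sent.

    The server never verifies these IDs; it only rewrites some of them.
    """
    anonuid = int(options.get("anonuid", ANON_ID))
    anongid = int(options.get("anongid", ANON_ID))
    if "all_squash" in options:
        return anonuid, anongid
    if "no_root_squash" not in options:  # root_squash is the default
        uid = anonuid if uid == 0 else uid
        gid = anongid if gid == 0 else gid
    return uid, gid  # any non-zero ID passes through unchanged


def audit_exports(text):
    """Return [(path, client, finding)] for risky export entries."""
    findings = []
    for line in text.splitlines():
        parsed = parse_exports_line(line)
        if not parsed:
            continue
        path, clients = parsed
        for client, options in clients:
            # sec= takes a colon-separated list; AUTH_SYS ("sys") is the default.
            flavors = str(options.get("sec", "sys")).split(":")
            if "no_root_squash" in options:
                findings.append((path, client, "client-root-is-server-root"))
            if "rw" in options and "sys" in flavors and "all_squash" not in options:
                findings.append((path, client, "client-asserted-uid-trusted"))
            if "*" in client:
                findings.append((path, client, "wildcard-client"))
    return findings


if __name__ == "__main__":
    print(map_credential(0, 0, {}))        # root is squashed
    print(map_credential(1001, 1001, {}))  # an ordinary UID is not
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

The `/srv/www` entry produces no finding because with `sec=krb5p` the identity comes from the authenticated Kerberos principal rather than from the UID the client asserts.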
  7. Re:Only 6 years by RenatoRam · · Score: 3, Informative

    Actually, windows copied in 2000 what was available in other environments for many years. AD is the bastard son of ldap+kerberos+smb.

    What took years is reverse-engineering all the weird quirks MS introduced in the previously standard systems.

    Besides, Samba can do a lot nifty things AD can't, so who's behind?

    --
    Ciao, Renato
  8. Re:Only 6 years by tpgp · · Score: 3, Insightful

    So, in 2006, Samba is finally able to do what windows was able in 2000?

    Five years to reverse engineer a difficult, obfuscated protocol is quite frankly amazing.

    And you see - they don't really have to offer full compatibility immediately - but if they do it before win2k ends its lifecycle, SAMBA + *nix offers companies dependent on AD a way out without having to go the win2k3 route.

    Way to innovate, OSS community!

    Way to troll dJOEK!

    There is virtually no innovation in software, proprietary or OSS - everyone is just copying everyone elses ideas & making incremental improvements...

    I mean we're all using the same desktop paradigm from 30 years ago - and the only substantial innovation I've seen in that is overlapping windows (from maybe 25 years ago)

    --
    My pics.
  9. My cat lost his password by digitaldc · · Score: 4, Funny

    'It may eat your cat,' says the Samba team in a statement, 'but is far more likely to choose to munch on your password database.'

    Wow, it only took 25 days for Samba to break its New Year's resolution to eat less and lose weight.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  10. NZ??? by oztiks · · Score: 2, Funny

    Linux.conf.au conference in New Zealand

    What the ... HAS THE WORLD GONE MAD!

    Since when did anything .au become New Zealand's responsibility? Usually it's the other way around! I.e. blaming the existence of Russell Crowe on Australians. This wasn't our fault, HE WAS BORN IN NZ! Now NZ is stealing our conferences. I for one find this an outrage!

  11. Re:Only 6 years by TallMatthew · · Score: 4, Informative
    So, in 2006, Samba is finally able to do what windows was able in 2000?

    Um, no. LDAP and Kerberos weren't invented by Microsoft. They put the two together and called it Active Directory, straying away from the RFCs and throwing in all manner of tweaks that required extensive reverse engineering on the part of the Samba team to figure out. That means figuring out the protocol from the packets, which is an incredible feat, especially as Microsoft's protocol designs aren't easily discerned and contain all sorts of weird gotchas (purposefully).

    There's a lot of complexity under that GUI of yours and, whether you want to believe it or not, Microsoft isn't such an innovative organization. Generally, they poach something that's already widely available and tweak it so it won't be interoperable with other systems. If you call that innovation, then I guess that speaks for itself.

  12. Re:Only 6 years by SteveAyre · · Score: 2, Insightful

    There's virtually no innovation in anything - we're all "standing on the shoulders of giants".

  13. NFS and Samba by DrYak · · Score: 2, Interesting

    You know, the big problem is, that the PHBs that are sitting at the head of big corps around have never heard of NFS. They've only seen the niiiiiice Shiiiiiinny PowerPoint presentation in Microsoft booths in big expos. And then, they have made their company pay a lot for an over-priced non-standard Microsoft LDAP/Kerberos/SMB bastard (a.k.a. Active Domain) and are now knee deep into a locked-in solution from which there's no other out except paying an even higher price for the next even worse microsoft product.

    This is the crowd that is targeted by Samba 4 :
    - those who are SMB/CIFS dependent beyond repair, but need an alternate and opensource solution to Microsoft.

    Of course, for the other guys out there, who can see differences between a real OS and a nice promises in a PowerPoint, there are other protocols to start with (like NFS).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:NFS and Samba by Bohiti · · Score: 2, Insightful

      You're dreaming. I doubt there are [m]any Active Directory shops out there who "need an alternate and opensource solution to Microsoft". Those who implemented Active Directory generally did so because they're mostly a Windows shop. Got Windows on the desktop, might as well pay the relatively insignificant fee to use Windows Servers and the free LDAP directory that comes with it. Don't delude yourself, AD, especially 2003, is rock solid. And you get easy, intuitive interfaces and "it just works" setup for the clients. And a huge installbase worldwide from which to glean information out of. And a company to call if you have problems, for-fee or "included" in another agreement. Microsoft Premier is amazing.

      Don't get me wrong, if I were to run IT for an up-and-coming small company without a huge Windows client base, I'd certainly love to give Linux et al a shot. I use Samba at home, as the go-between my hobby Linux box and Windows PC's. Just don't be under the impression that big Windows shops are itching to switch to Linux. Some individual techs might, but the corporation will stick with what works, the big name they see in the CIO magazines, the company they can send a check to and get some accountability from.

  14. But as an Active Directory replacement? by Money+for+Nothin' · · Score: 4, Insightful

    Can it do authorization of group access to a given application? How about publishing network resources (printers, workstations, etc.)? Can Samba 4 replicate its data between multiple sites? Is Samba 4's AD functionality even built off any sort of LDAP technology to begin with (probably OpenLDAP, if anything)?

    For all MSFT's faults (and there are many, as /. routinely points out), AD *is* a decent NOS directory...

    1. Re:But as an Active Directory replacement? by gentimjs · · Score: 4, Interesting

      Yes, active directory is decent - if you only ever want windows clients. I confess that I've got a samba3 server (Gentooooooo) as "full" member of our W2K ActiveDirectory - and even got the permissions synced up enough so that users can right-click files and play with permissions through the gui on the doze client. HOWEVER this setup took weeks of tweakage, involved a dozen or so actual software packages, and required violating some published microsoft specs on how AD (supposedly...) works. If samba4 gives me this without the BS, I'm happy. If samba4 lets me replace my domain controller and have the existing doze infrastructure not notice, I'm even more happy.

  15. Which version of Active Directory? by j-cloth · · Score: 5, Interesting

    This all sounds great, but will it work when(if) Vista comes out? Previously, I had samba setups running beautifully on Win2K networks. Then 2003 came out and it messed it all up. Eventually Samba (and supporting docs) caught up and 2003 now works reasonably well. So will Samba 4 come out with great support for 2003 then break as soon as Vista is released?

    1. Re:Which version of Active Directory? by Anonymous Coward · · Score: 2, Interesting

      The weblog linked from the article explains that Windows Vista will be using a new protocol, SMB2. Apparently the Samba team have already reverse engineered this and its in the technology preview! Impressive if you ask me.

  16. Lets be clear - by gentimjs · · Score: 3, Informative

    Lets be clear on this point -
    When vista comes out, samba will not break.
    MS will simply have changed the standard/protocol/whatever in some way that their own prior implementations will be tolerant of but Samba will not. Samba will not be busted, MS' own implementation of their own technology (or other peoples tech, kerberos for example) is what will be busted.

    1. Re:Lets be clear - by grasshoppa · · Score: 2, Insightful

      MS will simply have changed the standard/protocol/whatever in some way that their own prior implementations will be tolerant of but Samba will not. Samba will not be busted, MS' own implementation of their own technology (or other peoples tech, kerberos for example) is what will be busted.

      And, practically, does this make a difference? Can I look my boss in the eye and tell him that the mail server doesn't know who its users are, but it's ok because it's MS's fault?

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    2. Re:Lets be clear - by gentimjs · · Score: 2

      No, you can look your boss in the eye and tell him/her/it not to buy vista....
      Or if you are feeling brave, you can suggest they actually plan for these kinds of "gotchas" before they happen...

  17. Re:Only 6 years by RenatoRam · · Score: 2, Insightful

    Trivially easy?
    Do you manage many Active Directory servers?

    The ones I know about (in a EU wide bank) are a mess, and require an entire team of people just to let them run. And even so it is very simple to screw them up.

    Not counting the fact that AD is horridly delicate: un-join a machine from the domain for long enough, and you are done.

    AD is NOT easy. Clicking on "Share this folder" might look so, but managing AD is not.

    --
    Ciao, Renato
  18. Samba 3 Almost but not quite Active Directory. by Zombie+Ryushu · · Score: 2, Informative

    On my home network, I have been using Samba as an internal network file system for Linux to Linux networking. I use LDAP as my Database backend, Kerberos as my means of authentication to Samba.

    You see I discovered something about Windows and SMB. Windows Cached its passwords. The passwords were replayed across the network whenever a new socket was opened. Konqueror would not replicate this behavior unless forced to by the KDE Control center. I have a big long thing that describes the whole thing.

    It is not totally perfect but I want you to tell me if you think that
    this constitutes Active Directory, or at least something close.
    Either way, this is a major accomplishment for me, and I wanted some
    suggestions or potential improvements because I know this isn't perfect
    but it is a noticeable advancement.

    Abstract

    The general idea is that we have a single unifying database system
    (LDAP) a single protocol for Sign-On (Kerberos) Name resolution (Bind
    DNS) And a network File system (CIFS by care of Samba.)

    Basically, Kerberos now acts as a single sign-on (SSO) facility for my
    home network.

    When you log in Linux Pluggable Authentication Modules (PAM) verify the
    account's credibility via LDAP, and request a ticket from the Kerberos
    Key Distribution Center. based on the Principal (Username and Password)
    and Policies in the Kerberos Realm.

    These are DNS Service records that help clients find their KDC without the need for client side configuration files. This is how clients detect servers without Broadcast discovery protocols like Netbios Message Block. The reason this is important is because it eliminates the "replay" attack threat from the fact that Windows likes to Cache its passwords in SAM files (PWL Files in the 9x Series). Even without the User's knowledge.

    Some things I want to draw attention to.

    First, this is a Windows 2000 Style Port 445 CIFS (SMBX) connection between two Linux machines. NOT a port 139 NT4 Netbios Session (SMB) connection.

    The second thing I want you to notice is the fact that both servers are doing SPNEGO, also known as "Sign and Seal" In Windows 2003 Server.

    Finally that it acquired the valid Kerberos Principal and ticket, and did a valid Kerberos setup.

    Sorry if I sound incoherent. I'm tired.

  19. Re:Only 6 years by mwood · · Score: 3, Informative

    Well, actually Microsoft faced a difficult challenge when they decided to go with Kerberos. The NT security model wasn't a very good fit, but they were committed to it by years of investment and dependent design decisions, not to mention a huge installed base. They had to find a way to paste SIDs onto Kerberos. It was a long time before the rest of us got an unencumbered look at the TDATA that they worked out to do this, but once the format was known working with it should not be that complicated.

    In terms of volume of proprietary information to work out, the plethora of interlocking directory object types that an ADS client depends on has got to be the big challenge. The static characteristics of these objects and their attributes are documented (I use the term loosely) in the PSDK, but how they are used or even what some values mean is not at all clear. Throw in a few obvious copy/paste errors in the doco. to cloud the issue further and it's not surprising that Samba took this long. Create a new ADS forest and look at all the stuff that was put into it out of nowhere.

  20. Easy Transition? Excellent. by foo+fighter · · Score: 4, Interesting

    This is going to be fantastic for consultants when Win2K Server support ends.

    Many companies are not going to want something that isn't supported and will be looking where they should transition. Savvy consultants can propose a migration to Samba which could provide higher margins than reselling Microsoft solutions -- especially if they aren't a close partner of Microsoft -- and they will be able to fix problems and customize the solution themselves without having to point fingers (they still can, they just don't have to).

    This quote from the article gets me all warm and tingly inside:
    "Tridge demonstrated sucking the life out a Windows 2003 PDC [primary domain controller] in one click, importing all its user and machine information using SWAT."
    "He then restarted [domain server] BIND on his Samba 4 server, changed the server role to PDC ... shut down the Windows PDC and then logged into the domain with an XP client using the new Samba 4 server as the PDC."

    --
    obviously no deficiencies vs. no obvious deficiencies