Slashdot Mirror


Samba 4.0 Released: the First Free Software Active Directory Compatible Server

Jeremy Allison - Sam writes "We released Samba 4.0 today, containing the first compatible Free Software implementation of Microsoft's Active Directory protocols. 'Samba 4.0 comprises an LDAP directory server, Heimdal Kerberos authentication server, a secure Dynamic DNS server, and implementations of all necessary remote procedure calls for Active Directory. Samba 4.0 provides everything needed to serve as an Active Directory Compatible Domain Controller for all versions of Microsoft Windows clients currently supported by Microsoft, including the recently released Windows 8. The Samba 4.0 Active Directory Compatible Server provides support for features such as Group Policy, Roaming Profiles, Windows Administration tools and integrates with Microsoft Exchange and Free Software compatible services such as OpenChange.'" Full release notes are available, and you can grab the files from the download page.

24 of 343 comments

  1. No more licensing fees :) by somersault · · Score: 5, Interesting

    Oh hell yes

    --
    which is totally what she said
    1. Re:No more licensing fees :) by kagaku · · Score: 5, Informative

      Spoken like someone who has NEVER done SQL development. SQL most definitely is not SQL, it's a world full of vendor specific dialects of SQL, each varying in subtle and incompatible ways. Not to mention each requires a different method of connection, protocol, authentication and integration.

      --
      everyday is another shooter.
    2. Re:No more licensing fees :) by erroneus · · Score: 5, Insightful

      Sorry, but no. There are bunches and bunches of PHBs out there who will perpetually doubt that anyone can make a Microsoft server as good as Microsoft and would be more than a little afraid that by doing this, they would be in violation of some sort of license requirement. At the very least, it would void any support services if an exchange server were to connect to a Samba 4 AD domain. PHBs care a lot about stuff like that even if people rarely if ever use Microsoft's support.

      For that dream to become a reality, a big player out there would have to step up and put their branding and reputation behind it. For example, IBM might be a great candidate for that. PHBs still know who IBM is. RedHat might not get the reception Linux users might think they deserve. Oracle, as much as I would like to see them die in a fire, might also be able to pull it off.

      For now, the IT world is ruled by PHBs and one must always consider what things they might believe regardless of how ridiculous it may actually be.

    3. Re:No more licensing fees :) by aquarajustin · · Score: 5, Interesting

      This is why I don't work for a PHB. In fact, he's balding a bit. I have the best boss ever. He just gave me the green light to be early adopters and run this in production (once it passes a few sanity checks). We've been running the alphas and betas with much success. Samba team ftw!! Thanks guys! I've been waiting for this for so long.

  2. fsck yeah! by Netdoctor · · Score: 5, Insightful

    Oh My Gawd.

    I have been waiting literally *years* for this.

    This just made up for an otherwise very crappy day. No, this just fixed my whole year.

    1. Re:fsck yeah! by neokushan · · Score: 5, Funny

      I'm going to take a wild stab in the dark and assume you're a sysadmin.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    2. Re:fsck yeah! by MrHanky · · Score: 5, Funny

      Ah, POSIX porn. Most people never even thought it existed, yet there it is, already a standard.

  3. Wow by Anonymous Coward · · Score: 5, Insightful

    I'll be interested to see the reviews on this over the next several months. I'm interested to see how well this performs under different levels of load, and how it utilizes group policy. Kind of exciting in an extremely nerdy sort of way.

  4. How does Microsoft feel about this? by gstoddart · · Score: 5, Interesting

    I'm assuming if Microsoft could legally stop this, they would.

    Likely the interfaces aren't copyrightable and this is probably a clean implementation -- but I'm sure if Microsoft could trot out a patent or something else to stop people they would.

    I can't imagine they want implementations of their stuff out there. (Granted, they mostly started out by implementing other people's stuff, so there may not be much they can do about it.)

    --
    Lost at C:>. Found at C.
    1. Re:How does Microsoft feel about this? by mcl630 · · Score: 5, Informative

      Microsoft provided them with documentation and helped them with interoperability testing. From TFA:

      The Samba 4.0 Active Directory Compatible Server was created with help from the official protocol documentation published by Microsoft Corporation and the Samba Team would like to acknowledge the documentation help and interoperability testing by Microsoft engineers that made our implementation interoperable.

      "Active Directory is a mainstay of enterprise IT environments, and Microsoft is committed to support for interoperability across platforms," said Thomas Pfenning, director of development, Windows Server. "We are pleased that the documentation and interoperability labs that Microsoft has provided have been key in the development of the Samba 4.0 Active Directory functionality."

    2. Re:How does Microsoft feel about this? by Jeremy+Allison+-+Sam · · Score: 5, Informative

      Ahem. Microsoft provided a positive quote for the press release, and were involved in bug fixing to ensure interoperability.

      So no, I don't think they hate it :-).

      Jeremy.

    3. Re:How does Microsoft feel about this? by leoxx · · Score: 5, Informative

      Of course what you failed to mention is that Microsoft only did this because the European Commission forced them to:

      December 20th 2007. Today the Protocol Freedom Information Foundation (PFIF), a non-profit organization created by the Software Freedom Law Center, signed an agreement with Microsoft to receive the protocol documentation needed to fully interoperate with the Microsoft Windows workgroup server products and to make them available to Free Software projects such as Samba. Microsoft was required to make this information available to competitors as part of the European Commission March 24th 2004 Decision in the antitrust lawsuit, after losing their appeal against that decision on September 17th 2007.

    4. Re:How does Microsoft feel about this? by Jeremy+Allison+-+Sam · · Score: 5, Interesting

      Possibly their marketing and senior execs hate it (although I doubt that - Thomas Pfenning is at director level in the Windows org and he thinks it's pretty cool).

      But I know their engineers think it's cool :-).

      Jeremy.

    5. Re:How does Microsoft feel about this? by Bengie · · Score: 5, Informative

      Microsoft actually invited several of the SAMBA team over, had 2 senior engineers on hand to answer any questions they had about SMB and even gave the SAMBA team their own VM environment complete with Win7/Win8/Linux to run SMB2/3 compatibility testing. Lots of questions about RDMA, Interface teaming, and multi-pathing.

      The SAMBA team said they received a lot of insight and understanding from their time with the MS engineers and were impressed and excited.

      I'm not sure Microsoft is too concerned about SAMBA 4 being released.

    6. Re:How does Microsoft feel about this? by erroneus · · Score: 5, Informative

      From the Groklaw article, the documentation for active directory was sold to the Samba project. The Samba project then went about using the documentation as a reference. Microsoft did not want to sell this documentation to the Samba project and were required to do so under court order. So no. They weren't all that willing to help out.

      And if Microsoft starts playing "undocumented features" games again to break compatibility, they will find themselves in court again.

  5. Re:Administrative UI by Jeremy+Allison+-+Sam · · Score: 5, Informative

    Yes :-). That's why you can use the Windows tools to administer Samba4.0 AD server :-).

    Jeremy.

  6. Re:Too Late by X0563511 · · Score: 5, Funny

    Where the fuck do you think all that web-based administration plugs into, a unicorn?

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  7. Re:GPLv3 by Jeremy+Allison+-+Sam · · Score: 5, Insightful

    Oh you mean corporations like IBM, EMC, Netgear, WDC, Google? Yeah, the GPLv3 really scared them :-).

    Listen to my presentation here:

    http://www.softwarefreedom.org/podcast/2011/may/10/why-samba-switched-to-GPLv3/

    to explain why GPLv3 is a *better* license for commercial use than the GPLv2.

    Jeremy.

  8. Re:I wouldn't jump the gun just yet by Zombie+Ryushu · · Score: 5, Informative

    Samba 3+OpenLDAP+Heimdal Kerberos created what were often termed "Open Directory Services" by the Apple Crowd. They were mutant NT 4.0 Domains that had broken a bunch of the limitations of NT4 (such as multiple PDCs and levels of trusts), provided LDAP and Kerberos, but to Windows, they were still just NT Domains. Not true ADs. XP and 2000 would disable Kerberos because it thought it was talking to NT4. Windows 7 dropped support for NT4 EXCEPT there was a special mode just for Samba 3 to work, and you had to edit the registry to get it working.

  9. Re:GPLv3 by Jeremy+Allison+-+Sam · · Score: 5, Informative

    Yes, I'm Jeremy Allison - the original poster. I created Samba along with tridge (he was there first, and is much smarter than me though :-). I thought that was obvious, sorry :-).

    Jeremy.

  10. Microsoft Don't support Shit by Anonymous Coward · · Score: 5, Interesting

    Sorry to point this out so bluntly, but I'm sick to death of this argument that Microsoft is better than open source, because they offer full support to business customers. As a sys admin with 15 years under the belt, I can tell you that I have never gotten anything from Microsoft past a link to a technet support wizard that asks 4 obvious, general questions and always ends with "Sorry we cannot provide a solution to this problem, Do you find this article helpful?"

    NO I FUCKIN' DON'T.

    Microsoft would be the last place I would ever call if there was a critical server failure where downtime is money.

    In the real world, this kind of support is provided by 3rd party Managed Service Companies who are paid separately anyways, so you might as well pay for support on a nix based system, as they are well known to be much more stable (look at your average local nix admin with his feet up knitting or making chainmail, because he's got his systems singing and cron-grepping him hourly reports about how awesome he is and why he deserves a raise, compare this to your best of breed bad ass wizard windows admin, stressed as fuck, up till 4am fixing stupid shit for peanuts).

  11. Re:No more job security :) by Jeremy+Allison+-+Sam · · Score: 5, Interesting

    You do realize that many enterprise storage servers made by companies like IBM, Symantec, EMC, Dell etc. are or have been based on Samba code, right?

    Nah, probably not... :-). After all, you know that only Windows storage servers work with Windows clients don't you :-).

    Jeremy

  12. Existing OpenLDAP setups by abartlet · · Score: 5, Informative

    I agree, existing OpenLDAP sites using Samba 3.x in cooperation with a host of other packages, using the traditional LDAP directory structure deployed on many Linux oriented sites are not going to migrate to Samba 4.0 as an AD DC any time soon. The change is just as big as the change to migrate to Microsoft's Active Directory, except that we provide a tested upgrade tool to handle the Samba-essential parts.

    We want this to be easier, and the tools can certainly be extended to cover other schema items, and integration of these services can improve, because many of these can work well against a Microsoft Windows AD. However, we know this is a big leap, so we continue to support existing configurations (with the existing features). (For want of a better term, we call it a 'classic' domain.)

    The issue isn't as much being unable to use an LDAP server as a data store (but this became more difficult as we became more like AD), as that unless we were to implement on the fly schema translation, most of the same issues would remain (assumptions about AD or traditional schema and layout between Samba and the other tools on the LDAP backend), and so the result would not have been useful anyway!

    As such, the LDAP backend has been put aside as an interesting technical model that didn't work out. If a plausible use case ever comes up, then interested developers might revive some of it (the code and some tests remain where they are not impeding development), but for now there are no plans for support of anything other than local LDB files and native replication with other AD servers.

    Andrew Bartlett
    Samba Team

  13. Re:If only it were samba-tng by abartlet · · Score: 5, Informative

    The AD DC is actually a bunch of core libraries and services. To make things easiest for our users, the services are linked into and started up by one binary, but internally each different task ends up in a forked process (if appropriate). But we do one better, and allow this to be controlled at runtime, so with '-M single' it essentially becomes a giant state machine, and can be handled with a single gdb. Inter-process communication is via a unix domain socket based messaging system or full DCE/RPC pipes.

    External processes can register specific named pipes (when, as we do by default, we use smbd as the file server, this is actually a key part of the design), or DCE/RPC server modules can be loaded (the OpenChange project provides such a module).

    We could discuss if more or less of Samba's internal communication should use one design pattern or another, but what is more interesting is that without fanfare or bother, some of those ideas, implemented pragmatically rather than dogmatically, have become an essential part of how Samba is implemented. That pragmatism has then brought us the AD DC that we are so proud to announce today.

    I also love that the shared libraries that we now use internally make Samba much smaller as well, reducing the disk space overhead.

    Finally, a surprising amount of the code is actually in modules on ldb, our ldap-like database at the core of the system.

    I know you were hoping to troll with what has been a long-running design philosophy, but when you spend the time building the system, you find the pragmatism rules the day, and we use a variety of tools to get the job done, and to get it done in a way that is most seamless to our users.

    Andrew Bartlett
    Samba Team