February 3, 2010
This article was contributed by Don Marti
From one point of view, Samba is open source high
drama at its finest: an early adopter of version 3
of the GNU General Public License, and the recipient
of an unprecedented release of formerly proprietary
Microsoft documentation, thanks to a high-profile
anti-trust case. Meanwhile, though, it's the
low-profile software that implements the Server Message Block (SMB)
file-sharing protocol, sometimes known as CIFS. Samba powers every inexpensive
NAS device in the computer store—without even a
mention on the box—and comes with all the common
Linux distributions and with Apple's Mac OS X Server.
Today, as Samba comes closer to implementing a
key Microsoft directory protocol, the two aspects are
being forced together.
Samba creator Andrew Tridgell,
better known as Tridge, posted
to his blog, "There has been a lot of progress
recently in the development of the directory server
capabilities of Samba4." In a half-hour screencast
video, he demonstrated a development version of Samba
acting as a Microsoft Active Directory domain controller in a mixed environment.
"We are making very rapid progress now," he added.
Active Directory (AD) is a central repository for
all the administrative information that a modern
Microsoft Windows site needs. Besides user
names and passwords, AD functions as a DNS
server, stores network configuration policy
such as firewall rules, and acts as a back-end
for applications' configuration. Microsoft
Exchange, for example, is completely dependent
on it.
AD is made up of "domains" which are data structures
that contain groups of objects, which might represent
everything from an individual printer to the entire
company sales force. Domains can then be collected up
into "forests". A company might have many AD domains
within its forest, and everything in the forest can
be managed by the same administrators. Because AD
is such a critical service, Windows sites typically
install multiple AD servers, which replicate their
data using a formerly secret protocol.
The Samba team received
Active Directory documentation, including
the server-to-server protocol, as part of an agreement
made in response to a European Commission antitrust
case in 2007. The documents have helped the project,
Tridge said:
Stefan Metzmacher had managed to
decode some very important parts of the protocol as
part of his thesis work, but we were still missing
some key parts of the puzzle. The documentation from Microsoft filled
in many of these key elements, and perhaps more
importantly, Microsoft has been very willing to
engage with us to fill in any gaps that we find,
including working directly with traces of Samba
talking to Windows domain controllers to enable us
to debug our implementation.
The documentation project was a huge project from the
Microsoft side. Tridge described it this way:
I think it is fair to say that the
WSPP/MCPP documentation effort is one of the largest
efforts in IT history to document a set of network
protocols. The sheer scale of the
effort means that there are inevitably errors and
omissions. We have been pleased at how Microsoft has
responded to our reports of these errors by providing
us with additional documentation where needed.
In the video, Tridge demonstrates provisioning an
Active Directory domain on a Samba server, running
a development version of Samba from shortly before
Samba 4 alpha 11. Once the Samba server is running,
he then starts a copy of Microsoft Windows Server
2008R2 Standard as a guest under VirtualBox, and
runs the Windows "dcpromo" command to have it join
the domain as a domain controller.
A few clicks and entries in the "Active Directory
Domain Services Installation Wizard" later, the
Windows box is ready to reboot and come up as part
of the domain originally created on Samba. It takes
about 30 seconds to synchronize key information for
the newly-created domain. This step might take hours
on a larger, longer-running domain.
Samba 4 has
a few limitations, compared to a Windows AD server.
There is only one domain per forest, and only one site
per domain, but Tridge says that removing those limitations is
a near-future priority. Windows administrators,
like sysadmins everywhere, fall all over the
"lumpers" vs. "splitters" spectrum, and anyone
but extreme lumpers with simple configurations
will need the ability to define separate domains,
for departments and roles, and separate sites, for
physical locations.
The remaining manual step is to add the
Windows domain controller to the DNS zonefile
on the DNS server. Microsoft's Active Directory handles
DNS duties itself, while Samba relies on the
system nameserver. A change to a Samba AD domain
requires a corresponding change to a zonefile on the
nameserver. "What we don't yet support in Samba 4
is the ability to create arbitrary DNS names within
a Bind9 server using Kerberos authenticated DNS
requests," he said. "Microsoft stores DNS within
Active Directory. We can't join a Windows domain
controller as a new DNS server, so have to rely
on the Unix machines to provide DNS," he added.
After recording the screencast, Tridge did write
a script to automate the needed zonefile changes,
he said.
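The zonefile step described above, as an added example (not Tridge's script or Samba's own code): it generates the BIND9 records a newly joined domain controller needs and, for the Kerberos-authenticated dynamic-update path the article says Samba 4 did not yet support, the equivalent nsupdate batch. Host names and addresses are constructed; the record set and the default priority/weight are assumed from the standard AD DC locator layout, for the single-site domain Samba 4 was limited to.

```python
import ipaddress


def dc_zone_records(domain, dc_host, dc_ip, site="Default-First-Site-Name"):
    """Zonefile lines (relative to $ORIGIN domain.) advertising one DC.

    The owner/port table is the standard AD DC locator record set
    (assumption: one site per domain, matching the Samba 4 limit above).
    """
    ipaddress.IPv4Address(dc_ip)  # raises ValueError on a bad address
    fqdn = f"{dc_host}.{domain}."
    srv_owners = [
        ("_ldap._tcp", 389), ("_kerberos._tcp", 88), ("_kerberos._udp", 88),
        ("_kpasswd._tcp", 464), ("_kpasswd._udp", 464), ("_gc._tcp", 3268),
        ("_ldap._tcp.dc._msdcs", 389), ("_kerberos._tcp.dc._msdcs", 88),
        ("_ldap._tcp.gc._msdcs", 3268),
        (f"_ldap._tcp.{site}._sites", 389),
        (f"_kerberos._tcp.{site}._sites", 88),
        (f"_gc._tcp.{site}._sites", 3268),
        (f"_ldap._tcp.{site}._sites.dc._msdcs", 389),
        (f"_kerberos._tcp.{site}._sites.dc._msdcs", 88),
        (f"_ldap._tcp.{site}._sites.gc._msdcs", 3268),
    ]
    lines = [f"{dc_host}\tIN\tA\t{dc_ip}"]
    # priority 0, weight 100 are the values Windows DCs register by default
    lines += [f"{owner}\tIN\tSRV\t0 100 {port} {fqdn}" for owner, port in srv_owners]
    return lines


def nsupdate_batch(domain, server, records, ttl=900):
    """Render the same records as an nsupdate(8) batch for a Bind9 server
    that accepts GSS-TSIG (Kerberos) dynamic updates, i.e. 'nsupdate -g'."""
    out = [f"server {server}", f"zone {domain}."]
    for line in records:
        owner, _, rtype, rdata = line.split("\t")
        out.append(f"update add {owner}.{domain}. {ttl} IN {rtype} {rdata}")
    out.append("send")
    return "\n".join(out)


if __name__ == "__main__":
    # constructed sample: a Windows DC named win2008 joining samba.example
    recs = dc_zone_records("samba.example", "win2008", "192.0.2.10")
    print("\n".join(recs))
    print(nsupdate_batch("samba.example", "192.0.2.1", recs))
```

Appending the zonefile lines to the domain's zone (and bumping its SOA serial) is what the article calls the remaining manual step; the nsupdate batch is only usable where the nameserver is configured to accept GSS-TSIG updates.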
Tridge's screencast shows the Windows box
successfully syncing with the Samba server, and a
user added on the Windows side shows up quickly in a
search of the Samba server. Samba 4 is also able to
join an existing AD domain. A tool called "vampire"
is the Samba-side equivalent of the "dcpromo" command
on Windows. Tridge demonstrated using it to add a
second Samba server to the domain, ending up with a
domain with two Samba servers and one Windows server.
This ability means that an administrator could soon
add a Samba appliance to an existing AD network,
reducing the number of actual Windows servers
needed.
Integration and the "Franky" concept
Samba 4 is an ambitious rewrite, which has been in progress
since 2003. Meanwhile, Samba 3 has been through many
releases with incremental improvements, and currently
works well as a member, but not a domain controller,
of an Active Directory domain. Samba 3 is "closer
and closer to Windows compatibility in timestamps and
Windows ACLs. It's harder and harder to tell us from
a Windows box," Samba team member Jeremy Allison said.
Thanks to extensive usage and bug reports, Samba 3
has gained the ability to handle real-world client
quirks, while Samba 4 has focused on the big AD
problem but not faced the day-to-day beatings of
production use.
Tridge said that in addition to remaining AD work,
"we also need to find out exactly how we will achieve
our stated goal of re-integrating the great file
sharing and printing work that has been done in the
Samba3 branch with all of the work on Active Directory
server support in Samba4."
Samba developers have been discussing
ideas for combining the new functionality
in Samba 4 with the existing Samba 3 code.
One design for a combined project, called "Franky,"
short for "Frankenstein," would run Samba 3, listening on the SMB ports
(139 and 445), along with Samba 4 listening on the ports required for AD
support. Another alternative would be
to run Samba3, but pass through AD-related requests
to Samba4. "Obviously this will
require quite a lot of merge work, but we believe
this may be possible to achieve in 2010," Jeremy said
on the Samba team blog.
Tridge said:
We need to have a single common file
server component and printing component again. The
strain on the team of having two implementations of
the file serving component is too great. One way of
achieving that is via something like the 'Franky'
approach, but that has a significant downside of
making deployment and administration of Samba more
difficult. We need to put more thought into how we can
make it easy for administrators, while also offering
the best set of features from both branches.
"I'm expecting a fairly heated discussion at
SambaXP
this year," said John Terpstra, Samba team
member and chief software architect of ClearCenter,
which produces a web-administered distribution for
small and medium businesses. The SambaXP conference
is scheduled for May 3rd - 7th, 2010 in Göttingen,
Germany.
Licensing and downstream
Samba with Active Directory is still not on downstream
roadmaps. Simo Sorce, Principal Software Engineer
at Red Hat, who maintains Samba packages for Fedora,
said that project is looking at including Samba
3.5.0 in Fedora 13, if it's ready in time. But AD
is still in the future. For future releases, "We
will wait until the solution is stable enough that
upgrades won't mean your server has a good chance of
breaking," he said.
ClearCenter's ClearOS combines network gateway
with VPN, web and mail filtering, Samba file server,
Kolab groupware, and web-based administration tools
into a package designed for resellers to deploy at small
businesses and branch offices. Samba is a key part of
the company's product, which competes with Microsoft
Small Business Server but with a monthly subscription
bill instead of an up-front license price. ClearOS is
based on CentOS, a rebuild of Red Hat Enterprise
Linux, but includes Samba 3.4 in place of CentOS's
3.0 package. "ClearOS 6 is going to ship pretty
quickly after Samba 4 ships," John said.
Samba adopted
version 3 of the GPL in 2007. One effect of
the new license was to prohibit downstream Samba
resellers from entering into new patent license
agreements covering Samba, like the controversial Novell-Microsoft
patent deal of 2006. Samba's license change
doesn't affect Novell, whose contract predates the
GPLv3 cutoff date, but according to the Samba web
site, "Patent covenant deals done after 28 March 2007
are explicitly incompatible with the license if they
are 'discriminatory' under section 11 of the GPLv3."
No GPLv2 fork has emerged, and, Jeremy
says, the license change "has essentially
been a complete non-issue." Downstream
vendors ship Samba on everything from tiny NAS
devices that connect to a USB drive, up to IBM's Scale
Out File Services, which runs clustered Samba
on top of IBM's proprietary General Parallel File
System (GPFS). "What Samba does is it turns the
CIFS server into a commodity, allowing people to
compete on back-end scaled clustered filesystems,"
Jeremy said.
All of the Samba code is under individual copyrights,
without assignment. "It's completely impossible to
be bought out," Jeremy said. "No one can get any
advantage over anyone else in the Samba code."
As part of the agreement with Microsoft, the
company must disclose any of its patents that it
believes are necessary to implement its protocols,
and it has not added any to its list since reaching
the agreement. Microsoft has been "very cautious
about breaking compatibility," Jeremy said.
"With Windows 7, Microsoft made sure that it
would work with a Samba 3 domain controller."
Microsoft ended support for Windows NT 4, the
last of its OS products to implement the old NT
Directory Services system, at the end of 2004, and
Windows 7 does not work with an NT4 domain controller, he added.
Help wanted
As you might expect, the Samba team is looking for
help. Tridge invites new contributors: "Join the #samba-technical
IRC channel (on the FreeNode
network, irc.freenode.net), join the samba-technical
mailing list, and get involved with the development
process. Point out what the priorities are for Samba4
before you would consider deploying it, and help us
to prioritize our development to meet your needs."
Jeremy asks would-be redistributors and SMB
appliance vendors to work on functionality they
anticipate needing. "If you're planning on a
product within the next 18 months, the earlier you get
involved the more chance you get to steer it to do the
things you need to do," he said. "If you
need Samba to interface with a particular filesystem,
give us a VFS module that will let us do that,"
Jeremy said. Contributions to Samba itself have
to be licensed under the GPLv3, but the team does
want to be able to run Samba on the user's choice of
clustered filesystem.
Then, as Jeremy posted, "Once we have a
merged code-base, we'll declare victory, ship Samba4
and have the biggest darn release party since Duke
Nukem Forever shipped and revolutionized computer
gaming ! :-)." Samba 3 has served well as an
essential file server, and Samba 4 has broken new
ground in Microsoft protocol discovery, but eventually,
one way or another, there will be one Samba again.