Releasing Samba 4 [LWN.net]

By Jake Edge
November 30, 2011

Samba 4 has been a long time in coming—and it seems to still be a ways off. Samba is a free implementation of Microsoft's SMB/CIFS protocol that is used in the vast majority of consumer-targeted network storage devices, but the current 3.x versions lack many of the features that enterprise users require (Active Directory support in particular) and Samba 4 is meant to address that shortcoming while also reworking and rewriting much of the code base. The biggest hurdle to a Samba 4 release seems to be integrating the new code with the existing pieces that currently reside in Samba 3. A recent proposal to release the current code "as is"—rather than complete the integration work before a 4.0 release—is under heavy discussion on the samba-technical mailing list.

There is a fair amount of impatience, it seems, for a Samba 4.0 release. In the proposal, Andrew Bartlett notes that vendors would like to build their products atop a stable release, rather than alphas, and that finishing the integration work in 4.1 might allow a final 4.0 release "in about three months time". Samba 4 has been in the works since 2003, with several "technology preview" releases starting in 2006 and the first alpha release in 2007, but a 4.0 final release has so far proved elusive. In his proposal, Bartlett is seeking to route around the hurdles and get a release out there.

Part of the problem with integrating the Active Directory (AD) Domain Controller (DC) work with the existing production Samba 3 code is that there needs to be a clear migration path for users who upgrade. If the existing Samba 3 file server code (often referred to as "smbd") were still shipped as an option, existing users would not need to change anything. Only users that were interested in moving to Samba-based DCs would need to start using bin/samba (which is the name of the Samba 4 server that includes AD and DC functionality).

But, some have always envisioned Samba 4 as a single server process that can handle all of the different roles (file server and AD DC), which necessitates the integration. Others are not so sure that it doesn't make sense to release a Samba 4 that incorporates the new functionality for those who need AD DC support, while leaving other users to continue using the older, working and well-tested code. Part of the problem seems to be that various different sub-groups within the project are taking their own approach, and no one has done a lot of development—or testing—of an integrated server solution.

Those who are currently testing DC setups with the Samba 4 code are using the simpler, single-process "ntvfs" file server code, rather than smbd. For that reason and others, Andrew Tridgell would like to see ntvfs still be available as an option:

For embedded devices the single process mode and ntvfs/ file server code is what we are likely to use for some time, as it uses far fewer resources. For intensive file serving using smbd makes sense but I don't want to lose the ability to run in small environments.

But that doesn't sit well with Jeremy Allison, partly because of the maintenance burden:

Having a second file server embedded - used only in certain cases and having differing semantics is a [recipe] for disaster, and not a good idea for long term stability of this release.

That's a big sticking point for me. I though we'd decided s4 fileserver was smbd code - end of story. The details were how to do the integration.

Beyond just the embedded case, though, Tridgell sees value in keeping ntvfs alive, rather than forcing those users to switch to the smbd-based file server code. It's a matter of what testing has been done, as well as causing fewer disruptions to existing setups:

Apart from the embedded case, it is also the file server we have done all testing of Samba as a DC against so far. Being able to run it by setting a config option is a good thing I think, at the very least for debugging issues with the changeover to the smbd based file server. It also means that existing sites running s4 as a DC are able to continue to run the file server they have been using up to now.

Tridgell also thinks that ntvfs has a design and structure that should eventually migrate into smbd. But, as he notes, his arguments haven't convinced Allison, so he's started working on a branch that uses the smbd server. That's only one of the problem areas, though. AD DCs handle far more than just file serving, they also perform authentication, DNS lookups, act as printer servers, and more.

But, once again, there are two versions of some of the services floating around. For example, winbind, which handles some authentication and UID/GID lookups has two separate flavors, neither of which currently handles everything needed for an AD DC. Tridgell and Bartlett have been looking into whether it makes sense to have a single winbind server for both worlds, seemingly coming to the conclusion that it doesn't. But Allison, Simo Sorce, and Matthieu Patou see that as another unnecessary split between existing and future functionality. Sorce is particularly unhappy with that direction, saying:

It almost [seems] like we should just fork the 2 projects, after all we reimplement everything differently between the file server components and the DC components with no intention of sharing common code [...]

Part of the complaints about Bartlett's proposal is about positioning. Samba 4 has been envisioned as a complete drop-in replacement for Samba 3. To some, that means integrating the Samba 3 functionality into Samba 4, but for others, it could mean making the Samba 3 pieces available as part of Samba 4. Tridgell and others are in the latter camp, but Allison looks at it this way: "It isn't an integrated product yet, it's just a grab bag of non-integrated features." He goes on to say that it will put OEMs and Linux distributions "in an incredibly difficult position w.r.t. marketing and communications".

Everyone seems to agree that the ultimate goal is to integrate the two code bases, but there is enough clamor for a real release of the AD DC feature that some would like to see an interim release. One idea that seems to be gaining some traction is to do a "Samba AD" release using the Samba 4 code (and possibly including some of Samba 3 server programs). That release would be targeted at folks that want to run a Samba AD DC—as many are already doing using the alpha code—encouraging those who don't need that functionality to stay with Samba 3. As Géza Gémes put it:

Call the Samba 4.0 release Samba-AD (the idea behind the name belongs to Sernet people), and continue to release Samba3 as Samba-FS. This way people would have a suggestion where those are going to be deployable. Of course I DON'T propose the end of the integration efforts. But if the plan is to do a release in the near future that seems a good (certainly not perfect) compromise. Having a Samba release with ability to act as an AD DC is becoming more and more important to many people who have to upgrade their network infrastructure.

Doing something like that would remove much of the pressure that the Samba team is feeling regarding a Samba 4 release. That would allow time to work out the various technical issues with integrating the two Sambas for an eventual Samba 4 release that fulfills the goal of having a single server for handling both the AD DC world and the simpler file-and-print-server world. As Gémes and others said, it's not a perfect solution, but it may well be one that solves most of the current problems.

The underlying issue seems to be that Samba 3 and Samba 4 have been on divergent development paths for some time now. While it was widely recognized that those paths would need to converge at some point, no real plan to do so has come about until now. Meanwhile, users and OEMs have been patiently—or not so patiently—waiting for the new features. It is probably still a ways off before the "real" Samba 4 makes an appearance, but plans are coming together, which is certainly a step in the right direction. Given that some have been using the AD DC feature for some time now, it probably makes sense to find a way to get it into people's hands. Not everyone is convinced of that last part, however, so it remains to be seen which way the project will go.

(Log in to post comments)

Releasing Samba 4

Posted Dec 1, 2011 7:52 UTC (Thu) by abartlet (✭ supporter ✭, #3928) [Link]

One of the important features of the 'master' branch of Samba (which I advocate should be released under Samba 4.0 or some other name) is a new waf-based build system. This build system produces much smaller binaries for both of the file server architectures mentioned in this article.

In terms of the ntvfs file server being part of the Samba4 AD component, it can operate as a standalone server, the AD components only add a small disk overhead in this case.

Andrew Bartlett
Samba Team

Releasing Samba 4

Posted Dec 1, 2011 16:08 UTC (Thu) by drag (subscriber, #31333) [Link]

> I've long wanted a lean stand-alone CIFS-file server to run on my 16 MB RAM Router, without the whole baggage that comes with AD,

I believe that many Microsoft client implementations are broken without some sort of minimal AD support. I don't remember the details anymore.

But regardless, you are going to have a tough time deviating from what Microsoft Windows expect and have it work well.

I would like to have a full fledged 'Unix native' Samba implementation. NFS is terrible.

Is it some kind of "yes, I can do that" project?

Posted Dec 1, 2011 17:47 UTC (Thu) by khim (subscriber, #9252) [Link]

Are you doing this to prove that yes, you can fit the beast in a tiny footprint is it just because you feel that beefer router (something like Buffalo WZR-HP-AG300H) is "not worth it"?

If you want to help others then I can only cheer for you, but if not then beefer router looks like saner option (or do you value your time sooo cheap?).

Releasing Samba 4

Posted Dec 1, 2011 10:18 UTC (Thu) by trasz (guest, #45786) [Link]

Yup. And that's one of the reasons Samba was dropped by e.g. Apple (they have their own userland SMB server implementation now) and Sun (they have their own in-kernel SMB file server). It would be nice for someone to create userland implementation using the latter, btw - it's small, simple, secure and it even handles ACLs properly.

Releasing Samba 4

Posted Dec 1, 2011 11:32 UTC (Thu) by jengelh (subscriber, #33263) [Link]

*nod* *nod*. One big fat program-process is so DOS-era-ish. Many system daemons, e.g. cups, postfix, other MTAs, split up in some form, either for reasons of pluggability, better scheduling, selective restart, or in fact debuggability. In fact, even desktop environments do that. XFCE, KDE, even icewm, is not a single process.

I recall that 5-7 years ago, smbd subprocesses could go into an infinite loop ("Transport endpoint not connected" over and over and visibility in top(1)) if a Windows client suddenly disconnected in some form. Were samba, or even just smbd, a single process - it would have been hard to kill the thread. Were samba/smbd just one thread - it would have taken down the entire fileserving.

Releasing Samba 4

Posted Dec 1, 2011 13:59 UTC (Thu) by pj (subscriber, #4506) [Link]

Yeah, it sounds to me like they don't need to so much to integration into one big process as they need to integrate them all into a common message bus or something. D-Bus springs to mind, but standardizing on any kind of IPC would be a win - then they can all stay separate processes and just... talk to each other.

Releasing Samba 4

Posted Dec 1, 2011 18:34 UTC (Thu) by jra (subscriber, #55261) [Link]

Apple was dropped by Samba for purely religious (GPLv2 vs GPLv3) reasons. Trust me on that.

Sun had bought the Procom code and integrated it into their kernel (badly). As for "it even handles ACLs properly" don't make me laugh. I communicate with Nexenta quite a lot. Let's just say there are some ACL "issues" with that code still being worked on (that's not to say there aren't ACL issues with Samba, I work on them myself :-).

Jeremy.

Releasing Samba 4

Posted Dec 1, 2011 19:58 UTC (Thu) by trasz (guest, #45786) [Link]

Yes, there are some ACL issues. But it's still lot better than with Samba, which does all kinds of sick stuff to work around lack of compatible ACL model in Linux, and which, generally, does not work at all.

Releasing Samba 4

Posted Dec 1, 2011 20:32 UTC (Thu) by nix (subscriber, #2304) [Link]

You may find your respondent (the coauthor of Samba), as well as a lot of Samba users, disagree with your somewhat contentious comment that ACLs in Samba 'do[] not work at all'!

Releasing Samba 4

Posted Dec 2, 2011 7:54 UTC (Fri) by trasz (guest, #45786) [Link]

Let me rephrase: while ACLs in Samba work in some specific, even if common, cases, they don't work in the general case. That's because it's impossible to "emulate" NTFS/NFSv4 ACLs on top of POSIX.1e ACLs, which is what Samba is trying to do - these two differ even in fundamental ways, e.g.in the way ACL entries are evaluated. In order to support ACLs properly Samba would have to either ditch support for systems that don't support NFSv4 ACLs natively (i.e. Linux), or just store the ACLs independently from the filesystem.

Releasing Samba 4

Posted Dec 2, 2011 18:51 UTC (Fri) by jra (subscriber, #55261) [Link]

You're obviosly unaware of the acl_xattr module shipped in modern Samba, and used by most OEMs.

This stores "pristine" Windows ACLs in an EA on the filesystem, and consults them before allowing access to the underlying file/directory. The mapping to underlying POSIX ACLs (for systems that don't support them) is done underneath this layer for compatibility with NFSv3 and system process accessing the same files.

Samba of course has a full mapping into NFSv4 (ZFS, or GPFS) ACLs, which will be supported on Linux once the "RichACLs" patch is accepted into the kernel.

So yes, ACLs *do* work in the general case in Samba, and many successful OEMs ship with them turned on.

Jeremy.

Releasing Samba 4

Posted Dec 5, 2011 9:40 UTC (Mon) by trasz (guest, #45786) [Link]

Yup, my bad. I didn't know about this module.

Releasing Samba 4

Posted Feb 8, 2012 7:19 UTC (Wed) by kaiser (guest, #82799) [Link]

It's my experience that most users want ACLs which interoperate with the native filesystem as well as NFSv3/v4--in other words, they want their permissions to be the same regardless of access protocol. In this respect I think Sun and Isilon did it right by integrating ACL/SID support directly into the kernel.

This fixes some minor interop. nits (group owners of files, for example) but also allows the Windows privilege model to be integrated as a first class citizen in the OS, and most importantly, allows for SIDs to be stored natively as the user's in-kernel credentials, which is a real boon for identity management/mapping across protocols, and for group policy (e.g. local groups). As a bonus, this allows any userspace CIFS processes to run without escalated privilege (e.g. switching to root for take ownership) which can be seen as a security risk.

Releasing Samba 4

Posted Dec 1, 2011 16:33 UTC (Thu) by drag (subscriber, #31333) [Link]

Trying to administrate a large number of Windows machines without Active Directory controller support is like trying to ride a bicycle with no wheels, no crank, no sprockets, no chain, and a spike for a seat..

One example;

Active Directory supports making RPC calls to Windows. This is used as part of group policies. The RPC calls are used to make edits to the registry and other things on the Windows node.

Using Samba 4 utilities and this feature a administrator on the Samba box should be able to run a virus scanner or other such thing to check the registry settings of any system that is a member of the domain.

Lots of fun stuff like that.

AD is file server, print server, configuration management system, kerberos single sign on, ldap server, and a bunch of other stuff.

Releasing Samba 4

Posted Dec 2, 2011 9:59 UTC (Fri) by myllynen (subscriber, #55412) [Link]

> Trying to administrate a large number of Windows machines without Active
> Directory controller support is like trying to ride a bicycle with no
> wheels, no crank, no sprockets, no chain, and a spike for a seat..
>
> Using Samba 4 utilities and this feature a administrator on the Samba box
> should be able to run a virus scanner or other such thing to check the
> registry settings of any system that is a member of the domain.

I think we are looking at this from slightly different angles. I was talking about enterprises where they definitely have AD DCs in production for administrating their thousands of Windows systems and users, and they do run virus scanners and much more with Windows/AD tools. But Samba 3.x nicely allows providing the aforementioned SSO services in those enterprise environments already today.

Wrt Samba DC in those environments, apart from organizational issues (like convincing AD admin teams and CIO to investigate and invest to Samba DCs), you'd also need to check with your Microsoft account manager what would happen support-wise to your Windows/AD systems if you'd add Samba DCs to an existing AD domain.

Releasing Samba 4

Posted Dec 1, 2011 20:23 UTC (Thu) by abartlet (✭ supporter ✭, #3928) [Link]

Sadly the AD modal takes over the LDAP and Kerberos services. Migration tools are provided from Samba 3.x, and I am looking into adding migration from Unix kerberos realms as well.

It is simply not possible to just 'add' AD functionality to these existing services, which is unfortunate for sites such the ones you describe. AD clients expect very particular behaviour from their KDC and LDAP servers.

Andrew Bartlett
Samba Team

Releasing Samba 4

Posted Dec 1, 2011 22:01 UTC (Thu) by magnus (subscriber, #34778) [Link]

Thanks for clearing that up for me, I think it's a strong candidate for an FAQ entry.

Releasing Samba 4

Posted Dec 1, 2011 22:09 UTC (Thu) by abartlet (✭ supporter ✭, #3928) [Link]

I should note in line with khim that 16MB may still be too small. The new build system produces smaller binaries, and the ntvfs file server is interesting, but 16MB of flash or RAM is still very small.

Building Samba on and for small devices still remains a challenge: The old build system produces large binaries, and the new build system uses a lot of memory at build time.

Releasing Samba 4

Posted Dec 1, 2011 22:54 UTC (Thu) by abartlet (✭ supporter ✭, #3928) [Link]

(sorry for the misplaced reply, this was clearly meant to be in reply to the build systems/embedded sub-thread)

Releasing Samba 4

Posted Dec 2, 2011 0:43 UTC (Fri) by ras (subscriber, #33059) [Link]

> 16MB of flash or RAM is still very small.

16Mb of flash and 64Mb of RAM is typical. There is always more RAM than flash a new image can be downloaded to RAM, then burnt into flash. Embedded systems of this size running CIFS and Windows printer servers are very common. In fact vendors are now starting to drop their home brew solutions and base their stock firmware on OpenWrt, which is very pleasing to see. It means manufacturers like Broadcom and Atheros are being dragged into the open source world.

Anyway, my point is there are now substantial revenue streams dependent on Samba running on these devices. That means regardless of what the Samba development team decides, one of two things will happen: either Samba v4.0 runs on these devices or Samba will be be forked into v4 and v3 streams.

Releasing Samba 4

Posted Dec 2, 2011 1:04 UTC (Fri) by abartlet (✭ supporter ✭, #3928) [Link]

> Anyway, my point is there are now substantial revenue streams dependent on Samba running on these devices. That means regardless of what the Samba development team decides, one of two things will happen: either Samba v4.0 runs on these devices or Samba will be be forked into v4 and v3 streams.

If Samba operates on these devices now, then it will continue to operate. Even the previous build system is being kept for now. However, when we are able to make a release with the new 'waf' build system, the job of fitting Samba into embedded devices will get much easier, due to internal shared libraries.

The AD support is surprisingly small, but there will also be the ability to not to install it

Gosh. Try to recall what we are dealing with for a minute, will you?

Posted Dec 1, 2011 20:54 UTC (Thu) by khim (subscriber, #9252) [Link]

Or can you chain the Samba4 to use the existing LDAP/Krb as back-end. Or are you forced to have two separate domains and user databases, one for Unix and one for Windows?

Gosh. Where such a crazy questions come from? AD technology was created from scratch with a few important goals. And one of them (very important for the Microsoft, but of course not to it's customers) was: make positively, absolutely, 200% sure that you can not ever use large Unix systems with it's LDAP and Kerberos servers.

Microsoft planned to kill Unix - and to do that it needed to nip the coexistence plan (Unix is on server, while Windows is on client) in the bud.

Samba can not fix this fundamental design decision. So it's either Samba4 in charge or separate user databases. I think over time third capability may arrive: some LDAP/Kerberos servers may be extended to support bastardized version of LDAP/Kerberos meeded for Windows clients... but don't hold your breath...

Gosh. Try to recall what we are dealing with for a minute, will you?

Posted Dec 1, 2011 21:54 UTC (Thu) by magnus (subscriber, #34778) [Link]

Khim, your condescending tone is unneccesary. I asked a question and gave a couple of alternative answers, some of them I knew in advance were probably not true. That's a good way to get your questions answered, since many people love to point out when you are wrong...

I was unable to find the answer to this pretty basic question on the Samba website and documentation. It's probably obvious to the devels and experienced admins.

Gosh. Try to recall what we are dealing with for a minute, will you?

Posted Dec 5, 2011 6:19 UTC (Mon) by speedster1 (subscriber, #8143) [Link]

I read that reply as somewhat tongue-in-cheek. The "crazy question" is really a sensible goal for those who have to maintain a mixed network, but the sensible desire of customers has been intentionally foiled by Microsoft using "embrace and extend" strategy to discourage such mixed networks (assuming it would usually be the unix side that got dropped).

Releasing Samba 4

Posted Dec 2, 2011 22:37 UTC (Fri) by jldugger (subscriber, #57576) [Link]

You can probably use cross realm federation if you don't want to migrate.

Releasing Samba 4

Posted Jan 4, 2012 22:31 UTC (Wed) by mfedyk (guest, #55303) [Link]

Are federated domains even fully supported by samba4?