Releasing Samba 4

Releasing Samba 4

Posted Dec 1, 2011 20:16 UTC (Thu) by magnus (subscriber, #34778)
Parent article: Releasing Samba 4

Maybe I'm just a tad dense but I haven't been able to understand how Samba4 is supposed to integrate with the rest of the system.

Let's say you have a reasonably modern Linux network using LDAP and Kerberos authentication, with NFS4 server and clients.

Now add a Samba4 server and a bunch of Windows clients to the mix. The server has its own LDAP/Kerberos implementation built in as part of the domain controller, and the Windows machines will of course authenticate to this domain.

Are the Unix machines supposed to now also authenticate to the Samba4 server? Or can you chain the Samba4 to use the existing LDAP/Krb as back-end? Or are you forced to have two separate domains and user databases, one for Unix and one for Windows?


Releasing Samba 4

Posted Dec 1, 2011 20:23 UTC (Thu) by abartlet (✭ supporter ✭, #3928) [Link]

Sadly the AD model takes over the LDAP and Kerberos services. Migration tools are provided from Samba 3.x, and I am looking into adding migration from Unix Kerberos realms as well.

It is simply not possible to just 'add' AD functionality to these existing services, which is unfortunate for sites such as the ones you describe. AD clients expect very particular behaviour from their KDC and LDAP servers.

Andrew Bartlett
Samba Team

Releasing Samba 4

Posted Dec 1, 2011 22:01 UTC (Thu) by magnus (subscriber, #34778) [Link]

Thanks for clearing that up for me, I think it's a strong candidate for an FAQ entry.

Releasing Samba 4

Posted Dec 1, 2011 22:09 UTC (Thu) by abartlet (✭ supporter ✭, #3928) [Link]

I should note in line with khim that 16MB may still be too small. The new build system produces smaller binaries, and the ntvfs file server is interesting, but 16MB of flash or RAM is still very small.

Building Samba on and for small devices still remains a challenge: The old build system produces large binaries, and the new build system uses a lot of memory at build time.

Releasing Samba 4

Posted Dec 1, 2011 22:54 UTC (Thu) by abartlet (✭ supporter ✭, #3928) [Link]

(sorry for the misplaced reply, this was clearly meant to be in reply to the build systems/embedded sub-thread)

Releasing Samba 4

Posted Dec 2, 2011 0:43 UTC (Fri) by ras (subscriber, #33059) [Link]

> 16MB of flash or RAM is still very small.

16Mb of flash and 64Mb of RAM is typical. There is always more RAM than flash so a new image can be downloaded to RAM, then burnt into flash. Embedded systems of this size running CIFS and Windows printer servers are very common. In fact vendors are now starting to drop their home brew solutions and base their stock firmware on OpenWrt, which is very pleasing to see. It means manufacturers like Broadcom and Atheros are being dragged into the open source world.

Anyway, my point is there are now substantial revenue streams dependent on Samba running on these devices. That means regardless of what the Samba development team decides, one of two things will happen: either Samba v4.0 runs on these devices or Samba will be forked into v4 and v3 streams.

Releasing Samba 4

Posted Dec 2, 2011 1:04 UTC (Fri) by abartlet (✭ supporter ✭, #3928) [Link]

> Anyway, my point is there are now substantial revenue streams dependent on Samba running on these devices. That means regardless of what the Samba development team decides, one of two things will happen: either Samba v4.0 runs on these devices or Samba will be forked into v4 and v3 streams.

If Samba operates on these devices now, then it will continue to operate. Even the previous build system is being kept for now. However, when we are able to make a release with the new 'waf' build system, the job of fitting Samba into embedded devices will get much easier, due to internal shared libraries.

The AD support is surprisingly small, but there will also be the ability not to install it.

Gosh. Try to recall what we are dealing with for a minute, will you?

Posted Dec 1, 2011 20:54 UTC (Thu) by khim (subscriber, #9252) [Link]

> Or can you chain the Samba4 to use the existing LDAP/Krb as back-end? Or are you forced to have two separate domains and user databases, one for Unix and one for Windows?

Gosh. Where do such crazy questions come from? AD technology was created from scratch with a few important goals. And one of them (very important for Microsoft, but of course not to its customers) was: make positively, absolutely, 200% sure that you cannot ever use large Unix systems with their LDAP and Kerberos servers.

Microsoft planned to kill Unix - and to do that it needed to nip the coexistence plan (Unix is on server, while Windows is on client) in the bud.

Samba cannot fix this fundamental design decision. So it's either Samba4 in charge or separate user databases. I think over time a third capability may arrive: some LDAP/Kerberos servers may be extended to support the bastardized version of LDAP/Kerberos needed for Windows clients... but don't hold your breath...

Gosh. Try to recall what we are dealing with for a minute, will you?

Posted Dec 1, 2011 21:54 UTC (Thu) by magnus (subscriber, #34778) [Link]

Khim, your condescending tone is unnecessary. I asked a question and gave a couple of alternative answers, some of which I knew in advance were probably not true. That's a good way to get your questions answered, since many people love to point out when you are wrong...

I was unable to find the answer to this pretty basic question on the Samba website and documentation. It's probably obvious to the devels and experienced admins.

Gosh. Try to recall what we are dealing with for a minute, will you?

Posted Dec 5, 2011 6:19 UTC (Mon) by speedster1 (subscriber, #8143) [Link]

I read that reply as somewhat tongue-in-cheek. The "crazy question" is really a sensible goal for those who have to maintain a mixed network, but the sensible desire of customers has been intentionally foiled by Microsoft using an "embrace and extend" strategy to discourage such mixed networks (assuming it would usually be the Unix side that got dropped).

Releasing Samba 4

Posted Dec 2, 2011 22:37 UTC (Fri) by jldugger (subscriber, #57576) [Link]

You can probably use cross realm federation if you don't want to migrate.

Releasing Samba 4

Posted Jan 4, 2012 22:31 UTC (Wed) by mfedyk (guest, #55303) [Link]

Are federated domains even fully supported by samba4?
