LCA: A Samba 4 update [LWN.net]

By Jonathan Corbet
January 16, 2012

The systems administration miniconf at the 2012 linux.conf.au hosted 'a casual conversation' with a group of core Samba developers on the project's near future roadmap and the plans for Samba 4. Andrew "Tridge" Tridgell led off by saying that the last a lot of people had heard about the project's plans came from "an article in a disreputable web site." The discussion reported on there was "very exciting," in that it moved the project's point of view on the Samba 4 release from "someday" to "let's get ready for a release." Since then, things have gotten quiet, but that does not mean that nothing has been happening.

Andrew Bartlett took over to say that both he and Tridge think that the project is about ready for the Samba 4 release. The active directory (AD) domain controller (DC) support - a headline Samba 4 feature - is working well and is in production use in a number of sites; it is time to get it out there to the rest of the world. While they think that, at this point, things are ready for a release, the idea came as a shock to some of the other members of the team. Samba 4 had been seen by those developers as being far out on the horizon; they were not expecting talk of a release at this point.

The ensuing discussion was lively, but AD DC support was not the main point; everybody seems to agree that it is working well. The sticking point has to do with the long-time "bread and butter" features of Samba - little things like file serving. The new file server implementation in Samba 4 is missing a number of features that have gone into Samba 3 in recent years, so now the focus is on integration of Samba 4 with the Samba 3 file server. The developers have come up with a plan for this integration, and are now busily trying to implement it as quickly as possible. As Tridge put it, they ran into a social problem and came up with a technical solution because, in the end, coding is easier than arguing. The discussion has gone quiet because this coding is underway; they expect to present their solution soon, at which point the release discussion can be expected to restart.

Andrew spent some time talking about some of the things the Samba team has achieved with Samba 4. One of those is the new integrated build system - there is now "a single Samba." It is possible to build all binaries together; and there are a number of plugins to further integrate Samba's various pieces. As a result, Samba is now "one project," rather than a collection of related pieces.

Related to that is the new combined testing framework which is, according to Andrew, the most important thing that the Samba team has achieved. The framework can do full testing of all AD semantics. It is also set up to test Samba 3 and 4 against each other. A number of "rather embarrassing" interoperability problems between the two releases have been found and, naturally, fixed. This testing can now be done before every commit.

There is also a common security system that simplifies administration and fixes a lot of old "misunderstandings of Kerberos" that have been with the project for a long time. The Samba 3 and 4 security architectures have been merged.

All of this, Andrew said, has been good to make the new system work well, but it does not necessarily change the user's experience of Samba. There has been new feature work done as well, though. At the top of the list, according to Tridge, is subdomain support. Lots of sites do not work with a single domain at this point; instead, they have "forest" of domains organized into a hierarchy. Getting Samba to work in this mode has taken a lot of work over the last year. The 2011 plugfest event, where eight or so Samba developers went to Redmond to work on interoperability issues with Microsoft, was dedicated to firming up subdomain support and getting to a point where Samba can work at any level in an AD forest. It does work, but has not yet been designated ready for production; Tridge said he would like to see a couple of "brave" production sites deploy it and let them know how it works for them.

The project's relationship with Microsoft, they said, is quite good. They get quick answers to questions, even for detailed protocol history queries that require a fair amount of digging in the code to answer. Tridge said that he has been very impressed with the quality of the engineers that Microsoft has assigned to work with the project.

Another area of development is easing the process of upgrading from Samba 3 to Samba 4. Production sites, it seems, do not react well if you tell them that all of their users have to set new passwords before they can work under a new Samba release. At this point they have full user and group import into Samba 4, so users should not see the difference. The update is transparent to clients, except that they see the new AD support and start using it. There is still a bit of a flag day involved, though, in that clients, once they see an AD server, will not go back to talking to an older server release. So careful testing before deploying Samba 4 is still called for.

Amitay Isaacs and Kai Blin talked about their area of work: the built-in DNS server. Amitay has implemented one solution, whereby a new DLZ plugin for bind9 enables it to get its domain information from the AD database. It works, but it is "a bit clunky" as a result of the interactions between the two separate subsystems. So Kai is working on a new, internal DNS server. He had tried, he said, to get an existing DNS server project interested in closer integration, but found no takers. So he wrote a new server which, he said, was not that hard a problem. It is working now, with signed updates being the main missing feature at this point.

The "roadmap," according to Andrew, is that Samba 4 will probably be the next release from the project. It will include all of the expected features, including file and print servers, support for NT4-like domain controllers, and active directory support. It will also feature a number of improved tools and better usability in general. Samba has seen nearly 8,000 commits over the past year, changing 800,000 lines of code, and coming from some 70 authors. It has been, he said, a busy and important year. With a Samba 4 release likely, 2012 could be an even busier and more important year for this project, which quietly celebrated its 20th anniversary at the end of 2011.

[Your editor would like to thank the LCA organizers for assisting with his travel to Ballarat.]

(Log in to post comments)

LCA: A Samba 4 update

Posted Jan 16, 2012 20:10 UTC (Mon) by jake (editor, #205) [Link]

> I am guessing that was said/meant in a humourous way?

well, I certainly *hope* so :)

that's definitely how I read it ... my guess is that Tridge noticed a certain grumpy editor in the audience and decided to tweak him a little ...

jake

LCA: A Samba 4 update

Posted Jan 16, 2012 20:46 UTC (Mon) by abartlet (subscriber, #3928) [Link]

With Jonathan Corbet smiling in the front row, I can assure readers that it was indeed friendly banter, returned in good form by being quoted here in perfectly the humour in which it was intended.

Andrew Bartlett

LCA: A Samba 4 update

Posted Jan 16, 2012 20:53 UTC (Mon) by smoogen (subscriber, #97) [Link]

Thank you for clarifying. I am trying to make it a habit to ask before assuming one way or another.

LCA: A Samba 4 update

Posted Jan 18, 2012 23:07 UTC (Wed) by foom (subscriber, #14868) [Link]

I hope it has an integral NTP server too. The clients need to have the correct time for Kerberos to work, and it sure would be a pain to have to configure NTPd and samba separately!

LCA: A Samba 4 update

Posted Jan 19, 2012 6:22 UTC (Thu) by abartlet (subscriber, #3928) [Link]

NTP support is via a configuration option for NTPd.

restrict default mssntp

We didn't wish to reimplement this protocol if we could avoid it. The option to point to a different NTP signing deamon (a samba service, on by default) is:

ntpsigndsocket /var/run/ntp_signd/

The NTPd on the system must have been configured with --enable-ntp-signd

Andrew Bartlett

LCA: A Samba 4 update

Posted Jan 19, 2012 22:19 UTC (Thu) by codewiz (subscriber, #63050) [Link]

> I hope it has an integral NTP server too. The clients need to have the
> correct time for Kerberos to work, and it sure would be a pain to have
> to configure NTPd and samba separately!

I hope it gets an integral TCP/IP stack too. It's needed in order to communicate with the clients :)

Seriously, does Samba *really* need to rewrite custom versions of everything? I used to run an enterprise network in which Windows clients had to coexist with Linux and MacOS clients. Most corporate networks already have their own dns, dhcp, ldap and kerberos services and all they need the Samba DC to integrate with them--not replace them.

LCA: A Samba 4 update

Posted Jan 20, 2012 0:14 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]

note that they tried to get one of the existing DNS servers to care about their issues, but weren't able to get anyone to work with them. Only after that approach failed did they decide to roll their own.

I agree with you that it's far better to integrate with an existing project rather than recreating it, but in this case it sounds like they tried