Releasing Samba 4
Samba 4 has been a long time in coming—and it seems to still be a ways off. Samba is a free implementation of Microsoft's SMB/CIFS protocol that is used in the vast majority of consumer-targeted network storage devices, but the current 3.x versions lack many of the features that enterprise users require (Active Directory support in particular) and Samba 4 is meant to address that shortcoming while also reworking and rewriting much of the code base. The biggest hurdle to a Samba 4 release seems to be integrating the new code with the existing pieces that currently reside in Samba 3. A recent proposal to release the current code "as is"—rather than complete the integration work before a 4.0 release—is under heavy discussion on the samba-technical mailing list.
There is a fair amount of impatience, it seems, for a Samba 4.0 release.
In the proposal, Andrew Bartlett notes that
vendors would like to build their products atop a stable release, rather
than alphas, and that finishing the integration work in 4.1 might allow a
final 4.0 release "in about three
months time
". Samba 4 has been in the works since 2003, with
several "technology preview" releases starting in 2006 and the first alpha
release in 2007, but a 4.0 final release has so far proved elusive.
In his proposal, Bartlett is seeking to route around the hurdles and get
a release out there.
Part of the problem with integrating the Active Directory (AD) Domain Controller (DC) work with the existing production Samba 3 code is that there needs to be a clear migration path for users who upgrade. If the existing Samba 3 file server code (often referred to as "smbd") were still shipped as an option, existing users would not need to change anything. Only users that were interested in moving to Samba-based DCs would need to start using bin/samba (which is the name of the Samba 4 server that includes AD and DC functionality).
But, some have always envisioned Samba 4 as a single server process that can handle all of the different roles (file server and AD DC), which necessitates the integration. Others are not so sure that it doesn't make sense to release a Samba 4 that incorporates the new functionality for those who need AD DC support, while leaving other users to continue using the older, working and well-tested code. Part of the problem seems to be that various different sub-groups within the project are taking their own approach, and no one has done a lot of development—or testing—of an integrated server solution.
Those who are currently testing DC setups with the Samba 4 code are using the simpler, single-process "ntvfs" file server code, rather than smbd. For that reason and others, Andrew Tridgell would like to see ntvfs still be available as an option:
But that doesn't sit well with Jeremy Allison, partly because of the maintenance burden:
That's a big sticking point for me. I though we'd decided s4 fileserver was smbd code - end of story. The details were how to do the integration.
Beyond just the embedded case, though, Tridgell sees value in keeping ntvfs alive, rather than forcing those users to switch to the smbd-based file server code. It's a matter of what testing has been done, as well as causing fewer disruptions to existing setups:
Tridgell also thinks that ntvfs has a design and structure that should eventually migrate into smbd. But, as he notes, his arguments haven't convinced Allison, so he's started working on a branch that uses the smbd server. That's only one of the problem areas, though. AD DCs handle far more than just file serving, they also perform authentication, DNS lookups, act as printer servers, and more.
But, once again, there are two versions of some of the services floating around. For example, winbind, which handles some authentication and UID/GID lookups has two separate flavors, neither of which currently handles everything needed for an AD DC. Tridgell and Bartlett have been looking into whether it makes sense to have a single winbind server for both worlds, seemingly coming to the conclusion that it doesn't. But Allison, Simo Sorce, and Matthieu Patou see that as another unnecessary split between existing and future functionality. Sorce is particularly unhappy with that direction, saying:
Part of the complaints about Bartlett's proposal is about positioning.
Samba 4 has been envisioned as a complete drop-in replacement for Samba 3.
To some, that means integrating the Samba 3 functionality into Samba 4, but for others, it could mean making the Samba 3 pieces available as
part of Samba 4. Tridgell and others are in the latter camp, but Allison looks at it this
way: "It isn't an integrated product yet,
it's just a grab bag of non-integrated features.
" He goes on to say
that it will put OEMs and Linux distributions "in an incredibly
difficult position w.r.t. marketing and communications
".
Everyone seems to agree that the ultimate goal is to integrate the two code bases, but there is enough clamor for a real release of the AD DC feature that some would like to see an interim release. One idea that seems to be gaining some traction is to do a "Samba AD" release using the Samba 4 code (and possibly including some of Samba 3 server programs). That release would be targeted at folks that want to run a Samba AD DC—as many are already doing using the alpha code—encouraging those who don't need that functionality to stay with Samba 3. As Géza Gémes put it:
Doing something like that would remove much of the pressure that the Samba team is feeling regarding a Samba 4 release. That would allow time to work out the various technical issues with integrating the two Sambas for an eventual Samba 4 release that fulfills the goal of having a single server for handling both the AD DC world and the simpler file-and-print-server world. As Gémes and others said, it's not a perfect solution, but it may well be one that solves most of the current problems.
The underlying issue seems to be that Samba 3 and Samba 4 have been on divergent development paths for some time now. While it was widely recognized that those paths would need to converge at some point, no real plan to do so has come about until now. Meanwhile, users and OEMs have been patiently—or not so patiently—waiting for the new features. It is probably still a ways off before the "real" Samba 4 makes an appearance, but plans are coming together, which is certainly a step in the right direction. Given that some have been using the AD DC feature for some time now, it probably makes sense to find a way to get it into people's hands. Not everyone is convinced of that last part, however, so it remains to be seen which way the project will go.
Posted Dec 1, 2011 7:40 UTC (Thu)
by Felix.Braun (guest, #3032)
[Link] (3 responses)
Posted Dec 1, 2011 7:52 UTC (Thu)
by abartlet (subscriber, #3928)
[Link]
In terms of the ntvfs file server being part of the Samba4 AD component, it can operate as a standalone server, the AD components only add a small disk overhead in this case.
Andrew Bartlett
Posted Dec 1, 2011 16:08 UTC (Thu)
by drag (guest, #31333)
[Link]
I believe that many Microsoft client implementations are broken without some sort of minimal AD support. I don't remember the details anymore.
But regardless, you are going to have a tough time deviating from what Microsoft Windows expect and have it work well.
I would like to have a full fledged 'Unix native' Samba implementation. NFS is terrible.
Posted Dec 1, 2011 17:47 UTC (Thu)
by khim (subscriber, #9252)
[Link]
Are you doing this to prove that yes, you can fit the beast in a tiny footprint is it just because you feel that beefer router (something like Buffalo WZR-HP-AG300H) is "not worth it"? If you want to help others then I can only cheer for you, but if not then beefer router looks like saner option (or do you value your time sooo cheap?).
Posted Dec 1, 2011 7:44 UTC (Thu)
by mjthayer (guest, #39183)
[Link]
Posted Dec 1, 2011 8:24 UTC (Thu)
by Fowl (subscriber, #65667)
[Link] (10 responses)
From memory, the file server is in kernel mode, the LDAP/Authentication goop, DNS, WINS, DFS and printer servers are separate user mode services while named pipes/rpc/mailslots are spread between both.
While not having a great depth of knowledge about Samba-the-software or Samba-the-prokect I'd imagine there is slightly more to the story. The note that Samba has two conflicting "markets" is very true: enterprise v consumer/SMB/embedded.
Posted Dec 1, 2011 10:18 UTC (Thu)
by trasz (guest, #45786)
[Link] (9 responses)
Posted Dec 1, 2011 11:32 UTC (Thu)
by jengelh (guest, #33263)
[Link] (1 responses)
I recall that 5-7 years ago, smbd subprocesses could go into an infinite loop ("Transport endpoint not connected" over and over and visibility in top(1)) if a Windows client suddenly disconnected in some form. Were samba, or even just smbd, a single process - it would have been hard to kill the thread. Were samba/smbd just one thread - it would have taken down the entire fileserving.
Posted Dec 1, 2011 13:59 UTC (Thu)
by pj (subscriber, #4506)
[Link]
Posted Dec 1, 2011 18:34 UTC (Thu)
by jra (subscriber, #55261)
[Link] (6 responses)
Sun had bought the Procom code and integrated it into their kernel (badly). As for "it even handles ACLs properly" don't make me laugh. I communicate with Nexenta quite a lot. Let's just say there are some ACL "issues" with that code still being worked on (that's not to say there aren't ACL issues with Samba, I work on them myself :-).
Jeremy.
Posted Dec 1, 2011 19:58 UTC (Thu)
by trasz (guest, #45786)
[Link] (5 responses)
Posted Dec 1, 2011 20:32 UTC (Thu)
by nix (subscriber, #2304)
[Link] (4 responses)
Posted Dec 2, 2011 7:54 UTC (Fri)
by trasz (guest, #45786)
[Link] (3 responses)
Posted Dec 2, 2011 18:51 UTC (Fri)
by jra (subscriber, #55261)
[Link] (2 responses)
This stores "pristine" Windows ACLs in an EA on the filesystem, and consults them before allowing access to the underlying file/directory. The mapping to underlying POSIX ACLs (for systems that don't support them) is done underneath this layer for compatibility with NFSv3 and system process accessing the same files.
Samba of course has a full mapping into NFSv4 (ZFS, or GPFS) ACLs, which will be supported on Linux once the "RichACLs" patch is accepted into the kernel.
So yes, ACLs *do* work in the general case in Samba, and many successful OEMs ship with them turned on.
Jeremy.
Posted Dec 5, 2011 9:40 UTC (Mon)
by trasz (guest, #45786)
[Link]
Posted Feb 8, 2012 7:19 UTC (Wed)
by kaiser (guest, #82799)
[Link]
This fixes some minor interop. nits (group owners of files, for example) but also allows the Windows privilege model to be integrated as a first class citizen in the OS, and most importantly, allows for SIDs to be stored natively as the user's in-kernel credentials, which is a real boon for identity management/mapping across protocols, and for group policy (e.g. local groups). As a bonus, this allows any userspace CIFS processes to run without escalated privilege (e.g. switching to root for take ownership) which can be seen as a security risk.
Posted Dec 1, 2011 8:25 UTC (Thu)
by myllynen (guest, #55412)
[Link] (2 responses)
I think this needs a bit of clarification.
Already with Samba 3.x a Linux/Unix system can be a domain *member* in an AD domain. When a system running Samba 3.x is a domain member it enables user id/authentication with Samba's Winbind component from AD domain(s), different Winbind idmap backends are available depending whether AD has IdM for UNIX role service enabled or not. And when you have set up user id/auth from AD you can turn your system into a server providing Kerberos based single sign-on (SSO) login, file shares, and printers for AD users (so both Windows/Linux users who just have a Kerberos ticket from AD are able to access those SSO services). And if wanted you can use the Samba net(8) tool to generate additional Kerberos principals, for example for additional services like httpd which are then also available as SSO services for AD users.
As later made clearer in the article the missing piece in Active Directory support is the AD domain *controller* functionality. However, how many enterprises are eagerly awaiting to be able to start introducing Samba DCs into their domains which often provide the most crucial pieces of infrastructure for an organization and might easily have tens of thousands of users, groups, and systems around the globe, I don't know.
Posted Dec 1, 2011 16:33 UTC (Thu)
by drag (guest, #31333)
[Link] (1 responses)
One example;
Active Directory supports making RPC calls to Windows. This is used as part of group policies. The RPC calls are used to make edits to the registry and other things on the Windows node.
Using Samba 4 utilities and this feature a administrator on the Samba box should be able to run a virus scanner or other such thing to check the registry settings of any system that is a member of the domain.
Lots of fun stuff like that.
AD is file server, print server, configuration management system, kerberos single sign on, ldap server, and a bunch of other stuff.
Posted Dec 2, 2011 9:59 UTC (Fri)
by myllynen (guest, #55412)
[Link]
I think we are looking at this from slightly different angles. I was talking about enterprises where they definitely have AD DCs in production for administrating their thousands of Windows systems and users, and they do run virus scanners and much more with Windows/AD tools. But Samba 3.x nicely allows providing the aforementioned SSO services in those enterprise environments already today.
Wrt Samba DC in those environments, apart from organizational issues (like convincing AD admin teams and CIO to investigate and invest to Samba DCs), you'd also need to check with your Microsoft account manager what would happen support-wise to your Windows/AD systems if you'd add Samba DCs to an existing AD domain.
Posted Dec 1, 2011 13:51 UTC (Thu)
by idra (guest, #36289)
[Link]
Posted Dec 1, 2011 15:38 UTC (Thu)
by Baylink (guest, #755)
[Link]
Well, that would violate the Unix Philosophy rather thoroughly, wouldn't it?
Why, exactly, might people think that's a Pretty Neat Idea?
And are there digital watches involved?
Posted Dec 1, 2011 20:16 UTC (Thu)
by magnus (subscriber, #34778)
[Link] (11 responses)
Let's say you have reasonably modern Linux network using LDAP and Kerberos authentication, with NFS4 server and clients.
Now add a Samba4 server and a bunch of Windows clients to the mix. The server has its own LDAP/Kerberos implementation built in as part of the Domain controller, and the windows machines will of course authenticate to this domain.
Are the Unix machines supposed to now also authenticate to the Samba4 server? Or can you chain the Samba4 to use the existing LDAP/Krb as back-end. Or are you forced to have two separate domains and user databases, one for Unix and one for Windows?
Posted Dec 1, 2011 20:23 UTC (Thu)
by abartlet (subscriber, #3928)
[Link] (5 responses)
It is simply not possible to just 'add' AD functionality to these existing services, which is unfortunate for sites such the ones you describe. AD clients expect very particular behaviour from their KDC and LDAP servers.
Andrew Bartlett
Posted Dec 1, 2011 22:01 UTC (Thu)
by magnus (subscriber, #34778)
[Link] (4 responses)
Posted Dec 1, 2011 22:09 UTC (Thu)
by abartlet (subscriber, #3928)
[Link] (3 responses)
Building Samba on and for small devices still remains a challenge: The old build system produces large binaries, and the new build system uses a lot of memory at build time.
Posted Dec 1, 2011 22:54 UTC (Thu)
by abartlet (subscriber, #3928)
[Link]
Posted Dec 2, 2011 0:43 UTC (Fri)
by ras (subscriber, #33059)
[Link] (1 responses)
16Mb of flash and 64Mb of RAM is typical. There is always more RAM than flash a new image can be downloaded to RAM, then burnt into flash. Embedded systems of this size running CIFS and Windows printer servers are very common. In fact vendors are now starting to drop their home brew solutions and base their stock firmware on OpenWrt, which is very pleasing to see. It means manufacturers like Broadcom and Atheros are being dragged into the open source world.
Anyway, my point is there are now substantial revenue streams dependent on Samba running on these devices. That means regardless of what the Samba development team decides, one of two things will happen: either Samba v4.0 runs on these devices or Samba will be be forked into v4 and v3 streams.
Posted Dec 2, 2011 1:04 UTC (Fri)
by abartlet (subscriber, #3928)
[Link]
If Samba operates on these devices now, then it will continue to operate. Even the previous build system is being kept for now. However, when we are able to make a release with the new 'waf' build system, the job of fitting Samba into embedded devices will get much easier, due to internal shared libraries.
The AD support is surprisingly small, but there will also be the ability to not to install it
Posted Dec 1, 2011 20:54 UTC (Thu)
by khim (subscriber, #9252)
[Link] (2 responses)
Gosh. Where such a crazy questions come from? AD technology was created from scratch with a few important goals. And one of them (very important for the Microsoft, but of course not to it's customers) was: make positively, absolutely, 200% sure that you can not ever use large Unix systems with it's LDAP and Kerberos servers. Microsoft planned to kill Unix - and to do that it needed to nip the coexistence plan (Unix is on server, while Windows is on client) in the bud. Samba can not fix this fundamental design decision. So it's either Samba4 in charge or separate user databases. I think over time third capability may arrive: some LDAP/Kerberos servers may be extended to support bastardized version of LDAP/Kerberos meeded for Windows clients... but don't hold your breath...
Posted Dec 1, 2011 21:54 UTC (Thu)
by magnus (subscriber, #34778)
[Link] (1 responses)
I was unable to find the answer to this pretty basic question on the Samba website and documentation. It's probably obvious to the devels and experienced admins.
Posted Dec 5, 2011 6:19 UTC (Mon)
by speedster1 (guest, #8143)
[Link]
Posted Dec 2, 2011 22:37 UTC (Fri)
by jldugger (guest, #57576)
[Link] (1 responses)
Posted Jan 4, 2012 22:31 UTC (Wed)
by mfedyk (guest, #55303)
[Link]
Releasing Samba 4
Releasing Samba 4
Samba Team
Releasing Samba 4
Is it some kind of "yes, I can do that" project?
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
> Directory controller support is like trying to ride a bicycle with no
> wheels, no crank, no sprockets, no chain, and a spike for a seat..
>
> Using Samba 4 utilities and this feature a administrator on the Samba box
> should be able to run a virus scanner or other such thing to check the
> registry settings of any system that is a member of the domain.
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Samba Team
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Releasing Samba 4
Gosh. Try to recall what we are dealing with for a minute, will you?
Or can you chain the Samba4 to use the existing LDAP/Krb as back-end. Or are you forced to have two separate domains and user databases, one for Unix and one for Windows?
Gosh. Try to recall what we are dealing with for a minute, will you?
Gosh. Try to recall what we are dealing with for a minute, will you?
Releasing Samba 4
Releasing Samba 4