LCA: A Samba 4 update
Andrew Bartlett took over to say that both he and Tridge think that the
project is about ready for the Samba 4 release. The active directory
(AD) domain controller (DC) support - a headline Samba 4 feature - is working well and is in
production use in a number of sites; it is time to get it out there to the
rest of the world. While they think that, at this point,
things are ready for a release, the idea came as a shock to some of the
other members of the team. Samba 4 had been seen by those developers as being far
out on the horizon; they were not expecting talk of a release at this
point.
The ensuing discussion was lively, but AD DC support was not the main point; everybody seems to agree that it is working well. The sticking point has to do with the long-time "bread and butter" features of Samba - little things like file serving. The new file server implementation in Samba 4 is missing a number of features that have gone into Samba 3 in recent years, so now the focus is on integration of Samba 4 with the Samba 3 file server. The developers have come up with a plan for this integration, and are now busily trying to implement it as quickly as possible. As Tridge put it, they ran into a social problem and came up with a technical solution because, in the end, coding is easier than arguing. The discussion has gone quiet because this coding is underway; they expect to present their solution soon, at which point the release discussion can be expected to restart.
Andrew spent some time talking about some of the things the Samba team has achieved with Samba 4. One of those is the new integrated build system - there is now "a single Samba." It is possible to build all binaries together, and there are a number of plugins to further integrate Samba's various pieces. As a result, Samba is now "one project," rather than a collection of related pieces.
Related to that is the new combined testing framework which is, according to Andrew, the most important thing that the Samba team has achieved. The framework can do full testing of all AD semantics. It is also set up to test Samba 3 and 4 against each other. A number of "rather embarrassing" interoperability problems between the two releases have been found and, naturally, fixed. This testing can now be done before every commit.
There is also a common security system that simplifies administration and fixes a lot of old "misunderstandings of Kerberos" that have been with the project for a long time. The Samba 3 and 4 security architectures have been merged.
All of this, Andrew said, has helped to make the new system work well, but it
does not necessarily change the user's experience of Samba. There has been
new feature work done as well, though. At the top of the list, according
to Tridge, is subdomain support. Lots of sites do not work with a single
domain at this point; instead, they have a "forest" of domains organized into
a hierarchy. Getting Samba to work in this mode has taken a lot of work
over the last year. The 2011 plugfest event, where eight or so Samba
developers went to Redmond to work on interoperability issues with
Microsoft, was dedicated to firming up subdomain support and getting to a
point where Samba can work at any level in an AD forest. It does work, but
has not yet been designated ready for production; Tridge said he would like
to see a couple of "brave" production sites deploy it and let them know how
it works for them.
The project's relationship with Microsoft, they said, is quite good. They get quick answers to questions, even for detailed protocol history queries that require a fair amount of digging in the code to answer. Tridge said that he has been very impressed with the quality of the engineers that Microsoft has assigned to work with the project.
Another area of development is easing the process of upgrading from Samba 3 to Samba 4. Production sites, it seems, do not react well if you tell them that all of their users have to set new passwords before they can work under a new Samba release. At this point they have full user and group import into Samba 4, so users should not see the difference. The update is transparent to clients, except that they see the new AD support and start using it. There is still a bit of a flag day involved, though, in that clients, once they see an AD server, will not go back to talking to an older server release. So careful testing before deploying Samba 4 is still called for.
Amitay Isaacs and Kai Blin talked about their area of work: the built-in
DNS server. Amitay has implemented one solution, whereby a new DLZ plugin
for bind9 enables it to get its domain information from the AD database. It
works, but it is "a bit clunky" as a result of the interactions between the
two separate subsystems. So Kai is working on a new, internal DNS server. He
had tried, he said, to get an existing DNS server project interested in
closer integration, but found no takers. So he wrote a new server which,
he said, was not that hard a problem. It is working now, with signed
updates being the main missing feature at this point.
The "roadmap," according to Andrew, is that Samba 4 will probably be the next release from the project. It will include all of the expected features, including file and print servers, support for NT4-like domain controllers, and active directory support. It will also feature a number of improved tools and better usability in general. Samba has seen nearly 8,000 commits over the past year, changing 800,000 lines of code, and coming from some 70 authors. It has been, he said, a busy and important year. With a Samba 4 release likely, 2012 could be an even busier and more important year for this project, which quietly celebrated its 20th anniversary at the end of 2011.
[Your editor would like to thank the LCA organizers for
assisting with his travel to Ballarat.]
Index entries for this article | |
---|---|
Conference | linux.conf.au/2012 |
Posted Jan 16, 2012 20:06 UTC (Mon)
by smoogen (subscriber, #97)
[Link] (3 responses)
Andrew "Tridge" Tridgell led off by saying that the last a lot of people had heard about the project's plans came from "an article in a disreputable web site."
I am guessing that was said/meant in a humorous way? [For those of us who have a hard time reading emotions.]
Posted Jan 16, 2012 20:10 UTC (Mon)
by jake (editor, #205)
[Link] (2 responses)
well, I certainly *hope* so :)
that's definitely how I read it ... my guess is that Tridge noticed a certain grumpy editor in the audience and decided to tweak him a little ...
jake
Posted Jan 16, 2012 20:46 UTC (Mon)
by abartlet (subscriber, #3928)
[Link] (1 responses)
Andrew Bartlett
Posted Jan 16, 2012 20:53 UTC (Mon)
by smoogen (subscriber, #97)
[Link]
Posted Jan 16, 2012 20:28 UTC (Mon)
by BenHutchings (subscriber, #37955)
[Link]
That's not right. In Active Directory, a hierarchy of domains is called a 'tree'. A 'forest' contains multiple trees without a common root. This allows, for example, foo.com and bar.com to merge and integrate their ADs without renaming anything immediately.
Posted Jan 18, 2012 22:47 UTC (Wed)
by jonabbey (guest, #2736)
[Link] (4 responses)
Posted Jan 18, 2012 23:07 UTC (Wed)
by foom (subscriber, #14868)
[Link] (3 responses)
Posted Jan 19, 2012 6:22 UTC (Thu)
by abartlet (subscriber, #3928)
[Link]
restrict default mssntp
We didn't wish to reimplement this protocol if we could avoid it. The option to point to a different NTP signing daemon (a samba service, on by default) is:
ntpsigndsocket /var/run/ntp_signd/
The NTPd on the system must have been configured with --enable-ntp-signd.
Andrew Bartlett
Posted Jan 19, 2012 22:19 UTC (Thu)
by codewiz (subscriber, #63050)
[Link] (1 responses)
I hope it gets an integral TCP/IP stack too. It's needed in order to communicate with the clients :)
Seriously, does Samba *really* need to rewrite custom versions of everything? I used to run an enterprise network in which Windows clients had to coexist with Linux and MacOS clients. Most corporate networks already have their own dns, dhcp, ldap and kerberos services and all they need is the Samba DC to integrate with them--not replace them.
Posted Jan 20, 2012 0:14 UTC (Fri)
by dlang (guest, #313)
[Link]
I agree with you that it's far better to integrate with an existing project rather than recreating it, but in this case it sounds like they tried.
Posted Jan 20, 2012 15:24 UTC (Fri)
by zooko (guest, #2589)
[Link] (2 responses)
Would you please start putting captions under the photos of people's faces, naming those people? Perhaps you don't realize that some of your readers cannot already recognize all of the people involved.
Posted Jan 20, 2012 15:43 UTC (Fri)
by jake (editor, #205)
[Link] (1 responses)
It's something we should probably look into. Clicking on those photos will get you a larger version with the names of the people as a headline. Hopefully that helps some.
jake
Posted Jan 20, 2012 16:22 UTC (Fri)
by BlueLightning (subscriber, #38978)
[Link]
> correct time for Kerberos to work, and it sure would be a pain to have
> to configure NTPd and samba separately!