
Samba 3.0.0 Released

Matt writes "As posted on the fine folks at released their newest version of the popular free Windows File- and Print Server. Most famous additions are Active Directory integration and possibilities to form NT4 trust relationships. Release notes are online." See also their press release.
  • Get the doc! (Score:4, Informative)

    by Karamchand ( 607798 ) on Thursday September 25, 2003 @08:42AM (#7053760) O'Reilly's Safari Bookshelf!

    Congrats to the Samba Team!
    • Re:Get the doc! (Score:3, Interesting)

      by Rudeboy777 ( 214749 )
      Is anyone here privy to any insider O'Reilly information regarding a release date of Using Samba, 3rd ed.? I was hoping it would follow closely on the tails of Samba 3.0.0's release, and I'm sure many of the other geeks here are interested in buying it as well.
  • by Anonymous Coward on Thursday September 25, 2003 @08:43AM (#7053766)
    now my linux box has to deny having a relationship with that windows server next door.
  • wonderful! (Score:5, Funny)

    by borgdows ( 599861 ) on Thursday September 25, 2003 @08:44AM (#7053778)
    ...and possibilities to form NT4 trust relationships.

    but is it wise to trust a NT4 server?
  • by Anonymous Coward on Thursday September 25, 2003 @08:45AM (#7053785)
    We've had Samba in Brazil for centuries...

    Amazing how the USA thinks they are ahead of everyone else... ;)
  • by HiroProtagonist ( 56728 ) on Thursday September 25, 2003 @08:45AM (#7053788) Homepage
    I was recently banging my head against the wall when attempting to use a Samba share on an XP box that had worked fine on all my Win2K boxes.

    Days & days of hacking the config and attempting to get it to work to no avail. Finally I find that it appears that WinXP has some security "features" added into it that break the use of Samba shares.

    This frustration I felt has actually pushed me one more step towards switching all of our machines over to Linux. It may not happen tomorrow, but it will happen.
  • Best new features (Score:5, Interesting)

    by linuxkrn ( 635044 ) on Thursday September 25, 2003 @08:45AM (#7053792)
    The author missed one of the bigger points that they have working now. BDC! You can finally, if it works - I haven't tried it, have automated fail over without hacking some scripts and running a few PDCs. Very COOL!

    That and it says it will work "out of the box" with Windows Server 2003. I wonder if that means they fixed the "trust" issue with Windows XP trying to auth with it for login without reg hacks....
    • The BDC functionality has been in Samba for awhile now. I recall working with a beta test of that back before the Y2K. There's a decent amount of tweaking and fine-tuning to be done to get it to work, but once it works it usually works well. Companies who still think they have to run Windoze on the client end due to the application suite folks are supposedly so used to can still migrate the server end to Linux, potentially without anyone noticing any difference.
    • Finally! I was talking with a friend about this just the other day -- the only big thing that Samba is lacking is a working Bullet Drop Compensator!

      It really helps when aiming files across long distances :)
    • Re:Best new features (Score:5, Informative)

      by XSforMe ( 446716 ) on Thursday September 25, 2003 @10:50AM (#7054716)
      Actually, I think the most important feature is this:
      10) Support for migrating from a Windows NT 4.0 domain to a Samba domain and maintaining user, group and domain SIDs.
      Why? NT Server is coming to the end of support period (Dec 2003). There are still LOTS of NT4 servers out there. Last time I checked, you had to recreate ALL of the groups and users whenever you migrated them from NT4 to any other PDC (there is a little support for automating this activity, but it just saves you from retyping the users and groups names).
    • It means we do SMB signing by default now :-).

      Jeremy Allison,
      Samba Team.
  • Vulnerable? (Score:5, Interesting)

    by gregarican ( 694358 ) on Thursday September 25, 2003 @08:46AM (#7053796) Homepage
    Serious question here, not flamebait. Does Samba use similar RPC methods to the Windoze NT family? If so are there potential exploits? I'm not sure. I've used Samba and Mars_NWE (a Linux emulator of a Novell Netware server) for years now but never thought of potential parallel security holes. I doubt that the code could be that similar, but am curious. I recall back in the day where anonymous RPC sessions on Windoze NT could totally give admin access through that simple sechole.exe exploit.

    Aside from that concern I can personally say that Samba rules. I have benchmarked it as being a faster file/print server compared to Windoze on identical hardware. A Linux box that can act as a domain controller, and now participate in cross-domain trust relationships and use AD is a helpful tool for weaning folks away from Micro$loth.

    • Re:Vulnerable? (Score:5, Interesting)

      by gregarican ( 694358 ) on Thursday September 25, 2003 @08:59AM (#7053885) Homepage
      Here is a footnote of the other side of the coin. I recall back around 1999 working with Samba 2.0.something-or-other. Our company had many sites but centralized Windoze NT domain administration at CHQ. I was interested in trying to sneak a Samba server onto the domain.

      Typically in the Windoze NT model in order to add a server to the domain you have to have admin rights. I recall the Samba box added itself to the domain without any authentication necessary. It was funny when an NT admin from CHQ called me to ask me why our site had this new server showing up. He couldn't browse any of the shares (only local Linux accounts were defined in the Samba user file and /etc/passwd file) and was pissed.

      I apologized and proceeded to take the box off the network, but found it funny that no authentication was necessary. With all of the inherent flaws in Microsoft's security models I would bet that a Samba box could potentially wreak havoc on a pre-Windows 2003 network!

      • Re:Vulnerable? (Score:4, Interesting)

        by requim ( 174679 ) on Thursday September 25, 2003 @12:25PM (#7055630)
        Sounds to me like what you are describing is just the SAMBA server showing up in the browse list either via a WINS or NETBIOS name resolution. You cannot in fact join an NT domain without administrative rights to grant the machine an account in the domain, whether it be created on the server prior to joining the machine, or in the process of joining the machine to the domain from the joining machine.

        This isn't to say that there are not other ways in which a unix box can wreak havoc on an NT/200x network...
        • Re:Vulnerable? (Score:3, Interesting)

          by gregarican ( 694358 )
          I hear what you are saying, but I mean that the Samba box was on the Server Manager list as a member server. If I would've tried to add an NT Workstation or Server to the domain in this capacity the action would've failed because I wouldn't have known the admin logon to authenticate. AFAIK you can't add another node to the domain in this manner without admin rights. But the Linux box popped right in without a problem.
          • Re:Vulnerable? (Score:5, Interesting)

            by requim ( 174679 ) on Thursday September 25, 2003 @04:00PM (#7057731)
            I would like to test the scenario for the answer I am about to give just to validate my thinking, but I will give it to you anyway. My understanding of how the Server Manager lists the machines is by how the machine is configured, not necessarily as a member of any particular domain/workgroup/etc. It would appear that it lists the machines that are configured to set their domain/workgroup name via netbios in the same groupings (ie if you have a workgroup named SERVERS and a domain named SERVERS) machines from both the workgroup and domain will appear in the same listing (if using Explorer or some other tree listing). The NETBIOS protocol uses/stores the machine type used for Domain Master Browser functions for election purposes in specific packets. These packets use a code to determine what type of function/server the machine is setup, so in the Browser elections that take place in each subnet, the machine with the highest setting wins (ie PDC > BDC > Member Server > Workstation (it's really a little bit more complicated, but this should suffice.)).

            This being the case, I would have to interpret the samba server appearing in the Server Manager as a result of the code passed in the netbios protocol and it being used to determine machine types when listing the (PDC, BDC, Member Server, etc) I would also imagine that if you were to setup a second NT/200x server as a PDC using the same Domain Name, that that machine would also appear in the Browse List and have a similar effect, though in reality the two domains would not be related except by name (the SID's would be different which would cause many problems that I would rather not go into.).
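
The point made in the comments above, that a Server Manager or browse-list entry reflects a self-declared server-type code and not a machine account, shown as an added Python example (not from the thread or from Samba). The flag values are the SV_TYPE_* constants from Microsoft's lmserver.h; the host names, the CORP domain, the simplified role mapping and the account list are constructed for illustration.

```python
# Subset of the SV_TYPE_* server-type bits (lmserver.h) that a host
# places in its own browser announcements. Nothing in the announcement
# is verified by the receiver: the sender simply declares these bits.
SV_TYPE = {
    0x00000001: "WORKSTATION",
    0x00000002: "SERVER",
    0x00000008: "DOMAIN_CTRL",
    0x00000010: "DOMAIN_BAKCTRL",
    0x00000100: "DOMAIN_MEMBER",
    0x00000800: "SERVER_UNIX",
    0x00001000: "NT",
    0x00008000: "SERVER_NT",
    0x00010000: "POTENTIAL_BROWSER",
    0x00040000: "MASTER_BROWSER",
    0x00080000: "DOMAIN_MASTER",
}

def decode_server_type(flags):
    """Return the names of the bits set in an announced server-type field."""
    return [name for bit, name in sorted(SV_TYPE.items()) if flags & bit]

def claimed_role(flags):
    """Simplified (assumed) mapping from announced bits to a listing role."""
    if flags & 0x00000008:
        return "PDC"
    if flags & 0x00000010:
        return "BDC"
    if flags & 0x00008000:
        return "member server"
    return "workstation"

def unjoined_announcers(announcements, domain, machine_accounts):
    """Hosts announcing under `domain` that have no NAME$ machine account.

    These are the machines that show up in the listing without ever
    having been joined by an administrator.
    """
    accounts = {a.upper() for a in machine_accounts}
    findings = []
    for name, group, flags in announcements:
        if group.upper() != domain.upper():
            continue
        if name.upper() + "$" not in accounts:
            findings.append((name, claimed_role(flags)))
    return findings

# Constructed sample data: (host, announced domain/workgroup, type bits).
SAMPLE_ANNOUNCEMENTS = [
    ("CHQ-PDC",  "CORP", 0x000C100B),  # real PDC, domain master browser
    ("FILESRV1", "CORP", 0x00009103),  # joined NT member server
    ("LINUXBOX", "CORP", 0x00019803),  # announces as NT server, never joined
    ("LAPTOP7",  "CORP", 0x00000003),  # workgroup that happens to be named CORP
    ("PRINTSRV", "LAB",  0x00009003),  # different workgroup, ignored
]
SAMPLE_ACCOUNTS = ["CHQ-PDC$", "FILESRV1$"]  # constructed account export

if __name__ == "__main__":
    for host, role in unjoined_announcers(SAMPLE_ANNOUNCEMENTS, "CORP", SAMPLE_ACCOUNTS):
        print(f"{host}: listed as {role}, but no machine account in CORP")
```

Comparing the announced names against the domain's machine accounts is what separates "appears in the list" from "is a member".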

      • Typically in the Windoze NT model in order to add a server to the domain you have to have admin rights. I recall the Samba box added itself to the domain without any authentication necessary.

        Your machine may have -appeared- on the network, but it wasn't part of the domain, unless the admin password was blank. You simply -cannot- join the domain without domain admin rights. Period.

      • This reminds me of one of the first times I experimented with Samba. I was using 2.0.something as well. We had a Win9x network at the time. I configured Samba as a client without really reading much of the documentation, and installed one of the GUI clients to play (tksamba, maybe? I don't really remember). I was browsing randomly around the network to test, and discovered I could connect to all the shares on the network without authentication (and there were passwords on most of those shares).

        It's ama

        • Exactly. Combining NT security from 5+ years ago with a misbehaving client and things weren't as they should've been. Some other guy on this thread posted that it just *cannot* happen, but I can tell you it did back then. Our CHQ NT "gurus" were going out of their skulls trying to figure out what was happening.

          Keeping in mind that back then you could just connect through to the RPC$ share anonymously or attach to the debugger process and immediately get admin rights using a sechole.exe program freely avail

    • Re:Vulnerable? (Score:5, Informative)

      by davecb ( 6526 ) * on Thursday September 25, 2003 @09:01AM (#7053897) Homepage Journal
      Yes, the SMB protocol does use all the NT RPCs, and the Samba team usually find and fix numerous security holes in it with each new release. And report them to MS, and code Samba so it doesn't accidentally trigger NT security problems.

      They're really very professional, and a pleasure to work with.

      --dave (the Using Samba 3rd author) c-b

    • Nah... (Score:2, Interesting)

      by zonix ( 592337 )
      If so are there potential exploits?

      I'd say no - the RPC vulnerabilities you mention are buffer overrun errors, which lie with the (somewhat braindamaged) implementation of the protocol. As long as there are no flaws discovered in the actual protocols, you won't see the same exploits unless the source code is copied directly between implementations.

      • Except when the buffer overflow is a "feature" and it must be duplicated in order to work properly with the windows version of the SMB protocol :)
    • Re:Vulnerable? (Score:4, Informative)

      by Large Green Mallard ( 31462 ) on Thursday September 25, 2003 @09:27AM (#7054081) Homepage
      It's a fair enough question.. one that someone asked Tridge at LCA2003.

      Basically no.

      Buffer overflows in RPC are due to server programming, and since both are entirely different server codebases, they don't share vulnerabilities. But the Samba team have found many of these RPC bugs with windows ;)
  • quite impressive (Score:5, Informative)

    by Dreadlord ( 671979 ) on Thursday September 25, 2003 @09:02AM (#7053910) Journal
    I'm quite happy with this new release, what I like the most about it is the new Active Directory support, I have been waiting for it since I started to use it in my home network. Another impressive feature is UNICODE support (isn't mentioned in the post), one of my family members needed it badly to deal with non-latin charsets.
    And the new "get" command which is similar to windows "net" is useful too.
    Keep up the great work SAMBA team!
    • Active Directory in your home network? Why would you ever want/need that? I'm not flaming you, I'm genuinely curious.
      • Active Directory in your home network? Why would you ever want/need that? I'm not flaming you, I'm genuinely curious.

        Because they won't let me tinker with 'rogue servers' at the office, so I have to learn the ins and outs on my own time and dime. My wife's one desk home office tax practice is seriously overpowered because I use it as a learning tool (and she is a typical end-user).
  • rh9 samba lockup (Score:5, Informative)

    by Anonymous Coward on Thursday September 25, 2003 @09:12AM (#7053975)
    I've experienced numerous random lockups using samba v3. The mount point would just hang requiring a samba restart.

    After searching for a while, I found that there's a bug in Redhat 9's new thread library which samba somehow triggers. There's a workaround on the net, look for it and avoid hassling the samba team - they're not at fault here!
  • by jACL ( 75401 ) on Thursday September 25, 2003 @09:16AM (#7054003)
    We've been waiting for this release as the version to start replacing Windows servers with. We'd like to build the farm clustered, however. From our research, it looks like clustering Samba can only be done with Mission Critical Linux' products. Anyone seen anything else out there that can also do the job?
    • Sun's Sun Cluster can do it, on Solaris of course. There's a supported agent. The new cheapo V440 and V250 would be ideal for this, although they won't be certified for Sun Cluster for a bit. The V240 is certified though.
    • It's pretty easy to do this just scripted. The main part of MCL is the process, not the technology. What you need is

      * Computers w/ shared SCSI RAID array
      * Each computer has a serial connection that can terminate the power of the other (VERY IMPORTANT)
      * Server A is master, Server B monitors server A
      * When Server A goes down, Server B turns off the power to A, takes over the IP address, and mounts the volume from the SCSI array.
      * When Server A comes back up, you manually switch it back over.

    • All of your contributions have given some good leads. I'm out digging into them now.
    • You might want to look into Mac OS X Server. It ships with Samba 2.x right now, and the new version (MOSXS 10.3) will ship RSN with Samba 3.0. It does active/passive clustering out of the box, and comes with a very nice toolset beyond just Samba. Apple's XServe Raid unit just about owns the storage market in terms of price/performance/capacity.

  • Linux/FreeBSD

    In that order. Thank you.

  • Single Sign-On (Score:2, Interesting)

    by CromeDome ( 184915 )
    The promise of single sign-on for the various servers I have around here seems great :) While I know how to get Windows clients to authenticate against a Samba server, and also how to get *nix boxes to connect to a Samba server, is there a way to replace the traditional *nix login/authentication methods and replace it with Samba? Our domain is predominantly NT/2k, with a small scattering of Linux and FreeBSD boxes. Would be great if users could change their NT password and still be able to log in to our
    • It's called winbind (Score:4, Informative)

      by buchanmilne ( 258619 ) on Thursday September 25, 2003 @09:39AM (#7054186) Homepage
      You could do this with 2.2.8a if your AD server allowed anonymous authentication. If not, you need 3.0.0.

      See how we do it on Mandrake (since 9.0).

      I run a Mandrake 8.2 box in production as a mail server in an AD domain, all authentication is via winbind.
    • Re:Single Sign-On (Score:3, Informative)

      by fodder69 ( 701416 )
      Yes, use pam and the winbind. I can ssh to my samba box and authenticate against Active Directory. There are how tos out there, here are a few links I used.
    • Re:Single Sign-On (Score:3, Informative)

      by pirhana ( 577758 )
      Why don't you configure samba as PDC and use LDAP for all the authentication purpose? I found it a robust solution. The beauty is that you can use it as a back end for any services/servers which requires authentication and can act as a truly single source of authentication. All the requirements you mentioned are possible with this.
  • 5) A new "net" command has been added. It is somewhat similar to the "net" command in windows. Eventually we plan to replace numerous other utilities (such as smbpasswd) with subcommands in "net".
    Now making it more useful for windows users might be a good idea, but isn't replacing the older commands with windows style commands a bad idea? the "net" command does not take a standard "-" or "--" for parameters, also we now have to worry about our "/"s and "\"es. With everything in the GUI alread
    • I hope the new command is called "smbnet".
      Just "net" seems a bit presumptuous.
      After all this "net" refers to your local LAN
      and there is after all the interNET.
    • Of course you're worried about migrating users. If Samba gets easier to use, you'll find people migrating from the biggest user base on the planet - Windows.

      And worry about alienating Linux users? Please, where are you going to go to get something better? On a Mac? I know you're not going to stop using Linux (maybe Samba, but who cares, I guess) and go to Windows because your system is operating more and more like Windows.

      Unless you're losing functionality, cheer the changes. As more users (like me)
  • Multiple workgroups? (Score:3, Interesting)

    by sjbe ( 173966 ) on Thursday September 25, 2003 @09:30AM (#7054107)
    Can anyone tell me if 3.0 includes an easier way to get computers in more than one workgroup to connect? I know you can do it by running an extra instance of samba but it's awkward. Any better ideas?

    I've got a bunch of laptops that have to connect to different workgroups but I'd like to have them all connect to my samba server. But they have different workgroups and that cannot easily be changed. Samba doesn't deal well with this out of the box, though it works pretty well under Windows proper.
    • Unless you are talking about domains, no, there is no reason you should be having any trouble to connect (besides the usual windows browsing problems, but you should use WINS to prevent that).
      • I should clarify. It connects fine but accounts that are in a workgroup that does not match the samba server can only log in as guest. So for example I have two workgroups GROUPA and GROUPB, and the samba server is in GROUPA. One laptop in each workgroup. The GROUPA laptop can share the printer and copy files to the samba server, but the GROUPB laptop can only do so as Guest. The accounts are properly defined and if I switch the workgroup name for the samba server, the problem reverses itself.

        What lit
        • Our home network ran a samba-2.2.8a+LDAP domain controller (for me to test), but some of the machines are in their own workgroup, and can access the samba server (which is in another workgroup) with no problems.

          On our business network (running samba-2.2.8a on LDAP etc), we often have consultants bring their own machines, some of which are joined to their own Windows domains, and they have no problems accessing our samba boxes.

          Of course, it would help if you gave more detail, but it would be more appropria
  • I'm not a windows admin so I may have got the wrong end of the stick here, but I can't see too many people getting excited over support for NT4 trust relationships just as MS is phasing NT4 out. Isn't this a classic example of too little too late since anyone who wanted NT with this functionality would have long ago gone the all MS route and is unlikely to suddenly want to zap their legacy NT4 servers and replace them with *nix and samba. Are they?
  • by OneNonly ( 55197 ) on Thursday September 25, 2003 @09:50AM (#7054266)
    One thing that does change with Samba 3 is the way that you need to configure Squid to use NTLM authentication...

    If you upgrade and try using the old authenticators built with squid, you'll be stuck. Samba 3 comes with its own helper utility (ntlm_auth) to work with other applications such as Squid.

    I have written a Samba 3 / Squid Walkthrough that takes users step by step through getting this going.

    Find out about it here:

  • But...

    One of the stumbling blocks I've run into in the past (I am no Samba guru) is dealing with the occasionally complex, nested groupings, permissions, and far more detailed ACLs than the ext2-3 filesystems provide. I know that there are some filesystems (and what? overlays?) that can be applied to ext3 which allow more than OWNER-GROUP-WORLD permissions.

    How does this improved AD integration tie in with the various extended-ACL solutions?

    I would LOVE to yank most or all of our windows fileservers and r
