Samba 3.0.0 Released 252
Matt writes "As posted on Samba.org the fine folks at Samba.org released their newest version of the popular free Windows File- and Print Server. Most famous additions are Active Directory integration and possibilities to form NT4 trust relationships. Release notes are online." See also their press release.
Get the doc! (Score:4, Informative)
Congrats to the Samba Team!
Re:Get the doc! (Score:3, Interesting)
I did not have relations with that server (Score:5, Funny)
Re:I did not have relations with that server (Score:3, Funny)
wonderful! (Score:5, Funny)
but is it wise to trust a NT4 server?
Re:wonderful! (Score:2)
That's nothing !! (Score:5, Funny)
Amazing how the USA thinks they are ahead of everyone else...
Re:That's nothing !! (Score:2)
Re:That's nothing !! (Score:2, Funny)
men with wigs on it.
Does this ver. solve the WinXP security "features" (Score:5, Interesting)
Days & days of hacking the config and attempting to get it to work to no avail. Finally I find that it appears that WinXP has some security "features" added into it that break the use of Samba shares.
This frustration I felt has actually pushed me one more step towards switching all of our machines over to Linux. It may not happen tomorrow, but it will happen.
Re:Does this ver. solve the WinXP security "featur (Score:5, Informative)
You may need to add smbpasswd entries for the machines users, but other than that, it should be ok.
Re:Does this ver. solve the WinXP security "featur (Score:5, Informative)
Basic file sharing is fine, but if you're using Samba as a domain controller, you need to set a SignOrSeal reg value off to allow domain logons and also unset a "check profile ownership acls" setting which was introduced by SP1.
-- Someone who uses Samba 2.2.x as domain controller for several hundred XP boxes
Re:Does this ver. solve the WinXP security "featur (Score:2, Insightful)
"unset a 'check profile ownership acls'"
I'll have to look into that.
Thanks!
Re:Does this ver. solve the WinXP security "featur (Score:4, Informative)
Re:Does this ver. solve the WinXP security "featur (Score:2)
Cool, I actually have to visit each and every one of my clients, personally?
Re:Does this ver. solve the WinXP security "featur (Score:2)
Re:Does this ver. solve the WinXP security "featur (Score:4, Informative)
Re:Does this ver. solve the WinXP security "featur (Score:2)
Re:Does this ver. solve the WinXP security "featur (Score:2, Informative)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Ser
Re:Does this ver. solve the WinXP security "featur (Score:2)
The Samba unofficial HOWTO - 5.3. Joining your Samba Domain [uoregon.edu]
Re:Does this ver. solve the WinXP security "featur (Score:4, Informative)
If it doesn't work when you remove this please log
a bug at bugzilla.samba.org.
Thanks,
Jeremy Allison,
Samba Team.
Re:Does this ver. solve the WinXP security "featur (Score:2)
Nobody said it was a conspiracy. It's not like I was stumbling around in the dark here. I read the docs for Samba, I read the man pages of Samba, I googled for the problem.
It appears to be some DNS-like issue that XP _sometimes_ does, and samba 2.8 didn't support. My bet is that 3.0 probably takes care of this issue, or at least addresses it in the readme or docs.
Re:Does this ver. solve the WinXP security "featur (Score:4, Informative)
side on the XP box. It tries to contact a port on the Samba
server that isn't open and times out. Sorry, I can't remember
the exact instructions to turn this off (I only use Windows
under VMware to test Samba
Jeremy Allison,
Samba Team.
Do you mean 'oplocks'? (Score:2, Informative)
If you Google "Microsoft SAMBA oplock" you'll see a lot of hits, some of which [google.com] went away when oplocks were turned off in Samba.
Re:Do you mean 'oplocks'? (Score:5, Insightful)
Windows boxes tend not to respond to oplock break requests
if there are *any* network problems. Most people have cheap
switches/hubs etc. For instance on my home network I can
only reliably ssh transfer a 100mb file over one of my
switches (the gigabit one), the 100Mbit switch will
consistently corrupt the tcp stream causing ssh to abort.
oplocks need *reliable* networking hardware.
Jeremy Allison,
Samba Team.
Flamebait? (Score:3, Insightful)
"This frustration I felt has actually pushed me one more step towards switching all of our machines over to Linux. It may not happen tomorrow, but it will happen"
It's not flamebait people, it's actually how I feel. Other nice
Re:Does this ver. solve the WinXP security "featur (Score:2, Insightful)
net use t: \\linux-box\samba-share *
(and just press enter for the password)
This maps it to drive t:
Re:Does this ver. solve the WinXP security "featur (Score:3, Insightful)
In fact I'm sitting at an XP machine right now that's mounting from 3 different Samba servers...
Re:Does this ver. solve the WinXP security "featur (Score:2, Informative)
Re:Does this ver. solve the WinXP security "featur (Score:2, Informative)
Re:Does this ver. solve the WinXP security "featur (Score:5, Informative)
Settings -> Control Panel -> Admin Tools -> Local Security Policy
Look under Local Policies, then Security Options.
Look for "Domain Member: Digitally encrypt or sign secured channel (always)" and set it to DISABLED.
That should solve some of your problems.
XP only wants to trust other Windows machines when working in a domain environment.
Re:Does this ver. solve the WinXP security "featur (Score:2)
And hey, who can't love the fisher-price dialog system. You have no need to go in and change a setting that you know where it goes. There is a ritual now by which you painstakingly step through a set of droolproof dialogs, enter the setting you wanted 4 steps in, and then have step 7 negate them.
Best new features (Score:5, Interesting)
That and it says it will work "out of the box" with Windows Server 2003. I wonder if that means they fixed the "trust" issue with Windows XP trying to auth with it for login without reg hacks....
Re:Best new features (Score:2, Informative)
Re:Best new features (Score:2, Funny)
It really helps when aiming files across long distances
Re:Best new features (Score:5, Informative)
10) Support for migrating from a Windows NT 4.0 domain to a Samba domain and maintaining user, group and domain SIDs.
Why? NT Server is coming to the end of support period (Dec 2003). There are still LOTS of NT4 servers out there. Last time I checked, you had to recreate ALL of the groups and users whenever you migrated them from NT4 to any other PDC (there is a little support for automating this activity, but it just saves you from retyping the users and groups names).
Re:Best new features (Score:3, Interesting)
Jeremy Allison,
Samba Team.
No. (Score:4, Funny)
What happens is that if you fail to listen to your Primary Domain Controller, the Bondage and Discipline Cop steps in to beat and humiliate you until you submit credentials to the proper authorities. Usually, this happens when you're standing in front of many people and attempting to get at Powerpoint slides you left on your client machine.
Re:Best new features (Score:2)
Vulnerable? (Score:5, Interesting)
Aside from that concern I can personally say that Samba rules. I have benchmarked it as being a faster file/print server compared to Windoze on identical hardware. A Linux box that can act as a domain controller, and now participate in cross-domain trust relationships and use AD is a helpful tool for weaning folks away from Micro$loth.
Re:Vulnerable? (Score:5, Interesting)
Typically in the Windoze NT model in order to add a server to the domain you have to have admin rights. I recall the Samba box added itself to the domain without any authentication necessary. It was funny when an NT admin from CHQ called me to ask me why our site had this new server showing up. He couldn't browse any of the shares (only local Linux accounts were defined in the Samba user file and /etc/passwd file) and was pissed.
I apologized and proceeded to take the box off the network, but found it funny that no authentication was necessary. With all of the inherent flaws in Microsoft's security models I would bet that a Samba box could potentially wreak havoc on a pre-Windows 2003 network!
Re:Vulnerable? (Score:4, Interesting)
This isn't to say that there are not other ways in which a unix box can wreak havoc on an NT/200x network...
Re:Vulnerable? (Score:3, Interesting)
Re:Vulnerable? (Score:5, Interesting)
This being the case, I would have to interpret the samba server appearing in the Server Manager as a result of the code passed in the netbios protocol and it being used to determine machine times when listing the (PDC, BDC, Member Server, etc) I would also imagine that if you were to set up a second NT/200x server as a PDC using the same Domain Name, that that machine would also appear in the Browse List and have a similar effect, though in reality the two domains would not be related except by name (the SIDs would be different which would cause many problems that I would rather not go into).
Uh, no. (Score:2)
Your machine may have -appeared- on the network, but it wasn't part of the domain, unless the admin password was blank. You simply -cannot- join the domain without domain admin rights. Period.
Re:Vulnerable? (Score:3)
It's ama
Re:Vulnerable? (Score:2)
Keeping in mind that back then you could just connect through to the RPC$ share anonymously or attach to the debugger process and immediately get admin rights using a sechole.exe program freely avail
Re:Vulnerable? (Score:5, Informative)
They're really very professional, and a pleasure to work with.
--dave (the Using Samba 3rd author) c-b
Nah... (Score:2, Interesting)
I'd say no - the RPC vulnerabilities you mention are buffer overrun errors, which lie with the (somewhat braindamaged) implementation of the protocol. As long as there are no flaws discovered in the actual protocols, you won't see the same exploits unless the source code is copied directly between implementations.
Re:Nah... (Score:2)
Re:Vulnerable? (Score:4, Informative)
Basically no.
Buffer overflows in RPC are due to server programming, and since both are entirely different server codebases, they don't share vulnerabilities. But the Samba team have found many of these RPC bugs with windows
Re:So Am I Nuts (Score:5, Informative)
The protocol is just too complex to be sure any implementation
is safe.
Hopefully that should tell you something. It should also
tell you why we don't want it in the Linux kernel. Microsoft
put it in their kernel - I think that's a mistake.
Jeremy Allison,
Samba Team.
quite impressive (Score:5, Informative)
And the new "get" command which is similar to windows "net" is useful too.
Keep up the great work SAMBA team!
Re:quite impressive (Score:2)
Re:quite impressive (Score:2)
Because they won't let me tinker with 'rogue servers' at the office, so I have to learn the ins and outs on my own time and dime. My wife's one desk home office tax practice is seriously overpowered because I use it as a learning tool (and she is a typical end-user).
rh9 samba lockup (Score:5, Informative)
After searching for a while, I found that there's a bug in Redhat 9's new thread library which samba somehow triggers. There's a workaround on the net, look for it and avoid hassling the samba team - they're not at fault here!
Slightly OT - Samba Clustering (Score:3, Interesting)
Re:Slightly OT - Samba Clustering (Score:2)
Re:Slightly OT - Samba Clustering (Score:2)
* Computers w/ shared SCSI RAID array
* Each computer has a serial connection that can terminate the power of the other (VERY IMPORTANT)
* Server A is master, Server B monitors server A
* When Server A goes down, Server B turns off the power to A, takes over the IP address, and mounts the volume from the SCSI array.
* When Server A comes back up, you manually switch it back over.
The
Thanks all! (Score:2)
Re:Slightly OT - Samba Clustering (Score:2)
--Paul
Open source top 5 best contributions (Score:2, Interesting)
Apache
Gcc
PostgreSQL
Samba
In that order. Thank you.
Merlin
Re:Open source top 5 best contributions (Score:4, Insightful)
Re:Open source top 5 best contributions (Score:2)
Troll.
Postgres is miles ahead of MySQL (which still has its uses, mind you). And Apache is one of the most successful Open Source projects, no matter how you see it (I don't use Apache and I love Python, but Apache is a much bigger and more important project).
Egads a new holy war... (Score:4, Funny)
Then, Gnome Vs. KDE
Now it's MySQL Vs. Postgres
At least we are evolving from text editors and eye-candy to relational databases.
Re:Open source top 5 best contributions (Score:2)
Re:Open source top 5 best contributions (Score:2)
Sure. As if postgres can mystically operate over multiple servers at once, and makes a server immune to hardware failure.
That's as bad as the MySQL guys saying "You don't NEED server-side includes or foreign keys."
Single Sign-On (Score:2, Interesting)
It's called winbind (Score:4, Informative)
See how [dnsalias.com] we do it on Mandrake (since 9.0).
I run a Mandrake 8.2 box in production as a mail server in an AD domain, all authentication is via winbind.
Re:Single Sign-On (Score:3, Informative)
Re:Single Sign-On (Score:3, Informative)
From the release notes (Score:2)
Now making it more useful for windows users might be a good idea, but isn't replacing the older commands with windows style commands a bad idea? The "net" command does not take a standard "-" or "--" for parameters, also we now have to worry about our "/"s and "\"es. With everything in the GUI alread
Re:From the release notes (Score:2)
Just "net" seems a bit presumptuous.
After all this "net" refers to your local LAN
and there is after all the interNET.
you're worried about migrating users, of course (Score:2, Insightful)
And worry about alienating Linux users? Please, where are you going to go to get something better? On a Mac? I know you're not going to stop using Linux (maybe Samba, but who cares, I guess) and go to Windows because your system is operating more and more like Windows.
Unless you're losing functionality, cheer the changes. As more users (like me)
Multiple workgroups? (Score:3, Interesting)
I've got a bunch of laptops that have to connect to different workgroups but I'd like to have them all connect to my samba server. But they have different workgroups and that cannot easily be changed. Samba doesn't deal well with this out of the box, though it works pretty well under Windows proper.
Huh? (Score:2)
Re:Huh? (Score:2)
What lit
Works for me (Score:2)
On our business network (running samba-2.2.8a on LDAP etc), we often have consultants bring their own machines, some of which are joined to their own Windows domains, and they have no problems accessing our samba boxes.
Of course, it would help if you gave more detail, but it would be more appropria
NT4 support? Err , what about 2000, XP? (Score:2)
too many people getting excited over support for NT4 trust relationships just as MS is phasing NT4 out. Isn't this a classic example of
too little too late since anyone who wanted NT with this functionality would have long ago gone the all MS route and is unlikely to suddenly
want to zap their legacy NT4 servers and replace them with *nix and samba. Are they?
Re:NT4 support? Err , what about 2000, XP? (Score:2)
Re:NT4 support? Err , what about 2000, XP? (Score:3, Insightful)
That's exactly what I did 3 years ago when M$ started playing games with Active Directory, and I still had a network full of 98 and NT boxes. We set up a new domain, and moved all the file and print services to it.
Now that we have aged out all of the decrepit hardware and standardized on 2k, ActiveDirectory is a good idea. But that is 3 years, and a $100,000 in hardware later.
Having trust support would have saved me from having to hike to all the machines and add them to the new domain.
Re:NT4 support? Err , what about 2000, XP? (Score:2)
For some it's all they need.
Samba 3, Squid and NTLM Authentication - a change! (Score:5, Informative)
If you upgrade and try using the old authenticators built with squid, you'll be stuck. Samba 3 comes with its own helper utility (ntlm_auth) to work with other applications such as Squid.
I have written a Samba 3 / Squid Walkthrough that takes users step by step through getting this going.
Find out about it here:
http://itmanagers.net/article-4--0-0.html
Looks like a great leap in the right direction... (Score:2, Interesting)
One of the stumbling blocks I've run into in the past (I am no Samba guru) is dealing with the occasionally complex, nested groupings, permissions, and far more detailed ACLs than the ext2-3 filesystems provide. I know that there are some filesystems (and what? overlays?) that can be applied to ext3 which allow more than OWNER-GROUP-WORLD permissions.
How does this improved AD integration tie in with the various extended-ACL solutions?
I would LOVE to yank most or all of our windows fileservers and r
Re:Becareful about using this (Score:4, Insightful)
Re:Becareful about using this (Score:3, Funny)
opensource != secure
by any stretch of the imagination, in fact there are probably numerous untold exploits available for this software. It's just a matter of time, as with any opensource product.
Yeah, so let's use the alternative.
Windows servers.
Those are more secure I heard.
Re:Becareful about using this (Score:5, Insightful)
Thanks Egan, good safety tip.
by any stretch of the imagination, in fact there are probably numerous untold exploits available for this software. It's just a matter of time, as with any opensource product.
And let's also remember that _because_ it is open source, we now have thousands of developers who can view the code, find potential exploits, and then propose patches, QUICKLY and WITHOUT BIAS. Unfortunately, for patches to the same styled exploits that would exist in a closed source networking protocol, we would need to depend on a small team of developers under a common management structure (one pointy haired boss = single point of failure).
Open Source != secure
Open Source == better method toward security
Re:Becareful about using this (Score:3, Informative)
1. Profit!
2. PR/Spin
3. ???
4. Satisfy customers just enough to keep them
5. Everything else (ie. security, stability, etc...)
Since a lot of OSS projects aren't made in the name of profit, the hierarchy is more like this:
1. Write something useful/cool
2. Share it with everyone and get peer review
3. Pa
Re:Becareful about using this (Score:2)
Re:Becareful about using this (Score:2)
The original poster made the ridiculous claim that in open source projects bugs are fixed quickly and efficiently by an army of programmers. The response about the OpenSSH bug was pointing out that not all bugs are fixed quickly. He wasn't making a comparison about the relative security of either product.
Re:Becareful about using this (Score:4, Interesting)
Didn't quite a few of the Microsoft hotfixes credit the Samba team for finding the weaknesses and bringing it to Microsoft's attention?
Re:Becareful about using this (Score:4, Insightful)
Very true.
The advantage of opensource is that you can examine the internals yourself, and fix it yourself.
The more sophisticated the user, the more valuable opensource is. If you're a low level admin who can't do anything more than apply pre-canned patches, opensource may be cheaper but it isn't de facto better. If you can participate in the patch process by either writing your own patches or applying patches from the developers directly or from other users, rather than waiting for a vendor, you can be way ahead of the game.
Re:SMB/OSX question (Score:2, Informative)
Re:SMB/OSX question (Score:2)
Re:well (Score:2)
It would be nice if there wasn't a "KDE VFS" and a "Gnome VFS" on top of the kernel VFS... it'd be nicer if there was, perhaps, a LibC VFS, or kernel-mountable userspace filesystems.
Re:well (Score:2, Insightful)
Re:question (Score:2)
rpmbuild --rebuild
And it should compile you some nice RPMS to install (hint: look under
Re:How many hidden root exploits in this version? (Score:2, Interesting)
2 so far?
Works fine in 2.2.8a (Score:2)
<plug>
Implementing a Samba LDAP PDC Setup [mandrakesecure.net]
and
Implementing Disconnected Authentication and PDC/BDC Relationships Using Samba and OpenLDAP [mandrakesecure.net]
</plug>
Those two documents cover a setup which will give you a PDC-BDC setup where any member of the right group (adm by default) will be able join machines to the domain without having to pre-mak
Re:Trust relationships (Score:3, Informative)
Jeremy Allison,
Samba Team.