Samba 4 Technology Preview Released
daria42 writes "Samba creator Andrew Tridgell has officially released a technology preview of Samba 4 at the Linux.conf.au conference in New Zealand, ending a three-year wait for users. But wait before upgrading those servers. 'It may eat your cat,' says the Samba team in a statement, 'but is far more likely to choose to munch on your password database.'" From the article: "'Samba 4 supports the server-side of the Active Directory logon environment used by Windows 2000 and later, so we can do full domain join and domain logon operations with these clients,' the group said in a statement on its Web site, noting this feature was 'the main emphasis' for the new software."
Jeremy Allison on Samba 4 (Score:5, Informative)
http://www.linuxformat.co.uk/modules.php?op=modlo
Any software that has a 'Susan Stage' has got to be cool
Re:Jeremy Allison on Samba 4 (Score:3, Informative)
I'm at LCA2006 and have spent several hours with both Tridge and Andrew Bartlett, testing, fixing bugs, and identifying missing features of samba4. I'm not a samba team member, just a sys-admin who wants samba4 to be the best code possible before I deploy it.
Re:Jeremy Allison on Samba 4 (Score:5, Interesting)
If you think about it for a minute, if you consider how Open Source functions, where people work on the things that interest them, the "suits" that are often derided from some quarters are just filling a non-technical need in the Open Source community. There are often calls for people to test, write manuals, and create artwork as something they can do if they aren't programmers, but perhaps "marketing, sales, build corporations" are things that also should be added to that list?
To clarify, I'm certainly not talking about the CherryOS-style GPL-thieves, but honest and earnest businesspeople (even though their motives may be primarily cash, they still must abide by proper Open Source rules).
Anyway, thought it was interesting.
Re:Jeremy Allison on Samba 4 (Score:4, Insightful)
The genius of proprietary software: getting you to trade your sovereignty for code that does a lot of the less interesting stuff.
Unless you're actually selling that printer, are you going to want to spend all day writing a driver for it, much less testing it against a bazillion OS's?
Re:Jeremy Allison on Samba 4 (Score:3, Insightful)
Re:Jeremy Allison on Samba 4 (Score:5, Insightful)
Re:Jeremy Allison on Samba 4 (Score:2)
[1]I realize that booklet printing is probably quite doable under Gentoo, I just haven't overcome the static friction of mabooty to figure it out.
Re:Jeremy Allison on Samba 4 (Score:2)
[1]I realize that booklet printing is probably quite doable under Gentoo, I just haven't overcome the static friction of mabooty to figure it out.
In other words:
"I have to use Windows[1].
[1] I don't have to use Windows"
Re:Jeremy Allison on Samba 4 (Score:2)
Just got a udev-081 rule for my Logitech V200.
Next emerge upgraded me to udev-081-r1, and my rule was TU[1]. Aunt Petunia would die, I just cussed and debugged.
[1]Tits up.
Re:Jeremy Allison on Samba 4 (Score:2)
This is wrong in so many ways.
Here are four:
1. Gimp-print, CUPS, etc, etc.
2. (already mentioned) The straw that broke RMS's proprietary camel's back.
3. It's possible to be paid to write Open Source software.
4. If you already own the printer, that can be motivation enough.
Re:Jeremy Allison on Samba 4 (Score:2, Interesting)
People ALWAYS work on what interests them. The question is not "what", but "why" does the interest happen and "why" does the interest sustain. Consider the following hypothesis:
- In the corporate world, the interest is maintained because of financial or power rewards.
- In the dungeons of the cubicle world, the interest is held by "fear of losing income", "need for cash to survive", "lack of imagination" or any of a number of 'basic survivalist' needs.
- I
Re:Jeremy Allison on Samba 4 (Score:3, Insightful)
Sure, there may be a generic project that dumps courier on paper, and mostly gets the margins right.
But the annoyance of getting it RIGHT across a variety of printers/operating systems could lead to madness [planetmirror.com]
Re:Jeremy Allison on Samba 4 (Score:2, Insightful)
I'm personally hoping to find someone interested in re-writing the Samsung "gdi" Ghostscript driver as an IJS server.
Re:Jeremy Allison on Samba 4 (Score:3, Interesting)
Just out of curiosity, what are these? Not 'all' rules -- but does anybody know (or offer wild speculation on) what happens when open source and fat wads of cash collide?
Re:Jeremy Allison on Samba 4 (Score:2)
There are many sets of rules (which add together to form a sort of "ecosystem" of rules, if you want).
When the two collide depends on many things, including the perception of the "fat wads of cash", the license of the particular project, the vulnerability of the project to one person's whims and the nature of that person.
A few examples:
1. M
What Kind of Passwords Does It Prefer? (Score:3, Funny)
Re:What Kind of Passwords Does It Prefer? (Score:4, Funny)
Just Work (TM) (Score:5, Insightful)
Samba is great as a home network share, but it's not a single click system. Security on a home network doesn't really interest me. I'd like to be able to "just share" the files without setting up users etc, etc.
Re:Just Work (TM) (Score:5, Funny)
I know - that's why I'm posting this from your home PC.
I'd like to be able to "just share" the files without setting up users etc, etc.
Just post your requirements here I'll set them up for you... after all I don't want your home net to be locked down
Seriously - just because you would like software to be shipped insecure (and easy) by default doesn't mean that it should be. Have a look at this guide - Samba-3: A Simple Anonymous Read-Write Server [informit.com]
Re:Just Work (TM) (Score:5, Interesting)
For example, OS X Tiger server uses SAMBA for Windows support. Any mangling with configuration goes through Server Admin GUI (you can mess with configuration file too), but any changes get written back to standard smb.conf.
It could be very good and nice present for common crowd.
Re:Just Work (TM) (Score:3, Informative)
Re:Just Work (TM) (Score:2)
I talk about very simple interface with one question and several choices.
Re:Just Work (TM) (Score:3, Interesting)
Re:Just Work (TM) (Score:2)
"AFAIK, KDE and GNOME has both easy ways to create shares for now, but there is no way to configure SAMBA for just several default scenarios which could be - anonymous read-only, anonymous read-write, user-based read-only, user-based read-write, custom. Default could be user-based read-only."
SME Server [contribs.org] does exactly that, through a very simple web interface. If you need corporate support, Mitel Networks provides a hardware/software package [mitel.com] that's easily deployed into IT-less situations, like franchise off
Re:Just Work (TM) (Score:1, Insightful)
Samba isn't meant to provide a friendly user interface, it's meant to do the bit that makes it all work. Look to your desktop environment to provide a nice, friendly interface. And whaddaya know, KDE does it just fine.
Re:Just Work (TM) (Score:3, Informative)
[global]
workgroup = WORKGROUP
server string = Description of Server
security = share
( Rpbailey Notes: This might be where you were led astray. You probably had samba set to use passwords instead of share security. )
[Multimedia]
path = /usr/multimedia
writable = yes
comment = Multimedia
browseable = yes
public = yes
---
Just make sure that the directory in question is writable by your samba user (assuming yo
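An added example, not part of any post in this thread: a small check that reads an smb.conf and reports which shares end up open to guests, using the configuration posted above as constructed sample input plus a hypothetical [Docs] share. The function names are invented for this example; the synonym handling (`public` for `guest ok`, `writable`/`writeable`/`write ok` as inverted `read only`) follows smb.conf(5).

```python
# Report guest-accessible shares in an smb.conf (added example, not Samba code).
TRUE = {"yes", "true", "1"}  # boolean spellings accepted by smb.conf

# Synonyms from smb.conf(5): canonical name, and whether the value is inverted.
SYNONYMS = {
    "public": ("guest ok", False),
    "writable": ("read only", True),
    "writeable": ("read only", True),
    "write ok": ("read only", True),
}

# Constructed sample: the share from the post plus a hypothetical read-only one.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    security = share

[Multimedia]
    path = /usr/multimedia
    writable = yes
    public = yes
    browseable = yes

[Docs]
    path = /srv/docs
    guest ok = yes
    read only = yes
"""


def as_bool(value):
    return value.strip().lower() in TRUE


def parse_smb_conf(text):
    """Return {section: {canonical parameter: value}} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())   # names are case-insensitive
            value = value.strip()
            if key in SYNONYMS:
                key, inverted = SYNONYMS[key]
                if inverted:
                    value = "no" if as_bool(value) else "yes"
            current[key] = value                  # later settings override earlier
    return sections


def audit_smb_conf(text):
    """Return (section, finding) pairs for share-level security and guest shares."""
    sections = parse_smb_conf(text)
    glob = next((p for n, p in sections.items() if n.lower() == "global"), {})
    findings = []
    if glob.get("security", "").lower() == "share":
        findings.append(("global", "security = share"))
    for name, params in sections.items():
        if name.lower() == "global":
            continue
        eff = {**glob, **params}                  # [global] supplies share defaults
        guest = as_bool(eff.get("guest ok", "no"))      # default: guest ok = no
        read_only = as_bool(eff.get("read only", "yes"))  # default: read only = yes
        if guest and not read_only:
            findings.append((name, "anonymous read-write"))
        elif guest:
            findings.append((name, "anonymous read-only"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{section}] {finding}")
```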
Re:Just Work (TM) (Score:2)
This isn't that different from Windows servers.
Re:Just Work (TM) (Score:3, Interesting)
That's exactly what I thought. Samba is for network shares in a relatively simple environment. Authentication via Windows domain could be accomplished with more stability with Kerberos / LDAP. It's what we do with our lab machines.
And I would much prefer to use samba to share out my oggs and mp3s without needing a volcano and a goat.
~Will
Re:Just Work (TM) (Score:2)
Re:Just Work (TM) (Score:2)
Re:Just Work (TM) (Score:2)
http://www.ccp14.ac.uk/ccp14admin/security/secure_tunnelling_ftp.htm [ccp14.ac.uk]
Secure FTP transfers via Secure Shell Tunnelling
http://winscp.net/eng/docs/introduction [winscp.net]
WinSCP is an open source freeware SFTP client for Windows using SSH. Legacy SCP protocol is also supported. Its main function is safe copying of files between a local and a remote computer.
etc. etc.
Re:Just Work (TM) (Score:4, Insightful)
Webmin (Score:2)
And if you do need to manage users at some point, you can have webmin automatically propagate changes to other modules ( like samba )
Re:Just Work (TM) (Score:2)
it's in Debian (Score:5, Informative)
Install them by running:
aptitude install -t experimental samba
But you'll need to add an entry for experimental to
If you don't know how to, you shouldn't be messing with experimental software anyway.
Re:it's in Debian (Score:4, Informative)
Or, closer to the original: "Breathing. If you don't know how to, you shouldn't be messing with environmental oxygenation anyway."
Here's a link to a howto [debian.org] for configuring your Debian installation to use the experimental packages. (It's in section 4.6.4.3, or just search on the page for "experimental".)
Samba 4 (Score:5, Informative)
But the release of this TP is good news, I hope that the use of Microsoft's Active Directory as an authentication service for Linux systems [securityfocus.com] is coming to an end. All that we need now is a nice GUI [samba.org].
What is this samba you speak of? (Score:5, Interesting)
Since discovering the joys of NFS I've not looked back (yes I do know what samba is and I run a samba server). Compared to Samba, NFS is almost too simple and reliable. Give me my complexity and unreliability back!
Re:What is this samba you speak of? (Score:4, Interesting)
Re:What is this samba you speak of? (Score:5, Informative)
"Authentication" with NFS is IP based. You grant access to NFS mounts by specifying which hosts can mount that share. This implies that the hosts you allow are trusted, and that your network is trusted as well. So yes, if a computer you have root access to has been granted read/write access to an NFS mount then you can just su to someone else's UID and delete their files on that NFS mount.
Is it a good idea to use NFS in a security sensitive environment? Probably not.
Re:What is this samba you speak of? (Score:3, Insightful)
Re:What is this samba you speak of? (Score:2)
Not with a properly configured, managed switch, which any security sensitive environment is going to have.
AFS (Re:What is this samba you speak of?) (Score:2)
Re:What is this samba you speak of? (Score:2)
I believe it is done via root squashing. Unless you specifically allow it you can't do root like things on the NFS mounts (such as deleting arbitrary files) even if you are root on your machine. I forget exactly how it works as I set up and forgot about my NFS system a while ago but I left root squash on and it trips me up now and then. Physical intruders (someone plugging a computer into the network) aren't something I particularly worry about as I have a large iron bar next to me to hit anyone breaking in
Re:What is this samba you speak of? (Score:3, Informative)
man -S 5 exports
Re:What is this samba you speak of? (Score:4, Insightful)
Re:What is this samba you speak of? (Score:2, Informative)
Nope. That's how I used to update some web files on a central NFS server here long after the person left. I just added an account with his UID on my workstation, mounted the central NFS server's web share and voila. I could read/write his files just fine. Traditional NFS is HORRIBLE from a security standpoint since the only authentication involved is IP based and the only authorizati
Re:What is this samba you speak of? (Score:2)
In my opinion traditional NFS is not that secure, either against reading things "on the wire" or spoofing.
As another poster has mentioned you can export the filesystem on a client by client basis. As a "bad guy" you have to take over the identity of one of those trusted clients (steal the IP address). Tricky but not impossible.
The basic problem here is authenticating that the client really is the right client. IP addresses are not sufficient in this regard. For those that deem this necessar
NFS security (Score:2)
The extended answer is that the underlying rpc protocol has long su
NFS "Credentials" (Score:2)
Several ways to solve the problem. First, UID and GID can be centrally controlled on a LAN by use of NIS. Still, if the machine is under the control of someone else, a forged UID/GID may be presented.
This can be controlled by the NFS server using "root squashing" or "all squash".
Both of these options "distrust" the UID/GID. In the case of root squash, root UID (0) is remapped to "nobody". This is a good thing o
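An added example, not part of any post in this thread: a check over an /etc/exports file for the points raised in the NFS posts above (host-based trust, client-supplied UID/GID, root squashing, all squash, Kerberos flavours). The sample file, host names and finding codes are constructed for this example; defaults assumed are those of exports(5) (ro, root_squash, sec=sys), and quoted paths containing spaces are not handled.

```python
# Audit /etc/exports for weak trust settings (added example, not from the thread).
import re

# Constructed sample /etc/exports; hosts and paths are made up for this example.
SAMPLE_EXPORTS = """\
/srv/web      192.168.1.0/24(rw,sync)
/srv/home     *.lab.example(rw,no_root_squash)
/srv/scratch  ws1.lab.example (rw)   # stray space: "(rw)" applies to every host
/srv/pub      *(ro,all_squash)
/srv/secure   ws2.lab.example(rw,sec=krb5p)
"""

# One client token: optional host followed by optional "(opt,opt,...)".
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")


def parse_exports(text):
    """Yield (path, host, options) per client entry; host '' means every client."""
    joined = re.sub(r"\\\n", " ", text)           # backslash-newline continues a line
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or [""]:            # no client listed: exported to all
            m = CLIENT_RE.match(client)
            if m is None:
                continue                          # malformed token, skipped
            opts = {o for o in (m.group(2) or "").split(",") if o}
            yield path, m.group(1), opts


def audit_exports(text):
    """Return (path, client, code) findings.

    WORLD          entry has no host, so it applies to every client
    NO_ROOT_SQUASH root on the client acts as root on the export
    UID_TRUST      writable with sec=sys: server believes the UID the client sends
    WILDCARD_RW    writable by a wildcard or by every host
    """
    findings = []
    for path, host, opts in parse_exports(text):
        who = host or "<world>"
        flavors = next((o[4:] for o in opts if o.startswith("sec=")), "sys").split(":")
        kerberos_only = all(f.startswith("krb5") for f in flavors)
        writable = "rw" in opts                   # exports(5) default is ro
        if host == "":
            findings.append((path, who, "WORLD"))
        if "no_root_squash" in opts:
            findings.append((path, who, "NO_ROOT_SQUASH"))
        if writable and not kerberos_only and "all_squash" not in opts:
            findings.append((path, who, "UID_TRUST"))
        if writable and (host == "" or "*" in host or "?" in host):
            findings.append((path, who, "WILDCARD_RW"))
    return findings


if __name__ == "__main__":
    for path, who, code in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {who:18} {code}")
```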
Re:What is this samba you speak of? (Score:2)
NFS and Samba (Score:3, Interesting)
Re:NFS and Samba (Score:2)
Doing this in a cross-platform way is a significant amount more effort than configuring Samba. Newer versions of NFS support things like Secure RPC and Kerberos authentication, but setting these up is still more effort than Samba (and good luck fi
Re:NFS and Samba (Score:2)
Re:NFS and Samba (Score:2)
The parent poster was speaking about how NFS is practical and fast for some small non-complex systems.
It was *exactly* about cases with a dozen or so machines.
Re:NFS and Samba (Score:2, Insightful)
Re:What is this samba you speak of? (Score:2)
My cat lost his password (Score:5, Funny)
Wow, it only took 25 days for Samba to break its New Year's resolution to eat less and lose weight.
Re: (Score:2)
NZ??? (Score:2, Funny)
Linux.conf.au conference in New Zealand
What the ... HAS THE WORLD GONE MAD!
Since when did anything .au become New Zealand's responsibility? Usually it's the other way around! I.e. blaming the existence of Russell Crowe on Australians. This wasn't our fault, HE WAS BORN IN NZ! Now NZ is stealing our conferences. I for one find this an outrage!
But as an Active Directory replacement? (Score:5, Insightful)
For all MSFT's faults (and there are many, as
Re:But as an Active Directory replacement? (Score:4, Interesting)
Re:But as an Active Directory replacement? (Score:2)
I have a request though, Publish your work. Let others know how you did it. That information can lead to strides forward for Samba and those that wish to i
Re:But as an Active Directory replacement? (Score:2)
Your slashdot profile doesn't have a URL in it - can you please provide a link?
I suspect most of us have gotten 90% there, so diffing your configs would be quite valuable.
Re:But as an Active Directory replacement? (Score:2)
To demonstrate this problem, make a new AD group and add a user account that al
Re:But as an Active Directory replacement? (Score:2)
"Samba 4 supports the server-side of the Active Directory logon environment used by Windows 2000 and later, so we can do full domain join and domain logon operations with these clients," the group said in a statement on its Web site, noting this feature was "the main emphasis" for the new software.
"Our domain controller implementation contains our own built-in LDAP (Lightweight Directory Access Protocol) server and Kerberos key distribution centre as well as the Sam
Which version of Active Directory? (Score:5, Interesting)
Lets be clear - (Score:3, Informative)
When vista comes out, samba will not break.
MS will simply have changed the standard/protocol/whatever in some way that their own prior implementations will be tolerant of but Samba will not. Samba will not be busted, MS' own implementation of their own technology (or other people's tech, kerberos for example) is what will be busted.
Re:Lets be clear - (Score:3, Insightful)
And, practically, does this make a difference? Can I look my boss in the eye and tell him that the mail server doesn't know who its users are, but it's ok because it's MS's fault?
Re:Lets be clear - (Score:2)
Or if you are feeling brave, you can suggest they actually plan for these kinds of "gotchas" before they happen...
Re:Lets be clear - (Score:2)
Isn't the fact that "you have somebody to blame when things go wrong" a strong selling point for proprietary software? Why don't you give it a shot. If your boss finds out that the so called support you get from MS is worthless and then even when it's their fault they do nothing then next time your boss will have less incentive
Re:Lets be clear - (Score:2)
In so far that implies a guarantee that things won't go wrong.
End of the day, my boss doesn't care why something broke. She's just more concerned with why it's still not working.
Re:Lets be clear - (Score:2)
In that case your boss should be perfectly happy with an open source product.
Re:Lets be clear - (Score:2)
In a pure OSS enviroment, I would agree. However, I have to work with windows. Regardless of where the fault lies, this is problematic on the best of days.
Re:Lets be clear - (Score:2)
If it's problematic then you need to pick up the phone to MS and complain about how their stuff is not interoperating with the rest of the software on your network. Once again your boss picked MS stuff because MS promised them that they would provide support and that he would have somebody to blame when things went wrong.
If things are going wrong then you should demand your support. You are pay
Re:Which version of Active Directory? (Score:2, Interesting)
Samba 3 Almost but not quite Active Directory,. (Score:2, Informative)
You see I discovered something about Windows and SMB. Windows Cached its passwords. The passwords were replayed across the network whenever a new socket was opened. Konqueror would not replicate this behavior unless forced to by the KDE Control center. I have a big long thing that describes the whole thing.
It is not
Re:Samba 3 Almost but not quite Active Directory,. (Score:2)
And then you proceed with writing text?
Re:Samba 3 Almost but not quite Active Directory,. (Score:2)
Windows caches all sorts of things. You can quite easily find profile paths (both network and local) along with SIDs relating to users who have logged in to the machine scattered all over the registry. Even if you tell it not to retain locally cached profiles it sometimes leaves them around.
Easy Transition? Excellent. (Score:5, Interesting)
Many companies are not going to want something that isn't supported and will be looking where they should transition. Savvy consultants can propose a migration to Samba which could provide higher margins than reselling Microsoft solutions -- especially if they aren't a close partner of Microsoft -- and they will be able to fix problems and customize the solution themselves without having to point fingers (they still can, they just don't have to).
This quote from the article gets me all warm and tingly inside:
"Tridge demonstrated sucking the life out a Windows 2003 PDC [primary domain controller] in one click, importing all its user and machine information using SWAT."
"He then restarted [domain server] BIND on his Samba 4 server, changed the server role to PDC
Re:Only 6 years (Score:2)
Re:Only 6 years (Score:4, Informative)
What took years is reverse-engineering all the weird quirks MS introduced in the previously standard systems.
Besides, Samba can do a lot nifty things AD can't, so who's behind?
Re:Only 6 years (Score:2)
And,most importantly, made it trivially easy for most people to use.
Re:Only 6 years (Score:3, Insightful)
Do you manage many Active Directory servers?
The ones I know about (in a EU wide bank) are a mess, and require an entire team of people just to let them run. And even so it is very simple to screw them up.
Not counting the fact that AD is horridly delicate: un-join a machine from the domain for long enough, and you are done.
AD is NOT easy. Clicking on "Share this folder" might look so, but managing AD is not.
Re:Only 6 years (Score:2)
Do you manage many Active Directory servers?
The ones I know about (in a EU wide bank) are a mess, and require an entire team of people just to let them run. And even so it is very simple to screw them up.
When it comes to getting AD into a mess all you need is "servers" (i.e plural).
AD is NOT easy. Clicking on "Share this folder" might look so, but managing AD is not.
A common problem with GUI interfaces to servers is that they make it quite easy for people to change something when they
Re:Only 6 years (Score:2)
Before I start, I want to make it perfectly clear that I am a linux zealot to the extreme both at work and at home.
With the proper configuration, Active Directory is a stable directory service. We've been running it for close to 6 months now and have lots of additions to the directory, exchange integration and a customized tree. We've yet to have a
Re:Only 6 years (Score:2)
About re-joining: you say that. And I know that. In theory.
In practice we experienced in the past cases of impossible re-join. In that case you should re-generate the ID of the machine, and lose all the security and permission settings.
Re:Only 6 years (Score:2)
Re:Only 6 years (Score:1)
Re:Only 6 years (Score:4, Insightful)
Five years to reverse engineer a difficult, obfuscated protocol is quite frankly amazing.
And you see - they don't really have to offer full compatibility immediately - but if they do it before win2k ends its lifecycle, SAMBA + *nix offers companies dependent on AD a way out without having to go the win2k3 route.
Way to innovate, OSS community!
Way to troll dJOEK!
There is virtually no innovation in software, proprietary or OSS - everyone is just copying everyone else's ideas & making incremental improvements...
I mean we're all using the same desktop paradigm from 30 years ago - and the only substantial innovation I've seen in that is overlapping windows (from maybe 25 years ago)
Re:Only 6 years (Score:3, Insightful)
Re:Only 6 years (Score:2)
Re:Only 6 years (Score:2)
I should have said "There's no more innovation in proprietary software than OSS software (or vice versa)"
Sure, maybe not on the desktop or with Samba but I certainly see it with Firefox. Firefox has had a lot of great things (like tabs) before IE does. In fact, IE is in a major state of catch up right now.
Interesting example - I think however you're in the wrong thread (you're looking for the Microsoft vs OSS innovation thread, this is the proprietary vs OSS innovation thread).
Fi
Re:Only 6 years (Score:2)
And for the sharing of network filesystems, this was pegged in open release in 1985 by NFS. Which was on UNIX.
Yet again, Windows is late to the game in all aspects, playing catchup with the rest of the world.
Apart from Windows compatibility, which, for some older applications, it's currently almost as good as WINE and FreeDOS.
Not to knock Windows too mu
Indeed (Score:2)
Yes, it has managed to fulfil its original intent to be a GUI inside which one could run a word processor or/and a spreadsheet app.
The scary thing is the incredible amount of other usages for which Microsoft is trying to push a product that *isn't* designed for.
Re:Only 6 years (Score:5, Informative)
Um, no. LDAP and Kerberos weren't invented by Microsoft. They put the two together and called it Active Directory, straying away from the RFCs and throwing in all manner of tweaks that required extensive reverse engineering on the part of the Samba team to figure out. That means figuring out the protocol from the packets, which is an incredible feat, especially as Microsoft's protocol designs aren't easily discerned and contain all sorts of weird gotchas (purposefully).
There's a lot of complexity under that GUI of yours and, whether you want to believe it or not, Microsoft isn't such an innovative organization. Generally, they poach something that's already widely available and tweak it so it won't be interoperable with other systems. If you call that innovation, then I guess that speaks for itself.
Re:Only 6 years (Score:4, Informative)
In terms of volume of proprietary information to work out, the plethora of interlocking directory object types that an ADS client depends on has got to be the big challenge. The static characteristics of these objects and their attributes are documented (I use the term loosely) in the PSDK, but how they are used or even what some values mean is not at all clear. Throw in a few obvious copy/paste errors in the doco. to cloud the issue further and it's not surprising that Samba took this long. Create a new ADS forest and look at all the stuff that was put into it out of nowhere.
Re:Only 6 years (Score:2)
Re:Will configuration be simplified ? (Score:2)
With NT based OSes, use the commandline:
net use
net use \\x.x.x.x\IPC$
net use [share name]
The second one in that list is the easy way to set up the credentials you want to use on a server. IPC$ is th
Re:Samba 4 BDC to Windows PDC? (Score:2)
On Active Directory, there is no more PDC/BDC setup. You have Domain Controllers (DC) that have roles in the AD infrastructure. So, the answer is yes, Samba 4 will be able to integrate itself into a current AD infrastructure as a DC.