Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Programming IT Technology

Jeremy Allison Answers Samba Questions 98

Monday you asked Samba-meister Jeremy Allison a bunch of questions. He has answered the 10 highest-moderated ones in the finest lounge-lizard style imaginable (below).

Kerberos
by Claude Debussy

Microsoft has apparently molested Kerberos in their latest W2K upgrade, can you clear up some of the confusion about how this will effect samba server- NT.

I've heard their exploitation of the protocol won't affect samba, some say it wreaks havoc, what's the scoop ?

Jeremy:

A: Short answer - it won't affect Samba.

Long (*very* long :-) answer - it's a *very* subtle monopoly play by Microsoft to try and entend their desktop monopoly into the server space.

Kerberos is an authentication protocol (ie. it tells a server *who* you are). It is not an authorization protocol (ie. it doesn't tell a server what you can do). Authentication is all well and good, but in order to have useful network security you also need authorization as well. In UNIX (and NT) this is provided by your user id and a list of group id's to which you belong (on NT both user and group lists are SID's - security ID's - globally unique 128 bit ID's).

Kerberos allows a user to get tokens called 'tickets' that allow them access to services on the network. The initial ticket a user must obtain is called a Ticket-granting -ticket, or TGT. On standard UNIX implementations of kerberos, a users *name* (called a "principal") is used to get a TGT and then this name is looked up using the standard UNIX password database mechanisms (ie. /etc/passwd, NIS, NIS+, LDAP etc.) into a uid and a list of associated gid's that represent the authorization of that individual. When this user wants access to files or SYSV shared objects (the only securable things in standard UNIX) then the uid/gid list is checked against the access control of the object (usually user/group/world triple) and access is allowed or denied. Custom servers that use Kerberos tickets (eg. an Oracle database) use their own authentication mechanisms based on the name of the ticket owner (kerberos tickets contain proof of the ticket owner in the ticket). All well and good.

Note that in the above, Kerberos has *nothing* to do with the mapping between name and uid/gid list.

Now lets go back into history. Back when the Open Software Foundation ("a greater hive of scum and villainy has yet to be seen, we must be careful" :-) developed DCE (distributed computing envionment, which didn't work) to compete with SUN ONC/RPC (which *did* work :-) they decided to use kerberos authentication. However, they needed an authorization mechanism. Now kerberos 5 has a field in the TGT market "application specific data". But trying to be at least good citizens, and knowing that they wouldn't get the whole world to adopt their version of this field, they developed a secondary ticket format, called a PAC (privillage authorization certificate) that contained everything that a Kerberos 5 TGT did, but in addition had a list of DCE UUID's (which coincidently are also 128 bits :-) to represent the main userid and list of groups to which the user belongs. Now the great thing about this method was that it allowed a competely generic MIT code Kerberos 5 server to act as the KDC (Key Distribution Center) and have a *separate* database containing the authorization data (the name - uid/gid list mapping) contained in a separate server process. Ah..... security :-).

Now enter the 800lb gorilla..... :-).

In the grand tradition of "embrace and extend", Microsoft decided that as no one else was using this field they might as well just appropriate it for their own use, and so created the *exact equivalent* of the DCE PAC tickets, but added the additional data directly into the standard Kerberos 5 TGT (something the OSF for all their sins decided not to do). This is bad enough, but they have yet to document the format of the (cryptographically signed) data they have placed in this field. Now certain people I trust greatly at Microsoft have told me that they do intend to document this data format, but I have been asking publically now for over 2 years (one of my proudest moments was being publicly called a "troublemaker" over this point by a Microsoft VP at a Microsoft professional developers conference :-) and have yet to see any documentation on this field.

What does this mean ?

Well, for Samba as a file and print server, nothing at all. Currently we don't support the Win2k kerberos authentication (no user demand right now) and when we do we will be able to use the ordinary kerberos principal information to map directly into a UNIX uid and gid list, just like we do now (remember, we won't need to decode this extra info). However, if we ever wanted to get into the Win2K domain controller business (using kerberos authentication, not MS lanman backward compatible authentication, as Luke already has this working in the TNG Samba branch) then we would be stuffed...

Don't be fooled by the hype.
by Anonymous Coward

Samba? Samba? That word says one thing to me, and one thing only: Some slinky disreputable Latin American gigolo character, skulking around the suburbs and worming his way into the hearts of virtuous women, destroying their lives and moving on. The word "samba" says nothing to me of quality or reliability. Nothing.

So Jeremy, I ask you: Why do you choose to be associated with such a grossly disreputable and frankly immoral product? Why do you choose to spend your days lazing around the Beverly Wilshire, oiling your pencil-thin mustache, langorously sipping mai-tai's and attempting to seduce other men's wives? Aren't you disgusted with yourself and the low state to which you've fallen?

Have you no shame?

Jeremy:

A: No, I have *no* shame at all. And I'm not *ashamed* of having no shame either :-). Anyone who knows me knows I will drop my trousers at the *slightest* pretext, and parade around naked, for all the world to see! And I'm *PROUD* of it dammit ! Remember, for all you gits who for some reason think I'm an Australian (pah!) I'm a Brit - and my home town is Sheffield (in the Independent Socialist Republic of South Yorkshire). That's right - "THE FULL MONTY"! I've never even *been* to Australia, and have *never* eaten koala or emu (although I must confess to eating kangaroo once, but that was in New York, so I can be excused. They said on the menu it was cat :-).

As for "worming my way into the hearts of virtuous women", I personally think that virtue is *very* overrated. I didn't get onto the 100 most eligable men in silicon valley list for nothing you know (in fact I didn't get on it at all :-).

Besides, I think my pencil-thin mustache looks rather good.... :-).

For the Challenge or Outcome
by Col. Klink (retired)

Do you work on SAMBA for the thrill of the challenge of reverse engineering SMB or just for the practical uses? If MicroSoft were to open their protocols (perhaps as part of a DoJ settlement), would you still find it as much fun?

Jeremy:

A: Well, I work on Samba for the fun of it. I've been doing Open Source work now for over 8 years (back before there *was* Open Source, you young whippersnapper, we used to call it "Free Software" back then, when I had to lick t'road clean w'tongue... :-) and it's *always* been fun. I'd do it even if I didn't get paid to do it (DONT TELL VA ! :-).

As for Microsoft opening their protocols, they have tried to document what their clients do and do you know something, it doesn't make *any* difference. They have 100-200 Million clients out there, all with weird bugs (trust me on this :-). SMB is such a *horrible* protocol it can't be properly documented, as the real spec for SMB is "what Windows clients do on the wire". This is one of the reasons that Samba is becoming so popular as an OEM SMB solution, as writing your own SMB server from scratch is *hard*. People look at the published specs, think, well this can't be so bad :-), and start coding. Then they find the way the clients deviate from the spec and they're in a world of pain :-). Many of them end up licensing Microsoft server code, or start using Samba. SGI, Veritas, HP, Cobalt, Whistle (now IBM) and too many others to count are all shipping Samba based products now.

Replacing NT
by Pheros_7f4

I am continually amazed each time a major release of Samba comes out how well it works. My question is, I know that the Samba group has been working towards make Samba a suitable replacement for NT. How far do you expect that to go. I know you're in a continual battle with MS changing things with every minor release, but do you expect to someday get to the point where I can completely replace my NT PDC machine with a Unix/Linux box that has the same functionality? Perhaps the same question stated differently is what are the long term goals for the project in relation to NT PDC Server compatibility? Any estimates on how long such compatibility will take?

Jeremy:

A: Well, there are two goals really here. This question actually brings out some of the tension in the developers in the Samba project.

There are those of us (Andrew, myself), who see Samba as a UNIX file/print server with PDC-like features. And there are others (Luke mainly) who want to completely replicate all features of NT, whether they fit into the UNIX model or not. My question to you is - why do you want Samba to "save" you from NT? If you want the features of a PDC you know where to get them - www.microsoft.com (and they're not very stable). The Microsoft domain model is a *very* poor fit into the UNIX world, and it's a constant battle to mangle the NT semantics to fit them into a UNIX world. I *like* the UNIX model. I think it's a better, more stable, more proven model than NT. I guess our (Andrew & I) motto is "as close to NT as neccessary, but no closer".

Having said all that, Luke has made remarkable progress in the Samba-TNG branch (The Next Generation, for all you Star Trek fans out there :-) in getting NT PDC support working. However, this is not yet production code. The current plan is to mine the TNG branch and bring back as much of the working and *secure* PDC stuff to the HEAD branch (which will become Samba 3.0) as possible, and provisinally ship this by October this year (expect this to slip - no - *depend* on that date slipping :-).

But being totally honest, as Samba is having to reverse engineer *hundreds* of undocumented MS-RPC calls, there will always be some areas where we don't have the exact functionality that they do as a PDC/BDC. I'm not too unhappy with that - like I say, I consider that model an inferior one anyway (and *definately* a less secure model - you can trust me on that :-). If you need NT - you know where it lives....... just don't complain when it crashes on you.

ACLs
by Anonymous Coward

What are the plans for ACL support? I mean the stuff that comes up when you do (in NT) Properties, that second tab, then the Permissions button and get the list of users and groups. Right now we can mess with the existing user and group, but adding people fails.

Will this tie in with the Linux patch to add POSIX ACLs, or will it happen above that layer in a file Samba maintains?

The possibility exists for me to subvert W2K at my place of business if Samba can do this for my users. I hope this happens soon.

Jeremy:

A: Good news for you :-). HP has contributed a large chunk of code to do exactly this. The target is to get this code into the 2.0.8 release (sometime before August). I already have code that allows a UNIX user and group list to be displayed at the NT dialog box (I checked it in this morning), but it will need to be heavilly re-written before it goes into the production release. Currently it enumerates the *entire* passwd/group database each time (imangine *that* CPU load on a busy NIS server :-). As for the ACL work - we are adding a layer such that Samba will send NT style ACLs into that layer on set, and get NT style ACLs back from the layer on get. This layer will be replaceable so that the ACLs can be mapped into the native ACLs that the filesystem supports, IRIX ACLs on XFS, HP ACLs on HPUX, Solaris ACLs on Sun (you get the idea).

The default mapping will be the current user/group/world mapping we have now. Unfortunately, until Linux gets support for POSIX ACLs then we will only be able to use the default mapping on Linux. We have always been against using a non-OS layer (ie. dot files containing ACLs) in Samba to control access as this is just a *home* for security race conditions (just ask the AT&T "Advanced Server for UNIX" vendors :-). Samba will always map the native filesystem permissions into NT ACLs and vice versa, and allow the underlying OS to perform the real access control. That's the only secure way. The challenge is to provide a mapping between NT ACLs and native filesystem ACLs that doesn't violate the principal of least suprises for the admin.

Report Comments
by brunes69

I am currently in the process of writing a university-level report for a course I am taking. The topic of the report will be SMB vs. NFS. I am not trying to identify a clearly "surperior" protocol, I am seeking rather to simply present as much detailed facts/benefits of each and have the reader decide for themselves.

Obviously you would be an ideal person to ask about this topic. What are your feelings as to the advantages SMB has over NFS, if any, and how could the benefits of NFS, if any, be carried over into SMB?

Jeremy:

A: SMB sucks! *Really* *really* sucks :-). The complexity of SMB is one of the main reasons that NT is so unstable (Win2K isn't much better here) as it is not possible to do a safe and clean kernel implementation of the entire protocol. They even process DCE/RPC calls in kernel space for heavens sake!

Please don't ask for Samba to become part of the Linux kernel for speed purposes (as some have done). Both Linus and the Samba Team don't want this. I'd rather be slightly slower but running on a robust system, than have kernel speed and NT stability :-).

As part of their CIFS/9000 product HP have added some UNIX to UNIX SMB calls - allowing SMB to have UNIX-like semantics. However, the SMB locking semantics are very crude compared to POSIX locking semantics (no overlapping lock ranges, no spits/merges, no lock upgrades/downgrades) so it makes a poor fit for a UNIX to UNIX protocol (unless POSIX compatible locking calls are added).

SMB wasn't designed remember, it grew like a particularly ugly wart - with layers and layers of glop added onto a simple DOS filesharing interface, so it has no consistency at all. It has a basic header size of *39* bytes for heavens sake !

NFS also sucks but for different reasons :-). Seriously, the only nice feature of SMB is server-terminated leases (aka Oplocks). Andrew and I have been talking with Peter Braam (he of Coda fame) about a new filesystem he is developing called "Intermezzo" - I have much higher hopes of that as a distributed filesystem solution.

This is *much* too long a question to answer fully here I'm afraid. It's a research paper topic (oh wait - that's what you're writing :-).

Samba and Active Directory
by dee^lOts

With the release of Windows2000 we saw the introduction of a new computer, user, group managment system. Microsoft included some ability to be backwards compatible with WindowsNT Servers, Microsoft also included the ability to run Windows2000 in "native mode." which effectivly disallows any NT client/server from participating in it's user management. How will this affect Samba? Will Samba include Windows2000 "native mode" support, also will the AD tools used to administer a Windows2000 Server be able to administer a Samba server?

Jeremy:

A: Not initially. AD is just an LDAPv3 server. Samba doesn't serve LDAP. However, Gerald Carter (one of the Samba Team) is getting ready to start working on Samba/LDAP integration, so that a Samba server will get all the user/group authentication info from an LDAP server. You really need to ask this question of the OpenLDAP team, as it's important that OpenLDAP get to LDAPv3 as soon as possible to work with AD.

This is another one of those "Samba won't become a version of NT on UNIX" questions. We will just co-operate with other services running on UNIX to provide the same functionality.

Right now Win2k client compatibility is being addressed (Samba 2.0.7) but to be honest so few of our users are actually using it in anything more than test servers right now it's too early to say what effect (if any) Win2k will have.

Running Win2k in "native mode" will, as you point out, prevent any current NT server from participating. Hands up how many companies are going to convert *all* their NT servers to Win2k immediately..... you there at the back, you're not fooling anyone... you know Microsoft, put your hand down - you know that NT 4.x will be on your network for several years at least.

Reverse Engineering SMB
by Anonymous Coward

Jeremy, first, a BIG thank you for your work, I am sure you could lay a pizza-track from Earth to Jupiter by now with the money you saved people who would have had to buy Windows NT-Server. The issue of reverse-engineering has become a very *hot* issue recently with the advent of CSS source-code to authenticate DVD-ROMs and also descramble the content. My questions:

- How much reverse engineering went into the SMB and WINS protocols, in contrast to real coding, say up to the first usable share exported from a Unix machine?

- Did you peek under Microsoft's hood and examine some VXDs or NT kernel drivers to get to those last and hardest 10% of insight?

- How important do you think is the roll-out of working PDC-code?

- Finally, on the law side of things, there is a German law that explicitly allows reverse engineering for the purpose of interworkability. What has been YOUR legal situation (being "down under"), has Microsoft ever asked you to stop your work (BEFORE they needed it in their DOJ case), or even threaten you with legal action or a life-time supply of pizza?

Jeremy:

A: I am *not* "down under". I have never been there :-).

Ok, now I've go that off my chest :-), reverse engineering by looking into Microsoft disassembled code has never been a big part of how we make Samba work. We use the published docs (which are enough to get you started) and do wire sniffs almost exclusively.

To get a first usable share took no reverse engineering at all. Andrew did that with all on his own with a packet sniffer and a *lot* of coffee :-). Most of the other protocol levels were done using the X/Open spec document and a lot *more* packet sniffing (and some help from a second hand bookshop local to me in Mountain View, California :-).

The initial NT Domain protocol work was done in the EU, where such reverse engineering is explicitly permitted. I also believe that Australia now has a similar law, so Andrew will be fine (I may have to go visit him if there is certain "sensitive" reverse engineering work that I need to do :-) but currently this has not been a real problem. Luke now has reached the point where he can look at an MS-DCE/RPC network trace and just *know* what the fields are (you think I'm kidding - I've seen him do it. It's spooky. He did write a book on this you know :-).

However, I am concerned with the insanity of laws like UCITA and the Digital Millenium Copyright act that the USA is becominng a very poor place to do technical work. I'd better hang onto that UK passport.... :-) :-).

VFS
by Quicker

At one time (when I actually had free time) I was getting into the VFS system that is in SAMBA. For those that don't know, a gentleman named Tim Potter had started the VFS code because he wanted to use SAMBA to mount his tape drive. I was interested in extending SAMBA with VFS to mount relational databases as a file system so I could just copy objects into the tables of a database using normal file manipulation tools like cp and mv.

I have been out of the loop for a very long time, but was wondering how things a going with the VFS stuff and if anybody else has picked up on it. The possibilities are endless. One could "share" FTP sites, databases, tape drives, archives (tar, gz, zip) to the masses who use Windows clients while keeping them in the familiar surroundings of the Windows Explorer filemanager.

What are the plans for VFS in SAMBA?

Keep up the good work.

Jeremy:

A: The VFS layer has been integrated into the HEAD branch, it will be a part of Samba 3.0 (along with the MS-DFS work done by Shirish at Veritas). It is *amazingly* cool, and will allow us to duplicate the functionality of Oracle8i (ie. the Windows client direct access via the filesystem into a database) using *any* database for which the POSIX bridge library is written (Informix, Sybase, Interbase, PostgreSQ, MySQL etc.).

This is something for which people will still be finding uses for long after Windows clients are dead and buried :-).

Someone has even written a Perl interface to it. God knows why :-). Man - hackers are *scary* people sometimes :-).

samba and grander networking schemes
by Matthew Weigel

With MacOS X coming out soon, it's possible that for the first time since OS/2 was popular there will be another consumer PC operating system able to work along with or replace NT, but it's also UNIX that supports storing the information samba uses in network databases (NetInfo, NIS), and it also supports providing access to older Macs through Appletalk.

My understanding of, for instance, Mac Services for Windows NT and UNIX Services for Windows NT is that it provides services from the same databases, just with different protocols.

So if you can see where this is going, is there any work on making samba able to make use of network-wide databases for user authentication, share specification (I know it can already use the autohome map, but more than that!), etc.?

In particular, I'm interested in things like:

Being able to authenticate netatalk, samba, and UNIX users all the same way (i.e., not having smbpasswd, NIS, and /etc/passwd all need to be updated every time a user changes his password or is added)

Being able to specify at the same time what my file server serve up, via netatalk, samba, and NFS (so I don't edit three configuration files every time I add a share, or move a share) Being able to specify from one system what each and every file server serves up, without having to connect to the machine in question and edit the smb.conf by hand (or by web)

Clearly this depends on more than just the samba team, but are there plans to add NIS authentication (i.e., instead of or in addition to smbpasswd), NetInfo authentication, and/or smb.conf NetInfo or NIS databases?

Jeremy:

A: Apple are very interested in shipping Samba with MacOS X (c'mon Sun - you're the last holdout :-). But the authentication problem cannot be solved without the co-operation of Microsoft. Remeber, it is the authentication mechanisms that their clients use that dictate what password hashes can be used on the server side. It is not in Microsoft's interest (being a monopoly on the desktop) to allow authentication integration with any other systems. They came close with the Kerberos 5 in Win2k, but then pulled back of full interoperability by that nasty TGT stunt they pulled (described above).

Of course is the clients are using plaintext authentication then Samba can already use whatever the server requires on the backend (NIS+, Kerberos, PAM, you name it), but this is not a good idea (and all Microsoft clients default to disallowing this by default).

As for alternate config methods - be my guest ! If you add the code, I'll integrate it....... But this is one area where interested parties need to work on the Samba code to add the features they want. I have a lot on my plate at the moment (NT printer driver downloads, ACL code, UNICODE work, back-porting TNG features) that I simply won't get to this myself in what you'd consider a resonable time.

But then again this is Open Source - it's *your* code as much as mine. If you want this stuff - add it! Or persuade one of the Samba vendors (SGI/HP/Veritas/*all* of the Linux vendors etc.) to add it. Vote with your code or your dollars....

Active Directory vs. LDAP
by wilkinsm

Now that Windows 2000 can use a basterized version of LDAP vs. the undecriptable SAM, does it become any more feasible to have Access Control Lists (ACL) work from Unix? What are your feelings on the "extenstions" that Microsoft made to the LDAP spec - are they insurmountable to decode?

Jeremy:

A: LDAP isn't my area of expertise. Ask the OpenLDAP team. AD doesn't have any effect on Samba providing ACL support one way or another, it's simply a different area of the code. As far as I know Microsoft haven't added any extensions to the LDAP spec - they just use either NTLM and Kerberos authentication in order to control access to the AD server. Sorry for the brief answer but as I said, LDAP isn't my specialist subject.

-------------

Phew ! That was a *lot* of typing. I think I'll relax now by waxing my pencil thin mustache, sipping a mai-tai and dropping by the Beverly Wilshire. I hear there's a Silicon Valley black and white ball going on in Palo Alto, and I need to practice my ooouuutrraaaageeeous acceeentttt. "HHHHHaaalo, my name is Jeremy Allison, your Weendows server eees dead, preeeepare to Samba...." :-) :-).

Cheers,

Jeremy Allison,
Samba Team.

This discussion has been archived. No new comments can be posted.

Jeremy Allison Answers Samba Questions

Comments Filter:
  • by Anonymous Coward
    [user@server user]$ grep ":-)" test.txt
    Long (*very* long :-) answer - it's a *very* subtle monopoly play by Microsoft
    greater hive of scum and villainy has yet to be seen, we must be careful" :-)
    with SUN ONC/RPC (which *did* work :-) they decided to use kerberos
    coincidently are also 128 bits :-) to represent the main userid and list of
    server process. Ah..... security :-).
    Now enter the 800lb gorilla..... :-).
    Microsoft professional developers conference :-) and have yet to see any
    either :-). Anyone who knows me knows I will drop my trousers at the
    York, so I can be excused. They said on the menu it was cat :-).
    :-).
    Besides, I think my pencil-thin mustache looks rather good.... :-).
    lick t'road clean w'tongue... :-) and it's *always* been fun. I'd do it even
    if I didn't get paid to do it (DONT TELL VA ! :-).
    this :-). SMB is such a *horrible* protocol it can't be properly documented,
    published specs, think, well this can't be so bad :-), and start coding. Then
    pain :-). Many of them end up licensing Microsoft server code, or start using
    branch (The Next Generation, for all you Star Trek fans out there :-) in
    - no - *depend* on that date slipping :-).
    *definately* a less secure model - you can trust me on that :-). If you need
    A: Good news for you :-). HP has contributed a large chunk of code to do
    *that* CPU load on a busy NIS server :-). As for the ACL work - we are adding
    "Advanced Server for UNIX" vendors :-). Samba will always map the native
    A: SMB sucks! *Really* *really* sucks :-). The complexity of SMB is one of the
    speed and NT stability :-).
    NFS also sucks but for different reasons :-). Seriously, the only nice feature
    research paper topic (oh wait - that's what you're writing :-).
    A: I am *not* "down under". I have never been there :-).
    Ok, now I've go that off my chest :-), reverse engineering by looking into
    that with all on his own with a packet sniffer and a *lot* of coffee :-). Most
    me in Mountain View, California :-).
    certain "sensitive" reverse engineering work that I need to do :-) but
    write a book on this you know :-).
    technical work. I'd better hang onto that UK passport.... :-) :-).
    Windows clients are dead and buried :-).
    Someone has even written a Perl interface to it. God knows why :-). Man -
    hackers are *scary* people sometimes :-).
    you're the last holdout :-). But the authentication problem cannot be solved
    Jeremy Allison, your Weendows server eees dead, preeeepare to Samba...." :-)
    :-).
  • by Anonymous Coward
    The Folks down under and the Brits don't like to be confused with each other.

    I don't know about the other way 'round but I'm not aware of the Brits (ie us) having anything against the Aussies. It's just that people get annoyed when other people confuse their country with one on the exact opposite side of the planet!

    I am under the impression that the relationship of US Vs Canada is the same - at least they are joined, so there is someexcuse for confusion.

    Mind you, I'm from Northern Ireland, where that sort of mistake can literally get you killed.

    TWW

  • Whats the matter? Did the big bad Unix man hurt your feelings? Don't you have some Visual Basick work to finish?
  • by Anonymous Coward
    I'd like to see every interview involving a Free Software hacker add the questions "Do you need volunteer help? What kind of projects can you offer newbie hackers who aren't real experts on your code yet?" Should we make this conventional, or just try to waste one of the n questions each time?
  • by Anonymous Coward
    Sun have a similar product to Samba - PC Netlink http://www.sun.com/software/solutions/interoperabi lity/netlink/index.html.

    I'd be interested to hear if anyone had tried it and had comments on how it compares to Samba. As far as I can see it comes free with Solaris, is fully supported and means if you're running Sun, there's no need for Samba.
  • Simply because they assume, from Samba's being "based" in Australia, that all the dev-team are Australians too. Which, in this world of global connectivity, is no longer a valid assumption!

    (linux.com is based in the US, but Linus isn't an American. Nor is Alan Cox.)
  • Well, I lived there for 18 years, and I'm still not classified as Welsh. Mind you, it's probably the lack of accent more than anything else. Lord knows why.
  • Honestly, it is. You just the let the default install do it's thing, then set up SWAT in inetd. After that, it's *totally* web based admin. Not only that, it's one of the few *good* web based admin tools I've seen.

    I never thought I'd do this, but now, I fire up a browser rather than go and edit the config file with vi. It's that easy.
  • Share and Enjoy? Awful motto for a great product. Microsoft is the equivalent of Sirius Cybernetics Corp not SAMBA.

    I know that by association it's awful, but it makes so much sense! Just set up your shares with Samba and enjoy the peace and quiet of having the bloody thing working!

    And judging by the interview, he's definitely a mix of Ford and Zaphod. Although I have to say I've never met the chap. Something I consider to be entirely my loss now.

    I shall leave connections between the Heart of Gold and the Linux kernel up to you... (I'm a FreeBSD nut, anyway)

  • Alan Cox? Swansea. I say nothing else. He has not the decency to go further West.
  • No he's not, he just lives in Wales. He was born in (I think) Birmingham.
  • Like the ones you can hunt in South East United States? [state.fl.us]
    ^~~^~^^~~^~^~^~^^~^^~^~^~~^^^~^^~~^~~~^~~^~
  • Damn those drop-bears -- they're nearly as dangerous as the pernicious North American Snipe.
  • It's not very good. I speak from experience.

    First of all, it's only free if you buy a new Sun server. Not if you're already a multi-million dollar per year Sun customer. Thanks for that one, Sun. Also, the alleged "$1500 value" isn't what they'll charge you if you try to purchase it - they get you for a lot more. Still, these aren't technical issues, so if it was a truly great product I'd forget about it.

    However, it has several strange design issues. The worst one, in my opinion, is that it can't get user information out of NIS, NIS+, LDAP, or any other scheme - only /etc/passwd and /etc/shadow are supported. This is simply ludicrous for Sun, the people who originated NIS and NIS+. We run several other information services, but PC Netlink can only use those old classics. Note to any Sun programmers: it's called getpwnam() and can be found in your C library! /etc/nsswitch.conf is worth looking into for this sort of thing.

    As noted above, I'm at a big Sun shop, and we still went with Samba. Of course, I don't speak for my unnamed employer, and all my opinions are my own. My opinion of Sun is that while they make excellent hardware, and the best commercial Unix currently available, their sales and service divisions are little better than criminals.

  • Finally, an eccentric englishman I can look up to!

    Didn't you read the article? He's from Sheffield. They're barely human up there, let alone Englishmen! As the saying goes, it's grim up North! :-) BTW, is Alan Cox not eccentric enough for you?

  • Share and Enjoy?

    Awful motto for a great product. Microsoft is the equivalent of Sirius Cybernetics Corp not SAMBA.

    Hmmm, does that make Jeremy a Ford or Arthur? Seems more like a Ford kind of guy, which, of course, means that he is an alien. Which, if you think about it, he really is.

    I wonder if Linus is getting fitted for a third arm so he can wave at the crowds while playing Quake at the launch of the 2.4 kernel? Hmmm.
  • We are waiting for your patches...

    Besides, a horrible lot of LDAPv3 is already implemented in HEAD.
  • Maybe you only see the workstation side, so it's non-obvious -- Planning, installing, and configuring all of the domain controllers, WINS machines, DHCP machines, and Master Browser machines for a 50,000 system WinNT LAN is a non-trivial operation. Way more than 20 minutes per server.

    Windows networking seems easy because the machines will broadcast and small LANs are "auto-configuring". However, on a large network it actually takes some real work.

    As for Microsoft Premier Support, it just means that you have the priviledge of having a higher paid employee tell you that "It's not a bug, it's a design issue." (Actual words spoken to me from Microsoft in 1996 wrt an issue with Win95 users changing their NT Domain passwords with certain policy restrictions in place.) If you want any real help from Microsoft, you need to open your wallet and bring in the Microsoft Consulting guns. Not exactly "support" at that point..

    --
  • Welllll, the main problem was that the "IT Professionals" were too busy being guardians and weren't busy enough providing useful applications to users like Word Processors and Spreadsheets and BASIC interpreters.

    Frankly, it sucks that we had to have a "PC Revolution", but frankly overthrowing the powers-that-were was the only way to get anything out of the damn computer. Now were stuck with the mind-numbing task of putting the glass house back together again, something that nobody has quite figured out how to do. (And isn't Linux on the desktop a poor way to start?)

    Meanwhile the "IT Professionals" have become the guardians of anti-virus DAT files and Ghost reinstall images. And the users have their Microsoft Excel, their Lotus Notes, their Quake III, and their porn sites. It's drudge work, but a far more profitable racket than "qualty and stability" ever was...
    --
  • You need to type man smb.conf from the command line, read it till you can quote it, then write smb.conf from scratch and you won't have any trouble. I can set up a new working SAMBA box in around 20 minutes, consistantly.... it NEVER GIVES ME GRIEF. I was a contributing writer on SAMS new SAMBA book, but that's just 'cos I made SAMBA my mission in work (NT death by replacement count 7 boxes, $36k in user licenses and counting....)
  • Unless 400,000 minutes of configuration for the LAN client alone sounds like fun of course...

    gruntvald [slashdot.org] meant 20 minutes per server, not per workstation you dimwit.

    Samba [samba.org] runs on the server, not the client.

  • With a Server set up as the PDC of a domain, it's understandable, but if I get a "Can't access \\MyMachine\IPC$" error when trying to connect to an NT workstation that's on the WORKGROUP, I figure SMB is broken somehow.

    That problem is an authentication problem. Not SMB itself. (like saying problems with X has nothing to do with Linux itself..)

  • Alan Cox is Welsh.
  • FYI, solaris 8 ships with samba. It's on
    a secondary disk, but it's there. (it also
    ships with bash, apache, gcc, perl, and lots
    more)

  • Offtopic? Aren't you familiar with The Princess Bride? It's a followup on "HHHHHaaalo, my name is Jeremy Allison, your Weendows server eees dead, preeeepare to Samba...."

    Geez. It made me laugh.
  • then you have to get into bed with Microsoft to get a license for SAMBA

    I mean get a license for the windows implementation of SMB.

    Sorry

  • Beware... Anger, fear, aggression. These are the darke side of the force.

    What you are talking about is user intrface and ease of use, not quality and stability of the software. It took hardware quite a while to catch up to what would make ease of use a reality for the average user. When hardware did catch up Microsoft through a monkey-wrench into it all with Windows.

    The Unix-based Minicomputers that you talked about had MUCH beter stability than any WinBox. The software was of much higher quality than any software Microsoft has ever produced!

    So I'll keep my sig' 'till you can provide a much more valid arguement!

  • I talked with Jeremy at Linux World in NY about solving the CR/LF issue. He told me to implement a version of this using the VFS. I have yet to get started (I'm working heavily on something else at the moment) but I'm hoping to try it later (possibly in the summer) even if somebody else gets to it first. I think it would be a great exercise in writing stuff with the VFS.

    Steven Rostedt
  • You are sooo right!! The two names are synonymous with me, that I posted once that I met Jeremy back in NY, and it was actually Andrew that I met. I have never met Jeremy, so please ignore my previous post [slashdot.org]! Thank you.

    Steven Rostedt
  • Correction, after reading another post [slashdot.org], I realized that I confused Jeremy with Andrew Trigdell. I never met Jeremy, it was Andrew that I met in NY. Sorry!

    Steven Rostedt
  • After I submitted this, I figured that someone would argue this point.

    Actually, I agree that it is correct procedure to do that. The problem I have is that the documentation has plenty of errors. It seems that even the MS developers don't use the documentation. Mr. Lewis was mostly upset that it is common that the documentation is bad. Not that they fix it. But it shouldn't be as bad to begin with, that is the problem.

    Sorry, but I should have been more clear up front.

    Steven Rostedt
  • They do not fix the spec, that would reduce the confusion of the developers that might try to implement something from it. A spec is put out by Microsoft to maximize confusion and to be able to claim to work with Internet standards.
  • I really hope you're joking - I mean, 20 mins per box is not exactly a proud boast. I work for a company which has 50,000 employees and 20,000 deployed workstations in one rather small European country alone (100% NT 4 boxes, before you ask). In terms of rapid deployment and having a network which works straight away, Samba is next to useless. Plug an NT box in, and as the orignal poster observed, it works and sees everything immediately. Unless 400,000 minutes of configuration for the LAN client alone sounds like fun of course... OK, so it's time for some big flames, among which: Yeah, but put a Win9x box on there and you won't see a thing! Correct, but people who use Win9x to do business on a corporate LAN should be shot. Non-existent security and remote management, combined with the stability of a drunk, mean bad things... OK, but why pay for M$ when you could have Samba servers for free? Because in terms of a large company, the license costs are largely irrelevant. Licensing is a tiny fraction of the TCO; much more important are things like hardware support, application availability, and a guaranteed escalation channel for support issues. But M$ support is useless anyway! No, you just haven't had the benefit of a Premier Support contract... Actually, I have, and it's still not good. Fair enough, they're not IBM, but the corporate clients are getting something extra for their support bucks... You sound too much like a big corporation apologist! So what? I happen to have worked for very large TLA companies all my life. This is the way things happen in that environment, and all the idealism in the world isn't going to change that overnight (if ever...) Yeah, but it doesn't matter - M$oft sucks! Linux rules! That's just to save someone having to type the usual response to comments like this ;-) Basically, grow up and try to comprehend that the sooner Linux matures, the better for everyone, but for now, it's second fiddle to Solaris and NT when it comes to the world of big corporations. I won't dispute that it can do the job well in some markets (ISPs. *NIX shops generally), but if you expect to see it blow away NT any time soon, you're deluding yourself.
  • how about mounting a pager number or a fax machine or an instant messaging client? or even an email client. Anything that gets dragged and dropped gets sent. It'd be useful here to put filesize limits of course :)
  • We should be allow to moderate into oblivion. This post is in the more terrible of taste. Geeze.
  • Coom ere an say that, lad, an ah'll flatten thee!
    --
    Cheers
  • 98 machines can talk to 98 machines and 95 machines. But try getting a 9x machine to talk to an NT machine. It's a pain! With a Server set up as the PDC of a domain, it's understandable, but if I get a "Can't access \\MyMachine\IPC$" error when trying to connect to an NT workstation that's on the WORKGROUP, I figure SMB is broken somehow.

    Samba was a pain for me to configure the first time too. But then I figured out the magic trick (it was simple, and I wrote it down, but I forgot what it is, so it's a good thing I wrote it down), and now everything is happy. It's no more of a pain than your average NT workstation in a sea of 9x machines. And it works oh so much better.

  • Please don't grep the guests.
  • Like today I was trying to transfer two large-ish (20 MB) graphic files from Sven, my wife's Win95 box, to Marley, my Samba server. Not terribly had to do, especially since I've set it up and used it a million times before.

    Except I couldn't see Sven from either of the other two computers. Went across the house to her computer, pulled up the network neighborhood, and could see the other two from there.

    She had network access, though, and I could ping the other boxes... This is fairly typical in my experience with SMB networking, even peer-to-peer Win95 Networking. They should just call it Windows Notworking instead.

    I never have any problems getting into my Samba server though, wonder why that is.

  • That depends... I've had many problems with Windows networking in production environments. Windows will sometimes see the other machines, but not be able to access anything, then at other times work just fine, and then it will come up and not even see itself, then it will only see half of the machines, not seeing machines that can see it and access it...

    Windows networking easy to use, maybe, reliable, not at all.

  • ROFL, I was laughing my ass off. Okay so its nerd humor but Ive found very few people who use smiley's as often as me. Not to mention he has a cool first name *wink*

    Jeremy Allen<----Me
    Jeremy Allison<-----Him
    hehe

  • aww no way smileys are cool :-) :-)

    I use a lot of smileys to <G>

  • You are SO wrong. Does anyone even need to flame you to let you know that?

    I have a test for you Mr. Coward. This proves how big of a man you are.

    Go to savanah GA where Jason is in the hospital and if you see how easy it is to poke fun at people who are suffering

    I don't even really think this is necesarry except you are doing this on purpose but you have no idea how incredibly insensitive this is? Or do you just enjoy hurting people?

    I wonder...

    Go somewhere else.



  • There is a plugin for FAR (A very good quality shareware Win32 console mode Norton Commander clone) that allows one to nagivate the registry as if it were a filesystem. There are similair plugins for network browising, browsing resources in PE-COFF .EXE and .DLL files, etc.

    I wish somebody wrote an ext2 plugin. FSDEXT2 does not work on NT (and doesn't support 4096K blocks...).

    Of course this (like Midnight Commander's VFS) is available only for a single specific program.

  • by r0y ( 143051 )
    U/WIN from AT&T does this, se http://www.research.att.com/sw/tools/uwi n/ [att.com].
  • Oh great now someone has invented the Samba drinking game
  • It appears that VFS will allow Samba to mount a database and give transparent usage of that database to a regular Windows/Samba client. I thought it would be cool to brainstorm different things that you could do with this option. It sounds so cool, but I don't know why. Anybody have any ideas?

    I don't know VFS but given the (short) presentation made in the interview it sounds really COOL.

    The only problem I see is that the US are currently screwing everybody that isn't as big as MS or AOL/TW by giving patents on obvious stuff.

    So the idea is to put up a web page somewhere with a perl script (or PHP if you prefer or whatever suits the guy making it) that allow people to put ideas on it about all the cool things that could be done with this stuff, and anybody that got a weird idea but don't know what to do with it can put it here instead of keeping it in his head waiting for john shmoe with big$$$ to patent it.

    Of course what I propose is not new, many people proposed things like it before, and maybe some already made something like it, but given the coolness factor of this and the broad range of things you can do with it i think it is a good moment to talk about it again.

    If you already have done something similar or even better (ideas being sorted for example, or moderated to avoid having fucking trolls) then you could post a link to it below and describe it.

    One idea that could be added to this:

    This collection of ideas could be organised as a database, you can type in your idea, and add to it a certain number of attributes (genetics, computer science) or maybe even attributes and sub-attributes, either by the author or by the moderator, people could also refer older ideas when they write their own or add an addendum to the idea (for example, a possible design/implementation that is more detailed than the idea).

    Hey, such a database could be also useful for finding ideas to implement in our software!

    We could even use /. as a base for it, not by clobbering normal threads but by using "hidden" fora like the forum idea [slashdot.org] or the forum Computer Science [slashdot.org]...

  • When is OpenLDAP going to get their sh*t together?
  • I wonder why people are always confusing Jeremy Allison with Andrew Tridgell?

    Andrew is the one in Australia, Jeremy is from England.

    In person a lot of people mess them up because of the accents but in print, why does this happen? Not to knock the people who asked Jeremy about 'down under,' I just think it's funny that it happens so often.
  • Ha, you've found us out.

    My friend, klthekiten and I are actualy starting a company in about a year based almost entirely on this product. Some of the options have been mentioned, voice mail, email, etc... Different attributes would show up in different folders (directories) in the filesystem. There would be a voice mail directory, with checked and unchecked directories.

    Also a revision control system much like Clear Case, and document tracking. The perl extentions would make these things easy and fun, and customizable to a companies basic information flow needs. The beauty of the scheme, and hopefully there will be room in the design for this, is that managers can be given a database app to help them handle the manipulation of data also.

    So in three different areas of useability, the same information looks like three different things. To the programer, they see API, a manager sees an application and a user sees a very caged and secure filesystem.

    This is the stuff.... Sorry if I typed it to fast to be legible. It makes me giddy as a bubble maker...
    ^~~^~^^~~^~^~^~^^~^^~^~^~~^^^~^^~~^~~~^~ ~^~
  • I think many people are confusing Jeremy Allison with Andrew Tridgell; the latter _is_ from Australia, and no doubt eats koala and emu twice daily.
  • Their mailing list is regularly snapshotted. This one is # 17 [linuxcare.com].

    Cheers,
    Ben
  • Probably not. I hear emu is pretty scarce right now. Drop-bears have been killing emu-hunters left and right.
  • Charming, witty, can't spell worth a damb... it's people like Jeremy that make the world love the Open Source phenomenon.

    One more to add to my Hall of Heroes.

    --
  • That's funny. I'm going to start walking up to Brits and Canadians and asking them how things are going 'down under' Then asking "are you sure you're not Australian" when they say that they aren't. I think this is a prime chance for Jeremy, he can live a debaucherous life and pretend to be Austrailian and make the whole lot of 'em look bad.
  • This is one of the reasons that Samba is becoming so popular as an OEM SMB solution, as writing your own SMB server from scratch is *hard*. People look at the published specs, think, well this can't be so bad :-), and start coding. Then they find the way the clients deviate from the spec and they're in a world of pain :-). Many of them end up licensing Microsoft server code, or start using Samba. SGI, Veritas, HP, Cobalt, Whistle (now IBM) and too many others to count are all shipping Samba based products now.

    With examples like this of GPL code moving into main stream products we will see corporations being forced to publish software under the GPL.

    If you don't want to release your software under the GPL then you have to get into bed with Microsoft to get a license for SAMBA.

    Just one more example of Microsoft beaten by "amatures"

  • The Folks down under and the Brits don't like to be confused with each other. A story I like to relate is of an Ausie manager presented with a Brit who has applied for a programming job at a US Company. The HR people are explaining to the Ausie all the goofy stuff you have to fill out and post on the company board when you give a high paying job to an alien. When they are done explaining the problems he says "That's not the problem...I'll tell you what the problem is...he's a f*cking Brit! They're lazy and if I see him slacking off I want him out the door!"
  • You can get samba pre-packaged for Solaris 8
    at the Sun freeware [sunfreeware.com] site. The site is actually sponsored by Sun.

    Solaris 8 includes Perl & Apache, and the media
    kit contains a CD-ROM with lots of their freeware
    packages.
  • by six809 ( 1961 ) on Friday March 24, 2000 @09:40AM (#1176037) Homepage

    Well, as for "Someone has even written a Perl interface to it. God knows why", all packages grow until they have the ability to

    a) read mail, and
    b) be interfaced to perl!

    Good interview. I especially liked the "not trying to be *too* like 'doze" attitude. It's important to interact (at the moment), but you certainly don't want to sacrifice your OS's good points just to pander to the Windows types. Many people have perfectly legitimate reasons for using SMB (over NFS) in a Unix-based environment (NFS does, truly, suck in some situations), and until something better comes along...

  • In response to the question to Jeremy about work on making Samba authenticate against a network database, I'd like to put in a plug for Ganymede, the GPL'ed metadirectory we've been working on for the last four years.

    With Ganymede, all network directory information is held in the Ganymede server's object database. When anyone creates a new user account or changes a password, or whatever, Ganymede writes out the appropriate data into the appropriate network directory services.

    Here at ARL, when an admin creates a new user, that user's vital information gets set up in NIS, tacacs, Samba, and on a real live NT PDC via rsh and a Win32 Perl script.

    Ganymede is extremely customizable and expandable, and includes password logic designed explicitly to support an NT PDC and Samba server as best as can be done, given the difference in password formats, and the difficulty in keeping things synced without keeping plaintext passwords around on disk.

    We're working on preparing a 1.0pre1 release which will change a lot of things in the Ganymede system, including support for XML data import/export, but people interested can take a look right now at http://www.arlut.utexas.edu/gash2 [utexas.edu].

  • by ryanr ( 30917 ) <ryan@thievco.com> on Friday March 24, 2000 @07:38AM (#1176039) Homepage Journal
    VFS sounds interesting.. I hadn't heard of it before. Any chance it'll be ported to NT? I've often thought it would be useful to walk the registry from a command prompt as if it were a filesystem.
  • Than your typical /. article about M$, though I think a good point is made when he says (paraphrase):
    If you want
    X, you know where to go: http://www.microsoft.com [microsoft.com]

    I have not personally played with Samba, but I think this interview was very informative. It's good to know that the stable of legitimate alternatives to expensive, proprietary software is growing into niches that even PHB's can appreciate. I got sick of using warez for "educational" purposes...

    --

  • by MattMann ( 102516 ) on Friday March 24, 2000 @09:40AM (#1176041)
    I believe you when you say Microsoft's SMB is full of bugs, inconsistent, etc. But, whenever I plug Windows machines into a network, they can see each other and connect to each other. It takes me many hours to make Samba work in a new environment, and sometimes I never can get it to work, and with the next rev of my distro, back to zero again. Believe it or not, I find sendmail easier to configure than samba.

    What is going on? I'm not alone because there are a number of people who consider me to be their expert and ask me to set it up for them. And, not everybody knows me. It's a shame to see all of your good work go to waste in so many instances. Does Microsoft work around their own bugs by trying lots of combinations till something works? Whatever it is, can Samba be made to get to work as effortlessly as does the buggier Microsoft version?

    Once Samba is working, I like it a lot better. I suggested once, and they all laughed, but I'll suggest it again: it would be very cool to run Samba from a Windows machine instead of the native SMB. It's a much more powerful and flexible implementation: but, more than a little cranky.


  • I've noticed that the ones who bash Microsoft the most happens to be the Samba folks. This is probably due to being frustrated at them. As Jeremy stated in the article, Microsoft's documentation does not always map to what the clients actually do. SGI came to my place of work and held a Linux Seminar, and they employ one of the Samba Team members (Herb Lewis) and he seemed very frustrated at having to deal with Microsoft. He told me that they would notify MS about something not matching the spec, then MS would go and look at the code, and come back saying "you're right" and then fix the spec. This is common with MS.

    If anyone outside of MS has the most knowledge to how MS products work, it is probably the Samba team members. They are not given the luxury that MSCEs have in playing with the tools that manipulate SMB. They have to know exactly how it works. As Jeremy says, the specs are what comes across the wire. I have the utmost respect for the team, and I hope they keep up the good work. I do personally play with Samba, both at work and at home, and it definitely is a godsend.

    Steven Rostedt
  • I just wanted to say that this was a wonderful. I found it very informative and very very funny. It had the best short description of what Kerberos is that I have ever scene. I also like what he was mentioning about VFS. So, here's my comment:

    It appears that VFS will allow Samba to mount a database and give transparent usage of that database to a regular Windows/Samba client. I thought it would be cool to brainstorm different things that you could do with this option. It sounds so cool, but I don't know why. Anybody have any ideas?

    What could you do with VFS and Samba?

One person's error is another person's data.

Working...