Samba 3.0.0RC1 Released
dook43 writes "Samba 3.0.0 RC1 has been released as of 8/16. Probably the most important new feature is its Active Directory support, but the rest of the new features can be found at the website."
Active Directory (Score:5, Insightful)
Way to Go Samba!
Re:Active Directory (Score:5, Funny)
Having the Active Directory support is really a bug feature
Now, was this a Freudian slip or what...
Anonymous Cowards Unite
Re:Active Directory (Score:2, Informative)
Bug= Big
Re:Active Directory (Score:2)
Did he mean "big feature" or "bug feature?" You decide.
Changes to Auth system (Score:4, Interesting)
been almost completely rewritten. Most of the changes are internal,
but the new auth system is also very configurable.
Does this mean I won't have to authenticate for every directory I access?
(Or are we misconfigured from the get go, and I should know and fixed such an issue
Re:Changes to Auth system (Score:4, Insightful)
And don't forget all those switches that are platform dependent, remember the source code is the documentation.
Re:Changes to Auth system (Score:2, Funny)
Yes. The term for these people is "Professionals". That's why we make money doing it.
Which is why... (Score:2)
Re:Which is why... (Score:4, Interesting)
I just got back from a weekend retreat, but I have written a script/gui for doing this, and it works fine in production (where the people know what they are doing) but the setup is pretty automatic, and the gui (based on kommander (part of quanta atm)) allows a simple gui interface to the setup, which should all work, but as I said I need people to play with it and break things!
It should work for gentoo and redhat, atm.
sloppyadm.sourceforge.net if you are interested in helping.
Re:Which is why... (Score:2, Insightful)
> box with very little administration
That would represent a very radical change in Microsoft policy.
Don't get me wrong, NT has some things going for it, but "doing
it all out of the box" isn't one of them. All that stuff is
*available*, of course, and once you install it you have a
pretty decent system, but it's not included OOTB. The reason
for this goes directly back to Microsoft policy: the OOTB system
is a base platform with basic functio
Re:Changes to Auth system (Score:3, Interesting)
Re:Changes to Auth system (Score:5, Interesting)
I say this because there are too many poorly documented applications out there. Documentation too often is looked at by the marketing department and dumbed down so nobody might get scared of it. If you have ever looked at the home service manual for a Saturn (the $500 one that's an option) that nearly would allow you to machine replacement parts, that's documentation. Want something easy to read with pretty pictures? Get a For Dummies book, aka the dumbed-down book from somebody that read and understood most of the documentation.
Re:Changes to Auth system (Score:3, Funny)
How dare you discriminate against those poor people that can earn obscene amounts of money by learning how to pass MCSE exams without the slightest bit of computer expertise?
You, sir, are a cad, and a Unix elitist bastard. Anyone knows that true enterprise solutions only require a few mouse clicks to configure, and that manuals are for those who have overstayed their contracts.
Have to say I agree with you 100% though ; /.
Re:Changes to Auth system (Score:2)
BTW I like the right tool for the problem. Believe it or not, clusters of Linux boxes don't work for any problem yet.
Re:Changes to Auth system (Score:2)
Re:Changes to Auth system (Score:2)
Re:Changes to Auth system (Score:2)
Damn it! (Score:5, Funny)
Shit.
Re:Damn it! (Score:2, Funny)
Lucky Linux users (Score:5, Funny)
Re:Lucky Linux users (Score:5, Insightful)
Comment removed (Score:4, Funny)
Re:Lucky Linux userssimple registry change (Score:4, Informative)
echo Allow a maximum of 255 concurrent connections to this machine
reg add "HKLM\System\CurrentControlSet\Services\LanmanSer
see http://thegoldenear.org/tweak/ for more
Re:Lucky Linux users (Score:5, Interesting)
Re:Lucky Linux users (Score:3, Interesting)
Re:Lucky Linux users (Score:5, Insightful)
Re:Lucky Linux users (Score:5, Informative)
There is an open source GINA implementation to auth against other services.
http://pgina.xpasystems.com/
I think it comes in two parts, one a general backend and there are a bunch of different auth systems.
Re:Lucky Linux users (Score:5, Funny)
(For non-US, that would be VA)
Re:Lucky Linux users (Score:4, Funny)
But seriously. If you think AD is written in VB, I've got a GNU/Bridge to sell you.
Re:Lucky Linux users (Score:3, Informative)
Unfortunately, GINA doesn't do everything, and it is (or at least was when I had the misfortune to write a replacement GINA) very badly documented. We had a $40K support contract with MS to provide us development support for this, but it was a complete waste of money - they couldn't answer our questions. We ended up essentially reverse engineering msgina.dll to find out exactly what needed to be set for everything to work correctly
Re:Lucky Linux users (Score:4, Interesting)
The standard stuff is fairly standard. inetOrgPerson is available as an add-on (which I think is lame, but you can get there from here). Many of the other "compliant" directories have their own blind spots too.
The nonstandard stuff is sometimes doc'd, sometimes not; for instance, if you are expecting full docs on how GPOs are represented in the database, you will be disappointed. Then again, why would you code to their goofy extension?
One thing I think is *lame* is the 5k size limit on number of users in static groups. We are using dynamic groups/roles for some stuff, but static groups are a useful adjunct to that. 5k is just pathetic.
Re:Lucky Linux users (Score:2)
Re:Lucky Linux users (Score:3, Interesting)
Export of passwords? Hmmm, given that the big metadirectory solutions have a problem doing this with non-AD servers, why should AD be different? They're called "salted hashes", by the way, and everyone does them a little differently. Exporting the clear password would be a horrible security problem.
How to push authentication credentials? If you mean importing accounts, then the above answer applies. You can always go over SSL as well. Do
Ben Franklin? (Score:4, Funny)
Programmer Analyst
Davenport, FL
Man, couldn't he find a better place to live?
Re:Ben Franklin? (Score:2)
Another bonus (Score:5, Interesting)
Great job, Samba team!
The Samba Docs (Score:5, Funny)
Under debian (Score:5, Insightful)
I've only experienced a few cases of "lock outs" of all clients, the first time because the init script didn't successfully kill all smbd's before starting new ones and the second time... Who knows, a restart of it helped fine anyway.
Other than that it seems pretty good for me with W98/W2K/XP Pro clients using different languages, except for some random slowdowns in access to it but nothing major.
Also, that build is compiled with GCC-3.3 if anyone's interested in that.
AD Controller Not Yet Supported (Score:5, Informative)
From the 3.0 FAQ
The samba team is doing a great job moving forward. What I would hope to also see in the near future is support for creating a (Linux) directory hierarchy based network using samba that will allow both MS and non MS clients. It would be nice to be able to create an LDAP directory trust relationship to your friends/family/etc.. network to allow logins between them...
Re:AD Controller Not Yet Supported (Score:5, Informative)
Once they have AD controller support, that part is easy - and also not exactly Samba's job. Just create appropriate schemas for your LDAP server and have a Samba AD controller authenticate client requests via LDAP. What's not there yet is the ability to handle MS Kerberos properly - creating the Kerberos tokens in the proper format and passing them off to the client is more of a barrier than any LDAP protocol issue.
Re:AD Controller Not Yet Supported (Score:2, Insightful)
Re:AD Controller Not Yet Supported (Score:4, Informative)
So here's the deal. AD domain controller support is really a nebulous phrase because it involves a lot of different things. Before the end of last week, an OpenLDAP server could not fool most AD clients into thinking it was a Windows LDAP server. This is no longer true though since we now have proper GSS-SPNEGO support.
I got Windows client authenticating without modification to a Heimdal KDC quite a while ago (with fully signed PAC etc.).
What's really missing at this point is actually a number of RPCs in Samba. Problem is these RPCs are coming directly over TCP (normally they're part of a named pipe over SMB) and they are encrypted. We should be able to figure these out soon enough though.
What's most interesting though is that of all CIFS vendors, Samba is by far furthest along in AD compatibility (well... sort of).
Re:AD Controller Not Yet Supported (Score:2)
Cool feature that is easy to miss (Score:5, Informative)
Now, I would just love to see this in smbfs [swin.edu.au].
Re:Cool feature that is easy to miss (Score:2)
Re:Cool feature that is easy to miss (Score:4, Interesting)
Re:Cool feature that is easy to miss (Score:2)
that's not true .. (Score:5, Informative)
AdvFS, currently on HP's Tru64 Unix and also (already) ported to the up and coming combined Tru64 + HP-UX offering, called Enterprise Unix, has a snapshot feature called 'cloning'. A cloned filesystem is mountable, and only contains pointers to the blocks of data on the original. Further write operations on the original first copy the data block to be changed to the clone before allowing the block to be replaced. It takes seconds to create a clone of a terabyte filesystem and then you're back in business. This feature has been around for years!
You shouldn't make statements like that without doing your homework.
Mac OS X integration? (Score:4, Insightful)
Re:Mac OS X integration? (Score:5, Informative)
Some version did. [apple.com]
Re:Mac OS X integration? (Score:2)
Re:Mac OS X integration? (Score:2)
*excluding OpenDoc, Bedrock, Copeland, Yellow Box for Windows . .
Re:Mac OS X integration? (Score:2)
Given, a SW update would not be difficult, I'm sure there is more beta SW in the OS distribution than I'm aware of. Just my mind wandering.
Re: (Score:2, Informative)
Wins support (Score:3, Interesting)
Re:Wins support (Score:5, Funny)
And just what will the offspring of this Windows/Unix replication be like? Will its NT kernel be able to handle Unix-style system calls? Or will the offspring be a penguin with Bill Gates' face?
No matter how I look at this, I just cannot see that this "replication" can be a good thing. You're going to create an abomination that will bring only misery to the world. Keep your computers on opposite sides of the room, with very short power cables, or you will doom us all.
/me goes off to look up "replication."
Samba is the greatest (Score:5, Interesting)
Re:Samba is the greatest (Score:2)
Sure they always try to throw those arguments, but let me be the first to tell you that joes manufacturing company only cares about the cost not what operating system they are running.
Stupid question... (Score:2, Funny)
Being a good implementation (Score:2)
Re:Stupid question... (Score:2)
If you're talking about the viruses that simply "infect all Word files it can find, even on network shares," for example, then running Samba instead of Windows makes no difference. The infected client simply sees a share like any other -- that being the whole point, after all. The Samba server simply sees a write request like any other.
So yes, files shared via Samba can be infected, if it's that kind of virus.
Exploits that try to break into a Windows file server directly (as opposed to writing to exp
Looking for some info. (Score:2, Interesting)
Re:Looking for some info. (Score:5, Informative)
LDAP servers are pretty much quasi-object-oriented databases (LDAP is the protocol used to talk to the server). On a Unix-like system, you could store all the user information (/etc/passwd, /etc/shadow, /etc/group, everything) in an LDAP directory. But you can really store anything in an LDAP directory, such as the complete DNS database for a server. This can be handy because LDAP has replication and such built right in, so you no longer need to worry about DNS replication. These are the two big things stored in the Active Directory in Windows (user information and DNS records).
As for Kerberos, it's a secure authentication mechanism. The whole process is kind of complicated, but here are the basics. When you log in to a Kerberos domain (this is just a normal domain login for Windows) what you are doing is requesting a Ticket-Granting Ticket (TGT) from the Key Distribution Center (KDC). The TGT is returned, encrypted. If your password decrypts the TGT properly, you're logged in. Note that your password never goes over the network! Now you want to access a service on another machine in the same domain. You give your TGT to the KDC, asking it for a ticket to the specified machine. You get the ticket back, then provide it to the server. The server verifies the ticket similar to how the TGT is verified at login, and if it passes, then you've identified yourself securely. This means you don't need your password at all once you get your TGT, unless for some reason you need to get a new TGT. So Kerberos is both a secure authentication mechanism and a single sign-on mechanism.
Believe me, all this is a huge leap forward for Microsoft. Even though they keep adding proprietary bits to both LDAP and Kerberos, they are at least getting on the open standards bandwagon. And technologically, this is all far superior to the way Windows NT did things.
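The Kerberos exchange sketched in the comment above, as an added example that is not part of the original post: a toy KDC, client and file service in Python, in which the password-derived key opens the session key returned alongside the TGT while the TGT itself stays sealed under the KDC's own key. The cipher is a constructed HMAC-based stand-in rather than a real Kerberos enctype, and the realm, principal names and passwords are made up.

```python
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.TEST"  # constructed realm name

def string_to_key(password, principal):
    # Long-term key from the password; salt = realm + principal (simplified).
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               (REALM + principal).encode(), 10_000)

def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    # Toy encrypt-then-MAC, standing in for a real Kerberos enctype.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def authenticator(key_hex, user):
    # Proves possession of the session key at roughly the current time.
    return seal(bytes.fromhex(key_hex), {"user": user, "ts": time.time()})

def check(ticket, auth):
    now = time.time()
    if ticket["exp"] < now or auth["user"] != ticket["user"] or abs(auth["ts"] - now) > 300:
        raise ValueError("expired ticket or bad authenticator")

class KDC:
    def __init__(self):
        self.keys = {}  # principal -> long-term key

    def add_principal(self, name, password):
        self.keys[name] = string_to_key(password, name)

    def as_exchange(self, user):
        # Login: the request carries only the name, never the password.
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "key": sk, "exp": time.time() + 600})
        return seal(self.keys[user], {"key": sk}), tgt

    def tgs_exchange(self, tgt, auth, service):
        # TGT plus authenticator in, service ticket out; no password involved.
        t = unseal(self.keys["krbtgt"], tgt)
        check(t, unseal(bytes.fromhex(t["key"]), auth))
        sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "key": sk, "exp": t["exp"]})
        return seal(bytes.fromhex(t["key"]), {"key": sk}), ticket

def service_accept(service_key, ticket, auth):
    # The service trusts the ticket because only it and the KDC hold service_key.
    t = unseal(service_key, ticket)
    check(t, unseal(bytes.fromhex(t["key"]), auth))
    return t["user"]

def login_and_access(kdc, user, password, service, service_key):
    enc_key, tgt = kdc.as_exchange(user)
    tgt_key = unseal(string_to_key(password, user), enc_key)["key"]  # wrong password fails here
    enc_key2, ticket = kdc.tgs_exchange(tgt, authenticator(tgt_key, user), service)
    svc_key = unseal(bytes.fromhex(tgt_key), enc_key2)["key"]
    return service_accept(service_key, ticket, authenticator(svc_key, user))

if __name__ == "__main__":
    kdc = KDC()
    for name, pw in [("krbtgt", "constructed-krbtgt-secret"), ("alice", "correct horse"),
                     ("cifs/fileserver", "constructed-service-secret")]:
        kdc.add_principal(name, pw)
    print(login_and_access(kdc, "alice", "correct horse",
                           "cifs/fileserver", kdc.keys["cifs/fileserver"]))
```
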
Features galore. (Score:4, Insightful)
Samba 3.0 is the first real samba (excluding samba-tng), imho, that can replace a WinNT4 PDC (Primary Domain Controller) *fully*.
(eg: with samba3, the windows usrmgr.exe works for adding/deleting users & groups. (usrmgr.exe communicates over RPC, so I consider it something that should work for a windows primary domain controller).) I have just recently setup for a company:
A samba PDC, with usrmgr.exe working.
With an LDAP backend for authentication.
With posix ACLs on the file system (to allow *real* permission settings. The perms are still a bit weird, and I feel better setting them in Linux rather than through the windows gui, but they do work).
With cups printer backend, so printing works great.
Basically, this machine fully replaces their windows NT4 server, and does it pretty damn well.
The move from NT4 to PDC was pretty good. Once everything is setup on the samba side, you can "net vampire" all of the user and group accounts over to the samba server, and the users can login with no problems.
The only missing feature was I needed some way to copy the file system on the NT box to the linux box and keep the ACLs.
Anyway, the samba team does a great job
AD Support & ACL's coming.. WhooHoo! (Score:3, Interesting)
Okay, sorry I'm spoiled
Good job Samba Team!!!!
Re:additional new feature (Score:5, Insightful)
Re:additional new feature (Score:4, Informative)
Re:additional new feature (Score:5, Interesting)
I consider AD to be a viable general-purpose LDAP server for certain applications. I'm using it for a 20K user directory right now...but I wouldn't go over 250K with it, especially one that required any kind of master-hub-replica architecture to scale.
Re:additional new feature (Score:2, Informative)
Maybe not but it is more compatible with other operating systems and non MS software.
I think those are strong enough reasons to avoid it right there.
Re:additional new feature (Score:3, Informative)
Re:additional new feature (Score:3, Interesting)
Re:additional new feature (Score:2, Informative)
Re:additional new feature (Score:5, Funny)
Glad this was modded up to +5 Informative so we all know to never use Samba 3.x.
Re:additional new feature (Score:5, Insightful)
Why, oh why chunk everything into one huge and fumbly command? I find "net ???" on Windows to be a pain in the arse to use and usually end up going through several 'net help blah' sessions when looking for how to do something.
Keep smbpasswd separate. You can still chunk it by prefixing smb-related commands with "smb" (hit [tab] to see the list of commands and start with smb). Not good, or what? I think it's fine.
Re:I wonder.... (Score:3, Insightful)
Give up? It's integration into a Windows network. There are other network share protocols that work on basically every other OS, and would be the first choice for networks containing only those OSes (i.e. NFS for *nix nets, Appleshare for Mac nets)
Most people who run samba will simply be wanting to access the data the same way they would on their windows box. Using the same commands will make it simpler on them.
Usually when the subject of windo
Re:I wonder.... (Score:2)
I agree with your reasoning, *except* they said replace existing commands. If they had said "augment" existing commands, I would have been satisfied. Right now, it sounds like the same thing with using some command with a cryptic command-line argument to replace ifconfig.
Re:just an RC (Score:5, Insightful)
Now, if you had something to say about the quality of the Samba team's RC releases in particular, that'd be worthwhile -- but given how long the Samba 3 *betas* (not RCs, mind you, betas) have been stable, I doubt you'd be saying much the same thing.
Re:just an RC (Score:2)
Dunno, though -- I'm (strongly) guessing that these folks are suffering from configuration issues more than anything else. A release candidate, after all, is something which actually *could* become the
As a result, a RC generally won't have known issues large enough to prevent release -- because if it had such known issues, it wouldn't be eligible for
1. The folks complaining about S
Watch the free coders out code MS when... (Score:4, Insightful)
Re:Watch the free coders out code MS when... (Score:5, Interesting)
Re:I'd like to be enthusiastic (Score:2)
Ok, which moderator didn't recognize this as a troll?
Re:I'd like to be enthusiastic (Score:5, Insightful)
Furthermore, you've clearly never reverse-engineered a protocol before. Since Microsoft doesn't release specifications for Active Directory interactions, the Samba team has to pretty much capture thousands of packets as a workstation logs in, then logs out, then logs in, then logs out, etc. and stare at the data for weeks or months to figure out how to emulate the AD logon. And then they have to do this for domain discovery, resource sharing, and all the other operations that AD supports. To do this for an entire suite of functionality can take years.
Frankly, I'm surprised and pleased that they've managed to build the excellent support they have for MS' network protocols, and I think the Samba team deserves some congratulations. Thanks and keep up the good work!
Re:I'd like to be enthusiastic (Score:2, Informative)
Idiot.
Re:Samba wha?.... (Score:5, Insightful)
Re:Samba wha?.... (Score:5, Informative)
No. How much security does NFS have built-in? Exactly none.
Re:Samba wha?.... (Score:5, Informative)
Care to back that up?
NFS protocol has built in encryption/authentication using GSS-API since version 3. That was quite a few years ago. NFS version 4 is out.
I maintained a lab running on an encrypted NFS FS about 3 years ago, on Solaris 7.
Linux didn't have support for encrypted NFS because the kernel hackers couldn't get encryption into the kernel at the time. Now that 2.6 has kernel encryption services Linux will support the full NFSv4 spec. Or at least support the security features.
But you can't blame the engineers that developed NFS, they've had encryption/authentication built into the protocol for years now.
Re:Samba wha?.... (Score:2)
(it can make use of security contexts, eg for permissions checking of file access - but establishing those security contexts is
So where should that security be then? RPC.
(see Solaris and most commercial Unixen also OpenBSD for implementations of the more secure types of RPCSEC than the default AUTH_UNIX. Also, Linux 2.6 should have the secure AUTH_GSSAPI RPCSEC method, hopefully.)
Re:Samba wha?.... (Score:5, Insightful)
You don't have to install it Richard. For those of us with jobs to do however, this is a big step forward.
NFS is fine and all, but it's limited to really unixy networking.
That said Active Directory actively puzzles me (as does LDAP). I guess it's back to the books again. I guess my windoze knowledge never did advance much beyond NT4.
Re:Samba wha?.... (Score:2, Insightful)
No, this is exactly what is needed to displace Microsoft. Other than email, the second biggest use by client computers of a server is for file-serving. No matter how good Linux is, Microsoft has an iron-clad hold on that area for Windows clients, because users can browse and print through the interface they know so well. If that can be subbed out in a way invisible to the user, the
Re:Samba wha?.... (Score:2)
Re:Samba wha?.... (Score:2)
I had an issue with their X server after win2k came out and we were piloting our new desktop. We ran dual heads on some of our engineering stations and some of the guys were having really weird problems. I call up and go through about a half hour of troubleshooting with their very knowledgeable level 1 support people, no dice, so she puts me through to t
Re:Samba wha?.... (Score:3, Funny)
Right now (here on the east coast, at least) most managers and IT people will laugh you out of the room if you mention Linux seriously. Hell, most places I won't even mention tha
Re:Samba wha?.... (Score:5, Insightful)
Anyone who has administered large numbers of computers knows that sweeping changes are nearly impossible to execute. This is not due to technological restrictions, but rather those of the social variety: people don't like change, and require help in adapting. They need a period of migration.
If there is no way to migrate, large scale deployments of Linux will be avoided-- it simply costs too much to change things without a smooth transition.
For this reason, Samba does not hurt Linux. It should certainly be noted also that Samba actually does a lot of Windows networking things faster than Windows itself-- there are benchmarks kicking around to this effect.
So not only does Samba allow easy migration, but it allows interoperability between platforms and a superior solution to existing applications.
~geogeek
You have to crawl before you walk (Score:5, Insightful)
One of the steps towards linux-only is getting the servers on linux. Linux servers are becoming very popular, but that doesn't mean that every place has them yet, let alone linux workstations.
Many IT departments have already replaced some (or all) windows servers with linux servers, running Samba to provide the same services to their workstations. If Samba didn't exist, they wouldn't be switching their servers to it, since it would be incompatible with their existing windows servers. Nobody is going to upgrade if it means they lose features (namely, all the features samba provides).
There is just beginning to be a move towards linux on the desktop, and there have been a few articles on /. about it recently. My personal view is that it's not quite there yet, but close. I just work at a small company, but likely within a year I will have linux on the desktops. Some companies are beginning to roll out linux workstations, but not that many. And certainly not many enterprises.
You even say it yourself:
I've already gone 100% Linux on any networks I can.
Why not all of them? Without samba, it would basically be either 100% linux networks, or 0% linux networks. At the most, linux would be limited to being a router, NAS, webserver, etc.. which isn't bad, but it's leaving a monopoly on a fairly critical service (authentication) to one platform.
Re:Samba wha?.... (Score:3, Insightful)
Samba isn't just Linux, I run Samba on a Solaris box. Unfortunately, at this point in time, you still need Samba and Microsoft, but as Tridge has said, in 20 years time, people will still be using Rsync, but Samba will have been forgotten.
Re:q from a newbie (Score:3, Informative)
So, you can share files and printers just like you would if you were running a Microsoft-based server, but without paying for an MS licence.
This is possible because originally MS' file sharing standards were published as an (incomplete) open standard, and many patient developers have figured out how to make it work.
A pure Linux network can also be configured with shared files and printers from a central
Re:q from a newbie (Score:5, Informative)
Re: (Score:2)
Re:this bugs me (Score:5, Insightful)
There are plenty of innovative open source protocols out there, but how do you expect them to be adopted when just about everybody else (ie MS) won't use them? And in the meantime you'd deny the usefulness of Samba?
It's a chicken and egg situation, and Samba breaks that. Samba allows Unix/Linux/*BSD to interoperate with Windows networks. Then once open source stuff is installed widely, then you can start using other open standards.
Re:this bugs me (Score:3, Interesting)
There are plenty of more elegant solutions for filesharing that have been developed and implemented in an open manner. AFS was designed at CMU and OpenAFS is largely the result of U of Mic