Wednesday, June 30, 2004

USENIX '04: Gerald Carter, Samba team: Deploying Samba

Gerald (Jerry) Carter, HP SAMBA team
http://www.plainjoe.org/
jerry@samba.org

Main development now is on Samba4

Samba 3.[125]


Samba 3.2:
full NT ACL compatibility
full SAM replication with NT 4.0 BDCs
i18n
NT privs
libregistry API
uses LDAP directories services for config
merge of RPC server infrastructure from Samba 4 (maybe)
better management tools


Samba 4:

Tridge started S4 to fix IBM filesystem needs, feeling a rewrite was needed
Never mind the "official" CIFS draft -- they just copy what Windows does
extremely flexible, very robust client library (IDL for client layer)
They want to share IDL under LGPL (or similar) for Wine etc to use, while Samba itself will still be GPL
Able to run a single multiplexing TCP daemon for embedded devices
Also a threaded mode for those that want it, but still a forking model

Samba 4 is probably 24 months off right now.


Active Directory DC -- when will Samba be able to replace Active Directory?
* cross project: kerberos 5, ldap, ddns, cifs
* work remains: ms-cldap, new rpcs
* work continues, but the scope is unknown so there's no target release yet

Prospects for CIFS clients on UNIX
* IBM funded cifsvfs for linux 2.6
* OSX has native smbfs support
* possibility for interaction with HP; the 'unix extensions' smb.conf option
* possibly an alternative to NFSv4
* however, MS wants to do away with CIFS in Longhorn...

Other Samba team activities
* cvs modules (lorikeet - interop patches), sangria (python framework for smb.conf management)
* huge bugzilla backlog


***** questions *****

Samba accounts really do have to map to Unix accounts. They tried doing without them, but the code got more confusing & difficult to maintain, and the gain was debatable, so they went back to requiring that Samba accounts have a traditional Unix UID.

Interop with Sun ONE or IBM's LDAP directory server is messy -- things aren't as standard or compatible as they should be. Interaction with Novell's NDS is an issue open to discussion right now.

Password lockout support was included in Samba 3.0.3. The pdbedit command sets this policy. It does not require LDAP, but you need at least TDB SAM or smbpasswd. Patches related to this are pending.

TDB SAM is one of the password database backends; it basically puts smbpasswd into a database with a single read, single write, very fast DB engine.

Policy management. Workstation only; limits.
System policies are implemented as registry entries; group policy objects & privileges aren't supported (yet). Much of this comes with AD support, whenever that arrives.

Domain Controller support is tentatively on the way for 4.0, but because the scope of the project isn't known he can't pin down when it will be available. He mentions that it has been done, at least as a proof of concept, but when Samba will be able to do it remains an open question.

Issue where cached versions of user profiles are accidentally being converted into backup profiles. Jerry suspects this is an issue with the security descriptor on that particular file, but he hasn't been able to pin down why this happens.

Samba supplies a suggested LDAP schema. For a new LDAP server, it makes sense to use it there; other than that it isn't published anywhere.

Apple's OS X Server Windows networking is provided by a forked version of Samba. Their changes have been published, but haven't been imported into mainline Samba (not seen as broadly relevant, e.g. hacks for NetInfo support). He doesn't really see any obvious issues with going with Apple for PDC serving, but thinks that Debian would be more flexible.

A guy asked about an office where first the servers & now the clients have all been migrated from Windows to BSD; should this person keep using the nice, reliable Samba server? Jerry says they don't need it in that case, and as a Unix to Unix protocol it doesn't really contribute much yet, especially as compared to how well tested NFS is. Long term, they would like to be an alternative to NFSv4, but they're not there yet.