
A whole host of new features in Samba 4 will simplify life for network admins

Tags: Microsoft Windows Active Directory, Kerberos, Microsoft Windows, Directory services, NETWORKING, Operating systems, network, Chad Perrin, network administration, Samba 3, Samba, Samba 4


Takeaway: A multitude of newly integrated capabilities will make working with Samba 4 in a CIFS Active Directory context a much easier and more complete experience than it has been before.

The new version four of the popular Samba networking suite is on its way. Samba was originally developed as a free implementation of the SMB (Server Message Block) protocol, but because the most common use of SMB is in Microsoft's CIFS (Common Internet File System) implementation, Samba has become a de facto Microsoft network compatibility tool. In relation to CIFS, Samba allows non-Microsoft operating systems to enjoy effectively seamless server and client operation in networks catering to the needs of Windows computers.

Samba 3 is best known for allowing excellent compatibility for Linux-based clients in Windows domain networks, especially Active Directory (AD) networks using Windows servers, and for similar compatibility in CIFS peer-to-peer networks (what Microsoft calls a "workgroup"). It has been possible for years to use Samba to create a non-Windows Primary or Backup Domain Controller for a Windows Domain, and to run an Active Directory server on a Linux system using a combination of tools, including Samba itself, MIT Kerberos, and OpenLDAP or Winbind (which is a part of the Samba package, but not always the preferred method of creating a Linux AD server). The process is a complex and difficult one, however. Samba 4 aims to change that.

The Samba 4 development project's Active Directory compatibility effort began with a proposal by Andrew Tridgell, the original creator of Samba, to create a new network virtual file system layer for Samba 3. A slew of newly integrated capabilities will make working with Samba in a CIFS Active Directory context a much easier and more complete experience than it has been before.

New features


Included with Technology Preview 2 of the new version of Samba are a number of improvements designed to make implementing Active Directory servers on non-Windows operating systems smoother and more rewarding for the network administrator:

  • The new Virtual File System (VFS) features of Samba 4 do a better job of imitating the behavior of Windows systems on the network. This will improve compatibility in general, and in particular includes more homogenous streamed file annotation information and support for Access Control Lists (ACLs).
  • The new Domain Controller implementation of Samba includes a built-in LDAP server called LDB and a Kerberos Key Distribution Center (KDC), in addition to the standard logon services provided over CIFS familiar to users of Samba 3. The KDC in Samba 4 generates Kerberos Privilege Attribute Certificates (PACs), a Microsoft addition to the MIT Kerberos specification that has caused problems for attempts to integrate other operating systems with Windows AD networks. Integrated Kerberos functionality is provided by an embeddable version of the Heimdal Kerberos implementation.
  • Samba 4 also implements the Domain Name System (DNS) protocol internally to provide complete AD compatibility.
  • The Samba team implemented AD Access Control Lists to provide network security for Windows clients more natively than was previously possible. As of Samba 4.0.0 Technology Preview 2, ACLs have been implemented to protect the main user database, but not yet the registry.
  • Samba 4 includes a new scripting interface that allows administrative JavaScript programs to integrate with Samba's internals securely and conveniently. For the expert Active Directory administrator, this should provide a great deal of additional functionality and allow greater administrative automation.
  • The Samba Web Administration Tool (SWAT), which provides a Web browser interface for Samba configuration and management, is now integrated with the default Samba 4 package. This eliminates the need to install and configure SWAT separately to work with Samba. The integral SWAT configuration system includes usability and security features such as automatic TLS/SSL encryption setup and certificate generation, and automatic HTTPS discovery.
  • Attention has been given to making migration from a Windows Server 2003 PDC to a Samba PDC a very simple, quick, and straightforward process. The whole operation essentially consists of Web-based migration management where accounts, passwords, and attributes are pulled from the Windows domain controller; the old PDC is shut down, and the new PDC is brought up in its place, providing a fairly seamless migration path.
  • Standalone server and domain member roles for Samba systems are not yet fully supported in the current technology preview, but will be in the final release of the new Samba version.
  • Printing support will be integrated with the rest of the new functionality of Samba 4.
  • Windows Vista will reportedly include a new SMB2 protocol implementation. While the technology previews for Samba 4 are already incorporating initial implementations of the SMB2 protocol, they are of course not complete implementations yet. Until Vista's final form is known and available for testing, a finalized, Windows-compatible implementation of SMB2 cannot be completed for Samba 4. Because of the necessity of backwards compatibility for Vista with older Windows networks, however, this should not present a significant compatibility problem.

Other changes


  • Samba 4.0.0 TP2 comes with an experimental one-way migration script that can be used for easy upgrade from Samba 3.
  • The venerable nmbd service in Samba has been merged with smbd, which now implements "process models" that manage concurrent connection handling.
  • The functionality of Samba's "security" configuration parameter has been split up. The "user" and "share" security levels are still set using the "security" parameter, but other security options have been moved to the "server role" option, and "domain master" and "domain logons" have also been merged into the "server role" option.
  • Quite a few configuration parameters have been eliminated, in some cases because their functionality is now handled by the newly integrated services that Samba 4 provides such as LDB.
  • A number of new configuration parameters have been added to Samba 4 as well. Most of these deal with the additional services included in the new Samba version, though a few also provide additional configuration options for greater customizability for your Samba server implementations.
  • The smbclient tool used for file transfers no longer supports an optional password as its second argument.
  • Some of the advanced features of Samba 4 will require the use of a file system on Samba servers that supports both "user" and "system" xattr namespaces. This means that if a server uses ext3, for example, it will need to include the "user_xattr" option in the /etc/fstab configuration file. On a Linux system, the kernel needs to be compiled with the XATTR and SECURITY options for the file system. Standard kernel installs for major Linux distributions are typically compiled with these options by default.
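
As an added example (not from the article or the Samba project), the shell functions below check whether the fstab entry covering a given path lists the "user_xattr" option described in the last item above. The sample fstab, its device names and its paths are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample fstab (not from the article). /srv/samba lacks user_xattr.
SAMPLE_FSTAB='# <device>  <mount>        <type>  <options>                   <dump> <pass>
/dev/sda1   /              ext3    defaults,errors=remount-ro  0 1
/dev/sda2   /home          ext3    defaults,user_xattr,acl     0 2
/dev/sda3   /srv/samba     ext3    defaults,noatime            0 2
/dev/sda4   /srv/samba/ad  ext3    rw,user_xattr               0 2
'

# fstab_entry_for PATH: read fstab text on stdin and print
# "mountpoint type options" for the entry whose mount point is the
# longest prefix of PATH (the file system that actually holds PATH).
fstab_entry_for() {
    awk -v path="$1" '
        NF < 4 || $1 ~ /^#/ { next }            # skip comments and short lines
        {
            mp = $2
            # mp covers path if it is "/", equals path, or is a parent directory
            if (mp == "/" || path == mp || index(path, mp "/") == 1) {
                if (length(mp) > best_len) {
                    best_len = length(mp)
                    best = mp " " $3 " " $4
                }
            }
        }
        END { if (best != "") print best }'
}

# has_user_xattr PATH: fstab text on stdin.
# Returns 0 if the covering entry lists user_xattr, 1 if it does not,
# 2 if no entry covers PATH.
has_user_xattr() {
    entry=$(fstab_entry_for "$1")
    [ -n "$entry" ] || return 2
    opts=${entry##* }                           # last field: mount options
    case ",$opts," in
        *,user_xattr,*) return 0 ;;
        *)              return 1 ;;
    esac
}
```

To check a real server, feed it the live file, for example `has_user_xattr /srv/samba < /etc/fstab`; a return of 1 means the entry for that file system needs "user_xattr" added to its options.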

Samba4WINS


Concurrently with Samba 4 development, the Samba4WINS software has been developed to address a long-standing shortcoming in Samba. While it has been possible, and even easy, to implement WINS servers previously, Samba did not provide the tools to implement replicating WINS servers in complex networks.

Replicating WINS is used to synchronize the configuration and functionality of multiple WINS servers in a network. The only way to achieve that in previous incarnations of Samba was by way of hacks using other tools in addition to the core Samba toolset. With the Samba4WINS software, that is changing, and it is now becoming possible to quickly and easily implement replicating WINS functionality on non-Windows systems.

Samba4WINS is being developed under the auspices of the Enterprise Samba project by SerNet, a German company that produces enterprise-ready Samba software packages for what it considers to be the enterprise-ready distributions of Linux: Debian GNU/Linux, Red Hat Enterprise Linux, and SuSE Linux Enterprise Server.

SerNet, through the Enterprise Samba project, reports Samba4WINS will be seamlessly integrated with Samba 4 and up, and it is available to be installed in parallel with Samba 3.0.21 and later versions. Samba4WINS will run as an individual daemon process that can be started and stopped separately from other Samba services.

What to expect


The complete Samba 4 package promises to provide a significant advance in compatibility between Windows Active Directory networks and non-Windows operating systems. Incorporation of the LDB implementation of LDAP functionality, an integrated version of Heimdal, and DNS functionality, coupled with an improved SWAT interface that does not require separate installation and configuration, will greatly reduce the time and effort necessary to create Active Directory servers using Samba. All things considered, Samba 4 will greatly simplify the lives of network administrators working with heterogeneous Active Directory networks, and of administrators looking to migrate AD networks from Windows to other operating systems without losing any of the functionality to which they've become accustomed.
