© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Advanced Samba Administration
Part 1: Samba 3 Overview
Tim Samba

March 6,
About Me
Samba Team member since 2000
Worked on Samba 2.0, 2.2, 3.0 and 4.0
Hired by HP to work on Print Server Appliance
Now working on Integrity server manageability
Still contributing to Samba project

Tutorial Format
Three sections
  −Part 1: Overview and New Features
  −Part 2: Domain Configurations
  −Part 3: Server Migration
10 minute break between parts
Please ask questions as we go

Tutorial Theme
How does this feature of Samba enable us to kick ass in our jobs?
To do this we will look at:
  −features
  −configurations
  −know-how

Samba 3 vs Samba 4
Samba 4 is an almost complete rewrite
An emphasis on completeness and testing
Cross-pollination of code, tests, and ideas between branches
Samba 3 development to continue as before
Samba 4 development in parallel

Samba 3 vs Samba 4
Samba 3
  −Production branch
  −Version released 20 Aug 2005
  −Version released 22 Dec 2005
  −Features to help you get your job done
Samba 4
  −Research branch
  −Technical Preview 1 released 24 Jan 2006
  −Technical Preview 2 released 22 Mar 2006
  −Try out new ideas and designs

Samba 4 Resources
Keeping track of development
  −25 August, August,
  −#samba-technical on irc.freenode.net
Developer interviews and presentations
  −Jeremy Allison, Linux Format UK
  −Slides from Samba XP conference,
Technical Preview source code
  −TP1 released 24/1/06
  −TP2 released 22/3/06

Part 1 - Overview & New Features
What's new in Samba 3.0?
Network analysis tools
User Rights and Privileges
File System ACLs
Distributed File System support (Dfs)
Samba Virtual File System (VFS) layer

What's New in 3.0?
Use of Kerberos and LDAP when joined to an Active Directory domain
UNICODE support
Improved printing
Better NT4 domain control and migration features
Flexible authentication and account storage options

What's New in 3.0? (cont)
Improved winbind
Better CIFS compatibility with Windows file servers
Later 3.0.x versions include more policy settings
  −Password lockout
  −Password history
  −Logon hours
  −User rights
  −Nested groups

Network Analysis Tools
Ethereal – a network protocol analyser
Works under Windows and Linux
Parses Unix, Windows and proprietary capture file formats
Decodes hundreds of network protocols

Ethereal Filters
Capture filters vs display filters
Capture filters for CIFS traffic
  −port 139 or port 445
  −udp port 137 or udp port 138 or udp port 139
Display filters know about more protocols
  −smb
  −dcerpc
  −spoolss
Connection tracking features

Ethereal Tips
Shows many important and unimportant protocol details
Need to know what is normal and what is not
Error codes are sometimes normal
Run ethereal and examine the output when everything is working!

Network Analysis Tools
tcpdump – a network packet capture program
Run on your Linux box to capture and filter traffic seen by that box
To capture all CIFS traffic:
  # tcpdump -i eth0 -s 0 -w cifs.cap \
        port 139 or port 445

File System ACLs
Requires POSIX ACL support
  −kernel
  −file system
  −samba
Must use 'acl' mount option
nt acl support (boolean)
  −Should a file share support file system ACLs?
Defaults to true

POSIX ACL Semantics
No new permission bits
Normal Unix permissions still apply
Can grant additional ugo bits to named users and groups
Can specify ACLs on directories that are inherited by files and subdirectories

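Added example (not from the original slides): the access check order given in acl(5), written in Python, showing that the ugo bits still decide access for the owner and for everyone else, while named user and group entries are capped by the ACL mask entry. The dictionary layout, uids and gids are constructed for illustration.

```python
R, W, X = 4, 2, 1  # permission bits, same values as in a ugo mode digit

def acl_allows(acl, uid, gids, want):
    """True if a process with this uid and set of gids gets every bit in want."""
    mask = acl.get("mask", R | W | X)  # no mask entry: nothing is capped
    # 1. File owner: only the owner entry counts; the mask does not apply.
    if uid == acl["owner"]:
        return (acl["user_obj"] & want) == want
    # 2. Named user entry: capped by the mask.
    if uid in acl.get("users", {}):
        return (acl["users"][uid] & mask & want) == want
    # 3. Owning group and named groups: any matching entry may grant access,
    #    each capped by the mask.
    candidates = [acl["group_obj"]] if acl["group"] in gids else []
    candidates += [b for g, b in acl.get("groups", {}).items() if g in gids]
    if candidates:
        # A group matched: the decision is made here, 'other' is not consulted.
        return any((b & mask & want) == want for b in candidates)
    # 4. Everyone else.
    return (acl["other"] & want) == want

# Constructed sample: owner uid 1000 (rw-), owning gid 100 (r--), other (---),
# named entries user:1001:rw- and group:200:rw-, mask::r--.
SAMPLE = {
    "owner": 1000, "group": 100,
    "user_obj": R | W, "group_obj": R, "other": 0,
    "users": {1001: R | W}, "groups": {200: R | W}, "mask": R,
}

def demo():
    """Decisions for the constructed sample, as (who, wanted bits, allowed)."""
    cases = [("owner", 1000, {100}, W), ("named user", 1001, {300}, W),
             ("named user", 1001, {300}, R), ("named group", 1002, {200}, W),
             ("other", 1003, {300}, R)]
    return [(who, want, acl_allows(SAMPLE, uid, gids, want))
            for who, uid, gids, want in cases]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The two write requests are refused even though the named entries say rw-, because the mask only allows r--.
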
Handling Windows ACLs
(Diagram: Windows, NT ACL; Samba, POSIX ACL)
Samba maps ACLs in the Windows domain to ACLs in the POSIX domain
An engineering trade-off
Mapping algorithm reasonably complex

More Info on ACLs
“POSIX Access Control Lists on Linux”
  −Paper by Andreas Grünbacher from SuSE Labs
  −25 August, 2015ttp:// acls/online/25 August, 2015ttp:// acls/online/
General man page on POSIX ACLs is at acl(5)
Man pages for getfacl(1), setfacl(1) and chacl(1) utilities
IEEE POSIX e standards document

Distributed File System
Network mount points for Windows
Native client support in
  −Windows 98/ME
  −Windows NT/2K/XP
  −Download add-on for Windows 95
Samba includes Dfs support in smbclient

Dfs Redirection
1. Client to \\POTATO: dir \\potato\dfs\cdrom ?
   \\POTATO replies: look at \\carrot\cdrom...
2. Client to \\CARROT: dir \\carrot\cdrom ?

MS Dfs Parameters
host msdfs (boolean) (G)
  −Should smbd act as a Dfs server?
msdfs root (boolean) (S)
  −Does this file share contain Dfs redirects?
  −msdfs links coexist with local files and directories
msdfs proxy (string) (S)
  −UNC path to share containing the real Dfs referrals
Dfs disabled by default in Samba <=

Creating Dfs Redirects
Specially formed symbolic links
  −msdfs:SERVER\share
For the potato/carrot cdrom example
  $ ln -s msdfs:carrot\\cdrom cdrom

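Added example (not from the original slides): because every msdfs symlink sends clients to another server, a Dfs root is worth auditing against the servers you expect. This Python sketch walks a Dfs root, decodes each msdfs:SERVER\share target and reports servers outside an allow-list; it goes beyond the single-target form on the slide by also accepting comma-separated alternates, and the function names, paths and the server "turnip" are constructed for illustration.

```python
import os
import tempfile

def parse_msdfs_target(target):
    """Split 'msdfs:SERVER\\share[,SERVER2\\share2]' into (server, share) pairs.

    Returns None when the symlink target is not an msdfs link. The prefix is
    matched case-insensitively so the audit errs on the side of reporting.
    """
    if not target.lower().startswith("msdfs:"):
        return None
    pairs = []
    for alt in target[len("msdfs:"):].split(","):
        server, _, share = alt.strip().lstrip("\\").partition("\\")
        pairs.append((server.lower(), share))
    return pairs

def audit_dfs_root(dfs_root, allowed_servers):
    """Return (links, violations): every msdfs link, and those naming other servers."""
    links, violations = {}, []
    for dirpath, dirnames, filenames in os.walk(dfs_root):
        for name in dirnames + filenames:  # dangling links are listed as files
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            pairs = parse_msdfs_target(os.readlink(path))
            if pairs is None:
                continue  # ordinary symlink, not a Dfs redirect
            rel = os.path.relpath(path, dfs_root)
            links[rel] = pairs
            violations += [(rel, s) for s, _ in pairs if s not in allowed_servers]
    return links, sorted(violations)

def demo():
    """Build a constructed Dfs root in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.symlink("msdfs:carrot\\cdrom", os.path.join(root, "cdrom"))
        os.symlink("msdfs:carrot\\data,turnip\\data", os.path.join(root, "data"))
        os.symlink("/tmp", os.path.join(root, "plain"))  # ignored by the audit
        return audit_dfs_root(root, allowed_servers={"carrot"})

if __name__ == "__main__":
    print(demo())
```
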
File Share Switcheroo
Can use the msdfs proxy parameter to transparently redirect a file share
Original server must have Dfs enabled beforehand
  [data]
      msdfs proxy = \newserver\data

Virtual File System
File system operations abstracted behind a function call interface
Default is to call the regular disk I/O functions
VFS module provides another implementation of these functions
vfs objects (string)
  −List of shared libraries and configuration options

Available VFS Modules
Multiple vfs modules can be loaded for a given share
  −audit file open/close, read/write operations
  −scan for viruses
  −implement a recycle bin
  −netatalk compatibility
  −MS-DFS referral heuristics

VFS Example
Network recycle bin
  [protected]
      path = /export/smb/protected
      vfs object = recycle
      recycle:repository = .recycle
      recycle:versions = True
      recycle:touch = True
      recycle:keeptree = True
      recycle:exclude = *.tmp|*.temp|*.o|*.obj|~$

Write your own!
API definition in source/include/vfs.h
Implement subset of disk, directory, file, ACL, EA and async I/O operations
Handle configuration parameters

Summary of Part 1
Samba 3 vs Samba 4
Network analysis with ethereal and tcpdump
File system ACLs
Distributed File System support
Virtual File System support

End of Part 1
Break for 10 minutes