The official company press release says that Beta 2 includes “an updated installer, additional new technologies and resolutions to many of the issues that were reported in the initial Beta.”
There are still many known issues with the Beta 2 version, and it’s hard to quickly ascertain in the release notes what new improvements have been made.
One thing that caught my attention was the improved Samba support.
Red Hat Enterprise Linux 6 Beta provides the following significant enhancements to Samba:
- Internet Protocol version 6 support (IPv6)
- Support for Windows 2008 (R2) trust relationships.
- Support for Windows 7 domain members.
- Support for Active Directory LDAP signing/sealing policy.
- Improvements for libsmbclient
- Better support for Windows management tools (mmc and User Manager)
- Automatic machine password changes as domain member
- New registry based configuration layer
- Encrypted SMB transport between Samba client and server
- Full support for Windows cross-forest, transitive trusts and one-way domain trusts
- New NetApi remote management and winbind client C libraries
- A new graphical user interface for joining Windows Domains
If you’ve been playing with the RHEL 6 beta, what are your favorite new features and what do you wish was there?
The company released a risk report comparing RHEL 5.2 to RHEL 5.3. Briefly, the report explains that 61 advisories were released to address the 181 vulnerabilities found in version 5.2. The seven critical advisories were for Firefox, Samba, and OpenSSH. The new version has all the updated security features, and the risk report shows that Red Hat saw fewer vulnerabilities with 5.2 than it did in 5.1 and 5.0.
The author of the risk report, Mark Cox, explains that “for Red Hat Enterprise Linux 5 since release and to date, every critical vulnerability has had an update to address it available from the Red Hat Network either the same day or the next calendar day after the issue was public.”
Let us know how your update goes — were there lags or glitches? What do you think about the new functionalities — are they useful in your enterprise? Is there more you want to see?
If that interests you, check out the sample chapter on OpenLDAP and the guide to Samba and Active Directory on SearchEnterpriseLinux.com.
(Does the Caddyshack reference make up for the shameless plug?)
In one of the rare tips I’ve written for SearchEnterpriseLinux.com, Carter said the next time a user comes knocking on your door with an Access Denied error message and blames it on Samba, tell them to slow down. Most of the time, it’s not Samba’s fault, he said. “Our motto is ‘Bug for bug, feature for feature, we are completely compatible with Microsoft Windows,’” Carter said.
However, Carter also said that if there was a legitimate bug, the Samba team had no problem admitting it existed and working post haste to get it resolved. Today, the Samba team reported a security issue with Samba’s code, as well as a patch to fix it.
Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the “wins support” parameter has been enabled in smb.conf.
A patch addressing this defect has been posted to
Additionally, Samba 3.0.27 has been issued as a security release to correct the defect.
Samba administrators may avoid this security issue by disabling the “wins support” feature in the host’s smb.conf file.
This vulnerability was reported to Samba developers by Alin Rad Pop, Secunia Research.
The time line is as follows:
“Our Code, Our Bugs, Our Responsibility.” – The Samba Team
“Samba is configured as standalone server, not as a domain controller. For this setup, I will use the Ubuntu Server installation CD but the same installation procedure will work on an Ubuntu desktop as well,” Timme said.
I’d be remiss if I didn’t also pitch SearchEnterpriseLinux.com’s wealth of Samba tips and news, some of which, coincidentally enough, were compiled by yours truly.
But you want more? You can also check out our Exploring Samba and Active Directory integration options landing page that was compiled by site expert Sander van Vugt. In that compilation, van Vugt discusses everything from Samba basics, to installation, to administration and migration. If you have no idea what Samba is, I salute you for reading this far, but I still encourage you to check out Sander’s tips — he defines Samba in the first paragraph.
Check it out.
Cue the streamers:
Major enhancements in Samba 3.2.0 include:
- Use of IDL generated parsing layer for several DCE/RPC interfaces.
- Removal of the 1024 byte limit on pathnames and 256 byte limit on filename components to honor the MAX_PATH setting from the host OS.
- Introduction of a registry based configuration system.
- Improved CIFS Unix Extensions support.
- Experimental support for file serving clusters.
Winbind and Active Directory Integration:
- Full support for Windows 2003 cross-forest, transitive trusts and one-way domain trusts
- Support for userPrincipalName logons via pam_winbind and NSS lookups.
- Support in pam_winbind for logging on using the userPrincipalName.
- Expansion of nested domain groups via NSS calls.
- Support for Active Directory LDAP Signing policy.
Users & Groups:
- New ldb backend for local group mapping tables
- Raised level of security defaults for authentication operations.
Note that this is also the first time that Samba is being released under the GPLv3. The Samba Team adopted version 3.0 of the GNU General Public License for the 3.2 and later releases as of September.
The first, complete with patch availability:
The idmap_ad.so library provides an nss_info extension to Winbind for retrieving a user’s home directory path, login shell and primary group id from an Active Directory domain controller. This functionality is enabled by defining the “winbind nss info” smb.conf option to either “sfu” or “rfc2307”.
Both the Windows “Identity Management for Unix” and “Services for Unix” MMC plug-ins allow a user to be assigned a primary group for Unix clients that differs from the user’s Windows primary group.
When the rfc2307 or sfu nss_info plugin has been enabled, in the absence of either the RFC2307 or SFU primary group attribute, Winbind will assign a primary group ID of 0 to the domain user queried using the getpwnam() C library call.
A patch addressing this defect has been posted to
Additionally, Samba 3.0.26 has been issued as a security release to correct the defect.
Samba and Active Directory administrators may avoid this security issue by two methods:
(a) Ensure that all users stored in AD are properly assigned a Unix primary group, or
(b) Discontinue use of the sfu or rfc2307 “winbind nss info” plugin until a patched version of the idmap_ad.so library can be installed.
Note that the problem is only evident on servers using the sfu or rfc2307 “winbind nss info” plugin and not those only making use of Winbind’s idmap_ad IDMap backend interface.
There is also version 3.0.26a available for download today, complete with bug fix (Memory leaks in Winbind’s IDMap manager).
The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from:
The release notes are available online at:
Binary packages will be made available on a volunteer basis at
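Both advisories quoted above depend on a specific smb.conf setting (“wins support” for the nmbd flaw, the sfu or rfc2307 “winbind nss info” plugin for the primary group ID 0 flaw), so a host can be checked for exposure with a short script. This is an added example, not code from the Samba Team or the original posts; it assumes every version older than the fixing release named in each advisory is affected, and the 10000 UID floor and the sample inputs are constructed.

```python
import re

TRUE_VALUES = {"yes", "true", "1"}

def parse_version(text):
    """'3.0.26a' -> (3, 0, 26); a letter suffix is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def global_params(conf_text):
    """[global] parameters from smb.conf text, keyed by normalized name."""
    params, section = {}, None
    for raw in conf_text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params["".join(name.split()).lower()] = value.strip()
    return params

def audit(conf_text, samba_version):
    """Findings for the two advisories, given config text and a version."""
    version, params = parse_version(samba_version), global_params(conf_text)
    findings = []
    if params.get("winssupport", "no").lower() in TRUE_VALUES and version < (3, 0, 27):
        findings.append("wins support enabled; nmbd older than 3.0.27")
    plugins = set(params.get("winbindnssinfo", "").lower().split())
    if plugins & {"sfu", "rfc2307"} and version < (3, 0, 26):
        findings.append("sfu/rfc2307 nss_info plugin; winbind older than 3.0.26")
    return findings

def gid0_accounts(passwd_text, min_uid=10000):
    """Accounts at or above min_uid (assumed idmap range start) with GID 0."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2].isdigit() and int(f[2]) >= min_uid and f[3] == "0":
            hits.append(f[0])
    return hits

# Constructed sample inputs (not taken from a real host).
SAMPLE_CONF = r"""
[global]
   workgroup = EXAMPLE
   WINS Support = Yes
   winbind nss info = template \
       rfc2307
[share]
   path = /srv/share
"""
SAMPLE_PASSWD = r"""
EXAMPLE\alice:*:10001:10000::/home/EXAMPLE/alice:/bin/bash
EXAMPLE\bob:*:10002:0::/home/EXAMPLE/bob:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "3.0.25"):
        print("FINDING:", finding)
    print("primary GID 0:", gid0_accounts(SAMPLE_PASSWD))
```

On a live host the two inputs would come from `testparm -s` and `getent passwd`.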
I initially spoke with John Flores, a system administrator with the University of Texas at San Antonio, earlier this year for a broad SearchEnterpriseLinux.com article on Linux support. The article focused on the good, the bad and the ugly of working with commercial Linux distributors, as well as with the alternatives like CentOS and Debian. It was also a comparison of the past, present and future of Linux support as a whole.
Flores and his data center — like many data centers today — were at a crossroads. He was using Windows NT as his domain controller, but it was update time as a few Dell servers were past their prime and new ones were set to be introduced in the summer of 2006.
“We had an old Dell 6300 that was to be put out of service … it was what was running the NT 4.0,” Flores told me. “Rather than move NT 4.0 to a new server, we were looking for an OS that could put onto a new server and it was going to be either Linux or MS.”
But old servers weren’t the only issue at the U of T that summer. Flores explained that NT 4.0 had become “unstable, mostly due to age.” The software configurations were also old and difficult to maintain, he said, and a lot of “junk” had accumulated over the years. The clutter was quickly becoming a maintenance issue for the IT staff, he said. “We were having a server failure almost once every two weeks. A server would have a major problem so we’d have to reboot it and bring it back up again,” Flores said. But then things got even worse.
“Because this is a university environment, we have a whole new set of something like 5,000 users changing over every semester. We have to log all those IDs and passwords every semester.”
Windows closed, Linux opened
So Flores, sticking with what he knew, immediately set out vetting a Windows Server 2003 upgrade (he already had a Windows Server 2003 academic license on hand).
“We were already running Windows XP in the classrooms so we had no reason not to consider Microsoft on the server too,” he said. “It seemed like a natural progression from NT 4.”
The relationship, for all the familiarity between interested parties, did not last much longer. Flores said he and his staff tested Windows Server and were uncomfortable with the way that the software wanted to take over domains and become the domain controller immediately even though it was deployed in a testing environment. This was an unacceptable development, as Flores’ department had to peacefully coexist with a larger university-wide network environment and needed to be somewhat separated. Separate but equal, right?
“Server wasn’t necessarily bad — it has a lot of features on the surface that would be fine for the average person,” Flores said.
But Flores was no “average user.” In fact, he said to me that the nature of his department is such that every employee needed to be a “server specialist” (think: “jack of all trades”). Oh, and they didn’t really have a lot of cash on hand for training into how to manage a MS SQL Server machine. “There’s probably a few things we could have done with it on the server, but we’re really not familiar enough with the OS to do it,” he said.
So an educational institution’s IT department is strapped for cash and wouldn’t have the time for training even if they did have the money for a Server upgrade. Sounds like a job for Linux and open source software (OSS), right?
Samba and open source management
Flores was already familiar with Linux and open source software — especially Samba — thanks to a healthy dose of toying around and testing that he had done on the side while his Dell servers toiled away running Windows. “We knew Samba provided Windows domain capabilities … we knew that the [industry leaders Red Hat and Novell] used Samba in a pretty much straightforward command line, customized way,” he said. It was straightforward, yes, but Flores contended that for his shop at least, the technology wasn’t very accessible.
“You could bring over existing NT 4.0 sets of users, but we have to be able to update it every four months or so, and we did that already through a flat file from registrar’s office,” Flores said. No need to fix something that isn’t broke, right?
But during the vetting process Flores’ team also started to look at utilities that could be deployed on top of Samba. One early front runner that showed promise was an unnamed end user management utility, but like many freely available projects (from SourceForge, for example), it needed a little work before Flores would have allowed it in a production level environment. Flores decided to keep looking for something similar but with a little more support.
The surfing and searching eventually led Flores to Xandros, a Linux desktop vendor that has only recently started to dabble in the systems management space. “We saw a demo at an academic technology conference in Austin,” Flores said. “[They] had a desktop product running and we sampled it. We saw their commercial version, and it was pretty well integrated so we could easily run Microsoft apps on it.”
Could I get a Linux support Amen?
Then Flores sampled the server side of Xandros’ offering, Xandros Server, and saw that the vendor’s strategy was geared towards users who wanted to migrate from Windows with as little a learning curve as possible. He was hooked. Windows didn’t stand a chance. The vendor built a “nice front end to manage applications, including Samba,” he said. The vendor had also only just released the product when Flores first took a look, but that didn’t seem to matter.
“My coworker is a Macintosh maniac; always saying Macs are so easy to use — but even when he saw the Xandros interface he said it was easy as a Mac,” Flores said.
Xandros Server provided the department with the point and click interface it needed to avoid learning curves and other time constraints. It even allowed for a command line interface, which Flores said was perfect for his department’s needs.
Also perfect was Xandros’ approach to support. As I noted in an article for SearchEnterpriseLinux.com this summer, the support situation can still be a pain point for IT managers deploying Linux and Linux-based applications.
“I could call them, or pick up phone, and one or two people personally responded. It was a first name basis in 24 hours or less,” Flores said.
And then it went even further than that. “When it got time to import the users in September for the Fall semester, we told Xandros what we were trying to do, and a guy at Xandros wrote a utility for us to import users on routine basis with complete step-by-step how-to.”
The attention was a first for Flores, who said he had never seen or heard of a vendor — especially an operating system vendor — go that far. “With 150 PC’s and five different laboratories, we’d hear it from faculty if things didn’t go smoothly,” Flores said. “I wasn’t expecting a lot of support, so the fact that we got great support blew me away. We were used to large companies like Microsoft, Sun Microsystems, where you just expect that it is going take a while to get answer looking for.”
Oh, and not to sound completely like a Xandros infomercial, but then things went further still.
When Xandros Server was all settled in and humming along, Flores ran into some issues when installing some network attached storage. “We were doing a TCIP connection to a server and a RAID and trying to figure out how to set that interface up. It wasn’t clear to me how to do that with our configurations,” he said.
So, Flores fired off an email to Xandros support. Within a “day or two” the company had sent him a customized step-by-step how-to guide on how to connect the RAID to their unique configuration. “This issue hadn’t come for them before, but now it’s published on the Xandros web site,” he said.
Today, Flores manages his Windows XP PC’s, printers, laboratory thin clients and Linux servers all via a central hub in Xandros Server. Other IT managers might have used something different, then again maybe not. For Flores and the University of Texas/San Antonio, however, this was the perfect application for his environment.
EDIT/correction: Removed “SQL” from copy.
Samba4 supports the server-side of the Active Directory logon environment used by Windows 2000 and later, so we can do full domain join and domain logon operations with these clients.
Our Domain Controller (DC) implementation includes our own built-in LDAP server and Kerberos Key Distribution Center (KDC) as well as the Samba3-like logon services provided over CIFS. We correctly generate the infamous Kerberos PAC, and include it with the Kerberos tickets we issue.
The new VFS features in Samba 4 adapt the filesystem on the server to match the Windows client semantics, allowing Samba 4 to better match Windows behaviour and application expectations. This includes file annotation information (in streams) and NT ACLs in particular. The VFS is backed with an extensive automated test suite.
The Samba 4 architecture is based around an LDAP-like database that can use a range of modular backends. One of the backends supports standards compliant LDAP servers (including OpenLDAP), and we are working on modules to map between AD-like behaviours and this backend.
We are aiming for Samba 4 to be a powerful frontend to large directories.
There’s also a warning to read, because this is NOT a production level release!
Samba4 alpha1 is not a final Samba release. That is more a reference to Samba4’s lack of the features we expect you will need than a statement of code quality, but clearly it hasn’t seen a broad deployment yet. If you were to upgrade Samba3 (or indeed Windows) to Samba4, you would find many things work, but that other key features you may have relied on simply are not there yet.
For example, while Samba 3.0 is an excellent member of an Active Directory domain, Samba4 is happier as a domain controller: (This is where we have done most of the research and development).
While Samba4 is subjected to an awesome battery of tests on an automated basis, and we have found Samba4 to be very stable in its behaviour, we have to recommend against upgrading production servers from Samba 3 to Samba 4 at this stage. If you are upgrading an experimental server, or looking to develop and test Samba, you should backup all configuration and data.
You can check out an interview I did with Samba’s release manager Jerry Carter (who actually works more on Samba 3.025, fyi) about how Samba4 is making Active Directory “Linux friendlier.”
Via the Samba News page:
Samba 4 is the ambitious next version of the Samba suite that is being developed in parallel to the stable 3.0 series. The main emphasis in this branch is support for the Active Directory logon protocols used by Windows 2000 and above.
Samba 4 is currently not yet in a state where it is usable in production environments. Note the WARNINGS in WHATSNEW.txt in the source and the STATUS file which aims to document what should and should not work.
Samba4 alpha1 is the culmination of 4.5 years of development under our belt since Tridge first proposed a new Virtual File System (VFS) layer for Samba3 (a project which eventually led to our Active Directory efforts), and 1.5 years since we first released a Technology Preview. We wish to allow users, managers and developers to see how we have progressed, and to invite feedback and support.
This release has been signed using GPG with Andrew Bartlett’s GPG key (28B436BB). The source code can be downloaded now.
Remember, there are two distinct development efforts going on at Samba right now. This is a different beast from the 3.0 release, and should be treated as such!