Blog

All talks for sambaXP 2022 welcome!

Update: Due to the ongoing Corona pandemic, the organising committee has decided to host the sambaXP 2022 again as a virtual event.

The call for papers for the 21st sambaXP has officially started! SerNet will host the annual meeting of the international samba community from May 31st to June 2nd 2022 at Hotel Freizeit In in Göttingen, Germany. Early Bird tickets for the conference are already available. Ticket bookings and more information about the CfP here: sambaxp.org.

Tickets for the conference (June 1 & 2, 2022) are available until February 28, 2022 at the early bird price of 399 Euro. After that, the regular price is 499 Euros. In addition, tutorials are being planned for May 31, about which we will provide information at a later date.  

As it stands now, the plan is for the conference to be held on-site again. The entire SerNet and Samba@SerNet team is looking forward to seeing everyone again in Göttingen. Nevertheless, we are continuously monitoring the situation and will re-decide if necessary depending on current developments.


Ralph Böhme on "The new Samba VFS"

Recordings from the 2021 Storage Developer Conference (SDC)  are now online, including those from the SerNet Samba Team. Ralph Böhme talked about "The new Samba VFS" and Stefan Metzmacher presented an Status Update on "Samba Multi-Channel/io_uring".

"The new Samba VFS" video by Ralph Böhme is on YouTube: https://youtu.be/D9EZO3gkT9U, also available are the slides.

Abstract: Starting with version 4.14 Samba provides core infrastructure code that allows basing all access to the server's filesystem on file handles and not on paths. An example of this is using fstat() instead of stat(), or SMB_VFS_FSTAT() instead of SMB_VFS_STAT() in Samba parlance. Historically Samba's fileserver code had to deal a lot with processing path based SMB requests. While the SMB protocol itself has been streamlined to be purely handle based starting with SMB2, large parts of infrastructure code remains in place that will "degrade" handle based SMB2 requests to path based filesystem access. In order to fully leverage the handle based nature of the SMB2 protocol we came up with a straight forward way to convert this infrastructure code, so it can be converted to make use of a purely handle based VFS interface. The talk presents what we have achieved so far and what is left to do. It's intended audience is anyone working on the Samba fileserver code and anyone working on Samba VFS modules.

The "Samba Multi-Channel/io_uring Status Update" by Stefan Metzmacher is also on YouTube: https://youtu.be/fnA4imgBsUo, slides are available.

Abstract: Samba had experimental support for multi-channel for quite a while. SMB3 has a few concepts to replay requests safely. We now implement them completely (and in parts better than a Windows Server). The talk will explain how we implemented the missing features. With the increasing amount of network throughput, we'll reach a point where a data copies are too much for a single cpu core to handle. This talk gives an overview about how the io_uring infrastructure of the Linux kernel could be used in order to avoid copying data, as well as spreading the load between cpu cores. A prototype for this exists and shows excellent results.


SAMBA+ 4.15.2, 4.14.10 and 4.13.14 have just been released by SerNet. These are important security releases, please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.

The packages address the following issues:

  • CVE-2020-25717: A user in an AD Domain could become root on domain members.
  • CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC.
  • CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets.
  • CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid).
  • CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored. 
  • CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication.
  • CVE-2021-3738: Use after free in Samba AD DC RPC server.
  • CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.

IMPORTANT NOTES:

This releases involve some behaviour changes which might break existing setups. Additional configuration changes might be required.

A new smb.conf parameter "min domain uid" (default 1000) has been added. By default no UNIX uid below this value will be accepted. Please check your ID-Mapping configuration.

The fallback from 'DOMAIN\user' to just 'user' has also been removed, as it dangerous and not needed when nss_winbind is used (even when 'winbind use default domain = yes' is set).

However there are setups which are joined to an Active Directory domain just for authentication, but the authorization is handled without nss_winbind by mapping the domain account to a local user provided by nss_file, nss_ldap or something similar. NOTE: These setups won't work anymore without explicitly mapping the users!

For these setups administrators need to use the 'username map' or 'username map script' option in order to map domain users explicitly to local users, e.g. user = DOMAIN\user

Please consult the 'man 5 smb.conf' for further details on 'username map' or 'username map script'. Also note that in the above example '\' refers to the default value of the 'winbind separator' option.

There is a regression with the "allow trusted domains = no" smb.conf option. It prevents the winbind service from starting. We'll provide a follow up fix as soon as possible.

Additionally the 4.15.2 packages address the following issues:

  • Bug 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call. 
  • Bug 14846: Fix -k legacy option for client tools like smbclient, rpcclient, net, etc. 
  • Bug 14882: smbXsrv_client_global record validation leads to crash if existing record points at non-existing process.

SAMBA+ packages and all later versions are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.


ksmbd vs. Samba

"ksmbd" is a new Linux kernel module which implements an SMB server. It's aimed at being low overhead, low footprint, performant fileserver covering many basic usecases, running on smaller devices with limited resources being the most apparent one: OpenWRT, the Linux distribution for embedded devices, adopted ksmbd already 18 months ago while ksmbd was still being developed.

ksmbd hit the public in November 2021 as part of the next Linux kernel version 5.15. It is not meant to replace the existing Samba fileserver "smbd", but rather be an extension and will integrate with Samba in the future. Samba's fileserver smbd is much broader in scope and supports various usecases and features that ksmbd does not:

  • Running as a Active Directory domain member
  • Scale-out clustering
  • Optimize for specific filesystems like GlusterFS or Ceph via dedicated VFS modules
  • Shadow Copy support

While being a mostly feature complete SMB3 server, lacking only some advanced features like Durable Handles, Directory Leases and Multi-Channel, ksmbd currently can only make use of local users and passwords which precludes use in corporate environments where typically Active Directory or similar identity sources are used.

ksmbd claims performance improvements on a wide range of benchmarks: the graphs on this page show a doubling of performance on some tests. There was also the notion that an in-kernel server is likely an easier place to support SMB Direct, which uses RDMA to transfer data between systems.

Clearly, those numbers are impressive, but at the same time recent improvements in Samba's IO performance put this into perspective: by leveraging the new “io_uring” Linux API Samba is able to provide roughly 10x the throughput compared to ksmbd.

Time will tell whether it's better to reside in kernel-space like ksmbd or in user-space like Samba in order to squeeze the last bit of performance out of the available hardware.

How mature is ksmbd? Given that its was primarily developed by a Samsung engineer, it is likely that it is being used in Samsung products today. However, the November release is a .0 release with all caveats that come with it. Some of the details, including various security issues that were found and fixed quite late in the game, are described in an article over at LWN.

All in all, ksmbd is an impressive work and in order to facilitate and encourage collaboration, the main ksmbd developer Namjae Jeon has been invited to join the international Samba team. ksmbd already adds interesting capabilities to the mix and the SerNet Samba team is looking forward to working with and on ksmbd!


SAMBA+ 4.13.13 has just been released by SerNet. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

These packages address several issues, which are listed in the release notes:

This release also fixes a security problem related to Kerberos authentication. As usual, we recommended to update to the latest bugfix release of the major version branch that you use.

SAMBA+ packages and all later versions are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.


Contact us
Contact
Deutsch English Français