Blog

The SAMBA+ software packages from SerNet are now also available for IBM's Unix operating system AIX. SAMBA+ AIX can be purchased as a subscription with a runtime of 1, 3 or 5 years in the SAMBA+ shop. The administration of the subscription as well as the download of SAMBA+ AIX is done via the open source system OPOSSO.

A decisive advantage of SerNet's AIX packages is the minimized dependency on third-party libraries or other external package sources. This is achieved by shipping SAMBA+ AIX as a tarball with an installation script. This distinguishes SAMBA+ AIX from rpm-based packages on the market, which often have dependency problems and are not well tested.

By providing AIX packages, SerNet is responding to various customer requests. For AIX systems, the Samba software previously had to be compiled at great effort. In the past, SerNet's Samba team has often provided support and made individual adaptations. This is now obsolete due to the extensively tested and maintained SAMBA+ AIX software packages.

At SerNet, Björn Jacke, a long-time member of the international Samba team, worked primarily on the AIX packages. He has already gained a lot of experience in porting the Samba software for various Unix distributions or AIX customizations on customer request. Subscribers to the SAMBA+ AIX packages can now benefit from this know-how.


Volker Lendecke at SDC EMEA 2019

Volker Lendecke, SerNet co-founder and long-time Samba Team member, gave a talk on "Integrating Storage Systems into Active Directory with winbind" at this year’s SDC EMEA (January 30, 2019 – Tel Aviv, Israel). The recording is available on YouTube: https://youtu.be/w_r27Ono9TI

From the abstract
Most environments use Active Directory as their primary authentication and authorization source. Users and groups are stored there. Any storage system must authenticate and authorize users in some way. Samba's winbind provides a solution to seamlessly integrate with Active Directory using the same mechanisms a native Windows client uses. It provides an API to authenticate users and retrieve authorization information like group memberships of authenticated users. Also, it can integrate into any kind of mapping scheme of Windows and Unix principals, and from there it can integrate Windows users into the Unix user database.

This talk will give an overview of the API that storage vendors and integrators can use to access winbind's services. This API is licensed LGPL and not GPL, so it does not put licensing restrictions on the storage software using it.

Learning outcomes:

  1. Active Directory Authentication Mechanisms
  2. Windows/Unix ID-mapping
  3. Practical API description for accessing Active Directory

Download slides as PDF.


Samba developers from SerNet gave talks at this year’s SDC - Storage Developer Conference (September 24 to 27, 2018 in Santa Clara, California/USA). Video recordings from the conference are available on YouTube now.

Here are the links:


SerNet released the first SAMBA+ packages of the 4.9 release series. These packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux and Ubuntu. One of the new features in Samba 4.9 is improved support for trusted domains when Samba is running as Active Directory Domain Controller (AD DC). This main improvement was made possible by a sponsorship from SerNet.

In addition, the new 4.9 series includes many improvements and features, which are documented in the Samba 4.9.0 release notes.

Improved support for trusted domains (as AD DC)

The support for trusted domains/forests has been further improved. External domain trusts, as well as transitive forest trusts, are now supported in both directions (inbound and outbound) for Kerberos and NTLM authentication. Stefan Metzmacher, long-time Samba team member and valued SerNet colleague, worked on the topic. SerNet has made this possible through a six-figure development sponsorship.

The following features are new in 4.9 (compared to 4.8):

  • It’s now possible to add users/groups of a trusted domain into domain groups. The group memberships are expanded on trust boundaries.
  • foreignSecurityPrincipal objects (FPO) are now automatically created when members (as SID) of a trusted domain/forest are added to a group.
  • The 'samba-tool group *members' commands allow members to be specified as foreign SIDs.


However, there are currently still a few limitations:

  • Both sides of the trust need to fully trust each other!
  • No SID filtering rules are applied at all!
  • This means DCs of domain A can grant domain admin rights in domain B.
  • Selective (CROSS_ORGANIZATION) authentication is not supported. It's possible to create such a trust, but the KDC and winbindd ignore them.
  • Samba can still only operate in a forest with just one single domain.
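
What the missing SID filtering means in practice, as an added example that is not Samba code or part of the original post: a simplified filter that accepts only SIDs from the trusted domain's own namespace, which is the kind of check the limitations above say is not applied. The domain SIDs, the sample list and the function names are constructed for illustration.

```python
from typing import Optional

# Simplified model of domain-SID filtering on an inbound trust (added example).
# All SIDs are constructed sample values, not taken from a real environment.
DOMAIN_A = "S-1-5-21-1111111111-2222222222-3333333333"  # trusted domain
DOMAIN_B = "S-1-5-21-4444444444-5555555555-6666666666"  # trusting (local) domain
PRIVILEGED_RIDS = {512: "Domain Admins", 519: "Enterprise Admins"}


def split_sid(sid: str) -> Optional[tuple]:
    """Split S-1-5-21-x-y-z-RID into (domain SID, RID); None for other SIDs."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None
    if not all(p.isdigit() for p in parts[4:]):
        return None
    return "-".join(parts[:7]), int(parts[7])


def review_trusted_sids(sids, trusted=DOMAIN_A, local=DOMAIN_B):
    """Classify SIDs asserted by a DC of the trusted domain.

    Returns (accepted, rejected); rejected entries carry a reason string.
    """
    accepted, rejected = [], []
    for sid in sids:
        parsed = split_sid(sid)
        if parsed and parsed[0] == trusted:
            accepted.append(sid)
        elif parsed and parsed[0] == local:
            group = PRIVILEGED_RIDS.get(parsed[1], "local principal")
            rejected.append((sid, f"claims {group} of trusting domain"))
        else:
            rejected.append((sid, "outside trusted domain's SID namespace"))
    return accepted, rejected


# Constructed group list as it might arrive over the trust from domain A.
SAMPLE = [DOMAIN_A + "-1104", DOMAIN_A + "-513", DOMAIN_B + "-512", "S-1-5-32-544"]

if __name__ == "__main__":
    ok, bad = review_trusted_sids(SAMPLE)
    print("accepted:", ok)
    for sid, why in bad:
        print("rejected:", sid, "-", why)
```

Without such a filter, every entry in the sample list would be honoured by domain B, including the one carrying domain B's own Domain Admins RID.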

CTDB changes and further notes

Due to major changes, users who run CTDB should consult the Samba release notes and carefully read the 'CTDB changes' section and its instructions. The configuration style has been overhauled, and the existing configuration needs to be migrated before CTDB can run with the new release. The configuration migration script, which can assist in migrating the old CTDB configuration to the new style, is stored at /usr/share/ctdb/scripts/config_migrate.sh in the new packages. The script takes the /etc/default/sernet-samba-ctdb configuration file and creates a directory including a new example configuration. If CTDB manages Samba services, the created commands.sh file shows how the event scripts can be enabled.

This is the first release of SAMBA+ packages for the Samba 4.9 release series. We recommend testing thoroughly before upgrading and reading the release notes carefully! With the release of Samba 4.9, the former release series change their status as follows: Samba 4.8 enters maintenance mode, Samba 4.7 enters security-releases-only mode and Samba 4.6 is discontinued.

Also, the new 4.9 packages won’t be available for some distributions any longer. Please have a look at the SAMBA+ HowTo on OPOSSO.


This year’s SDC - Storage Developer Conference will take place from September 24 to 27, 2018 in Santa Clara (California/USA). SerNet supports the SNIA hosted event again as silver sponsor. We will also be present with a sales team and a lot of information about SAMBA+, especially SAMBA+ for OEM and SAMBA+ LTS.

In addition, our Samba developer team will be attending and give the following talks:

  • Stefan Metzmacher: He will give his talk "Samba SMB-Direct Status Update" from 1:00 p.m. to 1:50 p.m. on Tuesday, September 25, in room Winchester.
  • Ralph Böhme: His talk "Implementing Persistent Handles in Samba" is set for Tuesday, September 25, from 3:05 p.m. to 3:55 p.m. in room Winchester.
  • Volker Lendecke: On Wednesday, September 26, he presents "Clustered Samba Scalability Improvements" in room Winchester.
