SambaWiki - User contributions [en] (Atom feed for user Ekacnet, generated 2024-03-29T07:21:37Z by MediaWiki 1.39.5)<br />
https://wiki.samba.org/index.php?title=SoC/Ideas&diff=10267 SoC/Ideas 2015-05-20T16:32:01Z<p>Ekacnet: </p>
<hr />
<div>= Google Summer of Code: Suggested Project ideas =<br />
<br />
The following are the Samba project ideas for Summer of Code.<br />
Of course you are free to come up with ideas not listed here.<br />
Please discuss your planned project by either joining us on irc://irc.freenode.net/#samba-technical or <br />
by sending email to samba-technical@lists.samba.org.<br />
<br />
Most of our projects will require C programming skills, but the Samba section has a couple of Python projects.<br />
<br />
==Samba==<br />
<br />
Some additional possible GSoC topics can be found in Bugzilla in the form of bugs which are marked as "Feature request": [https://bugzilla.samba.org/buglist.cgi?query_format=advanced&short_desc=Feature%20request&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&short_desc_type=allwordssubstr&product=Samba%204.0 here]. Questions regarding complexity and requirements should be directed to the technical mailing list.<br />
<br />
<!-- Commented out possibly stale proposals<br />
<br />
===Browsing support in Samba 4===<br />
Samba 4 still needs support for mailslots in general and in particular for the BROWSE mailslot. Should come with tests. Documentation of the BROWSER protocol is available here:<br />
http://msdn.microsoft.com/en-us/library/cc201609(PROT.10).aspx<br />
http://ubiqx.org/cifs/Browsing.html<br />
<br />
*Difficulty: Hard<br />
*Language(s): C<br />
*Possible mentors: Stefan Metzmacher<br />
<br />
===Implement login / logout related counter update===<br />
At the moment the attributes related to login and logout are not <br />
updated by Samba4.<br />
The goal of this project is to understand in which cases Windows updates <br />
the counters (i.e. most probably during interactive logon, but maybe also <br />
with some netlogon calls?) and to implement the counter and timestamp <br />
updates in Samba's code so that this information becomes available.<br />
This project of course includes the development of unit tests.<br />
<br />
*Difficulty: Easy<br />
*Language(s): C<br />
*Possible mentors: Andrew Bartlett<br />
<br />
===Improve regedit===<br />
<br />
Last year someone started writing an ncurses based registry editor. The editor could be improved, for example by putting some effort into a better look and feel and by adding dcerpc winreg support to connect to a registry remotely.<br />
<br />
See https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/regedit<br />
<br />
* Difficulty: Medium<br />
* Language(s): C<br />
* Possible mentors: Andreas Schneider, Michael Adam<br />
<br />
--><br />
<br />
===Add (lib)smbclient server-side copy support===<br />
<br />
Using the Copy-Chunk server-side copy FSCTL, an SMB client can request that a server copy a specific range of bytes from one file to another, without needing to transfer the data across the network. Copy-Chunk is now supported by Samba's SMB2 file-server. The goal of this task is to implement smbclient support for server-side copy operations using FSCTL_SRV_REQUEST_RESUME_KEY and FSCTL_SRV_COPYCHUNK SMB2 requests.<br />
<br />
*Difficulty: Easy, Medium<br />
*Language(s): C<br />
*Possible mentors: David Disseldorp<br />
<br />
===Utilize libsmbclient server-side copy support in file managers===<br />
<br />
Following the completion of [[#Add (lib)smbclient server-side copy support|libsmbclient server-side copy support]], file managers making use of libsmbclient can be changed to utilize server-side copy support for greatly improved remote copy performance. Potential file manager targets include GNOME Files/Nautilus (gvfs_smb), Dolphin (kio_smb) and Kodi's File Manager.<br />
<br />
*Difficulty: Easy, Medium<br />
*Language(s): C, C++<br />
*Possible mentors: David Disseldorp<br />
<br />
===Improve libcli/dns===<br />
<br />
Samba comes with its own asynchronous DNS parser framework developed for the internal DNS server. Basic calls have been implemented for a client-side library as well, but a more fleshed out implementation is needed. The goal of this project is to implement more high-level calls handling DNS requests, such as UDP/TCP switchover and client-side GSS-TSIG cryptography. A test suite exercising all the functions is required and can be used to cross-check and complement the existing DNS server tests already shipped by Samba. This test suite should use [http://cmocka.org/ cmocka].<br />
<br />
See [https://git.samba.org/?p=samba.git;a=tree;f=libcli/dns;hb=HEAD Samba's gitweb] for the current code.<br />
<br />
* Difficulty: Medium<br />
* Language(s): C<br />
* Possible mentors: Kai Blin<br />
<br />
===Windows Search Protocol WSP client library and torture tests===<br />
<br />
The Windows Search Protocol WSP is used to implement remote full filesystem indexing (indexed search) between Windows machines. We would like to support this functionality in Samba, interfacing with existing indexing tools on Unix systems (such as GNOME Tracker).<br />
<br />
This is a DCE/RPC protocol. See http://msdn.microsoft.com/en-us/library/cc251767.aspx .<br />
<br />
The student should write a (un)marshalling library to push and pull PDUs and an asynchronous client library on top of the Samba raw smb client library.<br />
<br />
The student should write sub-tests for smbtorture which should demonstrate how the protocol works against a Windows server.<br />
The student doesn't have to implement the Samba server code.<br />
Noel Power from SUSE has done a basic server implementation and should be able to give guidance.<br />
<br />
*Difficulty: Medium, Hard<br />
*Language(s): C, (Python)<br />
*Possible Mentors: Noel Power<br />
<br />
=== Print System Asynchronous Remote Protocol client library and torture tests===<br />
<br />
The Print System Asynchronous Remote Protocol ([https://msdn.microsoft.com/en-us/library/cc238080.aspx MS-PAR]) is a replacement for the synchronous Print System Remote Protocol (MS-RPRN). MS-PAR inherits many message and buffer formats from the old protocol, but allows for asynchronous submission and notification of print jobs. Further details of the protocol can be found in Günther and Andreas' [http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track2/Guenther_Deschner_Andreas_Schneider-Printing_Samba_4.pdf SambaXP presentation].<br />
<br />
The student should write a (un)marshalling library to push and pull MS-PAR PDUs, and an asynchronous client library on top of the Samba raw smb client library.<br />
<br />
The student should write sub-tests for smbtorture which should demonstrate how the protocol works against a Windows server.<br />
The student doesn't have to implement the Samba server code.<br />
<br />
*Difficulty: Medium, Hard<br />
*Language(s): C<br />
*Possible Mentors: Andreas Schneider, David Disseldorp<br />
<br />
===dbwrap back-end for Ceph RADOS key-value storage===<br />
<br />
Ceph offers a highly scalable and fault-tolerant storage system. Samba is already capable of sharing data located on the [https://ceph.com/ceph-storage/file-system/ Ceph Filesystem], however scale-out sharing (the same data exposed by multiple Samba nodes) currently requires the use of [https://ctdb.samba.org/ CTDB] for consistent and coherent state across Samba cluster nodes. In such a setup CTDB provides a clustered database with persistent key-value data storage and locking. Database usage is abstracted out via a generic ''dbwrap'' interface.<br><br />
<br />
Ceph's librados library provides an API for the storage and retrieval of arbitrary key-value data via the ''omap'' functions. A watch/notify protocol is also provided as a mechanism for synchronising client state (locking). Key-value data stored in the RADOS back-end inherits the same redundancy features as regular objects, making it a potentially good candidate as a replacement for CTDB in scale-out Samba clusters.<br />
<br />
This task involves the implementation and testing of a new ''dbwrap'' back-end that uses librados for the storage, retrieval and locking of Samba key-value state. Ideally, the candidate would also allow time for benchmarking, and an investigation of [http://ceph.newdream.net/papers/CawthonKeyValueStore.pdf scalability bottlenecks].<br />
<br />
*Difficulty: Medium, Hard<br />
*Language(s): C<br />
*Possible Mentors: David Disseldorp<br />
<br />
<br />
===Samba AD DC as the ideal POSIX Directory===<br />
<br />
Samba is a great Active Directory Domain Controller, but it is not an ideal directory server for a large, passionate and important user base: sites with Samba SMB servers, but also general purpose Linux servers. A smaller subset of these sites also have Linux desktops. These sites may also have Windows servers, but they, like the Windows desktops, are not the focus. <br />
<br />
These sites often used Samba + OpenLDAP, and are finding the move to Samba's AD DC a bit difficult, because schema extension is hard, some things are not done automatically (like uidNumber allocation), and in general the focus has been around matching Windows not listening to the needs of this part of our user base. <br />
<br />
Specific research should be done into what FreeIPA does well in targeting this user segment, and what customisations advanced users of OpenLDAP apply. <br />
<br />
This project would be to propose a number of specific improvements, and to add both tests and an implementation of these improvements to Samba.<br />
<br />
*Difficulty: Hard<br />
*Language(s): C, Python<br />
*Possible Mentors: Andrew Bartlett<br />
<br />
==Linux Kernel CIFS/SMB2/SMB3 client improvements==<br />
Interested students should contact Steve French (or Jeff Layton) and discuss possible improvements to the Linux Kernel CIFS VFS client. Here are some ideas to get you started:<br />
<br />
===Multiadapter support===<br />
* Benefits: Big performance advantage for some common cases (e.g. RSS capable adapters, and also two adapter scenarios) and prepares for RDMA in the future which will help cifs.ko in even more workloads.<br />
* Challenges: Testing may require more physical hardware (two, dual adapter machines to demonstrate performance improvements).<br />
* Language: C<br />
* Difficulty: Moderate<br />
* Possible Mentors: Steve French<br />
<br />
===Directory oplocks===<br />
* Benefits: Will reduce network load a lot in some workloads, and improve performance as well. Works with recent Windows servers (Windows 2012 and later e.g.).<br />
* Challenges: Samba does not support it yet (although this might help drive changes to the Server and Linux VFS eventually, if we have client support).<br />
* Language: C<br />
* Difficulty: Moderate<br />
* Possible Mentors: Steve French<br />
<br />
===Failover/Continuous Availability and HA improvements (Witness protocol)===<br />
* Benefits: Improved reliability, data integrity - may also allow planned migrations (moving data from one server to another).<br />
* Challenges: Complexity, requires additional RPC infrastructure in client.<br />
* Language: C<br />
* Difficulty: High<br />
* Possible Mentors: Steve French<br />
<br />
===File Copy Offload: T10 operations, and improved tools for using CopyChunk===<br />
* Benefits: Improved performance. Good news is that CopyChunk already works. May be even more useful if TRIM/DISCARD support also added.<br />
* Challenges: No cross-filesystem user space tools for NFSv4.2 and CIFS copy offload.<br />
* Language: C<br />
* Difficulty: Low / moderate<br />
* Possible Mentors: Steve French<br />
<br />
=== Support for SELinux ===<br />
* MAC (mandatory access control) security label support is important for virtualization and useful for improved security in some workloads. Support for setting/getting these labels over the wire was investigated in the NFS version 4 workgroup. Adding support to the CIFS Unix Extensions (Linux kernel client and Samba server) should be possible, especially if this is just a new class of extended attribute. The goal would be to support this feature of SELinux to allow KVM and other applications to take advantage of security labels. Some of the background requirements are loosely related to (the NFS equivalent of) what is mentioned in: http://tools.ietf.org/html/draft-quigley-nfsv4-sec-label-01<br />
* Language: C<br />
* Difficulty: Hard<br />
* Possible Mentors: Steve French<br />
<br />
===Create GUI or command-line tools for displaying /proc/fs/cifs statistics and mount/session status===<br />
* Might also involve some cleanup of the in-kernel stats / status output.<br />
* A mostly complete [http://oss.sgi.com/archives/pcp/2013-08/msg00090.html cifs.ko Performance Co-Pilot (PCP) monitoring agent] was implemented in 2013.<br />
* Language: some C (for kernel code), something else for GUI?<br />
* Difficulty: Easy<br />
* Possible Mentors: Steve French<br />
<br />
===Create a common uid mapping mechanism for Linux nfs and cifs vfs clients===<br />
* or maybe just figure out a way to hook cifs up to rpc.idmapd<br />
* add a way for the client to remap the uids returned by the server to uids which are valid on the client (or to a default if no such uid exists).<br />
* This is especially helpful when the server supports the CIFS Unix Extensions and has a different uid and gid mapping from the client.<br />
* Difficulty: Hard<br />
* Possible Mentors: Steve French<br />
<br />
===VFS change notification support===<br />
* add VFS support for calling into the filesystem when setting up notifications<br />
* add code to cifs/smb2 to set up and deal with notifications from the server in response to inotify/dnotify calls<br />
* Difficulty: Hard<br />
* Possible Mentors: Steve French<br />
<br />
===Support for retrieving snapshots, encrypted files, or compressed files from Windows===<br />
* Difficulty: Medium<br />
* Possible Mentors: Steve French<br />
<br />
===cifs->Samba automated test facility===<br />
* Do build verification similar to what we can now do with the Samba server and tools in the Samba build farm. Mounts from the Linux SMB2 and CIFS kernel clients could be tested with posix file i/o tests which might include modified versions of the "connectathon" and xfstest test suites and others. The goal is to quickly identify problems with newly integrated patches.<br />
* xfstests support for CIFS was added as part of [[SoC/2014]].<br />
* Difficulty: Hard<br />
* Possible Mentors: Steve French<br />
<br />
===Other Random Ideas===<br />
* Ideas aren't limited to these, feel free to propose something else:<br />
** Create a GUI for creating and managing Linux cifs mounts, and more easily configuring the many complex cifs mount options, statistics (/proc/fs/cifs)<br />
** Support for alternate transport protocols (other than TCP sockets). Adding support for SCTP to cifs/smb2 kernel clients and Samba server or perhaps more interesting add support for Linux's "virtio" transport to the cifs/smb2 kernel clients and Samba server (to allow optimized mounts and zero-copy transfer of data from virtualized guests to hosts on the same box)<br />
** Support for features (such as directory delegations) which NFS version 4.1 has but which current CIFS even with the most current CIFS->Samba protocol extensions (CIFS Unix Extensions) do not have -- will probably need server support too.<br />
** Add additional library support or modify Samba client libraries so they can use existing kernel cifs functions (such as sending SMBs on negotiated sessions when the kernel client already has a session to the server). With the addition of library to access cifs's pipe (in kernel), Samba client libraries or other dce/rpc code could use cifs kernel sessions for management of and over cifs mounts.<br />
** Add libraries and utilities to manage acls (cifs kernel client has an extended attribute for setting/getting "raw" cifs acls but userspace posix acl tools obviously can't be used to manage cifs specific acl features).<br />
*Difficulty: Varies<br />
*Language(s): C<br />
*Possible mentors: Steve French<br />
<br />
<!-- Commented out possibly stale proposals<br />
==Build Farm==<br />
<br />
The [http://build.samba.org/ Build Farm] is a set of machines with different configurations that regularly rebuild the latest snapshots of Samba and other projects on different platforms, to catch portability issues. It has a web interface and sends out emails.<br />
<br />
===Improve Build Farm look and Feel===<br />
Samba's [http://build.samba.org build farm] still hasn't adopted the new Samba graphical style, and its look and feel is not very good.<br />
With this submission we propose to address this with the following objectives:<br />
<br />
*Main ideas:<br />
** Adopt the new samba style <br />
** Improve reporting (i.e. show which builds fail and which succeed, daily emails, ...)<br />
** Make test errors quickly accessible, in this [http://build.samba.org/build.cgi/build/d72e624c4a62a62e8d34b0c54efc2a97c0493aa9 example], user has to scroll a long time before meeting the errors<br />
** Add the capacity to manage flaky tests and reduce email alerts (i.e. require 2 consecutive builds failing on the same flaky test to trigger a real error)<br />
** Improve page loading speed (ajax ?)<br />
*Difficulty: Easy to Medium<br />
*Language(s): HTML, CSS, Python<br />
*Possible mentors: Matthieu Patou<br />
--></div>
Ekacnet https://wiki.samba.org/index.php?title=Setting_up_Samba_as_an_Active_Directory_Domain_Controller&diff=6693 Setting up Samba as an Active Directory Domain Controller 2012-07-01T21:31:31Z<p>Ekacnet: /* Step 6: Testing Samba4 */</p>
<hr />
<div>= Samba4 HOWTO =<br />
<br />
This document explains how to setup a simple Samba4<br />
server. This is aimed at people who are already familiar with Samba3<br />
and wish to participate in Samba4 development or test the alpha<br />
releases of Samba4. This is not aimed at general production use of<br />
Samba4, although some brave sites are running Samba4 in production<br />
based on these instructions.<br />
<br />
== Video demonstrations of this HOWTO ==<br />
<br />
A set of [[samba4/videos|demonstration videos]] is available that<br />
may provide a useful overview of the contents of this HOWTO.<br />
<br />
== A note on alpha/beta versions ==<br />
<br />
Samba4 is developing very rapidly. This HOWTO is frequently updated to reflect the latest changes in the Samba git repository. Please see the Samba4 [[Samba4/Status|Status]] Wiki for more specifics on project status.<br />
<br />
== Step 1: Download Samba4 ==<br />
<br />
If you have downloaded the Samba4 code via a tarball released from the<br />
samba.org website, Step 1 has already been completed for you. For testing<br />
with the version released in the tarball, you may continue on to Step 2.<br />
<br />
Note that the references below to the top-level directory named<br />
"samba-master" will instead be based on the name of the tarball<br />
downloaded (e.g. "samba-4.0.0alpha13" for the tarball<br />
samba-4.0.0alpha13.tar.gz). Also note that in the "master" branch the<br />
samba4 code in our current git tree is now located in the top level<br />
directory.<br />
<br />
Otherwise there are two methods for downloading the current samba version:<br />
<br />
* via git<br />
* via rsync<br />
<br />
If you don't have rsync or git then install one of them, or stick to the latest tarball release.<br />
If you have a choice, we strongly recommend using the git method for<br />
downloading Samba, as it makes getting updates easier, and also allows<br />
you to integrate test patches from Samba developers more easily in<br />
case of problems.<br />
<br />
=== git ===<br />
<br />
$ git clone git://git.samba.org/samba.git samba-master; cd samba-master<br />
<br />
or via http:<br />
<br />
$ git clone http://gitweb.samba.org/samba.git samba-master; cd samba-master<br />
<br />
This will create a directory called "samba-master" in the current<br />
directory.<br />
<br />
If you want to update the tree to the latest version run:<br />
<br />
$ git pull<br />
<br />
=== rsync ===<br />
<br />
$ rsync -avz samba.org::ftp/unpacked/samba_4_0_test/ samba-master<br />
<br />
Note that the above rsync command will give you a checked out git<br />
repository, but it needs some changes so that you can update it using git:<br />
<br />
$ cd samba-master/<br />
$ rm .git/refs/tags/*<br />
$ rm -r .git/refs/remotes/<br />
$ git config remote.origin.url git://git.samba.org/samba.git<br />
$ git config --add remote.origin.fetch +refs/tags/*:refs/tags/*<br />
(the "git config --add" line above is optional)<br />
$ git fetch<br />
<br />
Note you can ignore this error from git fetch:<br />
error: refs/heads/master does not point to a valid object!<br />
<br />
You can update it to the latest version at some future date using:<br />
<br />
$ git pull<br />
<br />
If you get an error like this:<br />
fatal: Unable to create '[...]/samba_master/.git/index.lock': File exists.<br />
remove the lock file and try running "git pull" again.<br />
<br />
== Step 2: Compile Samba4 ==<br />
<br />
Required development libraries:<br />
*Python development libraries (python-dev in Debian/Ubuntu) required to compile<br />
<br />
Recommended optional development libraries:<br />
*acl and xattr development libraries (libacl1-dev, libattr1-dev packages in Debian/Ubuntu)<br />
*blkid development libraries (libblkid-dev package in Debian/Ubuntu)<br />
*gnutls (libgnutls-dev package in Debian/Ubuntu)<br />
*readline (libreadline-dev package in Debian/Ubuntu)<br />
*openldap (libldap2-dev package in Debian/Ubuntu; openldap2-devel in openSUSE) is required to build the Samba3 components with LDAP support. Lacking this library the build will complete but attempts to provision (via upgrade) an Active Directory domain from an existing Samba3 LDAP backend will fail.<br />
<br />
For Debian/Ubuntu:<br />
$ apt-get install build-essential libacl1-dev libattr1-dev \<br />
libblkid-dev libgnutls-dev libreadline-dev python-dev \<br />
python-dnspython gdb pkg-config libpopt-dev libldap2-dev \<br />
bind9utils dnsutils<br />
<br />
For Fedora:<br />
<br />
$ yum install libacl-devel libblkid-devel gnutls-devel \<br />
readline-devel python-devel gdb pkgconfig<br />
<br />
For Red Hat Enterprise Linux 6.x or CentOS 6.x:<br />
<br />
$ yum install libacl-devel libblkid-devel gnutls-devel \<br />
readline-devel python-devel gdb pkgconfig krb5-workstation<br />
$ yum install zlib-devel setroubleshoot-server \<br />
setroubleshoot-plugins policycoreutils-python \<br />
libsemanage-python setools-libs-python setools-libs \<br />
popt-devel libpcap-devel sqlite-devel libidn-devel \<br />
libxml2-devel libacl-devel libsepol-devel libattr-devel \<br />
keyutils-libs-devel cyrus-sasl-devel<br />
<br />
For openSUSE 11.4 or openSUSE 12.1:<br />
<br />
$ zypper install libacl-devel python-selinux autoconf make \<br />
python-devel gdb sqlite3-devel libgnutls-devel binutils \<br />
policycoreutils-python setools-libs selinux-policy \<br />
setools-libs popt-devel libpcap-devel keyutils-devel \<br />
libidn-devel libxml2-devel libacl-devel libsepol-devel \<br />
libattr-devel zlib-devel cyrus-sasl-devel gcc \<br />
krb5-client openldap2-devel libopenssl-devel<br />
<br />
For Gentoo:<br />
<br />
$ USE="dlz python gssapi" emerge cyrus-sasl heimdal bind bind-tools gnutls dnspython gdb libidn subunit<br />
$ ACCEPT_KEYWORDS="~amd64" USE="python" emerge =sys-libs/tdb-1.2.10 =sys-libs/tevent-0.9.15 =sys-libs/ldb-1.1.6<br />
Obviously that would be ~x86 instead of ~amd64 on an x86 arch. Also don't forget to run<br />
$ eselect python set 1<br />
where 1 is Python 2.X (3.X is not yet supported). If you don't know which version you are using, '''eselect python list''' will give you a list of the available ones.<br />
<br />
To build, run this:<br />
<br />
$ cd samba-master<br />
$ ./configure.developer<br />
$ make<br />
<br />
The above command will set up Samba4 to install in /usr/local/samba. If<br />
you want Samba to install somewhere else then you should use the<br />
--prefix option to configure.developer.<br />
<br />
The reason we recommend using configure.developer rather than<br />
configure for Samba4 alpha releases is that it will include extra<br />
debug information that will help us diagnose problems in case of<br />
failures. It will also allow you to run the various builtin automatic<br />
tests.<br />
<br />
== Step 3: Install Samba4 ==<br />
<br />
Run this as a user who has permission to write to the install<br />
directory (which defaults to /usr/local/samba). Use --prefix option to<br />
configure.developer above to change this.<br />
<br />
$ make install<br />
<br />
For the rest of this HOWTO we will assume that you have installed<br />
Samba4 in the default location, which is /usr/local/samba.<br />
<br />
== Step 4: Provision Samba4 ==<br />
<br />
The "provision" step sets up a basic user database, and is used when you are setting up your Samba4<br />
server in its own domain. If you instead want to setup your Samba4 server as an additional domain controller<br />
in an existing domain, then please see the separate page on [[Samba4 joining a domain]]. If you want to migrate an existing Samba3 domain to Samba4, see the [[#Migrating an Existing Samba3 Domain to Samba4|Migrating an Existing Samba3 Domain to Samba4]] section on this page.<br />
<br />
In the following examples we will assume your DNS domain name is<br />
'samdom.example.com' and your short (also known as NT4) domain name is<br />
'samdom'. We will assume that your Samba server's hostname is samba.<br />
<br />
It must be run as a user with permission to write to the install directory (which means you may need to run this command with sudo)<br />
<br />
# /usr/local/samba/sbin/provision \<br />
--realm=samdom.example.com --domain=SAMDOM \<br />
--adminpass=SOMEPASSWORD --server-role=dc<br />
<br />
If you get an error like this:<br />
tdb_open_ex: could not open file /usr/local/samba/private/sam.ldb.d/DC=SAMDOM,DC=EXAMPLE,DC=COM. ldb: Permission denied<br />
then you need to rerun with sudo<br />
<br />
Troubleshooting note:<br />
you may need to rm the smb.conf file if you failed to pass valid names and provision previously failed<br />
<br />
There are many other options you can pass to the 'provision' command, run it with the --help option to see a list of them.<br />
<br />
*Note: when using the Debian SID samba4 package, the provision script and the samba4 installation will abort if <tt>hostname -d</tt> returns an empty string (domain name not found), because the debian4.config script derives REALM as follows: <tt>REALM=`hostname -d | tr 'a-z' 'A-Z'`</tt>. So check that /etc/resolv.conf contains:<br />
domain ''samdom.example.com''<br />
<br />
== Step 5: Starting Samba4 ==<br />
<br />
If you are planning to run Samba4 as a production server, then just run the "samba" binary as root<br />
<br />
# samba<br />
<br />
That will run Samba4 in 'standard' mode, which is suitable for<br />
production use. Samba4 alpha13 doesn't yet have init scripts included<br />
for each platform, but making one for your platform should not be<br />
difficult. There are some example scripts (for RedHat/Fedora and Debian/Ubuntu) on the [[Samba4/InitScript]] page.<br />
<br />
If you are running Samba4 as a developer you may find<br />
the following more useful:<br />
<br />
# samba -i -M single<br />
<br />
This starts "samba" with messages on stdout, running as a<br />
single process. That mode of operation makes debugging "samba" with gdb<br />
particularly easy. If you want to launch it under gdb, the following<br />
example may be useful:<br />
<br />
$ sudo gdb --args bin/samba -i -M single<br />
<br />
Note that if you are running any Samba3 smbd or nmbd processes<br />
they need to be stopped before starting "samba" from Samba 4.<br />
<br />
Make sure you put the bin and sbin directories from your new install<br />
in your $PATH or you may end up running the wrong version. You can see what version <br />
you have by running "samba -V".<br />
<br />
Note: in older developer versions of samba4 "samba" was still called "smbd".<br />
<br />
== Step 6: Testing Samba4 ==<br />
<br />
First check you have the right version of smbclient in your $PATH<br />
<br />
$ smbclient --version<br />
<br />
This should show you a version starting with "Version 4.0.XXXXX". <br />
<br />
Now try this command:<br />
<br />
$ smbclient -L localhost -U%<br />
<br />
That should show you a list of shares available on your server. For example:<br />
<br />
Sharename Type Comment<br />
--------- ---- -------<br />
netlogon Disk<br />
sysvol Disk<br />
IPC$ IPC IPC Service (Samba 4.0.0alpha12-GIT-5e755e9)<br />
ADMIN$ Disk DISK Service (Samba 4.0.0alpha12-GIT-5e755e9)<br />
<br />
The 'netlogon' and 'sysvol' shares are basic shares needed for Active Directory server<br />
operation. <br />
<br />
If this does not work (or stops working) and you see a message like this:<br />
<br />
Failed to connect to ncacn_np:localhost - NT_STATUS_NO_MEMORY<br />
REWRITE: list servers not implemented<br />
<br />
Then stop samba, and check for the presence of ''/usr/local/samba/var/run/smbd-fileserver.conf.pid'', if present remove it.<br />
<br />
To test that authentication is working, you should try to connect to the netlogon share<br />
using the administrator password you set earlier.<br />
<br />
$ smbclient //localhost/netlogon -Uadministrator%PASSWORD<br />
<br />
You should get a "smb>" prompt, and access to your netlogon directory.<br />
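The checks in this step can be scripted. The following is an added example (not part of the HOWTO or of Samba): it parses the share table that "smbclient -L" prints and the output of "smbclient --version", confirms that the netlogon and sysvol shares are present, and reads the Samba version the server announces in the IPC$ comment, so you can tell whether you are really talking to the Samba4 binary you just installed. The sample listing embedded below is constructed from the output shown above; the function and constant names are this example's own.<br />

```python
"""Post-provision sanity checks for a Samba4 AD DC, based on the
smbclient output shown in Step 6 of the HOWTO.  Added example; the
function names and the sample listing are constructed for it."""
import re
import subprocess

# Shares the HOWTO says every AD DC must expose.
REQUIRED_SHARES = ("netlogon", "sysvol")

# Constructed sample: the share listing shown in Step 6.
SAMPLE_LISTING = """\
    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service (Samba 4.0.0alpha12-GIT-5e755e9)
    ADMIN$          Disk      DISK Service (Samba 4.0.0alpha12-GIT-5e755e9)
"""


def version_is_samba4(version_output):
    """True if 'smbclient --version' reports a 4.0 or newer build."""
    m = re.search(r"Version\s+(\d+)\.(\d+)", version_output)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= (4, 0)


def parse_share_list(listing):
    """Parse the table printed by 'smbclient -L' into {name: (type, comment)}.

    The header and the dashed underline are skipped; the Comment column may
    be empty.  A blank line ends the table (the Server/Workgroup sections
    that smbclient prints afterwards are not shares).
    """
    shares = {}
    in_table = False
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Sharename"):
            in_table = True
            continue
        if not in_table:
            continue
        if not line:
            break
        if line.startswith("---"):
            continue
        parts = line.split(None, 2)  # name, type, optional comment
        if len(parts) < 2:
            break
        comment = parts[2] if len(parts) == 3 else ""
        shares[parts[0]] = (parts[1], comment)
    return shares


def missing_required_shares(shares):
    """Required AD DC shares the server did not list (SMB names are case-insensitive)."""
    present = {name.lower() for name in shares}
    return [s for s in REQUIRED_SHARES if s not in present]


def server_version(shares):
    """Samba version string the server announces in the IPC$ comment, or None."""
    comment = shares.get("IPC$", ("", ""))[1]
    m = re.search(r"\(Samba ([^)]+)\)", comment)
    return m.group(1) if m else None


def run_checks(listing, version_output):
    """Combine the checks; returns a list of problems (empty means all good)."""
    problems = []
    if not version_is_samba4(version_output):
        problems.append("smbclient in $PATH is not a 4.0.x build: " + version_output.strip())
    shares = parse_share_list(listing)
    for name in missing_required_shares(shares):
        problems.append("required AD share missing: " + name)
    if server_version(shares) is None:
        problems.append("server did not announce a Samba version in the IPC$ comment")
    return problems


def live_check(server="localhost"):
    """Run the real Step 6 commands (anonymous listing with -U%) and check them."""
    version_output = subprocess.run(["smbclient", "--version"],
                                    capture_output=True, text=True).stdout
    listing = subprocess.run(["smbclient", "-L", server, "-U%"],
                             capture_output=True, text=True).stdout
    return run_checks(listing, version_output)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for line in run_checks(SAMPLE_LISTING, "Version 4.0.0alpha12-GIT-5e755e9") or ["all checks passed"]:
        print(line)
```

Call live_check() on the DC itself to run the real smbclient commands; an empty list means the version, the required shares and the server banner all look right.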
<br />
== Step 7: Create a share in smb.conf ==<br />
<br />
The provisioning will create a very simple smb.conf with no shares by<br />
default. For the server to be useful you will need to update it to<br />
have at least one share. For example:<br />
<br />
[test]<br />
path = /data/test<br />
read only = no<br />
<br />
Note that in current alpha versions of Samba4 you need to restart Samba<br />
to make new shares visible. This will be fixed in a future release.<br />
<br />
== Step 8: Configure DNS ==<br />
<br />
A working DNS setup is essential to the correct operation of<br />
Samba4. Without the right DNS entries, kerberos won't work, which in<br />
turn means that many of the basic features of Samba4 won't work.<br />
<br />
It is worth spending some extra time to ensure your DNS setup is just<br />
right, as debugging problems caused by mis-configured DNS can take a<br />
lot of time later on.<br />
<br />
The simplest way to get a working DNS setup for Samba4 is to start<br />
with the DNS configuration files that are created by the<br />
'provision' step above. If you look in the /usr/local/samba/private<br />
directory, you'll find a file called 'named.conf'.<br />
<br />
Assuming you have a bind 9.8.x or newer DNS server installed, you can<br />
activate the configuration that the provision has created by adding a<br />
line like this to /etc/bind/named.conf.local:<br />
<br />
include "/usr/local/samba/private/named.conf";<br />
<br />
After adding that line you should restart your bind server and check<br />
in the system logs for any problems.<br />
<br />
Note that the /usr/local/samba/private/named.conf requires at least<br />
bind 9.8.x to function and you may need to edit the <br />
/usr/local/samba/private/named.conf file to use the bind 9.9.x module<br />
(need to verify this).<br />
<br />
One common problem is that many modern Linux distributions activate<br />
'AppArmor' or 'SELinux' by default, and these may be configured to<br />
deny bind access to the named.conf and zone files created by<br />
the provision. If your bind logs show that bind is getting an access<br />
denied error when accessing these files, then please see your local system<br />
documentation for how to enable access to these files for bind (hint:<br />
for AppArmor systems such as Ubuntu, the command aa-logprof may be<br />
useful).<br />
<br />
Now you need to test that DNS is working correctly. Check that your<br />
/etc/resolv.conf is pointing correctly at your local DNS server, then<br />
run the following commands:<br />
<br />
$ host -t SRV _ldap._tcp.samdom.example.com.<br />
_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com.<br />
<br />
$ host -t SRV _kerberos._udp.samdom.example.com.<br />
_kerberos._udp.samdom.example.com has SRV record 0 100 88 samba.samdom.example.com.<br />
<br />
$ host -t A samba.samdom.example.com.<br />
samba.samdom.example.com has address 10.0.0.1<br />
<br />
Check that you get answers similar to the ones above (adjusted for<br />
your DNS domain name and hostname). If you get any errors then<br />
carefully check your system logs to find and fix the problem.<br />
<br />
*Note: One of the problems I've had on Debian systems is that the zone autogeneration always detects, and uses, 127.0.1.1 as the domain controller's IP address. That works fine until you 1) don't have a 127.0.1.1 interface on the machine or 2) go to join your first client to the domain. In /usr/local/samba/private/named.conf you might need to change 127.0.1.1 to reflect the actual IP address of the server you're setting up.<br />
*Note: On Debian SID (bind9 package), /etc/bind/named.conf.options is missing, which prevents the named daemon from starting and the installation from completing (create an empty file or comment out the corresponding line in /etc/bind/named.conf; see the syslog messages).<br />
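As an added example (not from the original HOWTO), here is a small shell script that applies the checks above automatically: it parses the host answer lines for the _ldap._tcp and _kerberos._udp SRV records and the DC's A record, requires the expected ports and target, and rejects a loopback address such as the 127.0.1.1 case in the notes above. The REALM and DC_HOST values are assumptions taken from the HOWTO's example names.<br />
<br />
```shell
#!/bin/sh
# Added example: sanity-check the answers a Samba4 provision should produce,
# parsing the 'host' output format shown in the HOWTO. REALM and DC_HOST are
# assumptions matching the HOWTO's example names; adjust for your domain.
REALM="samdom.example.com"
DC_HOST="samba.samdom.example.com"

# check_srv_line LINE PORT: parse one 'host -t SRV' answer line
# ("name has SRV record PRIO WEIGHT PORT TARGET.") and require that it
# points the service at DC_HOST on PORT. Prints the target; returns 1 on
# a mismatch or on unparseable input (e.g. an NXDOMAIN message).
check_srv_line() {
    line="$1"
    expected_port="$2"
    set -- $line                     # split the answer into words
    [ "$2" = "has" ] && [ "$3" = "SRV" ] && [ "$4" = "record" ] || return 1
    port="$7"
    target="${8%.}"                  # strip the trailing dot of the FQDN
    [ "$port" = "$expected_port" ] || return 1
    [ "$target" = "$DC_HOST" ] || return 1
    printf '%s\n' "$target"
}

# check_a_line LINE: parse one 'host -t A' answer line and reject loopback
# addresses. A provision that recorded 127.0.1.1 (the Debian case in the
# notes above) resolves fine on the DC itself but is useless to clients.
check_a_line() {
    line="$1"
    set -- $line
    [ "$2" = "has" ] && [ "$3" = "address" ] || return 1
    addr="$4"
    case "$addr" in
        127.*) return 2 ;;           # loopback: domain members cannot reach it
    esac
    printf '%s\n' "$addr"
}

# check_live: run the three lookups from the HOWTO against the resolver in
# /etc/resolv.conf and apply the checks above. Returns 0 only if all pass.
check_live() {
    check_srv_line "$(host -t SRV "_ldap._tcp.$REALM." | tail -n 1)" 389 || return 1
    check_srv_line "$(host -t SRV "_kerberos._udp.$REALM." | tail -n 1)" 88 || return 1
    check_a_line "$(host -t A "$DC_HOST." | tail -n 1)" || return 1
}

# Only query the network when explicitly asked, so the parsing functions
# can also be exercised on captured output.
if [ "${1:-}" = "--live" ]; then
    check_live && echo "DNS records for $REALM look sane"
fi
```

Run it with --live on the DC to query the configured resolver; without arguments it only defines the functions.<br />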
<br />
== Step 9: Testing kerberos ==<br />
Once DNS is working, you should test that the kerberos server built into<br />
Samba4 is working correctly.<br />
<br />
Before testing, first configure the krb5.conf file (/etc/krb5.conf on RHEL-like systems): replace the existing one with the sample from /usr/local/samba/share/setup/krb5.conf.<br />
Edit the file and replace ${REALM} with your realm name (your domain name in uppercase, e.g. SAMDOM.EXAMPLE.COM).<br />
<br />
The easiest test is to use the kinit command like this:<br />
<br />
$ kinit administrator@SAMDOM.EXAMPLE.COM<br />
Password:<br />
<br />
''Note:''<br><br />
: You have to give your 'domain realm SAMDOM.EXAMPLE.COM' in <b>uppercase letters</b> to kinit.<br />
<br />
The kinit should complete successfully. After it completes you can<br />
examine the received ticket like this:<br />
<br />
$ klist -e<br />
Ticket cache: FILE:/tmp/krb5cc_1000<br />
Default principal: administrator@SAMDOM.EXAMPLE.COM<br />
<br />
Valid starting Expires Service principal<br />
02/10/10 19:39:48 02/11/10 19:39:46 krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM<br />
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5<br />
<br />
If you find you don't have kinit or klist, you may need to install them. On Debian based<br />
systems (such as Ubuntu) the packages are called krb5-config and krb5-user.<br />
<br />
You can also test kerberos from a remote client; just make sure you have configured<br />
krb5.conf and resolv.conf there to point to the domain controller's IP address.<br />
<br />
''Note:''<br><br />
: If you are using a client behind NAT then you have to add the following to the krb5.conf on the domain controller server:<br />
<br />
[kdc]<br />
check-ticket-addresses = false<br />
<br />
== Step 10: Configure kerberos DNS dynamic updates (optional) ==<br />
<br />
To setup dynamic DNS updates you need to have a recent version of bind9 installed. It is highly recommended that you install at least version 9.8.0 as that version includes a set of patches from the Samba Team to make dynamic DNS updates much more robust and easier to configure. In the instructions below we give instructions for both bind 9.7.2 and 9.8.0, but please use 9.8.0 or later if at all possible.<br />
<br />
For Debian Lenny:<br />
<br />
If you also want to use Dynamically Loadable Zones (DLZ) then you should add the corresponding option (dlopen) depending on your version of bind.<br />
If you are about to compile a downloaded tarball you might need these libraries: libkrb5-dev and libssl-dev<br />
<br />
$ apt-get install libkrb5-dev libssl-dev<br />
$ tar -zxvf bind9.x.x.tar.gz<br />
$ cd bind9.x.x<br />
<br />
Bind9.8.0<br />
<br />
$ ./configure --with-gssapi=/usr/include/gssapi --with-dlz-dlopen=yes<br />
<br />
Bind9.8.1<br />
<br />
$ ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes<br />
<br />
$ make<br />
$ make install<br />
<br />
You can tell what version of bind9 you have using the command "/usr/sbin/named -V". If your OS does not have bind9 9.8.0 or later, then please consider getting it from a package provided by a 3rd party (for example, on Ubuntu there is a ppa available with the newer versions of bind9).<br />
<br />
=== Instructions for bind9 9.8.0 or later ===<br />
<br />
When using bind9 9.8.0 or later you should add a line like the following to the options section of your bind9 config:<br />
options {<br />
[...]<br />
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";<br />
[...]<br />
};<br />
<br />
On some systems (such as Ubuntu) this is located in /etc/bind/named.conf.options. Otherwise look for the "options {" part of your bind9 configuration.<br />
<br />
You also need an include line pointing at the named.conf in the private directory of your Samba install (this file is created by the provision command):<br />
<br />
include "/usr/local/samba/private/named.conf";<br />
<br />
On Debian based systems (such as Ubuntu) this include line is normally put in /etc/bind/named.conf.local. On RedHat based systems it goes in /etc/named.conf.<br />
<br />
=== Instructions for bind9 9.7.x ===<br />
<br />
If you have bind9 9.7.x (specifically 9.7.2 or later), then first determine if you can<br />
at all possibly run bind 9.8. You will have far fewer problems. Otherwise, follow these instructions.<br />
<br />
The Samba provision will have created a custom named.conf.update configuration file in the private directory of your Samba install. You need to include it in your master named.conf to allow Samba/Kerberos DNS updates to take place automatically. Be advised that if you include this file in Bind versions that don't support it, Bind will fail to start.<br />
<br />
You additionally need to set two environment variables for bind9 when using bind9 version 9.7.x:<br />
<br />
KEYTAB_FILE="/usr/local/samba/private/dns.keytab"<br />
KRB5_KTNAME="/usr/local/samba/private/dns.keytab"<br />
export KEYTAB_FILE<br />
export KRB5_KTNAME<br />
<br />
These should be put in your settings file for bind9. On Debian based<br />
systems (including Ubuntu) this is in /etc/default/bind9. On RedHat and SUSE derived systems it is<br />
in /etc/sysconfig/named. Strictly speaking you only either need<br />
KEYTAB_FILE or KRB5_KTNAME, but which you need depends on your distro,<br />
so it's easier to just set both.<br />
<br />
The dns.keytab must be readable by the bind server user; this can be accomplished by executing:<br />
$ chown named.named /usr/local/samba/private/dns.keytab<br />
<br />
(the provision should have setup these permissions for you automatically).<br />
<br />
Then in your /etc/bind/named.conf.options you need this:<br />
<br />
tkey-gssapi-credential "DNS/server.samdom.example.com";<br />
tkey-domain "SAMDOM.EXAMPLE.COM";<br />
<br />
The last part of the credential in the first line must match the DNS name of the server you have set up.<br />
<br />
=== Debugging dynamic DNS updates ===<br />
<br />
The way the automatic DNS update in Samba works is that the provision<br />
will create a file /usr/local/samba/private/dns_update_list, which<br />
contains a list of DNS entries that Samba will try to dynamically<br />
update at startup and every 10 minutes thereafter using the samba_dnsupdate utility.<br />
Updates will only happen if the DNS entries do not already exist.<br />
Remember that you need the nsupdate utility from the bind distribution<br />
for this to work (dnsutils package in Debian/Ubuntu).<br />
<br />
If you want to debug this process, then please run this as root:<br />
<br />
/usr/local/samba/sbin/samba_dnsupdate --verbose<br />
<br />
that will give you more information on the updates that Samba is doing<br />
at runtime, and show you any errors that are generated.<br />
<br />
=== Interaction with apparmor or SELinux ===<br />
<br />
Now you have to ensure that bind can read the dns.keytab file, the<br />
named.conf file and the zone file. It also needs to be able to write<br />
the zone file. The Samba provision tries to setup the permissions<br />
correctly for these files, but you may find you need to make changes<br />
in your Apparmor or SELinux configuration if you are running either of<br />
those. If you are using Apparmor then the aa-logprof command may help<br />
you add any missing permissions you need to add after you start Samba<br />
and bind9 for the first time after configuring them.<br />
<br />
You should also carefully check the permissions on the private/dns directory to ensure it is writeable by bind.<br />
<br />
== Step 11: Configure NTP (optional) ==<br />
<br />
RedHat 6.x:<br />
RedHat does not provide an NTP version recent enough to support signed NTP, so a newer version is required.<br />
<br />
1. Download NTP =>4.2.6 release from ntp.org ( verify md5 sum )<br />
<br />
2. Download the Redhat 6.1 ntp source rpm file from RedHat and install.<br />
<br />
3. Edit the ntp.spec and remove all lines regarding patches and correct the version number.<br />
<br />
4. Here is a <b>partial</b> diff showing the required edits; afterwards run <i>$ rpmbuild -ba ntp.spec</i><br />
218c115<br />
< --enable-linuxcaps<br />
---<br />
> --enable-linuxcaps --enable-ntp-signd<br />
327a225<br />
> %{_sbindir}/sntp<br />
345,346c243,244<br />
< %{_mandir}/man8/ntptime.8*<br />
< %{_mandir}/man8/tickadj.8*<br />
---<br />
> %{_mandir}/man8/ntpdtime.8*<br />
> #%{_mandir}/man8/tickadj.8*<br />
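Review bot: the replacement entry %{_mandir}/man8/ntpdtime.8* in the 345,346c243,244 hunk looks like a typo for ntptime.8*: the hunk renames the existing ntptime.8* line without explanation, and if nothing under the build root matches the new glob, rpmbuild's %files check fails with a missing-file error. Verify the name of the installed man page before applying this edit; if the intent was only to drop tickadj, keep the ntptime.8* line unchanged.<br />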
352c250<br />
< %{_mandir}/man8/ntp-wait.8*<br />
---<br />
> #%{_mandir}/man8/ntp-wait.8*<br />
<br />
For Debian/Ubuntu:<br />
<br />
Recent versions of Debian/Ubuntu already contain a version of ntp with support for signing. For older versions (Debian Squeeze, Ubuntu < 11.04), get a recent version of ntp:<br />
<br />
$ tar -zxvf ntp-4.x.x.tar.gz<br />
$ cd ntp-4.x.x<br />
$ ./configure --enable-ntp-signd<br />
$ make<br />
$ make install<br />
<br />
5. TODO ( add example ntp.conf changes )<br />
<br />
# A simple ntp.conf tested in Debian Lenny<br />
# Using the hardware clock<br />
server 127.127.1.1<br />
fudge 127.127.1.1 stratum 12<br />
ntpsigndsocket /usr/local/samba/var/run/ntp_signd/<br />
restrict default mssntp<br />
[...]<br />
<br />
== NOTES on permissions, SELinux labeling and policy ==<br />
<br />
RedHat 6.X:<br />
<br />
There is still more work TODO in regard to creating a Samba4 specific SELinux policy, but for now you should be<br />
able to have everything working *without* disabling SELinux.<br />
<br />
Based on the provision example above, set this environment variable for the commands below:<br />
MYREALM="samdom.example.com"<br />
<br />
Change permissions:<br />
chown named:named /usr/local/samba/private/dns<br />
chgrp named /usr/local/samba/private/dns.keytab<br />
chmod g+r /usr/local/samba/private/dns.keytab<br />
chmod 775 /usr/local/samba/private/dns<br />
<br />
Label files ( ensure $MYREALM is correct ):<br />
chcon -t named_conf_t /usr/local/samba/private/dns.keytab<br />
chcon -t named_conf_t /usr/local/samba/private/named.conf.update<br />
chcon -t named_var_run_t /usr/local/samba/private/dns<br />
chcon -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone<br />
<br />
<br />
Needed for persistence of labels ( ensure $MYREALM is correct ):<br />
semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab<br />
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf<br />
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf.update<br />
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns<br />
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone<br />
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl<br />
semanage fcontext -a -t ntpd_t /usr/local/samba/var/run/ntp_signd<br />
<br />
NOTE: Multiple attempts to set the context for ntp failed, so the policy (below) was needed for Windows client time sync after joining the DOMAIN.<br />
$ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/ntp_signd<br />
$ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/<br />
$ chcon -t ntpd_t /usr/local/samba/var/run/ntp_signd/socket<br />
<br />
samba4.te policy:<br />
module samba4 1.0;<br />
<br />
<br />
require {<br />
type ntpd_t;<br />
type usr_t;<br />
type initrc_t;<br />
class sock_file write;<br />
class unix_stream_socket connectto;<br />
}<br />
<br />
#============= ntpd_t ==============<br />
allow ntpd_t usr_t:sock_file write;<br />
<br />
#============= ntpd_t ==============<br />
allow ntpd_t initrc_t:unix_stream_socket connectto;<br />
<br />
Check and load policy:<br />
$ checkmodule -M -m -o samba4.mod samba4.te <br />
$ semodule_package -o samba4.pp -m samba4.mod<br />
$ semodule -i samba4.pp<br />
<br />
== NOTE about filesystem support ==<br />
<br />
To use the advanced features of Samba4 you need a filesystem that<br />
supports both the "user" and "system" xattr namespaces.<br />
<br />
If you run Linux with a 2.6 kernel and ext3 this means you need to<br />
include the option "user_xattr" in your /etc/fstab. For example:<br />
<br />
/dev/hda3 /home ext3 user_xattr 1 1<br />
<br />
You also need to compile your kernel with the XATTR and SECURITY<br />
options for your filesystem. For ext3 that means you need:<br />
<br />
CONFIG_EXT3_FS_XATTR=y<br />
CONFIG_EXT3_FS_SECURITY=y<br />
<br />
If you are running a Linux 2.6 kernel with CONFIG_IKCONFIG_PROC<br />
defined you can check this with the following command:<br />
<br />
$ zgrep CONFIG_EXT3_FS /proc/config.gz<br />
<br />
If you don't have a filesystem with xattr support, then you can<br />
simulate it by using the option:<br />
<br />
posix:eadb = /usr/local/samba/eadb.tdb<br />
<br />
that will place all extra file attributes (NT ACLs, DOS EAs, streams<br />
etc), in that tdb. It is not efficient, and doesn't scale well, but at<br />
least it gives you a choice when you don't have a modern filesystem.<br />
<br />
=== Testing your filesystem ===<br />
<br />
To test your filesystem support, install the 'attr' package and run<br />
the following 4 commands as root:<br />
<br />
# touch test.txt<br />
# setfattr -n user.test -v test test.txt<br />
# setfattr -n security.test -v test2 test.txt<br />
# getfattr -d test.txt<br />
# getfattr -n security.test -d test.txt<br />
<br />
You should see output like this:<br />
<br />
# file: test.txt<br />
user.test="test"<br />
<br />
# file: test.txt<br />
security.test="test2"<br />
<br />
If you get any "Operation not supported" errors then it means your<br />
kernel is not configured correctly, or your filesystem is not mounted<br />
with the right options.<br />
<br />
If you get any "Operation not permitted" errors then it probably means<br />
you didn't try the test as root.<br />
<br />
If you are using the posix:eadb option then you don't need to test your filesystem in this manner.<br />
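As an added example (not from the HOWTO), the following script runs the same four-command test unattended on a directory you name, reads the user attribute back, and maps the two error messages above to their causes; the directory argument is an assumption of this script.<br />
<br />
```shell
#!/bin/sh
# Added example: automate the xattr test from the HOWTO on a directory
# given as the first argument (an assumption of this script; use the
# mount point that will hold your Samba shares) and turn the error text
# into the diagnosis the HOWTO gives.

# classify_xattr_error STDERR: map setfattr/getfattr error text to one of
# ok, kernel-or-mount, not-root, unknown.
classify_xattr_error() {
    case "$1" in
        "")                            echo "ok" ;;
        *"Operation not supported"*)   echo "kernel-or-mount" ;;  # CONFIG_*_XATTR/SECURITY or user_xattr missing
        *"Operation not permitted"*)   echo "not-root" ;;         # security.* needs root
        *)                             echo "unknown" ;;
    esac
}

# xattr_check DIR: set a user.* and a security.* attribute on a scratch file
# in DIR, read the user value back, and print a diagnosis per namespace.
# Returns 0 only if both namespaces work, 2 if the attr tools are missing,
# 3 if DIR is not writable.
xattr_check() {
    dir="$1"
    command -v setfattr >/dev/null 2>&1 || { echo "missing-attr-package"; return 2; }
    f="$dir/xattr-test.$$"
    touch "$f" 2>/dev/null || return 3
    # user.* namespace: on ext3 this needs the user_xattr mount option
    err=$(setfattr -n user.test -v test "$f" 2>&1 >/dev/null) || true
    user_diag=$(classify_xattr_error "$err")
    # security.* namespace: needs CONFIG_<fs>_FS_SECURITY and root
    err=$(setfattr -n security.test -v test2 "$f" 2>&1 >/dev/null) || true
    sec_diag=$(classify_xattr_error "$err")
    # Reading back confirms the value was stored, as getfattr -d does above
    if [ "$user_diag" = ok ]; then
        [ "$(getfattr -n user.test --only-values "$f" 2>/dev/null)" = "test" ] \
            || user_diag="readback-failed"
    fi
    rm -f "$f"
    printf 'user: %s\nsecurity: %s\n' "$user_diag" "$sec_diag"
    [ "$user_diag" = ok ] && [ "$sec_diag" = ok ]
}

# Run against the directory named on the command line, if any.
if [ -n "${1:-}" ]; then
    xattr_check "$1"
fi
```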
<br />
== Profiling with google-perftools ==<br />
<br />
LDFLAGS="-ltcmalloc -lprofiler" ./configure --enable-developer ..... <br />
<br />
This also works for CFLAGS<br />
<br />
= Configure a Windows Client to join a Samba 4 Active Directory =<br />
<br />
Active Directory is a powerful administration service which enables an administrator to centrally and effectively manage a network of Windows 2000, Windows XP Pro, Windows 2003, and Windows Vista Business Edition machines. To test the real Samba 4 capability, we use Windows XP Pro as the testing environment (Windows XP Home doesn't include Active Directory functionality and won't work).<br />
<br />
To allow Samba 4 Active Directory or Microsoft Active Directory to manage a computer, we need to join the computer to the Active Directory domain.<br />
This involves:<br />
<br />
# Configuring DNS Setting<br />
# Configuring date/time and time zone<br />
# Joining the domain<br />
<br />
== Step 1: Configure DNS Setting for Windows ==<br />
<br />
Before we configure the DNS setting, verify that you are able to ping the Server's IP Address. If you are not able to ping the server, double check your IP address, firewall, routing, etc.<br />
<br />
Once you have verified network connectivity between the Samba server and client,<br />
<br />
# Right Click My Network Places -> Properties<br />
# Double click local area network->Properties<br />
# Double click tcp/ip<br />
# Use a static DNS server: add the Samba 4 server's IP address in the primary DNS server field.<br />
#:[[Image:Samba4dnsclient.jpg]]<br />
# Press ok, ok, ok again until finished.<br />
# Open a command prompt, type 'ping servername.your.realm' (change to suit your custom realm per your provision)<br />
<br />
If you get replies, then it means your Windows XP settings are correct (for DNS) and the Samba4 server's DNS service is working as well.<br />
<br />
== Step 2: Configure date/time and time zone ==<br />
<br />
Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clock on the client and server be synchronized to within a few seconds of each other. If they are not synchronized, authentication will fail for apparently no reason.<br />
<br />
# Change the timezone in Windows XP Pro so that server and client use the same time zone. On my computer, I use Asia/Kuala_Lumpur (I come from Malaysia).<br />
#:[[Image:Samba4timezone.jpg]]<br />
# Change the date/time so the client has the same HH:MM as the server.<br />
#:[[Image:Samba4time.jpg]]<br />
<br />
== Step 3: Joining the Windows client into domain ==<br />
<br />
Now your Windows machine is ready to join the Active Directory (AD) domain.<br />
<br />
As administrator:<br />
<br />
# Right click My Computer -> Properties<br />
# Choose Computer Name, click Change...<br />
# Click the option 'Domain', insert YOUR.REALM (if that fails, try YOURDOM) [[Image:Samba4joindomain.jpg]]<br />
# When it requests a username/password, type '''administrator''' as username, '''SOMEPASSWORD''' as password (per your earlier provision).<br />
# It will tell you that Windows XP has successfully joined the Active Directory domain, and that you need to restart.<br />
# After the restart, you should get the normal domain logon dialog<br />
# Choose domain YOURDOM, insert '''administrator''' as username, '''SOMEPASSWORD''' as password (again, per your earlier provision)<br />
# If you log in successfully, then you are able to use the Samba 4 Active Directory services described in the next section.<br />
<br />
= Viewing Samba 4 Active Directory object from Windows =<br />
<br />
We need to install the Windows 2003 adminpak into Windows XP in order to use<br />
GUI tools to manage the domain. Before beginning, make sure the domain<br />
administrator has administrative rights on your computer. (To<br />
give any user administrative rights in Windows XP Pro, right click My<br />
Computer, press Manage -> choose Groups -> double click Administrators<br />
and add members from the domain into the member list. When you add a<br />
member from Active Directory, it will prompt you to enter an<br />
Active Directory username/password.)<br />
<br />
== Step 1: Installing Windows Remote Administration Tools onto Windows ==<br />
<br />
=== Windows7 ===<br />
<br />
Download the Windows Remote Administration Tools from<br />
* http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en<br />
<br />
and follow the "Install RSAT" instructions<br />
<br />
=== Vista ===<br />
<br />
Download the Windows Remote Administration Tools from<br />
* http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en<br />
<br />
and follow the "Install RSAT" instruction described at<br />
* http://support.microsoft.com/kb/941314<br />
<br />
=== Windows XP Pro ===<br />
<br />
# In Windows XP, download adminpak and supporttools from<br />
#* http://www.microsoft.com/downloads/en/details.aspx?FamilyID=86b71a4f-4122-44af-be79-3f101e533d95<br />
#* http://download.microsoft.com/download/3/e/4/3e438f5e-24ef-4637-abd1-981341d349c7/WindowsServer2003-KB892777-SupportTools-x86-ENU.exe<br />
#:If you installed an older version of the adminpak, you'll notice the dial-in tab is missing from the property pages. Just follow the link above to get SP2, which does not have this issue.<br />
# Run through the installation.<br />
# Press Start -> Run, type 'dsa.msc'; if an 'Active Directory Users and Computers' window pops up, it means you have installed the adminpak successfully. You can also find this at Start > Programs > Administrative Tools, which should have a lot more items now.<br />
# Go to c:\Program Files\Support Tools to check whether the support tools were installed correctly; if so, your XP workstation is ready to manage the Samba 4 Active Directory.<br />
<br />
== Step 2: Viewing samba 4 active directory content ==<br />
<br />
# Log in as the domain 'testing1.org' administrator, press Start -> Run.<br />
# Type dsa.msc<br />
#:[[Image:Samba4run.jpg]]<br />
# Expand the testing1.org tree to see the existing objects in the domain. [[Image:Samba4dsa.msc.jpg]]<br />
<br />
= Managing Samba 4 Active Directory From Windows XP Pro =<br />
One of Samba4's goals is to integrate with (and replace) Active Directory as a system. At this point, if everything has worked correctly you should have an "Administrative Tools" menu under Programs. If, under Administrative Tools, you have "Active Directory Users and Computers", that is a very good sign. Most times, if there is a configuration problem or bug in Samba4, the AD Users & Computers snap-in (among other interfaces) won't show up as an option. You can run it by hand (Start -> Run -> dsa.msc) but it's unlikely to work correctly.<br />
<br />
<br />
== Step 1: Adding user into Samba 4 Active Directory ==<br />
Unlike Samba3, Samba4 does not require a local unix user for each Samba user that is created.<br />
<br />
To create a Samba user, use the command <br />
<br />
samba-tool user add USERNAME<br />
<br />
To inspect the allocated user ID and SID, use wbinfo<br />
<br />
$ bin/wbinfo --name-to-sid USERNAME<br />
S-1-5-21-4036476082-4153129556-3089177936-1005 SID_USER (1)<br />
<br />
$ bin/wbinfo --sid-to-uid S-1-5-21-4036476082-4153129556-3089177936-1005<br />
3000011<br />
<br />
If you want to change this mapping, then use ldbedit on the idmap.ldb,<br />
like this:<br />
<br />
$ bin/ldbedit -e emacs -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
You will find records that look like this:<br />
<br />
# record 1<br />
dn: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
cn: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
objectClass: sidMap<br />
objectSid: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
type: ID_TYPE_BOTH<br />
xidNumber: 3000011<br />
distinguishedName: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
If you change the xidNumber attribute, save in your editor and exit,<br />
then Samba will update the mapping between the SID and the user<br />
ID. Updating group mappings works in the same way.<br />
<br />
You can also manage users using the normal Windows AD user management<br />
tools.<br />
<br />
= Setting Up Roaming Profiles (Windows 7) =<br />
<br />
1. You will need to create a share for the profiles, typically named '''profiles'''. Edit the ''/usr/local/samba/etc/smb.conf'' to include:<br />
<br />
[profiles]<br />
path = /usr/local/samba/var/profiles<br />
read only = no<br />
<br />
2. Create the directory above using:<br />
<br />
$ sudo mkdir /usr/local/samba/var/profiles<br />
<br />
3. On windows start the ''Active Directory Users and Computers'', select all the users, right click and hit properties<br />
<br />
4. Under the profile tab, in the ''Profile path'' type the path to your share along with %USERNAME% as follows:<br />
<br />
\\sambaserver.samdom.example.com\profiles\%USERNAME%<br />
<br />
5. Click OK, log out and log in as one of those users. When you log out again, you should see that the profile has been synced to the samba server.<br />
<br />
= Adding organization unit (OU) into samba 4 domain =<br />
<br />
An Organizational Unit (OU) is a powerful feature in Active<br />
Directory. It is a type of container into which you can drag and drop<br />
users and/or computers.<br />
<br />
We can link several kinds of group policy to an OU, and the settings<br />
will be deployed to all users/computers under the OU. Within a single domain<br />
we can have as many OUs and sub-OUs as we like. The result is that<br />
it can greatly reduce administrative overhead, because you are able to<br />
manage everything via an OU. The implementation of group policy will<br />
be discussed in the next chapter.<br />
<br />
Before we create an OU, we must know what an OU looks like. By default<br />
we can see a sample OU 'Domain Controllers', which uses a different<br />
icon in the Windows management tools from the 'Users' and 'Computers'<br />
containers. We can deploy group policy to the users or computers container.<br />
<br />
# To create an OU, as the domain administrator, use Start -> Run -> dsa.msc<br />
# Right click on your domain.<br />
# Choose New -> Organizational Unit<br />
# Type 'OU Demo'<br />
# Then you will see a new OU appear, with the name 'OU Demo'.<br />
# You can drag your user 'demo' into the new OU (Don't move other users! Unless you want to get stuck!)<br />
# Right click the 'OU Demo'; you can create a sub OU with New -> Organizational Unit.<br />
<br />
Normally we create OUs based on the departmental setup of your<br />
organization. Be careful not to confuse groups and OUs: groups are<br />
used to control permissions, OUs are used for deploying settings to<br />
all users/computers within the OU.<br />
<br />
= Implementing Group Policies (GPO) in a Samba4 domain =<br />
<br />
Samba4 Active Directory has support for group policies, and can create<br />
the group policy on the fly. The basic idea of group policies is:<br />
<br />
# Group Policies have 2 kinds of settings, computer and user.<br />
# Computer settings apply to computers, user settings apply to users<br />
# We link the group policy to a particular OU, and the group policy will affect all computers/users under the OU.<br />
# To add a group policy, right click the 'OU Demo' OU -> Properties<br />
# Choose Group Policy<br />
# Press New, name it 'GP Demo'<br />
# Press Edit to edit the policy.<br />
# Here we will demonstrate how to block users from accessing the Control Panel. Open the tree 'User Configuration' -> 'Administrative Templates' -> 'Control Panel'.<br />
# Double click on 'Prohibit access to the Control Panel'<br />
# Press Enabled and then press OK. Now all users under 'OU Demo' won't be able to access the Control Panel.<br />
# Make sure user demo is inside the 'OU Demo' (You can drag and drop it).<br />
# Log out and log in as user 'demo'<br />
# You'll find user demo is not able to access the Control Panel<br />
<br />
;Note: User configuration will take effect once you log out and log in again.<br />
;Note: Computer configuration will take effect when you restart the computer.<br />
<br />
To learn more about managing and implementing organizational units, group policy, and Active Directory, try a web search on Windows 2003 Active Directory implementation.<br />
<br />
== Installing the Group Policy Management Console ==<br />
<br />
You may also find the Group Policy Management console useful. You can<br />
download it from:<br />
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en<br />
<br />
This is primarily useful for when you have larger installs and<br />
are managing many machines. You may need to download the .NET<br />
framework first.<br />
<br />
= Joining a Windows domain controller as an additional DC in a domain =<br />
<br />
Once you have a Samba domain controller setup, you can choose to join<br />
additional domain controllers to the domain, whether they be<br />
additional Samba domain controllers, or additional Windows domain<br />
controllers.<br />
<br />
If you wish to join an additional Samba domain controller to a domain,<br />
then please see the [[Samba4/HOWTO/Join a domain as a DC|Joining a domain as a DC]] page. The instructions<br />
on that page are the same for joining Samba to a Windows domain as<br />
they are for joining Samba to an existing Samba domain.<br />
<br />
If you wish to join a new Windows domain controller to a Samba domain,<br />
then you should use the 'dcpromo' tool on the Windows machine. Please<br />
see the normal instructions for installing dcpromo on Windows, with<br />
the exception that you should not tick the 'DNS server' option box<br />
when it is offered. Right now you should either use Windows for DNS,<br />
or use Samba and bind9 for DNS. Mixing the two can work, but it is an<br />
advanced topic that is beyond the scope of this howto.<br />
<br />
= Migrating an Existing Samba3 Domain to Samba4 =<br />
<br />
It is very likely that you already have a running Samba3 domain on your network. The question is, how do you migrate that domain and all of its users and machines over to a new Samba4 based domain, without needing to move every user profile and machine to the new domain? The answer is the [[Samba4/samba-tool/domain/classicupgrade/HOWTO|samba-tool domain classicupgrade]] function.<br />
<br />
= Report your success/failure! =<br />
<br />
Samba4 as a replicating domain controller is still developing rapidly,<br />
and we would like to hear from users about their successes and<br />
failures. While Samba4 is still in alpha release we would encourage<br />
you to report both your successes and failures to the samba-technical<br />
mailing list on http://lists.samba.org<br />
<br />
Please be aware that Samba4 is not complete, so you should deploy it<br />
carefully until it is ready for a non-alpha release.</div>Ekacnethttps://wiki.samba.org/index.php?title=Setting_up_Samba_as_an_Active_Directory_Domain_Controller&diff=6692Setting up Samba as an Active Directory Domain Controller2012-07-01T21:30:59Z<p>Ekacnet: /* Step 6: Testing Samba4 */</p>
<hr />
<div>= Samba4 HOWTO =<br />
<br />
This document explains how to set up a simple Samba4<br />
server. This is aimed at people who are already familiar with Samba3<br />
and wish to participate in Samba4 development or test the alpha<br />
releases of Samba4. This is not aimed at general production use of<br />
Samba4, although some brave sites are running Samba4 in production<br />
based on these instructions.<br />
<br />
== Video demonstrations of this HOWTO ==<br />
<br />
A set of [[samba4/videos|demonstration videos]] is available that<br />
may provide a useful overview of the contents of this HOWTO.<br />
<br />
== A note on alpha/beta versions ==<br />
<br />
Samba4 is developing very rapidly. This HOWTO is frequently updated to reflect the latest changes in the Samba git repository. Please see the Samba4 [[Samba4/Status|Status]] Wiki for more specifics on project status.<br />
<br />
== Step 1: Download Samba4 ==<br />
<br />
If you have downloaded the Samba4 code via a tarball released from the<br />
samba.org website, Step 1 has already been completed for you. For testing<br />
with the version released in the tarball, you may continue on to Step 2.<br />
<br />
Note that the references below to the top-level directory named<br />
"samba-master" will instead be based on the name of the tarball<br />
downloaded (e.g. "samba-4.0.0alpha13" for the tarball<br />
samba-4.0.0alpha13.tar.gz). Also note that in the "master" branch the<br />
samba4 code in our current git tree is now located in the top level<br />
directory.<br />
<br />
Otherwise there are two methods for downloading the current samba version:<br />
<br />
* via git<br />
* via rsync<br />
<br />
If you don't have rsync or git then install one of them, or stick to the latest tarball release.<br />
If you have a choice, we strongly recommend using the git method for<br />
downloading Samba, as it makes getting updates easier, and also allows<br />
you to integrate test patches from Samba developers more easily in<br />
case of problems.<br />
<br />
=== git ===<br />
<br />
$ git clone git://git.samba.org/samba.git samba-master; cd samba-master<br />
<br />
or via http:<br />
<br />
$ git clone http://gitweb.samba.org/samba.git samba-master; cd samba-master<br />
<br />
This will create a directory called "samba-master" in the current<br />
directory.<br />
<br />
If you want to update the tree to the latest version run:<br />
<br />
$ git pull<br />
<br />
=== rsync ===<br />
<br />
$ rsync -avz samba.org::ftp/unpacked/samba_4_0_test/ samba-master<br />
<br />
Note that the above rsync command will give you a checked out git<br />
repository, but it needs some changes so that you can update it using git:<br />
<br />
$ cd samba-master/<br />
$ rm .git/refs/tags/*<br />
$ rm -r .git/refs/remotes/<br />
$ git config remote.origin.url git://git.samba.org/samba.git<br />
$ git config --add remote.origin.fetch +refs/tags/*:refs/tags/* (this line is optional)<br />
$ git fetch<br />
<br />
Note you can ignore this error from git fetch:<br />
error: refs/heads/master does not point to a valid object!<br />
<br />
You can update it to the latest version at some future date using:<br />
<br />
$ git pull<br />
<br />
If you get an error like this:<br />
fatal: Unable to create '[...]/samba_master/.git/index.lock': File exists.<br />
remove the lock file and try running "git pull" again.<br />
<br />
== Step 2: Compile Samba4 ==<br />
<br />
Required development libraries:<br />
*Python development libraries (python-dev in Debian/Ubuntu) required to compile<br />
<br />
Recommended optional development libraries:<br />
*acl and xattr development libraries (libacl1-dev, libattr1-dev packages in Debian/Ubuntu)<br />
*blkid development libraries (libblkid-dev package in Debian/Ubuntu)<br />
*gnutls (libgnutls-dev package in Debian/Ubuntu)<br />
*readline (libreadline-dev package in Debian/Ubuntu)<br />
*openldap (libldap2-dev package in Debian/Ubuntu; openldap2-devel in openSUSE) is required to build the Samba3 components with LDAP support. Lacking this library the build will complete but attempts to provision (via upgrade) an Active Directory domain from an existing Samba3 LDAP backend will fail.<br />
<br />
For Debian/Ubuntu:<br />
$ apt-get install build-essential libacl1-dev libattr1-dev \<br />
libblkid-dev libgnutls-dev libreadline-dev python-dev \<br />
python-dnspython gdb pkg-config libpopt-dev libldap2-dev \<br />
bind9utils dnsutils<br />
<br />
For Fedora:<br />
<br />
$ yum install libacl-devel libblkid-devel gnutls-devel \<br />
readline-devel python-devel gdb pkgconfig<br />
<br />
For Red Hat Enterprise Linux 6.x or CentOS 6.x:<br />
<br />
$ yum install libacl-devel libblkid-devel gnutls-devel \<br />
readline-devel python-devel gdb pkgconfig krb5-workstation<br />
$ yum install zlib-devel setroubleshoot-server \<br />
setroubleshoot-plugins policycoreutils-python \<br />
libsemanage-python setools-libs-python setools-libs \<br />
popt-devel libpcap-devel sqlite-devel libidn-devel \<br />
libxml2-devel libacl-devel libsepol-devel libattr-devel \<br />
keyutils-libs-devel cyrus-sasl-devel<br />
<br />
For openSUSE 11.4 or openSUSE 12.1:<br />
<br />
$ zypper install libacl-devel python-selinux autoconf make \<br />
python-devel gdb sqlite3-devel libgnutls-devel binutils \<br />
policycoreutils-python setools-libs selinux-policy \<br />
setools-libs popt-devel libpcap-devel keyutils-devel \<br />
libidn-devel libxml2-devel libacl-devel libsepol-devel \<br />
libattr-devel zlib-devel cyrus-sasl-devel gcc \<br />
krb5-client openldap2-devel libopenssl-devel<br />
<br />
For Gentoo:<br />
<br />
$ USE="dlz python gssapi" emerge cyrus-sasl heimdal bind bind-tools gnutls dnspython gdb libidn subunit<br />
$ ACCEPT_KEYWORDS="~amd64" USE="python" emerge =sys-libs/tdb-1.2.10 =sys-libs/tevent-0.9.15 =sys-libs/ldb-1.1.6<br />
Obviously that would be ~x86 instead of ~amd64 on an x86 arch. Also don't forget to run<br />
$ eselect python set 1<br />
where 1 is python 2.X (3.X is not yet supported). If you don't know which version you are using, '''eselect python list''' will give you a list of the available ones.<br />
<br />
To build, run this:<br />
<br />
$ cd samba-master<br />
$ ./configure.developer<br />
$ make<br />
<br />
The above command will setup Samba4 to install in /usr/local/samba. If<br />
you want Samba to install somewhere else then you should use the<br />
--prefix option to configure.developer.<br />
<br />
The reason we recommend using configure.developer rather than<br />
configure for Samba4 alpha releases is that it will include extra<br />
debug information that will help us diagnose problems in case of<br />
failures. It will also allow you to run the various builtin automatic<br />
tests.<br />
<br />
== Step 3: Install Samba4 ==<br />
<br />
Run this as a user who has permission to write to the install<br />
directory (which defaults to /usr/local/samba). Use the --prefix option to<br />
configure.developer above to change this.<br />
<br />
$ make install<br />
<br />
For the rest of this HOWTO we will assume that you have installed<br />
Samba4 in the default location, which is /usr/local/samba.<br />
<br />
== Step 4: Provision Samba4 ==<br />
<br />
The "provision" step sets up a basic user database, and is used when you are setting up your Samba4<br />
server in its own domain. If you instead want to setup your Samba4 server as an additional domain controller<br />
in an existing domain, then please see the separate page on [[Samba4 joining a domain]]. If you want to migrate an existing Samba3 domain to Samba4, see the [[#Migrating an Existing Samba3 Domain to Samba4|Migrating an Existing Samba3 Domain to Samba4]] section on this page.<br />
<br />
In the following examples we will assume your DNS domain name is<br />
'samdom.example.com' and your short (also known as NT4) domain name is<br />
'samdom'. We will assume that your Samba server's hostname is samba.<br />
<br />
It must be run as a user with permission to write to the install directory (which means you may need to run this command with sudo)<br />
<br />
# /usr/local/samba/sbin/provision \<br />
--realm=samdom.example.com --domain=SAMDOM \<br />
--adminpass=SOMEPASSWORD --server-role=dc<br />
<br />
If you get an error like this:<br />
tdb_open_ex: could not open file /usr/local/samba/private/sam.ldb.d/DC=SAMDOM,DC=EXAMPLE,DC=COM. ldb: Permission denied<br />
then you need to rerun with sudo<br />
<br />
Troubleshooting note:<br />
you may need to rm the smb.conf file if you failed to pass valid names and provision previously failed<br />
<br />
There are many other options you can pass to the 'provision' command, run it with the --help option to see a list of them.<br />
<br />
*Note: when using the debian SID samba4 package, the provision script and samba4 installation will abort if <tt>hostname -d</tt> returns an empty string (domainname not found), because the debian4.config script gets REALM as follows: <tt>REALM=`hostname -d | tr 'a-z' 'A-Z'`</tt>. So check that /etc/resolv.conf contains:<br />
domain ''samdom.example.com''<br />
<br />
== Step 5: Starting Samba4 ==<br />
<br />
If you are planning to run Samba4 as a production server, then just run the "samba" binary as root<br />
<br />
# samba<br />
<br />
That will run Samba4 in 'standard' mode, which is suitable for<br />
production use. Samba4 alpha13 doesn't yet have init scripts included<br />
for each platform, but making one for your platform should not be<br />
difficult. There are some example scripts (for RedHat/Fedora and Debian/Ubuntu) on the [[Samba4/InitScript]] page.<br />
<br />
If you are running Samba4 as a developer you may find<br />
the following more useful:<br />
<br />
# samba -i -M single<br />
<br />
that means start "samba" with messages on stdout, and running as a<br />
single process. That mode of operation makes debugging "samba" with gdb<br />
particularly easy. If you want to launch it under gdb, then the following<br />
example could be useful:<br />
<br />
$ sudo gdb --args bin/samba -i -M single<br />
<br />
Note that if you are running any Samba3 smbd or nmbd processes<br />
they need to be stopped before starting "samba" from Samba 4.<br />
<br />
Make sure you put the bin and sbin directories from your new install<br />
in your $PATH or you may end up running the wrong version. You can see what version <br />
you have by running "samba -V".<br />
<br />
Note: in older developer versions of samba4 "samba" was still called "smbd".<br />
<br />
== Step 6: Testing Samba4 ==<br />
<br />
First check you have the right version of smbclient in your $PATH<br />
<br />
$ smbclient --version<br />
<br />
This should show you a version starting with "Version 4.0.XXXXX". <br />
<br />
Now try this command:<br />
<br />
$ smbclient -L localhost -U%<br />
<br />
That should show you a list of shares available on your server. For example:<br />
<br />
Sharename Type Comment<br />
--------- ---- -------<br />
netlogon Disk<br />
sysvol Disk<br />
IPC$ IPC IPC Service (Samba 4.0.0alpha12-GIT-5e755e9)<br />
ADMIN$ Disk DISK Service (Samba 4.0.0alpha12-GIT-5e755e9)<br />
<br />
The 'netlogon' and 'sysvol' shares are basic shares needed for Active Directory server<br />
operation. <br />
<br />
If this is not (or no longer) working, and you get a message like this:<br />
<br />
Failed to connect to ncacn_np:localhost - NT_STATUS_NO_MEMORY<br />
REWRITE: list servers not implemented<br />
<br />
Then stop samba and check for the presence of ''/usr/local/samba/var/run/smbd-fileserver.conf.pid''; if it is present, remove it.<br />
<br />
To test that authentication is working, you should try to connect to the netlogon share<br />
using the administrator password you set earlier.<br />
<br />
$ smbclient //localhost/netlogon -Uadministrator%PASSWORD<br />
<br />
You should get a "smb>" prompt, and access to your netlogon directory.<br />
<br />
== Step 7 Create a share in smb.conf ==<br />
<br />
The provisioning will create a very simple smb.conf with no shares by<br />
default. For the server to be useful you will need to update it to<br />
have at least one share. For example:<br />
<br />
[test]<br />
path = /data/test<br />
read only = no<br />
<br />
Note that in current alpha versions of Samba4 you need to restart Samba<br />
to make new shares visible. This will be fixed in a future release.<br />
<br />
== Step 8 Configure DNS ==<br />
<br />
A working DNS setup is essential to the correct operation of<br />
Samba4. Without the right DNS entries, kerberos won't work, which in<br />
turn means that many of the basic features of Samba4 won't work.<br />
<br />
It is worth spending some extra time to ensure your DNS setup is just<br />
right, as debugging problems caused by mis-configured DNS can take a<br />
lot of time later on.<br />
<br />
The simplest way to get a working DNS setup for Samba4 is to start<br />
with the DNS configuration file that is created by the<br />
'provision' step above. If you look in the /usr/local/samba/private<br />
directory, you'll find a file called 'named.conf'.<br />
<br />
Assuming you have a bind 9.8.x or newer DNS server installed, you can<br />
activate the configuration that the provision has created by adding a<br />
line like this to /etc/bind/named.conf.local:<br />
<br />
include "/usr/local/samba/private/named.conf";<br />
<br />
After adding that line you should restart your bind server and check<br />
in the system logs for any problems.<br />
<br />
Note that the /usr/local/samba/private/named.conf requires at least<br />
bind 9.8.x to function and you may need to edit the <br />
/usr/local/samba/private/named.conf file to use the bind 9.9.x module<br />
(need to verify this).<br />
<br />
One common problem is that many modern Linux distributions activate<br />
'Apparmor' or 'SELinux' by default, and these may be configured to<br />
deny access to bind for the named.conf and zone files created in<br />
the provision. If your bind logs show that bind is getting an access<br />
denied error accessing these files then please see your local system<br />
documentation for how to enable access to these files in bind (hint:<br />
for Apparmor systems such as Ubuntu, the command aa-logprof may be<br />
useful).<br />
<br />
Now you need to test that DNS is working correctly. Check that your<br />
/etc/resolv.conf is pointing correctly at your local DNS server, then<br />
run the following commands:<br />
<br />
$ host -t SRV _ldap._tcp.samdom.example.com.<br />
_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com.<br />
<br />
$ host -t SRV _kerberos._udp.samdom.example.com.<br />
_kerberos._udp.samdom.example.com has SRV record 0 100 88 samba.samdom.example.com.<br />
<br />
$ host -t A samba.samdom.example.com.<br />
samba.samdom.example.com has address 10.0.0.1<br />
<br />
Check that you get answers similar to the ones above (adjusted for<br />
your DNS domain name and hostname). If you get any errors then<br />
carefully check your system logs to find and fix the problem.<br />
<br />
*Note: One of the problems I've had on Debian system is that the zone autogeneration always detects, and uses, 127.0.1.1 as the domain controller's IP address. That works fine until you 1) Don't have a 127.0.1.1 interface on the machine or 2) Go to join your first client to the domain. In /usr/local/samba/private/named.conf you might need to change 127.0.1.1 to reflect the actual IP address of the server you're setting up.<br />
*Note: On debian SID (bind9 package), /etc/bind/named.conf.options is missing, which prevents the named daemon from being started and the installation from completing (create an empty file or comment out the corresponding line in /etc/bind/named.conf; see the syslog messages).<br />
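The three host lookups above are exactly what clients depend on, so it is worth scripting the check and running it again whenever DNS changes. The following is an added example (not part of the Samba project or of this HOWTO): a Python checker that shells out to the same 'host' utility from dnsutils, parses its output, and reports the failure modes discussed in this step, namely a missing SRV record, an SRV record with the wrong port or target, and a DC address that is a loopback address such as the 127.0.1.1 mentioned in the Debian note (which the Windows clients from the later sections could never reach). The realm and hostname defaults are the HOWTO's samdom.example.com / samba; the 'lookup' parameter is an assumption of this example that lets the test below feed it constructed output instead of live DNS.<br />

```python
"""Check the DNS records a Samba4 AD DC depends on (added example, not Samba code).

Uses only the standard library plus the 'host' command from dnsutils, so it can
run on the DC itself or on any client that already points at the DC for DNS.
"""
import ipaddress
import re
import subprocess
import sys

# SRV names the HOWTO checks, with the port each one must advertise.
SRV_CHECKS = [
    ("_ldap._tcp.{realm}.", 389),
    ("_kerberos._udp.{realm}.", 88),
]

# Output lines of 'host -t SRV' and 'host -t A', as shown in the HOWTO.
SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+)$")
A_RE = re.compile(r"^(\S+) has address (\S+)$")


def parse_srv(output):
    """Return (priority, weight, port, target) tuples parsed from 'host -t SRV' output."""
    records = []
    for line in output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.append((int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5)))
    return records


def parse_a(output):
    """Return the IPv4 addresses parsed from 'host -t A' output."""
    addrs = []
    for line in output.splitlines():
        m = A_RE.match(line.strip())
        if m:
            addrs.append(m.group(2))
    return addrs


def run_host(rrtype, name):
    """Live lookup through the 'host' command; returns "" if the tool is missing."""
    try:
        proc = subprocess.run(["host", "-t", rrtype, name], capture_output=True, text=True)
    except FileNotFoundError:  # dnsutils not installed
        return ""
    return proc.stdout


def check_dc_dns(realm, dc_hostname, lookup=run_host):
    """Return a list of problems; an empty list means the records look right.

    lookup(rrtype, name) must return the text that 'host -t rrtype name' prints
    (hypothetical injection point so the checker can be tested offline).
    """
    problems = []
    dc = dc_hostname.rstrip(".").lower()
    for template, port in SRV_CHECKS:
        name = template.format(realm=realm)
        records = parse_srv(lookup("SRV", name))
        if not records:
            problems.append("no SRV record for %s" % name)
            continue
        for _priority, _weight, rport, target in records:
            if rport != port:
                problems.append("%s advertises port %d, expected %d" % (name, rport, port))
            if target.rstrip(".").lower() != dc:
                problems.append("%s points at %s, not at the DC %s" % (name, target, dc))
    addrs = parse_a(lookup("A", dc + "."))
    if not addrs:
        problems.append("no A record for %s" % dc)
    for addr in addrs:
        # The Debian note above: a zone generated with 127.0.1.1 breaks every remote client.
        if ipaddress.ip_address(addr).is_loopback:
            problems.append("%s resolves to the loopback address %s, which clients cannot reach" % (dc, addr))
    return problems


if __name__ == "__main__":
    realm_arg = sys.argv[1] if len(sys.argv) > 1 else "samdom.example.com"
    host_arg = sys.argv[2] if len(sys.argv) > 2 else "samba." + realm_arg
    found = check_dc_dns(realm_arg, host_arg)
    for p in found:
        print("PROBLEM:", p)
    print("DNS looks correct" if not found else "%d problem(s) found" % len(found))
    sys.exit(1 if found else 0)
```

Run it as <tt>python check_dc_dns.py samdom.example.com samba.samdom.example.com</tt> from the DC and from one client; a non-zero exit with a "loopback" line is the symptom the Debian note describes, and a "no SRV record" line usually means bind did not load the provisioned named.conf.<br />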
<br />
== Step 9: Testing kerberos ==<br />
Once DNS is working, you should test that the kerberos server built into<br />
Samba4 is working correctly.<br />
<br />
Before testing, first configure the krb5.conf file (/etc/krb5.conf on RHEL-like systems): replace the existing one with the sample from /usr/local/samba/share/setup/krb5.conf.<br />
Edit the file and replace ${REALM} with your domain name.<br />
<br />
The easiest test is to use the kinit command like this:<br />
<br />
$ kinit administrator@SAMDOM.EXAMPLE.COM<br />
Password:<br />
<br />
''Note:''<br><br />
: You have to give your 'domain realm SAMDOM.EXAMPLE.COM' in <b>uppercase letters</b> to kinit.<br />
<br />
The kinit should complete successfully. After it completes you can<br />
examine the received ticket like this:<br />
<br />
$ klist -e<br />
Ticket cache: FILE:/tmp/krb5cc_1000<br />
Default principal: administrator@SAMDOM.EXAMPLE.COM<br />
<br />
Valid starting Expires Service principal<br />
02/10/10 19:39:48 02/11/10 19:39:46 krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM<br />
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5<br />
<br />
If you find you don't have kinit or klist, you may need to install them. On debian based<br />
systems (such as Ubuntu) the packages are called krb5-config and krb5-user.<br />
<br />
You can also test kerberos from a remote client; just make sure you have configured the<br />
krb5.conf and the resolv.conf to point to the domain controller IP address.<br />
<br />
''Note:''<br><br />
: If you are using a client behind NAT then you have to add the following to the krb5.conf on the domain controller server:<br />
<br />
[kdc]<br />
check-ticket-addresses = false<br />
<br />
== Step 10 Configure kerberos DNS dynamic updates (optional) ==<br />
<br />
To setup dynamic DNS updates you need to have a recent version of bind9 installed. It is highly recommended that you install at least version 9.8.0, as that version includes a set of patches from the Samba Team to make dynamic DNS updates much more robust and easier to configure. Below we give instructions for both bind 9.7.2 and 9.8.0, but please use 9.8.0 or later if at all possible.<br />
<br />
For Debian Lenny:<br />
<br />
If you also want to use Dynamically Loadable Zones (DLZ) then you should add the corresponding option (dlopen) depending on your version of bind.<br />
If you are about to compile a downloaded tarball you might need these libraries: libkrb5-dev and libssl-dev<br />
<br />
$ apt-get install libkrb5-dev libssl-dev<br />
$ tar -zxvf bind9.x.x.tar.gz<br />
$ cd bind9.x.x<br />
<br />
Bind9.8.0<br />
<br />
$ ./configure --with-gssapi=/usr/include/gssapi --with-dlz-dlopen=yes<br />
<br />
Bind9.8.1<br />
<br />
$ ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes<br />
<br />
$ make<br />
$ make install<br />
<br />
You can tell what version of bind9 you have using the command "/usr/sbin/named -V". If your OS does not have bind9 9.8.0 or later, then please consider getting it from a package provided by a 3rd party (for example, on Ubuntu there is a ppa available with the newer versions of bind9).<br />
<br />
=== Instructions for bind9 9.8.0 or later ===<br />
<br />
When using bind9 9.8.0 or later you should add a line like the following to the options section of your bind9 config:<br />
options {<br />
[...]<br />
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";<br />
[...]<br />
};<br />
<br />
On some systems (such as Ubuntu) this is located in /etc/bind/named.conf.options. Otherwise look for the "options {" part of your bind9 configuration.<br />
<br />
You also need an include line pointing at the named.conf in the private directory of your Samba install (this file is created by the provision command):<br />
<br />
include "/usr/local/samba/private/named.conf";<br />
<br />
On Debian based systems (such as Ubuntu) this include line is normally put in /etc/bind/named.conf.local. On RedHat based systems it goes in /etc/named.conf.<br />
<br />
=== Instructions for bind9 9.7.x ===<br />
<br />
If you have bind9 9.7.x (specifically 9.7.2 or later), then first determine if you can <br />
at all possibly run bind 9.8. You will have far fewer problems. Otherwise, follow these instructions.<br />
<br />
The Samba provision will have created a custom named.conf.update configuration file in the private directory of your Samba install. You need to include it in your master named.conf to allow Samba/Kerberos DNS updates to take place automatically. Be advised that if you include this file in Bind versions that don't support it, Bind will fail to start.<br />
<br />
You additionally need to set two environment variables for bind9 when using bind9 version 9.7.x:<br />
<br />
KEYTAB_FILE="/usr/local/samba/private/dns.keytab"<br />
KRB5_KTNAME="/usr/local/samba/private/dns.keytab"<br />
export KEYTAB_FILE<br />
export KRB5_KTNAME<br />
<br />
These should be put in your settings file for bind9. On Debian based<br />
systems (including Ubuntu) this is in /etc/default/bind9. On RedHat and SUSE derived systems it is<br />
in /etc/sysconfig/named. Strictly speaking you only either need<br />
KEYTAB_FILE or KRB5_KTNAME, but which you need depends on your distro,<br />
so it's easier to just set both.<br />
<br />
The dns.keytab must be readable by the bind server user; this can be accomplished by executing:<br />
$ chown named.named /usr/local/samba/private/dns.keytab<br />
<br />
(the provision should have setup these permissions for you automatically).<br />
<br />
Then in your /etc/bind/named.conf.options you need this:<br />
<br />
tkey-gssapi-credential "DNS/server.samdom.example.com";<br />
tkey-domain "SAMDOM.EXAMPLE.COM";<br />
<br />
The last part of the credential in the first line must match the dns name of the server you have set up.<br />
<br />
=== Debugging dynamic DNS updates ===<br />
<br />
The way the automatic DNS update in Samba works is that the provision<br />
will create a file /usr/local/samba/private/dns_update_list, which<br />
contains a list of DNS entries that Samba will try to dynamically<br />
update at startup and every 10 minutes thereafter using the samba_dnsupdate utility.<br />
Updates will only happen if the DNS entries do not already exist.<br />
Remember that you need the nsupdate utility from the bind distribution<br />
for all this to work (dnsutils package in Debian/Ubuntu).<br />
<br />
If you want to debug this process, then please run this as root:<br />
<br />
/usr/local/samba/sbin/samba_dnsupdate --verbose<br />
<br />
that will give you more information on the updates that Samba is doing<br />
at runtime, and show you any errors that are generated.<br />
<br />
=== Interaction with apparmor or SELinux ===<br />
<br />
Now you have to ensure that bind can read the dns.keytab file, the<br />
named.conf file and the zone file. It also needs to be able to write<br />
the zone file. The Samba provision tries to setup the permissions<br />
correctly for these files, but you may find you need to make changes<br />
in your Apparmor or SELinux configuration if you are running either of<br />
those. If you are using Apparmor then the aa-logprof command may help<br />
you add any missing permissions you need to add after you start Samba<br />
and bind9 for the first time after configuring them.<br />
<br />
You should also carefully check the permissions on the private/dns directory to ensure it is writeable by bind.<br />
<br />
== Step 11 Configure NTP (optional) ==<br />
<br />
RedHat 6.x:<br />
Redhat does not provide an NTP version recent enough to support signed NTP, so a newer version is required.<br />
<br />
1. Download an NTP >= 4.2.6 release from ntp.org (verify the md5 sum)<br />
<br />
2. Download the Redhat 6.1 ntp source rpm file from RedHat and install.<br />
<br />
3. Edit the ntp.spec and remove all lines regarding patches and correct the version number.<br />
<br />
4. Here is a <b>partial</b> diff showing required edits then run <i>$ rpmbuild -ba ntp.spec</i><br />
218c115<br />
< --enable-linuxcaps<br />
---<br />
> --enable-linuxcaps --enable-ntp-signd<br />
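Review bot: <tt>--enable-ntp-signd</tt> is the one edit in this diff that Samba actually needs, since it builds the signed-NTP support that talks to the ntp_signd socket configured in the ntp.conf further down, and it is the same option the Debian/Ubuntu source build in this step passes to configure. Keep <tt>--enable-linuxcaps</tt> in front of it as shown, because that is what lets ntpd run as an unprivileged user while retaining the capability to set the clock.<br />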
327a225<br />
> %{_sbindir}/sntp<br />
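Review bot: before adding <tt>%{_sbindir}/sntp</tt> to %files, confirm that the newer ntp tarball installs sntp into sbindir; rpmbuild aborts with a "File not found" error when a %files entry matches nothing in the buildroot.<br />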
345,346c243,244<br />
< %{_mandir}/man8/ntptime.8*<br />
< %{_mandir}/man8/tickadj.8*<br />
---<br />
> %{_mandir}/man8/ntpdtime.8*<br />
> #%{_mandir}/man8/tickadj.8*<br />
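Review bot: the <tt>ntptime.8*</tt> entry is replaced by <tt>ntpdtime.8*</tt> rather than being commented out like <tt>tickadj.8*</tt>; check that the new tarball really installs a man page by that name, as a %files entry that matches nothing makes rpmbuild fail, whereas a commented-out entry for a man page that is still installed only produces an "installed but unpackaged" error that is easier to read.<br />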
352c250<br />
< %{_mandir}/man8/ntp-wait.8*<br />
---<br />
> #%{_mandir}/man8/ntp-wait.8*<br />
<br />
For Debian/Ubuntu:<br />
<br />
Recent versions of Debian/Ubuntu already contain a version of ntp with support for signing. For older versions (Debian Squeeze, Ubuntu < 11.04), get a recent version of ntp:<br />
<br />
$ tar -zxvf ntp-4.x.x.tar.gz<br />
$ cd ntp-4.x.x<br />
$ ./configure --enable-ntp-signd<br />
$ make<br />
$ make install<br />
<br />
5. TODO ( add example ntp.conf changes )<br />
<br />
# A simple ntp.conf tested in Debian Lenny<br />
# Using the hardware clock<br />
server 127.127.1.1<br />
fudge 127.127.1.1 stratum 12<br />
ntpsigndsocket /usr/local/samba/var/run/ntp_signd/<br />
restrict default mssntp<br />
[...]<br />
<br />
== NOTES on permissions, SELinux labeling and policy ==<br />
<br />
RedHat 6.X:<br />
<br />
There is still more work TODO in regard to creating a Samba4 specific SELinux policy, but for now you should be<br />
able to have everything working *without* disabling SELinux.<br />
<br />
Based on the provision example above set this ENV for commands below :<br />
MYREALM="samdom.example.com"<br />
<br />
Change permissions:<br />
chown named:named /usr/local/samba/private/dns<br />
chgrp named /usr/local/samba/private/dns.keytab<br />
chmod g+r /usr/local/samba/private/dns.keytab<br />
chmod 775 /usr/local/samba/private/dns<br />
<br />
Label files ( ensure $MYREALM is correct ):<br />
chcon -t named_conf_t /usr/local/samba/private/dns.keytab<br />
chcon -t named_conf_t /usr/local/samba/private/named.conf.update<br />
chcon -t named_var_run_t /usr/local/samba/private/dns<br />
chcon -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone<br />
<br />
<br />
Needed for persistence of labels ( ensure $MYREALM is correct ):<br />
semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab<br />
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf<br />
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf.update<br />
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns<br />
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone<br />
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl<br />
semanage fcontext -a -t ntpd_t /usr/local/samba/var/run/ntp_signd<br />
<br />
NOTE: Multiple attempts to set the context for ntp failed so (below) policy was needed for windows clients time sync after joining the DOMAIN.<br />
$ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/ntp_signd<br />
$ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/<br />
$ chcon -t ntpd_t /usr/local/samba/var/run/ntp_signd/socket<br />
<br />
samba4.te policy:<br />
module samba4 1.0;<br />
<br />
<br />
require {<br />
type ntpd_t;<br />
type usr_t;<br />
type initrc_t;<br />
class sock_file write;<br />
class unix_stream_socket connectto;<br />
}<br />
<br />
#============= ntpd_t ==============<br />
allow ntpd_t usr_t:sock_file write;<br />
<br />
#============= ntpd_t ==============<br />
allow ntpd_t initrc_t:unix_stream_socket connectto;<br />
<br />
Check and load policy:<br />
$ checkmodule -M -m -o samba4.mod samba4.te <br />
$ semodule_package -o samba4.pp -m samba4.mod<br />
$ semodule -i samba4.pp<br />
<br />
== NOTE about filesystem support ==<br />
<br />
To use the advanced features of Samba4 you need a filesystem that<br />
supports both the "user" and "system" xattr namespaces.<br />
<br />
If you run Linux with a 2.6 kernel and ext3 this means you need to<br />
include the option "user_xattr" in your /etc/fstab. For example:<br />
<br />
/dev/hda3 /home ext3 user_xattr 1 1<br />
<br />
You also need to compile your kernel with the XATTR and SECURITY<br />
options for your filesystem. For ext3 that means you need:<br />
<br />
CONFIG_EXT3_FS_XATTR=y<br />
CONFIG_EXT3_FS_SECURITY=y<br />
<br />
If you are running a Linux 2.6 kernel with CONFIG_IKCONFIG_PROC<br />
defined you can check this with the following command:<br />
<br />
$ zgrep CONFIG_EXT3_FS /proc/config.gz<br />
<br />
If you don't have a filesystem with xattr support, then you can<br />
simulate it by using the option:<br />
<br />
posix:eadb = /usr/local/samba/eadb.tdb<br />
<br />
that will place all extra file attributes (NT ACLs, DOS EAs, streams<br />
etc), in that tdb. It is not efficient, and doesn't scale well, but at<br />
least it gives you a choice when you don't have a modern filesystem.<br />
<br />
=== Testing your filesystem ===<br />
<br />
To test your filesystem support, install the 'attr' package and run<br />
the following commands as root:<br />
<br />
# touch test.txt<br />
# setfattr -n user.test -v test test.txt<br />
# setfattr -n security.test -v test2 test.txt<br />
# getfattr -d test.txt<br />
# getfattr -n security.test -d test.txt<br />
<br />
You should see output like this:<br />
<br />
# file: test.txt<br />
user.test="test"<br />
<br />
# file: test.txt<br />
security.test="test2"<br />
<br />
If you get any "Operation not supported" errors then it means your<br />
kernel is not configured correctly, or your filesystem is not mounted<br />
with the right options.<br />
<br />
If you get any "Operation not permitted" errors then it probably means<br />
you didn't try the test as root.<br />
<br />
If you are using the posix:eadb option then you don't need to test your filesystem in this manner.<br />
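The setfattr/getfattr sequence above can be wrapped in a small probe so that a share directory is checked before it goes into smb.conf. The following is an added example (not part of the Samba project or of this HOWTO): a Python script that sets, reads back and removes a test attribute in both the "user" and the "security" namespace on a scratch file, and maps the two error cases the text describes, "Operation not supported" (ENOTSUP, missing kernel or mount support) and "Operation not permitted" (EPERM, not running as root), to the matching diagnosis. The attribute name samba4test and the probe_directory / supports_samba4 helpers are this example's own; nothing in the HOWTO uses them.<br />

```python
"""Probe xattr namespace support for a Samba4 share path (added example, not Samba code).

Samba4 keeps NT ACLs, DOS attributes and streams in the "user" and "security"
xattr namespaces, so both must work on the filesystem holding the shares.
Writing security.* attributes needs CAP_SYS_ADMIN, so run this as root.
"""
import errno
import os
import sys
import tempfile

# Python only exposes the xattr calls on Linux; elsewhere report "unsupported".
HAVE_XATTR = hasattr(os, "setxattr")

NAMESPACES = ("user", "security")
ATTR_SUFFIX = ".samba4test"   # constructed attribute name, removed again after the probe


def classify(err):
    """Map the errno from a failed setxattr to the diagnosis the HOWTO gives."""
    if err == errno.ENOTSUP:
        return "unsupported"        # kernel lacks XATTR/SECURITY or mount lacks user_xattr
    if err in (errno.EPERM, errno.EACCES):
        return "not permitted"      # not root (security.*), or no write access to the file
    return "error"


def probe_namespace(path, namespace):
    """Set, read back and remove <namespace>.samba4test on path; return a status string."""
    if not HAVE_XATTR:
        return "unsupported"
    name = namespace + ATTR_SUFFIX
    try:
        os.setxattr(path, name, b"test")
        value = os.getxattr(path, name)
        os.removexattr(path, name)
    except OSError as e:
        return classify(e.errno)
    return "ok" if value == b"test" else "error"


def probe_directory(directory):
    """Create a scratch file inside directory and return {namespace: status}."""
    fd, path = tempfile.mkstemp(prefix="xattr-probe-", dir=directory)
    os.close(fd)
    try:
        return {ns: probe_namespace(path, ns) for ns in NAMESPACES}
    finally:
        os.unlink(path)


def supports_samba4(results):
    """True only when every namespace Samba4 needs reported "ok"."""
    return all(results.get(ns) == "ok" for ns in NAMESPACES)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    results = probe_directory(target)
    for ns, status in results.items():
        print("%-9s %s" % (ns + ":", status))
    if not supports_samba4(results):
        print("not usable for Samba4 shares without posix:eadb; see the notes above")
    sys.exit(0 if supports_samba4(results) else 1)
```

Run it as root against the directory that will back a share, e.g. <tt>python xattr_probe.py /data/test</tt>. A "not permitted" result for security only means the probe was not run as root, while "unsupported" for either namespace points at the fstab or kernel options discussed above.<br />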
<br />
== Profiling with google-perftools ==<br />
<br />
LDFLAGS="-ltcmalloc -lprofiler" ./configure --enable-developer ..... <br />
<br />
This also works for CFLAGS<br />
<br />
= Configure a Windows Client to join a Samba 4 Active Directory =<br />
<br />
Active Directory is a powerful administration service which enables an administrator to centrally manage a network of Windows 2000, Windows XP Pro, Windows 2003, and Windows Vista Business Edition effectively. To test the real Samba 4 capability, we use Windows XP Pro as testing environment (Windows XP Home doesn't include Active Directory functionality and won't work).<br />
<br />
To allow Samba 4 Active Directory or Microsoft Active Directory to manage a computer, we need to join the computer to the Active Directory domain.<br />
It involves:<br />
<br />
# Configuring DNS Setting<br />
# Configuring date/time and time zone<br />
# Joining the domain<br />
<br />
== Step 1: Configure DNS Setting for Windows ==<br />
<br />
Before we configure the DNS setting, verify that you are able to ping the Server's IP Address. If you are not able to ping the server, double check your IP address, firewall, routing, etc.<br />
<br />
Once you have verified network connectivity between the Samba server and client,<br />
<br />
# Right Click My Network Places -> Properties<br />
# Double click local area network->Properties<br />
# Double click tcp/ip<br />
# Use static dns server, add the Samba 4 server's ip address inside the primary dns server column.<br />
#:[[Image:Samba4dnsclient.jpg]]<br />
# Press ok, ok, ok again until finished.<br />
# Open a command prompt, type 'ping servername.your.realm' (change to suit your custom realm per your provision)<br />
<br />
If you get replies, then it means your Windows XP settings are correct (for DNS) and the Samba4 server's DNS service is working as well.<br />
<br />
== Step 2: Configure date/time and time zone ==<br />
<br />
Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clock on the client and server be synchronized to within a few seconds of each other. If they are not synchronized, authentication will fail for apparently no reason.<br />
<br />
# Change the timezone in Windows XP Pro so that server and client are using the same time zone. In my computer, I use Asia/Kuala_Lumpur (I come from Malaysia).<br />
#:[[Image:Samba4timezone.jpg]]<br />
# Change the date/time so the client has the same HH:MM as the server.<br />
#:[[Image:Samba4time.jpg]]<br />
<br />
== Step 3: Joining the Windows client into domain ==<br />
<br />
Now your Windows is ready to join the Active Directory (AD) domain,<br />
<br />
As administrator:-<br />
<br />
# Right Click my Computer-> Properties<br />
# Choose Computer Name, click change..<br />
# Click option 'Domain', insert YOUR.REALM (if that fails, try YOURDOM) ([[Image:Samba4joindomain.jpg]])<br />
# When it requests a username/password, type '''administrator''' as username, '''SOMEPASSWORD''' as password (per your earlier provision).<br />
# It will tell you that Windows XP has successfully joined the Active Directory Domain, and that you need to restart.<br />
# After restart, you should get the normal domain logon dialog<br />
# Choose domain YOURDOM, insert '''administrator''' as username, '''SOMEPASSWORD''' as password (again, per your earlier provision)<br />
# If you log in successfully, then you are able to enjoy the samba 4 active directory services in the next section.<br />
<br />
= Viewing Samba 4 Active Directory object from Windows =<br />
<br />
We need to install the Windows 2003 adminpak into Windows XP in order to use<br />
GUI tools to manage the domain. Before beginning, make sure the domain<br />
administrator has administrative rights to control your computer. (To<br />
give any user administrative rights in Windows XP Pro, right click My<br />
Computer, press Manage -> choose Groups -> double click Administrators<br />
and add members from the domain into the member list. When you add a<br />
member from Active Directory, it will prompt you to enter an<br />
Active Directory username/password.)<br />
<br />
== Step 1: Installing Windows Remote Administration Tools onto Windows ==<br />
<br />
=== Windows7 ===<br />
<br />
#Download the Windows Remote Administration Tools from<br />
#: http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en<br />
#and follow the "Install RSAT" instructions<br />
<br />
=== Vista ===<br />
<br />
Download the Windows Remote Administration Tools from<br />
* http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en<br />
<br />
and follow the "Install RSAT" instruction described at<br />
* http://support.microsoft.com/kb/941314<br />
<br />
=== Windows XP Pro ===<br />
<br />
# In Windows XP, download adminpak and supporttools from <br />
#* http://www.microsoft.com/downloads/en/details.aspx?FamilyID=86b71a4f-4122-44af-be79-3f101e533d95<br />
#* http://download.microsoft.com/download/3/e/4/3e438f5e-24ef-4637-abd1-981341d349c7/WindowsServer2003-KB892777-SupportTools-x86-ENU.exe<br />
#:If you installed an older version of the adminpak, you'll notice the dial-in tab is missing from property pages. Just follow the link above to get SP2 which does not have this issue.<br />
# Run through the installation.<br />
# Press Start -> Run and type 'dsa.msc'. If the 'Active Directory Users and Computers' window appears, the adminpak installed successfully. You will also find it under Start > Programs > Administrative Tools, which should now contain many more items.<br />
# Go to c:\Program Files\Support Tools to check whether the support tools were installed correctly; if yes, then your XP workstation is ready to manage the Samba 4 Active Directory.<br />
<br />
== Step 2: Viewing samba 4 active directory content ==<br />
<br />
# Login as domain 'testing1.org' administrator, press start->run.<br />
# type dsa.msc<br />
#:[[Image:Samba4run.jpg ]]<br />
# Expand the testing1.org tree to see existing object in domain. [[Image:Samba4dsa.msc.jpg]]<br />
<br />
= Managing Samba 4 Active Directory From Windows XP Pro =<br />
One of Samba4's goals is to integrate with (and replace) Active Directory as a system. At this point, if everything has worked correctly, you should have an "Administrative Tools" menu under Programs. If it contains "Active Directory Users and Computers", that is a very good sign. Often, when there is a configuration problem or a bug in Samba4, AD Users & Computers (among other tools) does not show up as an option. You can run it by hand (Start->Run->dsa.msc) but it is unlikely to work correctly.<br />
<br />
<br />
== Step 1: Adding user into Samba 4 Active Directory ==<br />
Unlike Samba3, Samba4 does not require a local unix user for each Samba user that is created.<br />
<br />
To create a Samba user, use the command <br />
<br />
samba-tool user add USERNAME<br />
<br />
To inspect the allocated user ID and SID, use wbinfo<br />
<br />
$ bin/wbinfo --name-to-sid USERNAME<br />
S-1-5-21-4036476082-4153129556-3089177936-1005 SID_USER (1)<br />
<br />
$ bin/wbinfo --sid-to-uid S-1-5-21-4036476082-4153129556-3089177936-1005<br />
3000011<br />
<br />
If you want to change this mapping, edit the record in idmap.ldb with ldbedit,<br />
like this:<br />
<br />
$ bin/ldbedit -e emacs -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
You will find records that look like this:<br />
<br />
# record 1<br />
dn: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
cn: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
objectClass: sidMap<br />
objectSid: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
type: ID_TYPE_BOTH<br />
xidNumber: 3000011<br />
distinguishedName: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
If you change the xidNumber attribute, save and exit the editor, Samba<br />
updates the mapping between the SID and the user ID. Updating group<br />
mappings works in the same way. Two cautions: pick a number that no other<br />
SID in idmap.ldb already uses, since two SIDs sharing one Unix ID would be<br />
indistinguishable in file ownership, and remember that files already<br />
created under the old ID keep it, so you must chown them yourself.<br />
<br />
You can also manage users using the normal Windows AD user management<br />
tools.<br />
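The same change can be scripted instead of made interactively in ldbedit. The following is an added example, not code from the Samba project or this HOWTO: it builds an LDIF 'modify' record for the sidMap entry and feeds it to ldbmodify from Samba's bin/ directory (assumed to be in PATH and to read LDIF from stdin when no file is given), after first checking with ldbsearch that no other SID already carries the new xidNumber. The SID, the idmap.ldb path and the record layout are the ones shown above; the xid 3000020 is just a sample value.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the Samba HOWTO: change a SID-to-xid mapping in
# idmap.ldb non-interactively. Assumes ldbmodify/ldbsearch from Samba's bin/
# are in PATH and that ldbmodify reads LDIF from stdin when no file is given.
# Refuses an xidNumber that another SID already uses, because two SIDs sharing
# one Unix ID would be indistinguishable on disk.

# make_idmap_ldif SID XID
# Prints the LDIF that replaces xidNumber on the sidMap record for SID.
make_idmap_ldif() {
    sid=$1; xid=$2
    case $sid in
        S-1-[0-9]*-[0-9]*) ;;
        *) echo "not a SID: $sid" >&2; return 1 ;;
    esac
    case $xid in
        ''|*[!0-9]*) echo "xidNumber must be a positive integer: $xid" >&2; return 1 ;;
    esac
    printf 'dn: CN=%s\nchangetype: modify\nreplace: xidNumber\nxidNumber: %s\n' \
        "$sid" "$xid"
}

# xid_in_use DB XID SID
# Succeeds if a record other than SID's already carries XID. Assumes
# ldbsearch prints one 'dn: CN=<SID>' line per matching record, as in the
# ldbedit output above.
xid_in_use() {
    db=$1; xid=$2; sid=$3
    ldbsearch -H "$db" "(xidNumber=$xid)" dn 2>/dev/null \
        | grep '^dn: ' | grep -v -F "CN=$sid" | grep -q .
}

# apply_idmap_change SID XID [DB]
# Validates, checks for collisions, then writes the change.
apply_idmap_change() {
    sid=$1; xid=$2; db=${3:-/usr/local/samba/private/idmap.ldb}
    ldif=$(make_idmap_ldif "$sid" "$xid") || return 1
    if xid_in_use "$db" "$xid" "$sid"; then
        echo "xidNumber $xid is already mapped to another SID in $db" >&2
        return 1
    fi
    printf '%s\n' "$ldif" | ldbmodify -H "$db"
}

# Usage: sh idmap_change.sh S-1-5-21-4036476082-4153129556-3089177936-1005 3000020
if [ "$#" -ge 2 ]; then
    apply_idmap_change "$@"
fi
```
<br />
Run it as the user that owns the Samba private directory (normally root). It does not touch existing files, so after changing an ID that already owns files you still have to chown them to the new number.<br />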
<br />
= Setting Up Roaming Profiles (Windows 7) =<br />
<br />
1. You will need to create a share for the profiles, typically named '''profiles'''. Edit the ''/usr/local/samba/etc/smb.conf'' to include:<br />
<br />
[profiles]<br />
path = /usr/local/samba/var/profiles<br />
read only = no<br />
<br />
2. Create the directory above using:<br />
<br />
$ sudo mkdir /usr/local/samba/var/profiles<br />
<br />
3. On Windows start ''Active Directory Users and Computers'', select the users who should get roaming profiles, right-click and choose Properties.<br />
<br />
4. Under the profile tab, in the ''Profile path'' type the path to your share along with %USERNAME% as follows:<br />
<br />
\\sambaserver.samdom.example.com\profiles\%USERNAME%<br />
<br />
5. Click OK, log out and log in as one of those users. When you log out again, the profile should have been synced to the Samba server. Note that this share is writable by every domain user, so make sure the filesystem permissions prevent users from reading or changing each other's profile directories.<br />
<br />
= Adding organization unit (OU) into samba 4 domain =<br />
<br />
An Organizational Unit (OU) is a powerful feature of Active<br />
Directory. It is a type of container into which you can drag and drop<br />
users and/or computers.<br />
<br />
Several kinds of group policy can be linked to an OU, and the settings<br />
are then deployed to all users/computers under the OU. Within a single<br />
domain you can have as many OUs and sub-OUs as you like, which greatly<br />
reduces administrative overhead because everything can be managed<br />
through OUs. Group policy is covered in the next chapter.<br />
<br />
Before we create an OU, we should know what one looks like. By default<br />
there is a sample OU, 'Domain Controllers', which uses a different icon<br />
in the Windows management tools from the 'Users' and 'Computers'<br />
containers. Those two are plain containers, not OUs: group policy can be<br />
linked to the domain, to sites and to OUs, but not to the 'Users' and<br />
'Computers' containers, which is one reason to create OUs of your own.<br />
<br />
# To create an OU, as the domain administrator, use Start -> Run -> dsa.msc.<br />
# Right-click on your domain.<br />
# Choose New -> Organizational Unit.<br />
# Type 'OU Demo'.<br />
# A new OU named 'OU Demo' appears.<br />
# Drag your user 'demo' into the new OU. (Don't move the administrator or other accounts you rely on: every policy you link to this OU will apply to whatever you put in it.)<br />
# Right-click 'OU Demo' to create a sub-OU with New -> Organizational Unit.<br />
<br />
Normally OUs are created to mirror the departmental setup of your<br />
organization. Be careful not to confuse groups and OUs: groups are<br />
used to control permissions, OUs are used to deploy settings to<br />
all users/computers within the OU.<br />
<br />
= Implementing Group Policies (GPO) in a Samba4 domain =<br />
<br />
Samba4 Active Directory supports group policies and creates the policy<br />
objects on the fly when you define them from the Windows management<br />
tools. The basic idea of group policies is:<br />
<br />
# Group Policies have two kinds of settings, for computers and for users.<br />
# Computer settings apply to computers, user settings apply to users.<br />
# You link the group policy to a particular OU, and it then affects all computers/users under that OU.<br />
# To add a group policy, right click 'OU Demo' OU->properties<br />
# Choose group policy<br />
# Press new, name as 'GP Demo'<br />
# Press edit to edit the policy.<br />
# This example blocks users from opening the Control Panel. Open the tree 'User Configuration' -> 'Administrative Templates' -> 'Control Panel'.<br />
# Double-click 'Prohibit access to the Control Panel'.<br />
# Select Enabled and press OK. All users under 'OU Demo' will now be unable to open the Control Panel.<br />
# Make sure user demo is inside the 'OU Demo' (You can drag and drop it). <br />
# Logout and login as user 'demo'<br />
# You'll find user demo is not able to access control panel<br />
<br />
''Note:'' user configuration takes effect once you log out and log in again; computer configuration takes effect when you restart the computer.<br />
<br />
To learn more about managing organizational units, group policy and Active Directory, search the web for Windows 2003 Active Directory implementation guides.<br />
<br />
== Installing the Group Policy Management Console ==<br />
<br />
You may also find the Group Policy Management console useful. You can<br />
download it from:<br />
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en<br />
<br />
This is primarily useful for when you have larger installs and<br />
are managing many machines. You may need to download the .NET<br />
framework first.<br />
<br />
= Joining a Windows domain controller as an additional DC in a domain =<br />
<br />
Once you have a Samba domain controller setup, you can choose to join<br />
additional domain controllers to the domain, whether they be<br />
additional Samba domain controllers, or additional Windows domain<br />
controllers.<br />
<br />
If you wish to join an additional Samba domain controller to a domain,<br />
then please see the [[Samba4/HOWTO/Join a domain as a DC|Joining a domain as a DC]] page. The instructions<br />
on that page are the same for joining Samba to a Windows domain as<br />
they are for joining Samba to an existing Samba domain.<br />
<br />
If you wish to join a new Windows domain controller to a Samba domain,<br />
then you should use the 'dcpromo' tool on the Windows machine. Please<br />
see the normal instructions for installing dcpromo on Windows, with<br />
the exception that you should not tick the 'DNS server' option box<br />
when it is offered. Right now you should either use Windows for DNS,<br />
or use Samba and bind9 for DNS. Mixing the two can work, but it is an<br />
advanced topic that is beyond the scope of this howto.<br />
<br />
= Migrating an Existing Samba3 Domain to Samba4 =<br />
<br />
It is very likely that you already have a running Samba3 domain on your network. The question is, how do you migrate that domain and all of its users and machines over to a new Samba4 based domain, without needing to move every user profile and machine to the new domain? The answer is the [[Samba4/samba-tool/domain/classicupgrade/HOWTO|samba-tool domain classicupgrade]] function.<br />
<br />
= Report your success/failure! =<br />
<br />
Samba4 as a replicating domain controller is still developing rapidly,<br />
and we like to hear from users about their successes and<br />
failures. While Samba4 is still in alpha release we would encourage<br />
you to report both your successes and failures to the samba-technical<br />
mailing list on http://lists.samba.org<br />
<br />
Please be aware that Samba4 is not complete, so you should deploy it<br />
carefully until it is ready for a non-alpha release.</div>Ekacnethttps://wiki.samba.org/index.php?title=Setting_up_Samba_as_an_Active_Directory_Domain_Controller&diff=6691Setting up Samba as an Active Directory Domain Controller2012-07-01T21:26:03Z<p>Ekacnet: /* smbclient */</p>
<hr />
<div>= Samba4 HOWTO =<br />
<br />
This document explains how to setup a simple Samba4<br />
server. This is aimed at people who are already familiar with Samba3<br />
and wish to participate in Samba4 development or test the alpha<br />
releases of Samba4. This is not aimed at general production use of<br />
Samba4, although some brave sites are running Samba4 in production<br />
based on these instructions.<br />
<br />
== Video demonstrations of this HOWTO ==<br />
<br />
A set of [[samba4/videos|demonstration videos]] is available that<br />
may provide a useful overview of the contents of this HOWTO.<br />
<br />
== A note on alpha/beta versions ==<br />
<br />
Samba4 is developing very rapidly. This HOWTO is frequently updated to reflect the latest changes in the Samba git repository. Please see the Samba4 [[Samba4/Status|Status]] Wiki for more specifics on project status.<br />
<br />
== Step 1: Download Samba4 ==<br />
<br />
If you have downloaded the Samba4 code via a tarball released from the<br />
samba.org website, Step 1 has already been completed for you. For testing<br />
with the version released in the tarball, you may continue on to Step 2.<br />
<br />
Note that the references below to the top-level directory named<br />
"samba-master" will instead be based on the name of the tarball<br />
downloaded (e.g. "samba-4.0.0alpha13" for the tarball<br />
samba-4.0.0alpha13.tar.gz). Also note that in the "master" branch the<br />
samba4 code in our current git tree is now located in the top level<br />
directory.<br />
<br />
Otherwise there are two methods for downloading the current samba version:<br />
<br />
* via git<br />
* via rsync<br />
<br />
If you don't have rsync or git then install one of them, or stick to the latest tarball release.<br />
If you have a choice, we strongly recommend using the git method for<br />
downloading Samba, as it makes getting updates easier, and also allows<br />
you to integrate test patches from Samba developers more easily in<br />
case of problems.<br />
<br />
=== git ===<br />
<br />
$ git clone git://git.samba.org/samba.git samba-master; cd samba-master<br />
<br />
or via http:<br />
<br />
$ git clone http://gitweb.samba.org/samba.git samba-master; cd samba-master<br />
<br />
This will create a directory called "samba-master" in the current<br />
directory. Note that neither the git:// nor the plain http:// transport<br />
authenticates the server or what it sends you; use an https URL where the<br />
server offers one.<br />
<br />
If you want to update the tree to the latest version run:<br />
<br />
$ git pull<br />
<br />
=== rsync ===<br />
<br />
$ rsync -avz samba.org::ftp/unpacked/samba_4_0_test/ samba-master<br />
<br />
Note that the above rsync command will give you a checked out git<br />
repository, but it needs some changes so that you can update it using git:<br />
<br />
$ cd samba-master/<br />
$ rm .git/refs/tags/*<br />
$ rm -r .git/refs/remotes/<br />
$ git config remote.origin.url git://git.samba.org/samba.git<br />
$ git config --add remote.origin.fetch +refs/tags/*:refs/tags/* (this line is optional)<br />
$ git fetch<br />
<br />
Note you can ignore this error from git fetch:<br />
error: refs/heads/master does not point to a valid object!<br />
<br />
You can update it to the latest version at some future date using:<br />
<br />
$ git pull<br />
<br />
If you get an error like this:<br />
fatal: Unable to create '[...]/samba_master/.git/index.lock': File exists.<br />
remove the lock file and try running "git pull" again.<br />
<br />
== Step 2: Compile Samba4 ==<br />
<br />
Required development libraries:<br />
*Python development libraries (python-dev in Debian/Ubuntu) required to compile<br />
<br />
Recommended optional development libraries:<br />
*acl and xattr development libraries (libacl1-dev, libattr1-dev packages in Debian/Ubuntu)<br />
*blkid development libraries (libblkid-dev package in Debian/Ubuntu)<br />
*gnutls (libgnutls-dev package in Debian/Ubuntu)<br />
*readline (libreadline-dev package in Debian/Ubuntu)<br />
*openldap (libldap2-dev package in Debian/Ubuntu; openldap2-devel in openSUSE) is required to build the Samba3 components with LDAP support. Lacking this library the build will complete but attempts to provision (via upgrade) an Active Directory domain from an existing Samba3 LDAP backend will fail.<br />
<br />
For Debian/Ubuntu:<br />
$ apt-get install build-essential libacl1-dev libattr1-dev \<br />
libblkid-dev libgnutls-dev libreadline-dev python-dev \<br />
python-dnspython gdb pkg-config libpopt-dev libldap2-dev \<br />
bind9utils dnsutils<br />
<br />
For Fedora:<br />
<br />
$ yum install libacl-devel libblkid-devel gnutls-devel \<br />
readline-devel python-devel gdb pkgconfig<br />
<br />
For Red Hat Enterprise Linux 6.x or CentOS 6.x:<br />
<br />
$ yum install libacl-devel libblkid-devel gnutls-devel \<br />
readline-devel python-devel gdb pkgconfig krb5-workstation<br />
$ yum install zlib-devel setroubleshoot-server \<br />
setroubleshoot-plugins policycoreutils-python \<br />
libsemanage-python setools-libs-python setools-libs \<br />
popt-devel libpcap-devel sqlite-devel libidn-devel \<br />
libxml2-devel libacl-devel libsepol-devel libattr-devel \<br />
keyutils-libs-devel cyrus-sasl-devel<br />
<br />
For openSUSE 11.4 or openSUSE 12.1:<br />
<br />
$ zypper install libacl-devel python-selinux autoconf make \<br />
python-devel gdb sqlite3-devel libgnutls-devel binutils \<br />
policycoreutils-python setools-libs selinux-policy \<br />
setools-libs popt-devel libpcap-devel keyutils-devel \<br />
libidn-devel libxml2-devel libacl-devel libsepol-devel \<br />
libattr-devel zlib-devel cyrus-sasl-devel gcc \<br />
krb5-client openldap2-devel libopenssl-devel<br />
<br />
For Gentoo:<br />
<br />
$ USE="dlz python gssapi" emerge cyrus-sasl heimdal bind bind-tools gnutls dnspython gdb libidn subunit<br />
$ ACCEPT_KEYWORDS="~amd64" USE="python" emerge =sys-libs/tdb-1.2.10 =sys-libs/tevent-0.9.15 =sys-libs/ldb-1.1.6<br />
Obviously that would be ~x86 instead of ~amd64 on a x86 arch, also don't forget to <br />
$ eselect python set 1<br />
where 1 is python 2.X (3.X is not yet supported) if you don't know which version you are using, '''eselect python list''' will give you a list of available ones.<br />
<br />
To build, run this:<br />
<br />
$ cd samba-master<br />
$ ./configure.developer<br />
$ make<br />
<br />
The above command will setup Samba4 to install in /usr/local/samba. If<br />
you want Samba to install somewhere else then you should use the<br />
--prefix option to configure.developer.<br />
<br />
The reason we recommend using configure.developer rather than<br />
configure for Samba4 alpha releases is that it will include extra<br />
debug information that will help us diagnose problems in case of<br />
failures. It will also allow you to run the various builtin automatic<br />
tests.<br />
<br />
== Step 3: Install Samba4 ==<br />
<br />
Run this as a user who has permission to write to the install<br />
directory (which defaults to /usr/local/samba). Use the --prefix option to<br />
configure.developer above to change this.<br />
<br />
$ make install<br />
<br />
For the rest of this HOWTO we will assume that you have installed<br />
Samba4 in the default location, which is /usr/local/samba.<br />
<br />
== Step 4: Provision Samba4 ==<br />
<br />
The "provision" step sets up a basic user database, and is used when you are setting up your Samba4<br />
server in its own domain. If you instead want to setup your Samba4 server as an additional domain controller<br />
in an existing domain, then please see the separate page on [[Samba4 joining a domain]]. If you want to migrate an existing Samba3 domain to Samba4, see the [[#Migrating an Existing Samba3 Domain to Samba4|Migrating an Existing Samba3 Domain to Samba4]] section on this page.<br />
<br />
In the following examples we will assume your DNS domain name is<br />
'samdom.example.com' and your short (also known as NT4) domain name is<br />
'samdom'. We will assume that your Samba servers hostname is samba.<br />
<br />
It must be run as a user with permission to write to the install directory (which means you may need to run this command with sudo). Note that the password given with --adminpass is visible in the process list while provision runs and is saved in your shell history; remove it from the history afterwards, or change the administrator password once the domain is up.<br />
<br />
# /usr/local/samba/sbin/provision \<br />
--realm=samdom.example.com --domain=SAMDOM \<br />
--adminpass=SOMEPASSWORD --server-role=dc<br />
<br />
If you get an error like this:<br />
tdb_open_ex: could not open file /usr/local/samba/private/sam.ldb.d/DC=SAMDOM,DC=EXAMPLE,DC=COM. ldb: Permission denied<br />
then you need to rerun with sudo<br />
<br />
Troubleshooting note:<br />
you may need to rm the smb.conf file if you failed to pass valid names and provision previously failed<br />
<br />
There are many other options you can pass to the 'provision' command, run it with the --help option to see a list of them.<br />
<br />
*Note: when using the Debian SID samba4 package, the provision script and samba4 installation abort if <tt>hostname -d</tt> returns an empty string (domain name not found), because the debian4.config script derives the realm as <tt>REALM=`hostname -d | tr 'a-z' 'A-Z'`</tt>. So check that /etc/resolv.conf contains:<br />
domain ''samdom.example.com''<br />
<br />
== Step 5: Starting Samba4 ==<br />
<br />
If you are planning to run Samba4 as a production server, then just run the "samba" binary as root<br />
<br />
# samba<br />
<br />
That will run Samba4 in 'standard' mode, which is suitable for<br />
production use. Samba4 alpha13 doesn't yet have init scripts included<br />
for each platform, but making one for your platform should not be<br />
difficult. There are some example scripts (for RedHat/Fedora and Debian/Ubuntu) on the [[Samba4/InitScript]] page.<br />
<br />
If you are running Samba4 as a developer you may find<br />
the following more useful:<br />
<br />
# samba -i -M single<br />
<br />
that means start "samba" with messages in stdout, and running a<br />
single process. That mode of operation makes debugging "samba" with gdb<br />
particularly easy. If you want to launch it under gdb, then the following<br />
example could be useful:<br />
<br />
$ sudo gdb --args bin/samba -i -M single<br />
<br />
Note that if you are running any Samba3 smbd or nmbd processes<br />
they need to be stopped before starting "samba" from Samba 4.<br />
<br />
Make sure you put the bin and sbin directories from your new install<br />
in your $PATH or you may end up running the wrong version. You can see what version <br />
you have by running "samba -V".<br />
<br />
Note: in older developer versions of samba4 "samba" was still called "smbd".<br />
<br />
== Step 6: Testing Samba4 ==<br />
<br />
First check you have the right version of smbclient in your $PATH<br />
<br />
$ smbclient --version<br />
<br />
This should show you a version starting with "Version 4.0.XXXXX". <br />
<br />
Now try this command:<br />
<br />
$ smbclient -L localhost -U%<br />
<br />
That should show you a list of shares available on your server. For example:<br />
<br />
Sharename Type Comment<br />
--------- ---- -------<br />
netlogon Disk<br />
sysvol Disk<br />
IPC$ IPC IPC Service (Samba 4.0.0alpha12-GIT-5e755e9)<br />
ADMIN$ Disk DISK Service (Samba 4.0.0alpha12-GIT-5e755e9)<br />
<br />
The 'netlogon' and 'sysvol' shares are basic shares needed for Active Directory server<br />
operation. <br />
<br />
To test that authentication is working, connect to the netlogon share<br />
using the administrator password you set earlier.<br />
<br />
 $ smbclient //localhost/netlogon -Uadministrator%PASSWORD<br />
<br />
You should get a "smb>" prompt, and access to your netlogon directory. Be aware that the -Uadministrator%PASSWORD form puts the password on the command line, where any local user can read it from the process list and where it lands in your shell history; outside a throw-away test, pass only -Uadministrator and let smbclient prompt for the password.<br />
<br />
== Step 7 Create a share in smb.conf ==<br />
<br />
The provisioning will create a very simple smb.conf with no shares by<br />
default. For the server to be useful you will need to update it to<br />
have at least one share. For example:<br />
<br />
[test]<br />
path = /data/test<br />
read only = no<br />
<br />
Note that in current alpha versions of Samba4 you need to restart Samba<br />
to make new shares visible. This will be fixed in a future release.<br />
<br />
== Step 8 Configure DNS ==<br />
<br />
A working DNS setup is essential to the correct operation of<br />
Samba4. Without the right DNS entries, kerberos won't work, which in<br />
turn means that many of the basic features of Samba4 won't work.<br />
<br />
It is worth spending some extra time to ensure your DNS setup is just<br />
right, as debugging problems caused by mis-configured DNS can take a<br />
lot of time later on.<br />
<br />
The simplest way to get a working DNS setup for Samba4 is to start<br />
with the DNS configuration file that are created by the<br />
'provision' step above. If you look in /usr/local/samba/private<br />
directory, you'll find a file called 'named.conf'.<br />
<br />
Assuming you have a bind 9.8.x or newer DNS server installed, you can<br />
activate the configuration that the provision has created by adding a<br />
line like this to /etc/bind/named.conf.local:<br />
<br />
include "/usr/local/samba/private/named.conf";<br />
<br />
After adding that line you should restart your bind server and check<br />
in the system logs for any problems.<br />
<br />
Note that the /usr/local/samba/private/named.conf requires at least<br />
bind 9.8.x to function and you may need to edit the <br />
/usr/local/samba/private/named.conf file to use the bind 9.9.x module<br />
(need to verify this).<br />
<br />
One common problem is that many modern Linux distributions activate<br />
AppArmor or SELinux by default, and these may be configured to<br />
deny bind access to the named.conf and zone files created by<br />
the provision. If your bind logs show that bind is getting an access<br />
denied error on these files, see your local system documentation for<br />
how to allow bind to read them (hint: on AppArmor systems such as Ubuntu<br />
the command aa-logprof may be useful). Extend the bind profile to cover<br />
just these paths rather than disabling the mandatory access control<br />
altogether.<br />
<br />
Now you need to test that DNS is working correctly. Check that your<br />
/etc/resolv.conf is pointing correctly at your local DNS server, then<br />
run the following commands:<br />
<br />
$ host -t SRV _ldap._tcp.samdom.example.com.<br />
_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com.<br />
<br />
$ host -t SRV _kerberos._udp.samdom.example.com.<br />
_kerberos._udp.samdom.example.com has SRV record 0 100 88 samba.samdom.example.com.<br />
<br />
$ host -t A samba.samdom.example.com.<br />
samba.samdom.example.com has address 10.0.0.1<br />
<br />
Check that you get answers similar to the ones above (adjusted for<br />
your DNS domain name and hostname). If you get any errors then<br />
carefully check your system logs to find and fix the problem.<br />
<br />
*Note: One of the problems I've had on Debian system is that the zone autogeneration always detects, and uses, 127.0.1.1 as the domain controller's IP address. That works fine until you 1) Don't have a 127.0.1.1 interface on the machine or 2) Go to join your first client to the domain. In /usr/local/samba/private/named.conf you might need to change 127.0.1.1 to reflect the actual IP address of the server you're setting up.<br />
*Note: On Debian SID (bind9 package), /etc/bind/named.conf.options is missing, which prevents the named daemon from starting and the installation from completing (create an empty file or comment out the corresponding line in /etc/bind/named.conf; see the syslog messages).<br />
<br />
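The three queries above are easy to script, which pays off when you set up more than one DC or revisit a broken one. The following is an added example, not code from the Samba project or this HOWTO: it runs the same 'host' queries, requires the SRV records to name the expected DC on ports 389 and 88, and rejects an A record that points at a loopback address (the 127.0.1.1 problem described in the note above). It assumes the 'host' utility from dnsutils/bind-utils; samdom.example.com and samba.samdom.example.com are the HOWTO's sample values and are passed as parameters.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the Samba HOWTO: script the DNS checks for a
# Samba4 DC. Assumes the 'host' utility (dnsutils / bind-utils).

# parse_srv_target LINE PORT
# LINE is one line of 'host -t SRV' output:
#   NAME has SRV record PRIO WEIGHT PORT TARGET.
# Prints TARGET without its trailing dot; succeeds only if PORT matches.
parse_srv_target() {
    want_port=$2
    set -- $1
    [ "$#" -ge 8 ] && [ "$3" = "SRV" ] || return 1
    [ "$7" = "$want_port" ] || return 1
    printf '%s\n' "${8%.}"
}

# a_not_loopback LINE
# LINE is one line of 'host -t A' output: NAME has address A.B.C.D
# Prints the address; fails on 127.x.x.x, which is what a zone generated
# with 127.0.1.1 as the DC address produces.
a_not_loopback() {
    set -- $1
    [ "$#" -ge 4 ] && [ "$3" = "address" ] || return 1
    case $4 in
        127.*) return 1 ;;
    esac
    printf '%s\n' "$4"
}

# check_dc_dns REALM DCHOST
# Runs the live queries and returns non-zero on the first mismatch.
# Only the first answer of each SRV lookup is checked.
check_dc_dns() {
    realm=$1; dc=$2
    ldap=$(parse_srv_target "$(host -t SRV "_ldap._tcp.$realm." | head -n 1)" 389) \
        || { echo "LDAP SRV record missing or not on port 389" >&2; return 1; }
    kdc=$(parse_srv_target "$(host -t SRV "_kerberos._udp.$realm." | head -n 1)" 88) \
        || { echo "Kerberos SRV record missing or not on port 88" >&2; return 1; }
    for t in "$ldap" "$kdc"; do
        [ "$t" = "$dc" ] || { echo "SRV target $t is not $dc" >&2; return 1; }
    done
    addr=$(a_not_loopback "$(host -t A "$dc." | head -n 1)") \
        || { echo "A record for $dc missing or points at loopback" >&2; return 1; }
    echo "OK: $realm -> $dc ($addr)"
}

# Usage: sh check_dc_dns.sh samdom.example.com samba.samdom.example.com
if [ "$#" -eq 2 ]; then
    check_dc_dns "$1" "$2"
fi
```
<br />
Run it on the DC itself and on a client, with /etc/resolv.conf pointing at the DC, since a client that resolves through another server is the usual way the loopback problem surfaces.<br />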
== Step 9: Testing kerberos ==<br />
Once DNS is working, you should test that the Kerberos server built into<br />
Samba4 is working correctly.<br />
<br />
Before testing, configure the krb5.conf file (/etc/krb5.conf on RHEL-like systems): replace the existing one with the sample from /usr/local/samba/share/setup/krb5.conf.<br />
Edit the file and replace ${REALM} with your realm name in upper case (SAMDOM.EXAMPLE.COM in these examples).<br />
<br />
The easiest test is to use the kinit command like this:<br />
<br />
$ kinit administrator@SAMDOM.EXAMPLE.COM<br />
Password:<br />
<br />
''Note:''<br><br />
: You have to give your 'domain realm SAMDOM.EXAMPLE.COM' in <b>uppercase letters</b> to kinit.<br />
<br />
The kinit should complete successfully. After it completes you can<br />
examine the received ticket like this:<br />
<br />
$ klist -e<br />
Ticket cache: FILE:/tmp/krb5cc_1000<br />
Default principal: administrator@SAMDOM.EXAMPLE.COM<br />
<br />
Valid starting Expires Service principal<br />
02/10/10 19:39:48 02/11/10 19:39:46 krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM<br />
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5<br />
<br />
If you find you don't have kinit or klist, you may need to install them. On Debian based<br />
systems (such as Ubuntu) the packages are called krb5-config and krb5-user. The 'ArcFour with HMAC/md5' etype in this 2010 sample is RC4; a current Samba DC and client should negotiate an AES etype, so if you only see RC4 today, check the enctype settings in the client's krb5.conf.<br />
<br />
You can also test Kerberos from a remote client; just make sure you have configured its<br />
krb5.conf and resolv.conf to point at the domain controller's IP address.<br />
<br />
''Note:''<br><br />
: If you are using a client behind NAT then you have to add the following to the krb5.conf on the domain controller. This turns off the check that a ticket is presented from the address it was issued to, so a ticket copied off a client becomes usable from any host; enable it only if you really have clients behind NAT:<br />
<br />
[kdc]<br />
check-ticket-addresses = false<br />
<br />
== Step 10 Configure kerberos DNS dynamic updates (optional) ==<br />
<br />
To setup dynamic DNS updates you need to have a recent version of bind9 installed. It is highly recommended that you install at least version 9.8.0 as that version includes a set of patches from the Samba Team to make dynamic DNS updates much more robust and easier to configure. In the instructions below we give instructions for both bind 9.7.2 and 9.8.0, but please use 9.8.0 or later if at all possible.<br />
<br />
For Debian Lenny:<br />
<br />
If you also want to use Dynamically Loadable Zones (DLZ) then you should add the corresponding option (dlopen) depending on your version of bind.<br />
If you are about to compile a downloaded tarball you might need these libraries: libkrb5-dev and libssl-dev<br />
<br />
$ apt-get install libkrb5-dev libssl-dev<br />
$ tar -zxvf bind9.x.x.tar.gz<br />
$ cd bind9.x.x<br />
<br />
Bind9.8.0<br />
<br />
$ ./configure --with-gssapi=/usr/include/gssapi --with-dlz-dlopen=yes<br />
<br />
Bind9.8.1<br />
<br />
$ ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes<br />
<br />
$ make<br />
$ make install<br />
<br />
You can tell what version of bind9 you have using the command "/usr/sbin/named -V". If your OS does not have bind9 9.8.0 or later, then please consider getting it from a package provided by a 3rd party (for example, on Ubuntu there is a ppa available with the newer versions of bind9).<br />
<br />
=== Instructions for bind9 9.8.0 or later ===<br />
<br />
When using bind9 9.8.0 or later you should add a line like the following to the options section of your bind9 config:<br />
options {<br />
[...]<br />
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";<br />
[...]<br />
};<br />
<br />
On some systems (such as Ubuntu) this is located in /etc/bind/named.conf.options. Otherwise look for the "options {" part of your bind9 configuration.<br />
<br />
You also need an include line pointing at the named.conf in the private directory of your Samba install (this file is created by the provision command):<br />
<br />
include "/usr/local/samba/private/named.conf";<br />
<br />
On Debian based systems (such as Ubuntu) this include line is normally put in /etc/bind/named.conf.local. On RedHat based systems it goes in /etc/named.conf.<br />
<br />
=== Instructions for bind9 9.7.x ===<br />
<br />
If you have bind9 9.7.x (specifically 9.7.2 or later), then first determine if you can <br />
at all possibly run bind 9.8. You will have far fewer problems. Otherwise, follow these instructions.<br />
<br />
The Samba provision will have created a custom named.conf.update configuration file in the private directory of your Samba install. You need to include it in your master named.conf to allow Samba/Kerberos DNS updates to take place automatically. Be advised that if you include this file in bind versions that don't support it, bind will fail to start.<br />
<br />
You additionally need to set two environment variables for bind9 when using bind9 version 9.7.x:<br />
<br />
KEYTAB_FILE="/usr/local/samba/private/dns.keytab"<br />
KRB5_KTNAME="/usr/local/samba/private/dns.keytab"<br />
export KEYTAB_FILE<br />
export KRB5_KTNAME<br />
<br />
These should be put in your settings file for bind9. On Debian based<br />
systems (including Ubuntu) this is in /etc/default/bind9. On RedHat and SUSE derived systems it is<br />
in /etc/sysconfig/named. Strictly speaking you only either need<br />
KEYTAB_FILE or KRB5_KTNAME, but which you need depends on your distro,<br />
so it's easier to just set both.<br />
<br />
The dns.keytab must be readable by the bind server user; this can be accomplished by executing:<br />
$ chown named.named /usr/local/samba/private/dns.keytab<br />
<br />
(the provision should have set up these permissions for you automatically).<br />
<br />
Then in your /etc/bind/named.conf.options you need this:<br />
<br />
tkey-gssapi-credential "DNS/server.samdom.example.com";<br />
tkey-domain "SAMDOM.EXAMPLE.COM";<br />
<br />
The last part of the credential in the first line must match the dns name of the server you have set up.<br />
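The options in the two bind9 sections above are easy to get subtly wrong, and the keytab they point at deserves attention: anyone who can read dns.keytab holds the key with which bind accepts authenticated (GSS-TSIG) updates to the AD zone, so it must be readable by bind's user or group and nobody else. The following Python script is an added example, not code from the Samba wiki or the Samba project. It checks a named.conf text for the 9.8+ tkey-gssapi-keytab option (or the 9.7.x tkey-gssapi-credential/tkey-domain pair, including the page's rule that the credential host must sit in the tkey-domain), checks for the include of Samba's named.conf, and checks the keytab's mode. The configuration texts and the temporary keytab files are constructed inline so the script runs offline; the paths are the ones used on this page.<br />

```python
import os
import re
import stat
import tempfile

# Paths as used on this page (adjust to your Samba prefix).
SAMBA_PRIVATE = "/usr/local/samba/private"
KEYTAB = SAMBA_PRIVATE + "/dns.keytab"
SAMBA_NAMED_CONF = SAMBA_PRIVATE + "/named.conf"

# Constructed sample: named.conf.options plus named.conf.local after
# following the bind9 9.8+ instructions.
SAMPLE_98_CONF = """
options {
    directory "/var/cache/bind";          // distro default
    listen-on { any; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
"""

# Constructed sample for the bind9 9.7.x variant.
SAMPLE_97_CONF = """
options {
    tkey-gssapi-credential "DNS/server.samdom.example.com";
    tkey-domain "SAMDOM.EXAMPLE.COM";
};
include "/usr/local/samba/private/named.conf";
"""


def strip_comments(text):
    """Remove the C, C++ and shell style comments named.conf allows.
    (Simplification: comment markers inside quoted strings are not special-cased.)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(text, name):
    """Return the text inside the first `name { ... }` block, honouring nesting."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None  # unbalanced braces


def quoted_option(body, name):
    """Value of a `name "value";` statement inside a block body, or None."""
    m = re.search(r'\b%s\s+"([^"]*)"\s*;' % re.escape(name), body)
    return m.group(1) if m else None


def check_bind_config(conf_text, keytab=KEYTAB, samba_conf=SAMBA_NAMED_CONF):
    """Return a list of problems found in the (concatenated) named.conf text."""
    text = strip_comments(conf_text)
    problems = []
    opts = block_body(text, "options")
    if opts is None:
        problems.append("no options { ... } block found")
        opts = ""
    kt = quoted_option(opts, "tkey-gssapi-keytab")
    cred = quoted_option(opts, "tkey-gssapi-credential")
    dom = quoted_option(opts, "tkey-domain")
    if kt is not None:                            # bind9 9.8+ style
        if kt != keytab:
            problems.append("tkey-gssapi-keytab is %s, expected %s" % (kt, keytab))
    elif cred is not None and dom is not None:    # bind9 9.7.x style
        if not cred.startswith("DNS/"):
            problems.append("tkey-gssapi-credential should be DNS/<server fqdn>")
        elif not cred[4:].upper().endswith("." + dom.upper()):
            problems.append("credential host %s is not in tkey-domain %s" % (cred[4:], dom))
    else:
        problems.append("options lacks tkey-gssapi-keytab (9.8+) or "
                        "tkey-gssapi-credential + tkey-domain (9.7.x)")
    includes = re.findall(r'\binclude\s+"([^"]*)"\s*;', text)
    if samba_conf not in includes:
        problems.append('missing: include "%s";' % samba_conf)
    return problems


def check_keytab_mode(path):
    """The keytab must be readable by bind's user/group and by nobody else."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("%s is accessible by 'other'; run chmod o-rwx on it" % path)
    if not st.st_mode & (stat.S_IRUSR | stat.S_IRGRP):
        problems.append("%s is readable by neither owner nor group" % path)
    return problems


def demo_keytab_check():
    """Create two constructed keytab files and return their check results."""
    d = tempfile.mkdtemp()
    results = {}
    for name, mode in (("loose.keytab", 0o644), ("tight.keytab", 0o640)):
        path = os.path.join(d, name)
        open(path, "wb").close()
        os.chmod(path, mode)
        results[name] = check_keytab_mode(path)
        os.unlink(path)
    os.rmdir(d)
    return results


if __name__ == "__main__":
    for label, conf in (("9.8+", SAMPLE_98_CONF), ("9.7.x", SAMPLE_97_CONF)):
        print(label, check_bind_config(conf) or "OK")
    print(demo_keytab_check())
```

On a real system, feed the script the concatenation of named.conf.options and named.conf.local (or /etc/named.conf on RedHat) and point check_keytab_mode at the real keytab; a keytab with mode 0644 is the most common reason a working setup is also an insecure one.<br />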
<br />
=== Debugging dynamic DNS updates ===<br />
<br />
The way automatic DNS update works in Samba is that the provision<br />
creates a file /usr/local/samba/private/dns_update_list, which<br />
contains a list of DNS entries that Samba will try to dynamically<br />
update at startup and every 10 minutes thereafter using the samba_dnsupdate utility.<br />
Updates only happen if the DNS entries do not already exist.<br />
Remember that you need the nsupdate utility from the bind distribution<br />
for this to work (the dnsutils package on Debian/Ubuntu).<br />
<br />
If you want to debug this process, then please run this as root:<br />
<br />
/usr/local/samba/sbin/samba_dnsupdate --verbose<br />
<br />
This will give you more information on the updates that Samba is doing<br />
at runtime, and show you any errors that are generated.<br />
<br />
=== Interaction with apparmor or SELinux ===<br />
<br />
Now you have to ensure that bind can read the dns.keytab file, the<br />
named.conf file and the zone file. It also needs to be able to write<br />
the zone file. The Samba provision tries to set up the permissions<br />
correctly for these files, but you may find you need to make changes<br />
in your AppArmor or SELinux configuration if you are running either of<br />
those. If you are using AppArmor then the aa-logprof command may help<br />
you add any missing permissions after you start Samba<br />
and bind9 for the first time after configuring them.<br />
<br />
You should also carefully check the permissions on the private/dns directory to ensure it is writable by bind.<br />
<br />
== Step 11 Configure NTP (optional) ==<br />
<br />
RedHat 6.x:<br />
RedHat does not provide a recent enough NTP version to support signed NTP, so a newer version is required.<br />
<br />
1. Download an NTP release >= 4.2.6 from ntp.org (verify the md5 sum).<br />
<br />
2. Download the RedHat 6.1 ntp source rpm from RedHat and install it.<br />
<br />
3. Edit ntp.spec, remove all lines regarding patches and correct the version number.<br />
<br />
4. Here is a <b>partial</b> diff showing the required edits; then run <i>$ rpmbuild -ba ntp.spec</i><br />
218c115<br />
< --enable-linuxcaps<br />
---<br />
> --enable-linuxcaps --enable-ntp-signd<br />
327a225<br />
> %{_sbindir}/sntp<br />
345,346c243,244<br />
< %{_mandir}/man8/ntptime.8*<br />
< %{_mandir}/man8/tickadj.8*<br />
---<br />
> %{_mandir}/man8/ntpdtime.8*<br />
> #%{_mandir}/man8/tickadj.8*<br />
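Review bot: in the 345,346c243,244 hunk the replacement entry `%{_mandir}/man8/ntpdtime.8*` differs from the removed `%{_mandir}/man8/ntptime.8*` by a single inserted letter, and the neighbouring tickadj.8 entry is commented out rather than renamed; confirm the exact man page names in the tarball downloaded in step 1 before running rpmbuild, because a %files entry naming a file the build did not install makes rpmbuild fail.<br />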
352c250<br />
< %{_mandir}/man8/ntp-wait.8*<br />
---<br />
> #%{_mandir}/man8/ntp-wait.8*<br />
<br />
For Debian/Ubuntu:<br />
<br />
Recent versions of Debian/Ubuntu already contain a version of ntp with support for signing. For older versions (Debian Squeeze, Ubuntu < 11.04), get a recent version of ntp:<br />
<br />
$ tar -zxvf ntp-4.x.x.tar.gz<br />
$ cd ntp-4.x.x<br />
$ ./configure --enable-ntp-signd<br />
$ make<br />
$ make install<br />
<br />
5. TODO ( add example ntp.conf changes )<br />
<br />
# A simple ntp.conf tested in Debian Lenny<br />
# Using the hardware clock<br />
server 127.127.1.1<br />
fudge 127.127.1.1 stratum 12<br />
ntpsigndsocket /usr/local/samba/var/run/ntp_signd/<br />
restrict default mssntp<br />
[...]<br />
<br />
== NOTES on permissions, SELinux labeling and policy ==<br />
<br />
RedHat 6.X:<br />
<br />
There is still more work to do regarding a Samba4-specific SELinux policy, but for now you should be<br />
able to have everything working *without* disabling SELinux.<br />
<br />
Based on the provision example above, set this environment variable for the commands below:<br />
MYREALM="samdom.example.com"<br />
<br />
Change permissions:<br />
chown named:named /usr/local/samba/private/dns<br />
chgrp named /usr/local/samba/private/dns.keytab<br />
chmod g+r /usr/local/samba/private/dns.keytab<br />
chmod 775 /usr/local/samba/private/dns<br />
<br />
Label files ( ensure $MYREALM is correct ):<br />
chcon -t named_conf_t /usr/local/samba/private/dns.keytab<br />
chcon -t named_conf_t /usr/local/samba/private/named.conf.update<br />
chcon -t named_var_run_t /usr/local/samba/private/dns<br />
chcon -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone<br />
<br />
<br />
Needed for persistence of labels ( ensure $MYREALM is correct ):<br />
semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab<br />
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf<br />
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf.update<br />
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns<br />
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone<br />
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl<br />
semanage fcontext -a -t ntpd_t /usr/local/samba/var/run/ntp_signd<br />
<br />
NOTE: Multiple attempts to set the context for ntp failed, so the commands and policy below were needed for Windows clients to synchronize time after joining the domain.<br />
$ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/ntp_signd<br />
$ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/<br />
$ chcon -t ntpd_t /usr/local/samba/var/run/ntp_signd/socket<br />
<br />
samba4.te policy:<br />
module samba4 1.0;<br />
<br />
<br />
require {<br />
type ntpd_t;<br />
type usr_t;<br />
type initrc_t;<br />
class sock_file write;<br />
class unix_stream_socket connectto;<br />
}<br />
<br />
#============= ntpd_t ==============<br />
allow ntpd_t usr_t:sock_file write;<br />
<br />
#============= ntpd_t ==============<br />
allow ntpd_t initrc_t:unix_stream_socket connectto;<br />
<br />
Check and load policy:<br />
$ checkmodule -M -m -o samba4.mod samba4.te <br />
$ semodule_package -o samba4.pp -m samba4.mod<br />
$ semodule -i samba4.pp<br />
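The chcon and semanage lists above amount to a table of expected SELinux types, and the quickest way to see why dynamic updates or time signing fail under enforcing mode is to compare that table with what `ls -Z` actually reports (a zone journal created by bind, for example, may not inherit the type you set on the directory until the semanage rule is in place). The Python script below is an added example, not code from the Samba wiki or the Samba project: it derives the expected labels from MYREALM and the page's paths, parses `ls -Z` output in both its short and its long (-l style) form, and reports every path whose type differs or that is missing. The sample `ls -Z` lines are constructed for the example, not captured from a real system.<br />

```python
import re

# Realm and prefix as in the provision example on this page.
MYREALM = "samdom.example.com"
PREFIX = "/usr/local/samba"

# SELinux context: user:role:type[:range]; we only care about the type.
CONTEXT_RE = re.compile(r"^[\w.]+:[\w.]+:(\w+)(?::\S+)?$")


def expected_labels(realm=MYREALM, prefix=PREFIX):
    """Path -> SELinux type, mirroring the chcon/semanage lists above."""
    priv = prefix + "/private"
    return {
        priv + "/dns.keytab": "named_conf_t",
        priv + "/named.conf": "named_conf_t",
        priv + "/named.conf.update": "named_conf_t",
        priv + "/dns": "named_var_run_t",
        priv + "/dns/%s.zone" % realm: "named_var_run_t",
        priv + "/dns/%s.zone.jnl" % realm: "named_var_run_t",
        prefix + "/var/run/ntp_signd": "ntpd_t",
    }


def parse_ls_Z(lines):
    """Parse `ls -Z` output (short 'context path' form or long -l style form)
    into {path: type}. Lines without a context field are skipped."""
    found = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        ctx = None
        for field in fields[:-1]:          # the path is the last field
            m = CONTEXT_RE.match(field)
            if m:
                ctx = m.group(1)
        if ctx:
            found[fields[-1]] = ctx
    return found


def audit_labels(actual, expected=None):
    """Return {path: (expected_type, actual_type_or_None)} for each mismatch."""
    if expected is None:
        expected = expected_labels()
    return {p: (t, actual.get(p)) for p, t in expected.items() if actual.get(p) != t}


# Constructed sample output: the journal file got the default type when bind
# created it, and the ntp_signd directory is not present in the listing.
SAMPLE_LS_Z = """\
system_u:object_r:named_conf_t:s0 /usr/local/samba/private/dns.keytab
system_u:object_r:named_conf_t:s0 /usr/local/samba/private/named.conf
system_u:object_r:named_conf_t:s0 /usr/local/samba/private/named.conf.update
drwxrwxr-x. named named unconfined_u:object_r:named_var_run_t:s0 /usr/local/samba/private/dns
system_u:object_r:named_var_run_t:s0 /usr/local/samba/private/dns/samdom.example.com.zone
system_u:object_r:usr_t:s0 /usr/local/samba/private/dns/samdom.example.com.zone.jnl
""".splitlines()


def demo():
    """Audit the constructed sample; returns the mismatches."""
    return audit_labels(parse_ls_Z(SAMPLE_LS_Z))


if __name__ == "__main__":
    for path, (want, got) in sorted(demo().items()):
        print("%s: expected %s, found %s" % (path, want, got or "missing"))
```

Run `ls -Z` on the paths (and `ls -dZ` on the directories) and pipe the lines into parse_ls_Z; an empty audit means the labels match the page's list. Note that the samba4.te module above allows ntpd_t to write any usr_t socket file and to connect to any initrc_t stream socket, which is broader than the single ntp_signd socket it is meant to reach; a dedicated type for that socket would confine it more tightly.<br />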
<br />
== NOTE about filesystem support ==<br />
<br />
To use the advanced features of Samba4 you need a filesystem that<br />
supports both the "user" and "system" xattr namespaces.<br />
<br />
If you run Linux with a 2.6 kernel and ext3 this means you need to<br />
include the option "user_xattr" in your /etc/fstab. For example:<br />
<br />
/dev/hda3 /home ext3 user_xattr 1 1<br />
<br />
You also need to compile your kernel with the XATTR and SECURITY<br />
options for your filesystem. For ext3 that means you need:<br />
<br />
CONFIG_EXT3_FS_XATTR=y<br />
CONFIG_EXT3_FS_SECURITY=y<br />
<br />
If you are running a Linux 2.6 kernel with CONFIG_IKCONFIG_PROC<br />
defined you can check this with the following command:<br />
<br />
$ zgrep CONFIG_EXT3_FS /proc/config.gz<br />
<br />
If you don't have a filesystem with xattr support, then you can<br />
simulate it by using the option:<br />
<br />
posix:eadb = /usr/local/samba/eadb.tdb<br />
<br />
that will place all extra file attributes (NT ACLs, DOS EAs, streams<br />
etc), in that tdb. It is not efficient, and doesn't scale well, but at<br />
least it gives you a choice when you don't have a modern filesystem.<br />
<br />
=== Testing your filesystem ===<br />
<br />
To test your filesystem support, install the 'attr' package and run<br />
the following commands as root:<br />
<br />
# touch test.txt<br />
# setfattr -n user.test -v test test.txt<br />
# setfattr -n security.test -v test2 test.txt<br />
# getfattr -d test.txt<br />
# getfattr -n security.test -d test.txt<br />
<br />
You should see output like this:<br />
<br />
# file: test.txt<br />
user.test="test"<br />
<br />
# file: test.txt<br />
security.test="test2"<br />
<br />
If you get any "Operation not supported" errors then it means your<br />
kernel is not configured correctly, or your filesystem is not mounted<br />
with the right options.<br />
<br />
If you get any "Operation not permitted" errors then it probably means<br />
you didn't try the test as root.<br />
<br />
If you are using the posix:eadb option then you don't need to test your filesystem in this manner.<br />
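The setfattr/getfattr test above and the two error messages it can produce map directly onto the Linux xattr system calls, so the check can be scripted. The Python script below is an added example, not code from the Samba wiki or the Samba project: it sets and reads back an attribute in the user and security namespaces on a temporary file, distinguishes "Operation not supported" (kernel or mount option problem) from "Operation not permitted" (not run as root), and turns the result into the page's guidance. It uses only the standard library (os.setxattr/os.getxattr exist on Linux) and runs on any directory you pass it.<br />

```python
import errno
import os
import tempfile

OK = "ok"
NOT_SUPPORTED = "not supported"   # kernel/filesystem lacks this xattr namespace
NOT_PERMITTED = "not permitted"   # security.* needs root (CAP_SYS_ADMIN)


def classify(exc):
    """Map the OSError from setxattr/getxattr onto the page's two diagnoses."""
    if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return NOT_SUPPORTED
    if exc.errno in (errno.EPERM, errno.EACCES):
        return NOT_PERMITTED
    return "error: " + os.strerror(exc.errno)


def probe_xattr(path, name, value):
    """Set one attribute and read it back; return (status, stored value)."""
    try:
        os.setxattr(path, name, value)
        stored = os.getxattr(path, name)
    except OSError as exc:
        return classify(exc), None
    if stored != value:
        return "error: read back %r" % stored, stored
    return OK, stored


def check_filesystem(directory=None):
    """Equivalent of the page's setfattr/getfattr test, run on a temporary
    file in `directory` (default: the system temp dir).
    Returns {"user": status, "security": status}."""
    fd, path = tempfile.mkstemp(prefix="xattr-probe-", dir=directory)
    os.close(fd)
    try:
        return {
            "user": probe_xattr(path, "user.test", b"test")[0],
            "security": probe_xattr(path, "security.test", b"test2")[0],
        }
    finally:
        os.unlink(path)


def advice(results):
    """Turn the probe result into the guidance given above."""
    lines = []
    for ns, status in results.items():
        if status == NOT_SUPPORTED:
            lines.append("%s.*: kernel lacks XATTR/SECURITY support for this "
                         "filesystem, or it is not mounted with user_xattr" % ns)
        elif status == NOT_PERMITTED:
            lines.append("%s.*: run the test as root" % ns)
        elif status != OK:
            lines.append("%s.*: %s" % (ns, status))
    return lines or ["both xattr namespaces work; no posix:eadb needed"]


if __name__ == "__main__":
    import sys
    res = check_filesystem(sys.argv[1] if len(sys.argv) > 1 else None)
    print(res)
    for line in advice(res):
        print(line)
```

Run it as root against the directory that will hold the Samba shares (`python3 xattr_probe.py /srv/samba`); a result of "not supported" for the security namespace alone points at the CONFIG_EXT3_FS_SECURITY style kernel option rather than at /etc/fstab.<br />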
<br />
== Profiling with google-perftools ==<br />
<br />
LDFLAGS="-ltcmalloc -lprofiler" ./configure --enable-developer ..... <br />
<br />
This also works for CFLAGS<br />
<br />
= Configure a Windows Client to join a Samba 4 Active Directory =<br />
<br />
Active Directory is a powerful administration service which enables an administrator to centrally manage a network of Windows 2000, Windows XP Pro, Windows 2003, and Windows Vista Business Edition machines effectively. To test the real Samba 4 capability, we use Windows XP Pro as the testing environment (Windows XP Home doesn't include Active Directory functionality and won't work).<br />
<br />
To allow Samba 4 Active Directory or Microsoft Active Directory to manage a computer, we need to join the computer to the Active Directory domain.<br />
This involves:<br />
<br />
# Configuring DNS Setting<br />
# Configuring date/time and time zone<br />
# Joining the domain<br />
<br />
== Step 1: Configure DNS Setting for Windows ==<br />
<br />
Before we configure the DNS setting, verify that you are able to ping the Server's IP Address. If you are not able to ping the server, double check your IP address, firewall, routing, etc.<br />
<br />
Once you have verified network connectivity between the Samba server and client,<br />
<br />
# Right Click My Network Places -> Properties<br />
# Double click local area network->Properties<br />
# Double click tcp/ip<br />
# Use a static DNS server: add the Samba 4 server's IP address in the primary DNS server field.<br />
#:[[Image:Samba4dnsclient.jpg]]<br />
# Press ok, ok, ok again until finished.<br />
# Open a command prompt, type 'ping servername.your.realm' (change to suit your custom realm per your provision)<br />
<br />
If you get replies, then it means your Windows XP DNS settings are correct and the Samba4 server's DNS service is working as well.<br />
<br />
== Step 2: Configure date/time and time zone ==<br />
<br />
Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clock on the client and server be synchronized to within a few seconds of each other. If they are not synchronized, authentication will fail for apparently no reason.<br />
<br />
# Change the timezone in Windows XP Pro so that server and client use the same time zone. On my computer I use Asia/Kuala_Lumpur (I come from Malaysia).<br />
#:[[Image:Samba4timezone.jpg]]<br />
# Change the date/time so that the client has the same HH:MM as the server.<br />
#:[[Image:Samba4time.jpg]]<br />
<br />
== Step 3: Joining the Windows client into domain ==<br />
<br />
Now your Windows machine is ready to join the Active Directory (AD) domain.<br />
<br />
As administrator:<br />
<br />
# Right click My Computer -> Properties<br />
# Choose Computer Name, click Change...<br />
# Click the option 'Domain', insert YOUR.REALM (if that fails, try YOURDOM) ([[Image:Samba4joindomain.jpg]])<br />
# When it requests a username/password, type '''administrator''' as username, '''SOMEPASSWORD''' as password (per your earlier provision).<br />
# It will tell you that Windows XP has successfully joined the Active Directory domain, and that you need to restart.<br />
# After the restart, you should get the normal domain logon dialog<br />
# Choose domain YOURDOM, insert '''administrator''' as username, '''SOMEPASSWORD''' as password (again, per your earlier provision)<br />
# If you log in successfully, then you will be able to use Samba 4 Active Directory services in the next section.<br />
<br />
= Viewing Samba 4 Active Directory object from Windows =<br />
<br />
We need to install the Windows 2003 adminpak on Windows XP in order to use<br />
GUI tools to manage the domain. Before beginning, make sure the domain<br />
administrator has administrative rights on your computer. (To<br />
give any user administrative rights in Windows XP Pro, right click My<br />
Computer, choose Manage -> Groups -> double click Administrators<br />
and add members from the domain to the member list. When you add a<br />
member from Active Directory, it will prompt you to enter an<br />
Active Directory username/password.)<br />
<br />
== Step 1: Installing Windows Remote Administration Tools onto Windows ==<br />
<br />
=== Windows7 ===<br />
<br />
#Download the Windows Remote Administration Tools from<br />
#: http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en<br />
#and follow the "Install RSAT" instructions<br />
<br />
=== Vista ===<br />
<br />
Download the Windows Remote Administration Tools from<br />
* http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en<br />
<br />
and follow the "Install RSAT" instruction described at<br />
* http://support.microsoft.com/kb/941314<br />
<br />
=== Windows XP Pro ===<br />
<br />
# In Windows XP, download adminpak and supporttools from <br />
#* http://www.microsoft.com/downloads/en/details.aspx?FamilyID=86b71a4f-4122-44af-be79-3f101e533d95<br />
#* http://download.microsoft.com/download/3/e/4/3e438f5e-24ef-4637-abd1-981341d349c7/WindowsServer2003-KB892777-SupportTools-x86-ENU.exe<br />
#:If you installed an older version of the adminpak, you'll notice the dial-in tab is missing from property pages. Just follow the link above to get SP2 which does not have this issue.<br />
# Run through the installation.<br />
# Press Start -> Run, type 'dsa.msc'; if a window 'Active Directory Users and Computers' pops up, it means you have installed the adminpak successfully. You can also find this at Start > Programs > Administrative Tools, which should have a lot more items now.<br />
# Go to c:\Program Files\Support Tools to check whether the support tools were installed correctly; if yes, then your XP workstation is ready to manage the Samba 4 Active Directory.<br />
<br />
== Step 2: Viewing samba 4 active directory content ==<br />
<br />
# Log in as the domain 'testing1.org' administrator, press Start -> Run.<br />
# Type dsa.msc<br />
#:[[Image:Samba4run.jpg]]<br />
# Expand the testing1.org tree to see the existing objects in the domain. [[Image:Samba4dsa.msc.jpg]]<br />
<br />
= Managing Samba 4 Active Directory From Windows XP Pro =<br />
One of Samba4's goals is to integrate with (and replace) Active Directory as a system. At this point, if everything has worked correctly you should have an "Administrative Tools" menu under Programs. If, under Administrative Tools, you have "Active Directory Users and Computers", that is a very good sign. Most times, if there is a configuration problem or bug in Samba4, the AD Users & Computers tool (among other interfaces) won't show up as an option. You can run it by hand (Start -> Run -> dsa.msc) but it's unlikely to work correctly.<br />
<br />
<br />
== Step 1: Adding user into Samba 4 Active Directory ==<br />
Unlike Samba3, Samba4 does not require a local unix user for each Samba user that is created.<br />
<br />
To create a Samba user, use the command <br />
<br />
samba-tool user add USERNAME<br />
<br />
To inspect the allocated user ID and SID, use wbinfo<br />
<br />
$ bin/wbinfo --name-to-sid USERNAME<br />
S-1-5-21-4036476082-4153129556-3089177936-1005 SID_USER (1)<br />
<br />
$ bin/wbinfo --sid-to-uid S-1-5-21-4036476082-4153129556-3089177936-1005<br />
3000011<br />
<br />
If you want to change this mapping, then use ldbedit on idmap.ldb,<br />
like this:<br />
<br />
$ bin/ldbedit -e emacs -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
You will find records that look like this:<br />
<br />
# record 1<br />
dn: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
cn: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
objectClass: sidMap<br />
objectSid: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
type: ID_TYPE_BOTH<br />
xidNumber: 3000011<br />
distinguishedName: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
If you change the xidNumber attribute, save in your editor and exit,<br />
Samba will update the mapping between the SID and the user<br />
ID. Updating group mappings works in the same way.<br />
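The sidMap record above is plain LDIF, and editing xidNumber by hand is exactly the kind of change worth validating first: the number you type becomes the Unix uid (and, with ID_TYPE_BOTH, gid) that owns files on the server, so choosing a value that is already a local Unix account silently gives that account and the AD object the same file rights. The Python script below is an added example, not code from the Samba wiki or the Samba project: it parses the record shown above, validates the SID, builds the equivalent `changetype: modify` LDIF that ldbedit would write for you, and reports whether the chosen xid collides with a local account. The record text is the one shown on this page; the chosen new xid is a constructed value.<br />

```python
import pwd
import re

# Domain SID with a trailing RID, e.g. S-1-5-21-<a>-<b>-<c>-1005
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# The sidMap record shown above, as ldbedit prints it.
SAMPLE_RECORD = """\
# record 1
dn: CN=S-1-5-21-4036476082-4153129556-3089177936-1005
cn: S-1-5-21-4036476082-4153129556-3089177936-1005
objectClass: sidMap
objectSid: S-1-5-21-4036476082-4153129556-3089177936-1005
type: ID_TYPE_BOTH
xidNumber: 3000011
distinguishedName: CN=S-1-5-21-4036476082-4153129556-3089177936-1005
"""


def parse_ldif_record(text):
    """Minimal LDIF reader for one record: 'attr: value' lines, '#' comments,
    multi-valued attributes kept as lists. (No base64 '::' or line folding.)"""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an attr: value line: %r" % line)
        record.setdefault(attr.strip(), []).append(value.strip())
    return record


def rid_of(sid):
    """Relative ID (last component) of a domain SID; rejects well-known SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return int(m.group(1))


def local_account(uid):
    """Name of the local Unix account with this uid, or None."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def xidnumber_modify_ldif(record_text, new_xid):
    """Build the LDIF that changes the record's xidNumber, i.e. what ldbedit
    writes on your behalf when you edit the attribute by hand."""
    rec = parse_ldif_record(record_text)
    if rec.get("objectClass") != ["sidMap"]:
        raise ValueError("not a sidMap record")
    rid_of(rec["objectSid"][0])      # validate the SID before touching anything
    old_xid = int(rec["xidNumber"][0])
    if new_xid < 0:
        raise ValueError("xidNumber must be non-negative")
    if new_xid == old_xid:
        raise ValueError("xidNumber is already %d" % old_xid)
    return ("dn: %s\n"
            "changetype: modify\n"
            "replace: xidNumber\n"
            "xidNumber: %d\n"
            "-\n" % (rec["dn"][0], new_xid))


if __name__ == "__main__":
    new = 1005                       # constructed value for the demonstration
    print(xidnumber_modify_ldif(SAMPLE_RECORD, new))
    owner = local_account(new)
    if owner:
        print("# note: uid %d is already local user %r; the SID above would "
              "share that user's files" % (new, owner))
```

The generated LDIF can be applied with ldbmodify against the same -H /usr/local/samba/private/idmap.ldb path used above, which makes the change scriptable and reviewable instead of an interactive edit.<br />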
<br />
You can also manage users using the normal Windows AD user management<br />
tools.<br />
<br />
= Setting Up Roaming Profiles (Windows 7) =<br />
<br />
1. You will need to create a share for the profiles, typically named '''profiles'''. Edit the ''/usr/local/samba/etc/smb.conf'' to include:<br />
<br />
[profiles]<br />
path = /usr/local/samba/var/profiles<br />
read only = no<br />
<br />
2. Create the directory above using:<br />
<br />
$ sudo mkdir /usr/local/samba/var/profiles<br />
<br />
3. On windows start the ''Active Directory Users and Computers'', select all the users, right click and hit properties<br />
<br />
4. Under the profile tab, in the ''Profile path'' type the path to your share along with %USERNAME% as follows:<br />
<br />
\\sambaserver.samdom.example.com\profiles\%USERNAME%<br />
<br />
5. Click OK, log out and log in as one of those users. When you log out again, you should see that the profile has been synced onto the Samba server.<br />
<br />
= Adding organization unit (OU) into samba 4 domain =<br />
<br />
An Organizational Unit (OU) is a powerful feature in Active<br />
Directory. It is a type of container into which you can drag & drop<br />
users and/or computers.<br />
<br />
We can link several kinds of group policy to an OU, and the settings<br />
will be deployed to all users/computers under the OU. Within a single domain<br />
we can have as many OUs and sub-OUs as we like. The result is that<br />
administrative overhead can be greatly reduced because you are able to<br />
manage everything via an OU. The implementation of group policy will<br />
be discussed in the next chapter.<br />
<br />
Before we create an OU, we should know what an OU looks like. By default<br />
we can see a sample OU 'Domain Controllers', which uses a different<br />
icon in the Windows management tools from the 'Users' and 'Computers'<br />
containers. We can deploy group policy to the users or computers container.<br />
<br />
# To create an OU, as the domain administrator, use Start -> Run -> dsa.msc<br />
# Right click on your domain.<br />
# Choose New -> Organizational Unit<br />
# Type 'OU Demo'<br />
# Then you will see a new OU appear, with the name 'OU Demo'.<br />
# You can drag your user 'demo' into the new OU (Don't move other users, unless you want to get stuck!)<br />
# Right click 'OU Demo'; you can create a sub-OU with New -> Organizational Unit.<br />
<br />
Normally we create OUs based on the departmental setup of the<br />
organization. Be careful not to confuse groups and OUs: groups are<br />
used to control permissions, OUs are used to deploy settings to<br />
all users/computers within the OU.<br />
<br />
= Implementing Group Policies (GPO) in a Samba4 domain =<br />
<br />
Samba4 Active Directory has support for group policies, and can create<br />
group policy on the fly. The basic idea of group policies is:<br />
<br />
# Group Policies have 2 kinds of settings, computer and user.<br />
# Computer settings apply to computers, user settings apply to users<br />
# We link the group policy to a particular OU, and the group policy will affect all computers/users under the OU.<br />
# To add a group policy, right click the 'OU Demo' OU -> Properties<br />
# Choose Group Policy<br />
# Press New, name it 'GP Demo'<br />
# Press Edit to edit the policy.<br />
# Here we will demonstrate how to block users from accessing the Control Panel. Open the tree 'User Configuration' -> 'Administrative Templates' -> 'Control Panel'.<br />
# Double click on 'Prohibit access to the Control Panel'<br />
# Press Enabled and then press OK. Now all users under 'OU Demo' won't be able to access the Control Panel.<br />
# Make sure user demo is inside the 'OU Demo' (You can drag and drop it).<br />
# Log out and log in as user 'demo'<br />
# You'll find user demo is not able to access the Control Panel<br />
<br />
;Note: User configuration takes effect once you log out and log in again; computer configuration takes effect when you restart the computer.<br />
<br />
To learn more about managing and implementing organizational units, group policy and Active Directory, try a web search on Windows 2003 Active Directory implementation.<br />
<br />
== Installing the Group Policy Management Console ==<br />
<br />
You may also find the Group Policy Management console useful. You can<br />
download it from:<br />
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en<br />
<br />
This is primarily useful for when you have larger installs and<br />
are managing many machines. You may need to download the .NET<br />
framework first.<br />
<br />
= Joining a Windows domain controller as an additional DC in a domain =<br />
<br />
Once you have a Samba domain controller setup, you can choose to join<br />
additional domain controllers to the domain, whether they be<br />
additional Samba domain controllers, or additional Windows domain<br />
controllers.<br />
<br />
If you wish to join an additional Samba domain controller to a domain,<br />
then please see the [[Samba4/HOWTO/Join a domain as a DC|Joining a domain as a DC]] page. The instructions<br />
on that page are the same for joining Samba to a Windows domain as<br />
they are for joining Samba to an existing Samba domain.<br />
<br />
If you wish to join a new Windows domain controller to a Samba domain,<br />
then you should use the 'dcpromo' tool on the Windows machine. Please<br />
see the normal instructions for installing dcpromo on Windows, with<br />
the exception that you should not tick the 'DNS server' option box<br />
when it is offered. Right now you should either use Windows for DNS,<br />
or use Samba and bind9 for DNS. Mixing the two can work, but it is an<br />
advanced topic that is beyond the scope of this howto.<br />
<br />
= Migrating an Existing Samba3 Domain to Samba4 =<br />
<br />
It is very likely that you already have a running Samba3 domain on your network. The question is, how do you migrate that domain and all of its users and machines over to a new Samba4 based domain, without needing to move every user profile and machine to the new domain? The answer is the [[Samba4/samba-tool/domain/classicupgrade/HOWTO|samba-tool domain classicupgrade]] function.<br />
<br />
= Report your success/failure! =<br />
<br />
Samba4 as a replicating domain controller is still developing rapidly,<br />
and we like to hear from users about their successes and<br />
failures. While Samba4 is still in alpha release we would encourage<br />
you to report both your successes and failures to the samba-technical<br />
mailing list on http://lists.samba.org<br />
<br />
Please be aware that Samba4 is not complete, so you should deploy it<br />
carefully until it is ready for a non-alpha release.</div>Ekacnethttps://wiki.samba.org/index.php?title=Samba4/s3fs&diff=6519Samba4/s3fs2012-04-27T06:39:30Z<p>Ekacnet: /* Starting s3fs */</p>
<hr />
<div>=What is s3fs=<br />
s3fs is the name given to a development effort to make possible the agreed default file server configuration for Samba 4.0.<br />
<br />
It was agreed at SambaXP 2010 that Samba 4.0 would release with the smbd file server in use by default, so that users upgrading from Samba 3.x DC environments would still have access to all the features of those environments that they had come to expect.<br />
<br />
=How it is implemented=<br />
Because the smbd file server has a distinct history from the ntvfs file server that the Samba4 development project has used so far, it did not naturally use the same security subsystems and other resources common to the rest of the AD server. Indeed, at a time before the [[Franky]] effort was started, it was not even in the same GIT tree, and certainly not the same build tree.<br />
<br />
==The merged build==<br />
The merged or top level build is the [[Waf]] build system. Running ./configure and make at the top level of the source tree will build all of Samba, including the previously [[Samba3]] components. As all duplicate symbol names have been merged, renamed or otherwise dealt with, the merged build has a large number of shared libraries that the whole project builds on, particularly the IDL-generated files built using [[Pidl|PIDL]].<br />
<br />
==Common structures==<br />
Key structures describing the security, authentication and authorization state were changed to be in common. In particular, key structures like '''struct auth_session_info''' and '''struct security_token''' now describe the authentication and authorization state across the whole project.<br />
<br />
==Common subsystems==<br />
As part of the process of building s3fs, a large number of subsystems were made common, including in particular GENSEC. smbd now uses gensec for all 'blob-based' server-side authentication, in all protocols, which has made it possible to both move to a proper implementation of SPNEGO based on GSSAPI, and allowed the activated plugins to be easily switched for AD DC operation.<br />
<br />
==Plugins==<br />
With the merged build, it then becomes possible to load or link in plugins for key subsystems, to change the behaviour of the smbd file server, as required for consistency with the rest of the AD server. <br />
<br />
===auth_samba4===<br />
Perhaps the most important plugin is auth_samba4. This plugin provides 2 very important hooks.<br />
<br />
====prepare_gensec====<br />
prepare_gensec returns a '''struct gensec_security''' that is pre-initialised to use the GENSEC modules that the rest of the AD server uses, including the authentication contexts etc required to authenticate against the AD directory in [[LDBIntro|LDB]]. When the auth_samba4 module is not in use, the fallback is to the default authentication path, also expressed as a series of GENSEC modules.<br />
<br />
====make_auth4_context====<br />
make_auth4_context returns a '''struct auth4_context''' that similarly operates like the rest of the AD server, for SessionSetupAndX calls that do not use SPNEGO or NTLMSSP.<br />
<br />
===pdb_samba4===<br />
For operation of '''smbpasswd''', '''pdbedit''' and '''net sam''' tools, and to assist in the migration of Samba 3.x DC environments to Samba 4.0 AD, a passdb module was written based on pdb_ads from [[Franky]]. This module differs in that it directly calls ldb and the associated modules, allowing offline operation when the '''samba''' server process is not running. This is particularly critical for the [[Samba4/samba3upgrade/HOWTO|samba-tool domain samba3upgrade]] tool.<br />
<br />
===vfs_samba4===<br />
This module makes the ldb calls required to implement domain DFS referrals on the AD DC, and is loaded for operation on IPC$.<br />
<br />
==IDMAP==<br />
The idmap code in smbd has been modified to accept an ID mapping type of IDMAP_BOTH, representing both a uid and a gid. This will then allow a group (such as Domain Admins) to own a file as a uid, but also be a gid when expressed as group membership.<br />
<br />
==Winbind==<br />
Currently in s3fs, the winbindd implementation in use is that in the '''samba''' binary, from the Samba4 heritage. It shares the same protocol as the Samba3 [[Winbind]] in the '''winbindd''' binary, but does not implement the full protocol. It also implements a private IRPC based protocol for communication with other parts of the '''samba''' binary.<br />
<br />
==Starting s3fs==<br />
s3fs is started by the code in file_server/file_server.c, by writing a private fileserver.conf that includes a preamble of smb.conf options required for operation in this mode, and then it starts the smbd binary by fork() and exec().<br />
<br />
At provision time add this option:<br />
<pre>--use-s3fs=yes</pre><br />
<br />
For instance run:<br />
<pre> ./provision --use-s3fs=yes --domain=DEMOS3FS --realm=demos3fs.samba.corp --adminpass=P@ssw0rd</pre><br />
<br />
=Testing=<br />
<br />
s3fs is tested in the '''plugin_s4_dc''' environment in '''make test'''. More tests need to be added.<br />
<br />
=Using it=<br />
s3fs is not currently recommended for use, except where carefully configured by experienced developers or distributors in controlled environments. As we finish some more of this work, we hope to change this status soon.</div>Ekacnethttps://wiki.samba.org/index.php?title=Samba4/s3fs&diff=6518Samba4/s3fs2012-04-27T06:39:09Z<p>Ekacnet: /* Starting s3fs */</p>
<hr />
<div>=What is s3fs=<br />
s3fs is the name that has been given to a development effort to make possible the agreed default file server configuration for Samba 4.0<br />
<br />
It was agreed at SambaXP 2010 that Samba 4.0 would release with the smbd file server in use by default, so that users upgrading from Samba 3.x DC environments would still have access to all the features of those environment that they had come to expect. <br />
<br />
=How it is implemented=<br />
Because the smbd file server has a distinct history from the ntvfs file server that the Samba4 development project has used so far, it did not natrually use the same security subsystems and other resources common the the rest of the AD server. Indeed, at a time before the [[Franky]] effort was started, it was not even in the same GIT tree, and certainly not the same build tree.<br />
<br />
==The merged build==<br />
The merged or top level build is the [[Waf]] build system. Running ./configure and make at the top level of the source tree will build all of Samba, including the previously [[Samba3]] components. As all duplicate symbol names have been merged, renamed or otherwise dealt with, the merged build has a large number of shared libraries that the whole project builds on, particuarly the IDL genreated file built using [[Pidl|PIDL]].<br />
<br />
==Common structures==<br />
Key structures describing the security, authentication and authorization state were changed to be in common. In particuar, key structures like '''struct auth_session_info''' and '''struct security_token''' now describe the authentication and authorization state across the whole project.<br />
<br />
==Common subsystems==<br />
As part of the process of building s3fs, a large number of subsystems were made common, including in particular GENSEC. smbd now uses gensec for all 'blob-based' server-side authentication, in all protocols, which has made it possible to both move to a proper implementation of SPNEGO based on GSSAPI, and allowed the activated plugins to be easily switched for AD DC operation.<br />
<br />
==Plugins==<br />
With the merged build, it then becomes possible to load or link in plugins for key subsystems, to change the behaviour of the smbd file server, as required for consistency with the rest of the AD server. <br />
<br />
===auth_samba4===<br />
perhaps the most key plugin in auth_samba4. This plugin provides 2 very important hooks. <br />
<br />
====prepare_gensec====<br />
prepare_gensec returns a '''struct gensec_security''' that is pre-initialised to use the GENSEC modules that the rest of the AD server uses, including the authentication contexts etc required to authenticate against the AD directory in [[LDBIntro|LDB]]. When the auth_samba4 module is not in use, the fallback is to the default authentication path, also expressed as a series of GENSEC modules.<br />
<br />
====make_auth4_context====<br />
make_auth4_context returns a '''struct auth4_context''' that similarly operates like the rest of the AD server, for SessionSetupAndX calls that do not use SPNEGO or NTLMSSP.<br />
<br />
===pdb_samba4===<br />
For operation of '''smbpasswd''', '''pdbedit''' and '''net sam''' tools, and to assist in the migration of Samba 3.x DC environments to Samba 4.0 AD, a passdb module was written based on pdb_ads from [[Franky]]. This module differs in that it directly calls ldb and the associated modules, allowing offline operation when the '''samba''' server process is not running. This is particularly critical for the [[Samba4/samba3upgrade/HOWTO|samba-tool domain samba3upgrade]] tool.<br />
<br />
===vfs_samba4===<br />
This module makes the ldb calls required to implement domain DFS referrals on the AD DC, and is loaded for operation on IPC$.<br />
<br />
==IDMAP==<br />
The idmap code in smbd has been modified to accept an ID mapping type of IDMAP_BOTH, representing both a uid and a gid. This allows a group (such as Domain Admins) to own a file as a uid, but also to act as a gid when expressed as group membership.<br />
<br />
==Winbind==<br />
Currently in s3fs, the winbindd implementation in use is the one in the '''samba''' binary, from the Samba4 heritage. It shares the same protocol as the Samba3 [[Winbind]] in the '''winbindd''' binary, but does not implement the full protocol. It also implements a private IRPC based protocol for communication with other parts of the '''samba''' binary.<br />
<br />
==Starting s3fs==<br />
s3fs is started by the code in file_server/file_server.c, which writes a private fileserver.conf containing a preamble of smb.conf options required for operation in this mode, and then starts the smbd binary with fork() and exec().<br />
<br />
At provision time add this option:<br />
<pre>--use-s3fs=yes</pre><br />
<br />
For instance run:<br />
<pre> ./provision --use-s3fs=yes --domain=DEMOS3FS --realm=demos3fs.samba.corp --adminpass=P@ssw0rd</pre><br />
<br />
=Testing=<br />
<br />
s3fs is tested in the '''plugin_s4_dc''' environment in '''make test'''. More tests need to be added.<br />
<br />
=Using it=<br />
s3fs is not currently recommended for use, except where carefully configured by experienced developers or distributors in controlled environments. As we finish some more of this work, we hope to change this status soon.</div>Ekacnethttps://wiki.samba.org/index.php?title=Samba_AD_schema_extensions&diff=6506Samba AD schema extensions2012-04-17T17:00:21Z<p>Ekacnet: /* Automounter */</p>
<hr />
<div>= Schema extension in Samba 4 =<br />
<br />
Samba 4 supports the same kind of schema extensions as Microsoft Active Directory. Generally speaking, a schema update in AD is a sensitive action and you must be prepared to restore the DC holding the schema master role if something goes wrong.<br />
<br />
This is even more true in Samba 4, which does not always generate some critical attributes that Microsoft AD generates; a missing attribute can leave the Samba provision unable to start.<br />
That's why currently schema updates in Samba 4 are disabled by default.<br />
<br />
In order to allow them, the option ''dsdb:schema update allowed'' has to be set to true in the ''smb.conf'' or passed on the command line.<br />
<br />
== Tested Schema extensions ==<br />
Because producing an LDIF that does not ruin the provision can be hard, the rest of this page lists LDIFs that are known not to break the database.<br />
Perform those updates only if you need them and if '''you know how to restore the provision on the schema master'''.<br />
<br />
=== Automounter ===<br />
<br />
This extension allows you to store automount maps in LDAP. To add it, follow these steps:<br />
<br />
* Download [[File:Automount_template.ldif.txt|automount_template.ldif.txt]], this is a template that will be transformed in the next steps<br />
* Locate the rootDN of your provision: ''ldbsearch -H ldap://ip_of_server -U administrator -s base dn''<br />
* Run ''cat automount_template.ldif | sed 's/DOMAIN_TOP_DN/value_of_rootDN_obtained_in_previous_step/' > automount.ldif ''<br />
* Stop Samba4 on the schema master<br />
* Copy ''automount.ldif'' to the schema master server (if you were working on a different server)<br />
* Apply the ldif with a command similar to: ''ldbmodify -H path_to_sam_ldb automount.ldif --option="dsdb:schema update allowed"=true''</div>Ekacnethttps://wiki.samba.org/index.php?title=Main_Page&diff=6505Main Page2012-04-17T16:59:52Z<p>Ekacnet: /* Samba4 */</p>
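The Automounter procedure above, collected into one script. This is an added example and not code from the Samba wiki or the Samba project: it keeps the page's tool names and flags (ldbsearch, ldbmodify, the dsdb:schema update allowed override) and adds the checks the page implies but does not spell out: reading the base DN from the standard rootDSE attribute defaultNamingContext instead of the bare ldbsearch step, refusing to apply an LDIF that still carries the DOMAIN_TOP_DN placeholder or whose dn: lines point outside the base DN, copying the private directory aside first, and refusing to run while a samba process is alive. The sam.ldb location, the backup directory name and the sample LDIF used to exercise the checks are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Samba wiki page: the Automounter schema
# extension procedure as one script. ldbsearch/ldbmodify and the
# "dsdb:schema update allowed" override are the page's own; the rootDSE
# lookup, the LDIF checks, the backup and the running-samba guard are added.

# Read the base DN from the rootDSE of the DC. defaultNamingContext is a
# standard AD rootDSE attribute; -U administrator will prompt for a password.
find_base_dn() {
    server="$1"
    ldbsearch -H "ldap://${server}" -U administrator -s base -b '' defaultNamingContext \
        | sed -n 's/^defaultNamingContext: //p'
}

# Render the template: every DOMAIN_TOP_DN becomes the real base DN.
# DNs contain commas and '=' but never '|', so '|' is a safe sed delimiter.
render_ldif() {
    template="$1"
    base_dn="$2"
    sed "s|DOMAIN_TOP_DN|${base_dn}|g" "$template"
}

# Refuse an LDIF that still carries the placeholder, has no dn: lines at all,
# or whose dn: lines do not end in the expected base DN. Schema objects live
# under CN=Schema,CN=Configuration,<base DN>; anything else would land outside
# the schema partition, which is exactly how a provision gets broken.
check_ldif() {
    ldif="$1"
    base_dn="$2"
    if grep -q 'DOMAIN_TOP_DN' "$ldif"; then
        echo "check_ldif: placeholder still present in $ldif" >&2
        return 1
    fi
    if ! grep -q '^dn:' "$ldif"; then
        echo "check_ldif: no dn: lines in $ldif" >&2
        return 1
    fi
    if grep '^dn:' "$ldif" | grep -v "${base_dn}\$" >/dev/null; then
        echo "check_ldif: a dn: line does not end in $base_dn" >&2
        return 1
    fi
    return 0
}

# Copy the private directory (sam.ldb plus its partitions under sam.ldb.d/)
# so the schema master can be restored if the update goes wrong.
backup_private_dir() {
    private_dir="$1"
    backup_dir="$2"
    if [ -e "$backup_dir" ]; then
        echo "backup_private_dir: $backup_dir already exists" >&2
        return 1
    fi
    cp -a "$private_dir" "$backup_dir"
}

# Apply the LDIF directly to sam.ldb. The page says to stop Samba on the
# schema master first; this guard enforces it (assumes pgrep is available).
apply_schema_ldif() {
    sam_ldb="$1"
    ldif="$2"
    if pgrep -x samba >/dev/null 2>&1; then
        echo "apply_schema_ldif: stop samba on the schema master first" >&2
        return 1
    fi
    ldbmodify -H "$sam_ldb" "$ldif" --option="dsdb:schema update allowed"=true
}

# Usage: sh automount_schema.sh DC_IP automount_template.ldif /path/to/private/sam.ldb
# The end-to-end procedure only runs when all three arguments are supplied.
if [ "$#" -eq 3 ]; then
    dc="$1"; template="$2"; sam_ldb="$3"
    base_dn=$(find_base_dn "$dc") || exit 1
    [ -n "$base_dn" ] || { echo "could not determine the base DN" >&2; exit 1; }
    render_ldif "$template" "$base_dn" > automount.ldif
    check_ldif automount.ldif "$base_dn" || exit 1
    backup_private_dir "$(dirname "$sam_ldb")" "private-backup-$(date +%Y%m%d%H%M%S)" || exit 1
    apply_schema_ldif "$sam_ldb" automount.ldif
fi
```

Run it on the schema master itself, as root, with Samba stopped; the base DN lookup still needs a running DC, so take the DN from another DC or run the lookup before stopping the service.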
<hr />
<div>'''Opening Windows to a Wider World'''<br />
<br />
Samba is an [http://www.opensource.org Open Source] / [http://www.gnu.org/philosophy/free-sw.html Free Software] suite that has, [http://www.samba.org/samba/docs/10years.html since 1992], provided file and print services to all manner of SMB/CIFS clients, including the numerous versions of Microsoft Windows operating systems. Samba is freely available under the [http://www.samba.org/samba/docs/GPL.html GNU General Public License].<br />
<br />
The Samba project is a member of the [http://conservancy.softwarefreedom.org/ Software Freedom Conservancy].<br />
<br />
== Samba Wiki for Developers ==<br />
<br />
Internal design docs, API descriptions, TODOs, etc. for '''developers'''.<br />
<br />
===[[Contribute|How can I contribute?]]===<br />
<br />
A short [[Contribute|introduction]] for people who would like to help the Samba project.<br />
<br />
*[[Using Git for Samba Development]]<br />
<br />
*[[CodeReview|Doing code review]]<br />
<br />
===[[SoC|Summer of Code 2011]]===<br />
<br />
Samba is once again applying for a spot on Google's [http://www.google-melange.com Summer of Code]. You can find out more on the [[SoC]] page. There, you will also find the project ideas the team would propose.<br />
<br />
===[[Samba3]]===<br />
<br />
*[[Samba3#Samba_3_Roadmap|Samba3 Roadmap]]<br />
*[[Windows7|Samba3 & Windows 7]]<br />
*[[Samba3 Release Planning]]<br />
*[[Branch Policy|Policy on checkins to branches]]<br />
*[[Clustered Samba]]<br />
*[[UNIX Extensions]]<br />
*[[Bugzilla Day]]<br />
<br />
===[[Franky]]===<br />
<br />
*[[Franky|Franky - A Samba 3/4 AD Domain Controller]]<br />
<br />
===[[Samba4]]===<br />
<br />
*[[Samba4/FAQ|FAQ]]<br />
*[[Samba4/HOWTO|HOWTO]]<br />
*[[Samba4/DRS TODO List]]<br />
*[[Samba4/Schema extenstions|Schema extensions]]<br />
*[[combined build issues]]<br />
<br />
===[[Samba Clustering (CTDB) Project]]===<br />
<br />
*[[CTDB_Project|CTDB Project]]<br />
<br />
===Decrypt Encrypted sessions with wireshark===<br />
*[[Keytab_Extraction|Keytab Extraction]]<br />
*[[Wireshark_Keytab|Using Wireshark with a keytab]]<br />
<br />
===[[ActiveProjects]]===<br />
<br />
*[[ActiveProjects| Active development projects]]<br />
<br />
===[[Testing against Windows]]===<br />
<br />
*[[WinTest| Using wintest]]<br />
<br />
== '''Samba Wiki for Users''' ==<br />
<br />
Please contribute to the wiki: it is the place for material that is useful but not required or universally necessary in the official Samba documentation.<br />
<br />
===[[:Category:Category Configuration|Configuration]]===<br />
<br />
*[[Event Logging]]<br />
*[[Samba as a print server]]<br />
*[[Multiple Server Instances]]<br />
*[[Shadow Copies with Snapshots]]<br />
*[[Replicated Failover Domain Controller and file server using LDAP]]<br />
<br />
===[[:Category:Category Documentation|Documentation]]===<br />
<br />
*[[Samba Features added/changed (by release)]]<br />
*[[Documentation Links]]<br />
*[[Event Logging]]<br />
<br />
===[[:Category:Category FAQ|FAQ]]===<br />
<br />
*[[Frequently Asked Questions]]<br />
*[[Samba Myths]]<br />
*[[Samba Troubleshooting]]<br />
<br />
===[[:Category:Category HowTos|HowTos]]===<br />
<br />
*[[Feature Specific HOWTOs]]<br />
*[[Logon scripting]]<br />
*[[Samba & Windows Profiles]]<br />
*[[Samba and Windows Policies]]<br />
*[[Software deployment on Samba]]<br />
*[[Mounting samba shares from a unix client]]<br />
*[[Capture Packets]]<br />
*[[Bug Reporting]]<br />
*[[testing development trees]]<br />
*[[Debugging individual tests]]<br />
*[[Linux Performance]]<br />
<br />
===[[:Category:Category Installation|Installation]]===<br />
<br />
*[[Distribution Specific Pages]]<br />
<br />
===[[:Category:Category Integration|Integration]]===<br />
<br />
*[[Exchange Server Alternatives]]<br />
*[[Samba & LDAP]]<br />
*[[Samba & Kerberos]]<br />
*[[Samba & Active Directory]]<br />
*[[Samba & Clustering]]<br />
<br />
===[[:Category:Category Tools|Tools]]===<br />
<br />
*[[Account Management Tools]]<br />
*[[Migration Tools]]<br />
<br />
===[[:Category:Category Links to Pages in other Languages|Links to Pages in other Languages]]===<br />
<br />
*[[ SambaHK ]]<br />
<br />
== Miscellaneous Information ==<br />
<br />
*[[OpenOffice Slide Templates]]</div>Ekacnethttps://wiki.samba.org/index.php?title=Samba_AD_schema_extensions&diff=6471Samba AD schema extensions2012-03-30T08:21:01Z<p>Ekacnet: </p>
<hr />
<div>= Schema extension in Samba 4 =<br />
<br />
Samba 4 supports the same kind of schema extensions as Microsoft Active Directory. Generally speaking, a schema update in AD is a sensitive action and you must be prepared to restore the DC holding the schema master role if something goes wrong.<br />
<br />
This is even more true in Samba 4, which does not always generate some critical attributes that Microsoft AD generates; a missing attribute can leave the Samba provision unable to start.<br />
That's why currently schema updates in Samba 4 are disabled by default.<br />
<br />
In order to allow them, the option ''dsdb:schema update allowed'' has to be set to true in the ''smb.conf'' or passed on the command line.<br />
<br />
== Tested Schema extensions ==<br />
Because producing an LDIF that does not ruin the provision can be hard, the rest of this page lists LDIFs that are known not to break the database.<br />
Perform those updates only if you need them and if '''you know how to restore the provision on the schema master'''.<br />
<br />
=== Automounter ===<br />
<br />
This extension allows you to store automount maps in LDAP. To add it, follow these steps:<br />
<br />
* Download [[File:Automount_template.ldif.txt|automount_template.ldif.txt]], this is a template that will be transformed in the next steps<br />
* Locate the rootDN of your provision: ''ldbsearch -H ldap://ip_of_server -U administrator -s base dn''<br />
* Run ''cat automount_template.ldif | sed 's/DOMAIN_TOP_DN/value_of_rootDN_obtained_in_previous_step/' > automount.ldif ''<br />
* Stop Samba4 on the schema master<br />
* Copy ''automount.ldif'' to the schema master server (if you were working on a different server)<br />
* Apply the ldif with a command similar to: ''ldbmodify -H path_to_sam_ldb automount.ldif --option="dsdb:schema update allowed"=true --noautocommit''</div>Ekacnethttps://wiki.samba.org/index.php?title=File:Automount_template.ldif.txt&diff=6470File:Automount template.ldif.txt2012-03-30T08:09:10Z<p>Ekacnet: </p>
<hr />
<div></div>Ekacnethttps://wiki.samba.org/index.php?title=Samba_AD_schema_extensions&diff=6469Samba AD schema extensions2012-03-30T08:07:22Z<p>Ekacnet: </p>
<hr />
<div>= Schema extension in Samba 4 =<br />
<br />
Samba 4 supports the same kind of schema extensions as Microsoft Active Directory. Generally speaking, a schema update in AD is a sensitive action and you must be prepared to restore the DC holding the schema master role if something goes wrong.<br />
<br />
This is even more true in Samba 4, which does not always generate some critical attributes that Microsoft AD generates; a missing attribute can leave the Samba provision unable to start.<br />
That's why currently schema updates in Samba 4 are disabled by default.<br />
<br />
In order to allow them, the option ''dsdb:schema update allowed'' has to be set to true in the ''smb.conf'' or passed on the command line.<br />
<br />
== Tested Schema extension ==<br />
Because producing an LDIF that does not ruin the provision can be hard, the rest of this page lists LDIFs that are known not to break the database.<br />
<br />
<br />
=== Automounter ===<br />
<br />
cat automount_template.ldif | sed 's/DOMAIN_TOP_DN/DC=s4,DC=samba,DC=home,DC=matws,DC=net/'</div>Ekacnethttps://wiki.samba.org/index.php?title=Samba_AD_schema_extensions&diff=6468Samba AD schema extensions2012-03-30T07:56:29Z<p>Ekacnet: </p>
<hr />
<div>= Schema extension in Samba 4 =<br />
<br />
Samba 4 supports the same kind of schema extensions as Microsoft Active Directory. Generally speaking, a schema update in AD is a sensitive action and you must be prepared to restore the DC holding the schema master role if something goes wrong.<br />
<br />
This is even more true in Samba 4, which does not always generate some critical attributes that Microsoft AD generates; a missing attribute can leave the Samba provision unable to start.<br />
That's why currently schema updates in Samba 4 are disabled by default.<br />
<br />
In order to allow them, the option ''dsdb:schema update allowed'' has to be set to true in the ''smb.conf'' or passed on the command line.<br />
<br />
<br />
<br />
cat automount_template.ldif | sed 's/DOMAIN_TOP_DN/DC=s4,DC=samba,DC=home,DC=matws,DC=net/'</div>Ekacnethttps://wiki.samba.org/index.php?title=Samba_AD_schema_extensions&diff=6467Samba AD schema extensions2012-03-30T07:44:00Z<p>Ekacnet: Created page with " == Schema extension in Samba 4 == cat automount_template.ldif | sed 's/DOMAIN_TOP_DN/DC=s4,DC=samba,DC=home,DC=matws,DC=net/'"</p>
<hr />
<div><br />
== Schema extension in Samba 4 ==<br />
<br />
cat automount_template.ldif | sed 's/DOMAIN_TOP_DN/DC=s4,DC=samba,DC=home,DC=matws,DC=net/'</div>Ekacnethttps://wiki.samba.org/index.php?title=Main_Page&diff=6466Main Page2012-03-30T07:42:55Z<p>Ekacnet: /* Samba4 */</p>
<hr />
<div>'''Opening Windows to a Wider World'''<br />
<br />
Samba is an [http://www.opensource.org Open Source] / [http://www.gnu.org/philosophy/free-sw.html Free Software] suite that has, [http://www.samba.org/samba/docs/10years.html since 1992], provided file and print services to all manner of SMB/CIFS clients, including the numerous versions of Microsoft Windows operating systems. Samba is freely available under the [http://www.samba.org/samba/docs/GPL.html GNU General Public License].<br />
<br />
The Samba project is a member of the [http://conservancy.softwarefreedom.org/ Software Freedom Conservancy].<br />
<br />
== Samba Wiki for Developers ==<br />
<br />
Internal design docs, API descriptions, TODOs, etc. for '''developers'''.<br />
<br />
===[[Contribute|How can I contribute?]]===<br />
<br />
A short [[Contribute|introduction]] for people who would like to help the Samba project.<br />
<br />
*[[Using Git for Samba Development]]<br />
<br />
*[[CodeReview|Doing code review]]<br />
<br />
===[[SoC|Summer of Code 2011]]===<br />
<br />
Samba is once again applying for a spot on Google's [http://www.google-melange.com Summer of Code]. You can find out more on the [[SoC]] page. There, you will also find the project ideas the team would propose.<br />
<br />
===[[Samba3]]===<br />
<br />
*[[Samba3#Samba_3_Roadmap|Samba3 Roadmap]]<br />
*[[Windows7|Samba3 & Windows 7]]<br />
*[[Samba3 Release Planning]]<br />
*[[Branch Policy|Policy on checkins to branches]]<br />
*[[Clustered Samba]]<br />
*[[UNIX Extensions]]<br />
*[[Bugzilla Day]]<br />
<br />
===[[Franky]]===<br />
<br />
*[[Franky|Franky - A Samba 3/4 AD Domain Controller]]<br />
<br />
===[[Samba4]]===<br />
<br />
*[[Samba4/FAQ|FAQ]]<br />
*[[Samba4/HOWTO|HOWTO]]<br />
*[[Samba4/DRS TODO List]]<br />
*[[Samba4/Schema extenstions]]<br />
*[[combined build issues]]<br />
<br />
===[[Samba Clustering (CTDB) Project]]===<br />
<br />
*[[CTDB_Project|CTDB Project]]<br />
<br />
===Decrypt Encrypted sessions with wireshark===<br />
*[[Keytab_Extraction|Keytab Extraction]]<br />
*[[Wireshark_Keytab|Using Wireshark with a keytab]]<br />
<br />
===[[ActiveProjects]]===<br />
<br />
*[[ActiveProjects| Active development projects]]<br />
<br />
===[[Testing against Windows]]===<br />
<br />
*[[WinTest| Using wintest]]<br />
<br />
== '''Samba Wiki for Users''' ==<br />
<br />
Please contribute to the wiki: it is the place for material that is useful but not required or universally necessary in the official Samba documentation.<br />
<br />
===[[:Category:Category Configuration|Configuration]]===<br />
<br />
*[[Event Logging]]<br />
*[[Samba as a print server]]<br />
*[[Multiple Server Instances]]<br />
*[[Shadow Copies with Snapshots]]<br />
*[[Replicated Failover Domain Controller and file server using LDAP]]<br />
<br />
===[[:Category:Category Documentation|Documentation]]===<br />
<br />
*[[Samba Features added/changed (by release)]]<br />
*[[Documentation Links]]<br />
*[[Event Logging]]<br />
<br />
===[[:Category:Category FAQ|FAQ]]===<br />
<br />
*[[Frequently Asked Questions]]<br />
*[[Samba Myths]]<br />
*[[Samba Troubleshooting]]<br />
<br />
===[[:Category:Category HowTos|HowTos]]===<br />
<br />
*[[Feature Specific HOWTOs]]<br />
*[[Logon scripting]]<br />
*[[Samba & Windows Profiles]]<br />
*[[Samba and Windows Policies]]<br />
*[[Software deployment on Samba]]<br />
*[[Mounting samba shares from a unix client]]<br />
*[[Capture Packets]]<br />
*[[Bug Reporting]]<br />
*[[testing development trees]]<br />
*[[Debugging individual tests]]<br />
*[[Linux Performance]]<br />
<br />
===[[:Category:Category Installation|Installation]]===<br />
<br />
*[[Distribution Specific Pages]]<br />
<br />
===[[:Category:Category Integration|Integration]]===<br />
<br />
*[[Exchange Server Alternatives]]<br />
*[[Samba & LDAP]]<br />
*[[Samba & Kerberos]]<br />
*[[Samba & Active Directory]]<br />
*[[Samba & Clustering]]<br />
<br />
===[[:Category:Category Tools|Tools]]===<br />
<br />
*[[Account Management Tools]]<br />
*[[Migration Tools]]<br />
<br />
===[[:Category:Category Links to Pages in other Languages|Links to Pages in other Languages]]===<br />
<br />
*[[ SambaHK ]]<br />
<br />
== Miscellaneous Information ==<br />
<br />
*[[OpenOffice Slide Templates]]</div>Ekacnethttps://wiki.samba.org/index.php?title=SoC/Ideas&diff=6447SoC/Ideas2012-03-17T08:00:26Z<p>Ekacnet: /* Implement server side GPO in Samba4 */</p>
<hr />
<div>= Google Summer of Code: Suggested Project ideas =<br />
<br />
The following are the Samba project ideas for Summer of Code.<br />
Of course you are free to come up with ideas not listed here.<br />
Please discuss your planned project by either joining us on irc://irc.freenode.net/#samba-technical or <br />
by sending email to samba-technical@samba.org<br />
<br />
Most of our projects will require C programming skills, but the Samba4 section has a couple of Python projects.<br />
<br />
==Samba 3==<br />
<br />
===Implement a ncurses based registry editor===<br />
<br />
Samba obviously has a registry, but there are currently only two ways to access<br />
it in a readable form. One is the 'net' command, which can enumerate it and also<br />
modify entries. The other is using regedit on a Windows machine and connecting<br />
over the remote registry protocol.<br />
We would like to have an ncurses based registry editor for Samba. It should be able to<br />
access the local registry directly and also a registry over the RPC protocol remotely.<br />
<br />
Details:<br />
You would implement a registry editor which supports plugins implementing the different<br />
ways to access a registry. The first plugin would use reg_api, the Samba3<br />
internal registry API, and the second plugin would use the winreg RPC API to access<br />
remote hosts.<br />
<br />
*Difficulty: Medium<br />
*Language(s): C<br />
*Possible Mentors: [[Obnox|Michael Adam]] and [[User:GlaDiaC|Andreas Schneider]]<br />
<br />
==Samba 4==<br />
<br />
Some additional possible GSoC topics can be found in Bugzilla in the form of bugs which are marked as "Feature request": [https://bugzilla.samba.org/buglist.cgi?query_format=advanced&short_desc=Feature%20request&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&short_desc_type=allwordssubstr&product=Samba%204.0 here]. Questions regarding complexity and requirements should be directed to the technical mailing list.<br />
<br />
===Admin Utilities===<br />
<br />
We still need a few more Samba4-specific administration utilities to make Samba4 useful in real life. A Summer of Code student would be expected to do a number of these (identifying new needs from deployments), but here are some suggestions:<br />
<br />
===Setup / provision GUI for Samba (and OpenChange)===<br />
<br />
Setting up Samba and OpenChange currently requires running quite a lot of command line utilities. It should be easy for even a junior system administrator to set up Samba as a Domain Controller, RODC and general server.<br />
<br />
The windows equivalent tool is dcpromo.exe, and while you may not want/need to copy it directly, it does provide a reasonable basis for establishing what this tool should be able to provide (in terms of outcomes).<br />
<br />
Some initial work (using PyQt4) is available at http://gitorious.org/samba-openchange-gui-tools/samba-openchange-gui-setup but working with that is not essential to this task.<br />
<br />
*Difficulty: Easy<br />
*Language(s): Python<br />
*Possible mentors: Brad Hards, probably others.<br />
<br />
===Windows Search Protocol WSP client library and torture tests===<br />
<br />
The Windows Search Protocol WSP is used to implement remote full filesystem<br />
indexing (indexed search) between windows machines. We would like to<br />
support this functionality in Samba, interfacing with existing<br />
indexing tools on Unix systems (such as beagle).<br />
<br />
This is a new protocol based on SMB named pipes<br />
\pipe\ci_skads or \pipe\MSFTEWDS.<br />
See http://msdn2.microsoft.com/en-us/library/cc216195.aspx.<br />
<br />
The student should write a (un)marshalling library<br />
to push and pull PDUs and an async client library<br />
on top of the samba4 raw smb client library.<br />
<br />
The student should write sub tests for smbtorture<br />
which demonstrate how the protocol works against<br />
a Windows server.<br />
<br />
The student doesn't have to implement the samba4 server code. <br />
<br />
*Difficulty: Hard<br />
*Language(s): C, (Python?)<br />
*Possible Mentors: Tridge<br />
<br />
===Browsing support in Samba 4===<br />
Samba 4 still needs support for mailslots in general and in particular for the BROWSE mailslot. Should come with tests. Documentation of the BROWSER protocol is available here:<br />
http://msdn.microsoft.com/en-us/library/cc201609(PROT.10).aspx<br />
http://ubiqx.org/cifs/Browsing.html<br />
<br />
*Difficulty: Hard<br />
*Language(s): C<br />
*Possible mentors: [[JelmerVernooij]], Stefan Metzmacher<br />
<br />
===Make samba 4 DC Group Policies (GPO) aware===<br />
Currently the Samba 4 DC is able to serve GPOs to clients, and they are mostly able to act according to the content of those GPOs.<br />
But even when a GPO concerns AD DCs, Samba 4 ignores it, although some parameters are meaningful in a Samba 4 context (i.e. password length, password lifetime, ...).<br />
To work around this limitation there are currently a couple of scripts that allow setting them, but it's a suboptimal experience.<br />
<br />
The goal of this project is to make Samba 4 periodically check whether there is a GPO that applies to it, check whether any parameters of that GPO are meaningful for Samba (as a counter-example, a GPO which defines the desktop background colour on DCs is not meaningful for Samba 4) and, if so, alter its parameters accordingly.<br />
More details can be found in [http://lists.samba.org/archive/samba-technical/2010-April/070296.html Matthieu's samba-technical email].<br />
<br />
*Difficulty: Easy, Medium<br />
*Language(s): C, Python<br />
*Possible mentors: Matthieu Patou<br />
<br />
===Implement login / logout related counter update===<br />
For the moment the attributes related to login and logout are not <br />
updated by Samba4.<br />
The goal of this project is to understand in which cases Windows updates <br />
the counters (i.e. most probably during interactive logon, but maybe also <br />
with some netlogon calls?) and to implement counter and timestamp <br />
updates in the Samba code so that this information is available.<br />
This project of course includes the development of unit tests.<br />
<br />
*Difficulty: Easy<br />
*Language(s): C<br />
*Possible mentors: Andrew Bartlett<br />
<br />
==Linux Kernel CIFS/SMB2 client improvements==<br />
Interested students should contact Steve French or Jeff Layton and discuss possible improvements to the Linux Kernel CIFS VFS client. Here are some ideas to get you started:<br />
<br />
=== SMB2 protocol improvements ===<br />
*The SMB2 protocol (follow-on to CIFS) adds many useful performance enhancements and new features. The Linux kernel implementation is still experimental and is missing key features, including SMB2.1 dialect support (items such as lease keys), and lacks a useful credit request algorithm (which the Samba server only recently added for the server side). Various performance optimizations (including support for very large reads and writes and dispatch of more requests in parallel) are also possible.<br />
* Language: C<br />
* Difficulty: Varies, Medium to Hard<br />
* Possible Mentors: Steve French<br />
<br />
=== Support for SELinux ===<br />
* MAC (mandatory access control) security label support is important for virtualization and useful for improving the security of some workloads. Support for setting/getting these labels over the wire was investigated in the NFS version 4 workgroup. Adding support to the CIFS Unix Extensions (Linux kernel client and Samba server) should be possible, especially if this is just a new class of extended attribute. The goal would be to support this feature of SELinux to allow KVM and other applications to take advantage of security labels. Some of the background requirements are loosely related to the (nfs equivalent of) what is mentioned in: http://tools.ietf.org/html/draft-quigley-nfsv4-sec-label-01<br />
* Language: C<br />
* Difficulty: Hard<br />
* Possible Mentors: Steve French<br />
<br />
===Create GUI or command-line tools for displaying /proc/fs/cifs statistics and mount/session status===<br />
* might also involve some cleanup of the in-kernel stats / status output<br />
* Language: some C (for kernel code), something else for GUI?<br />
* Difficulty: Easy<br />
* Possible Mentors: Steve French<br />
<br />
===Create a common uid mapping mechanism for Linux nfs and cifs vfs clients===<br />
* or maybe just figure out a way to hook cifs up to rpc.idmapd<br />
* add a way for the client to remap the uids returned by the server to uids which would be valid on the client (or to a default if such uid does not exist).<br />
* This is helpful especially when the server supports the CIFS Unix Extensions and has different uids and gids mapping than the client<br />
* Difficulty: Hard<br />
* Possible Mentors: Steve French<br />
<br />
===VFS change notification support===<br />
* add VFS support for calling into the filesystem when setting up notifications<br />
* add code to cifs/smb2 to set up and deal with notifications from the server in response to inotify/dnotify calls<br />
* Difficulty: Hard<br />
* Possible Mentors: Steve French<br />
<br />
===Support for retrieving snapshots, encrypted files, or compressed files from Windows===<br />
* Difficulty: Medium<br />
* Possible Mentors: Steve French<br />
<br />
===cifs->Samba automated test facility===<br />
* Do build verification similar to what we can now do with the Samba server and tools in the Samba build farm. Mounts from the Linux SMB2 and CIFS kernel clients could be tested with posix file i/o tests which might include modified versions of the "connectathon" and xfstest test suites and others. The goal is to quickly identify problems with newly integrated patches.<br />
* Difficulty: Hard<br />
* Possible Mentors: Steve French<br />
<br />
===Other Random Ideas===<br />
* Ideas aren't limited to these, feel free to propose something else:<br />
** Create a GUI for creating and managing Linux cifs mounts, and more easily configuring the many complex cifs mount options, statistics (/proc/fs/cifs)<br />
** Support for alternate transport protocols (other than TCP sockets). Adding support for SCTP to cifs/smb2 kernel clients and Samba server or perhaps more interesting add support for Linux's "virtio" transport to the cifs/smb2 kernel clients and Samba server (to allow optimized mounts and zero-copy transfer of data from virtualized guests to hosts on the same box)<br />
** Support for features (such as directory delegations) which NFS version 4.1 has but which current CIFS even with the most current CIFS->Samba protocol extensions (CIFS Unix Extensions) do not have -- will probably need server support too.<br />
** Add additional library support or modify Samba client libraries so they can use existing kernel cifs functions (such as sending SMBs on negotiated sessions when the kernel client already has a session to the server). With the addition of library to access cifs's pipe (in kernel), Samba client libraries or other dce/rpc code could use cifs kernel sessions for management of and over cifs mounts.<br />
** Add libraries and utilities to manage acls (cifs kernel client has an extended attribute for setting/getting "raw" cifs acls but userspace posix acl tools obviously can't be used to manage cifs specific acl features).<br />
*Difficulty: Varies<br />
*Language(s): C<br />
*Possible mentors: Steve French<br />
<br />
==Build Farm==<br />
<br />
The [http://build.samba.org/ Build Farm] is a set of machines with different configurations that regularly rebuild the latest snapshots of Samba and other projects on different platforms, to catch portability issues. It has a web interface and sends out emails.<br />
<br />
===Improve Build Farm look and Feel===<br />
Samba's [http://build.samba.org build farm] still hasn't adopted the new Samba graphical charter, and its look and feel is not very good.<br />
With this submission we propose to address this with the following objectives:<br />
<br />
*Main ideas:<br />
** Adopt the new samba style <br />
** Improve reporting (i.e. show which builds fail and which succeed, daily emails, ...)<br />
** Make test errors quickly accessible; in this [http://build.samba.org/build.cgi/build/d72e624c4a62a62e8d34b0c54efc2a97c0493aa9 example], the user has to scroll a long way before reaching the errors<br />
** Add the capacity to manage flaky tests and reduce email alerts (i.e. require 2 consecutive builds with the same flaky test to trigger a real error)<br />
** Improve page loading speed (ajax ?)<br />
*Difficulty: Easy to Medium<br />
*Language(s): HTML, CSS, Python<br />
*Possible mentors: Matthieu Patou, [[JelmerVernooij]]<br />
<br />
== Samba GTK+ ==<br />
<br />
[[Samba-GTK|Samba-GTK]] is a set of GTK+ frontends for Samba written in Python.<br />
<br />
===Extension of the GTK+ frontends=== <br />
<br />
There are a couple of GTK+ frontends for Samba4 (see [[SambaGtk]]). These are very limited at the moment but you could work on expanding them and further integrating them with GNOME. Language: C or Python<br />
<br />
*Difficulty: Easy<br />
*Language(s): Python, perhaps C<br />
*Possible mentors: [[JelmerVernooij]]<br />
<br />
=== Port to GTK3 ===<br />
<br />
*Difficulty: Easy<br />
*Language(s): Python<br />
*Possible mentors: [[JelmerVernooij]]</div>Ekacnethttps://wiki.samba.org/index.php?title=Keytab_Extraction&diff=6341Keytab Extraction2012-01-20T17:32:56Z<p>Ekacnet: </p>
<hr />
<div>Once you have [[Capture Packets|captured packets]] you can use Wireshark to analyze them. In many cases the traffic must be decrypted before an exchange can be analyzed correctly.<br />
<br />
== How to extract a keytab containing your domain's passwords ==<br />
There are two ways to obtain a keytab from an Active Directory domain with Samba:<br />
<br />
=== Using Samba4 ===<br />
<br />
To use Samba4 for this, it needs to be a domain controller for your domain. If it is not already one, see [[Samba4/HOWTO/Join_a_domain_as_a_DC|how to join Samba4 as a domain controller]].<br />
<br />
Then, to extract the keytab, run:<br />
<br />
samba-tool domain exportkeytab PATH_TO_KEYTAB<br />
<br />
It will write out a keytab in ''PATH_TO_KEYTAB'' containing the current keys for every host and user. Since that file is equivalent to every password in the domain, keep it readable only by the account doing the analysis and delete it when you are done.<br />
<br />
=== Using Samba3 ===<br />
<br />
To dump a keytab, join the domain and then run:<br />
<br />
net rpc vampire keytab /path/to/keytab/file -I <ip_domain_controller> -U user_with_admin_rights <br />
<br />
Note that the path to the keytab file needs to be absolute. In some situations you might need to append @domain.tld to the administrative username.</div>Ekacnethttps://wiki.samba.org/index.php?title=Keytab_Extraction&diff=6082Keytab Extraction2011-06-19T14:52:23Z<p>Ekacnet: </p>
<hr />
<div>Once you have [[Capture Packets|captured packets]] you can use Wireshark to analyze them. In many cases the traffic must be decrypted before an exchange can be analyzed correctly.<br />
<br />
== How to extract a keytab containing your domain's passwords ==<br />
There are two ways to obtain a keytab from an Active Directory domain with Samba:<br />
<br />
=== Using Samba4 ===<br />
<br />
To use Samba4 for this, it needs to be a domain controller for your domain. If it is not already one, see [[Samba4/HOWTO/Join_a_domain_as_a_DC|how to join Samba4 as a domain controller]].<br />
<br />
Then, to extract the keytab, run:<br />
<br />
samba-tool export keytab PATH_TO_KEYTAB<br />
<br />
It will write out a keytab in ''PATH_TO_KEYTAB'' containing the current keys for every host and user.<br />
<br />
=== Using Samba3 ===<br />
<br />
To dump a keytab, join the domain and then run:<br />
<br />
net rpc vampire keytab /path/to/keytab/file<br />
<br />
Note that the path to the keytab file needs to be an absolute path.</div>Ekacnethttps://wiki.samba.org/index.php?title=Keytab_Extraction&diff=6081Keytab Extraction2011-06-19T14:51:58Z<p>Ekacnet: </p>
<hr />
<div>Once you have [[Capture Packets|captured packets]] you can use Wireshark to analyze them. In many cases the traffic must be decrypted before an exchange can be analyzed correctly.<br />
<br />
== How to extract a keytab containing your domain's passwords ==<br />
There are two ways to obtain a keytab from an Active Directory domain with Samba:<br />
<br />
=== Using Samba4 ===<br />
<br />
To use Samba4 for this, it needs to be a domain controller for your domain. If it is not already one, see [[Samba4/HOWTO/Join_a_domain_as_a_DC|how to join Samba4 as a domain controller]].<br />
<br />
Then, to extract the keytab, run:<br />
<br />
samba-tool export keytab PATH_TO_KEYTAB<br />
<br />
It will write out a keytab in ''PATH_TO_KEYTAB'' containing the current keys for every host and user.<br />
<br />
=== Samba3 ===<br />
<br />
To dump a keytab, join the domain and then run:<br />
<br />
net rpc vampire keytab /path/to/keytab/file<br />
<br />
Note that the path to the keytab file needs to be an absolute path.</div>Ekacnethttps://wiki.samba.org/index.php?title=Keytab_Extraction&diff=6080Keytab Extraction2011-06-19T14:49:32Z<p>Ekacnet: </p>
<hr />
<div>Once you have [[Capture Packets|captured packets]] you can use Wireshark to analyze them. In many cases the traffic must be decrypted before an exchange can be analyzed correctly.<br />
<br />
== How to extract a keytab containing your domain's passwords ==<br />
There are two ways to obtain a keytab from an Active Directory domain with Samba:<br />
<br />
=== Using Samba4 ===<br />
<br />
To use Samba4 for this, it needs to be a domain controller for your domain. If it is not already one, see [[Samba4/HOWTO/Join_a_domain_as_a_DC|how to join Samba4 as a domain controller]].<br />
<br />
net vampire NETBIOS_DOMAIN_NAME --realm=REALM -Uadministrator<br />
<br />
Or, for a recent GIT checkout (later than 2010/10/23):<br />
<br />
samba-tool vampire NETBIOS_DOMAIN_NAME --realm=REALM -Uadministrator<br />
<br />
If everything is set up correctly, it should just work. If not, check /etc/krb5.conf in particular - ensure it can reach the KDC by setting:<br />
<br />
 [libdefaults]<br />
 dns_lookup_kdc = true<br />
<br />
Then, to extract the keytab, run:<br />
<br />
 net export keytab PATH_TO_KEYTAB<br />
<br />
or:<br />
<br />
 samba-tool export keytab PATH_TO_KEYTAB<br />
<br />
It will write out a keytab in the path specified, containing the current keys for every host.<br />
<br />
=== Samba3 ===<br />
<br />
To dump a keytab, join the domain and then run:<br />
<br />
net rpc vampire keytab /path/to/keytab/file<br />
<br />
Note that the path to the keytab file needs to be an absolute path.</div>Ekacnethttps://wiki.samba.org/index.php?title=Keytab_Extraction&diff=6079Keytab Extraction2011-06-19T14:37:53Z<p>Ekacnet: </p>
<hr />
<div>Once you have [[Capture Packets|captured packets]] you can use Wireshark to analyze them. In many cases the traffic must be decrypted before an exchange can be analyzed correctly.<br />
<br />
== How to extract a keytab containing your domain's passwords ==<br />
There are two ways to obtain a keytab from an Active Directory domain with Samba:<br />
<br />
=== Samba4 ===<br />
<br />
To join the domain, run:<br />
<br />
net vampire NETBIOS_DOMAIN_NAME --realm=REALM -Uadministrator<br />
<br />
Or, for a recent GIT checkout (later than 2010/10/23):<br />
<br />
samba-tool vampire NETBIOS_DOMAIN_NAME --realm=REALM -Uadministrator<br />
<br />
If everything is set up correctly, it should just work. If not, check /etc/krb5.conf in particular - ensure it can reach the KDC by setting:<br />
<br />
 [libdefaults]<br />
 dns_lookup_kdc = true<br />
<br />
Then, to extract the keytab, run:<br />
<br />
 net export keytab PATH_TO_KEYTAB<br />
<br />
or:<br />
<br />
 samba-tool export keytab PATH_TO_KEYTAB<br />
<br />
It will write out a keytab in the path specified, containing the current keys for every host.<br />
<br />
=== Samba3 ===<br />
<br />
To dump a keytab, join the domain and then run:<br />
<br />
net rpc vampire keytab /path/to/keytab/file<br />
<br />
Note that the path to the keytab file needs to be an absolute path.</div>Ekacnethttps://wiki.samba.org/index.php?title=Keytab_Extraction&diff=6078Keytab Extraction2011-06-19T14:34:17Z<p>Ekacnet: </p>
<hr />
<div>Once you have [[Capture Packets|captured packets]] you can use Wireshark to analyze them. In many cases the traffic must be decrypted before an exchange can be analyzed correctly.<br />
<br />
=How to extract a keytab containing your domain's passwords=<br />
The keytab, a standard format for the storage of Kerberos keys, is also the input required by Wireshark to decrypt encrypted traffic.<br />
<br />
There are two ways to obtain a keytab from a Windows domain with Samba:<br />
==Samba4==<br />
<br />
To join the domain, run:<br />
<br />
net vampire NETBIOS_DOMAIN_NAME --realm=REALM -Uadministrator<br />
<br />
Or, for a recent GIT checkout (later than 2010/10/23):<br />
<br />
samba-tool vampire NETBIOS_DOMAIN_NAME --realm=REALM -Uadministrator<br />
<br />
If everything is set up correctly, it should just work. If not, check /etc/krb5.conf in particular - ensure it can reach the KDC by setting:<br />
<br />
 [libdefaults]<br />
 dns_lookup_kdc = true<br />
<br />
Then, to extract the keytab, run:<br />
<br />
 net export keytab PATH_TO_KEYTAB<br />
<br />
or:<br />
<br />
 samba-tool export keytab PATH_TO_KEYTAB<br />
<br />
It will write out a keytab in the path specified, containing the current keys for every host.<br />
<br />
==Samba3==<br />
<br />
To dump a keytab, join the domain and then run:<br />
<br />
net rpc vampire keytab /path/to/keytab/file<br />
<br />
Note that the path to the keytab file needs to be an absolute path.</div>Ekacnethttps://wiki.samba.org/index.php?title=Capture_Packets&diff=6075Capture Packets2011-06-19T14:01:28Z<p>Ekacnet: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a packet capture (or trace).<br />
<br />
== Which tool to use? ==<br />
The best way to do this depends on the tools available on your system. It is often easiest to run the capture tool from the command-line, unless debugging a problem that requires complex capture filters to be set (to reduce the network trace).<br />
<br />
For more complex tasks the GUI-based network tools, such as Wireshark, may be easier for beginners to use.<br />
<br />
== Where should the tracing be done? ==<br />
If your problem concerns file sharing, tracing can be done on either the client or the server. If it concerns authentication or Active Directory protocols, it is usually better to trace on the server, since most of the time we will need the packets exchanged while the computer boots or while the user logs on.<br />
<br />
If tracing on the server puts too much load on the server system to reproduce the problem or results in a network trace that is too large, tracing from the client can be attempted instead. <br />
<br />
== Tracing ==<br />
From the command line of the operating system, type one of the following (in the tables below, replace ''FILENAME'' with a more descriptive file name):<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME </pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -n -w FILENAME</pre><br />
|}<br />
<br />
If you're sure the problem is only related to SMB, you can filter the traffic based on the ports:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME port 445 or port 139</pre><br />
|}<br />
<br />
If you know the IP address of the client, you can use the following to reduce the volume of the trace:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|}<br />
<br />
Where ''IP_ADDRESS_OF_THE_CLIENT'' is the IP of the client, something like 192.168.1.2 or 2001:db8:0:85a3::ac1f:8001.<br />
<br />
== How to use the graphical user interface ==<br />
In many cases the process is as simple as the following, from your client (e.g. Windows workstation):<br />
<br />
* Download and install [http://www.wireshark.org/download.html Wireshark].<br />
* Launch Wireshark from the Windows "All Programs" menu list<br />
* Start the capture<br />
* Do the operation that causes trouble<br />
* Stop the capture<br />
* Save the trace and send it to the developer working on your problem (or attach it, or a URL to where the trace file is saved, to the Bugzilla bug).<br />
<br />
== Additional remarks ==<br />
=== For SMB/SMB2 related problems ===<br />
For some types of problem it is also important that we see the beginning of the SMB connection.<br />
You can cause the Windows client to reconnect if you first kill the Samba server's smbd process which is servicing your client before starting the trace. You do not have to restart all of Samba.<br />
<br />
You can find out which smbd process is serving your client by running smbstatus on the server.<br />
<br />
=== For authentication, LDAP, GPO related problems ===<br />
If the problem does not occur at login, or is reproducible while the user is logged on, tracing should be started just before the operation that fails. Nevertheless, most of the time part of the traffic will be encrypted, and for the trace to be usable you will need the initial key exchange.<br />
<br />
The best way to do this is to force Windows to discard all your Kerberos tickets, so that when you repeat the failing operation Windows requests new Kerberos tickets and the trace contains all the information the developer needs.<br />
<br />
To force Windows to discard your Kerberos tickets:<br />
* On Windows XP or Windows Server 2003<br />
You will need the program ''kerbtray.exe'' from ''C:\Program Files\Windows Resource Kits\Tools''; you can get it from the [http://www.microsoft.com/download/en/details.aspx?id=17657 resource kit]. Once started you will see a green ticket icon in the system tray; to purge, right-click the icon and select ''Purge Tickets'' as shown in the screenshot below.<br />
<br />
[[File:Kerbtray.png]]<br />
<br />
* On Windows Vista and newer or Windows Server 2008 and newer<br />
The tool ''klist.exe'' is shipped with these versions of Windows; to purge the tickets just run:<br />
<code>klist purge</code></div>Ekacnethttps://wiki.samba.org/index.php?title=Capture_Packets&diff=6074Capture Packets2011-06-19T13:59:55Z<p>Ekacnet: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a packet capture (or trace).<br />
<br />
== Which tool to use? ==<br />
The best way to do this depends on the tools available on your system. It is often easiest to run the capture tool from the command-line, unless debugging a problem that requires complex capture filters to be set (to reduce the network trace).<br />
<br />
For more complex tasks the GUI-based network tools, such as Wireshark, may be easier for beginners to use.<br />
<br />
== Where should the tracing be done? ==<br />
If your problem concerns file sharing, tracing can be done on either the client or the server. If it concerns authentication or Active Directory protocols, it is usually better to trace on the server, since most of the time we will need the packets exchanged while the computer boots or while the user logs on.<br />
<br />
If tracing on the server puts too much load on the server system to reproduce the problem or results in a network trace that is too large, tracing from the client can be attempted instead. <br />
<br />
== Tracing ==<br />
From the command line of the operating system, type one of the following (in the tables below, replace ''FILENAME'' with a more descriptive file name):<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME </pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -n -w FILENAME</pre><br />
|}<br />
<br />
If you're sure the problem is only related to SMB, you can filter the traffic based on the ports:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME port 445 or port 139</pre><br />
|}<br />
<br />
If you know the IP address of the client, you can use the following to reduce the volume of the trace:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|}<br />
<br />
Where ''IP_ADDRESS_OF_THE_CLIENT'' is the IP of the client, something like 192.168.1.2 or 2001:db8:0:85a3::ac1f:8001.<br />
<br />
== How to use the graphical user interface ==<br />
In many cases the process is as simple as the following, from your client (e.g. Windows workstation):<br />
<br />
* Download and install [http://www.wireshark.org/download.html Wireshark].<br />
* Launch Wireshark from the Windows "All Programs" menu list<br />
* Start the capture<br />
* Do the operation that causes trouble<br />
* Stop the capture<br />
* Save the trace and send it to the developer working on your problem (or attach it, or a URL to where the trace file is saved, to the Bugzilla bug).<br />
<br />
== Additional remarks ==<br />
=== For SMB/SMB2 related problems ===<br />
For some types of problem it is also important that we see the beginning of the SMB connection.<br />
You can cause the Windows client to reconnect if you first kill the Samba server's smbd process which is servicing your client before starting the trace. You do not have to restart all of Samba.<br />
<br />
You can find out which smbd process is serving your client by running smbstatus on the server.<br />
<br />
=== For authentication, LDAP, GPO related problems ===<br />
If the problem does not occur at login, or is reproducible while the user is logged on, tracing should be started just before the operation that fails. Nevertheless, most of the time part of the traffic will be encrypted, and for the trace to be usable you will need the initial key exchange.<br />
<br />
The best way to do this is to force Windows to discard all your Kerberos tickets, so that when you repeat the failing operation Windows requests new Kerberos tickets and the trace contains all the information the developer needs.<br />
<br />
To force Windows to discard your Kerberos tickets:<br />
* On Windows XP or Windows Server 2003<br />
You will need the program ''kerbtray.exe'' from ''C:\Program Files\Windows Resource Kits\Tools''; you can get it from the [http://www.microsoft.com/download/en/details.aspx?id=17657 resource kit]. Once started you will see a green ticket icon in the system tray; to purge, right-click the icon and select ''Purge Tickets'' as shown in the screenshot below.<br />
[[File:Kerbtray.png]]</div>Ekacnethttps://wiki.samba.org/index.php?title=File:Kerbtray.png&diff=6073File:Kerbtray.png2011-06-19T13:59:16Z<p>Ekacnet: </p>
<hr />
<div></div>Ekacnethttps://wiki.samba.org/index.php?title=Capture_Packets&diff=6072Capture Packets2011-06-19T13:55:13Z<p>Ekacnet: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a packet capture (or trace).<br />
<br />
== Which tool to use? ==<br />
The best way to do this depends on the tools available on your system. It is often easiest to run the capture tool from the command-line, unless debugging a problem that requires complex capture filters to be set (to reduce the network trace).<br />
<br />
For more complex tasks the GUI-based network tools, such as Wireshark, may be easier for beginners to use.<br />
<br />
== Where should the tracing be done? ==<br />
If your problem concerns file sharing, tracing can be done on either the client or the server. If it concerns authentication or Active Directory protocols, it is usually better to trace on the server, since most of the time we will need the packets exchanged while the computer boots or while the user logs on.<br />
<br />
If tracing on the server puts too much load on the server system to reproduce the problem or results in a network trace that is too large, tracing from the client can be attempted instead. <br />
<br />
== Tracing ==<br />
From the command line of the operating system, type one of the following (in the tables below, replace ''FILENAME'' with a more descriptive file name):<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME </pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -n -w FILENAME</pre><br />
|}<br />
<br />
If you're sure the problem is only related to SMB, you can filter the traffic based on the ports:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME port 445 or port 139</pre><br />
|}<br />
<br />
If you know the IP address of the client, you can use the following to reduce the volume of the trace:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|}<br />
<br />
Where ''IP_ADDRESS_OF_THE_CLIENT'' is the IP of the client, something like 192.168.1.2 or 2001:db8:0:85a3::ac1f:8001.<br />
<br />
== How to use the graphical user interface ==<br />
In many cases the process is as simple as the following, from your client (e.g. Windows workstation):<br />
<br />
* Download and install [http://www.wireshark.org/download.html Wireshark].<br />
* Launch Wireshark from the Windows "All Programs" menu list<br />
* Start the capture<br />
* Do the operation that causes trouble<br />
* Stop the capture<br />
* Save the trace and send it to the developer working on your problem (or attach it, or a URL to where the trace file is saved, to the Bugzilla bug).<br />
<br />
== Additional remarks ==<br />
=== For SMB/SMB2 related problems ===<br />
For some types of problem it is also important that we see the beginning of the SMB connection.<br />
You can cause the Windows client to reconnect if you first kill the Samba server's smbd process which is servicing your client before starting the trace. You do not have to restart all of Samba.<br />
<br />
You can find out which smbd process is serving your client by running smbstatus on the server.<br />
<br />
=== For authentication, LDAP, GPO related problems ===<br />
If the problem does not occur at login, or is reproducible while the user is logged on, tracing should be started just before the operation that fails. Nevertheless, most of the time part of the traffic will be encrypted, and for the trace to be usable you will need the initial key exchange.<br />
<br />
The best way to do this is to force Windows to discard all your Kerberos tickets, so that when you repeat the failing operation Windows requests new Kerberos tickets and the trace contains all the information the developer needs.<br />
<br />
To force Windows to discard your Kerberos tickets:<br />
* On Windows XP or Windows Server 2003<br />
You will need the program ''kerbtray.exe'' from ''C:\Program Files\Windows Resource Kits\Tools''; you can get it from the [http://www.microsoft.com/download/en/details.aspx?id=17657 resource kit]. Once started you will see a green ticket icon in the system tray; to purge, right-click the icon and select ''Purge Tickets'' as shown in the screenshot below.</div>Ekacnethttps://wiki.samba.org/index.php?title=Capture_Packets&diff=6071Capture Packets2011-06-19T13:54:35Z<p>Ekacnet: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a packet capture (or trace).<br />
<br />
== Which tool to use? ==<br />
The best way to do this depends on the tools available on your system. It is often easiest to run the capture tool from the command-line, unless debugging a problem that requires complex capture filters to be set (to reduce the network trace).<br />
<br />
For more complex tasks the GUI-based network tools, such as Wireshark, may be easier for beginners to use.<br />
<br />
== Where should the tracing be done? ==<br />
If your problem concerns file sharing, tracing can be done on either the client or the server. If it concerns authentication or Active Directory protocols, it is usually better to trace on the server, since most of the time we will need the packets exchanged while the computer boots or while the user logs on.<br />
<br />
If tracing on the server puts too much load on the server system to reproduce the problem or results in a network trace that is too large, tracing from the client can be attempted instead. <br />
<br />
== Tracing ==<br />
From the command line of the operating system, type one of the following (in the tables below, replace ''FILENAME'' with a more descriptive file name):<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME </pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -n -w FILENAME</pre><br />
|}<br />
<br />
If you're sure the problem is only related to SMB, you can filter the traffic based on the ports:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME port 445 or port 139</pre><br />
|}<br />
<br />
If you know the IP address of the client, you can use the following to reduce the volume of the trace:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|}<br />
<br />
Where ''IP_ADDRESS_OF_THE_CLIENT'' is the IP of the client, something like 192.168.1.2 or 2001:db8:0:85a3::ac1f:8001.<br />
<br />
== How to use the graphical user interface ==<br />
In many cases the process is as simple as the following, from your client (e.g. Windows workstation):<br />
<br />
* Download and install [http://www.wireshark.org/download.html Wireshark].<br />
* Launch Wireshark from the Windows "All Programs" menu list<br />
* Start the capture<br />
* Do the operation that causes trouble<br />
* Stop the capture<br />
* Save the trace and send it to the developer working on your problem (or attach it, or a URL to where the trace file is saved, to the Bugzilla bug).<br />
<br />
== Additional remarks ==<br />
=== For SMB/SMB2 related problems ===<br />
For some types of problem it is also important that we see the beginning of the SMB connection.<br />
You can cause the Windows client to reconnect if you first kill the Samba server's smbd process which is servicing your client before starting the trace. You do not have to restart all of Samba.<br />
<br />
You can find out which smbd process is serving your client by running smbstatus on the server.<br />
<br />
=== For authentication, LDAP, GPO related problems ===<br />
If the problem does not occur at login, or is reproducible while the user is logged on, tracing should be started just before the operation that fails. Nevertheless, most of the time part of the traffic will be encrypted, and for the trace to be usable you will need the initial key exchange.<br />
<br />
The best way to do this is to force Windows to discard all your Kerberos tickets, so that when you repeat the failing operation Windows requests new Kerberos tickets and the trace contains all the information the developer needs.<br />
<br />
To force Windows to discard your Kerberos tickets:<br />
* On Windows XP or Windows Server 2003, you will need the program ''kerbtray.exe'' from ''C:\Program Files\Windows Resource Kits\Tools''; you can get it from the [http://www.microsoft.com/download/en/details.aspx?id=17657 resource kit]. Once started you will see a green ticket icon in the system tray; to purge, right-click the icon and select ''Purge Tickets'' as shown in the screenshot below.</div>Ekacnethttps://wiki.samba.org/index.php?title=Capture_Packets&diff=6070Capture Packets2011-06-19T12:15:25Z<p>Ekacnet: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a packet capture (or trace).<br />
<br />
== Which tool to use? ==<br />
The best way to do this depends on the tools available on your system. It is often easiest to run the capture tool from the command-line, unless debugging a problem that requires complex capture filters to be set (to reduce the network trace).<br />
<br />
For more complex tasks the GUI-based network tools, such as Wireshark, may be easier for beginners to use.<br />
<br />
== Where should the tracing be done? ==<br />
If your problem concerns file sharing, tracing can be done on either the client or the server. If it concerns authentication or Active Directory protocols, it is usually better to trace on the server, since most of the time we will need the packets exchanged while the computer boots or while the user logs on.<br />
<br />
If tracing on the server puts too much load on the server system to reproduce the problem or results in a network trace that is too large, tracing from the client can be attempted instead. <br />
<br />
== Tracing ==<br />
From the command line of the operating system, type one of the following (in the tables below, replace ''FILENAME'' with a more descriptive file name):<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME </pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -n -w FILENAME</pre><br />
|}<br />
<br />
If you're sure the problem is only related to SMB, you can filter the traffic based on the ports:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME port 445 or port 139</pre><br />
|}<br />
<br />
If you know the IP address of the client, you can use the following to reduce the volume of the trace:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|}<br />
<br />
Where ''IP_ADDRESS_OF_THE_CLIENT'' is the IP of the client, something like 192.168.1.2 or 2001:db8:0:85a3::ac1f:8001.<br />
<br />
== How to use the graphical user interface ==<br />
In many cases the process is as simple as the following, from your client (e.g. Windows workstation):<br />
<br />
* Download and install [http://www.wireshark.org/download.html Wireshark].<br />
* Launch Wireshark from the Windows "All Programs" menu list<br />
* Start the capture<br />
* Do the operation that causes trouble<br />
* Stop the capture<br />
* Save the trace and send it to the developer working on your problem (or attach it, or a URL to where the trace file is saved, to the Bugzilla bug).<br />
<br />
== Additional remarks ==<br />
=== For SMB/SMB2 related problems ===<br />
For some types of problem it is also important that we see the beginning of the SMB connection.<br />
You can cause the Windows client to reconnect if you first kill the Samba server's smbd process which is servicing your client before starting the trace. You do not have to restart all of Samba.<br />
<br />
You can find out the smbd responsible for your client by running the tool smbstatus on the server.<br />
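An added example (not from the original page) of the two remarks above in POSIX shell: find the smbd serving a given client from smbstatus output and terminate it so that the client reconnects while the capture is running, then check with tshark that the saved trace really contains the start of a connection. The parser is written against the "smbstatus -p" column layouts shown in the constructed sample below; the sample, the function names and the use of tshark's smb2.cmd and smb.cmd display-filter fields to spot the negotiate request are this example's assumptions, not statements made by the page.

```shell
#!/bin/sh
# Added example, not part of the Samba wiki page.

# smbd_pids_for_client CLIENT_IP
# Reads "smbstatus -p" output on stdin and prints the PID of every smbd whose
# Machine column refers to CLIENT_IP. Handles both the older "name (ip)" layout
# and the newer "ip (ipv4:ip:port)" layout; header and separator lines have a
# non-numeric first column and are skipped.
smbd_pids_for_client() {
    awk -v ip="$1" '
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++) {
                f = $i
                gsub(/[()]/, "", f)                   # "(ipv4:a.b.c.d:p)" -> "ipv4:a.b.c.d:p"
                if (sub(/^ipv[46]:/, "", f))          # only that layout carries a port,
                    sub(/:[0-9]+$/, "", f)            # so only strip ":port" after the prefix
                if (f == ip) { print $1; break }
            }
        }'
}

# reconnect_client CLIENT_IP
# Terminates the smbd serving CLIENT_IP so the client re-establishes its SMB
# session (negotiate + session setup) while the capture is running. Only the
# per-client child is killed; the parent smbd and the rest of Samba keep
# running. Open files on that session are dropped, so pick a quiet moment.
reconnect_client() {
    pids=$(smbstatus -p | smbd_pids_for_client "$1")
    [ -n "$pids" ] || { echo "no smbd found for client $1" >&2; return 1; }
    for pid in $pids; do
        kill "$pid"
    done
}

# trace_has_negotiate FILENAME
# Succeeds if the saved trace contains an SMB2 NEGOTIATE request (smb2.cmd == 0)
# or an SMB1 negotiate protocol request (smb.cmd == 0x72), i.e. the beginning
# of a connection. Requires tshark on the machine holding the trace.
trace_has_negotiate() {
    tshark -r "$1" -Y 'smb2.cmd == 0 || smb.cmd == 0x72' 2>/dev/null | grep -q .
}

# Constructed sample of "smbstatus -p" output (not real server output), used
# to exercise the parser offline.
sample_smbstatus() {
    cat <<'EOF'
Samba version 4.3.11
PID     Username     Group        Machine                                Protocol Version
------------------------------------------------------------------------------------------
1234    alice        users        192.168.1.2 (ipv4:192.168.1.2:49152)   SMB3_00
1235    bob          users        192.168.1.20 (ipv4:192.168.1.20:50000) SMB3_00
1236    carol        users        ws3 (2001:db8:0:85a3::ac1f:8001)       SMB2_10
EOF
}

# Example session on the server, with the capture already running:
#   reconnect_client 192.168.1.2        # then repeat the failing operation on the client
#   trace_has_negotiate smb-trace.pcap && echo "trace includes the connection start"
```

The address comparison is on whole fields, so 192.168.1.2 does not match the smbd serving 192.168.1.20, which a plain grep for the address would.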
<br />
=== For authentication, LDAP, GPO related problems ===<br />
If the problem does not occur at logon, or is reproducible while the user is logged in, start the trace just before the operation that fails. Most of the time, however, part of the traffic will be encrypted, and for the trace to be usable we also need the initial Kerberos exchange in which the client obtains its tickets.<br />
<br />
The best way to get it is to force Windows to discard all of your Kerberos tickets (for example by running klist purge in a command prompt on the client), so that when you repeat the failing operation Windows requests new tickets and that exchange is part of the trace.</div>Ekacnethttps://wiki.samba.org/index.php?title=Capture_Packets&diff=6069Capture Packets2011-06-19T11:57:40Z<p>Ekacnet: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a packet capture (or trace).<br />
<br />
== Which tool to use? ==<br />
The best way to do this depends on the tools available on your system. It is often easiest to run the capture tool from the command line, unless you are debugging a problem that requires complex capture filters to be set (to reduce the size of the network trace).<br />
<br />
For more complex tasks the GUI-based network tools, such as Wireshark, may be easier for beginners to use. <br />
<br />
== Where should the tracing be done? ==<br />
If your problem concerns file exchange then tracing can be done on the client or on the server. On the other hand, if it concerns authentication or Active Directory protocols, it is often better to trace on the server, as most of the time we will need the packets exchanged while the computer boots or while the user logs on.<br />
<br />
If tracing on the server puts too much load on the server system to reproduce the problem or results in a network trace that is too large, tracing from the client can be attempted instead. <br />
<br />
== Tracing ==<br />
From the command line of the operating system type: (note: in the table below, replace ''FILENAME'' with a more descriptive file name): <br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME </pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -n -w FILENAME</pre><br />
|}<br />
<br />
If you're sure the problem is only related to SMB, you can filter the traffic based on the ports:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME port 445 or port 139</pre><br />
|}<br />
<br />
If you know the IP address of the client you can use the following to reduce the volume of the trace:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|}<br />
<br />
Where ''IP_ADDRESS_OF_THE_CLIENT'' is the IP of the client, something like 192.168.1.2 or 2001:db8:0:85a3::ac1f:8001.<br />
<br />
== How to use graphical user interface ==<br />
In many cases the process is as simple as the following, from your client (e.g. Windows workstation):<br />
<br />
* Download and install [http://www.wireshark.org/download.html Wireshark].<br />
* Launch Wireshark from the Windows "All Programs" menu list<br />
* Start the capture<br />
* Do the operation that causes trouble<br />
* Stop the capture<br />
* Save the trace and send the trace to the developer working on your problem (or attach it or a URL to the saved trace file location to the bugzilla bug). <br />
<br />
== Additional remarks ==<br />
=== For SMB/SMB2 related problems ===<br />
For some types of problems it is also important that we see the beginning of the SMB connection.<br />
You can force the Windows client to reconnect by killing the smbd process on the Samba server that is servicing your client before starting the trace. You do not have to restart all of Samba.<br />
<br />
You can find out which smbd is responsible for your client by running smbstatus on the server.</div>Ekacnethttps://wiki.samba.org/index.php?title=Capture_Packets&diff=6068Capture Packets2011-06-19T11:48:17Z<p>Ekacnet: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a packet capture (or trace).<br />
<br />
== Which tool to use? ==<br />
The best way to do this depends on the tools available on your system. It is often easiest to run the capture tool from the command line, unless you are debugging a problem that requires complex capture filters to be set (to reduce the size of the network trace).<br />
<br />
For more complex tasks the GUI-based network tools, such as Wireshark, may be easier for beginners to use. <br />
<br />
== Where should the tracing be done? ==<br />
If your problem concerns file exchange then tracing can be done on the client or on the server. On the other hand, if it concerns authentication or Active Directory protocols, it is often better to trace on the server, as most of the time we will need the packets exchanged while the computer boots or while the user logs on.<br />
<br />
If tracing on the server puts too much load on the server system to reproduce the problem or results in a network trace that is too large, tracing from the client can be attempted instead. <br />
<br />
== Tracing ==<br />
From the command line of the operating system type: (note: in the table below, replace ''FILENAME'' with a more descriptive file name): <br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME </pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -n -w FILENAME</pre><br />
|}<br />
<br />
If you're sure the problem is only related to SMB, you can filter the traffic based on the ports:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME port 445 or port 139</pre><br />
|}<br />
<br />
If you know the IP address of the client you can use the following to reduce the volume of the trace:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|}<br />
<br />
Where ''IP_ADDRESS_OF_THE_CLIENT'' is the IP of the client, something like 192.168.1.2 or 2001:db8:0:85a3::ac1f:8001.<br />
<br />
== How to use graphical user interface ==<br />
In many cases the process is as simple as the following, from your client (e.g. Windows workstation):<br />
<br />
* Download and install [http://www.wireshark.org Wireshark].<br />
* Launch Wireshark from the Windows "All Programs" menu list<br />
* Start the capture<br />
* Do the operation that causes trouble<br />
* Stop the capture<br />
* Save the trace and send the trace to the developer working on your problem (or attach it or a URL to the saved trace file location to the bugzilla bug). <br />
<br />
<br />
For some types of problems it is also important that we see the beginning of the SMB connection. You can force the Windows client to reconnect by killing the smbd process on the Samba server that is servicing your client before starting the trace. You do not have to restart all of Samba. You can find out which smbd is responsible for your client by running smbstatus on the server.</div>Ekacnethttps://wiki.samba.org/index.php?title=Capture_Packets&diff=6067Capture Packets2011-06-19T11:42:44Z<p>Ekacnet: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a packet capture (or trace).<br />
<br />
== Which tool to use? ==<br />
The best way to do this depends on the tools available on your system. It is often easiest to run the capture tool from the command line, unless you are debugging a problem that requires complex capture filters to be set (to reduce the size of the network trace).<br />
<br />
For more complex tasks the GUI-based network tools, such as Wireshark, may be easier for beginners to use. <br />
<br />
== Where should the tracing be done? ==<br />
If your problem concerns file exchange then tracing can be done on the client or on the server. On the other hand, if it concerns authentication or Active Directory protocols, it is often better to trace on the server, as most of the time we will need the packets exchanged while the computer boots or while the user logs on.<br />
<br />
If tracing on the server puts too much load on the server system to reproduce the problem or results in a network trace that is too large, tracing from the client can be attempted instead. <br />
<br />
== Tracing ==<br />
From the command line of the operating system type: (note: in the table below, replace ''FILENAME'' with a more descriptive file name): <br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME </pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -n -w FILENAME</pre><br />
|}<br />
<br />
If you're sure the problem is only related to SMB, you can filter the traffic based on the ports:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME port 445 or port 139</pre><br />
|}<br />
<br />
If you know the IP address of the client you can use the following to reduce the volume of the trace:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|}<br />
<br />
Where ''IP_ADDRESS_OF_THE_CLIENT'' is the IP of the client, something like 192.168.1.2 or 2001:db8:0:85a3::ac1f:8001.<br />
<br />
<br />
<br />
In many cases the process is as simple as the following: from your client (e.g. a Windows workstation), download and install Wireshark (http://www.wireshark.org), launch Wireshark from the Windows "All Programs" menu list, start the capture, do the operation that causes trouble, stop the capture and send the trace to the developer working on your problem (or attach it, or a URL to the saved trace file location, to the bugzilla bug). For some types of problems it is also important that we see the beginning of the SMB connection. You can force the Windows client to reconnect by killing the smbd process on the Samba server that is servicing your client before starting the trace. You do not have to restart all of Samba. You can find out which smbd is responsible for your client by running smbstatus on the server.</div>Ekacnethttps://wiki.samba.org/index.php?title=Capture_Packets&diff=6066Capture Packets2011-06-19T11:42:07Z<p>Ekacnet: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a packet capture (or trace).<br />
<br />
== Which tool to use? ==<br />
The best way to do this depends on the tools available on your system. It is often easiest to run the capture tool from the command line, unless you are debugging a problem that requires complex capture filters to be set (to reduce the size of the network trace).<br />
<br />
For more complex tasks the GUI-based network tools, such as Wireshark, may be easier for beginners to use. <br />
<br />
== Where should the tracing be done? ==<br />
If your problem concerns file exchange then tracing can be done on the client or on the server. On the other hand, if it concerns authentication or Active Directory protocols, it is often better to trace on the server, as most of the time we will need the packets exchanged while the computer boots or while the user logs on.<br />
<br />
If tracing on the server puts too much load on the server system to reproduce the problem or results in a network trace that is too large, tracing from the client can be attempted instead. <br />
<br />
== Tracing ==<br />
From the command line of the operating system type: (note: in the table below, replace FILENAME with a descriptive file name): <br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME </pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -n -w FILENAME</pre><br />
|}<br />
<br />
If you're sure the problem is only related to SMB, you can filter the traffic based on the ports:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME port 445 or port 139</pre><br />
|}<br />
<br />
If you know the IP address of the client you can use the following to reduce the volume of the trace:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|}<br />
<br />
Where ''IP_ADDRESS_OF_THE_CLIENT'' is the IP of the client, something like 192.168.1.2 or 2001:db8:0:85a3::ac1f:8001.<br />
<br />
<br />
<br />
In many cases the process is as simple as the following: from your client (e.g. a Windows workstation), download and install Wireshark (http://www.wireshark.org), launch Wireshark from the Windows "All Programs" menu list, start the capture, do the operation that causes trouble, stop the capture and send the trace to the developer working on your problem (or attach it, or a URL to the saved trace file location, to the bugzilla bug). For some types of problems it is also important that we see the beginning of the SMB connection. You can force the Windows client to reconnect by killing the smbd process on the Samba server that is servicing your client before starting the trace. You do not have to restart all of Samba. You can find out which smbd is responsible for your client by running smbstatus on the server.</div>Ekacnethttps://wiki.samba.org/index.php?title=Capture_Packets&diff=6065Capture Packets2011-06-19T11:33:30Z<p>Ekacnet: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a packet capture (or trace).<br />
<br />
== Which tool to use? ==<br />
The best way to do this depends on the tools available on your system. It is often easiest to run the capture tool from the command line, unless you are debugging a problem that requires complex capture filters to be set (to reduce the size of the network trace).<br />
<br />
For more complex tasks the GUI-based network tools, such as Wireshark, may be easier for beginners to use. <br />
<br />
== Where should the tracing be done? ==<br />
If your problem concerns file exchange then tracing can be done on the client or on the server. On the other hand, if it concerns authentication or Active Directory protocols, it is often better to trace on the server, as most of the time we will need the packets exchanged while the computer boots or while the user logs on.<br />
<br />
If tracing on the server puts too much load on the server system to reproduce the problem or results in a network trace that is too large, tracing from the client can be attempted instead. From the command line of the operating system type: (note: in the table below, replace FILENAME with a descriptive file name): <br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME </pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -n -w FILENAME</pre><br />
|}<br />
<br />
If you're sure the problem is only related to SMB, you can filter the traffic based on the ports:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME port 445 or port 139</pre><br />
|}<br />
<br />
In many cases the process is as simple as the following: from your client (e.g. a Windows workstation), download and install Wireshark (http://www.wireshark.org), launch Wireshark from the Windows "All Programs" menu list, start the capture, do the operation that causes trouble, stop the capture and send the trace to the developer working on your problem (or attach it, or a URL to the saved trace file location, to the bugzilla bug). For some types of problems it is also important that we see the beginning of the SMB connection. You can force the Windows client to reconnect by killing the smbd process on the Samba server that is servicing your client before starting the trace. You do not have to restart all of Samba. You can find out which smbd is responsible for your client by running smbstatus on the server.</div>Ekacnethttps://wiki.samba.org/index.php?title=Capture_Packets&diff=6064Capture Packets2011-06-19T11:23:22Z<p>Ekacnet: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a packet capture (or trace).<br />
<br />
The best way to do this depends on the tools available on your system. It is often easiest to run the capture tool from the command line, unless you are debugging a problem that requires complex capture filters to be set (to reduce the size of the network trace).<br />
<br />
For more complex tasks the GUI-based network tools, such as Wireshark, may be easier for beginners to use. If your problem concerns file exchange then tracing can be done on the client or on the server. On the other hand, if it concerns authentication or Active Directory protocols, it is often better to trace on the server, as most of the time we will need the packets exchanged while the computer boots or while the user logs on.<br />
<br />
If tracing on the server puts too much load on the server system to reproduce the problem or results in a network trace that is too large, tracing from the client can be attempted instead. From the command line of the operating system type: (note: in the table below, replace FILENAME with a descriptive file name): <br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME </pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -n -w FILENAME</pre><br />
|}<br />
<br />
If you're sure the problem is only related to SMB, you can filter the traffic based on the ports:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME port 445 or port 139</pre><br />
|}<br />
<br />
In many cases the process is as simple as the following: from your client (e.g. a Windows workstation), download and install Wireshark (http://www.wireshark.org), launch Wireshark from the Windows "All Programs" menu list, start the capture, do the operation that causes trouble, stop the capture and send the trace to the developer working on your problem (or attach it, or a URL to the saved trace file location, to the bugzilla bug). For some types of problems it is also important that we see the beginning of the SMB connection. You can force the Windows client to reconnect by killing the smbd process on the Samba server that is servicing your client before starting the trace. You do not have to restart all of Samba. You can find out which smbd is responsible for your client by running smbstatus on the server.</div>Ekacnethttps://wiki.samba.org/index.php?title=User:Ekacnet&diff=6053User:Ekacnet2011-06-10T20:53:50Z<p>Ekacnet: </p>
<hr />
<div>Hello, this is my page!<br />
I'm Matthieu Patou; you can reach me on #samba-technical with the nick ekacnet.<br />
<br />
I have been a Samba team member (yeah!) since May 2010.<br />
<br />
I try to keep the [http://wiki.samba.org/index.php/Samba4/Andrew_and_Jelmers_Fantasy_Page fantasy page] up to date with what I'll try to do in the short term.<br />
<br />
<br />
== What I've done / What you can blame me for! ==<br />
<br />
* Upgradeprovision, a script to update your running provision to adapt to the perpetual changes we make in the Samba domain controller code (aka Samba4 so far).<br />
* DFS referral resolution, so that multi-DC setups work correctly with newer clients when accessing the sysvol and netlogon shares<br />
* Protected storage, a protocol to decrypt selected user secrets with the DC's private key, used mainly for certificates<br />
* Dirsync, an LDAP control used for polling changes<br />
* Pseudobacklinks, a technical artifact so that all attributes with DN syntax are updated when the targeted DN changes its name, allowing DCs to be moved between sites<br />
<br />
== Short term jobs ==<br />
<br />
* None<br />
<br />
== Medium term jobs ==<br />
<br />
* File Replication Service<br />
* Change indexing<br />
<br />
== About indexing ==<br />
<br />
For the moment LDB uses DNs as index entries; as DNs can be quite long, this uses a lot of space and memory.<br />
The idea is to use GUIDs instead, at least in indexes.<br />
<br />
Currently an indexed search on attribute samAccountName for the value ''mat'' is done like this:<br />
<br />
# search for DN: @INDEX:SAMACCOUNTNAME:MAT<br />
# get the different DNs in the @IDX attributes<br />
# fetch each object whose DN was returned in step 2<br />
# do the filtering <br />
<br />
The idea is to do like this:<br />
# search for DN: @INDEX:SAMACCOUNTNAME:MAT (via ltdb_search_indexed)<br />
# get the different objectGUIDs in the @IDX attributes (through ltdb_index_dn, or ltdb_index_dn_one if scope = ONELEVEL, or directly if scope = BASE)<br />
# for each GUID search the associated DN<br />
# fetch each object whose DN was returned in step 3 (in ltdb_index_filter)<br />
# do the filtering (in ltdb_index_filter)<br />
<br />
This approach has the advantage of not modifying too much while still reducing the index size, '''but''' it means that if an index contains 100 entries then we will do 201 fetches (1 for the index, 100 for the GUID -> DN index, 100 for each DN).<br />
<br />
== Ideas on how to do it ==<br />
=== Search part ===<br />
<br />
Tag new indexes with version 3 and keep version 2 for the IDXONE indexes + index from GUID to DN.<br />
<br />
The function ltdb_index_dn has to be modified to check, after the call has succeeded, whether it should return a list of DNs or a list of GUIDs; by default it seems more interesting to return a list of GUIDs (as ltdb_index_dn tends to call itself indirectly quite a lot of times). The idea is to make ltdb_index_dn mostly deal with GUIDs but return a list of DNs at the very last moment (in ltdb_search_indexed).<br />
<br />
The function list_intersect has to be changed to be able to do the intersection on GUIDs rather than on DNs; it should also bring some speedup.<br />
<br />
The function ltdb_index_dn_simple needs to be changed to return a list of GUIDs.<br />
<br />
The function ltdb_index_dn_one just needs to translate each GUID into a DN.</div>Ekacnethttps://wiki.samba.org/index.php?title=User:Ekacnet&diff=6052User:Ekacnet2011-06-10T20:51:16Z<p>Ekacnet: </p>
<hr />
<div>Hello, this is my page!<br />
I'm Matthieu Patou; you can reach me on #samba-technical with the nick ekacnet.<br />
<br />
I have been a Samba team member (yeah!) since May 2010.<br />
<br />
I try to keep the [http://wiki.samba.org/index.php/Samba4/Andrew_and_Jelmers_Fantasy_Page fantasy page] up to date with what I'll try to do in the short term.<br />
<br />
<br />
== What I've done / What you can blame me for! ==<br />
<br />
* Upgradeprovision, a script to update your running provision to adapt to the perpetual changes we make in the Samba domain controller code (aka Samba4 so far).<br />
* DFS referral resolution, so that multi-DC setups work correctly with newer clients when accessing the sysvol and netlogon shares<br />
* Protected storage, a protocol to decrypt selected user secrets with the DC's private key, used mainly for certificates<br />
* Dirsync, an LDAP control used for polling changes<br />
* Pseudobacklinks, a technical artifact so that all attributes with DN syntax are updated when the targeted DN changes its name, allowing DCs to be moved between sites<br />
<br />
== Short term jobs ==<br />
<br />
* None<br />
<br />
== Medium term jobs ==<br />
<br />
* File Replication Service<br />
* Change indexing<br />
<br />
== About indexing ==<br />
<br />
For the moment LDB uses DNs as index entries; as DNs can be quite long, this uses a lot of space and memory.<br />
The idea is to use GUIDs instead, at least in indexes.<br />
<br />
Currently an indexed search on attribute samAccountName for the value ''mat'' is done like this:<br />
<br />
# search for DN: @INDEX:SAMACCOUNTNAME:MAT<br />
# get the different DNs in the @IDX attributes<br />
# fetch each object whose DN was returned in step 2<br />
# do the filtering <br />
<br />
The idea is to do like this:<br />
# search for DN: @INDEX:SAMACCOUNTNAME:MAT (via ltdb_search_indexed)<br />
# get the different objectGUIDs in the @IDX attributes (through ltdb_index_dn, or ltdb_index_dn_one if scope = ONELEVEL, or directly if scope = BASE)<br />
# for each GUID search the associated DN<br />
# fetch each object whose DN was returned in step 3 (in ltdb_index_filter)<br />
# do the filtering (in ltdb_index_filter)<br />
<br />
This approach has the advantage of not modifying too much while still reducing the index size, '''but''' it means that if an index contains 100 entries then we will do 201 fetches (1 for the index, 100 for the GUID -> DN index, 100 for each DN).<br />
<br />
== Ideas on how to do it ==<br />
=== Search part ===<br />
<br />
Tag new indexes with version 3 and keep version 2 for the IDXONE indexes + index from GUID to DN.<br />
<br />
The function ltdb_index_dn has to be modified to check, after the call has succeeded, whether it should return a list of DNs or a list of GUIDs; by default it seems more interesting to return a list of GUIDs (as ltdb_index_dn tends to call itself indirectly quite a lot of times). The idea is to make ltdb_index_dn mostly deal with GUIDs but return a list of DNs at the very last moment (in ltdb_search_indexed).<br />
<br />
The function list_intersect has to be changed to be able to do the intersection on GUIDs rather than on DNs; it should also bring some speedup.<br />
<br />
The function ltdb_index_dn_simple needs to be changed to return a list of GUIDs.</div>Ekacnethttps://wiki.samba.org/index.php?title=User:Ekacnet&diff=6051User:Ekacnet2011-06-10T19:26:50Z<p>Ekacnet: </p>
<hr />
<div>Hello, this is my page!<br />
I'm Matthieu Patou; you can reach me on #samba-technical with the nick ekacnet.<br />
<br />
I have been a Samba team member (yeah!) since May 2010.<br />
<br />
I try to keep the [http://wiki.samba.org/index.php/Samba4/Andrew_and_Jelmers_Fantasy_Page fantasy page] up to date with what I'll try to do in the short term.<br />
<br />
<br />
== What I've done / What you can blame me for! ==<br />
<br />
* Upgradeprovision, a script to update your running provision to adapt to the perpetual changes we make in the Samba domain controller code (aka Samba4 so far).<br />
* DFS referral resolution, so that multi-DC setups work correctly with newer clients when accessing the sysvol and netlogon shares<br />
* Protected storage, a protocol to decrypt selected user secrets with the DC's private key, used mainly for certificates<br />
* Dirsync, an LDAP control used for polling changes<br />
* Pseudobacklinks, a technical artifact so that all attributes with DN syntax are updated when the targeted DN changes its name, allowing DCs to be moved between sites<br />
<br />
== Short term jobs ==<br />
<br />
* None<br />
<br />
== Medium term jobs ==<br />
<br />
* File Replication Service<br />
* Change indexing<br />
<br />
== About indexing ==<br />
<br />
For the moment LDB uses DNs as index entries; as DNs can be quite long, this uses a lot of space and memory.<br />
The idea is to use GUIDs instead, at least in indexes.<br />
<br />
Currently an indexed search on attribute samAccountName for the value ''mat'' is done like this:<br />
<br />
# search for DN: @INDEX:SAMACCOUNTNAME:MAT<br />
# get the different DNs in the @IDX attributes<br />
# fetch each object whose DN was returned in step 2<br />
# do the filtering <br />
<br />
The idea is to do like this:<br />
# search for DN: @INDEX:SAMACCOUNTNAME:MAT (via ltdb_search_indexed)<br />
# get the different objectGUIDs in the @IDX attributes (through ltdb_index_dn, or ltdb_index_dn_one if scope = ONELEVEL, or directly if scope = BASE)<br />
# for each GUID search the associated DN<br />
# fetch each object whose DN was returned in step 3 (in ltdb_index_filter)<br />
# do the filtering (in ltdb_index_filter)<br />
<br />
This approach has the advantage of not modifying too much while still reducing the index size, '''but''' it means that if an index contains 100 entries then we will do 201 fetches (1 for the index, 100 for the GUID -> DN index, 100 for each DN).</div>Ekacnethttps://wiki.samba.org/index.php?title=User:Ekacnet&diff=6050User:Ekacnet2011-06-10T19:09:23Z<p>Ekacnet: </p>
<hr />
<div>Hello, this is my page!<br />
I'm Matthieu Patou; you can reach me on #samba-technical with the nick ekacnet.<br />
<br />
I have been a Samba team member (yeah!) since May 2010.<br />
<br />
I try to keep the [http://wiki.samba.org/index.php/Samba4/Andrew_and_Jelmers_Fantasy_Page fantasy page] up to date with what I'll try to do in the short term.<br />
<br />
<br />
== What I've done / What you can blame me for! ==<br />
<br />
* Upgradeprovision, a script to update your running provision to adapt to the perpetual changes we make in the Samba domain controller code (aka Samba4 so far).<br />
* DFS referral resolution, so that multi-DC setups work correctly with newer clients when accessing the sysvol and netlogon shares<br />
* Protected storage, a protocol to decrypt selected user secrets with the DC's private key, used mainly for certificates<br />
* Dirsync, an LDAP control used for polling changes<br />
* Pseudobacklinks, a technical artifact so that all attributes with DN syntax are updated when the targeted DN changes its name, allowing DCs to be moved between sites<br />
<br />
== Short term jobs ==<br />
<br />
* None<br />
<br />
== Medium term jobs ==<br />
<br />
* File Replication Service<br />
* Change indexing<br />
<br />
== About indexing ==<br />
<br />
For the moment LDB uses DNs as index entries; as DNs can be quite long, this uses a lot of space and memory.<br />
The idea is to use GUIDs instead, at least in indexes.<br />
<br />
Currently an indexed search on attribute samAccountName for the value ''mat'' is done like this:<br />
<br />
# search for DN: @INDEX:SAMACCOUNTNAME:MAT<br />
# get the different DNs in the @IDX attributes<br />
# fetch each objects for which the DN was return in step 2<br />
# do the filtering<br />
<br />
ltdb_index_filter</div>Ekacnethttps://wiki.samba.org/index.php?title=SoC/Ideas&diff=5805SoC/Ideas2011-03-24T22:45:57Z<p>Ekacnet: /* Improve Build Farm look and Feel */</p>
<hr />
<div>= Google Summer of Code: Suggested Project ideas =<br />
<br />
The following are the Samba project ideas for Summer of Code.<br />
Of course you are free to come up with ideas not listed here.<br />
Please discuss your planned project by either joining us on irc://irc.freenode.net/#samba-technical or <br />
by sending email to samba-technical@samba.org<br />
<br />
Most of our projects will require C programming skills, but the Samba4 section has a couple of Python projects.<br />
<br />
==Samba 3==<br />
<br />
===Add remote (RPC) support for Samba configuration===<br />
<br />
For almost two years now, Samba has had a registry based configuration backend:<br />
configuration data is stored inside the registry key HKEY_LOCAL_MACHINE\Software\Samba\smbconf.<br />
Access to this configuration is available through a module that makes use of<br />
the "reg_api" module, which is the backend code for direct local access to<br />
the registry database. The reg_api interface is similar to the WINREG rpc interface.<br />
This project would at first develop a common API for registry access, local through<br />
reg_api and remote through the winreg rpc client code. This new module could be abstracted<br />
from the code of the utility "net rpc registry". With this new module, the registry<br />
configuration code could be enhanced to allow for remote configuration.<br />
<br />
Here are some more details:<br />
<br />
The basic idea behind the project is that it should be possible<br />
to use the same interface for local (direct db) and remote (rpc)<br />
access. One can see the difference between direct local<br />
and remote access very well when one compares the code<br />
of the "net registry" and the "net rpc registry" commands:<br />
this is utils/net_registry.c vs. utils/net_rpc_registry.c .<br />
The logic is very similar while the actual calls<br />
into the registry are very different.<br />
<br />
The rpc client implementation for WINREG consists of the functions<br />
of the form rpccli_winreg_foo(). So the idea is to also<br />
use the rpccli_winreg_foo() functions to access the local<br />
registry db instead of directly using the corresponding<br />
reg_foo() functions from reg_api.c.<br />
How can this be achieved? Each access to an rpc service<br />
must use an rpc_client structure that is created by an<br />
rpc bind call (which connects to a remote server, authenticates<br />
and so on). Now the trick is that there is already a sort<br />
of fake local rpc bind call in samba that makes the<br />
following rpccli_x_y calls not contact a remote server<br />
over the network but call out directly to the local<br />
server implementation. This is the function<br />
rpc_pipe_open_internal() in rpc_server/srv_pipe_hnd.c .<br />
<br />
So the idea is to create a function that uses this local<br />
bind for the WINREG service. And then maybe as a first<br />
exercise change "net registry" to use this bind and<br />
rpccli_winreg_ calls instead of reg_api calls.<br />
This will effectively make "net registry" a "--local" mode<br />
of the "net rpc registry" command.<br />
<br />
As a second stage (returning to the remote configuration<br />
topic of the project description), note that the<br />
registry based configuration uses a subsystem called libsmbconf<br />
stored in lib/smbconf/ , which has several backends, one<br />
of which is registry. The registry backend implementation<br />
could then be changed to use such a bind and rpccli_winreg_*<br />
calls. This would then after some extension make it possible<br />
to use libsmbconf and hence "net conf" to configure a remote<br />
samba server.<br />
<br />
As a follow-up (probably no longer part of this gsoc project),<br />
more subsystems of Samba that use the registry could be<br />
converted to use the local-bind + rpccli_winreg scheme, until<br />
in the end the reg_api code is only used in the WINREG<br />
rpc server implementation. This will make it much easier<br />
to change the registry backend code in the future.<br />
<br />
*Difficulty: Medium<br />
*Language(s): C<br />
*Possible Mentors: [[Obnox|Michael Adam]]<br />
<br />
<br />
<br />
===Make SWAT for Samba3 pretty===<br />
<br />
SWAT is the Samba Web Administration Tool, written in 1998. It still looks very 1998 as well. SWAT should get a complete redesign to match what people expect from a web application these days. The code running the web front-end will certainly need to be adapted as well. It might be viable to completely reimplement SWAT as a standalone web-app, if the current code cannot be adapted to support all features needed with a reasonable effort.<br />
<br />
* Difficulty: Medium<br />
* Language(s): JavaScript, C / possibly other language.<br />
* Possible mentors: Kai Blin<br />
<br />
==Samba 4==<br />
<br />
Some additional possible GSoC topics can be found in Bugzilla in the form of bugs which are marked as "Feature request": [https://bugzilla.samba.org/buglist.cgi?query_format=advanced&short_desc=Feature%20request&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&short_desc_type=allwordssubstr&product=Samba%204.0 here]. Questions regarding complexity and requirements should be directed to the technical mailing list.<br />
<br />
===Admin Utilities===<br />
<br />
We still need a few more Samba4-specific administration utilities to make Samba4 useful in real life. A Summer of Code student would be expected to do a number of these (identifying new needs from deployments), but here are some suggestions:<br />
<br />
===Extension of the GTK+ frontends=== <br />
<br />
There are a couple of GTK+ frontends for Samba4 (see [[SambaGtk]]). These are very limited at the moment but you could work on expanding them and further integrating them with GNOME. Language: C or Python<br />
<br />
*Difficulty: Easy<br />
*Language(s): Python, perhaps C<br />
*Possible mentors: [[JelmerVernooij]]<br />
<br />
===Setup / provision GUI for Samba (and OpenChange)===<br />
<br />
Setting up Samba and OpenChange currently requires running quite a lot of command line utilities. It should be easy for even a junior system administrator to set up Samba as a Domain Controller, RODC and general server.<br />
<br />
The Windows equivalent tool is dcpromo.exe, and while you may not want/need to copy it directly, it does provide a reasonable basis for establishing what this tool should be able to provide (in terms of outcomes).<br />
<br />
Some initial work (using PyQt4) is available at http://gitorious.org/samba-openchange-gui-tools/samba-openchange-gui-setup but working with that is not essential to this task.<br />
<br />
*Difficulty: Easy<br />
*Language(s): Python<br />
*Possible mentors: Brad Hards, probably others.<br />
<br />
===Windows Search Protocol WSP client library and torture tests===<br />
<br />
The Windows Search Protocol WSP is used to implement remote full filesystem<br />
indexing (indexed search) between Windows machines. We would like to<br />
support this functionality in Samba, interfacing with existing<br />
indexing tools on Unix systems (such as beagle).<br />
<br />
This is a new protocol based on SMB named pipes<br />
\pipe\ci_skads or \pipe\MSFTEWDS.<br />
See http://msdn2.microsoft.com/en-us/library/cc216195.aspx.<br />
<br />
The student should write a (un)marshalling library<br />
to push and pull PDUs and an async client library<br />
on top of the samba4 raw smb client library.<br />
<br />
The student should write subtests for smbtorture<br />
which demonstrate how the protocol works against<br />
a Windows server.<br />
<br />
The student doesn't have to implement the samba4 server code. <br />
<br />
*Difficulty: Hard<br />
*Language(s): C, (Python?)<br />
*Possible Mentors: Tridge<br />
<br />
===Browsing support in Samba 4===<br />
Samba 4 still needs support for mailslots in general and in particular for the BROWSE mailslot. Should come with tests. Documentation of the BROWSER protocol is available here:<br />
http://msdn.microsoft.com/en-us/library/cc201609(PROT.10).aspx<br />
http://ubiqx.org/cifs/Browsing.html<br />
<br />
*Difficulty: Hard<br />
*Language(s): C<br />
*Possible mentors: [[JelmerVernooij]], Stefan Metzmacher<br />
<br />
===Implement server side GPO in Samba4===<br />
Currently Samba4 supports GPOs, but setting them requires calling different Python scripts manually to make sure the changes are propagated from the DC to the clients. The student should implement support in Samba that would allow using existing tools like gpmc.msc to set GPOs that are propagated to the clients.<br />
More details can be found in [http://lists.samba.org/archive/samba-technical/2010-April/070296.html Matthieu's samba-technical email].<br />
<br />
*Difficulty: Medium<br />
*Language(s): C<br />
*Possible mentors: Matthieu Patou, Wilco Baan Hofman (?)<br />
<br />
===Implement login / logout related counter update===<br />
For the moment the attributes related to login and logout are not<br />
updated by Samba4.<br />
The goal of this project is to understand in which cases Windows updates<br />
the counters (i.e. most probably during interactive logon, but maybe<br />
also with some netlogon calls?) and to implement the counter and timestamp<br />
updates in Samba's code so that this information is available.<br />
This project of course includes the development of unit tests.<br />
<br />
*Difficulty: Easy<br />
*Language(s): C<br />
*Possible mentors: Andrew Bartlett<br />
<br />
==Linux Kernel CIFS/SMB2 client improvements==<br />
Interested students should contact Steve French or Jeff Layton and discuss possible improvements to the Linux Kernel CIFS VFS client. Here are some ideas to get you started:<br />
<br />
===Improved async/vectored i/o support (improves performance)===<br />
* add the ability for cifs to issue calls in parallel and handle read/write responses asynchronously. Here's how JLayton envisions this, but there may be other ways to do it, and there are some other concerns to consider as well:<br />
** generalize callback mechanism for cifsd when it receives a response. Instead of just waking up a process, it could do more to handle a SMB response.<br />
** cifs_writepages sends write requests serially now. It should instead issue the requests rapid-fire. Don't wait for the response from the previous request before sending another.<br />
** when sending these requests, set it up so that cifsd will handle the response itself. As long as it doesn't block, it should be ok to have cifsd mark the pages clean, etc. Alternately, the write response handling could be offloaded to a workqueue or something.<br />
** this will allow cifs_writepages to return w/o waiting for a response when we're writing in the background (WB_SYNC_NONE case).<br />
** consider how to handle reconnection events, canceling requests, lack of server response, etc.<br />
** readpages could probably also use similar handling. <br />
** You might also consider merging write requests, etc. (similar to how NFS handles this)<br />
** should we move to an unstable pages model (like NFS)?<br />
* Language: C<br />
* Difficulty: Hard<br />
* Possible Mentors: Jeff Layton or Steve French<br />
<br />
<br />
=== SMB2 protocol improvements ===<br />
*The SMB2 protocol (the follow-on to CIFS) adds many useful performance enhancements and new features. The Linux kernel implementation is still experimental and is missing key features including SMB2.1 dialect support (items such as lease keys), and it lacks a useful credit request algorithm (which the Samba server only recently added on the server side). Various performance optimizations (including support for very large reads and writes and dispatch of more requests in parallel) are also possible.<br />
* Language: C<br />
* Difficulty: Varies, Medium to Hard<br />
* Possible Mentors: Steve French<br />
<br />
=== Support for SELinux ===<br />
* MAC security label support is important for virtualization and useful for improved security of some workloads. Support for setting/getting these labels over the wire was investigated in the NFS version 4 working group. Adding support to the CIFS Unix Extensions (Linux kernel client and Samba server) should be possible, especially if this is just a new class of extended attribute. The goal would be to support this feature of SELinux to allow KVM and other applications to take advantage of security labels. Some of the background requirements are loosely related to the NFS equivalent described in: http://tools.ietf.org/html/draft-quigley-nfsv4-sec-label-01<br />
* Language: C<br />
* Difficulty: Hard<br />
* Possible Mentors: Steve French<br />
<br />
===Create GUI or command-line tools for displaying /proc/fs/cifs statistics and mount/session status===<br />
* might also involve some cleanup of the in-kernel stats / status output<br />
* Language: some C (for kernel code), something else for GUI?<br />
* Difficulty: Easy<br />
* Possible Mentors: Steve French<br />
<br />
===Create a common uid mapping mechanism for Linux nfs and cifs vfs clients===<br />
* or maybe just figure out a way to hook cifs up to rpc.idmapd<br />
* add a way for the client to remap the uids returned by the server to uids which would be valid on the client (or to a default if such uid does not exist).<br />
* This is helpful especially when the server supports the CIFS Unix Extensions and has different uids and gids mapping than the client<br />
* Difficulty: Hard<br />
* Possible Mentors: Jeff Layton or Steve French<br />
<br />
===VFS change notification support===<br />
* add VFS support for calling into the filesystem when setting up notifications<br />
* add code to cifs/smb2 to set up and deal with notifications from the server in response to inotify/dnotify calls<br />
* Difficulty: Hard<br />
* Possible Mentors: Jeff Layton or Steve French<br />
<br />
===Support for retrieving snapshots, encrypted files, or compressed files from Windows===<br />
* Difficulty: Medium<br />
* Possible Mentors: Steve French<br />
<br />
===cifs->Samba automated test facility===<br />
* Do build verification similar to what we can now do with the Samba server and tools in the Samba build farm. Mounts from the Linux SMB2 and CIFS kernel clients could be tested with posix file i/o tests which might include modified versions of the "connectathon" and xfstest test suites and others. The goal is to quickly identify problems with newly integrated patches.<br />
* Difficulty: Hard<br />
* Possible Mentors: Jeff Layton or Steve French<br />
<br />
===build infrastructure for storing NTLM creds in kernel keyring===<br />
* so that the kernel can establish sessions on the fly without needing to prompt for passwords<br />
** primarily a companion project to multisession mounts, so that they don't require Kerberos. It may be useful for other things too -- "regular" mounts possibly (in lieu of credential files), and may even be something that could be used by smbclient.<br />
** CIFS already uses the keyctl API to do upcalls for SPNEGO and DNS requests for DFS. This would use the same API, but a little differently -- the idea would be for users to "stash" credentials in the keyring. The kernel would then be able to scrape those credentials out of the keyring whenever it needed to establish a session.<br />
** a PAM module might also be nice for this (to allow stashing of creds on login)<br />
** candidates should read the keyctl(2) and related manpages, and the keys.txt and keys-request-key.txt files in the Documentation/ directory in the Linux kernel sources for more info<br />
<br />
* Difficulty: Medium<br />
* Possible Mentors: Jeff Layton<br />
<br />
===Other Random Ideas===<br />
* Ideas aren't limited to these, feel free to propose something else:<br />
** Create a GUI for creating and managing Linux cifs mounts, and more easily configuring the many complex cifs mount options, statistics (/proc/fs/cifs)<br />
** Support for alternate transport protocols (other than TCP sockets). Adding support for SCTP to cifs/smb2 kernel clients and Samba server or perhaps more interesting add support for Linux's "virtio" transport to the cifs/smb2 kernel clients and Samba server (to allow optimized mounts and zero-copy transfer of data from virtualized guests to hosts on the same box)<br />
** Support for features (such as directory delegations) which NFS version 4.1 has but which current CIFS even with the most current CIFS->Samba protocol extensions (CIFS Unix Extensions) do not have -- will probably need server support too.<br />
** Add additional library support or modify Samba client libraries so they can use existing kernel cifs functions (such as sending SMBs on negotiated sessions when the kernel client already has a session to the server). With the addition of library to access cifs's pipe (in kernel), Samba client libraries or other dce/rpc code could use cifs kernel sessions for management of and over cifs mounts.<br />
** Add libraries and utilities to manage acls (cifs kernel client has an extended attribute for setting/getting "raw" cifs acls but userspace posix acl tools obviously can't be used to manage cifs specific acl features).<br />
*Difficulty: Varies<br />
*Language(s): C<br />
*Possible mentors: Steve French<br />
<br />
==Build Farm==<br />
===Improve Build Farm look and Feel===<br />
Samba's [http://build.samba.org build farm] still hasn't adopted the new Samba graphical charter (visual identity), and its look and feel is not very good.<br />
With this submission we propose to address this with the following objectives:<br />
<br />
*Main ideas:<br />
** Adopt the new Samba style<br />
** Improve reporting (i.e. show which builds fail and which do not, daily emails, ...)<br />
** Make test errors quickly accessible; in this [http://build.samba.org/build.cgi/build/d72e624c4a62a62e8d34b0c54efc2a97c0493aa9 example] the user has to scroll a long way before reaching the errors<br />
** Add the capacity to manage flaky tests and reduce email alerts (i.e. require 2 consecutive builds with the same flaky test failure before reporting a real error)<br />
** Improve page loading speed (Ajax?)<br />
*Difficulty: Easy to Medium<br />
*Language(s): HTML, CSS, Python<br />
*Possible mentors: Matthieu Patou, [[JelmerVernooij]]</div>Ekacnethttps://wiki.samba.org/index.php?title=SoC/Ideas&diff=5804SoC/Ideas2011-03-24T22:45:22Z<p>Ekacnet: /* Improve Build Farm look and Feel */</p>
<hr />
<div>= Google Summer of Code: Suggested Project ideas =<br />
<br />
The following are the Samba project ideas for Summer of Code.<br />
Of course you are free to come up with ideas not listed here.<br />
Please discuss the your planned project by either joining us on irc://irc.freenode.net/#samba-technical or <br />
by sending email to samba-technical@samba.org<br />
<br />
Most of our projects will require C programming skills, but the Samba4 section has a couple of Python projects.<br />
<br />
==Samba 3==<br />
<br />
===Add remote (RPC) support for Samba configuration===<br />
<br />
Since almost two years now, Samba has a registry based configuration backend:<br />
Configuration data is stored inside the registry key HKEY_LOCAL_MACHINE\Software\Samba\smbconf.<br />
Access to this configuration is available through a module that makes use of<br />
the "reg_api" module which is the backend code for direct local access to<br />
the registry database. The reg_api interface is similar to the WINREG rpc interface.<br />
This project would at first develop a common API for registry access local through<br />
reg_api and remote through the winreg rpc client code. This new module could be abstraced<br />
from the code of the utility "net rpc registry". With this new module, the registry<br />
configuration code could be enhanced to allow for remote configuration.<br />
<br />
Here are some more details:<br />
<br />
The basic idea behind the project is that it should be possible<br />
to use the same interface for local (direct db) and remote (rpc)<br />
access. One can see the difference between that direct local<br />
and the remote access very well when one compares the code<br />
of the "net registry" and the "net rpc registry" commands:<br />
this is utils/net_registry.c vs. utils/net_rpc_registry.c .<br />
The logic is very similar while the actual calls<br />
into registry are very different.<br />
<br />
The rpc client implementation for WINREG are the functions<br />
of the form rpccli_winreg_foo(). So the idea is to also<br />
use the rpccli_winreg_foo() functions to access the local<br />
registry db instead of direclty using the corresponding<br />
reg_foo() functions from reg_api.c.<br />
How can this be achieved? Each access to a rpc service<br />
must use an rpc_client structure that is created by an<br />
rpc bind call (which connects to a remote server, authenticates<br />
and such). Now the trick is that there is already a sort<br />
of fake local rpc bind call in samba that makes the<br />
following rpccli_x_y calls not contact a remote server<br />
over the network but call out direclty to the local<br />
server implementation. This is the function<br />
rpc_pipe_open_internal() in rpc_server/srv_pipe_hnd.c .<br />
<br />
So the idea is to create a function that uses this local<br />
bind for the WINREG service. And then maybe as a first<br />
exercise change "net registry" to use this bind and<br />
rpccli_winreg_ calls instead of reg_api calls.<br />
This will effectively make "net registry" a "--local" mode<br />
of the "net rpc registry" command.<br />
<br />
As a second stage (returning to the remote configuration<br />
topic of the project description), note that the<br />
registry based configuration uses a subsystem called libsmbconf<br />
stored in lib/smbconf/ , which has several backends, one<br />
of which is registry. The registry backend implementation<br />
could then be changed to use such a bind and rpccli_winreg_*<br />
calls. This would then after some extension make it possible<br />
to use libsmbconf and hence "net conf" to configure a remote<br />
samba server.<br />
<br />
In the sequel (probably not any more part of this gsoc project),<br />
more subsystems of Samba that use the registry could be<br />
converted to use the local-bind + rpccli_winreg scheme, until<br />
in the end, the reg_api code will only be used in the WINREG<br />
rpc server implementation. This will make it much more easy<br />
do change the registry backend code in the future.<br />
<br />
*Difficulty: Medium<br />
*Language(s): C<br />
*Possible Mentors: [[Obnox|Michael Adam]]<br />
<br />
<br />
<br />
===Make SWAT for Samba3 pretty===<br />
<br />
SWAT is the Samba Web Administration Tool, written in 1998. It still looks very 1998 as well. SWAT should get a complete redesign to match what people expect from a web application these days. The code running the web front-end will certainly need to be adapted as well. It might be viable to completely reimplement SWAT as a standalone web-app, if the current code cannot be adapted to support all features needed with a reasonable effort.<br />
<br />
* Difficulty: Medium<br />
* Language(s): JavaScript, C / possibly other language.<br />
* Possible mentors: Kai Blin<br />
<br />
==Samba 4==<br />
<br />
Some additional possible GSoC topics can be found in Bugzilla in the form of bugs which are marked as "Feature request": [https://bugzilla.samba.org/buglist.cgi?query_format=advanced&short_desc=Feature%20request&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&short_desc_type=allwordssubstr&product=Samba%204.0 here]. Questions regarding complexity and requirements should be directed to the technical mailing list.<br />
<br />
===Admin Utilities===<br />
<br />
We still need a few more Samba4-specific administration utilities to make Samba4 useful in real life. A Summer of Code student would be expected to do a number of these (identifying new needs from deployments), but here are some suggestions:<br />
<br />
===Extension of the GTK+ frontends=== <br />
<br />
There are a couple of GTK+ frontends for Samba4 (see [[SambaGtk]]). These are very limited at the moment but you could work on expanding them and further integrating them with GNOME. Language: C or Python<br />
<br />
*Difficulty: Easy<br />
*Language(s): Python, perhaps C<br />
*Possible mentors: [[JelmerVernooij]]<br />
<br />
===Setup / provision GUI for Samba (and OpenChange)===<br />
<br />
Setting up Samba and OpenChange currently requires running quite a lot of command line utilities. It should be easy for even a junior system administrator to set up Samba as a Domain Controller, RODC and general server.<br />
<br />
The windows equivalent tool is dcpromo.exe, and while you may not want/need to copy it directly, it does provide a reasonable basis for establishing what this tool should be able to provide (in terms of outcomes).<br />
<br />
Some initial work (using PyQt4) is available at http://gitorious.org/samba-openchange-gui-tools/samba-openchange-gui-setup but working with that is not essential to this task.<br />
<br />
*Difficulty: Easy<br />
*Language(s): Python<br />
*Possible mentors: Brad Hards, probably others.<br />
<br />
===Windows Search Protocol WSP client library and torture tests===<br />
<br />
The Windows Search Protocol WSP is used to implement remote full filesystem<br />
indexing (indexed search) between windows machines. We would like to<br />
support this functionality in Samba, interfacing with existing<br />
indexing tools on Unix systems (such as beagle).<br />
<br />
This is a new protocol based on SMB named pipes<br />
\pipe\ci_skads or \pipe\MSFTEWDS.<br />
See http://msdn2.microsoft.com/en-us/library/cc216195.aspx.<br />
<br />
The student should write a (un)marshalling library<br />
to push and pull PDUs and an async client library<br />
on top of the samba4 raw smb client library.<br />
<br />
The student should write sub tests for smbtorture<br />
which should demostrate how the protocol works against<br />
a windows server.<br />
<br />
The student doesn't have to implement the samba4 server code. <br />
<br />
*Difficulty: Hard<br />
*Language(s): C, (Python?)<br />
*Possible Mentors: Tridge<br />
<br />
===Browsing support in Samba 4===<br />
Samba 4 still needs support for mailslots in general and in particular for the BROWSE mailslot. Should come with tests. Documentation of the BROWSER protocol is available here:<br />
http://msdn.microsoft.com/en-us/library/cc201609(PROT.10).aspx<br />
http://ubiqx.org/cifs/Browsing.html<br />
<br />
*Difficulty: Hard<br />
*Language(s): C<br />
*Possible mentors: [[JelmerVernooij]], Stefan Metzmacher<br />
<br />
===Implement server side GPO in Samba4===<br />
Currently Samba4 supports GPOs, but setting them requires calling different python scripts manually to make sure the changes are propagated from the DC to the clients. The student should implement support in Samba that would allow using existing tools like gpmc.msc to set GPOs that are propagated to the clients.<br />
More details can be found in [http://lists.samba.org/archive/samba-technical/2010-April/070296.html Matthieu's samba-technical email].<br />
<br />
*Difficulty: Medium<br />
*Language(s): C<br />
*Possible mentors: Matthieu Patou, Wilco Baan Hofman (?)<br />
<br />
===Implement login / logout related counter update===<br />
For the moment the attributes related to login and logout are not <br />
updated by Samba4.<br />
The goal of this project is to understand in which cases Windows updates <br />
the counters (i.e. most probably during interactive logon, but maybe also <br />
with some netlogon calls?) and to implement the counter and timestamp <br />
updates in Samba code so that this information is available.<br />
This project of course includes the development of unit tests.<br />
<br />
*Difficulty: Easy<br />
*Language(s): C<br />
*Possible mentors: Andrew Bartlett<br />
<br />
==Linux Kernel CIFS/SMB2 client improvements==<br />
Interested students should contact Steve French or Jeff Layton and discuss possible improvements to the Linux Kernel CIFS VFS client. Here are some ideas to get you started:<br />
<br />
===Improved async/vectored i/o support (improves performance)===<br />
* add ability for cifs to issue calls in parallel and handle read/write responses asynchronously. Here's how JLayton envisions this, but there may be other ways to do it, and there are some other concerns to consider as well:<br />
** generalize callback mechanism for cifsd when it receives a response. Instead of just waking up a process, it could do more to handle a SMB response.<br />
** cifs_writepages sends write requests serially now. It should instead issue the requests rapid-fire. Don't wait for the response from the previous request before sending another.<br />
** when sending these requests, set it up so that cifsd will handle the response itself. As long as it doesn't block, it should be ok to have cifsd mark the pages clean, etc. Alternately, the write response handling could be offloaded to a workqueue or something.<br />
** this will allow cifs_writepages to return w/o waiting for a response when we're writing in the background (WB_SYNC_NONE case).<br />
** consider how to handle reconnection events, canceling requests, lack of server response, etc.<br />
** readpages could probably also use similar handling. <br />
** You might also consider merging write requests, etc. (similar to how NFS handles this)<br />
** should we move to an unstable pages model (like NFS)?<br />
* Language: C<br />
* Difficulty: Hard<br />
* Possible Mentors: Jeff Layton or Steve French<br />
<br />
<br />
=== SMB2 protocol improvements ===<br />
*The SMB2 protocol (follow-on to CIFS) adds many useful performance enhancements and new features. The Linux kernel implementation is still experimental and is missing key features including SMB2.1 dialect support (items such as lease keys), and it lacks a useful credit request algorithm (which the Samba server only recently added for the server side). Various performance optimizations (including support for very large reads and writes and dispatch of more requests in parallel) are also possible.<br />
* Language: C<br />
* Difficulty: Varies, Medium to Hard<br />
* Possible Mentors: Steve French<br />
<br />
=== Support for SELinux ===<br />
* MAC (mandatory access control) security label support is important for virtualization and useful for improved security of some workloads. Support for setting/getting these labels over the wire was investigated in the NFS version 4 working group. Adding support to the CIFS Unix Extensions (Linux kernel client and Samba server) should be possible, especially if this is just a new class of extended attribute. The goal would be to support this feature of SELinux to allow KVM and other applications to take advantage of security labels. Some of the background requirements are loosely related to (the NFS equivalent of) what is described in: http://tools.ietf.org/html/draft-quigley-nfsv4-sec-label-01<br />
* Language: C<br />
* Difficulty: Hard<br />
* Possible Mentors: Steve French<br />
<br />
===Create GUI or command-line tools for displaying /proc/fs/cifs statistics and mount/session status===<br />
* might also involve some cleanup of the in-kernel stats / status output<br />
* Language: some C (for kernel code), something else for GUI?<br />
* Difficulty: Easy<br />
* Possible Mentors: Steve French<br />
<br />
===Create a common uid mapping mechanism for Linux nfs and cifs vfs clients===<br />
* or maybe just figure out a way to hook cifs up to rpc.idmapd<br />
* add a way for the client to remap the uids returned by the server to uids which would be valid on the client (or to a default if such uid does not exist).<br />
* This is helpful especially when the server supports the CIFS Unix Extensions and has a different uid and gid mapping from the client<br />
* Difficulty: Hard<br />
* Possible Mentors: Jeff Layton or Steve French<br />
<br />
===VFS change notification support===<br />
* add VFS support for calling into the filesystem when setting up notifications<br />
* add code to cifs/smb2 to set up and deal with notifications from the server in response to inotify/dnotify calls<br />
* Difficulty: Hard<br />
* Possible Mentors: Jeff Layton or Steve French<br />
<br />
===Support for retrieving snapshots, encrypted files, or compressed files from Windows===<br />
* Difficulty: Medium<br />
* Possible Mentors: Steve French<br />
<br />
===cifs->Samba automated test facility===<br />
* Do build verification similar to what we can now do with the Samba server and tools in the Samba build farm. Mounts from the Linux SMB2 and CIFS kernel clients could be tested with posix file i/o tests which might include modified versions of the "connectathon" and xfstest test suites and others. The goal is to quickly identify problems with newly integrated patches.<br />
* Difficulty: Hard<br />
* Possible Mentors: Jeff Layton or Steve French<br />
<br />
===build infrastructure for storing NTLM creds in kernel keyring===<br />
* so that the kernel can establish sessions on the fly without needing to prompt for passwords<br />
** primarily a companion project to multisession mounts, so that they don't require kerberos. It may be useful for other things too -- "regular" mounts possibly (in lieu of credential files), may even be something that could be used by smbclient.<br />
** CIFS already uses the keyctl API to do upcalls for SPNEGO and DNS requests for DFS. This would use the same API, but a little differently -- the idea would be for users to "stash" credentials in the keyring. The kernel would then be able to scrape those credentials out of the keyring whenever it needed to establish a session.<br />
** a PAM module might also be nice for this (to allow stashing of creds on login)<br />
** candidates should read the keyctl(2) and related manpages, and the keys.txt and keys-request-key.txt files in the Documentation/ directory in the Linux kernel sources for more info<br />
<br />
* Difficulty: Medium<br />
* Possible Mentors: Jeff Layton<br />
<br />
===Other Random Ideas===<br />
* Ideas aren't limited to these, feel free to propose something else:<br />
** Create a GUI for creating and managing Linux cifs mounts, and more easily configuring the many complex cifs mount options, statistics (/proc/fs/cifs)<br />
** Support for alternate transport protocols (other than TCP sockets). Adding support for SCTP to cifs/smb2 kernel clients and Samba server or perhaps more interesting add support for Linux's "virtio" transport to the cifs/smb2 kernel clients and Samba server (to allow optimized mounts and zero-copy transfer of data from virtualized guests to hosts on the same box)<br />
** Support for features (such as directory delegations) which NFS version 4.1 has but which current CIFS even with the most current CIFS->Samba protocol extensions (CIFS Unix Extensions) do not have -- will probably need server support too.<br />
** Add additional library support or modify Samba client libraries so they can use existing kernel cifs functions (such as sending SMBs on negotiated sessions when the kernel client already has a session to the server). With the addition of a library to access cifs's pipe (in kernel), Samba client libraries or other dce/rpc code could use cifs kernel sessions for management of and over cifs mounts.<br />
** Add libraries and utilities to manage acls (cifs kernel client has an extended attribute for setting/getting "raw" cifs acls but userspace posix acl tools obviously can't be used to manage cifs specific acl features).<br />
*Difficulty: Varies<br />
*Language(s): C<br />
*Possible mentors: Steve French<br />
<br />
==Build Farm==<br />
===Improve Build Farm look and Feel===<br />
Samba's [http://build.samba.org build farm] still hasn't adopted the new Samba graphical charter, and its look and feel is not very good.<br />
With this submission we propose to address this with the following objectives:<br />
<br />
* Adopt the new samba style <br />
* Improve reporting (i.e. present which builds are failing and which are not, daily emails, ...)<br />
* Make test errors quickly accessible, in this [http://build.samba.org/build.cgi/build/d72e624c4a62a62e8d34b0c54efc2a97c0493aa9 example], user has to scroll a long time before meeting the errors<br />
* Add the capacity to manage flaky tests and reduce email alerts (i.e. require 2 consecutive builds failing on the same flaky test before a real error is raised)<br />
* Improve page loading speed (ajax ?)<br />
<br />
<br />
*Difficulty: Easy to Medium<br />
*Language(s): HTML, CSS, Python<br />
*Possible mentors: Matthieu Patou, [[JelmerVernooij]]</div>Ekacnethttps://wiki.samba.org/index.php?title=SoC/Ideas&diff=5803SoC/Ideas2011-03-24T22:04:24Z<p>Ekacnet: </p>
<hr />
<div>= Google Summer of Code: Suggested Project ideas =<br />
<br />
The following are the Samba project ideas for Summer of Code.<br />
Of course you are free to come up with ideas not listed here.<br />
Please discuss your planned project by either joining us on irc://irc.freenode.net/#samba-technical or <br />
by sending email to samba-technical@samba.org<br />
<br />
Most of our projects will require C programming skills, but the Samba4 section has a couple of Python projects.<br />
<br />
==Samba 3==<br />
<br />
===Add remote (RPC) support for Samba configuration===<br />
<br />
For almost two years now, Samba has had a registry based configuration backend:<br />
Configuration data is stored inside the registry key HKEY_LOCAL_MACHINE\Software\Samba\smbconf.<br />
Access to this configuration is available through a module that makes use of<br />
the "reg_api" module, which is the backend code for direct local access to<br />
the registry database. The reg_api interface is similar to the WINREG rpc interface.<br />
This project would at first develop a common API for registry access, locally through<br />
reg_api and remotely through the winreg rpc client code. This new module could be abstracted<br />
from the code of the utility "net rpc registry". With this new module, the registry<br />
configuration code could be enhanced to allow for remote configuration.<br />
<br />
Here are some more details:<br />
<br />
The basic idea behind the project is that it should be possible<br />
to use the same interface for local (direct db) and remote (rpc)<br />
access. One can see the difference between direct local<br />
and remote access very well when one compares the code<br />
of the "net registry" and the "net rpc registry" commands:<br />
this is utils/net_registry.c vs. utils/net_rpc_registry.c.<br />
The logic is very similar while the actual calls<br />
into the registry are very different.<br />
<br />
The rpc client implementation for WINREG consists of the functions<br />
of the form rpccli_winreg_foo(). So the idea is to also<br />
use the rpccli_winreg_foo() functions to access the local<br />
registry db instead of directly using the corresponding<br />
reg_foo() functions from reg_api.c.<br />
How can this be achieved? Each access to an rpc service<br />
must use an rpc_client structure that is created by an<br />
rpc bind call (which connects to a remote server, authenticates<br />
and so on). Now the trick is that there is already a sort<br />
of fake local rpc bind call in Samba that makes the<br />
following rpccli_x_y calls not contact a remote server<br />
over the network but call out directly to the local<br />
server implementation. This is the function<br />
rpc_pipe_open_internal() in rpc_server/srv_pipe_hnd.c.<br />
<br />
So the idea is to create a function that uses this local<br />
bind for the WINREG service. And then maybe as a first<br />
exercise change "net registry" to use this bind and<br />
rpccli_winreg_ calls instead of reg_api calls.<br />
This will effectively make "net registry" a "--local" mode<br />
of the "net rpc registry" command.<br />
<br />
As a second stage (returning to the remote configuration<br />
topic of the project description), note that the<br />
registry based configuration uses a subsystem called libsmbconf<br />
stored in lib/smbconf/ , which has several backends, one<br />
of which is registry. The registry backend implementation<br />
could then be changed to use such a bind and rpccli_winreg_*<br />
calls. This would then after some extension make it possible<br />
to use libsmbconf and hence "net conf" to configure a remote<br />
samba server.<br />
<br />
As a follow-up (probably no longer part of this GSoC project),<br />
more subsystems of Samba that use the registry could be<br />
converted to use the local-bind + rpccli_winreg scheme, until<br />
in the end the reg_api code is only used in the WINREG<br />
rpc server implementation. This will make it much easier<br />
to change the registry backend code in the future.<br />
<br />
*Difficulty: Medium<br />
*Language(s): C<br />
*Possible Mentors: [[Obnox|Michael Adam]]<br />
<br />
<br />
<br />
===Make SWAT for Samba3 pretty===<br />
<br />
SWAT is the Samba Web Administration Tool, written in 1998. It still looks very 1998 as well. SWAT should get a complete redesign to match what people expect from a web application these days. The code running the web front-end will certainly need to be adapted as well. It might be viable to completely reimplement SWAT as a standalone web-app, if the current code cannot be adapted to support all features needed with a reasonable effort.<br />
<br />
* Difficulty: Medium<br />
* Language(s): JavaScript, C / possibly other language.<br />
* Possible mentors: Kai Blin<br />
<br />
==Samba 4==<br />
<br />
Some additional possible GSoC topics can be found in Bugzilla in the form of bugs which are marked as "Feature request": [https://bugzilla.samba.org/buglist.cgi?query_format=advanced&short_desc=Feature%20request&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&short_desc_type=allwordssubstr&product=Samba%204.0 here]. Questions regarding complexity and requirements should be directed to the technical mailing list.<br />
<br />
===Admin Utilities===<br />
<br />
We still need a few more Samba4-specific administration utilities to make Samba4 useful in real life. A Summer of Code student would be expected to do a number of these (identifying new needs from deployments), but here are some suggestions:<br />
<br />
===Extension of the GTK+ frontends=== <br />
<br />
There are a couple of GTK+ frontends for Samba4 (see [[SambaGtk]]). These are very limited at the moment but you could work on expanding them and further integrating them with GNOME. Language: C or Python<br />
<br />
*Difficulty: Easy<br />
*Language(s): Python, perhaps C<br />
*Possible mentors: [[JelmerVernooij]]<br />
<br />
===Setup / provision GUI for Samba (and OpenChange)===<br />
<br />
Setting up Samba and OpenChange currently requires running quite a lot of command line utilities. It should be easy for even a junior system administrator to set up Samba as a Domain Controller, RODC and general server.<br />
<br />
The Windows equivalent tool is dcpromo.exe, and while you may not want/need to copy it directly, it does provide a reasonable basis for establishing what this tool should be able to provide (in terms of outcomes).<br />
<br />
==Build Farm==<br />
===Improve Build Farm look and Feel===<br />
*Difficulty: Easy to Medium<br />
*Language(s): HTML, CSS, Python<br />
*Possible mentors: Matthieu Patou, [[JelmerVernooij]]</div>Ekacnethttps://wiki.samba.org/index.php?title=SoC/Ideas&diff=5782SoC/Ideas2011-03-06T09:48:29Z<p>Ekacnet: /* Implement server side GPO in Samba4 */</p>
<hr />
<div>= Google Summer of Code: Suggested Project ideas =<br />
<br />
The following are the Samba project ideas for Summer of Code.<br />
Of course you are free to come up with ideas not listed here.<br />
Please discuss your planned project by either joining us on irc://irc.freenode.net/#samba-technical or <br />
by sending email to samba-technical@samba.org<br />
<br />
Most of our projects will require C programming skills, but the Samba4 section has a couple of Python projects.<br />
<br />
==Samba 3==<br />
<br />
<br />
==Samba 4==<br />
<br />
===Admin Utilities===<br />
We still need a few more Samba4-specific administration utilities to make Samba4 useful in real life. A Summer of Code student would be expected to do a number of these (identifying new needs from deployments), but here are some suggestions:<br />
<br />
<br />
====Extension of the GTK+ frontends====<br />
There are a couple of GTK+ frontends for Samba4 (see [[SambaGtk]]). These are very limited at the moment but you could work on expanding them and further integrating them with GNOME. Language: C or Python<br />
<br />
*Difficulty: Easy<br />
*Language(s): Python, perhaps C<br />
*Possible mentors: [[JelmerVernooij]]<br />
<br />
====Setup / provision GUI for Samba (and OpenChange)====<br />
<br />
Setting up Samba and OpenChange currently requires running quite a lot of command line utilities. It should be easy for even a junior system administrator to set up Samba as a Domain Controller, RODC and general server.<br />
<br />
The windows equivalent tool is dcpromo.exe, and while you may not want/need to copy it directly, it does provide a reasonable basis for establishing what this tool should be able to provide (in terms of outcomes).<br />
<br />
Some initial work (using PyQt4) is available at http://gitorious.org/samba-openchange-gui-tools/samba-openchange-gui-setup but working with that is not essential to this task.<br />
<br />
*Difficulty: Easy<br />
*Language(s): Python<br />
*Possible mentors: Brad Hards, probably others.<br />
<br />
<br />
====Create a GUI like regedit====<br />
<br />
The idea is to have a frontend like "regedit" to edit a registry on remote machines. The easiest way would be to write such a GUI in python using pyQt and the Samba4 winreg python bindings.<br />
<br />
http://git.samba.org/?p=samba.git;a=blob;f=source4/scripting/python/examples/winreg.py;h=80b48ecfd7894022202b60173c28a9775d9d7daf;hb=master<br />
<br />
*Difficulty: Easy<br />
*Language(s): Python<br />
*Possible mentors: Jelmer Vernooij and Andreas Schneider<br />
<br />
===Windows Search Protocol WSP client library and torture tests===<br />
<br />
The Windows Search Protocol WSP is used to implement remote full filesystem<br />
indexing (indexed search) between windows machines. We would like to<br />
support this functionality in Samba, interfacing with existing<br />
indexing tools on Unix systems (such as beagle).<br />
<br />
This is a new protocol based on SMB named pipes<br />
\pipe\ci_skads or \pipe\MSFTEWDS.<br />
See http://msdn2.microsoft.com/en-us/library/cc216195.aspx.<br />
<br />
The student should write a (un)marshalling library<br />
to push and pull PDUs and an async client library<br />
on top of the samba4 raw smb client library.<br />
<br />
The student should write sub tests for smbtorture<br />
which should demonstrate how the protocol works against<br />
a Windows server.<br />
<br />
The student doesn't have to implement the samba4 server code. <br />
<br />
*Difficulty: Hard<br />
*Language(s): C, (Python?)<br />
*Possible Mentors: Tridge<br />
<br />
===Browsing support in Samba 4===<br />
Samba 4 still needs support for mailslots in general and in particular for the BROWSE mailslot. Should come with tests. Documentation of the BROWSER protocol is available here:<br />
http://msdn.microsoft.com/en-us/library/cc201609(PROT.10).aspx<br />
http://ubiqx.org/cifs/Browsing.html<br />
<br />
*Difficulty: Hard<br />
*Language(s): C<br />
*Possible mentors: [[JelmerVernooij]], Stefan Metzmacher<br />
<br />
===Implement server side GPO in Samba4===<br />
Currently Samba4 supports GPOs, but setting them requires calling different python scripts manually to make sure the changes are propagated from the DC to the clients. The student should implement support in Samba that would allow using existing tools like gpmc.msc to set GPOs that are propagated to the clients.<br />
More details can be found in [http://lists.samba.org/archive/samba-technical/2010-April/070296.html Matthieu's samba-technical email].<br />
<br />
*Difficulty: Medium<br />
*Language(s): C<br />
*Possible mentors: Matthieu Patou, Matthias Dieter Wallnöfer<br />
<br />
===Implement login / logout related counter update===<br />
For the moment the attributes related to login and logout are not<br />
updated by Samba4.<br />
The goal of this project is to understand in which cases Windows updates<br />
the counters (i.e. most probably during interactive logon, but maybe also<br />
with some netlogon calls?) and to implement the counter and timestamp<br />
updates in the Samba code so that this information is available.<br />
This project of course includes the development of unit tests.<br />
<br />
*Difficulty: Easy<br />
*Language(s): C<br />
*Possible mentors: Andrew Bartlett<br />
<br />
==Linux Kernel CIFS/SMB2 client improvements==<br />
Interested students should contact Steve French or Jeff Layton and discuss possible improvements to the Linux Kernel CIFS VFS client. Here are some ideas to get you started:<br />
<br />
===Improved async/vectored i/o support (improves performance)===<br />
* add ability for cifs to issue calls in parallel and handle read/write responses asynchronously. Here's how JLayton envisions this, but there may be other ways to do it; there are some other concerns to consider as well:<br />
** generalize callback mechanism for cifsd when it receives a response. Instead of just waking up a process, it could do more to handle a SMB response.<br />
** cifs_writepages sends write requests serially now. It should instead issue the requests rapid-fire. Don't wait for the response from the previous request before sending another.<br />
** when sending these requests, set it up so that cifsd will handle the response itself. As long as it doesn't block, it should be ok to have cifsd mark the pages clean, etc. Alternately, the write response handling could be offloaded to a workqueue or something.<br />
** this will allow cifs_writepages to return w/o waiting for a response when we're writing in the background (WB_SYNC_NONE case).<br />
** consider how to handle reconnection events, canceling requests, lack of server response, etc.<br />
** readpages could probably also use similar handling. <br />
** You might also consider merging write requests, etc. (similar to how NFS handles this)<br />
** should we move to an unstable pages model (like NFS)?<br />
* Language: C<br />
* Difficulty: Hard<br />
* Possible Mentors: Jeff Layton or Steve French<br />
<br />
===Create GUI or command-line tools for displaying /proc/fs/cifs statistics and mount/session status===<br />
* might also involve some cleanup of the in-kernel stats / status output<br />
* Language: some C (for kernel code), something else for GUI?<br />
* Difficulty: Easy<br />
* Possible Mentors: Steve French<br />
<br />
===Create a common uid mapping mechanism for Linux nfs and cifs vfs clients===<br />
* or maybe just figure out a way to hook cifs up to rpc.idmapd<br />
* add a way for the client to remap the uids returned by the server to uids which would be valid on the client (or to a default if such uid does not exist).<br />
* This is helpful especially when the server supports the CIFS Unix Extensions and has a different uid and gid mapping than the client<br />
* Difficulty: Hard<br />
* Possible Mentors: Jeff Layton or Steve French<br />
<br />
===VFS change notification support===<br />
* add VFS support for calling into the filesystem when setting up notifications<br />
* add code to cifs/smb2 to set up and deal with notifications from the server in response to inotify/dnotify calls<br />
* Difficulty: Hard<br />
* Possible Mentors: Jeff Layton or Steve French<br />
<br />
===Integration of CIFS/SMB2 client with fscache===<br />
* allows offline caching of files on the client<br />
* maybe also consider some disconnected operation<br />
* Difficulty: Hard<br />
* Possible Mentors: Jeff Layton or Steve French<br />
<br />
I (Suresh Jayaraman) have a working prototype that can be found here: <br />
http://www.kernel.org/pub/linux/kernel/people/jays/patches/<br />
<br />
(mentioning here to avoid any possible duplication of work)<br />
<br />
===Overhaul reconnection behavior===<br />
* based on "serial numbers" rather than the complex flags that we have today<br />
* maybe also use sk_state_change callback from socket layer<br />
* Difficulty: Medium/Hard<br />
* Possible Mentors: Jeff Layton<br />
<br />
===Support for retrieving snapshots, encrypted files, or compressed files from Windows===<br />
* Difficulty: Hard?<br />
* Possible Mentors: Steve French<br />
<br />
===cifs->Samba automated test facility===<br />
* Do build verification similar to what we can now do with the Samba server and tools in the Samba build farm<br />
* Difficulty: Hard<br />
* Possible Mentors: Jeff Layton or Steve French<br />
<br />
===build infrastructure for storing NTLM creds in kernel keyring===<br />
* so that the kernel can establish sessions on the fly without needing to prompt for passwords<br />
** primarily a companion project to multisession mounts, so that they don't require kerberos. It may be useful for other things too -- "regular" mounts possibly (in lieu of credential files), may even be something that could be used by smbclient.<br />
** CIFS already uses the keyctl API to do upcalls for SPNEGO and DNS requests for DFS. This would use the same API, but a little differently -- the idea would be for users to "stash" credentials in the keyring. The kernel would then be able to scrape those credentials out of the keyring whenever it needed to establish a session.<br />
** a PAM module might also be nice for this (to allow stashing of creds on login)<br />
** candidates should read the keyctl(2) and related manpages, and the keys.txt and keys-request-key.txt files in the Documentation/ directory in the Linux kernel sources for more info<br />
<br />
* Difficulty: Medium<br />
* Possible Mentors: Jeff Layton<br />
<br />
===Other Random Ideas===<br />
* Ideas aren't limited to these, feel free to propose something else:<br />
** Prototype SMB2 client -- seems unfeasible for GSoC project<br />
** Create a GUI for creating and managing Linux cifs mounts, and more easily configuring the many complex cifs mount options -- doesn't seem very useful since it'll have to run as root. Will also quickly go out of date<br />
** Support for alternate transport protocols (other than TCP sockets) -- is there server support for this?<br />
** Support for features (such as directory delegations) which NFS version 4.1 has but which current CIFS even with the most current CIFS->Samba protocol extensions (CIFS Unix Extensions) do not have -- will probably need server support too.<br />
*Difficulty: Varies<br />
*Language(s): C<br />
*Possible mentors: Steve French</div>
Ekacnet, https://wiki.samba.org/index.php?title=Setting_up_Samba_as_an_Active_Directory_Domain_Controller&diff=5595
Setting up Samba as an Active Directory Domain Controller, 2010-10-08T21:32:27Z
<p>Ekacnet: </p>
<hr />
<div>= Samba4 HOWTO =<br />
tridge@samba.org, December 2004<br />
<br />
Updates:<br />
asn@redhat.com, December 2009<br />
tridge@samba.org, February 2010 (for alpha12)<br />
mat@samba.org, July 2010 (adapt to waf build)<br />
<br />
<br />
This is a very basic document on how to setup a simple Samba4<br />
server. This is aimed at people who are already familiar with Samba3<br />
and wish to participate in Samba4 development or test the alpha<br />
releases of Samba4. This is not aimed at general production use of<br />
Samba4, although some brave sites are running Samba4 in production<br />
based on these instructions.<br />
<br />
== Video demonstrations of this HOWTO ==<br />
<br />
A set of [[samba4/videos|demonstration videos]] is available that<br />
may provide a useful overview of the contents of this HOWTO.<br />
<br />
== A note on alpha versions ==<br />
<br />
Samba4 is developing very rapidly. This HOWTO has recently been<br />
updated to reflect the changes made up to September 2010 in preparation<br />
for the Samba4-alpha13 release.<br />
<br />
== Step 1: Download Samba4 ==<br />
<br />
If you have downloaded the Samba4 code via a tarball released from the<br />
samba.org website, Step 1 has already been completed for you. For testing<br />
with the version released in the tarball, you may continue on to Step 2.<br />
<br />
Note that the references below to the top-level directory named<br />
"samba-master" will instead be based on the name of the tarball<br />
downloaded (e.g. "samba-4.0.0alpha13" for the tarball<br />
samba-4.0.0alpha13.tar.gz). Also note that in the "master" branch the<br />
samba4 code is located in the "source4/" subdirectory.<br />
<br />
Otherwise there are currently two methods for downloading the current Samba version:<br />
<br />
* via git<br />
* via rsync<br />
<br />
If you don't have git then install it, or stick to the latest tarball release.<br />
If you have a choice, we strongly recommend using the git method for<br />
downloading Samba, as it makes getting updates easier, and also allows<br />
you to integrate test patches from Samba developers more easily in<br />
case of problems.<br />
<br />
=== git ===<br />
<br />
$ git clone git://git.samba.org/samba.git samba-master; cd samba-master<br />
<br />
This will create a directory called "samba-master" in the current<br />
directory.<br />
<br />
If you want to update the tree to the latest version run:<br />
<br />
$ git pull<br />
<br />
=== rsync ===<br />
<br />
$ rsync -avz samba.org::ftp/unpacked/samba_4_0_test/ samba-master<br />
<br />
Note that the above rsync command will give you a checked out git<br />
repository, but it is missing all git objects. To turn it into<br />
a working git repository you need to do the following steps:<br />
<br />
$ cd samba-master/<br />
$ rm .git/objects/info/alternates<br />
$ rm .git/refs/tags/*<br />
$ rm -r .git/refs/remotes/<br />
$ git config remote.origin.url git://git.samba.org/samba.git<br />
$ git config --add remote.origin.fetch +refs/tags/*:refs/tags/* (this line is optional)<br />
$ git fetch<br />
<br />
Note you can ignore this error from git fetch:<br />
error: refs/heads/master does not point to a valid object!<br />
<br />
Also note that the git fetch will download the complete git history<br />
(about 160 MB with all the tags and about 125 MB without old tags).<br />
<br />
You can update it to the latest version at some future date using:<br />
<br />
$ git pull<br />
<br />
<br />
== Step 2: Compile Samba4 ==<br />
<br />
Recommended optional development libraries:<br />
*acl and xattr development libraries (libattr1-dev package in Debian/Ubuntu)<br />
*blkid development libraries (libblkid-dev package in Debian/Ubuntu)<br />
*gnutls (libgnutls-dev package in Debian/Ubuntu)<br />
*readline (libreadline5-dev package in Debian/Ubuntu)<br />
*Python development libraries (python-dev in Debian/Ubuntu) required to compile<br />
<br />
Combined, for Debian:<br />
<br />
$ apt-get install build-essential libattr1-dev libblkid-dev libgnutls-dev libreadline5-dev python-dev autoconf python-dnspython gdb pkg-config bind9utils<br />
<br />
For Fedora:<br />
<br />
$ yum install libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig<br />
<br />
Since only released versions of Samba contain a pre-generated configure script, <br />
you will have to generate it by hand if you downloaded the source with rsync or git:<br />
<br />
$ cd samba-master/source4<br />
$ ./autogen-waf.sh<br />
<br />
Run this:<br />
<br />
$ cd samba-master/source4<br />
$ ./configure.developer<br />
$ make<br />
<br />
The above command will set up Samba4 to install in /usr/local/samba. If<br />
you want Samba to install somewhere else then you should use the<br />
--prefix option to configure.developer.<br />
<br />
The reason we recommend using configure.developer rather than<br />
configure for Samba4 alpha releases is that it will include extra<br />
debug information that will help us diagnose problems in case of<br />
failures. It will also allow you to run the various builtin automatic<br />
tests.<br />
<br />
After building Samba, we recommend that you run<br />
<br />
$ make quicktest<br />
<br />
That will run a short (approximately 2 minute) set of tests to<br />
validate your build of Samba. While we try to be careful to ensure<br />
that all builds of Samba in the git repository are usable, sometimes a<br />
bug slips through, and 'make quicktest' is a fast way of checking that<br />
your build passes basic tests.<br />
<br />
The output of 'make quicktest' should end in a "ALL OK" message. If it<br />
doesn't, then please ask on the samba-technical mailing list or <br />
the #samba-technical IRC channel.<br />
<br />
== Step 3: Install Samba4 ==<br />
<br />
Run this as a user who has permission to write to the install<br />
directory (which defaults to /usr/local/samba). Use the --prefix option to<br />
configure.developer above to change this.<br />
<br />
$ make install<br />
<br />
For the rest of this HOWTO we will assume that you have installed<br />
Samba4 in the default location, which is /usr/local/samba.<br />
<br />
== Step 4: Provision Samba4 ==<br />
<br />
The "provision" step sets up a basic user database, and is used when you are setting up your Samba4<br />
server in its own domain. If you instead want to setup your Samba4 server as an additional domain controller<br />
in an existing domain, then please see the separate page on [[Samba4 joining a domain]].<br />
<br />
In the following examples we will assume your DNS domain name is<br />
'samdom.example.com' and your short (also known as NT4) domain name is<br />
'samdom'. We will assume that your Samba server's hostname is samba.<br />
<br />
Provisioning must be run as a user with permission to write to the install directory (which means you may need to run this command with sudo).<br />
<br />
$ cd samba-master/source4<br />
$ ./setup/provision --realm=samdom.example.com --domain=SAMDOM --adminpass=SOMEPASSWORD --server-role='domain controller'<br />
<br />
If you get an error like this:<br />
tdb_open_ex: could not open file /usr/local/samba/private/sam.ldb.d/DC=SAMDOM,DC=EXAMPLE,DC=COM. ldb: Permission denied<br />
then you need to rerun with sudo<br />
<br />
Troubleshooting note:<br />
you may need to rm the smb.conf file if you failed to pass valid names and provision previously failed<br />
<br />
There are many other options you can pass to the 'provision' command, run it with the --help option to see a list of them.<br />
<br />
== Step 5: Starting Samba4 ==<br />
<br />
If you are planning to run Samba4 as a production server, then just run the "samba" binary as root<br />
<br />
# samba<br />
<br />
That will run Samba4 in 'standard' mode, which is suitable for<br />
production use. Samba4 alpha13 doesn't yet have init scripts included<br />
for each platform, but making one for your platform should not be<br />
difficult.<br />
<br />
If you are running Samba4 as a developer you may find<br />
the following more useful:<br />
<br />
# samba -i -M single<br />
<br />
This starts "samba" with messages on stdout, running as a<br />
single process. That mode of operation makes debugging "samba" with gdb<br />
particularly easy. If you want to launch it under gdb, then the following<br />
example could be useful:<br />
<br />
$ sudo gdb --args bin/samba -i -M single<br />
<br />
Note that if you are running any Samba3 smbd or nmbd processes<br />
they need to be stopped before starting "samba" from Samba 4.<br />
<br />
Make sure you put the bin and sbin directories from your new install<br />
in your $PATH or you may end up running the wrong version. You can see what version <br />
you have by running "samba -V".<br />
<br />
Note: in older developer versions of samba4 "samba" was still called "smbd".<br />
<br />
== Step 6: Testing Samba4 ==<br />
<br />
=== smbclient ===<br />
<br />
Try this command:<br />
<br />
$ smbclient -L localhost -U%<br />
<br />
That should show you a list of shares available on your server. For example:<br />
<br />
Sharename       Type      Comment<br />
---------       ----      -------<br />
test            Disk<br />
netlogon        Disk<br />
sysvol          Disk<br />
IPC$            IPC       IPC Service (Samba 4.0.0alpha12-GIT-5e755e9)<br />
ADMIN$          Disk      DISK Service (Samba 4.0.0alpha12-GIT-5e755e9)<br />
<br />
The 'netlogon' and 'sysvol' shares are basic shares needed for Active Directory server<br />
operation. <br />
<br />
To test that authentication is working, you should try to connect to the netlogon share<br />
using the administrator password you set earlier.<br />
<br />
$ smbclient //localhost/netlogon -Uadministrator%PASSWORD<br />
<br />
You should get a "smb>" prompt, and access to your netlogon directory.<br />
<br />
<br />
<br />
== Step 7: Create a share in smb.conf ==<br />
<br />
The provisioning will create a very simple smb.conf with no shares by<br />
default. For the server to be useful you will need to update it to<br />
have at least one share. For example:<br />
<br />
[test]<br />
path = /data/test<br />
read only = no<br />
<br />
Note that in current alpha versions of Samba4 you need to restart Samba<br />
to make new shares visible. This will be fixed in a future release.<br />
<br />
== Step 8: Configure DNS ==<br />
<br />
A working DNS setup is essential to the correct operation of<br />
Samba4. Without the right DNS entries, kerberos won't work, which in<br />
turn means that many of the basic features of Samba4 won't work.<br />
<br />
It is worth spending some extra time to ensure your DNS setup is just<br />
right, as debugging problems caused by mis-configured DNS can take a<br />
lot of time later on.<br />
<br />
The simplest way to get a working DNS setup for Samba4 is to start<br />
with the DNS zone and configuration files that are created by the<br />
'provision' step above. If you look in /usr/local/samba/private<br />
directory, you'll find a file called 'named.conf' and another one<br />
called samdom.example.com.zone (adjusted for your real DNS domain name<br />
of course!).<br />
<br />
Assuming you have a bind9 DNS server installed, you can activate the<br />
configuration that the provision has created by adding a line like<br />
this to /etc/bind/named.conf.local:<br />
<br />
include "/usr/local/samba/private/named.conf";<br />
<br />
After adding that line you should restart your bind server and check<br />
in the system logs for any problems.<br />
<br />
One common problem is that many modern Linux distributions activate<br />
'Apparmor' or 'SELinux' by default, and these may be configured to<br />
deny bind access to the named.conf and zone files created in<br />
the provision. If your bind logs show that bind is getting an access<br />
denied error accessing these files then please see your local system<br />
documentation for how to enable access to these files in bind (hint:<br />
for Apparmor systems such as Ubuntu, the command aa-logprof may be<br />
useful).<br />
<br />
Now you need to test that DNS is working correctly. Check that your<br />
/etc/resolv.conf is pointing correctly at your local DNS server, then<br />
run the following commands:<br />
<br />
$ host -t SRV _ldap._tcp.samdom.example.com.<br />
_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com.<br />
<br />
$ host -t SRV _kerberos._udp.samdom.example.com.<br />
_kerberos._udp.samdom.example.com has SRV record 0 100 88 samba.samdom.example.com.<br />
<br />
$ host -t A samba.samdom.example.com.<br />
samba.samdom.example.com has address 10.0.0.1<br />
<br />
Check that you get answers similar to the ones above (adjusted for<br />
your DNS domain name and hostname). If you get any errors then<br />
carefully check your system logs to find and fix the problem.<br />
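<br />
The three lookups above can be scripted so that the answers are checked rather than eyeballed. The following script is an added example and not part of this HOWTO: it parses the output of the host commands shown above and fails if an SRV record does not point at the expected port and host, or if the A record of the domain controller resolves to a loopback address (which a domain member cannot reach). The function names are assumed, and the sample answers in the comments are the ones from the example output above.<br />

```shell
#!/bin/sh
# Added example (not from the HOWTO): check the DNS answers an AD DC must
# publish. Works on the text printed by `host`, so it can be tested offline
# on constructed lines and run live with verify_dc_dns.

# check_srv_answer LINE EXPECTED_PORT EXPECTED_TARGET
# LINE is one "host -t SRV" output line, e.g. (constructed from the HOWTO):
#   _ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com.
# Succeeds only if the record's port and target host match.
check_srv_answer() {
    line=$1; want_port=$2; want_target=$3
    case "$line" in
        *" has SRV record "*) ;;
        *) return 1 ;;            # NXDOMAIN, SERVFAIL or an empty answer
    esac
    rest=${line#* has SRV record }   # "priority weight port target."
    set -- $rest
    [ "$#" -eq 4 ] || return 1
    port=$3
    target=${4%.}                    # drop the trailing dot of the FQDN
    [ "$port" = "$want_port" ] && [ "$target" = "$want_target" ]
}

# check_a_answer LINE EXPECTED_HOST
# Returns 0 for a usable address, 2 if the DC resolves to 127.x.x.x (clients
# joining the domain would try to reach themselves), 1 for anything else.
check_a_answer() {
    line=$1; want_host=$2
    case "$line" in
        "$want_host has address 127."*) return 2 ;;
        "$want_host has address "*)     return 0 ;;
        *)                              return 1 ;;
    esac
}

# verify_dc_dns DNSDOMAIN DCHOST: run the HOWTO's three lookups live and
# apply the checks above. Needs the `host` command and a working resolver.
verify_dc_dns() {
    domain=$1; dc=$2; rc=0
    check_srv_answer "$(host -t SRV "_ldap._tcp.$domain." | tail -n 1)" 389 "$dc.$domain" \
        || { echo "LDAP SRV record for $domain missing or wrong" >&2; rc=1; }
    check_srv_answer "$(host -t SRV "_kerberos._udp.$domain." | tail -n 1)" 88 "$dc.$domain" \
        || { echo "Kerberos SRV record for $domain missing or wrong" >&2; rc=1; }
    rc_a=0
    check_a_answer "$(host -t A "$dc.$domain." | tail -n 1)" "$dc.$domain" || rc_a=$?
    case $rc_a in
        1) echo "A record for $dc.$domain missing" >&2; rc=1 ;;
        2) echo "A record for $dc.$domain is a loopback address; fix named.conf/zone" >&2; rc=1 ;;
    esac
    return $rc
}

# Usage: ./dnscheck.sh samdom.example.com samba
if [ "$#" -eq 2 ]; then
    verify_dc_dns "$1" "$2"
fi
```

Run it as `./dnscheck.sh samdom.example.com samba` (your DNS domain and the DC's short hostname); a non-zero exit with a message names the record to fix before moving on to the kerberos test.<br />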
<br />
*Note: One of the problems I've had on a Debian system is that the zone autogeneration always detects, and uses, 127.0.1.1 as the domain controller's IP address. That works fine until you 1) don't have a 127.0.1.1 interface on the machine or 2) go to join your first client to the domain. In /usr/local/samba/private/named.conf you might need to change 127.0.1.1 to reflect the actual IP address of the server you're setting up.<br />
<br />
== Step 9: Testing kerberos ==<br />
<br />
Once DNS is working, you should test that the kerberos server built into<br />
Samba4 is working correctly. The easiest test is to use the kinit<br />
command like this:<br />
<br />
$ kinit administrator@SAMDOM.EXAMPLE.COM<br />
Password:<br />
<br />
''Note:''<br><br />
: You have to give your 'domain realm SAMDOM.EXAMPLE.COM' in <b>uppercase letters</b> to kinit.<br />
<br />
The kinit should complete successfully. After it completes you can<br />
examine the received ticket like this:<br />
<br />
$ klist -e<br />
Ticket cache: FILE:/tmp/krb5cc_1000<br />
Default principal: administrator@SAMDOM.EXAMPLE.COM<br />
<br />
Valid starting     Expires            Service principal<br />
02/10/10 19:39:48  02/11/10 19:39:46  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM<br />
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5<br />
<br />
If you find you don't have kinit or klist, you may need to install them. On debian based<br />
systems (such as Ubuntu) the packages are called krb5-config and krb5-user.<br />
<br />
You can also test kerberos from a remote client; just make sure you have configured<br />
krb5.conf and resolv.conf to point to the domain controller IP address.<br />
<br />
''Note:''<br><br />
: If you are using a client behind NAT then you have to add the following to the krb5.conf on the domain controller server (this turns off the KDC's check that the client addresses embedded in a ticket match the address the request came from, so enable it only when you need it):<br />
<br />
[kdc]<br />
check-ticket-addresses = false<br />
<br />
== Step 10: Configure kerberos DNS dynamic updates ==<br />
<br />
If you have a current version of bind9 (tested with bind version 9.6.1<br />
on Ubuntu), then the current Samba4 git tree will automatically setup<br />
and configure a file called /usr/local/samba/private/named.conf.update, which you can include in your master named.conf to allow Samba/Kerberos DNS updates to automatically take place. Be advised that if you include this file in Bind versions that don't support it, Bind will fail to start.<br />
<br />
You additionally need to set two environment variables for bind9:<br />
<br />
KEYTAB_FILE="/usr/local/samba/private/dns.keytab"<br />
KRB5_KTNAME="/usr/local/samba/private/dns.keytab"<br />
export KEYTAB_FILE<br />
export KRB5_KTNAME<br />
<br />
These should be put in your settings file for bind9. On Debian based<br />
systems this is in /etc/default/bind9.<br />
On RedHat derived systems it is<br />
in /etc/sysconfig/named. Strictly speaking you only either need<br />
KEYTAB_FILE or KRB5_KTNAME, but which you need depends on your distro,<br />
so it's easier to just set both.<br />
<br />
Then in your /etc/bind/named.conf.options you need this:<br />
<br />
tkey-gssapi-credential "DNS/samba.samdom.example.com";<br />
tkey-domain "SAMDOM.EXAMPLE.COM";<br />
<br />
The hostname in the first line must match the 'additional' response from<br />
a SOA lookup on your domain name (you can check that with "host -v -t SOA samdom.example.com")<br />
<br />
The way the automatic DNS update in Samba works is that the provision<br />
will create a file /usr/local/samba/private/dns_update_list, which<br />
contains a list of DNS entries that Samba will try to dynamically<br />
update at startup and every 10 minutes thereafter. Updates will only<br />
happen if the DNS entries do not already exist.<br />
<br />
If you want to debug this process, then please run this as root:<br />
<br />
/usr/local/samba/sbin/samba_dnsupdate --verbose<br />
<br />
This will give you more information on the updates that Samba is doing<br />
at runtime, and show you any errors that are generated.<br />
<br />
If you are joining Samba4 to an existing Windows DNS domain, or you<br />
are using a Windows DNS server instead of bind9, then you need<br />
bind version 9.7.2rc1 (or higher) for the nsupdate command to correctly work<br />
with recent versions of Windows. If you don't have bind 9.7.2rc1 or better,<br />
recent Windows clients (such as Windows7 and Win2K8) won't be able to<br />
do dynamic DNS updates to your bind9 server, and bind9 won't be able<br />
to do dynamic DNS updates against a Windows DNS server.<br />
<br />
Until your distribution's Bind package is updated,<br />
you can get an appropriate version like this (Applies for current Debian/Ubuntu-based systems).<br />
<br />
$ sudo apt-get build-dep bind9<br />
$ sudo apt-get install ccache<br />
$ wget http://ftp.isc.org/isc/bind9/9.7.2/bind-9.7.2.tar.gz<br />
$ tar -xvf bind-9.7.2.tar.gz<br />
$ cd bind-9.7.2<br />
<br />
For some installations, you may want to change your prefix to /usr/local and keep the rest of the options. Alternatively, you can just build and install.<br />
<br />
$ ./configure<br />
$ make<br />
$ sudo make install<br />
<br />
Now you have to ensure that bind can read the dns.keytab file, the<br />
named.conf file and the zone file. It also needs to be able to write<br />
the zone file. The Samba provision tries to setup the permissions<br />
correctly for these files, but you may find you need to make changes<br />
in your Apparmor or SELinux configuration if you are running either of<br />
those. If you are using Apparmor then the aa-logprof command may help<br />
you add any missing permissions you need to add after you start Samba<br />
and bind9 for the first time after configuring them.<br />
<br />
You should also carefully check the permissions on the private/dns directory to ensure it is writable by bind. <br />
<br />
On some systems you may also find that you need to symlink the dns.keytab file as<br />
/etc/krb5.keytab, as bind may not honor the environment variables for the location<br />
of this file.<br />
<br />
== NOTE about filesystem support ==<br />
<br />
To use the advanced features of Samba4 you need a filesystem that<br />
supports both the "user" and "system" xattr namespaces.<br />
<br />
If you run Linux with a 2.6 kernel and ext3 this means you need to<br />
include the option "user_xattr" in your /etc/fstab. For example:<br />
<br />
/dev/hda3 /home ext3 user_xattr 1 1<br />
<br />
You also need to compile your kernel with the XATTR and SECURITY<br />
options for your filesystem. For ext3 that means you need:<br />
<br />
CONFIG_EXT3_FS_XATTR=y<br />
CONFIG_EXT3_FS_SECURITY=y<br />
<br />
If you are running a Linux 2.6 kernel with CONFIG_IKCONFIG_PROC<br />
defined you can check this with the following command:<br />
<br />
$ zgrep CONFIG_EXT3_FS /proc/config.gz<br />
<br />
If you don't have a filesystem with xattr support, then you can<br />
simulate it by using the option:<br />
<br />
posix:eadb = /usr/local/samba/eadb.tdb<br />
<br />
This will place all extra file attributes (NT ACLs, DOS EAs, streams<br />
etc.) in that tdb. It is not efficient, and doesn't scale well, but at<br />
least it gives you a choice when you don't have a modern filesystem.<br />
<br />
=== Testing your filesystem ===<br />
<br />
To test your filesystem support, install the 'attr' package and run<br />
the following commands as root:<br />
<br />
# touch test.txt<br />
# setfattr -n user.test -v test test.txt<br />
# setfattr -n security.test -v test2 test.txt<br />
# getfattr -d test.txt<br />
# getfattr -n security.test -d test.txt<br />
<br />
You should see output like this:<br />
<br />
# file: test.txt<br />
user.test="test"<br />
<br />
# file: test.txt<br />
security.test="test2"<br />
<br />
If you get any "Operation not supported" errors then it means your<br />
kernel is not configured correctly, or your filesystem is not mounted<br />
with the right options.<br />
<br />
If you get any "Operation not permitted" errors then it probably means<br />
you didn't try the test as root.<br />
<br />
If you are using the posix:eadb option then you don't need to test your filesystem in this manner.<br />
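<br />
The manual test above can be automated. The following script is an added example, not part of the HOWTO: it writes and reads back an attribute in both the user and security namespaces and reports why the test fails, distinguishing a kernel or mount without xattr support ("Operation not supported") from a run as a non-root user ("Operation not permitted"). It assumes the setfattr/getfattr tools from the 'attr' package; run it as root on the filesystem that will hold the Samba data.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the HOWTO: probe a directory for the xattr
# support Samba4 needs and report why it fails, automating the manual
# setfattr/getfattr test.  Run as root to exercise the 'security'
# namespace; as a normal user that step reports not-permitted.

# Usage: xattr_probe <directory>
# Prints exactly one of: ok, unsupported, not-permitted, no-tools, error
xattr_probe() {
    dir=${1:-.}
    # setfattr/getfattr come from the 'attr' package.
    if ! command -v setfattr >/dev/null 2>&1 || ! command -v getfattr >/dev/null 2>&1; then
        echo no-tools
        return 0
    fi
    probe="$dir/.xattr_probe.$$"
    : > "$probe" || { echo error; return 0; }
    status=ok
    for ns in user security; do
        # Capture only stderr so the kernel's error text can be classified.
        err=$(setfattr -n "$ns.test" -v test "$probe" 2>&1 >/dev/null) || {
            case $err in
                *"not supported"*) status=unsupported ;;   # kernel/mount lacks xattr support
                *"not permitted"*) status=not-permitted ;; # security.* needs root
                *)                 status=error ;;
            esac
            break
        }
        # Round trip: the value written must be read back unchanged.
        got=$(getfattr --only-values -n "$ns.test" "$probe" 2>/dev/null)
        [ "$got" = test ] || { status=error; break; }
    done
    rm -f "$probe"
    echo "$status"
}

xattr_probe "${1:-.}"
```
<br />
Run it with the Samba data directory as the argument; "unsupported" points at the fstab or kernel options above, "not-permitted" means the security namespace test needs root.<br />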
<br />
= Configure a Windows Client to join a Samba 4 Active Directory =<br />
<br />
Active Directory is a powerful administration service which enables an administrator to centrally manage a network of Windows 2000, Windows XP Pro, Windows 2003, and Windows Vista Business Edition effectively. To test the real Samba 4 capability, we use Windows XP Pro as testing environment (Windows XP Home doesn't include Active Directory functionality and won't work).<br />
<br />
To allow Samba 4 Active Directory or Microsoft Active Directory to manage a computer, we need to join the computer to the Active Directory domain.<br />
It involves:<br />
<br />
# Configuring DNS Setting<br />
# Configuring date/time and time zone<br />
# Joining the domain<br />
<br />
== Step 1: Configure DNS Setting for Windows ==<br />
<br />
Before we configure the DNS setting, verify that you are able to ping the Server's IP Address. If you are not able to ping the server, double check your IP address, firewall, routing, etc.<br />
<br />
Once you have verified network connectivity between the Samba server and client,<br />
<br />
# Right Click My Network Places -> Properties<br />
# Double click local area network->Properties<br />
# Double click tcp/ip<br />
# Use a static DNS server: add the Samba 4 server's IP address in the primary DNS server field. [[:Image:http://www.extraknowledge.org/xoops/images/samba/dnsclient.jpg]]<br />
# Press ok, ok, ok again until finished.<br />
# Open a command prompt, type 'ping servername.your.realm' (change to suit your custom realm per your provision)<br />
<br />
If you get replies, then your Windows XP DNS settings are correct and the Samba4 server's DNS service is working as well.<br />
<br />
== Step 2: Configure date/time and time zone ==<br />
<br />
Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clock on the client and server be synchronized to within a few seconds of each other. If they are not synchronized, authentication will fail for apparently no reason.<br />
<br />
# Change the time zone in Windows XP Pro so that server and client are using the same time zone. In my computer, I use Asia/Kuala_Lumpur (I come from Malaysia).[[:Image:http://www.extraknowledge.org/xoops/images/samba/timezone.jpg]]<br />
# Change the date/time so the client has the same HH:MM as the server [[:Image:http://www.extraknowledge.org/xoops/images/samba/time.jpg]]<br />
<br />
== Step 3: Joining the Windows client into domain ==<br />
<br />
Now your Windows client is ready to join the Active Directory (AD) domain.<br />
<br />
As administrator:<br />
<br />
# Right click My Computer -> Properties<br />
# Choose Computer Name, click Change...<br />
# Click the 'Domain' option, insert YOUR.REALM (if that fails, try YOURDOM) [[:Image:http://www.extraknowledge.org/xoops/images/samba/joindomain.jpg]]<br />
# When it requests a username/password, type '''administrator''' as username, '''SOMEPASSWORD''' as password (per your earlier provision).<br />
# It will tell you that Windows XP has successfully joined the Active Directory domain, and that you need to restart.<br />
# After the restart, you should get the normal domain logon dialog<br />
# Choose domain YOURDOM, insert '''administrator''' as username, '''SOMEPASSWORD''' as password (again, per your earlier provision)<br />
# If you log in successfully, then you are able to use the Samba 4 Active Directory services described in the next section.<br />
<br />
= Viewing Samba 4 Active Directory object from Windows XP Pro =<br />
<br />
We need to install the Windows 2003 adminpak on Windows XP in order to use<br />
GUI tools to manage the domain. Before beginning, make sure the domain<br />
administrator has administrative rights on your computer. (To<br />
give any user administrative rights in Windows XP Pro, right click My<br />
Computer, press Manage -> choose Groups -> double click Administrators<br />
and add members from the domain into the member list. When you add a<br />
member from Active Directory, it will prompt you to enter an<br />
Active Directory username/password.)<br />
<br />
== Step 1: Installing Windows Remote Administration Tools onto Windows ==<br />
<br />
=== Windows 7 ===<br />
<br />
Download the Windows Remote Administration Tools from<br />
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en<br />
<br />
and follow the "Install RSAT" instructions.<br />
<br />
=== Vista ===<br />
<br />
Download the Windows Remote Administration Tools from<br />
http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en<br />
<br />
and follow the "Install RSAT" instructions described at<br />
http://support.microsoft.com/kb/941314<br />
<br />
=== Windows XP Pro ===<br />
<br />
# In Windows XP, download the adminpak from http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en and the support tools from http://download.microsoft.com/download/3/e/4/3e438f5e-24ef-4637-abd1-981341d349c7/WindowsServer2003-KB892777-SupportTools-x86-ENU.exe<br />
# Run through the installation.<br />
# Press Start -> Run, type 'dsa.msc'; if an 'Active Directory Users and Computers' window appears, the adminpak was installed successfully. You can also find this under Start > Programs > Administrative Tools, which should have a lot more items now.<br />
# Go to c:\Program Files\Support Tools to check whether the support tools were installed correctly; if yes, then your XP workstation is ready to manage the Samba 4 Active Directory.<br />
<br />
== Step 2: Viewing samba 4 active directory content ==<br />
<br />
# Log in as the domain 'testing1.org' administrator, press Start -> Run.<br />
# Type dsa.msc<br />
#* [[:Image:http://www.extraknowledge.org/xoops/images/samba/run.jpg]]<br />
# Expand the testing1.org tree to see the existing objects in the domain. [[:Image:http://www.extraknowledge.org/xoops/images/samba/dsa.msc.jpg]]<br />
<br />
= Managing Samba 4 Active Directory From Windows XP Pro =<br />
One of Samba4's goals is to integrate with (and replace) Active Directory as a system. At this point, if everything has worked correctly you should have an "Administrative Tools" menu under Programs. If, under Administrative Tools, you have "Active Directory Users and Computers", that is a very good sign. Most times, if there is a configuration problem or a bug in Samba4, the AD Users & Computers tool (among other interfaces) won't show up as an option. You can run it by hand (Start -> Run -> dsa.msc) but it's unlikely to work correctly.<br />
<br />
<br />
== Step 1: Adding user into Samba 4 Active Directory ==<br />
Unlike Samba3, Samba4 does not require a local unix user for each Samba user that is created.<br />
<br />
To create a Samba user, use the command <br />
<br />
net newuser USERNAME<br />
<br />
If you get this error message :<br />
<br />
ImportError: No module named samba.netcmd<br />
<br />
run this command<br />
<br />
export PYTHONPATH=/usr/local/samba/lib/python2.6/site-packages/<br />
<br />
Make sure you run the Samba4 version of net, if you also have Samba3 installed.<br />
<br />
To inspect the allocated user ID and SID, use wbinfo<br />
<br />
$ bin/wbinfo --name-to-sid USERNAME<br />
S-1-5-21-4036476082-4153129556-3089177936-1005 SID_USER (1)<br />
<br />
$ bin/wbinfo --sid-to-uid S-1-5-21-4036476082-4153129556-3089177936-1005<br />
3000011<br />
<br />
If you want to change this mapping, then use ldbedit on idmap.ldb,<br />
like this:<br />
<br />
$ bin/ldbedit -e emacs -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
You will find records that look like this:<br />
<br />
# record 1<br />
dn: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
cn: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
objectClass: sidMap<br />
objectSid: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
type: ID_TYPE_BOTH<br />
xidNumber: 3000011<br />
distinguishedName: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
If you change the xidNumber attribute, save in your editor and exit,<br />
Samba will update the mapping between the SID and the user<br />
ID. Updating group mappings works in the same way.<br />
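<br />
The same change can be made without an interactive editor, which is handier in scripts and avoids editing the wrong record by hand. The script below is an added example and not part of the HOWTO: it builds an LDIF "modify" record that replaces xidNumber for one SID (the DN format CN=&lt;SID&gt; is the one shown by ldbedit above) and feeds it to ldbmodify. It assumes the default /usr/local/samba prefix and that ldbmodify is on the PATH (in this HOWTO's layout it lives in bin/ next to ldbedit); the SID and ID values are only checked for shape, not for existence in the database.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the HOWTO: change the SID -> Unix ID mapping
# in idmap.ldb without an interactive editor by feeding an LDIF modify
# record to ldbmodify.  Paths assume the default /usr/local/samba prefix.

IDMAP_DB=${IDMAP_DB:-/usr/local/samba/private/idmap.ldb}

# Build the LDIF that replaces xidNumber for one SID.
idmap_ldif() {
    sid=$1
    newid=$2
    printf 'dn: CN=%s\nchangetype: modify\nreplace: xidNumber\nxidNumber: %s\n' "$sid" "$newid"
}

# Refuse anything that is not shaped like a domain SID or a positive
# integer, so a typo cannot produce a record for an unintended DN.
idmap_validate() {
    case $1 in S-1-5-21-*-*-*-[0-9]*) ;; *) return 1 ;; esac
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# Apply the change.  Needs write access to idmap.ldb (normally root).
idmap_set_xid() {
    idmap_validate "$1" "$2" || { echo "bad SID or ID" >&2; return 1; }
    idmap_ldif "$1" "$2" | ldbmodify -H "$IDMAP_DB"
}

# Usage: IDMAP_APPLY=1 sh idmap_set_xid.sh <SID> <new xidNumber>
# Without IDMAP_APPLY=1 this is a dry run that only prints the LDIF.
if [ "${IDMAP_APPLY:-0}" = 1 ]; then
    idmap_set_xid "$1" "$2"
else
    idmap_ldif "${1:-S-1-5-21-4036476082-4153129556-3089177936-1005}" "${2:-3000011}"
fi
```
<br />
The dry run prints the record that would be sent, so you can compare it against the ldbedit output above before applying it; as with ldbedit, the same approach works for group mappings.<br />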
<br />
You can also manage users using the normal Windows AD user management<br />
tools.<br />
<br />
= Setting Up Roaming Profiles (Windows 7) =<br />
<br />
1. You will need to create a share for the profiles, typically named '''profiles'''. Edit the ''/usr/local/samba/etc/smb.conf'' to include:<br />
<br />
[profiles]<br />
path = /usr/local/samba/var/profiles<br />
read only = no<br />
<br />
2. Create the directory above using:<br />
<br />
$ sudo mkdir /usr/local/samba/var/profiles<br />
<br />
3. On windows start the ''Active Directory Users and Computers'', select all the users, right click and hit properties<br />
<br />
4. Under the profile tab, in the ''Profile path'' type the path to your share along with %USERNAME% as follows:<br />
<br />
\\sambaserver.samdom.example.com\profiles\%USERNAME%<br />
<br />
5. Click OK, log out and log in as one of those users. When you log out again, you should see that the profile has been synced onto the Samba server.<br />
<br />
= Adding organization unit (OU) into samba 4 domain =<br />
<br />
An Organizational Unit (OU) is a powerful feature in Active<br />
Directory. It is a type of container into which you can drag & drop<br />
users and/or computers.<br />
<br />
We can link several kinds of group policy to an OU, and the settings<br />
will be deployed to all users/computers under the OU. Within a single domain<br />
we can have as many OUs and sub-OUs as we like. The result is that<br />
administrative overhead can be greatly reduced, because you are able to<br />
manage everything via an OU. The implementation of group policy is<br />
discussed in the next chapter.<br />
<br />
Before we create an OU, we must know what an OU looks like. By default<br />
we can see a sample OU, 'Domain Controllers', which uses a different<br />
icon in the Windows management tools from the 'Users' and 'Computers'<br />
containers. We can deploy group policy to the users or computers container.<br />
<br />
# To create an OU, as the domain administrator, use Start -> Run -> dsa.msc<br />
# Right click on your domain.<br />
# Choose New -> Organizational Unit<br />
# Type 'OU Demo'<br />
# You will then see a new OU appear, with the name 'OU Demo'.<br />
# You can drag your user 'demo' into the new OU (Don't move other users, unless you want to get stuck!)<br />
# Right click the 'OU Demo'; you can create a sub-OU with New -> Organizational Unit.<br />
<br />
Normally we create OUs based on the departmental setup of your<br />
organization. Be careful not to confuse groups and OUs: groups are<br />
used to control permissions, OUs are used for deploying settings to<br />
all users/computers within the OU.<br />
<br />
= Implementing Group Policies (GPO) in a Samba4 domain =<br />
<br />
Samba4 Active Directory has support for group policies, and can create<br />
the group policy on the fly. The basic idea of group policies is:<br />
<br />
# Group Policies have 2 kinds of settings: computer and user.<br />
# Computer settings apply to computers, user settings apply to users<br />
# We link the group policy to a particular OU, and the group policy will affect all computers/users under the OU.<br />
<br />
# To add a group policy, right click the 'OU Demo' OU -> Properties<br />
# Choose Group Policy<br />
# Press New, name it 'GP Demo'<br />
# Press Edit to edit the policy.<br />
# Here we will demonstrate how to block users from accessing the Control Panel. Open the tree 'User Configuration' -> 'Administrative Templates' -> 'Control Panel'.<br />
# Double click on 'Prohibit access to the Control Panel'<br />
# Press Enabled and then press OK. Now all users under 'OU Demo' won't be able to access the Control Panel.<br />
# Make sure user demo is inside the 'OU Demo' (you can drag and drop it).<br />
# Log out and log in as user 'demo'<br />
# You'll find user demo is not able to access the Control Panel<br />
<br />
* Note that the user configuration takes effect once you log out and log in again.<br />
* The computer configuration takes effect when you restart the computer<br />
<br />
To learn more about managing and implementing organizational units, group policy, and Active Directory, try a web search for 'Windows 2003 Active Directory implementation'.<br />
<br />
== Installing the Group Policy Management Console ==<br />
<br />
You may also find the Group Policy Management console useful. You can<br />
download it from:<br />
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en<br />
<br />
This is primarily useful for when you have larger installs and<br />
are managing many machines. You may need to download the .NET<br />
framework first.<br />
<br />
= Joining a Windows domain controller as an additional DC in a domain =<br />
<br />
Once you have a Samba domain controller setup, you can choose to join<br />
additional domain controllers to the domain, whether they be<br />
additional Samba domain controllers, or additional Windows domain<br />
controllers.<br />
<br />
If you wish to join an additional Samba domain controller to a domain,<br />
then please see the [[Samba4/HOWTO/Join a domain as a DC|Joining a domain as a DC]] page. The instructions<br />
on that page are the same for joining Samba to a Windows domain as<br />
they are for joining Samba to an existing Samba domain.<br />
<br />
If you wish to join a new Windows domain controller to a Samba domain,<br />
then you should use the 'dcpromo' tool on the Windows machine. Please<br />
see the normal instructions for installing dcpromo on Windows, with<br />
the exception that you should not tick the 'DNS server' option box<br />
when it is offered. Right now you should either use Windows for DNS,<br />
or use Samba and bind9 for DNS. Mixing the two can work, but it is an<br />
advanced topic that is beyond the scope of this howto.<br />
<br />
== Report your success/failure! ==<br />
<br />
Samba4 as a replicating domain controller is still developing rapidly,<br />
and we like to hear from users about their successes and<br />
failures. While Samba4 is still in alpha release we would encourage<br />
you to report both your successes and failures to the samba-technical<br />
mailing list on http://lists.samba.org<br />
<br />
Please be aware that Samba4 is not complete, so you should deploy it<br />
carefully until it is ready for a non-alpha release.</div>Ekacnethttps://wiki.samba.org/index.php?title=Setting_up_Samba_as_an_Active_Directory_Domain_Controller&diff=5594Setting up Samba as an Active Directory Domain Controller2010-10-08T21:23:02Z<p>Ekacnet: </p>
<hr />
<div>= Samba4 HOWTO =<br />
tridge@samba.org, December 2004<br />
<br />
Updates:<br />
asn@redhat.com, December 2009<br />
tridge@samba.org, February 2010 (for alpha12)<br />
mat@samba.org, July 2010 (adapt to waf build)<br />
<br />
<br />
This is a very basic document on how to setup a simple Samba4<br />
server. This is aimed at people who are already familiar with Samba3<br />
and wish to participate in Samba4 development or test the alpha<br />
releases of Samba4. This is not aimed at general production use of<br />
Samba4, although some brave sites are running Samba4 in production<br />
based on these instructions.<br />
<br />
== Video demonstrations of this HOWTO ==<br />
<br />
A set of [[samba4/videos|demonstration videos]] is available that<br />
may provide a useful overview of the contents of this HOWTO<br />
<br />
== A note on alpha versions ==<br />
<br />
Samba4 is developing very rapidly. This HOWTO has recently been<br />
updated to reflect the changes made up to September 2010 in preparation<br />
for the Samba4-alpha13 release.<br />
<br />
== Step 1: Download Samba4 ==<br />
<br />
If you have downloaded the Samba4 code via a tarball released from the<br />
samba.org website, Step 1 has already been completed for you. For testing<br />
with the version released in the tarball, you may continue on to Step 2.<br />
<br />
Note that the references below to the top-level directory named<br />
"samba-master" will instead be based on the name of the tarball<br />
downloaded (e.g. "samba-4.0.0alpha13" for the tarball<br />
samba-4.0.0alpha13.tar.gz). Also note that in the "master" branch the<br />
samba4 code is located in the "source4/" subdirectory.<br />
<br />
Otherwise there are currently two methods for downloading the current Samba version:<br />
<br />
* via git<br />
* via rsync<br />
<br />
If you don't have git then install it, or stick to the latest tarball release.<br />
If you have a choice, we strongly recommend using the git method for<br />
downloading Samba, as it makes getting updates easier, and also allows<br />
you to integrate test patches from Samba developers more easily in<br />
case of problems.<br />
<br />
=== git ===<br />
<br />
$ git clone git://git.samba.org/samba.git samba-master; cd samba-master<br />
<br />
This will create a directory called "samba-master" in the current<br />
directory.<br />
<br />
If you want to update the tree to the latest version run:<br />
<br />
$ git pull<br />
<br />
=== rsync ===<br />
<br />
$ rsync -avz samba.org::ftp/unpacked/samba_4_0_test/ samba-master<br />
<br />
Note that the above rsync command will give you a checked out git<br />
repository, but it is missing all git objects. To turn it into<br />
a working git repository you need to do the following steps:<br />
<br />
$ cd samba-master/<br />
$ rm .git/objects/info/alternates<br />
$ rm .git/refs/tags/*<br />
$ rm -r .git/refs/remotes/<br />
$ git config remote.origin.url git://git.samba.org/samba.git<br />
$ git config --add remote.origin.fetch +refs/tags/*:refs/tags/* (this line is optional)<br />
$ git fetch<br />
<br />
Note you can ignore this error from git fetch:<br />
error: refs/heads/master does not point to a valid object!<br />
<br />
Also note that the git fetch will download the complete git history<br />
(about 160 MB with all the tags and about 125 MB without old tags).<br />
<br />
You can update it to the latest version at some future date using:<br />
<br />
$ git pull<br />
<br />
<br />
== Step 2: Compile Samba4 ==<br />
<br />
Recommended optional development libraries:<br />
*acl and xattr development libraries (libattr1-dev package in Debian/Ubuntu)<br />
*blkid development libraries (libblkid-dev package in Debian/Ubuntu)<br />
*gnutls (libgnutls-dev package in Debian/Ubuntu)<br />
*readline (libreadline5-dev package in Debian/Ubuntu)<br />
*Python development libraries (python-dev in Debian/Ubuntu) required to compile<br />
*Autoconf for autogen.<br />
<br />
Combined, for Debian:<br />
$ apt-get install build-essential libattr1-dev libblkid-dev libgnutls-dev libreadline5-dev python-dev autoconf python-dnspython gdb pkg-config bind9utils<br />
<br />
For Fedora:<br />
<br />
$ yum install libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig<br />
<br />
Since only released versions of Samba contain a pre-generated configure script, <br />
you will have to generate it by hand if you downloaded the source with rsync or git:<br />
<br />
$ cd samba-master/source4<br />
$ ./autogen.sh<br />
<br />
Run this:<br />
<br />
$ cd samba-master/source4<br />
$ ./configure.developer<br />
$ make<br />
<br />
The above commands will set up Samba4 to install in /usr/local/samba. If<br />
you want Samba to install somewhere else then you should use the<br />
--prefix option to configure.developer.<br />
<br />
The reason we recommend using configure.developer rather than<br />
configure for Samba4 alpha releases is that it will include extra<br />
debug information that will help us diagnose problems in case of<br />
failures. It will also allow you to run the various builtin automatic<br />
tests.<br />
<br />
After building Samba, we recommend that you run<br />
<br />
$ make quicktest<br />
<br />
That will run a short (approximately 2 minute) set of tests to<br />
validate your build of Samba. While we try to be careful to ensure<br />
that all builds of Samba in the git repository are usable, sometimes a<br />
bug slips through, and 'make quicktest' is a fast way of checking that<br />
your build passes basic tests.<br />
<br />
The output of 'make quicktest' should end in a "ALL OK" message. If it<br />
doesn't, then please ask on the samba-technical mailing list or <br />
the #samba-technical IRC channel.<br />
<br />
== Step 3: Install Samba4 ==<br />
<br />
Run this as a user who has permission to write to the install<br />
directory (which defaults to /usr/local/samba). Use --prefix option to<br />
configure.developer above to change this.<br />
<br />
$ make install<br />
<br />
For the rest of this HOWTO we will assume that you have installed<br />
Samba4 in the default location, which is /usr/local/samba.<br />
<br />
== Step 4: Provision Samba4 ==<br />
<br />
The "provision" step sets up a basic user database, and is used when you are setting up your Samba4<br />
server in its own domain. If you instead want to setup your Samba4 server as an additional domain controller<br />
in an existing domain, then please see the separate page on [[Samba4 joining a domain]].<br />
<br />
In the following examples we will assume your DNS domain name is<br />
'samdom.example.com' and your short (also known as NT4) domain name is<br />
'samdom'. We will assume that your Samba server's hostname is samba.<br />
<br />
It must be run as a user with permission to write to the install directory (which means you may need to run this command with sudo)<br />
<br />
$ cd samba-master/source4<br />
$ ./setup/provision --realm=samdom.example.com --domain=SAMDOM --adminpass=SOMEPASSWORD --server-role='domain controller'<br />
<br />
If you get an error like this:<br />
tdb_open_ex: could not open file /usr/local/samba/private/sam.ldb.d/DC=SAMDOM,DC=EXAMPLE,DC=COM. ldb: Permission denied<br />
then you need to rerun with sudo<br />
<br />
Troubleshooting note:<br />
you may need to rm the smb.conf file if you failed to pass valid names and provision previously failed<br />
<br />
There are many other options you can pass to the 'provision' command, run it with the --help option to see a list of them.<br />
<br />
== Step 5: Starting Samba4 ==<br />
<br />
If you are planning to run Samba4 as a production server, then just run the "samba" binary as root<br />
<br />
# samba<br />
<br />
That will run Samba4 in 'standard' mode, which is suitable for<br />
production use. Samba4 alpha13 doesn't yet have init scripts included<br />
for each platform, but making one for your platform should not be<br />
difficult.<br />
<br />
If you are running Samba4 as a developer you may find<br />
the following more useful:<br />
<br />
# samba -i -M single<br />
<br />
that means start "samba" with messages in stdout, and running a<br />
single process. That mode of operation makes debugging "samba" with gdb<br />
particularly easy. If you want to launch it under gdb, then the following<br />
example could be useful:<br />
<br />
$ sudo gdb --args bin/samba -i -M single<br />
<br />
Note that if you are running any Samba3 smbd or nmbd processes<br />
they need to be stopped before starting "samba" from Samba 4.<br />
<br />
Make sure you put the bin and sbin directories from your new install<br />
in your $PATH or you may end up running the wrong version. You can see what version <br />
you have by running "samba -V".<br />
<br />
Note: in older developer versions of samba4 "samba" was still called "smbd".<br />
<br />
== Step 6: Testing Samba4 ==<br />
<br />
=== smbclient ===<br />
<br />
Try this command:<br />
<br />
$ smbclient -L localhost -U%<br />
<br />
That should show you a list of shares available on your server. For example:<br />
<br />
Sharename Type Comment<br />
--------- ---- -------<br />
test Disk<br />
netlogon Disk<br />
sysvol Disk<br />
IPC$ IPC IPC Service (Samba 4.0.0alpha12-GIT-5e755e9)<br />
ADMIN$ Disk DISK Service (Samba 4.0.0alpha12-GIT-5e755e9)<br />
<br />
The 'netlogon' and 'sysvol' shares are basic shares needed for Active Directory server<br />
operation. <br />
<br />
To test that authentication is working, you should try to connect to the netlogon share<br />
using the administrator password you set earlier.<br />
<br />
$ smbclient //localhost/netlogon -Uadministrator%PASSWORD<br />
<br />
You should get a "smb>" prompt, and access to your netlogon directory.<br />
<br />
<br />
<br />
== Step 7 Create a share in smb.conf ==<br />
<br />
The provisioning will create a very simple smb.conf with no shares by<br />
default. For the server to be useful you will need to update it to<br />
have at least one share. For example:<br />
<br />
[test]<br />
path = /data/test<br />
read only = no<br />
<br />
Note that in current alpha versions of Samba4 you need to restart Samba<br />
to make new shares visible. This will be fixed in a future release.<br />
<br />
== Step 8 Configure DNS ==<br />
<br />
A working DNS setup is essential to the correct operation of<br />
Samba4. Without the right DNS entries, kerberos won't work, which in<br />
turn means that many of the basic features of Samba4 won't work.<br />
<br />
It is worth spending some extra time to ensure your DNS setup is just<br />
right, as debugging problems caused by mis-configured DNS can take a<br />
lot of time later on.<br />
<br />
The simplest way to get a working DNS setup for Samba4 is to start<br />
with the DNS zone and configuration files that are created by the<br />
'provision' step above. If you look in /usr/local/samba/private<br />
directory, you'll find a file called 'named.conf' and another one<br />
called samdom.example.com.zone (adjusted for your real DNS domain name<br />
of course!).<br />
<br />
Assuming you have a bind9 DNS server installed, you can activate the<br />
configuration that the provision has created by adding a line like<br />
this to /etc/bind/named.conf.local:<br />
<br />
include "/usr/local/samba/private/named.conf";<br />
<br />
After adding that line you should restart your bind server and check<br />
in the system logs for any problems.<br />
<br />
One common problem is that many modern Linux distributions activate<br />
'Apparmor' or 'SELinux' by default, and these may be configured to<br />
deny access to bind for the named.conf and zone files created in<br />
the provision. If your bind logs show that bind is getting an access<br />
denied error accessing these files then please see your local system<br />
documentation for how to enable access to these files in bind (hint:<br />
for Apparmor systems such as Ubuntu, the command aa-logprof may be<br />
useful).<br />
<br />
Now you need to test that DNS is working correctly. Check that your<br />
/etc/resolv.conf is pointing correctly at your local DNS server, then<br />
run the following commands:<br />
<br />
$ host -t SRV _ldap._tcp.samdom.example.com.<br />
_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com.<br />
<br />
$ host -t SRV _kerberos._udp.samdom.example.com.<br />
_kerberos._udp.samdom.example.com has SRV record 0 100 88 samba.samdom.example.com.<br />
<br />
$ host -t A samba.samdom.example.com.<br />
samba.samdom.example.com has address 10.0.0.1<br />
<br />
Check that you get answers similar to the ones above (adjusted for<br />
your DNS domain name and hostname). If you get any errors then<br />
carefully check your system logs to find and fix the problem.<br />
<br />
*Note: One of the problems I've had on a Debian system is that the zone autogeneration always detects, and uses, 127.0.1.1 as the domain controller's IP address. That works fine until you 1) don't have a 127.0.1.1 interface on the machine or 2) go to join your first client to the domain. In /usr/local/samba/private/named.conf you might need to change 127.0.1.1 to reflect the actual IP address of the server you're setting up.<br />
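<br />
Because a wrong SRV record (right name, wrong port or a target without an A record) is the DNS mistake that most often breaks Kerberos later, it is worth checking more than that the query answers. The script below is an added example, not part of the HOWTO: it runs the same 'host' queries as above, parses the first answer line, checks that the LDAP and Kerberos SRV records announce ports 389 and 88, and confirms that each SRV target has an A record. It assumes the 'host' tool from bind9's utilities is installed and that /etc/resolv.conf points at the server you configured.<br />
<br />
```shell
#!/bin/sh
# Added example, not from the HOWTO: verify the DNS records Samba4 and
# Kerberos depend on, using the same 'host' queries as the HOWTO and
# checking that every SRV target also resolves to an address.

# Parse one 'host -t SRV' answer line and print "port target", e.g.
# "_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com."
# yields "389 samba.samdom.example.com".  Fails on NXDOMAIN/error lines.
srv_parse() {
    # Word-split the line: name has SRV record prio weight port target
    set -- $1
    [ "$#" -ge 8 ] && [ "$3" = SRV ] || return 1
    printf '%s %s\n' "$7" "${8%.}"    # drop the trailing dot of the FQDN
}

# Check that the SRV record for $1 (e.g. _ldap._tcp.DOMAIN) announces
# port $2 and that its target has an A record.
srv_check() {
    name=$1 want_port=$2
    # Only the first answer line is inspected; with several DCs there are more.
    answer=$(host -t SRV "$name." 2>&1 | head -n 1)
    parsed=$(srv_parse "$answer") || { echo "FAIL $name: $answer"; return 1; }
    port=${parsed%% *}
    target=${parsed#* }
    [ "$port" = "$want_port" ] || { echo "FAIL $name: port $port, expected $want_port"; return 1; }
    host -t A "$target." 2>/dev/null | grep -q 'has address' \
        || { echo "FAIL $name: target $target has no A record"; return 1; }
    echo "OK $name -> $target:$port"
}

# Run the checks for one DNS domain; returns non-zero if any failed.
dns_check() {
    rc=0
    srv_check "_ldap._tcp.$1" 389 || rc=1
    srv_check "_kerberos._udp.$1" 88 || rc=1
    return $rc
}

# Usage: sh dns_check.sh samdom.example.com   (no argument: nothing is queried)
if [ $# -gt 0 ]; then dns_check "$1"; fi
```
<br />
A FAIL line with "3(NXDOMAIN)" means the zone from the provision is not being served by the resolver in /etc/resolv.conf; a port or missing-A failure points at a hand-edited zone file or the 127.0.1.1 problem noted above.<br />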
<br />
== Step 9: Testing kerberos ==<br />
<br />
Once DNS is working, you should test that the Kerberos server built in to<br />
Samba4 is working correctly. The easiest test is to use the kinit<br />
command like this:<br />
<br />
$ kinit administrator@SAMDOM.EXAMPLE.COM<br />
Password:<br />
<br />
''Note:''<br><br />
: You have to give your 'domain realm SAMDOM.EXAMPLE.COM' in <b>uppercase letters</b> to kinit.<br />
<br />
The kinit should complete successfully. After it completes you can<br />
examine the received ticket like this:<br />
<br />
$ klist -e<br />
Ticket cache: FILE:/tmp/krb5cc_1000<br />
Default principal: administrator@SAMDOM.EXAMPLE.COM<br />
<br />
Valid starting Expires Service principal<br />
02/10/10 19:39:48 02/11/10 19:39:46 krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM<br />
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5<br />
<br />
If you find you don't have kinit or klist, you may need to install them. On debian based<br />
systems (such as Ubuntu) the packages are called krb5-config and krb5-user.<br />
<br />
You can also test Kerberos from a remote client; just make sure you have configured<br />
krb5.conf and resolv.conf to point to the domain controller's IP address.<br />
<br />
''Note:''<br><br />
: If you are using a client behind NAT then you have to add the following to the krb5.conf on the domain controller server:<br />
<br />
[kdc]<br />
check-ticket-addresses = false<br />
<br />
== Step 10 Configure kerberos DNS dynamic updates ==<br />
<br />
If you have a current version of bind9 (tested with bind version 9.6.1<br />
on Ubuntu), then the current Samba4 git tree will automatically setup<br />
and configure a file called /usr/local/samba/private/named.conf.update, which you can include in your master named.conf to allow Samba/Kerberos DNS updates to automatically take place. Be advised that if you include this file in Bind versions that don't support it, Bind will fail to start.<br />
<br />
You additionally need to set two environment variables for bind9:<br />
<br />
KEYTAB_FILE="/usr/local/samba/private/dns.keytab"<br />
KRB5_KTNAME="/usr/local/samba/private/dns.keytab"<br />
export KEYTAB_FILE<br />
export KRB5_KTNAME<br />
<br />
These should be put in your settings file for bind9. On Debian based<br />
systems this is in /etc/default/bind9.<br />
On RedHat derived systems it is<br />
in /etc/sysconfig/named. Strictly speaking you only need either<br />
KEYTAB_FILE or KRB5_KTNAME, but which one depends on your distro,<br />
so it's easier to just set both.<br />
<br />
Then in your /etc/bind/named.conf.options you need this:<br />
<br />
tkey-gssapi-credential "DNS/samba.samdom.example.com";<br />
tkey-domain "SAMDOM.EXAMPLE.COM";<br />
<br />
The hostname in the first line must match the 'additional' response from<br />
a SOA lookup on your domain name (you can check that with "host -v -t SOA samdom.example.com")<br />
<br />
The way the automatic DNS update in Samba works is that the provision<br />
will create a file /usr/local/samba/private/dns_update_list, which<br />
contains a list of DNS entries that Samba will try to dynamically<br />
update at startup and every 10 minutes thereafter. Updates will only<br />
happen if the DNS entries do not already exist.<br />
<br />
If you want to debug this process, then please run this as root:<br />
<br />
/usr/local/samba/sbin/samba_dnsupdate --verbose<br />
<br />
that will give you more information on the updates that Samba is doing<br />
at runtime, and show you any errors that are generated.<br />
<br />
If you are joining Samba4 to an existing Windows DNS domain, or you<br />
are using a Windows DNS server instead of bind9, then you need<br />
bind version 9.7.2rc1 (or higher) for the nsupdate command to correctly work<br />
with recent versions of Windows. If you don't have bind 9.7.2rc1 or better,<br />
recent Windows clients (such as Windows7 and Win2K8) won't be able to<br />
do dynamic DNS updates to your bind9 server, and bind9 won't be able<br />
to do dynamic DNS updates against a Windows DNS server.<br />
<br />
Until your distribution's Bind package is updated,<br />
you can get an appropriate version like this (applies to current Debian/Ubuntu-based systems):<br />
<br />
$ sudo apt-get build-dep bind9<br />
$ sudo apt-get install ccache<br />
$ wget http://ftp.isc.org/isc/bind9/9.7.2/bind-9.7.2.tar.gz<br />
$ tar -xvf bind-9.7.2.tar.gz<br />
$ cd bind-9.7.2<br />
<br />
For some installations, you may want to change your prefix to /usr/local and keep the rest of the options. Alternatively, you can just build and install.<br />
<br />
$ ./configure<br />
$ make<br />
$ sudo make install<br />
<br />
Now you have to ensure that bind can read the dns.keytab file, the<br />
named.conf file and the zone file. It also needs to be able to write<br />
the zone file. The Samba provision tries to set up the permissions<br />
correctly for these files, but you may find you need to make changes<br />
in your Apparmor or SELinux configuration if you are running either of<br />
those. If you are using Apparmor then the aa-logprof command may help<br />
you add any missing permissions after you start Samba<br />
and bind9 for the first time after configuring them.<br />
<br />
You should also carefully check the permissions on the private/dns directory to ensure it is writable by bind. <br />
<br />
On some systems you may also find that you need to symlink the dns.keytab file as<br />
/etc/krb5.keytab, as bind may not honor the environment variables for the location<br />
of this file.<br />
<br />
== NOTE about filesystem support ==<br />
<br />
To use the advanced features of Samba4 you need a filesystem that<br />
supports both the "user" and "system" xattr namespaces.<br />
<br />
If you run Linux with a 2.6 kernel and ext3 this means you need to<br />
include the option "user_xattr" in your /etc/fstab. For example:<br />
<br />
/dev/hda3 /home ext3 user_xattr 1 1<br />
<br />
You also need to compile your kernel with the XATTR and SECURITY<br />
options for your filesystem. For ext3 that means you need:<br />
<br />
CONFIG_EXT3_FS_XATTR=y<br />
CONFIG_EXT3_FS_SECURITY=y<br />
<br />
If you are running a Linux 2.6 kernel with CONFIG_IKCONFIG_PROC<br />
defined you can check this with the following command:<br />
<br />
$ zgrep CONFIG_EXT3_FS /proc/config.gz<br />
<br />
If you don't have a filesystem with xattr support, then you can<br />
simulate it by using the option:<br />
<br />
posix:eadb = /usr/local/samba/eadb.tdb<br />
<br />
that will place all extra file attributes (NT ACLs, DOS EAs, streams<br />
etc), in that tdb. It is not efficient, and doesn't scale well, but at<br />
least it gives you a choice when you don't have a modern filesystem.<br />
<br />
=== Testing your filesystem ===<br />
<br />
To test your filesystem support, install the 'attr' package and run<br />
the following 4 commands as root:<br />
<br />
# touch test.txt<br />
# setfattr -n user.test -v test test.txt<br />
# setfattr -n security.test -v test2 test.txt<br />
# getfattr -d test.txt<br />
# getfattr -n security.test -d test.txt<br />
<br />
You should see output like this:<br />
<br />
# file: test.txt<br />
user.test="test"<br />
<br />
# file: test.txt<br />
security.test="test2"<br />
<br />
If you get any "Operation not supported" errors then it means your<br />
kernel is not configured correctly, or your filesystem is not mounted<br />
with the right options.<br />
<br />
If you get any "Operation not permitted" errors then it probably means<br />
you didn't try the test as root.<br />
<br />
If you are using the posix:eadb option then you don't need to test your filesystem in this manner.<br />
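The same test as a script, added here as an example and not part of the HOWTO: it writes a "user" and a "security" attribute on a scratch file in the directory you pass, reads them back, and maps the error text to the diagnosis given above. It needs the 'attr' package and must be run as root.<br />

```shell
#!/bin/sh
# Added example (not from the Samba HOWTO): self-checking xattr namespace test.
# Usage (as root): sh check_xattr.sh --check /path/to/share/dir

# classify_xattr_error MESSAGE : ok | kernel-or-mount | not-root | unknown
# The mapping follows the HOWTO: "not supported" means kernel options or
# mount options, "not permitted" means the test was not run as root.
classify_xattr_error() {
    case "$1" in
        "")                          echo ok ;;
        *"Operation not supported"*) echo kernel-or-mount ;;
        *"Operation not permitted"*) echo not-root ;;
        *)                           echo unknown ;;
    esac
}

# try_xattr NAME VALUE FILE : set the attribute, read it back, print the classification
try_xattr() {
    name=$1; value=$2; file=$3
    # capture only stderr from setfattr; a successful call prints nothing
    err=$(setfattr -n "$name" -v "$value" "$file" 2>&1 >/dev/null) || true
    result=$(classify_xattr_error "$err")
    if [ "$result" = ok ]; then
        # setting worked; make sure the value actually survives a read back
        got=$(getfattr -n "$name" --only-values "$file" 2>/dev/null) || got=
        [ "$got" = "$value" ] || result=readback-mismatch
    fi
    echo "$result"
}

# check_filesystem DIR : test both namespaces on a scratch file in DIR; 0 when both work
check_filesystem() {
    dir=${1:-.}
    command -v setfattr >/dev/null 2>&1 || { echo "setfattr not found: install the 'attr' package"; return 2; }
    file=$dir/samba_xattr_test.$$
    touch "$file" || return 2
    u=$(try_xattr user.test test "$file")
    s=$(try_xattr security.test test2 "$file")
    rm -f "$file"
    echo "user namespace:     $u"
    echo "security namespace: $s"
    [ "$u" = ok ] && [ "$s" = ok ]
}

case "${1:-}" in
    --check) check_filesystem "${2:-.}" ;;
esac
```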
<br />
= Configure a Windows Client to join a Samba 4 Active Directory =<br />
<br />
Active Directory is a powerful administration service which enables an administrator to centrally and effectively manage a network of Windows 2000, Windows XP Pro, Windows 2003, and Windows Vista Business Edition machines. To test the real Samba 4 capability, we use Windows XP Pro as the testing environment (Windows XP Home doesn't include Active Directory functionality and won't work).<br />
<br />
To allow Samba 4 Active Directory or Microsoft Active Directory to manage a computer, we need to join the computer to the domain.<br />
This involves:<br />
<br />
# Configuring DNS Setting<br />
# Configuring date/time and time zone<br />
# Joining the domain<br />
<br />
== Step 1: Configure DNS Setting for Windows ==<br />
<br />
Before we configure the DNS setting, verify that you are able to ping the Server's IP Address. If you are not able to ping the server, double check your IP address, firewall, routing, etc.<br />
<br />
Once you have verified network connectivity between the Samba server and client,<br />
<br />
# Right click My Network Places -> Properties<br />
# Double click Local Area Connection -> Properties<br />
# Double click TCP/IP<br />
# Use a static DNS server: add the Samba 4 server's IP address in the primary DNS server field. [[:Image:http://www.extraknowledge.org/xoops/images/samba/dnsclient.jpg]]<br />
# Press OK, OK, OK again until finished.<br />
# Open a command prompt and type 'ping servername.your.realm' (change this to suit your custom realm per your provision)<br />
<br />
If you get replies, then your Windows XP settings are correct (for DNS) and the Samba4 server's DNS service is working as well.<br />
<br />
== Step 2: Configure date/time and time zone ==<br />
<br />
Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clock on the client and server be synchronized to within a few seconds of each other. If they are not synchronized, authentication will fail for apparently no reason.<br />
<br />
# Change the time zone in Windows XP Pro so that server and client use the same time zone. On my computer I use Asia/Kuala_Lumpur (I come from Malaysia). [[:Image:http://www.extraknowledge.org/xoops/images/samba/timezone.jpg]]<br />
# Change the date/time so that the client has the same HH:MM as the server. [[:Image:http://www.extraknowledge.org/xoops/images/samba/time.jpg]]<br />
<br />
== Step 3: Joining the Windows client into domain ==<br />
<br />
Now your Windows client is ready to join the Active Directory (AD) domain.<br />
<br />
As administrator:<br />
<br />
# Right click My Computer -> Properties<br />
# Choose Computer Name, click Change...<br />
# Click the 'Domain' option and enter YOUR.REALM (if that fails, try YOURDOM) [[:Image:http://www.extraknowledge.org/xoops/images/samba/joindomain.jpg]]<br />
# When it requests a username/password, type '''administrator''' as username and '''SOMEPASSWORD''' as password (per your earlier provision).<br />
# It will tell you that Windows XP has successfully joined the Active Directory domain and that you need to restart.<br />
# After the restart, you should get the normal domain logon dialog<br />
# Choose domain YOURDOM, enter '''administrator''' as username and '''SOMEPASSWORD''' as password (again, per your earlier provision)<br />
# If you log in successfully, you can go on to use the Samba 4 Active Directory services described in the next section.<br />
<br />
= Viewing Samba 4 Active Directory object from Windows XP Pro =<br />
<br />
We need to install the Windows 2003 adminpak on Windows XP in order to use<br />
GUI tools to manage the domain. Before you begin, make sure the domain<br />
administrator has administrative rights on your computer. (To<br />
give any user administrative rights in Windows XP Pro, right click My<br />
Computer, press Manage -> choose Groups -> double click Administrators<br />
and add members from the domain to the member list. When you add a<br />
member from Active Directory, it will prompt you to enter an<br />
Active Directory username/password.)<br />
<br />
== Step 1: Installing Windows Remote Administration Tools onto Windows ==<br />
<br />
=== Windows 7 ===<br />
<br />
Download the Windows Remote Administration Tools from<br />
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en<br />
<br />
and follow the "Install RSAT" instructions<br />
<br />
=== Vista ===<br />
<br />
Download the Windows Remote Administration Tools from<br />
http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en<br />
<br />
and follow the "Install RSAT" instruction described at<br />
http://support.microsoft.com/kb/941314<br />
<br />
=== Windows XP Pro ===<br />
<br />
# In Windows XP, download adminpak and the support tools from<br />
#: http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en<br />
#: http://download.microsoft.com/download/3/e/4/3e438f5e-24ef-4637-abd1-981341d349c7/WindowsServer2003-KB892777-SupportTools-x86-ENU.exe<br />
# Run through the installation.<br />
# Press Start -> Run and type 'dsa.msc'. If an 'Active Directory Users and Computers' window opens, adminpak was installed successfully. You can also find it at Start > Programs > Administrative Tools, which should have a lot more items now.<br />
# Go to c:\Program Files\Support Tools to check whether the support tools were installed correctly; if so, your XP workstation is ready to manage the Samba 4 Active Directory.<br />
<br />
== Step 2: Viewing samba 4 active directory content ==<br />
<br />
# Log in as the domain 'testing1.org' administrator and press Start -> Run.<br />
# Type dsa.msc<br />
#* [[:Image:http://www.extraknowledge.org/xoops/images/samba/run.jpg]]<br />
# Expand the testing1.org tree to see the existing objects in the domain. [[:Image:http://www.extraknowledge.org/xoops/images/samba/dsa.msc.jpg]]<br />
<br />
= Managing Samba 4 Active Directory From Windows XP Pro =<br />
One of Samba4's goals is to integrate with (and replace) Active Directory as a system. At this point, if everything has worked correctly you should have an "Administrative Tools" menu under Programs. If, under Administrative Tools, you have "Active Directory Users and Computers", that is a very good sign. Most times, if there is a configuration problem or a bug in Samba4, AD Users & Computers (among other interfaces) won't show up as an option. You can run it by hand (Start -> Run -> dsa.msc) but it's unlikely to work correctly.<br />
<br />
<br />
== Step 1: Adding user into Samba 4 Active Directory ==<br />
Unlike Samba3, Samba4 does not require a local unix user for each Samba user that is created.<br />
<br />
To create a Samba user, use the command <br />
<br />
net newuser USERNAME<br />
<br />
If you get this error message :<br />
<br />
ImportError: No module named samba.netcmd<br />
<br />
run this command<br />
<br />
export PYTHONPATH=/usr/local/samba/lib/python2.6/site-packages/<br />
<br />
Make sure you run the Samba4 version of net, if you also have Samba3 installed.<br />
<br />
To inspect the allocated user ID and SID, use wbinfo:<br />
<br />
$ bin/wbinfo --name-to-sid USERNAME<br />
S-1-5-21-4036476082-4153129556-3089177936-1005 SID_USER (1)<br />
<br />
$ bin/wbinfo --sid-to-uid S-1-5-21-4036476082-4153129556-3089177936-1005<br />
3000011<br />
<br />
If you want to change this mapping, then use ldbedit on idmap.ldb,<br />
like this:<br />
<br />
$ bin/ldbedit -e emacs -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
You will find records that look like this:<br />
<br />
# record 1<br />
dn: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
cn: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
objectClass: sidMap<br />
objectSid: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
type: ID_TYPE_BOTH<br />
xidNumber: 3000011<br />
distinguishedName: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
If you change the xidNumber attribute, then save and exit your editor,<br />
Samba will update the mapping between the SID and the user<br />
ID. Updating group mappings works in the same way.<br />
<br />
You can also manage users using the normal Windows AD user management<br />
tools.<br />
<br />
= Setting Up Roaming Profiles (Windows 7) =<br />
<br />
1. You will need to create a share for the profiles, typically named '''profiles'''. Edit the ''/usr/local/samba/etc/smb.conf'' to include:<br />
<br />
[profiles]<br />
path = /usr/local/samba/var/profiles<br />
read only = no<br />
<br />
2. Create the directory above using:<br />
<br />
$ sudo mkdir /usr/local/samba/var/profiles<br />
<br />
3. On Windows, start ''Active Directory Users and Computers'', select all the users, right click and choose Properties<br />
<br />
4. Under the profile tab, in the ''Profile path'' type the path to your share along with %USERNAME% as follows:<br />
<br />
\\sambaserver.samdom.example.com\profiles\%USERNAME%<br />
<br />
5. Click OK, log out and log in as one of those users. When you log out again, you should see that the profile has been synced to the Samba server.<br />
<br />
= Adding organization unit (OU) into samba 4 domain =<br />
<br />
An Organizational Unit (OU) is a powerful feature of Active<br />
Directory. It is a type of container into which you can drag and drop<br />
users and/or computers.<br />
<br />
We can link several kinds of group policy to an OU, and the settings<br />
will be deployed to all users/computers under the OU. Within a single domain<br />
we can have as many OUs and sub-OUs as we like. The result is that<br />
administrative overhead can be greatly reduced, because everything can be<br />
managed via an OU. The implementation of group policy will<br />
be discussed in the next chapter.<br />
<br />
Before we create an OU, we must know what an OU looks like. By default<br />
we can see a sample OU, 'Domain Controllers', which uses a different<br />
icon in the Windows management tools from the 'Users' and 'Computers'<br />
containers. We can deploy group policy to the users or computers container.<br />
<br />
# To create an OU, as the domain administrator, use Start -> Run -> dsa.msc<br />
# Right click on your domain.<br />
# Choose New -> Organizational Unit<br />
# Type 'OU Demo'<br />
# You will then see a new OU appear with the name 'OU Demo'.<br />
# You can drag your user 'demo' into the new OU (don't move other users, unless you want to get stuck!)<br />
# Right click 'OU Demo'; you can create a sub-OU with New -> Organizational Unit.<br />
<br />
Normally we create OUs based on the departmental setup of your<br />
organization. Be careful not to confuse groups and OUs: groups are<br />
used to control permissions, OUs are used to deploy settings to<br />
all users/computers within the OU.<br />
<br />
= Implementing Group Policies (GPO) in a Samba4 domain =<br />
<br />
Samba4 Active Directory has support for group policies, and can create<br />
the group policy on the fly. The basic idea of group policies is:<br />
<br />
# Group Policies have 2 kinds of settings: computer and user.<br />
# Computer settings apply to computers, user settings apply to users<br />
# We link the group policy to a particular OU, and the group policy will affect all computers/users under the OU.<br />
<br />
# To add a group policy, right click the 'OU Demo' OU -> Properties<br />
# Choose Group Policy<br />
# Press New, and name it 'GP Demo'<br />
# Press Edit to edit the policy.<br />
# Here we will demonstrate how to block users from accessing the Control Panel. Open the tree 'User Configuration' -> 'Administrative Templates' -> 'Control Panel'.<br />
# Double click on 'Prohibit access to the Control Panel'<br />
# Press Enabled and then press OK. Now all users under 'OU Demo' won't be able to access the Control Panel.<br />
# Make sure user demo is inside 'OU Demo' (you can drag and drop it).<br />
# Log out and log in as user 'demo'<br />
# You'll find user demo is not able to access the Control Panel<br />
<br />
* Note that user configuration takes effect once you log out and log in again.<br />
* Computer configuration takes effect when you restart the computer<br />
<br />
To learn more about managing and implementing organizational units, group policy, and Active Directory, try a web search for Windows 2003 Active Directory implementation.<br />
<br />
== Installing the Group Policy Management Console ==<br />
<br />
You may also find the Group Policy Management console useful. You can<br />
download it from:<br />
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en<br />
<br />
This is primarily useful for when you have larger installs and<br />
are managing many machines. You may need to download the .NET<br />
framework first.<br />
<br />
= Joining a Windows domain controller as an additional DC in a domain =<br />
<br />
Once you have a Samba domain controller setup, you can choose to join<br />
additional domain controllers to the domain, whether they be<br />
additional Samba domain controllers, or additional Windows domain<br />
controllers.<br />
<br />
If you wish to join an additional Samba domain controller to a domain,<br />
then please see the [[Samba4/HOWTO/Join a domain as a DC|Joining a domain as a DC]] page. The instructions<br />
on that page are the same for joining Samba to a Windows domain as<br />
they are for joining Samba to an existing Samba domain.<br />
<br />
If you wish to join a new Windows domain controller to a Samba domain,<br />
then you should use the 'dcpromo' tool on the Windows machine. Please<br />
see the normal instructions for installing dcpromo on Windows, with<br />
the exception that you should not tick the 'DNS server' option box<br />
when it is offered. Right now you should either use Windows for DNS,<br />
or use Samba and bind9 for DNS. Mixing the two can work, but it is an<br />
advanced topic that is beyond the scope of this howto.<br />
<br />
== Report your success/failure! ==<br />
<br />
Samba4 as a replicating domain controller is still developing rapidly,<br />
and we like to hear from users about their successes and<br />
failures. While Samba4 is still in alpha release we would encourage<br />
you to report both your successes and failures to the samba-technical<br />
mailing list on http://lists.samba.org<br />
<br />
Please be aware that Samba4 is not complete, so you should deploy it<br />
carefully until it is ready for a non-alpha release.</div>Ekacnethttps://wiki.samba.org/index.php?title=Setting_up_Samba_as_an_Active_Directory_Domain_Controller&diff=5590Setting up Samba as an Active Directory Domain Controller2010-10-08T09:38:38Z<p>Ekacnet: /* Samba4 HOWTO */</p>
<hr />
<div>= Samba4 HOWTO =<br />
tridge@samba.org, December 2004<br />
<br />
Updates:<br />
asn@redhat.com, December 2009<br />
tridge@samba.org, February 2010 (for alpha12)<br />
mat@samba.org, July 2010 (adapt to waf build)<br />
mat@samba.org, Oct 2010 (update rsync link)<br />
<br />
<br />
This is a very basic document on how to setup a simple Samba4<br />
server. This is aimed at people who are already familiar with Samba3<br />
and wish to participate in Samba4 development or test the alpha<br />
releases of Samba4. This is not aimed at general production use of<br />
Samba4, although some brave sites are running Samba4 in production<br />
based on these instructions.<br />
<br />
== Video demonstrations of this HOWTO ==<br />
<br />
A set of [[samba4/videos|demonstration videos]] is available that<br />
may provide a useful overview of the contents of this HOWTO.<br />
<br />
== A note on alpha versions ==<br />
<br />
Samba4 is developing very rapidly. This HOWTO has recently been<br />
updated to reflect the changes made in February 2010 in preparation<br />
for the Samba4-alpha12 release. As of today, the alpha12 release has<br />
not been done, although we expect it to be made soon. To completely<br />
follow these instructions you will need an up to date git version of<br />
Samba4, checked out on February 26th 2010 or later.<br />
<br />
== Step 1: Download Samba4 ==<br />
<br />
If you have downloaded the Samba4 code via a tarball released from the<br />
samba.org website, Step 1 has already been completed for you. For testing<br />
with the version released in the tarball, you may continue on to Step 2.<br />
<br />
Note that the references below to the top-level directory named<br />
"samba-master" will instead be based on the name of the tarball<br />
downloaded (e.g. "samba-4.0.0alpha13" for the tarball<br />
samba-4.0.0alpha13.tar.gz). Also note that in the "master" branch the<br />
samba4 code is located in the "source4/" subdirectory (it was in the<br />
"source/" subdirectory in the "v4-0-test" branch).<br />
<br />
There is currently only one method (the rsync method currently produces a broken source tree):<br />
<br />
* via git<br />
<br />
This will create a directory called "samba-master" in the current<br />
directory. If you don't have git then install it, or stick to the latest tarball release.<br />
<br />
If you have a choice, we strongly recommend using the git method for<br />
downloading Samba, as it makes getting updates easier, and also allows<br />
you to integrate test patches from Samba developers more easily in<br />
case of problems.<br />
<br />
=== git ===<br />
<br />
$ git clone git://git.samba.org/samba.git samba-master; cd samba-master<br />
<br />
If you want to update the tree to the latest version run:<br />
<br />
$ git pull<br />
<br />
== Step 2: Compile Samba4 ==<br />
<br />
Recommended optional development libraries:<br />
*acl and xattr development libraries (libattr1-dev package in Debian/Ubuntu)<br />
*blkid development libraries (libblkid-dev package in Debian/Ubuntu)<br />
*gnutls (libgnutls-dev package in Debian/Ubuntu)<br />
*readline (libreadline5-dev package in Debian/Ubuntu)<br />
*Python development libraries (python-dev in Debian/Ubuntu) required to compile<br />
*Autoconf for autogen.<br />
<br />
Combined, for Debian:<br />
<br />
$ apt-get install build-essential libattr1-dev libblkid-dev libgnutls-dev libreadline5-dev python-dev autoconf python-dnspython gdb<br />
<br />
For Fedora:<br />
<br />
$ yum install libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb<br />
<br />
Since only released versions of Samba contain a pre-generated configure script, <br />
you will have to generate it by hand if you downloaded the source with rsync or git:<br />
<br />
$ cd samba-master/source4<br />
$ ./autogen.sh<br />
<br />
Run this:<br />
<br />
$ cd samba-master/source4<br />
$ ./configure.developer<br />
$ make<br />
<br />
The above commands will set up Samba4 to install in /usr/local/samba. If<br />
you want Samba to install somewhere else then you should use the<br />
--prefix option to configure.developer.<br />
<br />
The reason we recommend using configure.developer rather than<br />
configure for Samba4 alpha releases is that it will include extra<br />
debug information that will help us diagnose problems in case of<br />
failures. It will also allow you to run the various builtin automatic<br />
tests.<br />
<br />
After building Samba, we recommend that you run<br />
<br />
$ make quicktest<br />
<br />
That will run a short (approximately 2 minute) set of tests to<br />
validate your build of Samba. While we try to be careful to ensure<br />
that all builds of Samba in the git repository are usable, sometimes a<br />
bug slips through, and 'make quicktest' is a fast way of checking that<br />
your build passes basic tests.<br />
<br />
The output of 'make quicktest' should end in a "ALL OK" message. If it<br />
doesn't, then please ask on the samba-technical mailing list or <br />
the #samba-technical IRC channel.<br />
<br />
== Step 3: Install Samba4 ==<br />
<br />
Run this as a user who has permission to write to the install<br />
directory (which defaults to /usr/local/samba). Use the --prefix option to<br />
configure.developer above to change this.<br />
<br />
$ make install<br />
<br />
For the rest of this HOWTO we will assume that you have installed<br />
Samba4 in the default location, which is /usr/local/samba.<br />
<br />
== Step 4: Provision Samba4 ==<br />
<br />
The "provision" step sets up a basic user database, and is used when you are setting up your Samba4<br />
server in its own domain. If you instead want to setup your Samba4 server as an additional domain controller<br />
in an existing domain, then please see the separate page on [[Samba4 joining a domain]].<br />
<br />
In the following examples we will assume your DNS domain name is<br />
'samdom.example.com' and your short (also known as NT4) domain name is<br />
'samdom'. We will assume that your Samba server's hostname is 'samba'.<br />
<br />
It must be run as a user with permission to write to the install directory (which means you may need to run this command with sudo)<br />
<br />
$ cd samba-master/source4<br />
$ ./setup/provision --realm=samdom.example.com --domain=SAMDOM --adminpass=SOMEPASSWORD --server-role='domain controller'<br />
<br />
If you get an error like this:<br />
<br />
tdb_open_ex: could not open file /usr/local/samba/private/sam.ldb.d/DC=SAMDOM,DC=EXAMPLE,DC=COM. ldb: Permission denied<br />
<br />
then you need to rerun with sudo.<br />
<br />
Troubleshooting note:<br />
you may need to remove the smb.conf file if a previous provision failed because you did not pass valid names.<br />
<br />
There are many other options you can pass to the 'provision' command, run it with the --help option to see a list of them.<br />
<br />
== Step 5: Starting Samba4 ==<br />
<br />
If you are planning to run Samba4 as a production server, then just run the "samba" binary as root<br />
<br />
# samba<br />
<br />
That will run Samba4 in 'standard' mode, which is suitable for<br />
production use. Samba4 alpha12 doesn't yet have init scripts included<br />
for each platform, but making one for your platform should not be<br />
difficult.<br />
<br />
If you are running Samba4 as a developer you may find<br />
the following more useful:<br />
<br />
# samba -i -M single<br />
<br />
that means start "samba" with messages in stdout, and running a<br />
single process. That mode of operation makes debugging "samba" with gdb<br />
particularly easy. If you want to launch it under gdb, then the following<br />
example could be useful:<br />
<br />
$ sudo gdb --args bin/samba -i -M single<br />
<br />
Note that if you are running any Samba3 smbd or nmbd processes<br />
they need to be stopped before starting "samba" from Samba 4.<br />
<br />
Make sure you put the bin and sbin directories from your new install<br />
in your $PATH or you may end up running the wrong version. You can see what version <br />
you have by running "samba -V".<br />
<br />
Note: in older developer versions of samba4 "samba" was still called "smbd".<br />
<br />
== Step 6: Testing Samba4 ==<br />
<br />
=== smbclient ===<br />
<br />
Try this command:<br />
<br />
$ smbclient -L localhost -U%<br />
<br />
That should show you a list of shares available on your server. For example:<br />
<br />
        Sharename       Type      Comment<br />
        ---------       ----      -------<br />
        test            Disk<br />
        netlogon        Disk<br />
        sysvol          Disk<br />
        IPC$            IPC       IPC Service (Samba 4.0.0alpha12-GIT-5e755e9)<br />
        ADMIN$          Disk      DISK Service (Samba 4.0.0alpha12-GIT-5e755e9)<br />
<br />
The 'netlogon' and 'sysvol' shares are basic shares needed for Active Directory server<br />
operation. <br />
<br />
To test that authentication is working, you should try to connect to the netlogon share<br />
using the administrator password you set earlier.<br />
<br />
$ smbclient //localhost/netlogon -Uadministrator%PASSWORD<br />
<br />
You should get a "smb>" prompt, and access to your netlogon directory.<br />
<br />
<br />
<br />
== Step 7 Create a share in smb.conf ==<br />
<br />
The provisioning will create a very simple smb.conf with no shares by<br />
default. For the server to be useful you will need to update it to<br />
have at least one share. For example:<br />
<br />
[test]<br />
path = /data/test<br />
read only = no<br />
<br />
Note that in current alpha versions of Samba4 you need to restart Samba<br />
to make new shares visible. This will be fixed in a future release.<br />
<br />
== Step 8 Configure DNS ==<br />
<br />
A working DNS setup is essential to the correct operation of<br />
Samba4. Without the right DNS entries, kerberos won't work, which in<br />
turn means that many of the basic features of Samba4 won't work.<br />
<br />
It is worth spending some extra time to ensure your DNS setup is just<br />
right, as debugging problems caused by mis-configured DNS can take a<br />
lot of time later on.<br />
<br />
The simplest way to get a working DNS setup for Samba4 is to start<br />
with the DNS zone and configuration files that are created by the<br />
'provision' step above. If you look in /usr/local/samba/private<br />
directory, you'll find a file called 'named.conf' and another one<br />
called samdom.example.com.zone (adjusted for your real DNS domain name<br />
of course!).<br />
<br />
Assuming you have a bind9 DNS server installed, you can activate the<br />
configuration that the provision has created by adding a line like<br />
this to /etc/bind/named.conf.local:<br />
<br />
include "/usr/local/samba/private/named.conf";<br />
<br />
After adding that line you should restart your bind server and check<br />
in the system logs for any problems.<br />
<br />
One common problem is that many modern Linux distributions activate<br />
'Apparmor' or 'SELinux' by default, and these may be configured to<br />
deny bind access to the named.conf and zone files created in<br />
the provision. If your bind logs show that bind is getting an access<br />
denied error accessing these files then please see your local system<br />
documentation for how to enable access to these files in bind (hint:<br />
for Apparmor systems such as Ubuntu, the command aa-logprof may be<br />
useful).<br />
<br />
Now you need to test that DNS is working correctly. Check that your<br />
/etc/resolv.conf is pointing correctly at your local DNS server, then<br />
run the following commands:<br />
<br />
$ host -t SRV _ldap._tcp.samdom.example.com.<br />
_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com.<br />
<br />
$ host -t SRV _kerberos._udp.samdom.example.com.<br />
_kerberos._udp.samdom.example.com has SRV record 0 100 88 samba.samdom.example.com.<br />
<br />
$ host -t A samba.samdom.example.com.<br />
samba.samdom.example.com has address 10.0.0.1<br />
<br />
Check that you get answers similar to the ones above (adjusted for<br />
your DNS domain name and hostname). If you get any errors then<br />
carefully check your system logs to find and fix the problem.<br />
<br />
*Note: One of the problems I've had on Debian systems is that the zone autogeneration always detects, and uses, 127.0.1.1 as the domain controller's IP address. That works fine until you 1) don't have a 127.0.1.1 interface on the machine or 2) go to join your first client to the domain. In /usr/local/samba/private/named.conf you might need to change 127.0.1.1 to reflect the actual IP address of the server you're setting up.<br />
<br />
== Step 9: Testing kerberos ==<br />
<br />
Once DNS is working, you should test that the kerberos server built into<br />
Samba4 is working correctly. The easiest test is to use the kinit<br />
command like this:<br />
<br />
$ kinit administrator@SAMDOM.EXAMPLE.COM<br />
Password:<br />
<br />
''Note:''<br><br />
: You have to give your 'domain realm SAMDOM.EXAMPLE.COM' in <b>uppercase letters</b> to kinit.<br />
<br />
The kinit should complete successfully. After it completes you can<br />
examine the received ticket like this:<br />
<br />
$ klist -e<br />
Ticket cache: FILE:/tmp/krb5cc_1000<br />
Default principal: administrator@SAMDOM.EXAMPLE.COM<br />
<br />
Valid starting Expires Service principal<br />
02/10/10 19:39:48 02/11/10 19:39:46 krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM<br />
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5<br />
<br />
If you find you don't have kinit or klist, you may need to install them. On debian based<br />
systems (such as Ubuntu) the packages are called krb5-config and krb5-user.<br />
<br />
You can also test Kerberos from a remote client; just make sure you have configured its<br />
krb5.conf and resolv.conf to point to the domain controller's IP address.<br />
<br />
''Note:''<br><br />
: If you are using a client behind NAT then you have to add the following to the krb5.conf on the domain controller server:<br />
<br />
[kdc]<br />
check-ticket-addresses = false<br />
<br />
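For the remote-client test just mentioned, the following is a client-side krb5.conf for the HOWTO's example realm. It is added here as an illustration and is not generated by Samba or taken from the original HOWTO; the hostnames and realm are the HOWTO's examples, and the settings are standard MIT/Heimdal krb5.conf options. The [kdc] section belongs in the krb5.conf read by the Samba4 KDC on the domain controller, as the note above says, not on the client.<br />
<br />
```ini
# Client-side /etc/krb5.conf for testing against the Samba4 DC (added example)
[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    # locate the KDC through the _kerberos._udp SRV record tested in Step 8
    dns_lookup_kdc = true

[realms]
    SAMDOM.EXAMPLE.COM = {
        # static fallback in case the SRV lookup is unavailable
        kdc = samba.samdom.example.com
        admin_server = samba.samdom.example.com
    }

[domain_realm]
    .samdom.example.com = SAMDOM.EXAMPLE.COM
    samdom.example.com = SAMDOM.EXAMPLE.COM

# Domain controller only, and only if clients sit behind NAT (see the note above):
# [kdc]
#     check-ticket-addresses = false
```
<br />
Be aware of what check-ticket-addresses = false gives up: the KDC stops checking that the address list inside a ticket matches the host presenting it, so a stolen TGT can be used from anywhere. The less invasive approach is to leave the KDC alone and set noaddresses = true under [libdefaults] on the client, so that its tickets carry no address list for the KDC to compare against.<br />
<br />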
== Step 10: Configure Kerberos DNS dynamic updates ==<br />
<br />
If you have a current version of bind9 (tested with bind version 9.6.1<br />
on Ubuntu), then the current Samba4 git tree will automatically setup<br />
and configure a file called /usr/local/samba/private/named.conf.update, which you can include in your master named.conf to allow Samba/Kerberos DNS updates to automatically take place. Be advised that if you include this file in Bind versions that don't support it, Bind will fail to start.<br />
<br />
You additionally need to set two environment variables for bind9:<br />
<br />
KEYTAB_FILE="/usr/local/samba/private/dns.keytab"<br />
KRB5_KTNAME="/usr/local/samba/private/dns.keytab"<br />
export KEYTAB_FILE<br />
export KRB5_KTNAME<br />
<br />
These should be put in your settings file for bind9. On Debian based<br />
systems this is in /etc/default/bind9. On RedHat derived systems it is<br />
in /etc/sysconfig/named. Strictly speaking you only either need<br />
KEYTAB_FILE or KRB5_KTNAME, but which you need depends on your distro,<br />
so it's easier to just set both.<br />
<br />
Then in your /etc/bind/named.conf.options you need this:<br />
<br />
tkey-gssapi-credential "DNS/samba.samdom.example.com";<br />
tkey-domain "SAMDOM.EXAMPLE.COM";<br />
<br />
The hostname in the first line must match the 'additional' response from<br />
a SOA lookup on your domain name (you can check that with "host -v -t SOA samdom.example.com")<br />
<br />
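The lookups in Step 8 and the hostname match required for tkey-gssapi-credential are easy to get subtly wrong, so here is a small POSIX shell script that automates them. It is an added example, not part of the original HOWTO or of Samba. It assumes host(1) from the bind utilities, reads /etc/bind/named.conf.options, compares the credential's hostname with the primary name server in the SOA record, and treats a loopback answer for the DC's A record as a failure (the Debian 127.0.1.1 problem noted in Step 8). The hostnames, realm and addresses are the HOWTO's examples; the function names are the script's own.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the HOWTO): post-provision DNS sanity checks for a Samba4 DC.

# Target host of a "host -t SRV" answer, without the trailing dot, e.g. from
# "_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com."
srv_target() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Port field of the same answer (389 for LDAP, 88 for Kerberos).
srv_port() {
    printf '%s\n' "$1" | awk '/has SRV record/ { print $(NF-1); exit }'
}

# Succeeds only if a "host -t A" answer carries a non-loopback address:
# a DC that advertises 127.x cannot be reached by any client.
a_record_is_routable() {
    addr=$(printf '%s\n' "$1" | awk '/has address/ { print $NF; exit }')
    case "$addr" in
        ''|127.*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Hostname inside  tkey-gssapi-credential "DNS/<host>";  reads named.conf.options on stdin.
gssapi_credential_host() {
    sed -n 's/^[[:space:]]*tkey-gssapi-credential[[:space:]]*"DNS\/\([^"]*\)".*/\1/p'
}

# Live check through the resolver in /etc/resolv.conf.  $1: the AD DNS domain.
check_dc_dns() {
    domain=$1; status=0
    for svc in _ldap._tcp:389 _kerberos._udp:88; do
        name=${svc%:*}; want=${svc#*:}
        ans=$(host -t SRV "$name.$domain." 2>&1) || ans=""
        tgt=$(srv_target "$ans"); port=$(srv_port "$ans")
        if [ -z "$tgt" ] || [ "$port" != "$want" ]; then
            echo "FAIL: $name.$domain (got: $ans)"; status=1; continue
        fi
        a=$(host -t A "$tgt." 2>&1) || a=""
        if a_record_is_routable "$a"; then
            echo "OK:   $name.$domain -> $tgt ($a)"
        else
            echo "FAIL: $tgt has no usable A record (got: $a)"; status=1
        fi
    done
    # The credential host must be the name the SOA record points at (see the text above).
    if [ -r /etc/bind/named.conf.options ]; then
        cred=$(gssapi_credential_host < /etc/bind/named.conf.options)
        soa=$(host -t SOA "$domain." 2>/dev/null | awk '/has SOA record/ { sub(/\.$/, "", $5); print $5; exit }')
        if [ -n "$cred" ] && [ "$cred" != "$soa" ]; then
            echo "FAIL: tkey-gssapi-credential names $cred but the SOA primary is $soa"; status=1
        fi
    fi
    return $status
}

# Run the live checks only when a domain is given:  sh dccheck.sh samdom.example.com
if [ "$#" -gt 0 ]; then
    check_dc_dns "$1"
fi
```
<br />
Run it on the DC after the provision (and again after every change to named.conf); a FAIL reporting a 127.x address for the DC is exactly the Debian problem described in Step 8, and a FAIL on the credential line means bind will reject every GSS-TSIG update Samba sends.<br />
<br />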
The way the automatic DNS update in Samba works is that the provision<br />
will create a file /usr/local/samba/private/dns_update_list, which<br />
contains a list of DNS entries that Samba will try to dynamically<br />
update at startup and every 10 minutes thereafter. Updates will only<br />
happen if the DNS entries do not already exist.<br />
<br />
If you want to debug this process, then please run this as root:<br />
<br />
/usr/local/samba/sbin/samba_dnsupdate --verbose<br />
<br />
that will give you more information on the updates that Samba is doing<br />
at runtime, and show you any errors that are generated.<br />
<br />
If you are joining Samba4 to an existing Windows DNS domain, or you<br />
are using a Windows DNS server instead of bind9, then you need<br />
bind version 9.7.2rc1 (or higher) for the nsupdate command to correctly work<br />
with recent versions of Windows. If you don't have bind 9.7.2rc1 or better,<br />
recent Windows clients (such as Windows7 and Win2K8) won't be able to<br />
do dynamic DNS updates to your bind9 server, and bind9 won't be able<br />
to do dynamic DNS updates against a Windows DNS server.<br />
<br />
Until your distribution's Bind package is updated,<br />
you can get an appropriate version like this (Applies for current Debian/Ubuntu-based systems).<br />
<br />
$ sudo apt-get build-dep bind9<br />
$ sudo apt-get install ccache<br />
$ wget http://ftp.isc.org/isc/bind9/9.7.2/bind-9.7.2.tar.gz<br />
$ tar -xvf bind-9.7.2.tar.gz<br />
$ cd bind-9.7.2<br />
<br />
For some installations, you may want to change your prefix to /usr/local and keep the rest of the options. Alternatively, you can just build and install.<br />
<br />
$ ./configure<br />
$ make<br />
$ sudo make install<br />
<br />
Now you have to ensure that bind can read the dns.keytab file, the<br />
named.conf file and the zone file. It also needs to be able to write<br />
the zone file. The Samba provision tries to setup the permissions<br />
correctly for these files, but you may find you need to make changes<br />
in your Apparmor or SELinux configuration if you are running either of<br />
those. If you are using Apparmor then the aa-logprof command may help<br />
you add any missing permissions you need to add after you start Samba<br />
and bind9 for the first time after configuring them.<br />
<br />
You should also carefully check the permissions on the private/dns directory to ensure it is writable by bind. <br />
<br />
On some systems you may also find that you need to symlink the dns.keytab file as<br />
/etc/krb5.keytab, as bind may not honor the environment variables for the location<br />
of this file.<br />
<br />
== NOTE about filesystem support ==<br />
<br />
To use the advanced features of Samba4 you need a filesystem that<br />
supports both the "user" and "system" xattr namespaces.<br />
<br />
If you run Linux with a 2.6 kernel and ext3 this means you need to<br />
include the option "user_xattr" in your /etc/fstab. For example:<br />
<br />
/dev/hda3 /home ext3 user_xattr 1 1<br />
<br />
You also need to compile your kernel with the XATTR and SECURITY<br />
options for your filesystem. For ext3 that means you need:<br />
<br />
CONFIG_EXT3_FS_XATTR=y<br />
CONFIG_EXT3_FS_SECURITY=y<br />
<br />
If you are running a Linux 2.6 kernel with CONFIG_IKCONFIG_PROC<br />
defined you can check this with the following command:<br />
<br />
$ zgrep CONFIG_EXT3_FS /proc/config.gz<br />
<br />
If you don't have a filesystem with xattr support, then you can<br />
simulate it by using the option:<br />
<br />
posix:eadb = /usr/local/samba/eadb.tdb<br />
<br />
that will place all extra file attributes (NT ACLs, DOS EAs, streams<br />
etc), in that tdb. It is not efficient, and doesn't scale well, but at<br />
least it gives you a choice when you don't have a modern filesystem.<br />
<br />
=== Testing your filesystem ===<br />
<br />
To test your filesystem support, install the 'attr' package and run<br />
the following commands as root:<br />
<br />
# touch test.txt<br />
# setfattr -n user.test -v test test.txt<br />
# setfattr -n security.test -v test2 test.txt<br />
# getfattr -d test.txt<br />
# getfattr -n security.test -d test.txt<br />
<br />
You should see output like this:<br />
<br />
# file: test.txt<br />
user.test="test"<br />
<br />
# file: test.txt<br />
security.test="test2"<br />
<br />
If you get any "Operation not supported" errors then it means your<br />
kernel is not configured correctly, or your filesystem is not mounted<br />
with the right options.<br />
<br />
If you get any "Operation not permitted" errors then it probably means<br />
you didn't try the test as root.<br />
<br />
If you are using the posix:eadb option then you don't need to test your filesystem in this manner.<br />
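<br />
The manual test above can be scripted so that the two error messages it mentions are turned into a diagnosis automatically. The following POSIX shell script is an added example, not part of the original HOWTO or of Samba; it needs setfattr/getfattr from the 'attr' package, must be run as root on a directory of the filesystem you intend to share, and uses a probe file name and function names of its own.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the HOWTO): check the user and security xattr namespaces
# that Samba4 needs, and explain a failure the way the HOWTO text does.

# Map setfattr's exit status and captured stderr to a one-word verdict.
xattr_verdict() {
    # $1: exit status, $2: stderr text
    if [ "$1" -eq 0 ]; then
        echo ok
    else
        case "$2" in
            *"Operation not supported"*) echo unsupported ;;  # kernel or mount lacks the namespace
            *"Operation not permitted"*) echo permission ;;   # security.* may only be set by root
            *)                           echo error ;;
        esac
    fi
}

# Set one attribute on a file and print the verdict; safe under 'set -e'.
try_xattr() {
    # $1: file, $2: attribute name, $3: value
    if err=$(setfattr -n "$2" -v "$3" "$1" 2>&1 >/dev/null); then rc=0; else rc=$?; fi
    xattr_verdict "$rc" "$err"
}

# Probe both namespaces in directory $1; returns 0 only when both work.
check_xattr_support() {
    dir=${1:-.}
    f="$dir/.xattr_probe.$$"
    : > "$f" || { echo "cannot create a file in $dir" >&2; return 2; }
    user_v=$(try_xattr "$f" user.test test)
    sec_v=$(try_xattr "$f" security.test test2)
    # Read back as the HOWTO does: -d dumps user.*, security.* has to be named explicitly.
    getfattr -d "$f" 2>/dev/null || true
    getfattr -n security.test "$f" 2>/dev/null || true
    rm -f "$f"
    echo "user namespace:     $user_v"
    echo "security namespace: $sec_v"
    case "$user_v$sec_v" in
        okok) return 0 ;;
        *unsupported*)
            echo "hint: mount with user_xattr and build the kernel with *_FS_XATTR and *_FS_SECURITY" >&2
            return 1 ;;
        *permission*)
            echo "hint: rerun as root; security.* is a privileged namespace" >&2
            return 1 ;;
        *) return 1 ;;
    esac
}

# Usage:  sh xattrcheck.sh /srv/samba   (as root)
if [ "$#" -gt 0 ]; then
    check_xattr_support "$1"
fi
```
<br />
A result of "unsupported" for user.* with "ok" for security.* is the classic symptom of an ext3 mount without user_xattr; the reverse (user.* fine, security.* refused) usually means the filesystem was built without the SECURITY option, or that you are not root.<br />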
<br />
= Configure a Windows Client to join a Samba 4 Active Directory =<br />
<br />
Active Directory is a powerful administration service which enables an administrator to centrally manage a network of Windows 2000, Windows XP Pro, Windows 2003, and Windows Vista Business Edition effectively. To test the real Samba 4 capability, we use Windows XP Pro as testing environment (Windows XP Home doesn't include Active Directory functionality and won't work).<br />
<br />
To allow Samba 4 Active Directory or Microsoft Active Directory to manage a computer, we need to join the computer into the active directory.<br />
It involves:<br />
<br />
# Configuring DNS Setting<br />
# Configuring date/time and time zone<br />
# Joining the domain<br />
<br />
== Step 1: Configure DNS Setting for Windows ==<br />
<br />
Before we configure the DNS setting, verify that you are able to ping the Server's IP Address. If you are not able to ping the server, double check your IP address, firewall, routing, etc.<br />
<br />
Once you have verified network connectivity between the Samba server and client,<br />
<br />
# Right Click My Network Places -> Properties<br />
# Double click local area network->Properties<br />
# Double click tcp/ip<br />
# Use static dns server, add the Samba 4 server's ip address inside the primary dns server column. [[:Image:http://www.extraknowledge.org/xoops/images/samba/dnsclient.jpg]]<br />
# Press ok, ok, ok again until finished.<br />
# Open a command prompt, type 'ping servername.your.realm' (change to suit your custom realm per your provision)<br />
<br />
If you get replies, then it means your Windows XP settings are correct (for DNS) and Samba4 Server's DNS services is working as well.<br />
<br />
== Step 2: Configure date/time and time zone ==<br />
<br />
Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clocks on the client and server agree to within the KDC's permitted clock skew (5 minutes by default). If they are further apart, authentication will fail for apparently no reason.<br />
<br />
# Change the timezone in Windows XP Pro so that the server and client use the same time zone. In my computer, I use Asia/Kuala_Lumpur (I come from Malaysia).[[:Image:http://www.extraknowledge.org/xoops/images/samba/timezone.jpg]]<br />
# Change the date/time so the client has the same HH:MM as the server [[:Image:http://www.extraknowledge.org/xoops/images/samba/time.jpg]]<br />
<br />
== Step 3: Joining the Windows client into domain ==<br />
<br />
Now your Windows is ready to join the Active Directory (AD) domain,<br />
<br />
As administrator:<br />
<br />
# Right click My Computer -> Properties<br />
# Choose Computer Name, click Change...<br />
# Click the option 'Domain', insert YOUR.REALM (if that fails, try YOURDOM) ([[:Image:http://www.extraknowledge.org/xoops/images/samba/joindomain.jpg]])<br />
# When it requests a username/password, type '''administrator''' as username, '''SOMEPASSWORD''' as password (per your earlier provision).<br />
# It will tell you that Windows XP has successfully joined the Active Directory domain, and that you need to restart.<br />
# After the restart, you should get the normal domain logon dialog<br />
# Choose domain YOURDOM, insert '''administrator''' as username, '''SOMEPASSWORD''' as password (again, per your earlier provision)<br />
# If you log in successfully, then you are able to use the Samba 4 Active Directory services described in the next section.<br />
<br />
= Viewing Samba 4 Active Directory object from Windows XP Pro =<br />
<br />
We need to install the Windows 2003 adminpak on Windows XP in order to use<br />
GUI tools to manage the domain. Before you begin, make sure the domain<br />
administrator has administrative rights on your computer. (To<br />
give any user administrative rights in Windows XP Pro, right click My<br />
Computer, press Manage -> choose Groups -> double click Administrators<br />
and add members from the domain to the member list. When you add a<br />
member from Active Directory, it will prompt you to enter an<br />
Active Directory username/password.)<br />
<br />
== Step 1: Installing Windows Remote Administration Tools onto Windows ==<br />
<br />
=== Windows7 ===<br />
<br />
Download the Windows Remote Administration Tools from<br />
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en<br />
<br />
and follow the "Install RSAT" instructions<br />
<br />
=== Vista ===<br />
<br />
Download the Windows Remote Administration Tools from<br />
http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en<br />
<br />
and follow the "Install RSAT" instruction described at<br />
http://support.microsoft.com/kb/941314<br />
<br />
=== Windows XP Pro ===<br />
<br />
# In Windows XP, download adminpak and supporttools from <br />
http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en<br />
http://download.microsoft.com/download/3/e/4/3e438f5e-24ef-4637-abd1-981341d349c7/WindowsServer2003-KB892777-SupportTools-x86-ENU.exe<br />
<br />
# Run through the installation.<br />
# Press start->run, type 'dsa.msc'. If a window 'Active Directory Users and Computers' pops up, it means you have installed the adminpak successfully. You can also find this at Start>Programs>Administrative Tools, which should have a lot more items now.<br />
# Go to c:\Program Files\Support Tools to check whether the support tools were installed correctly; if yes, then your XP workstation is ready to manage the Samba 4 Active Directory.<br />
<br />
== Step 2: Viewing samba 4 active directory content ==<br />
<br />
# Log in as the 'testing1.org' domain administrator, press start->run.<br />
# type dsa.msc<br />
**[[:Image:http://www.extraknowledge.org/xoops/images/samba/run.jpg ]]<br />
# Expand the testing1.org tree to see the existing objects in the domain. [[:Image:http://www.extraknowledge.org/xoops/images/samba/dsa.msc.jpg]]<br />
<br />
= Managing Samba 4 Active Directory From Windows XP Pro =<br />
One of Samba4's goals is to integrate with (and replace) Active Directory as a system. At this point, if everything has worked correctly you should have an "Administrative Tools" menu under Programs. If, under Administrative Tools, you have "Active Directory Users and Computers", that is a very good sign. Most times, if there is a configuration problem or a bug in Samba4, the AD Users & Computers snap-in (among other interfaces) won't show up as an option. You can run it by hand (Start->Run->dsa.msc) but it's unlikely to work correctly.<br />
<br />
<br />
== Step 1: Adding user into Samba 4 Active Directory ==<br />
Unlike Samba3, Samba4 does not require a local unix user for each Samba user that is created.<br />
<br />
To create a Samba user, use the command <br />
<br />
net newuser USERNAME<br />
<br />
If you get this error message :<br />
<br />
ImportError: No module named samba.netcmd<br />
<br />
run this command<br />
<br />
export PYTHONPATH=/usr/local/samba/lib/python2.6/site-packages/<br />
<br />
Make sure you run the Samba4 version of net, if you also have Samba3 installed.<br />
<br />
To inspect the allocated user ID and SID, use wbinfo<br />
<br />
$ bin/wbinfo --name-to-sid USERNAME<br />
S-1-5-21-4036476082-4153129556-3089177936-1005 SID_USER (1)<br />
<br />
$ bin/wbinfo --sid-to-uid S-1-5-21-4036476082-4153129556-3089177936-1005<br />
3000011<br />
<br />
If you want to change this mapping, then use ldbedit on idmap.ldb,<br />
like this:<br />
<br />
$ bin/ldbedit -e emacs -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
You will find records that look like this:<br />
<br />
# record 1<br />
dn: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
cn: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
objectClass: sidMap<br />
objectSid: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
type: ID_TYPE_BOTH<br />
xidNumber: 3000011<br />
distinguishedName: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
If you change the xidNumber attribute, save in your editor and exit,<br />
then Samba will update the mapping between the SID and the user<br />
ID. Updating group mappings works in the same way.<br />
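<br />
The same change can be made without an editor, which is what you want in a script. The following is an added example, not part of the original HOWTO or of Samba: it uses ldbsearch and ldbmodify, which the Samba4 build installs beside ldbedit, and it refuses to apply an xidNumber that another SID already owns, because two SIDs sharing one Unix ID is how file permissions silently cross over between users. The SID, ID and paths are the ones used above; the function names and the SAMBA_PRIVATE/LDB_BIN variables are this example's own.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the HOWTO): change a SID -> Unix ID mapping in idmap.ldb
# non-interactively.  Assumes the /usr/local/samba layout used throughout this HOWTO.
SAMBA_PRIVATE=${SAMBA_PRIVATE:-/usr/local/samba/private}
LDB_BIN=${LDB_BIN:-/usr/local/samba/bin}
IDMAP_DB="$SAMBA_PRIVATE/idmap.ldb"

# LDIF that replaces xidNumber on the sidMap record of one SID (what ldbedit writes for you).
idmap_ldif() {
    # $1: SID, $2: new Unix ID
    printf 'dn: CN=%s\nchangetype: modify\nreplace: xidNumber\nxidNumber: %s\n' "$1" "$2"
}

# Is this xidNumber already mapped to a SID other than $2?  (exit 0 = yes, in use)
idmap_xid_in_use() {
    # $1: Unix ID, $2: SID that is allowed to own it
    "$LDB_BIN/ldbsearch" -H "$IDMAP_DB" "(&(xidNumber=$1)(!(objectSid=$2)))" objectSid 2>/dev/null \
        | grep -q '^objectSid:'
}

# Apply the new mapping, refusing a non-numeric ID or one another SID already uses.
idmap_set_xid() {
    # $1: SID, $2: new Unix ID
    case "$2" in
        ''|*[!0-9]*) echo "xidNumber must be numeric: '$2'" >&2; return 2 ;;
    esac
    if idmap_xid_in_use "$2" "$1"; then
        echo "xidNumber $2 is already mapped to another SID; choose a free one" >&2
        return 1
    fi
    idmap_ldif "$1" "$2" | "$LDB_BIN/ldbmodify" -H "$IDMAP_DB"
}

# Usage (as root):
#   idmap_set_xid S-1-5-21-4036476082-4153129556-3089177936-1005 3000011
if [ "$#" -eq 2 ]; then
    idmap_set_xid "$1" "$2"
fi
```
<br />
Check the result afterwards with the wbinfo calls shown above; the collision check matters most when you are aligning IDs with an existing NFS or LDAP user base, where a typo can hand one user's files to another.<br />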
<br />
You can also manage users using the normal Windows AD user management<br />
tools.<br />
<br />
= Setting Up Roaming Profiles (Windows 7) =<br />
<br />
1. You will need to create a share for the profiles, typically named '''profiles'''. Edit the ''/usr/local/samba/etc/smb.conf'' to include:<br />
<br />
[profiles]<br />
path = /usr/local/samba/var/profiles<br />
read only = no<br />
<br />
2. Create the directory above using:<br />
<br />
$ sudo mkdir /usr/local/samba/var/profiles<br />
<br />
3. On windows start the ''Active Directory Users and Computers'', select all the users, right click and hit properties<br />
<br />
4. Under the profile tab, in the ''Profile path'' type the path to your share along with %USERNAME% as follows:<br />
<br />
\\sambaserver.samdom.example.com\profiles\%USERNAME%<br />
<br />
5. click OK, logout and login as one of those users. When you logout again, you should see that the profile has been synced onto the samba server.<br />
<br />
= Adding organization unit (OU) into samba 4 domain =<br />
<br />
An Organizational Unit (OU) is a powerful feature of Active<br />
Directory. It is a type of container into which you can drag & drop<br />
users and/or computers.<br />
<br />
Several kinds of group policy can be linked to an OU, and the settings<br />
will be deployed to all users/computers under the OU. Within a single domain<br />
you can have as many OUs and sub-OUs as you like, so OUs can greatly reduce<br />
administrative overhead because you are able to manage everything via<br />
an OU. The implementation of group policy is discussed in the next chapter.<br />
<br />
Before we create an OU, we must know what an OU looks like. By default<br />
there is one sample OU, 'Domain Controllers', which uses a different<br />
icon in the Windows management tools from the 'Users' and 'Computers'<br />
containers. Note that those two are plain containers, not OUs: group policy<br />
can be linked to the domain, to a site or to an OU, but not to them.<br />
<br />
# To create an OU, as the domain administrator, use start -> run -> dsa.msc<br />
# Right click on your domain.<br />
# Choose New -> Organizational Unit<br />
# Type 'OU Demo'<br />
# You will then see a new OU appear, with the name 'OU Demo'.<br />
# You can drag your user 'demo' into the new OU (don't move other users unless you want to get stuck!)<br />
# Right click 'OU Demo'; you can create a sub-OU with New -> Organizational Unit.<br />
<br />
Normally OUs are created based on the departmental setup of your<br />
organization. Be careful not to confuse groups and OUs: groups are<br />
used to control permissions, OUs are used for deploying settings to<br />
all users/computers within the OU.<br />
<br />
= Implementing Group Policies (GPO) in a Samba4 domain =<br />
<br />
Samba4 Active Directory has support for group policies, and can create<br />
the group policy on the fly. The basic idea of group policies is:-<br />
<br />
# Group Policies have 2 kind of settings, computers and users.<br />
# Computer settings apply to computers, user settings apply to users<br />
# We link the group policy to a particular OU, and the group policy will effect all computers/users under the OU.<br />
<br />
# To add a group policy, right click 'OU Demo' OU->properties<br />
# Choose group policy<br />
# Press new, name as 'GP Demo'<br />
# Press edit to edit the policy.<br />
# Here we will demonstrate how to block users from accessing the Control Panel. Open the tree 'User Configuration'->'Administrative Templates'->'Control Panel'.<br />
# Double click on 'Prohibit access to the Control Panel'<br />
# Press Enabled and then press OK. Now all users under 'OU Demo' won't be able to access the Control Panel.<br />
# Make sure user demo is inside the 'OU Demo' (You can drag and drop it). <br />
# Logout and login as user 'demo'<br />
# You'll find that user demo is not able to access the Control Panel<br />
<br />
* Note that user configuration will take effect once you logout and login.<br />
* Computer configuration will take effect when you restart the computer<br />
<br />
To learn more about managing and implementing organizational units, group policy and Active Directory, try a web search for Windows 2003 Active Directory implementation.<br />
<br />
== Installing the Group Policy Management Console ==<br />
<br />
You may also find the Group Policy Management console useful. You can<br />
download it from:<br />
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en<br />
<br />
This is primarily useful for when you have larger installs and<br />
are managing many machines. You may need to download the .NET<br />
framework first.<br />
<br />
= Joining a Windows domain controller as an additional DC in a domain =<br />
<br />
Once you have a Samba domain controller setup, you can choose to join<br />
additional domain controllers to the domain, whether they be<br />
additional Samba domain controllers, or additional Windows domain<br />
controllers.<br />
<br />
If you wish to join an additional Samba domain controller to a domain,<br />
then please see the [[Samba4/HOWTO/Join a domain as a DC|Joining a domain as a DC]] page. The instructions<br />
on that page are the same for joining Samba to a Windows domain as<br />
they are for joining Samba to an existing Samba domain.<br />
<br />
If you wish to join a new Windows domain controller to a Samba domain,<br />
then you should use the 'dcpromo' tool on the Windows machine. Please<br />
see the normal instructions for installing dcpromo on Windows, with<br />
the exception that you should not tick the 'DNS server' option box<br />
when it is offered. Right now you should either use Windows for DNS,<br />
or use Samba and bind9 for DNS. Mixing the two can work, but it is an<br />
advanced topic that is beyond the scope of this howto.<br />
<br />
== Report your success/failure! ==<br />
<br />
Samba4 as a replicating domain controller is still developing rapidly,<br />
and we like to hear from users about their successes and<br />
failures. While Samba4 is still in alpha release we would encourage<br />
you to report both your successes and failures to the samba-technical<br />
mailing list on http://lists.samba.org<br />
<br />
Please be aware that Samba4 is not complete, so you should deploy it<br />
carefully until it is ready for a non-alpha release.</div><br />
<br />
Ekacnet: https://wiki.samba.org/index.php?title=Samba4/Andrew_and_Jelmers_Fantasy_Page/2010&diff=5498<br />
Samba4/Andrew and Jelmers Fantasy Page/2010, 2010-07-11T14:21:11Z<br />
<p>Ekacnet: /* Plans for fortnight ending 19th July 2010 */</p><br />
<hr />
<div>=Plans for fortnight ending 19th July 2010=<br />
*Start hacking around [http://msdn.microsoft.com/en-us/library/cc224123%28v=PROT.13%29.aspx MS-BKRP] aka protected storage (Matthieu)<br />
==Achievements==<br />
* Made a page about [[UpgradeprovisionPlans | upgradeprovision plans]] (Matthieu)<br />
* Finished all the patches about upgradeprovision to keep up with the pace of current development (Matthieu)<br />
* Add options to net to manipulate service principal names (a bit like addspn): net spn (Matthieu)<br />
<br />
=Plans for fortnight ending 5th July 2010=<br />
*Make upgradeprovision able to change synchronize msds-keyversionnumber (Matthieu)<br />
*Start hacking around [http://msdn.microsoft.com/en-us/library/cc224123%28v=PROT.13%29.aspx MS-BKRP] aka protected storage (Matthieu)<br />
*Review Andrews s3compat auth patches. (Jelmer)<br />
*Infrastructure for testing net from within Python. (Jelmer)<br />
==Achievements==<br />
*upgradeprovision is now able to change/synchronize msds-keyversionnumber (Matthieu)<br />
=Plans for fortnight ending 19 June 2010=<br />
*Upload Debian packages (Jelmer)<br />
*Fix build against system Heimdal (Jelmer)<br />
==Achievements==<br />
*More Python cleanups (Jelmer)<br />
*Fix Samba 4 build to install everything necessary for OpenChange again (Jelmer)<br />
*Review Matthieu's patches (Jelmer)<br />
*Push major update for upgradeprovision both in terms of update capacity and reliability (Matthieu)<br />
*Use standard python logging infrastructure in Python code (Jelmer)<br />
*Re-upload Debian packages based on waf build (Jelmer)<br />
*Started [[MergeRequests]] page (Jelmer)<br />
<br />
=Plans for fortnight ending 5 June 2010=<br />
*Make the whole redesign of upgradeprovision go in Master (Matthieu)<br />
*Develop more unit tests around upgradeprovision (Matthieu)<br />
==Achievements==<br />
=Plans for fortnight ending 22 May 2010=<br />
*Make client DFS referral support for sysvol go in Master (Matthieu)<br />
*Develop torture test for DFS (at least for the domain referral part) (Matthieu)<br />
*Make the whole redesign of upgradeprovision go in Master (Matthieu)<br />
*Develop more unit tests around upgradeprovision (Matthieu)<br />
*Merged some waf patches from Thomas. (Jelmer)<br />
*Cherry-picked some of the patches I pair-programmed with Matthieu during SambaXP (Jelmer)<br />
==Achievements==<br />
*DFS responses to client referral request are ok for Domain, DC and SYSVOL/NETLOGON (Matthieu)<br />
*Torture tests ok (Matthieu)<br />
*Update Debian packages for talloc, tdb, ldb and tevent. (Jelmer)<br />
=Plans for fortnight ending 24 Apr 2010=<br />
SambaXP!<br />
==Achievements==<br />
*Played with the waf build (Jelmer)<br />
*Pair-programmed on upgradeprovision unit tests (Jelmer, Matthieu)<br />
*Initial Python bindings for libpolicy (Jelmer) <br />
=Plans for fortnight ending 10 Apr 2010=<br />
Slacking<br />
=Plans for fortnight ending 27 Mar 2010=<br />
Slacking.<br />
=Plans for fortnight ending 13 Mar 2010=<br />
Slacking.<br />
=Plans for fortnight ending 27 Feb 2010=<br />
==Achievements==<br />
*More work to automate the correct setup of BIND for DNS (Andrew)<br />
*Work with tridge to demonstrate 'waf' as a build system for Samba (Andrew)<br />
=Plans for fortnight ending 13 Feb 2010=<br />
==Achievements==<br />
*Work with Tridge on Samba HOWTO (Andrew)<br />
*More work to automate the correct setup of BIND for DNS (Andrew)<br />
*Improve Samba4 RPC proxy to handle a non-zero if_version (Andrew)<br />
**This is needed to ensure we proxy the full if_version from an RPC bind to the endpoint mapper and subsequent bind on another RPC server. <br />
**Add testsuite to ensure the RPC proxy (rpc_server/remote) does not bitrot further. <br />
<br />
=Plans for fortnight ending 30 January 2010=<br />
==Achievements==<br />
*Successful presentation at linux.conf.au Sysadmin mini-conf (Andrew)<br />
*Holiday on South Island of NZ (Andrew)<br />
<br />
=Plans for fortnight ending 16 January 2010=<br />
==Achievements==<br />
*Samba4 Alpha 11 release (Andrew)<br />
*DRS pair programming with Tridge (Andrew)<br />
*Preparation for linux.conf.au SysAdmin mini-conf presentation<br />
<br />
=Plans for fortnight ending 2 January 2010=<br />
==Achievements==<br />
*DRS pair programming with Tridge (Andrew)<br />
**Success with replicating with Windows 2008 again (mostly Tridge)<br />
*Christmas Holidays (Andrew)<br />
<br />
=Plans for fortnight ending 19 December 2009=<br />
*Password work completed (Matthias)<br />
==Achievements==<br />
*DRS pair programming with Tridge (Andrew)<br />
**Working on linked attribute replication with AD<br />
**Rework duplicate code into utility functions<br />
<br />
=Plans for fortnight ending 5 December 2009=<br />
==Achieved so far==<br />
*Alpha release (Andrew)<br />
*Fixed nasty "primaryGroupToken" crash bug (Andrew)<br />
<br />
=Plans for fortnight ending 21 November 2009=<br />
*Fix up group membership (Andrew)<br />
**The PAC should not include builtin groups, but the local token must<br />
<br />
=Plans for fortnight ending 7 November 2009=<br />
*Fix up Binary+DN format DNs after the Vampire sprint. (Andrew)<br />
**The code developed at the interop event with Microsoft needs some rough edges filed off...<br />
<br />
==Achieved so far==<br />
*Finished Dynamic creation of partitions (Andrew)<br />
*Posted implementation of Binary+DN changes, awaiting review (Andrew)<br />
*Reviewed patches by mdw for const and passwords (Andrew)<br />
*Reviewed karminim's prefixmap patches (Andrew)<br />
<br />
=Plans for fortnight ending 23 October 2009=<br />
*Finish Dynamic creation of partitions (Andrew)<br />
<br />
==Achieved so far==<br />
*Dynamic creation of partitions (Andrew)<br />
**Merged many of the pre-requisite patches that are required towards<br />
<br />
=Plans for fortnight ending 9 October 2009=<br />
<br />
==Achieved so far==<br />
*Dynamic creation of partitions (Andrew)<br />
**Continued work started at plugfest. <br />
*Reproduced DRS replication (Andrew)<br />
**i.e., the things tridge achieved at the plugfest. <br />
**Published generalised versions of tridge's helper scripts<br />
*Pair-programming with Tridge on merging his DRS work (Andrew)<br />
<br />
=Plans for fortnight ending 26 September 2009=<br />
*Implement clever nTSecurityDescriptor update (Matthieu)<br />
*Merge Calin's work into Samba-GTK. (Jelmer)<br />
*Test and Debianize SWAT. (Jelmer)<br />
<br />
==Achieved so far==<br />
*Merged outstanding patches. (Jelmer)<br />
*CIFS plugfest (Andrew)<br />
**Merged to common code parts required for a lmhosts implementation in Samba4<br />
**Discussions around LDAP and Kerberos backends for Samba4<br />
**[http://people.samba.org/people/2009/10/05#cifs-2009-conference blog article]<br />
*Kerberos Salting<br />
**Reworked 'join domain' code to always use the python 'set secrets' code<br />
**This ensures we then set saltPrincipal, which was previously incorrect<br />
*Microsoft interop (Andrew)<br />
**Ran Microsoft's LDAP testsuite against Samba4<br />
**Added objectClass hierarchy restrictions<br />
**Added allowed RDN restrictions<br />
**Started 'dynamic partitions' work<br />
**Don't allow creation of 'isDefunct' objectClasses<br />
**Add new module to handle 'lazyCommit' control (ignored for now)<br />
**Handle NULL RDN<br />
**Merge 'relax' control to allow us to specify objectGUID in provision, but ban their specification normally<br />
**Learnt how the online interop environment will be set up<br />
***Should allow us to run the tests remotely.<br />
**Assistance where required for the DRS replication challenge tridge was running<br />
<br />
=Plans for fortnight ending 12 September 2009=<br />
*Demonstrate Samba<->Samba replication over DRS (Andrew, tridge)<br />
*Finally import LDB index patches<br />
*More work on the SAMLDB module (Matthias)<br />
<br />
==Achieved so far==<br />
*Worked with tridge to: (Andrew)<br />
**Add support for linked attribute replication over DRS<br />
**Fix LDB to be more robust in handling errors in callback-based modules<br />
**Fix failures on older python installs for the 'dcerpc' tests<br />
**Rework LDB and Samba4's modules to correctly handle two-stage commits<br />
*Investigated LDB index performance and proposed patches to fix it<br />
*Implement correct behavior with supportedEnc field in GetDomainInfo rpc (Matthieu)<br />
*Refactor rebuildextendeddn so it can be integrated in main repo (Matthieu)<br />
<br />
=Plans for fortnight ending 29 August 2009=<br />
*Finish basic functions for update script (ie. allow updating at least the schema and adding simple objects) (Matthieu)<br />
*Push rebuildextendeddn.py to the central repo (Matthieu)<br />
*Return full ctr6 structure in dcesrv_drsuapi_DsGetNCChanges (Anatoliy)<br />
*Start digging in linked attributes (Anatoliy)<br />
*Test case for "urgent replication" (Kamen)<br />
*Test case for DsGetNCChanges() (Kamen)<br />
==Achieved so far==<br />
*Explanation of Zahari's ACL problem (Andrew)<br />
*Add and improve ldb python wrappers to assist test and conversion script development (Andrew)<br />
*Fix 'show_deleted' module not to linearise the search filter (should improve performance) (Andrew)<br />
<br />
=Plans for fortnight ending 15 August 2009=<br />
*Really start working on a tool for provision update (mainly due to schema update) (Matthieu)<br />
*Investigate and fix issues with Windows 2008 and Samba4 (as a Windows 2008 level DC) (Andrew)<br />
==Achieved so far==<br />
*Review of Matthias's 'Computer information in AD' patch (Andrew) <br />
**Matthias was finally able to merge his patch!<br />
*More questions to Microsoft (AES key use) (Andrew)<br />
*Create a script (rebuildextendeddn.py) to (re)build extended, useful for upgrading a long time running setup (Matthieu)<br />
<br />
=Plans for fortnight ending 1 August 2009=<br />
*Continue investigation on bug 6273 (unable to access windows 2008 share from XP/Samba4) (Matthieu)<br />
*Start working on a tool for provision update (mainly due to schema update) (Matthieu)<br />
*Display specifiers (Andrew, Matthias)<br />
*Prepare for an alpha with vampire capability (Andrew)<br />
*Add flag to ldb to force canonical form (Andrew)<br />
*Investigate file server bugs (Andrew)<br />
*Investigate domain trusts again (Andrew)<br />
==Achieved so far==<br />
*Computer information in AD (Matthias)<br />
*Nested groups (Matthias)<br />
*Forwarded question to Microsoft for their comment in Windows 2008 access issue (Andrew)<br />
*Review of Matthias's 'Computer information in AD' patch (Andrew)<br />
*Fixed Zahari's segfault in his python wrapper for libnet_ChangePassword (Andrew)<br />
*Implemented 'net export keytab' to extract a keytab from a Samba4 DC (Andrew)<br />
*Fixed a number of trivial failures in Samba4's 'make test' (Andrew)<br />
**This should make real bugs easier to see<br />
*Fix provision on FreeBSD (Andrew)<br />
*Find core problem for bug 6273, proposed a patch (Matthieu)<br />
<br />
=Plans for fortnight ending 18 July 2009=<br />
<br />
*Prepare for an alpha with vampire capability (Andrew)<br />
*Add flag to ldb to force canonical form (Andrew)<br />
**This is things such as making large 32 bit integers negative, sids always to binary etc<br />
*Research possibilities how to use Kerberos from within Python code (Zahari)<br />
*Catch up with Andrew Tridgell on replication (Anatoliy, Kamen)<br />
*Communicate with Microsoft to establish the correct nTSecurityDescriptors for the partitions in a clean installation, how is the defaultSecurityDescriptor used, how the default DACL of a security token is created, and the function of the extended rights (Nadya)<br />
*Finish debugging the descriptor inheritance (Nadya)<br />
*Define tests for descriptor inheritance to be added to unit tests (Nadya)<br />
*Improve Netlogon dissector in order to drill down on bugs 6272 and 6273 (Matthieu)<br />
*Investigate the problems with Windows 2008 as a SMB client for Windows XP bug 6272 (Matthieu)<br />
<br />
==Achieved so far==<br />
*Found the problem for bug 6272, issued a patch that should be integrated by Heimdal (Matthieu)<br />
*Netlogon dissector of wireshark is now able to decrypt schannel encrypted dialogs, patch sent to samba-technical for comments (Matthieu) <br />
*Found and fixed python and ldb/talloc issues shown up by nTsecurityDescriptor test by Zahari (Andrew)<br />
*Fixed Windows7 Join against Samba4 (Andrew)<br />
**It was failing for the 'add' case.<br />
*Finalize schemaUpdateNow patch and test(Anatoliy)<br />
**It does not break possibleInferiors test and the schema update is ok now<br />
**We should focus on schema consistency checker at some point<br />
*Make Samba4 report Windows 2008 functional level by default (Andrew)<br />
*Update to current Heimdal again (as patches have been accepted) (Andrew)<br />
*Sort out issues with various tests (schemaUpdateNow etc) and get outstanding patches applied (Andrew)<br />
*Working with NTP.org community to finally integrate the MS-SNTP signing of NTP replies (Andrew)<br />
*Discussions with Microsoft to get 'Display specifiers' released under an acceptable licence (Andrew)<br />
**This should allow an import into Samba4<br />
<br />
=Plans for fortnight ending 4 July 2009=<br />
*Sort out nTsecurityDescriptor problems from Zahari (Andrew)<br />
*Work with summer of code students (Andrew)<br />
<br />
==Achieved so far==<br />
*Worked with tridge to show DRS replication from windows works again (Andrew)<br />
*Applied patch queue from Matthias (Andrew)<br />
<br />
=Plans for fortnight ending 20 June 2009=<br />
*Improve automated setup of OpenLDAP backend (Andrew)<br />
*Finish subunit separation (Jelmer)<br />
*Maybe WMI..<br />
==Achieved so far==<br />
*Samba4 alpha (Andrew)<br />
*Heimdal merge (Andrew)<br />
*Fixing Python rpcecho test and Python ldb test<br />
*Work with Don Davis on Samba4's Kerberos lib requirements (Andrew)<br />
<br />
=Plans for fortnight ending 6 June 2009=<br />
*rpcecho.python test (Jelmer)<br />
*Attempt Heimdal merge (Andrew)<br />
*More work on Kerberos requirements (Andrew)<br />
==Achieved so far==<br />
*Documentation of Kerberos requirements (in particular requirements that a MIT Kerberos switch would require) (Andrew with Don Davis)<br />
*Fix SAMR tests (Andrew)<br />
*Fix build with older libnet on Fedora 10<br />
*LDB performance issues with many users (Andrew and Tridge)<br />
*Unique indexes in LDB (Andrew and Tridge)<br />
*Fixed one-level indexes in LDB (Andrew and Tridge)<br />
*Worked with Howard Chu to chase down nasty crash bugs in OpenLDAP under Samba4's 'make test'<br />
<br />
=Plans for fortnight ending 23 May 2009=<br />
*Rework Samba4 DC to support only one realm at a time (Andrew)<br />
**This is not related to trusted domains, but to how we look at our database<br />
*Fix krbtgt expiry causing kpasswd account to be disabled (Andrew)<br />
==Achieved so far==<br />
*'make test' failures with OpenLDAP backend (Andrew)<br />
**Reproduced on current code<br />
**Fedora 11 VM prepared and supplied to Howard Chu for further investigation<br />
*str_list code (Andrew)<br />
**str_list_make_v3 added to Samba3 while I was away<br />
**Investigate why this 'v3' version is required<br />
**Add unit tests for all aspects of 'common' str_list behaviour<br />
**Attempt (but not committed) to re-merge all the str_list code<br />
<br />
=Plans for fortnight ending 9 May 2009=<br />
==Achieved so far==<br />
*Documentation build system improvements (Jelmer)<br />
**Changed the docs build system to use dblatex rather than db2latex<br />
**Remove cruft from docs<br />
=Plans for fortnight ending 25 April 2009=<br />
*SambaXP conference<br />
**Samba4 status report presentation<br />
**Samba4 and Microsoft presentation<br />
==Achieved so far==<br />
*libcli/auth merge (without ldb and Samba3 server-side components) (Andrew)<br />
*Fix RPC python tests (Andrew, Jelmer)<br />
<br />
=Plans for fortnight ending 11 April 2009=<br />
==Achieved so far==<br />
*Use Full WSPP Microsoft schema in Samba4 (Andrew and Tridge)<br />
**Required a lot of work to make ldb more efficient with a full set of schema<br />
**Create and test possibleInferiors attribute for AD schema<br />
**Integrate work by Sreepathi Pai to convert the WSPP schema into LDIF for the provision<br />
*Prepare merge of charcnv code<br />
**Required cutting down patch from all code to just sharing a common API<br />
<br />
=Plans for fortnight ending 28 March 2009=<br />
*Improve the implementation of netr_DsRGetDCNameEx2 (Andrew)<br />
*Include full AD schema when permitted by Microsoft to do so (Andrew)<br />
*libcli/auth merge between Samba3 and Samba4 (Andrew)<br />
*charcvn merge between Samba3 and Samba4 (Andrew)<br />
*libregistry merge (Jelmer)<br />
*Samba3 DCE/RPC async (Jelmer)<br />
*WMI (Jelmer)<br />
*Fix kpasswd when the krbtgt account has expired (Andrew)<br />
==Achieved so far==<br />
*Pair programming of restoring minschema to operation<br />
*Implementation (with Tridge) of UID handling for recursion to a new event context in the VFS layer (Andrew)<br />
<br />
=Plans for fortnight ending 14 March 2009=<br />
*Improve the implementation of netr_DsRGetDCNameEx2 (Andrew)<br />
*Include full AD schema when permitted by Microsoft to do so (Andrew)<br />
==Achieved so far==<br />
*Proposal for fixes for the 'wrong UID' problem with recursion to a new event context in the VFS layer<br />
*Improve performance of Samba will a full schema (Andrew)<br />
=Plans for fortnight ending 27 February=<br />
==Achieved so far==<br />
*Release of alpha7 (Andrew)<br />
*Work on the trusted domains and IPA proposal (Andrew)<br />
*Remove dependency of GENSEC on the Samba4 auth subsystem (Andrew)<br />
*Travel plans for SambaXP (Andrew)<br />
*Work with Microsoft on importing the full AD schema<br />
=Plans for fortnight ending 13 February 2009=<br />
*Prepare alpha7<br />
*Prepare proposal for linking IPA with AD via Samba4 (Andrew)<br />
*Windows7 join to Samba4<br />
**Work to add the AES schannel type<br />
**Fix Samba4 to accept Windows 7 joins<br />
==Achieved so far==<br />
*Phone call with Microsoft over Windows 7 and Samba issues (Andrew)<br />
*Initial work on IPA proposal (Andrew)<br />
**See http://wiki.samba.org/index.php/Samba4/Proposal_for_IPA_to_AD_trust<br />
<br />
=Plans for fortnight ending 24 January 2009=<br />
*More work reintegrating WMI (Jelmer)<br />
*Finish full epmapper implementation (Jelmer)<br />
*Fix random failures of samba4.ldb.python tests (Jelmer)<br />
*Use subunit in submissions to the buildfarm (Jelmer)<br />
==Achieved so far==<br />
*Alpha 6 ! (Andrew, Jelmer)<br />
=Plans for fortnight ending 10 January 2009=<br />
=Plans for fortnight ending 27 December 2008=<br />
*Trusted domains (Andrew)<br />
**Reproduce metze's success trusting a Win2k3 domain <br />
**Reproduce metze's issue being trusted by a Samba3 domain<br />
*Make preparations for an alpha release<br />
**Fixing build farm failures (Andrew and Jelmer)<br />
**Testing a 'real' deployment (Andrew)<br />
**Write release notes (Jelmer)<br />
==Achieved so far==<br />
*Proper Extended DN support (Andrew)<br />
**Pushed into the master branch<br />
*Shared object files for gen_ndr files between Samba 3 and Samba 4 (Jelmer)<br />
*rewrote SWIG-based Python modules in manual C (Jelmer)<br />
*made Samba 4 in merged build use shared libraries when possible (Jelmer)<br />
*fixed several issues building the standalone libraries (Jelmer)<br />
*prepared Debian package of tevents and packaged new versions of talloc, tdb and ldb (Jelmer)<br />
<br />
=Plans for fortnight ending 13 December 2008=<br />
==Achieved so far==<br />
*Added interactive mode to setup/provision (Jelmer)<br />
*Proper Extended DN support (Andrew)<br />
**Published final patch to list for review<br />
*Use Microsoft's full AD Schema in Samba4 (Andrew)<br />
**Conversion script taken on by Sreepathi Pai<br />
**Working with Microsoft to correct errors in the schema<br />
<br />
=Plans for fortnight ending 29 November 2008=<br />
==Achieved so far==<br />
*Proper Extended DN support (Andrew)<br />
**continued work on implementation and testing<br />
<br />
=Plans for fortnight ending 15 November 2008=<br />
*Research to check about transitive trusts between AD and MIT realms (Andrew)<br />
*Proper Extended DN support (Andrew)<br />
**Needed for Samba3 domain members in a Samba4 domain.<br />
*Make a Samba4 release<br />
**Needed for OpenChange, and to give users a solid alpha to test<br />
==Achieved so far==<br />
*Increase to tridge's blood pressure (Andrew)<br />
**Tridge and I worked to learn python and start an 'upgrade_samba4' script to assist users who have to re-provision but do not wish to lose data.<br />
*Proper Extended DN support (Andrew)<br />
**Posted initial implementation to mailing list for comment<br />
<br />
=Plans for fortnight ending 1 November 2008=<br />
*Finish 'unicode' password issues with integration of new charset (Andrew)<br />
**The character set conversion needs to change invalid sequences to a known 'bad' value<br />
*Proper Extended DN support (Andrew)<br />
**Needed for Samba3 domain members in a Samba4 domain.<br />
*Unique Index support (Andrew)<br />
**Needed to ensure we don't have more than one 'Administrator' in a domain (for example)<br />
*Allow registration in endpoint mapper (Jelmer)<br />
*ncacn_http (Jelmer)<br />
*Research to check about transitive trusts between AD and MIT realms (Andrew)<br />
==Achieved so far==<br />
*Fix kpasswd server to not 'exit(10)' the whole of Samba (Andrew)<br />
**Found by Apple at the CIFS plugfest<br />
*Reconciled more library code between Samba 3 and 4 (Jelmer)<br />
** lib/util<br />
** librpc/gen_ndr<br />
** librpc/ndr<br />
*Repel pstring to nsswitch/ (Jelmer)<br />
*Move crypt() replacement to libreplace (Jelmer)<br />
*Enable merged-build automatically in developer builds (Jelmer)<br />
*Merged Matthias' registry server improvements (Jelmer)<br />
*Split up selftest code into a Samba4-specific and a generic part (Jelmer)<br />
*Fix blackbox tests on IPv6-only hosts (Jelmer)<br />
*[http://people.samba.org/people/2008/10/22#a-year-since-microsofts-appeal-failed Blog posting] about interoperability with Microsoft (Andrew)<br />
**Now found on [http://lwn.net/Articles/304499/ LWN] and [http://linux.slashdot.org/linux/08/10/23/1441200.shtml Slashdot]<br />
<br />
=Plans for fortnight ending 18 October 2008=<br />
*Use separate structure for gensec settings (Jelmer)<br />
*Share DEBUG() code between Samba 3 and Samba 4 (Jelmer)<br />
**In preparation of merging my libutil-share branch<br />
*More work getting WMI back to work (Jelmer)<br />
==Achieved so far==<br />
*Implement a 'unicode' password pass-down mechanism in LDB<br />
**This fixes domain trust problems where member servers select a completely random password<br />
**We still need to fix this for kerberos hash types (awaiting charset work by tridge)<br />
<br />
=Plans for fortnight ending 4 October 2008=<br />
*Implement a 'unicode' password pass-down mechanism in LDB, or otherwise avoid UCS2 -> UTF8 -> UCS2 problems<br />
*Trusted domain support (LSA and KDC portions) (Andrew)<br />
==Achieved so far==<br />
*Separate out and add tests for Subunit (Jelmer)<br />
*Remove global_loadparm use in a couple more places (Jelmer)<br />
*Restructure some of the installation bits together with Matthias (Jelmer)<br />
<br />
=Plans for fortnight ending 20 September 2008=<br />
*wmi integration (Jelmer)<br />
*hdb_samba4 (Jelmer)<br />
*eliminate last EJS (minschema.js, samba3sam.js (Jelmer))<br />
*Trusted domain support (LSA and KDC portions) (Andrew)<br />
==Achieved so far==<br />
*Committed merged build patch to Samba 3 (Jelmer)<br />
*Made Samba 3 and Samba 4 use the same copy of tdb, talloc, compression, replace, nss_wrapper, socket_wrapper, popt (Jelmer)<br />
*Committed WMI support to the repository (doesn't compile completely yet though) (Jelmer)<br />
*Fixed samba3sam.js and removed remaining JavaScript support. (Jelmer)<br />
*Implemented WSGI standard (http://www.python.org/dev/peps/pep-0333/) support in web_server.<br />
<br />
=Plans for fortnight ending 6 September 2008=<br />
*wmi integration (Jelmer)<br />
*upload samba-gtk into Debian (Jelmer)<br />
*hdb_samba4 (Jelmer)<br />
*send out patch for merged franky build (Jelmer)<br />
*Use franky build for personal Samba4 development (Andrew)<br />
*eliminate last EJS (minschema.js, samba3sam.js (Jelmer))<br />
*Trusted domain support (LSA and KDC portions) (Andrew)<br />
==Achieved so far==<br />
*Update NTP patch (Andrew)<br />
*Respond to comments and suggestions on RPMs for Fedora (Andrew)<br />
*(partial) Trusted domain support (LSA and KDC portions) (Andrew)<br />
*PAC Verification support over NETLOGON (Andrew)<br />
*Sent out franky merged build patch, more prerequisites fixed for Franky (Jelmer)<br />
<br />
=Plans for fortnight ending 23 August 2008=<br />
==Achieved so far==<br />
* slacking off (Jelmer)<br />
* Lots of questions to Microsoft on trusted domains and PAC validation (Andrew)<br />
* Build indexes and attributes directly from the schema, not a hard-coded list (Andrew)<br />
* Generate the cn=Aggregate schema in Samba4, rather than in minschema.js<br />
**This prepares us for adding arbitrary schema into Samba4<br />
* Integrate patches for multi-master OpenLDAP configuration (Andrew)<br />
** This allows a Samba4 provision-backend to create a multi-master backend, without hand-manipulation by the admin<br />
* Start of work on trusted domains<br />
**In our KDC, start with a special case for handling the trusted domains principals<br />
**In the drsblobs.idl, parse the trustAuthIncoming and trustAuthOutgoing blobs<br />
<br />
=Plans for fortnight ending 9 August 2008=<br />
*Fix AES compatibility with Windows 2008/Vista. (Andrew)<br />
**It turns out that Metze was starting to chase the same bug<br />
**The fix is to implement gss_wrap_ex() - ie AEAD, the signing of headers in DCE/RPC packets. <br />
**Earlier 'use Heimdal for SPNEGO' work is forming a very useful basis for this work<br />
*Look at smartcard login again (Andrew)<br />
**Bugs in Dogtag have been allegedly fixed.<br />
*Trusted domains (Andrew)<br />
**Add support for trusted domains in our KDC<br />
==Achieved so far==<br />
<br />
=Plans for fortnight ending 26 July 2008=<br />
==Achieved so far==<br />
*Fix LDAP backend to be secure (not anonymous access) (Andrew)<br />
*Partially Fix vista join bugs due to AES and GSSAPI CFX (Andrew with Tridge)<br />
**Session keys for smb signing are original length (ie, 32 in this case)<br />
**Session keys for SAMR encryption are 16 (ie, truncated)<br />
**Still need to fix GSSAPI encryption for the AES case (it uses AEAD, as seen in NTLM2)<br />
*Phone calls with Microsoft (Andrew)<br />
**I now have a regular phone hookup with Microsoft to go over pending issues in the WSPP process<br />
*Fix 'file not found' errors from clients (Andrew with Tridge)<br />
**Due to an uninitialised variable, introduced in some recent SMB2 work<br />
**shows up on systems with extended attributes (typically those using SeLinux, such as Fedora)<br />
**Perhaps a good reason to push out a new alpha soon<br />
<br />
=Plans for fortnight ending 12 July 2008=<br />
*wmi integration (Jelmer)<br />
*upload openchange and samba-gtk into Debian (Jelmer)<br />
*hdb_samba4 (Jelmer)<br />
*eliminate last EJS (minschema.js, samba3sam.js)<br />
*Improve LDAP backend from a technology preview to a deployable system (Andrew)<br />
==Achieved so far==<br />
*Continue packaging of OpenChange and Samba4 for Fedora<br />
*Start work on smart card login (Andrew)<br />
**Including setting up DogTag certificate system (Andrew)<br />
**At least to the stage of the first crashes...<br />
*Rework schema handling to know about auxiliary classes (Andrew)<br />
**Try to do this in common between ad2OLschema and the kludge_acl and objectclass modules.<br />
<br />
=Plans for fortnight ending 28 June 2008=<br />
*external Heimdal use (Andrew)<br />
==Achievements==<br />
*Created Samba 4 and OpenChange RPM packages (Andrew)<br />
*test TEST_LDAP=yes (Andrew)<br />
*Fixed Franky build for odd make versions (Jelmer)<br />
<br />
=Plans for fortnight ending 14 June 2008=<br />
*Linked attributes for 'net vampire' (Andrew)<br />
*AES Key support (check with docs and Win2008 on format) in samdb (Andrew)<br />
*Work to make ldb merge easier for Simo (andrew)<br />
*Any work required to merge NTP patch with ntp.org distribution (Andrew)<br />
*Work with alpha testers on any issues that come up in production deployments of Samba4 (Andrew)<br />
==Achieved so far==<br />
*Samba4 alpha4 release (andrew)<br />
**without LDB merge, which seems a while off yet<br />
*Sync ldap.py test with its (now obsolete) ldap.js predecessor (andrew)<br />
*Add python bindings for NetBIOS (Jelmer)<br />
*Improve portability of Franky build (Jelmer)<br />
*Asked Microsoft about AES key formats (Andrew)<br />
**Just getting the data from Win2008 failed due to other reasons<br />
*Continued the battle with Microsoft over NTP documentation (Andrew)<br />
*Worked on package of Heimdal for Fedora (Andrew)<br />
**As a preview to packaging Samba4 for Fedora<br />
<br />
=Plans for fortnight ending 31 May 2008=<br />
*Linked attributes for 'net vampire' (andrew)<br />
*Make a Samba 4.0 alpha4 release if the ldb branch gets merged<br />
http://packages.debian.org/testing/python/python-wmi (Jelmer)<br />
==Achieved so far==<br />
*Implement NTP signing (andrew)<br />
**Patch posted to ntp.org for consideration: [http://bugs.ntp.org/1028 NTP bugzilla item with patch]<br />
**ntp_signd now started by default in samba4<br />
*Finish CLDAP and NBT netlogon parsing. (Andrew) <br />
**Including expected value tests (critical to ensuring we return the *right* answer)<br />
**This should help things like Group Policy, which rely on this 'DC ping' functionality<br />
*Merge Simo's ldb branch with current v4-0-test (abartlet)<br />
**Should make Simo's merge task easier. <br />
*Removed smbpython and restructured Python modules hierarchy to not clutter Python namespace (Jelmer)<br />
*Merged improvements made by Wilco and Jelmer to the registry during SambaXP (Jelmer)<br />
*Added documentation to most Python modules and improved descriptions. (Jelmer)<br />
*Fixed memory bug in autogenerated DCE/RPC Python bindings (Jelmer)<br />
*Several test infrastructure improvements. (Jelmer)<br />
**Print full test path for easy inclusion in knownfail lists<br />
**Make test case name part of test name to allow a test to have different results against different test cases<br />
**Set PYTHONPATH during test runs<br />
*Removed unused old EJS DCE/RPC bindings and testscripts (Jelmer)<br />
*Make it easier to use various libraries externally without including all of Samba 4's build system (Jelmer)<br />
*Updated Samba 4, OpenChange and Samba-Gtk Debian packages, now passes lintian. (Jelmer)<br />
** Announced on the OpenChange website (http://www.openchange.org/index.php?option=com_content&task=blogsection&id=7&Itemid=77)<br />
*Added Python bindings for IRPC / Messaging interfaces (Jelmer)<br />
**Rewrote smbstatus in Python<br />
*Added mechanism for doing "raw" DCE/RPC requests from Python (Jelmer)<br />
**Also initial work on a script that should attempt to figure out IDL by probing<br />
*Exposed more DCE/RPC internals from Python bindings (Jelmer)<br />
*Initial work on [http://www.python.org/dev/peps/pep-0333/ WSGI] implementation in web_server/ (Jelmer)<br />
*Added combined buildsystem for [[Franky]]<br />
<br />
=Plans for fortnight ending 17 May 2008=<br />
*Fix our CLDAP netlogon processing to match description in [MS-ADTS] 7.3.3 (andrew)<br />
**Use this to fix and test group policy handling on Win2000 and WinXP clients<br />
==Achieved so far==<br />
*Partial security=server implementation, awaiting VFS proxy merge for testing (Andrew)<br />
*Removed a large number of dead build farm hosts in response to automated mails (Andrew)<br />
*Brought back old (D)COM code and made it compile again (Jelmer)<br />
*Merged GNU make branch (Jelmer)<br />
**Now allows using system Python with Samba Python modules<br />
*Finished Samba 4 Debian package together with Christian (Jelmer)<br />
*Updated Debian packages for OpenChange and Samba-Gtk (Jelmer)<br />
*Most of the parsing work towards the CLDAP/NBT netlogon consolidation (Andrew)<br />
<br />
=Plans for fortnight ending 3 May 2008=<br />
*Build Farm improvements<br />
**See if we can use SQLite to get a bit more done<br />
**make build farm summary page use sqlite<br />
**host list, by last reported time<br />
**last reported time on host individual page<br />
*Finish security=server re-implementation in Samba4<br />
*Finish ncacn_http implementation<br />
==Achieved so far==<br />
*Very useful Visit to Sam's home company for 2 days<br />
**Chat with principals to encourage them<br />
**Jelmer prepared WAFS branch for merging<br />
***Looks like further development will be upstream, which is great<br />
**Jelmer did some initial work on tests for proxy code<br />
**Andrew Started work on 'security=server' re-implementation for Samba4<br />
***This will allow WAFS to hijack an unsigned connection as a man in the middle attack. <br />
**Andrew fixed 'make test' to fail if PIDL tests fail<br />
*Build Farm<br />
**make build farm send e-mails to dead hosts (based on SQLite database)<br />
=Achievements for fortnight ending 19 April 2008=<br />
==SambaXP==<br />
*Successfully gave 3 presentations<br />
**Samba4 status report (Both)<br />
**Samba4 and the LDAP backend / Little barber shop of horrors (Andrew)<br />
**RPC Scripting using Python (Jelmer)<br />
*Worked with Sam Liddicott<br />
**He has implemented the start of a WAFS (latency reducing) proxy for Samba4<br />
**Organised to visit his company's office<br />
*Improved code coverage to give better 'headline' figure for presentation (Andrew)<br />
**Working with Kai's winbind work to run metze's structure based tests<br />
**Kai worked on blackbox tests<br />
**Required fixing up parts of winbind (untested code is broken code, Andrew)<br />
*Fixed bugs in Pidl reported by Volker (Jelmer)<br />
*Added knownfailure support in test code (Jelmer)<br />
*Split out policy library into separate git repository (Jelmer)<br />
*Worked with Wilco on more registry tests (Jelmer)<br />
*Fixed several Python usability bits (Jelmer)<br />
*Fixed duplication in blackbox tests (Jelmer)<br />
*Initial work on ncacn_http support (Jelmer)<br />
*Discussions with Guenther, Michael about reconciling registry, libsmbdotconf and smbdotconf in Samba 3 and 4 (Jelmer)</div>Ekacnethttps://wiki.samba.org/index.php?title=UpgradeprovisionPlans&diff=5497UpgradeprovisionPlans2010-07-11T14:18:15Z<p>Ekacnet: </p>
<hr />
<div>== Future plans for upgradeprovision ==<br />
<br />
=== Close future ===<br />
<br />
* Handle updates on provision with user amended schema (patch available already at [http://git.samba.org/?p=mat/samba.git;a=shortlog;h=refs/heads/upgradeprovision-misc my upgradeprovision-misc branch])<br />
* Handle renaming of default GPO to correct GUID<br />
* Handle RID stuff in a better way<br />
<br />
=== A bit less close ===<br />
<br />
* Allow migration from Openldap backend to ldb backend<br />
<br />
=== Even further away ===<br />
<br />
* Handle migration of samba3 provision to samba4<br />
* Allow migration from ldb backend to Openldap backend</div>Ekacnethttps://wiki.samba.org/index.php?title=Samba4/Andrew_and_Jelmers_Fantasy_Page/2010&diff=5496Samba4/Andrew and Jelmers Fantasy Page/20102010-07-11T14:09:05Z<p>Ekacnet: /* Plans for fortnight ending 19th July 2010 */</p>
<hr />
<div>=Plans for fortnight ending 19th July 2010=<br />
*Start hacking around [http://msdn.microsoft.com/en-us/library/cc224123%28v=PROT.13%29.aspx MS-BKRP] aka protected storage (Matthieu)<br />
==Achievements==<br />
* Made a page about [[UpgradeprovisionPlans | upgradeprovision plans]] (Matthieu)<br />
* Finished all the patches about upgradeprovision to keep up with the pace of current development (Matthieu)<br />
<br />
=Plans for fortnight ending 5th July 2010=<br />
*Make upgradeprovision able to change and synchronize msds-keyversionnumber (Matthieu)<br />
*Start hacking around [http://msdn.microsoft.com/en-us/library/cc224123%28v=PROT.13%29.aspx MS-BKRP] aka protected storage (Matthieu)<br />
*Review Andrew's s3compat auth patches. (Jelmer)<br />
*Infrastructure for testing net from within Python. (Jelmer)<br />
==Achievements==<br />
*upgradeprovision is now able to change and synchronize msds-keyversionnumber (Matthieu)<br />
=Plans for fortnight ending 19 June 2010=<br />
*Upload Debian packages (Jelmer)<br />
*Fix build against system Heimdal (Jelmer)<br />
==Achievements==<br />
*More Python cleanups (Jelmer)<br />
*Fix Samba 4 build to install everything necessary for OpenChange again (Jelmer)<br />
*Review Matthieu's patches (Jelmer)<br />
*Push major update for upgradeprovision both in terms of update capacity and reliability (Matthieu)<br />
*Use standard python logging infrastructure in Python code (Jelmer)<br />
*Re-upload Debian packages based on waf build (Jelmer)<br />
*Started [[MergeRequests]] page (Jelmer)<br />
<br />
=Plans for fortnight ending 5 June 2010=<br />
*Make the whole redesign of upgradeprovision go in Master (Matthieu)<br />
*Develop more unit tests around upgradeprovision (Matthieu)<br />
==Achievements==<br />
=Plans for fortnight ending 22 May 2010=<br />
*Make client DFS referral support for sysvol go in Master (Matthieu)<br />
*Develop torture test for DFS (at least for the domain referral part) (Matthieu)<br />
*Make the whole redesign of upgradeprovision go in Master (Matthieu)<br />
*Develop more unit tests around upgradeprovision (Matthieu)<br />
*Merged some waf patches from Thomas. (Jelmer)<br />
*Cherry-picked some of the patches I pair-programmed with Matthieu during SambaXP (Jelmer)<br />
==Achievements==<br />
*DFS responses to client referral request are ok for Domain, DC and SYSVOL/NETLOGON (Matthieu)<br />
*Torture tests ok (Matthieu)<br />
*Update Debian packages for talloc, tdb, ldb and tevent. (Jelmer)<br />
=Plans for fortnight ending 24 Apr 2010=<br />
SambaXP!<br />
==Achievements==<br />
*Played with the waf build (Jelmer)<br />
*Pair-programmed on upgradeprovision unit tests (Jelmer, Matthieu)<br />
*Initial Python bindings for libpolicy (Jelmer) <br />
=Plans for fortnight ending 10 Apr 2010=<br />
Slacking<br />
=Plans for fortnight ending 27 Mar 2010=<br />
Slacking.<br />
=Plans for fortnight ending 13 Mar 2010=<br />
Slacking.<br />
=Plans for fortnight ending 27 Feb 2010=<br />
==Achievements==<br />
*More work to automate the correct setup of BIND for DNS (Andrew)<br />
*Work with tridge to demonstrate 'waf' as a build system for Samba (Andrew)<br />
=Plans for fortnight ending 13 Feb 2010=<br />
==Achievements==<br />
*Work with Tridge on Samba HOWTO (Andrew)<br />
*More work to automate the correct setup of BIND for DNS (Andrew)<br />
*Improve Samba4 RPC proxy to handle a non-zero if_version (Andrew)<br />
**This is needed to ensure we proxy the full if_version from an RPC bind to the endpoint mapper and subsequent bind on another RPC server. <br />
**Add testsuite to ensure the RPC proxy (rpc_server/remote) does not bitrot further. <br />
<br />
=Plans for fortnight ending 30 January 2010=<br />
==Achievements==<br />
*Successful presentation at linux.conf.au Sysadmin mini-conf (Andrew)<br />
*Holiday on South Island of NZ (Andrew)<br />
<br />
=Plans for fortnight ending 16 January 2010=<br />
==Achievements==<br />
*Samba4 Alpha 11 release (Andrew)<br />
*DRS pair programming with Tridge (Andrew)<br />
*Preparation for linux.conf.au SysAdmin mini-conf presentation<br />
<br />
=Plans for fortnight ending 2 January 2010=<br />
==Achievements==<br />
*DRS pair programming with Tridge (Andrew)<br />
**Success with replicating with Windows 2008 again (mostly Tridge)<br />
*Christmas Holidays (Andrew)<br />
<br />
=Plans for fortnight ending 19 December 2009=<br />
*Password work completed (Matthias)<br />
==Achievements==<br />
*DRS pair programming with Tridge (Andrew)<br />
**Working on linked attribute replication with AD<br />
**Rework duplicate code into utility functions<br />
<br />
=Plans for fortnight ending 5 December 2009=<br />
==Achieved so far==<br />
*Alpha release (Andrew)<br />
*Fixed nasty "primaryGroupToken" crash bug (Andrew)<br />
<br />
=Plans for fortnight ending 21 November 2009=<br />
*Fix up group membership (Andrew)<br />
**The PAC should not include builtin groups, but the local token must<br />
<br />
=Plans for fortnight ending 7 November 2009=<br />
*Fix up Binary+DN format DNs after the Vampire sprint. (Andrew)<br />
**The code developed at the interop event with Microsoft needs some rough edges filed off...<br />
<br />
==Achieved so far==<br />
*Finished Dynamic creation of partitions (Andrew)<br />
*Posted implementation of Binary+DN changes, awaiting review (Andrew)<br />
*Reviewed patches by mdw for const and passwords (Andrew)<br />
*Reviewed karminim's prefixmap patches (Andrew)<br />
<br />
=Plans for fortnight ending 23 October 2009=<br />
*Finish Dynamic creation of partitions (Andrew)<br />
<br />
==Achieved so far==<br />
*Dynamic creation of partitions (Andrew)<br />
**Merged many of the pre-requisite patches that are required towards<br />
<br />
=Plans for fortnight ending 9 October 2009=<br />
<br />
==Achieved so far==<br />
*Dynamic creation of partitions (Andrew)<br />
**Continued work started at plugfest. <br />
*Reproduced DRS replication (Andrew)<br />
**i.e., the things tridge achieved at the plugfest.<br />
**Published generalised versions of tridge's helper scripts<br />
*Pair-programming with Tridge on merging his DRS work (Andrew)<br />
<br />
=Plans for fortnight ending 26 September 2009=<br />
*Implement clever nTSecurityDescriptor update (Matthieu)<br />
*Merge Calin's work into Samba-GTK. (Jelmer)<br />
*Test and Debianize SWAT. (Jelmer)<br />
<br />
==Achieved so far==<br />
*Merged outstanding patches. (Jelmer)<br />
*CIFS plugfest (Andrew)<br />
**Merged into common code the parts required for an lmhosts implementation in Samba4<br />
**Discussions around LDAP and Kerberos backends for Samba4<br />
**[http://people.samba.org/people/2009/10/05#cifs-2009-conference blog article]<br />
*Kerberos Salting<br />
**Reworked 'join domain' code to always use the python 'set secrets' code<br />
**This ensures we then set saltPrincipal, which was previously incorrect<br />
*Microsoft interop (Andrew)<br />
**Ran Microsoft's LDAP testsuite against Samba4<br />
**Added objectClass hierarchy restrictions<br />
**Added allowed RDN restrictions<br />
**Started 'dynamic partitions' work<br />
**Don't allow creation of 'isDefunct' objectClasses<br />
**Add new module to handle 'lazyCommit' control (ignored for now)<br />
**Handle NULL RDN<br />
**Merge 'relax' control to allow us to specify objectGUID during provision, but forbid specifying it otherwise<br />
**Learnt how the online interop environment will be set up<br />
***Should allow us to run the tests remotely.<br />
**Assistance where required for the DRS replication challenge tridge was running<br />
<br />
=Plans for fortnight ending 12 September 2009=<br />
*Demonstrate Samba<->Samba replication over DRS (Andrew, tridge)<br />
*Finally import LDB index patches<br />
*More work on the SAMLDB module (Matthias)<br />
<br />
==Achieved so far==<br />
*Worked with tridge to: (Andrew)<br />
**Add support for linked attribute replication over DRS<br />
**Fix LDB to be more robust in handling errors in callback-based modules<br />
**Fix failures on older python installs for the 'dcerpc' tests<br />
**Rework LDB and Samba4's modules to correctly handle two-stage commits<br />
*Investigated LDB index performance and proposed patches to fix it<br />
*Implement correct behavior for the supportedEnc field in the GetDomainInfo RPC (Matthieu)<br />
*Refactor rebuildextendeddn so it can be integrated in main repo (Matthieu)<br />
<br />
=Plans for fortnight ending 29 August 2009=<br />
*Finish basic functions for the update script (i.e. allow updating at least the schema and adding simple objects) (Matthieu)<br />
*Push rebuildextendeddn.py to the central repo (Matthieu)<br />
*Return full ctr6 structure in dcesrv_drsuapi_DsGetNCChanges (Anatoliy)<br />
*Start digging in linked attributes (Anatoliy)<br />
*Test case for "urgent replication" (Kamen)<br />
*Test case for DsGetNCChanges() (Kamen)<br />
==Achieved so far==<br />
*Explanation of Zahari's ACL problem (Andrew)<br />
*Add and improve ldb python wrappers to assist test and conversion script development (Andrew)<br />
*Fix 'show_deleted' module not to linearise the search filter (should improve performance) (Andrew)<br />
<br />
=Plans for fortnight ending 15 August 2009=<br />
*Really start working on a tool for provision update (mainly due to schema update) (Matthieu)<br />
*Investigate and fix issues with Windows 2008 and Samba4 (as a Windows 2008 level DC) (Andrew)<br />
==Achieved so far==<br />
*Review of Matthias's 'Computer information in AD' patch (Andrew) <br />
**Matthias was finally able to merge his patch!<br />
*More questions to Microsoft (AES key use) (Andrew)<br />
*Create a script (rebuildextendeddn.py) to (re)build extended DNs, useful for upgrading a long-running setup (Matthieu)<br />
<br />
=Plans for fortnight ending 1 August 2009=<br />
*Continue investigation on bug 6273 (unable to access windows 2008 share from XP/Samba4) (Matthieu)<br />
*Start working on a tool for provision update (mainly due to schema update) (Matthieu)<br />
*Display specifiers (Andrew, Matthias)<br />
*Prepare for an alpha with vampire capability (Andrew)<br />
*Add flag to ldb to force canonical form (Andrew)<br />
*Investigate file server bugs (Andrew)<br />
*Investigate domain trusts again (Andrew)<br />
==Achieved so far==<br />
*Computer information in AD (Matthias)<br />
*Nested groups (Matthias)<br />
*Forwarded question to Microsoft for their comment in Windows 2008 access issue (Andrew)<br />
*Review of Matthias's 'Computer information in AD' patch (Andrew)<br />
*Fixed Zahari's segfault in his python wrapper for libnet_ChangePassword (Andrew)<br />
*Implemented 'net export keytab' to extract a keytab from a Samba4 DC (Andrew)<br />
*Fixed a number of trivial failures in Samba4's 'make test' (Andrew)<br />
**This should make real bugs easier to see<br />
*Fix provision on FreeBSD (Andrew)<br />
*Find core problem for bug 6273, proposed a patch (Matthieu)<br />
<br />
=Plans for fortnight ending 18 July 2009=<br />
<br />
*Prepare for an alpha with vampire capability (Andrew)<br />
*Add flag to ldb to force canonical form (Andrew)<br />
**This covers things such as making large 32-bit integers negative and always storing SIDs in binary form<br />
*Research possible ways to use Kerberos from within Python code (Zahari)<br />
*Catch up with Andrew Tridgell on replication (Anatoliy, Kamen)<br />
*Communicate with Microsoft to establish the correct nTSecurityDescriptors for the partitions in a clean installation, how the defaultSecurityDescriptor is used, how the default DACL of a security token is created, and the function of the extended rights (Nadya)<br />
*Finish debugging the descriptor inheritance (Nadya)<br />
*Define tests for descriptor inheritance to be added to unit tests (Nadya)<br />
*Improve Netlogon dissector in order to drill down on bugs 6272 and 6273 (Matthieu)<br />
*Investigate the problems with Windows 2008 as a SMB client for Windows XP bug 6272 (Matthieu)<br />
<br />
==Achieved so far==<br />
*Found the problem for bug 6272, issued a patch that should be integrated by Heimdal (Matthieu)<br />
*Netlogon dissector of wireshark is now able to decrypt schannel encrypted dialogs, patch sent to samba-technical for comments (Matthieu) <br />
*Found and fixed Python and ldb/talloc issues shown up by Zahari's nTSecurityDescriptor test (Andrew)<br />
*Fixed Windows7 Join against Samba4 (Andrew)<br />
**It was failing for the 'add' case.<br />
*Finalize schemaUpdateNow patch and test (Anatoliy)<br />
**It does not break the possibleInferiors test and the schema update is OK now<br />
**We should focus on schema consistency checker at some point<br />
*Make Samba4 report Windows 2008 functional level by default (Andrew)<br />
*Update to current Heimdal again (as patches have been accepted) (Andrew)<br />
*Sort out issues with various tests (schemaUpdateNow etc) and get outstanding patches applied (Andrew)<br />
*Working with NTP.org community to finally integrate the MS-SNTP signing of NTP replies (Andrew)<br />
*Discussions with Microsoft to get 'Display specifiers' released under an acceptable licence (Andrew)<br />
**This should allow an import into Samba4<br />
<br />
=Plans for fortnight ending 4 July 2009=<br />
*Sort out nTsecurityDescriptor problems from Zahari (Andrew)<br />
*Work with summer of code students (Andrew)<br />
<br />
==Achieved so far==<br />
*Worked with tridge to show DRS replication from windows works again (Andrew)<br />
*Applied patch queue from Matthias (Andrew)<br />
<br />
=Plans for fortnight ending 20 June 2009=<br />
*Improve automated setup of OpenLDAP backend (Andrew)<br />
*Finish subunit separation (Jelmer)<br />
*Maybe WMI..<br />
==Achieved so far==<br />
*Samba4 alpha (Andrew)<br />
*Heimdal merge (Andrew)<br />
*Fixing Python rpcecho test and Python ldb test<br />
*Work with Don Davis on Samba4's Kerberos lib requirements (Andrew)<br />
<br />
=Plans for fortnight ending 6 June 2009=<br />
*rpcecho.python test (Jelmer)<br />
*Attempt Heimdal merge (Andrew)<br />
*More work on Kerberos requirements (Andrew)<br />
==Achieved so far==<br />
*Documentation of Kerberos requirements (in particular the requirements that a switch to MIT Kerberos would impose) (Andrew with Don Davis)<br />
*Fix SAMR tests (Andrew)<br />
*Fix build with older libnet on Fedora 10<br />
*LDB performance issues with many users (Andrew and Tridge)<br />
*Unique indexes in LDB (Andrew and Tridge)<br />
*Fixed one-level indexes in LDB (Andrew and Tridge)<br />
*Worked with Howard Chu to chase down nasty crash bugs in OpenLDAP under Samba4's 'make test'<br />
<br />
=Plans for fortnight ending 23 May 2009=<br />
*Rework Samba4 DC to support only one realm at a time (Andrew)<br />
**This is not related to trusted domains, but to how we look at our database<br />
*Fix krbtgt expiry causing kpasswd account to be disabled (Andrew)<br />
==Achieved so far==<br />
*'make test' failures with OpenLDAP backend (Andrew)<br />
**Reproduced on current code<br />
**Fedora 11 VM prepared and supplied to Howard Chu for further investigation<br />
*str_list code (Andrew)<br />
**str_list_make_v3 added to Samba3 while I was away<br />
**Investigate why this 'v3' version is required<br />
**Add unit tests for all aspects of 'common' str_list behaviour<br />
**Attempt (but not committed) to re-merge all the str_list code<br />
<br />
=Plans for fortnight ending 9 May 2009=<br />
==Achieved so far==<br />
*Documentation build system improvements (Jelmer)<br />
**Changed the docs build system to use dblatex rather than db2latex<br />
**Remove cruft from docs<br />
=Plans for fortnight ending 25 April 2009=<br />
*SambaXP conference<br />
**Samba4 status report presentation<br />
**Samba4 and Microsoft presentation<br />
==Achieved so far==<br />
*libcli/auth merge (without ldb and Samba3 server-side components) (Andrew)<br />
*Fix RPC python tests (Andrew, Jelmer)<br />
<br />
=Plans for fortnight ending 11 April 2009=<br />
==Achieved so far==<br />
*Use Full WSPP Microsoft schema in Samba4 (Andrew and Tridge)<br />
**Required a lot of work to make ldb more efficient with a full set of schema<br />
**Create and test possibleInferiors attribute for AD schema<br />
**Integrate work by Sreepathi Pai to convert the WSPP schema into LDIF for the provision<br />
*Prepare merge of charcnv code<br />
**Required cutting the patch down from sharing all the code to just sharing a common API<br />
<br />
=Plans for fortnight ending 28 March 2009=<br />
*Improve the implementation of netr_DsRGetDCNameEx2 (Andrew)<br />
*Include full AD schema when permitted by Microsoft to do so (Andrew)<br />
*libcli/auth merge between Samba3 and Samba4 (Andrew)<br />
*charcnv merge between Samba3 and Samba4 (Andrew)<br />
*libregistry merge (Jelmer)<br />
*Samba3 DCE/RPC async (Jelmer)<br />
*WMI (Jelmer)<br />
*Fix kpasswd when the krbtgt account has expired (Andrew)<br />
==Achieved so far==<br />
*Pair programming of restoring minschema to operation<br />
*Implementation (with Tridge) of UID handling for recursion to a new event context in the VFS layer (Andrew)<br />
<br />
=Plans for fortnight ending 14 March 2009=<br />
*Improve the implementation of netr_DsRGetDCNameEx2 (Andrew)<br />
*Include full AD schema when permitted by Microsoft to do so (Andrew)<br />
==Achieved so far==<br />
*Proposal for fixes for the 'wrong UID' problem with recursion to a new event context in the VFS layer<br />
*Improve performance of Samba with a full schema (Andrew)<br />
=Plans for fortnight ending 27 February 2009=<br />
==Achieved so far==<br />
*Release of alpha7 (Andrew)<br />
*Work on the trusted domains and IPA proposal (Andrew)<br />
*Remove dependency of GENSEC on the Samba4 auth subsystem (Andrew)<br />
*Travel plans for SambaXP (Andrew)<br />
*Work with Microsoft on importing the full AD schema<br />
=Plans for fortnight ending 13 February 2009=<br />
*Prepare alpha7<br />
*Prepare proposal for linking IPA with AD via Samba4 (Andrew)<br />
*Windows7 join to Samba4<br />
**Work to add the AES schannel type<br />
**Fix Samba4 to accept Windows 7 joins<br />
==Achieved so far==<br />
*Phone call with Microsoft over Windows 7 and Samba issues (Andrew)<br />
*Initial work on IPA proposal (Andrew)<br />
**See http://wiki.samba.org/index.php/Samba4/Proposal_for_IPA_to_AD_trust<br />
<br />
=Plans for fortnight ending 24 January 2009=<br />
*More work reintegrating WMI (Jelmer)<br />
*Finish full epmapper implementation (Jelmer)<br />
*Fix random failures of samba4.ldb.python tests (Jelmer)<br />
*Use subunit in submissions to the buildfarm (Jelmer)<br />
==Achieved so far==<br />
*Alpha 6 ! (Andrew, Jelmer)<br />
=Plans for fortnight ending 10 January 2009=<br />
=Plans for fortnight ending 27 December 2008=<br />
*Trusted domains (Andrew)<br />
**Reproduce metze's success trusting a Win2k3 domain<br />
**Reproduce metze's issue being trusted by a Samba3 domain<br />
*Make preparations for an alpha release<br />
**Fixing build farm failures (Andrew and Jelmer)<br />
**Testing a 'real' deployment (Andrew)<br />
**Write release notes (Jelmer)<br />
==Achieved so far==<br />
*Proper Extended DN support (Andrew)<br />
**Pushed into the master branch<br />
*Shared object files for gen_ndr files between Samba 3 and Samba 4 (Jelmer)<br />
*rewrote SWIG-based Python modules in manual C (Jelmer)<br />
*made Samba 4 in merged build use shared libraries when possible (Jelmer)<br />
*fixed several issues building the standalone libraries (Jelmer)<br />
*prepared Debian package of tevent and packaged new versions of talloc, tdb and ldb (Jelmer)<br />
<br />
=Plans for fortnight ending 13 December 2008=<br />
==Achieved so far==<br />
*Added interactive mode to setup/provision (Jelmer)<br />
*Proper Extended DN support (Andrew)<br />
**Published final patch to list for review<br />
*Use Microsoft's full AD Schema in Samba4 (Andrew)<br />
**Conversion script taken on by Sreepathi Pai<br />
**Working with Microsoft to correct errors in the schema<br />
<br />
=Plans for fortnight ending 29 November 2008=<br />
==Achieved so far==<br />
*Proper Extended DN support (Andrew)<br />
**continued work on implementation and testing<br />
<br />
=Plans for fortnight ending 15 November 2008=<br />
*Research to check about transitive trusts between AD and MIT realms (Andrew)<br />
*Proper Extended DN support (Andrew)<br />
**Needed for Samba3 domain members in a Samba4 domain.<br />
*Make a Samba4 release<br />
**Needed for OpenChange, and to give users a solid alpha to test<br />
==Achieved so far==<br />
*Increase to tridge's blood pressure (Andrew)<br />
**Tridge and I worked to learn Python and start an 'upgrade_samba4' script to assist users who have to re-provision but do not wish to lose data.<br />
*Proper Extended DN support (Andrew)<br />
**Posted initial implementation to mailing list for comment<br />
<br />
=Plans for fortnight ending 1 November 2008=<br />
*Finish 'unicode' password issues with integration of new charset (Andrew)<br />
**The character set conversion needs to change invalid sequences to a known 'bad' value<br />
*Proper Extended DN support (Andrew)<br />
**Needed for Samba3 domain members in a Samba4 domain.<br />
*Unique Index support (Andrew)<br />
**Needed to ensure we don't have more than one 'Administrator' in a domain (for example)<br />
*Allow registration in endpoint mapper (Jelmer)<br />
*ncacn_http (Jelmer)<br />
*Research to check about transitive trusts between AD and MIT realms (Andrew)<br />
==Achieved so far==<br />
*Fix kpasswd server to not 'exit(10)' the whole of Samba (Andrew)<br />
**Found by Apple at the CIFS plugfest<br />
*Reconciled more library code between Samba 3 and 4 (Jelmer)<br />
** lib/util<br />
** librpc/gen_ndr<br />
** librpc/ndr<br />
*Relegate pstring to nsswitch/ (Jelmer)<br />
*Move crypt() replacement to libreplace (Jelmer)<br />
*Enable merged-build automatically in developer builds (Jelmer)<br />
*Merged Matthias' registry server improvements (Jelmer)<br />
*Split up selftest code into a Samba4-specific and a generic part (Jelmer)<br />
*Fix blackbox tests on IPv6-only hosts (Jelmer)<br />
*[http://people.samba.org/people/2008/10/22#a-year-since-microsofts-appeal-failed Blog posting] about interoperability with Microsoft (Andrew)<br />
**Now found on [http://lwn.net/Articles/304499/ LWN] and [http://linux.slashdot.org/linux/08/10/23/1441200.shtml Slashdot]<br />
<br />
=Plans for fortnight ending 18 October 2008=<br />
*Use separate structure for gensec settings (Jelmer)<br />
*Share DEBUG() code between Samba 3 and Samba 4 (Jelmer)<br />
**In preparation of merging my libutil-share branch<br />
*More work getting WMI back to work (Jelmer)<br />
==Achieved so far==<br />
*Implement a 'unicode' password pass-down mechanism in LDB<br />
**This fixes domain trust problems where member servers select a completely random password<br />
**We still need to fix this for Kerberos hash types (awaiting charset work by tridge)<br />
<br />
=Plans for fortnight ending 4 October 2008=<br />
*Implement a 'unicode' password pass-down mechanism in LDB, or otherwise avoid UCS2 -> UTF8 -> UCS2 problems<br />
*Trusted domain support (LSA and KDC portions) (Andrew)<br />
==Achieved so far==<br />
*Separate out and add tests for Subunit (Jelmer)<br />
*Remove global_loadparm use in a couple more places (Jelmer)<br />
*Restructure some of the installation bits together with Matthias (Jelmer)<br />
<br />
=Plans for fortnight ending 20 September 2008=<br />
*wmi integration (Jelmer)<br />
*hdb_samba4 (Jelmer)<br />
*eliminate the last EJS scripts (minschema.js, samba3sam.js) (Jelmer)<br />
*Trusted domain support (LSA and KDC portions) (Andrew)<br />
==Achieved so far==<br />
*Committed merged build patch to Samba 3 (Jelmer)<br />
*Made Samba 3 and Samba 4 use the same copy of tdb, talloc, compression, replace, nss_wrapper, socket_wrapper, popt (Jelmer)<br />
*Committed WMI support to the repository (doesn't compile completely yet though) (Jelmer)<br />
*Fixed samba3sam.js and removed remaining JavaScript support. (Jelmer)<br />
*Implemented WSGI standard (http://www.python.org/dev/peps/pep-0333/) support in web_server.<br />
<br />
=Plans for fortnight ending 6 September 2008=<br />
*wmi integration (Jelmer)<br />
*upload samba-gtk into Debian (Jelmer)<br />
*hdb_samba4 (Jelmer)<br />
*send out patch for merged franky build (Jelmer)<br />
*Use franky build for personal Samba4 development (Andrew)<br />
*eliminate the last EJS scripts (minschema.js, samba3sam.js) (Jelmer)<br />
*Trusted domain support (LSA and KDC portions) (Andrew)<br />
==Achieved so far==<br />
*Update NTP patch (Andrew)<br />
*Respond to comments and suggestions on RPMs for Fedora (Andrew)<br />
*(partial) Trusted domain support (LSA and KDC portions) (Andrew)<br />
*PAC Verification support over NETLOGON (Andrew)<br />
*Sent out franky merged build patch, more prerequisites fixed for Franky (Jelmer)<br />
<br />
=Plans for fortnight ending 23 August 2008=<br />
==Achieved so far==<br />
* slacking off (Jelmer)<br />
* Lots of questions to Microsoft on trusted domains and PAC validation (Andrew)<br />
* Build indexes and attributes directly from the schema, not a hard-coded list (Andrew)<br />
* Generate the cn=Aggregate schema in Samba4, rather than in minschema.js<br />
**This prepares us for adding arbitrary schema into Samba4<br />
* Integrate patches for multi-master OpenLDAP configuration (Andrew)<br />
** This allows a Samba4 provision-backend to create a multi-master backend, without hand-manipulation by the admin<br />
* Start of work on trusted domains<br />
**In our KDC, start with a special case for handling the trusted domains principals<br />
**In the drsblobs.idl, parse the trustAuthIncoming and trustAuthOutgoing blobs<br />
<br />
=Plans for fortnight ending 9 August 2008=<br />
*Fix AES compatibility with Windows 2008/Vista. (Andrew)<br />
**It turns out that Metze was starting to chase the same bug<br />
**The fix is to implement gss_wrap_ex(), i.e. AEAD: the signing of the headers in DCE/RPC packets alongside encryption of the payload.<br />
**Earlier 'use Heimdal for SPNEGO' work is forming a very useful basis for this work<br />
*Look at smartcard login again (Andrew)<br />
**Bugs in Dogtag have allegedly been fixed.<br />
*Trusted domains (Andrew)<br />
**Add support for trusted domains in our KDC<br />
==Achieved so far==<br />
<br />
=Plans for fortnight ending 26 July 2008=<br />
==Achieved so far==<br />
*Fix LDAP backend to be secure (not anonymous access) (Andrew)<br />
*Partially Fix vista join bugs due to AES and GSSAPI CFX (Andrew with Tridge)<br />
**Session keys for SMB signing keep their original length (i.e. 32 bytes in this case)<br />
**Session keys for SAMR encryption are truncated to 16 bytes<br />
**Still need to fix GSSAPI encryption for the AES case (it uses AEAD, as seen in NTLM2)<br />
*Phone calls with Microsoft (Andrew)<br />
**I now have a regular phone hookup with Microsoft to go over pending issues in the WSPP process<br />
*Fix 'file not found' errors from clients (Andrew with Tridge)<br />
**Due to an uninitialised variable, introduced in some recent SMB2 work<br />
**Shows up on systems with extended attributes (typically those using SELinux, such as Fedora)<br />
**Perhaps a good reason to push out a new alpha soon<br />
<br />
=Plans for fortnight ending 12 July 2008=<br />
*wmi integration (Jelmer)<br />
*upload openchange and samba-gtk into Debian (Jelmer)<br />
*hdb_samba4 (Jelmer)<br />
*eliminate the last EJS scripts (minschema.js, samba3sam.js)<br />
*Improve LDAP backend from a technology preview to a deployable system (Andrew)<br />
==Achieved so far==<br />
*Continue packaging of OpenChange and Samba4 for Fedora<br />
*Start work on smart card login (Andrew)<br />
**Including setting up DogTag certificate system (Andrew)<br />
**At least to the stage of the first crashes...<br />
*Rework schema handling to know about auxiliary classes (Andrew)<br />
**Try to do this in common between ad2OLschema and the kludge_acl and objectclass modules.<br />
<br />
=Plans for fortnight ending 28 June 2008=<br />
*external Heimdal use (Andrew)<br />
==Achievements==<br />
*Created Samba 4 and OpenChange RPM packages (Andrew)<br />
*'make test' with TEST_LDAP=yes (Andrew)<br />
*Fixed Franky build for odd make versions (Jelmer)<br />
<br />
=Plans for fortnight ending 14 June 2008=<br />
*Linked attributes for 'net vampire' (Andrew)<br />
*AES Key support (check with docs and Win2008 on format) in samdb (Andrew)<br />
*Work to make ldb merge easier for Simo (Andrew)<br />
*Any work required to merge NTP patch with ntp.org distribution (Andrew)<br />
*Work with alpha testers on any issues that come up in production deployments of Samba4 (Andrew)<br />
==Achieved so far==<br />
*Samba4 alpha4 release (Andrew)<br />
**without LDB merge, which seems a while off yet<br />
*Sync ldap.py test with its (now obsolete) ldap.js predecessor (Andrew)<br />
*Add python bindings for NetBIOS (Jelmer)<br />
*Improve portability of Franky build (Jelmer)<br />
*Asked Microsoft about AES key formats (Andrew)<br />
**Just getting the data from Win2008 failed due to other reasons<br />
*Continued the battle with Microsoft over NTP documentation (Andrew)<br />
*Worked on package of Heimdal for Fedora (Andrew)<br />
**As a preview to packaging Samba4 for Fedora<br />
<br />
=Plans for fortnight ending 31 May 2008=<br />
*Linked attributes for 'net vampire' (Andrew)<br />
*Make a Samba 4.0 alpha4 release if the ldb branch gets merged<br />
*http://packages.debian.org/testing/python/python-wmi (Jelmer)<br />
==Achieved so far==<br />
*Implement NTP signing (Andrew)<br />
**Patch posted to ntp.org for consideration: [http://bugs.ntp.org/1028 NTP bugzilla item with patch]<br />
**ntp_signd now started by default in samba4<br />
*Finish CLDAP and NBT netlogon parsing. (Andrew) <br />
**Including expected value tests (critical to ensuring we return the *right* answer)<br />
**This should help things like Group Policy, which rely on this 'DC ping' functionality<br />
*Merge Simo's ldb branch with current v4-0-test (abartlet)<br />
**Should make Simo's merge task easier. <br />
*Removed smbpython and restructured Python modules hierarchy to not clutter Python namespace (Jelmer)<br />
*Merged improvements made by Wilco and Jelmer to the registry during SambaXP (Jelmer)<br />
*Added documentation to most Python modules and improved descriptions. (Jelmer)<br />
*Fixed memory bug in autogenerated DCE/RPC Python bindings (Jelmer)<br />
*Several test infrastructure improvements. (Jelmer)<br />
**Print full test path for easy inclusion in knownfail lists<br />
**Make test case name part of test name to allow a test to have different results against different test cases<br />
**Set PYTHONPATH during test runs<br />
*Removed unused old EJS DCE/RPC bindings and testscripts (Jelmer)<br />
*Make it easier to use various libraries externally without including all of Samba 4's build system (Jelmer)<br />
*Updated Samba 4, OpenChange and Samba-Gtk Debian packages, now passes lintian. (Jelmer)<br />
** Announced on the OpenChange website (http://www.openchange.org/index.php?option=com_content&task=blogsection&id=7&Itemid=77)<br />
*Added Python bindings for IRPC / Messaging interfaces (Jelmer)<br />
**Rewrote smbstatus in Python<br />
*Added mechanism for doing "raw" DCE/RPC requests from Python (Jelmer)<br />
**Also initial work on a script that should attempt to figure out IDL by probing<br />
*Exposed more DCE/RPC internals from Python bindings (Jelmer)<br />
*Initial work on [http://www.python.org/dev/peps/pep-0333/ WSGI] implementation in web_server/ (Jelmer)<br />
*Added combined buildsystem for [[Franky]]<br />
<br />
=Plans for fortnight ending 17 May 2008=<br />
*Fix our CLDAP netlogon processing to match the description in [MS-ADTS] 7.3.3 (Andrew)<br />
**Use this to fix and test group policy handling on Win2000 and WinXP clients<br />
==Achieved so far==<br />
*Partial security=server implementation, awaiting VFS proxy merge for testing (Andrew)<br />
*Removed a large number of dead build farm hosts in response to automated mails (Andrew)<br />
*Brought back old (D)COM code and made it compile again (Jelmer)<br />
*Merged GNU make branch (Jelmer)<br />
**Now allows using system Python with Samba Python modules<br />
*Finished Samba 4 Debian package together with Christian (Jelmer)<br />
*Updated Debian packages for OpenChange and Samba-Gtk (Jelmer)<br />
*Most of the parsing work towards the CLDAP/NBT netlogon consolidation (Andrew)<br />
<br />
=Plans for fortnight ending 3 May 2008=<br />
*Build Farm improvements<br />
**See if we can use SQLite to get a bit more done<br />
**make build farm summary page use sqlite<br />
**host list, by last reported time<br />
**last reported time on host individual page<br />
*Finish security=server re-implementation in Samba4<br />
*Finish ncacn_http implementation<br />
==Achieved so far==<br />
*Very useful two-day visit to Sam's company<br />
**Chat with principals to encourage them<br />
**Jelmer prepared WAFS branch for merging<br />
***Looks like further development will be upstream, which is great<br />
**Jelmer did some initial work on tests for proxy code<br />
**Andrew Started work on 'security=server' re-implementation for Samba4<br />
***This will allow the WAFS proxy to intercept an unsigned connection, acting as a man-in-the-middle (it cannot do this to a signed connection).<br />
**Andrew fixed 'make test' to fail if PIDL tests fail<br />
*Build Farm<br />
**make build farm send e-mails to dead hosts (based on SQLite database)<br />
=Achievements for fortnight ending 19 April 2008=<br />
==SambaXP==<br />
*Successfully gave 3 presentations<br />
**Samba4 status report (Both)<br />
**Samba4 and the LDAP backend / Little barber shop of horrors (Andrew)<br />
**RPC Scripting using Python (Jelmer)<br />
*Worked with Sam Liddicott<br />
**He has implemented the start of a WAFS (latency reducing) proxy for Samba4<br />
**Organised to visit his company's office<br />
*Improved code coverage to give better 'headline' figure for presentation (Andrew)<br />
**Working with Kai's winbind work to run metze's structure based tests<br />
**Kai worked on blackbox tests<br />
**Required fixing up parts of winbind (untested code is broken code, Andrew)<br />
*Fixed bugs in Pidl reported by Volker (Jelmer)<br />
*Added knownfailure support in test code (Jelmer)<br />
*Split out policy library into separate git repository (Jelmer)<br />
*Worked with Wilco on more registry tests (Jelmer)<br />
*Fixed several Python usability bits (Jelmer)<br />
*Fixed duplication in blackbox tests (Jelmer)<br />
*Initial work on ncacn_http support (Jelmer)<br />
*Discussions with Guenther, Michael about reconciling registry, libsmbdotconf and smbdotconf in Samba 3 and 4 (Jelmer)</div>Ekacnet