Difference between revisions of "Franky"

From SambaWiki

Revision as of 22:15, 10 February 2011

On May 8, 2008, a gaggle of Samba developers came together in a SambaXP follow-up meeting in Göttingen at SerNet, and the idea was born to combine the best parts of Samba3 and Samba4 to form Franky - a complete Samba Active Directory server that is also a performant file server and a print server.

The Idea - A Hybrid Samba Active Directory Controller

The Samba4 and Samba3 daemons should run in parallel and the tasks should be distributed among the processes. The various daemons should communicate via Unix domain sockets.

How to run it

  • Compile and make install Samba4
  • Compile and make install Samba3 with the same prefix
  • Provision Samba4 (sbin/provision)
  • Configure Samba4 so that it does not run the smb service. This can be done by putting

server services = rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate web

into its [global] section. This is the default set of services without the string "smb".

  • Start Samba4 (sbin/samba)
  • Configure nss_winbind and winbind using Samba3's winbind configuration options and configure /etc/nsswitch.conf for winbind.
  • Start Samba3's winbind.
  • Configure lib/smb.conf (the Samba3 configuration file) with the workgroup and realm that you provisioned Samba4 with. Add

passdb backend = ads

auth methods = guest netlogond

and start Samba3 smbd.

  • Try to connect with smbclient, using the Administrator credentials you gave during Samba4 provisioning.
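
The configuration split from the steps above, written as a check over the two smb.conf files. This is an added example, not part of the wiki page or of Samba itself; the function names, file names and the EXAMPLE / EXAMPLE.COM values are assumptions, and only the [global] section is read.

```shell
# Print parameter $2 from the [global] section of smb.conf file $1 (last occurrence kept).
global_param() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[ \t]/, "", sec); next }
        sec == "[global]" && (eq = index($0, "=")) {
            name = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/[ \t]+/, " ", name); gsub(/[ \t]+/, " ", val)
            if (name == want) found = val
        }
        END { print found }' "$1"
}

# Return 0 when both files match the setup steps; print each problem found.
check_franky_split() {
    s4=$1; s3=$2; rc=0
    svcs=$(global_param "$s4" "server services" | tr ',' ' ')
    case " $svcs " in   # smbd3 must be the only process serving SMB
        "  ")      echo "samba4: server services unset, default set includes smb"; rc=1 ;;
        *" smb "*) echo "samba4: smb is still listed in server services"; rc=1 ;;
    esac
    [ "$(global_param "$s3" "passdb backend")" = ads ] ||
        { echo "samba3: passdb backend is not ads"; rc=1; }
    [ "$(global_param "$s3" "auth methods")" = "guest netlogond" ] ||
        { echo "samba3: auth methods is not 'guest netlogond'"; rc=1; }
    for p in workgroup realm; do
        [ "$(global_param "$s4" "$p")" = "$(global_param "$s3" "$p")" ] ||
            { echo "$p differs between the two files"; rc=1; }
    done
    return "$rc"
}

# Constructed sample files; EXAMPLE / EXAMPLE.COM are placeholder names.
demo=$(mktemp -d)
cat > "$demo/s4.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    server services = rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate web
EOF
cat > "$demo/s3.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    passdb backend = ads
    auth methods = guest netlogond
EOF
check_franky_split "$demo/s4.conf" "$demo/s3.conf" && echo "split looks consistent"
```

A missing "server services" line is reported as a failure because, as noted above, the default service set contains "smb".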

The Plumbing Design

This is the basic idea of how to distribute the tasks:

  • The main daemon to be run is the Samba4 samba daemon.
  • samba4 listens on the Kerberos, LDAP, CLDAP, GC, Endpoint mapper and WINS ports.
  • samba4 offers the named pipes samr, lsa, netlogon, epm, and drsuapi
  • samba4 forks smbd3 (and other samba3 daemons)
  • smbd3 listens on the smb ports (139/445)
  • smbd3 offers the named pipes spoolss and possibly winreg
  • nmbd3 offers browsing (138) (forwarding ntlogon/netlogon mailslots to s4 cldap)
  • winbindd3 talks to trusted domains

The daemons have to talk to each other in order for the scenario to work.

See the notes from the meeting for more details.

The Plumbing Design, revised

During another Göttingen meeting another idea was born: pdb_ads.

In the last 12 months, Günther Deschner in particular has done a tremendous amount of work in the Samba 3 RPC server area, making it likely that the RPC services in Samba 3 provide enough infrastructure to offer AD-like services to Windows clients. The things that Samba 3 does not have and probably will not have for the foreseeable future are LDAP and Kerberos services.

The missing piece to provide interoperability between Samba 3 and Samba 4's LDAP/Kerberos services is a way to access the AD-style LDAP database Samba 4 provides from Samba 3. The new pdb_ads module uses the existing passdb infrastructure in Samba 3 to do exactly that.

pdb_ads configuration

At the moment, you need to compile Samba using the merged build: compile Samba 3 with --enable-developer=yes, which enables both the merged build and the pdb_ads passdb module. Then, do a setup/provision in the S3 build directory. You will want to configure Samba4 as a domain controller with "server services = ldap, cldap, kdc". Then do a normal S3 DC setup with "passdb backend = ads". Voila, your AD DC is ready.

At the time of this writing (June 12, 2009), none of this is actually expected to work. Feel free to show up on the mailing lists or the #samba-technical irc channel on freenode.net.

Update on July 9th: The basic samba3 utilities like smbpasswd and net sam work fine. Smbd can authenticate well in a pdb_ads setting. Samba 3 joins a pdb_ads domain with "net ads join". XP almost joins; a fake join of a machine "XP" to a branch "SAMBA.ORG" worked fine in a private branch. What's missing right now is a somewhat more complete DsCrackNames server implementation. Working on that right now.

Name Of The Game

The codename Franky was coined for the combined Samba branch.


  • make smbd4 talk to samba3 winbind (using async wbclient library, in progress).
  • extend the samba4 endpoint mapper to allow registering external services dynamically (in progress)
  • make the command line tools talk to samba using RPC calls instead of editing databases directly

At some later point:

  • reconcile configuration files and options (some parts finished already)
  • make winbindd3 connect to local DC to allow samba4-style users without requiring unix user accounts

And along the way:

  • make the changes necessary so that libsmbclient is thread-safe. A checklist of areas to review is available to track pending thread-safe work.


All of the Franky work is now happening in the samba.git master branch.

Updating your branches to the combined build

Because we had to rewrite the history to be able to merge Samba3's source dir as source3 and Samba4's source dir as source4, your branches will not apply to the combined tree anymore. Here is a quick guide on how to move your branches to the combined tree.

Let's assume we have a branch tracking the v3-devel branch; the same steps work for other branches.

First, extract your patches from your branch using git format-patch.

$ git format-patch --stdout origin/v3-devel | sed -e 's#+++ b/source#+++ b/source3#' | sed -e 's#--- a/source#--- a/source3#' > ~/my_branch.mbox

Notice that we cheat and rewrite the diff locations of the files from source/ to source3/. For a Samba4 branch, you would do the same, changing the replacement to source4 instead.

Once we're done with that, we can cd into the merged tree, recreate the branch and apply our patches using git am.

$ git checkout -b my_branch origin/master
$ git am ~/my_branch.mbox

And we're done.


To build the integrated Samba:

$ cd source3
$ ./configure --enable-merged-build

After that, proceed as usual:

$ make

This should build all of Samba 3 as well as Samba 4's samba daemon and smbtorture.