From Fedora Project Wiki
 
(26 intermediate revisions by 4 users not shown)
Line 4: Line 4:
<!-- The actual name of your feature page should look something like: Features/Your_Feature_Name.  This keeps all features in the same namespace -->
<!-- The actual name of your feature page should look something like: Features/Your_Feature_Name.  This keeps all features in the same namespace -->


= Samba4 <!-- The name of your feature --> =
= Samba 4.0 <!-- The name of your feature --> =


== Summary ==
== Summary ==
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->


The Samba Team is working on a release of Samba4. Yesterday Samba 4.0 beta4 has been released. This is important
The Samba Team is working on a final release of Samba 4.0. On Monday, 16th of July 2012, Beta4 of Samba 4.0 has been released. This is important
milestone in a more than 8 years of Samba 4 development. This page attempts to explain what will be and will not be available in
milestone in a more than 8 years of Samba 4 development. This page attempts to explain what will be and will not be available in
Fedora.
Fedora.
'''NOTE''': State of progress since Fedora 18 (as of May 2013) is available as a talk at SambaXP conference: http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track2/Alexander_Bokovoy_Simo_Sorce-Samba-4-Fedora.pdf
Additionally, you can see progress of Samba development, which includes integration of Samba AD DC and MIT Kerberos, at https://wiki.samba.org/index.php/Samba_Next_Goals


== Owner ==
== Owner ==
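Review bot: the rewritten summary sentence pairs a fixed date with the present perfect ("On Monday, 16th of July 2012, Beta4 of Samba 4.0 has been released"); with a specific past date it should read "was released". The following sentence, carried over unchanged, still reads "This is important milestone in a more than 8 years" and needs its articles fixed ("an important milestone in more than 8 years") while the paragraph is being touched.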
Line 22: Line 26:
== Current status ==
== Current status ==
* Targeted release: [[Releases/18 | Fedora 18 ]]  
* Targeted release: [[Releases/18 | Fedora 18 ]]  
* Last updated: 2012-07-18
* Last updated: 2012-10-10
* Percentage of completion: 99%
* Percentage of completion: 100%


<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
Line 34: Line 38:
functionality as an integrated Kerberos DC, LDAP server, DNS server,  
functionality as an integrated Kerberos DC, LDAP server, DNS server,  
and SMB/CIFS server.
and SMB/CIFS server.
The following is a detailed description of the Kerberos problem that we have in Fedora.


Samba 4 AD DC functionality relies heavily on Heimdal Kerberos
Samba 4 AD DC functionality relies heavily on Heimdal Kerberos
Line 43: Line 49:


Fedora uses MIT Kerberos implementation, both server and client side.
Fedora uses MIT Kerberos implementation, both server and client side.
Heimdal and MIT Kerberos are targetting to implement the same Keberos V
Heimdal and MIT Kerberos are targetting to implement the same Kerberos V
protocol but have their own extensions API and certain semantical
protocol but have their own extensions API and certain semantical
differences. They also have slightly different meaning to Kerberos
differences. They also have slightly different meaning to Kerberos
Line 64: Line 70:
MIT Kerberos does not give option of embedding Kerebros KDC server within
MIT Kerberos does not give option of embedding Kerebros KDC server within
another process which is required for Samba 4 AD DC functionality. Thus,
another process which is required for Samba 4 AD DC functionality. Thus,
when compiled with MIT Kerberos, Samba 4 currently does not provice Active
'''when compiled with MIT Kerberos, Samba 4 currently does not provide Active Directory Domain Controller functionality at all, only client side libraries and tools to the extent that does not involve AD DC operations'''. Also, smbd is compiled against MIT Kerberos and provides
Directory Domain Controller functionality at all, only client side
libraries and tools to the extent that does not involve AD DC
operations. Also, smbd is compiled against MIT Kerberos and provides
functionality equivalent to what is provided by Samba 3's smbd.
functionality equivalent to what is provided by Samba 3's smbd.


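Review bot: the unchanged context at the top of this hunk still reads "embedding Kerebros KDC server", and since this revision already corrects "provice" to "provide" in the next sentence, "Kerebros" should be corrected to "Kerberos" in the same edit. The newly bolded sentence also says "to the extent that does not involve AD DC operations", which lacks a subject; "to the extent that they do not involve" would read correctly.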
Line 80: Line 83:
infrastructure. You can get details about implementation from our talk
infrastructure. You can get details about implementation from our talk
at SambaXP 2012 conference (http://abbra.fedorapeople.org/freeipa.pdf) and
at SambaXP 2012 conference (http://abbra.fedorapeople.org/freeipa.pdf) and
earlier roadmap talk at Fedora Devconf in Brno in February 2012
earlier roadmap talk at Developer Conference Brno in February 2012
(http://blip.tv/fedoracz/dmitripal-idenitymanagementroadmap-6071539)
(http://blip.tv/fedoracz/dmitripal-idenitymanagementroadmap-6071539)


Line 95: Line 98:
What is available in Rawhide right now?
What is available in Rawhide right now?


* samba4-* 4.0.0-53beta1 packages are built against system-wide MIT Kerberos libraries. These packages are made conflicting with samba-* packages in areas where they provide the same binaries and/or libraries. You don't need to install samba4-* packages unless you want to use Evolution MAPI plugin and (soon FreeIPA v3 server).
* samba4-* 4.0.0-128.fc18.beta4 packages are built against system-wide MIT Kerberos libraries. These packages are made conflicting with samba-* packages in areas where they provide the same binaries and/or libraries. You don't need to install samba4-* packages unless you want to use Evolution MAPI plugin and (soon FreeIPA v3 server).


* openchange is built to provide client-side libraries to allow Evolution MAPI plugin to work.
* openchange is built to provide client-side libraries to allow Evolution MAPI plugin to work.
Line 101: Line 104:
* Evolution MAPI plugin is rebuilt against new openchange build.
* Evolution MAPI plugin is rebuilt against new openchange build.


What will not be available in Rawhide in time for Fedora 18?
What will not be available in Rawhide in time for Fedora 18, 19, 20?


* Samba 4 AD DC implementation
* Samba 4 AD DC implementation
Line 145: Line 148:


HOWTO:
HOWTO:
0. You need physical hardware or virtual machines with a Windows Active Directory Server installed, a Windows Client installation and a Fedora installation.
0. You need physical hardware or virtual machines with a Windows Active Directory Server installed, a Windows Client installation and a Fedora installation.
1. You install the AD server and created users, then you join the Windows client to AD and setup FreeIPA.
1. You install the AD server and created users, then you join the Windows client to AD and setup FreeIPA.
2. Create a two way trust relationship using ipa-trust-install.
2. Create a two way trust relationship using ipa-trust-install.
3. Login to the Windows client and use putty to connect to the FreeIPA server via SSH.
3. Login to the Windows client and use putty to connect to the FreeIPA server via SSH.
4. This should work without putty asking you for a password.
4. This should work without putty asking you for a password.


== User Experience ==
== User Experience ==
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
Users will enjoy the features for the new SMB protocols and FreeIPA user will be happy to be able to created trust relationships with Active Directory.


== Dependencies ==
== Dependencies ==
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->
FreeIPA and OpenChange depend on libraries provided by Samba4. The samba4-libs package can be installed on the system without any conflict to other Samba packages. The FreeIPA feature for trust relationships between Active Directory requires the samba4 package in addition. This means it conflicts with the samba package.
As this package doesn't provide the DC functionality yet cause of MIT KRB5 OpenChange is not able to provide the server component.


== Contingency Plan ==
== Contingency Plan ==
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
In case the Samba4 is not fully complete by the end of the final development freeze, Fedora can still ship it. The samba4-libs package which is needed by OpenChange can be installed without any conflicts with the samba (Samba 3.6) packages. All other packages conflict with the samba packages.


== Documentation ==
== Documentation ==
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
*
* [https://wiki.samba.org/index.php/Main_Page The Samba Wiki]
* The Procotol documention is available at the [http://msdn.microsoft.com/en-us/library/dd208104%28PROT.10%29.aspx Microsoft Open Specifications Portal]
* The Samba4 Manpages


== Release Notes ==
== Release Notes ==
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
*
* Samba 4.0 beta supports the new SMB2.2 and SMB3 protocols.
 
* Samba 4.0 beta ships with a LSA Service Daemon for FreeIPA trust relationship support.
 
* A new scripting interface has been added to Samba 4, allowing Python programs to interface to Samba's internals, and many tools and internal workings of the DC code is now implemented in python.


== Comments and Discussion ==
== Comments and Discussion ==
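Review bot: the added Documentation entry misspells two words, "Procotol documention", and should read "The protocol documentation is available at ...". In the added Dependencies text, "doesn't provide the DC functionality yet cause of MIT KRB5 OpenChange is not able" needs "because of MIT KRB5," followed by a comma so the clause boundary is clear, and the User Experience line has "to be able to created" where "to create" is meant. The bullet "The Samba4 Manpages" gives no link or page name a reader could follow.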
Line 173: Line 190:




[[Category:FeaturePageIncomplete]]
[[Category:FeatureAcceptedF18]]
<!-- When your feature page is completed and ready for review -->
<!-- When your feature page is completed and ready for review -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->

Latest revision as of 20:39, 8 November 2013


Samba 4.0

Summary

The Samba Team is working on a final release of Samba 4.0. On Monday, 16th of July 2012, Beta4 of Samba 4.0 was released. This is an important milestone in more than 8 years of Samba 4 development. This page attempts to explain what will be and will not be available in Fedora.

NOTE: State of progress since Fedora 18 (as of May 2013) is available as a talk at SambaXP conference: http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track2/Alexander_Bokovoy_Simo_Sorce-Samba-4-Fedora.pdf

Additionally, you can see progress of Samba development, which includes integration of Samba AD DC and MIT Kerberos, at https://wiki.samba.org/index.php/Samba_Next_Goals

Owner

  • Email: asn@redhat.com

Current status

  • Targeted release: Fedora 18
  • Last updated: 2012-10-10
  • Percentage of completion: 100%


Detailed Description

Samba 4 is a combined set of daemons, client utilities, and Python bindings that allow communicating using SMB1, SMB2, and soon SMB3 protocols. It also implements Active Directory domain controller (DC) functionality as an integrated Kerberos DC, LDAP server, DNS server, and SMB/CIFS server.

The following is a detailed description of the Kerberos problem that we have in Fedora.

Samba 4 AD DC functionality relies heavily on the Heimdal Kerberos implementation. Samba 4 includes an embedded copy of Heimdal for use when the system does not provide one, as is the case in Fedora. When the embedded Heimdal is in use, all Samba 4 code is compiled against this Kerberos implementation, including the client-side libraries and tools and the traditional file-serving smbd daemon that we know as the 'samba' package in Fedora.

Fedora uses the MIT Kerberos implementation on both the server and the client side. Heimdal and MIT Kerberos both aim to implement the same Kerberos V protocol, but each has its own extension APIs and certain semantic differences. They also differ slightly in how they treat the format of Kerberos credential cache files, where Kerberos-aware applications store their Kerberos keys. While this is not an issue for client-server communication over a network (a Heimdal client talks the same Kerberos V protocol that an MIT Kerberos server understands, and vice versa), interoperability of client or server code using the same credential cache files on the same system is much less well supported for advanced features like S4U2Proxy and S4U2Self.

It is also generally not advisable to load two different implementations of an API into the same address space. When the rest of the system libraries are compiled against MIT Kerberos, using them within Samba 4 code brings in MIT Kerberos as well. This happens, for example, when linking against the OpenLDAP client libraries and using SASL authentication.
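As an added illustration (not part of the original wiki page, nor of Samba's or Fedora's tooling), the following shell function classifies `ldd` output by which Kerberos implementation a binary links against and flags the mixed case described above. The library name patterns, including the `-samba4` suffix for Samba's bundled Heimdal, and both sample listings are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: report which Kerberos implementation(s) a binary links against.
# Reads `ldd`-style lines on stdin and prints one of: mit, heimdal, mixed, none.
# Only unambiguous library names are matched: both projects ship a "libkrb5.so",
# so that name alone proves nothing. The name patterns are assumptions.
classify_krb5() {
    ck_mit=0
    ck_heimdal=0
    # The first field of each ldd line is the library name; the rest is ignored.
    while read -r ck_lib ck_rest; do
        case "$ck_lib" in
            libgssapi_krb5.so.*|libk5crypto.so.*|libkrb5support.so.*)
                ck_mit=1 ;;
            libhx509*.so.*|libheimbase*.so.*|libroken*.so.*|libgssapi.so.*)
                ck_heimdal=1 ;;
            libkrb5-samba4.so.*|libgssapi-samba4.so.*)
                ck_heimdal=1 ;;
        esac
    done
    if [ "$ck_mit" -eq 1 ] && [ "$ck_heimdal" -eq 1 ]; then
        echo mixed      # two Kerberos APIs would share one address space
    elif [ "$ck_mit" -eq 1 ]; then
        echo mit
    elif [ "$ck_heimdal" -eq 1 ]; then
        echo heimdal
    else
        echo none
    fi
}

# Constructed sample: a binary built against system-wide MIT Kerberos.
SAMPLE_MIT='    linux-vdso.so.1 (0x00007ffd00000000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f0000100000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f0000200000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f0000300000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000400000)'

# Constructed sample: bundled Heimdal plus a system library that drags in MIT.
SAMPLE_MIXED='    libkrb5-samba4.so.26 => /usr/lib64/samba/libkrb5-samba4.so.26 (0x00007f0000100000)
    libhx509-samba4.so.5 => /usr/lib64/samba/libhx509-samba4.so.5 (0x00007f0000200000)
    libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f0000300000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f0000400000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f0000500000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000600000)'

printf 'MIT-only sample: %s\n' "$(printf '%s\n' "$SAMPLE_MIT" | classify_krb5)"
printf 'mixed sample:    %s\n' "$(printf '%s\n' "$SAMPLE_MIXED" | classify_krb5)"
```

On a live system, feed it real output with `ldd /usr/sbin/smbd | classify_krb5`, and run `ldd` only on binaries you trust. `ldd` lists link-time dependencies only, so libraries loaded at run time (such as SASL mechanism plug-ins) will not appear in its output.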

As part of the work we are doing on FreeIPA v3, we have made it possible to compile Samba 4 code against the MIT Kerberos implementation. Unfortunately, MIT Kerberos does not offer the option of embedding the Kerberos KDC server within another process, which is required for Samba 4 AD DC functionality. Thus, when compiled with MIT Kerberos, Samba 4 currently does not provide Active Directory Domain Controller functionality at all, only client-side libraries and tools to the extent that they do not involve AD DC operations. Also, smbd is compiled against MIT Kerberos and provides functionality equivalent to what is provided by Samba 3's smbd.

We intend to make it possible to use AD DC functionality with MIT Kerberos, but this is a longer-term project that requires cooperation between Samba, MIT, and FreeIPA.

For GNU/Linux-based clients, FreeIPA already provides functionality similar to that of Active Directory. With FreeIPA v3 we'll have cross-realm trust support with Active Directory that will allow seamless integration of GNU/Linux-based machines into existing AD-based infrastructure. You can get details about the implementation from our talk at the SambaXP 2012 conference (http://abbra.fedorapeople.org/freeipa.pdf) and an earlier roadmap talk at Developer Conference Brno in February 2012 (http://blip.tv/fedoracz/dmitripal-idenitymanagementroadmap-6071539).

One consequence of Samba 4 being built with MIT Kerberos is that the Openchange server code will not work in Fedora either. The Openchange server code requires a working Samba 4 DC server with proper AD provisioning. This affects only the server side and does not affect Openchange client-side support, which is used in the Evolution MAPI plugin and will continue to work.

Rawhide already provides Samba 4 built with MIT Kerberos, and the Openchange package was modified to include only client-side support. The latter change was also submitted to and merged into Openchange upstream.

What is available in Rawhide right now?

  • samba4-* 4.0.0-128.fc18.beta4 packages are built against the system-wide MIT Kerberos libraries. These packages conflict with the samba-* packages in areas where they provide the same binaries and/or libraries. You don't need to install samba4-* packages unless you want to use the Evolution MAPI plugin and (soon) the FreeIPA v3 server.
  • openchange is built to provide client-side libraries that allow the Evolution MAPI plugin to work.
  • The Evolution MAPI plugin is rebuilt against the new openchange build.

What will not be available in Rawhide in time for Fedora 18, 19, 20?

  • Samba 4 AD DC implementation

What about samba and samba4 packages?

As samba4 is a superset of the Samba 3 packages in Fedora, we are also considering discussing a rename of samba4 back to samba. As all existing APIs and ABIs for smbd/nmbd/winbindd and the libsmbclient library will be the same, the switch is not going to be problematic. However, there is still a need to stabilize the code through beta and pre-releases before doing that.

We also intend to work with upstream and other distributions on a common set of instructions for configuring and setting up the different facets of Samba (AD DC, file server, member server, ...).

Benefit to Fedora

The benefit for Fedora will be that we will provide a Samba file server with SMB3 support and support for FreeIPA trusted domains. The daemons are still the same but provide the latest features of the Samba file server and id mapping.

Scope

The work is mostly done. We need to decide if we rename the package from samba4 to samba. The other thing is if we still want to provide 3.6 packages.

How To Test

Samba provides a full-featured test suite which covers all of its main features. Besides that, FreeIPA needs to be able to establish a trust relationship with Active Directory using samba4-libs, the Python bindings and the smbd daemon.

HOWTO:

0. You need physical hardware or virtual machines with a Windows Active Directory Server installed, a Windows Client installation and a Fedora installation.
1. Install the AD server and create users, then join the Windows client to AD and set up FreeIPA.
2. Create a two-way trust relationship using ipa-trust-install.
3. Log in to the Windows client and use PuTTY to connect to the FreeIPA server via SSH.
4. This should work without PuTTY asking you for a password.

User Experience

Users will enjoy the features of the new SMB protocols, and FreeIPA users will be happy to be able to create trust relationships with Active Directory.

Dependencies

FreeIPA and OpenChange depend on libraries provided by Samba4. The samba4-libs package can be installed on the system without any conflict with other Samba packages. The FreeIPA feature for trust relationships with Active Directory requires the samba4 package in addition. This means it conflicts with the samba package.

As this package doesn't provide the DC functionality yet because of MIT KRB5, OpenChange is not able to provide the server component.

Contingency Plan

In case Samba4 is not fully complete by the end of the final development freeze, Fedora can still ship it. The samba4-libs package, which is needed by OpenChange, can be installed without any conflicts with the samba (Samba 3.6) packages. All other packages conflict with the samba packages.

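Documentation

  • The Samba Wiki (https://wiki.samba.org/index.php/Main_Page)
  • The protocol documentation is available at the Microsoft Open Specifications Portal (http://msdn.microsoft.com/en-us/library/dd208104%28PROT.10%29.aspx)
  • The Samba4 manpages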

Release Notes

  • Samba 4.0 beta supports the new SMB2.2 and SMB3 protocols.
  • Samba 4.0 beta ships with an LSA Service Daemon for FreeIPA trust relationship support.
  • A new scripting interface has been added to Samba 4, allowing Python programs to interface to Samba's internals, and many tools and internal workings of the DC code are now implemented in Python.

Comments and Discussion