The Samba Team is working on a final release of Samba 4.0. On Monday, 16th of July 2012, Beta4 of Samba 4.0 has been released. This is important milestone in a more than 8 years of Samba 4 development. This page attempts to explain what will be and will not be available in Fedora.
NOTE: State of progress since Fedora 18 (as of May 2013) is available as a talk at SambaXP conference: http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track2/Alexander_Bokovoy_Simo_Sorce-Samba-4-Fedora.pdf
Additionally, you can see progress of Samba development, which includes integration of Samba AD DC and MIT Kerberos, at https://wiki.samba.org/index.php/Samba_Next_Goals
- Name: Andreas Schneider
- Email: email@example.com
- Targeted release: Fedora 18
- Last updated: 2012-10-10
- Percentage of completion: 100%
Samba 4 is a combined set of daemons, client utilities, and Python bindings that allow communicating using SMB1, SMB2, and soon SMB3 protocols. It also implements Active Directory domain controller (DC) functionality as an integrated Kerberos DC, LDAP server, DNS server, and SMB/CIFS server.
The following is a detailed description of the Kerberos problem that we have in Fedora.
Samba 4 AD DC functionality relies heavily on Heimdal Kerberos implementation. Samba 4 includes the embedded Heimdal, if your system misses it, like we have in Fedora. When embedded Heimdal is in use, all Samba 4 code is compiled against this Kerberos implementation, including client side libraries and tools, and traditional file serving smbd daemon we know as 'samba' package in Fedora.
Fedora uses MIT Kerberos implementation, both server and client side. Heimdal and MIT Kerberos are targetting to implement the same Kerberos V protocol but have their own extensions API and certain semantical differences. They also have slightly different meaning to Kerberos credential cache files format where Kerberos-aware applications store their Kerberos keys. While this is not an issue for client-server communication over a network (a Heimdal client does talk the same Kerberos V protocol that MIT Kerberos server understands and vice versa), interoperability of the client or server code using the same credential cache files on the same system is much less supported for advanced features like S4U2Proxy and S4U2Self.
It is generally not advisable to load two different API implementations into the same address space either. When the rest of the system libraries is compiled against MIT Kerberos, use of them within Samba 4 code brings in MIT Kerberos as well. This happens, for example, when linking against OpenLDAP client libraries and using SASL authentication.
As part of work we are doing on FreeIPA v3, we have made possible to compile Samba 4 code against MIT Kerberos implementation. Unfortunately, MIT Kerberos does not give option of embedding Kerebros KDC server within another process which is required for Samba 4 AD DC functionality. Thus, when compiled with MIT Kerberos, Samba 4 currently does not provide Active Directory Domain Controller functionality at all, only client side libraries and tools to the extent that does not involve AD DC operations. Also, smbd is compiled against MIT Kerberos and provides functionality equivalent to what is provided by Samba 3's smbd.
We are intending to make possible use of AD DC functionality with MIT Kerberos but this is longer term project that requires cooperation between Samba, MIT, and FreeIPA.
For GNU/Linux-based clients FreeIPA already provides functionality similar to the one of Active Directory. With FreeIPA v3 we'll have cross-realm trusts support with Active Directory that will allow seamlessly integrating GNU/Linux-based machines into existing AD-based infrastructure. You can get details about implementation from our talk at SambaXP 2012 conference (http://abbra.fedorapeople.org/freeipa.pdf) and earlier roadmap talk at Developer Conference Brno in February 2012 (http://blip.tv/fedoracz/dmitripal-idenitymanagementroadmap-6071539)
One consequence of Samba 4 built with MIT Kerberos is that Openchange server code will not be working in Fedora either. Openchange server code requires working Samba 4 DC server with proper AD provisioning. This only affects server side and does not affect Openchange client side support which is used in Evolution MAPI plugin, which will continue to work.
Rawhide is already providing Samba 4 built with MIT Kerberos, and Openchange package was modified to include only client side support. The latter also submitted and merged to Openchange upstream.
What is available in Rawhide right now?
- samba4-* 4.0.0-128.fc18.beta4 packages are built against system-wide MIT Kerberos libraries. These packages are made conflicting with samba-* packages in areas where they provide the same binaries and/or libraries. You don't need to install samba4-* packages unless you want to use Evolution MAPI plugin and (soon FreeIPA v3 server).
- openchange is built to provide client-side libraries to allow Evolution MAPI plugin to work.
- Evolution MAPI plugin is rebuilt against new openchange build.
What will not be available in Rawhide in time for Fedora 18, 19, 20?
- Samba 4 AD DC implementation
What about samba and samba4 packages?
As samba4 is a superset of Samba 3 packages in Fedora, we are also considering to discuss renaming samba4 back to samba. As all existing API and ABI for smbd/nmbd/winbindd and libsmbclient library will be the same, the switch is not going to be problematic. However, there is still need to stabilize code through beta and pre-releases before doing that.
We also intend to work with upstream and other distributions on making common set of instructions on configuring and setting up different facets of Samba (AD DC, file server, member server, ...).
Benefit to Fedora
The benefit for Fedora will be that we will provide a Samba file server with SMB3 support and support for FreeIPA trusted domains. The daemons are still the same but provide the latest features of the Samba file server and id mapping.
The work is mostly done. We need to decide if we rename the package from samba4 to samba. The other thing is if we still want to provide 3.6 packages.
How To Test
Samba provides a full features test suite which covers all of it main features. Beside that FreeIPA need to be able to establish a trust relationship with Active directory using the samba4-libs, python bindings and the smbd daemon.
0. You need physical hardware or virtual machines with a Windows Active Directory Server installed, a Windows Client installation and a Fedora installation. 1. You install the AD server and created users, then you join the Windows client to AD and setup FreeIPA. 2. Create a two way trust relationship using ipa-trust-install. 3. Login to the Windows client and use putty to connect to the FreeIPA server via SSH. 4. This should work without putty asking you for a password.
Users will enjoy the features for the new SMB protocols and FreeIPA user will be happy to be able to created trust relationships with Active Directory.
FreeIPA and OpenChange depend on libraries provided by Samba4. The samba4-libs package can be installed on the system without any conflict to other Samba packages. The FreeIPA feature for trust relationships between Active Directory requires the samba4 package in addition. This means it conflicts with the samba package.
As this package doesn't provide the DC functionality yet cause of MIT KRB5 OpenChange is not able to provide the server component.
In case the Samba4 is not fully complete by the end of the final development freeze, Fedora can still ship it. The samba4-libs package which is needed by OpenChange can be installed without any conflicts with the samba (Samba 3.6) packages. All other packages conflict with the samba packages.
- The Samba Wiki
- The Procotol documention is available at the Microsoft Open Specifications Portal
- The Samba4 Manpages
- Samba 4.0 beta supports the new SMB2.2 and SMB3 protocols.
- Samba 4.0 beta ships with a LSA Service Daemon for FreeIPA trust relationship support.
- A new scripting interface has been added to Samba 4, allowing Python programs to interface to Samba's internals, and many tools and internal workings of the DC code is now implemented in python.