Samba in the Enterprise : Samba 3.0 and beyond - FTP site. - Samba
Samba in the Enterprise : Samba 3.0 and beyond
By Jeremy Allison
jra@samba.org
jeremy.allison@hp.com

Where we are now : Samba 2.2
- The current Samba is a credible replacement for a Windows server providing file and print services.
- More robust than Windows, scales to larger machines than Windows.
- Provides better performance than Windows on identical hardware (when used with Linux).
  - See : PC Magazine report (details on next slides).
  - Samba certainly can't be beaten on cost.

Performance Figures (throughput)
From PC Magazine.

Performance Figures (response time).

Moving beyond the workgroup
- As Linux expands into the Enterprise, Samba must change in order to grow with it.
- Directory services, single sign on, account controls become much more important.
- Integration with Enterprise security systems such as Kerberos is needed.
- Better management and configuration tools are needed to handle large numbers of servers.

Samba 3.0 Roadmap
- Currently in alpha, rapidly moving towards production release.
  - The aim is to ship in spring 2003.
  - This is software, don't take the above seriously.
- Uses UNICODE in talking to clients.
  - Allows true multi-lingual file name storage (when file names are in UTF8 – the default in RedHat 8).
- Full Kerberos 5 and NTLMv2 support.
  - Single sign-on when using a Windows 2000 Domain.

Samba 3.0 Roadmap (continued).
- Full support for LDAP directory infrastructure using standard LDAP v3 calls.
  - Provided by any LDAP directory server with correct schema.
    - Windows 2000 ADS
    - OpenLDAP
    - Other proprietary LDAP servers (Novell, IPlanet etc.).
- Dynamic password backend selection.
  - Plug-ins with fallback support.

Samba 3.0 File and Print Enhancements.
- Better mapping from Windows access control lists (ACLs) to POSIX ACLs.
  - POSIX ACLs are starting to ship as standard in many Linux distributions.
- 'Stacking' VFS (virtual file system) layer allows dynamic checking of file access.
  - Virus scanning, auditing, security.
- Scalable printing – Major goal for HP.
  - The aim is to support more than 1000 print queues.
- Integrated Microsoft DFS support.

Samba 3.0 Example Module Stack
[Diagram labels: Windows Client; Open/Write Request; Samba Server; Audit Module; Anti-Virus Module; Secure log area; Virus Checking Program; Storage Filesystem]

Domain Integration – Account Control
- Samba 3.0 will support all the restrictions a Windows 2000 server does.
  - Password expiration, logon time restrictions, client machine restrictions etc.
  - All can be retrieved from an Active Directory PDC or set locally in Samba's own account databases.
  - Windows Domain groups can be mapped onto local UNIX groups for greater control.
    - Similar to 'Local' groups on a Windows server.
- Idea is to make integrating Samba servers easy.

Kerberos and NTLMv2 Security
- Samba 3.0 uses MIT Kerberos libraries to interoperate with Windows 2000 Domains.
  - Despite what you may hear, Microsoft Kerberos is standard enough to support UNIX Kerberos.
    - So long as you're not trying to serve logons to Microsoft clients...
  - Just tell the Samba server your Kerberos Realm name then add it to the Windows 2000 Domain (using the new 'net' command).
- New NTLMv2 code allows security to be 'upgraded' on Windows networks
  - So long as you don't have Win9x clients.

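Added example (not from the original slides or from the Samba project): a Python check of an smb.conf [global] section for the two points on this slide, a realm set for the Windows 2000 domain join and the parameters that still admit LANMAN or NTLMv1 logons. The default values and both sample configurations are assumptions constructed for illustration; the defaults are taken to be those of the Samba 3.0 smb.conf manual page.

```python
# Added example: audit smb.conf [global] for Kerberos/NTLMv2 readiness.
# DEFAULTS are an assumption (Samba 3.0 smb.conf manual page values).
DEFAULTS = {"security": "user", "realm": "", "lanmanauth": "yes",
            "ntlmauth": "yes", "clientntlmv2auth": "no"}

# Constructed samples: a bare domain-member config and a tightened one.
LEGACY = """
[global]
   workgroup = EXAMPLE
   security = ads
"""
HARDENED = """
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   lanman auth = no
   ntlm auth = no
   client ntlmv2 auth = yes
"""

def parse_global(text):
    """Return [global] parameters; Samba ignores case and spaces in names."""
    params, section = dict(DEFAULTS), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.lower().split())] = value.strip()
    return params

def is_on(value):
    return value.lower() in ("yes", "true", "on", "1")

def audit(text):
    """List settings that block the domain join or admit pre-NTLMv2 logons."""
    p = parse_global(text)
    checks = [
        (p["security"].lower() == "ads" and not p["realm"],
         "security = ads but realm is not set"),
        (is_on(p["lanmanauth"]), "lanman auth on: LANMAN responses accepted"),
        (is_on(p["ntlmauth"]), "ntlm auth on: NTLMv1 responses accepted"),
        (not is_on(p["clientntlmv2auth"]),
         "client ntlmv2 auth off: Samba client tools do not send NTLMv2"),
    ]
    return [msg for failed, msg in checks if failed]
```

Calling audit(LEGACY) returns all four findings and audit(HARDENED) returns an empty list; sites that still have Win9x clients are the case where the LANMAN setting cannot yet be turned off.
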
Management and Configuration Tools.
- The new 'net' command.
  - Allows command line manipulation of a Windows or Samba file and print server.
  - Designed to be familiar to Windows administrators moving to Linux.
- Several Microsoft Management (MMC) plugins work against Samba servers.
  - The goal over the 3.0 series is to keep adding additional MMC support to Samba.
- Currently all good Enterprise level file server configuration tools are proprietary.

Samba as a Domain Controller Replacement.
- Potentially the most useful Samba function.
  - Frees an Enterprise from paying Microsoft client license fees.
- Currently only older Domain protocols supported.
  - Windows 2000 protocols are (of course) undocumented.
    - Support for Windows 2000 clients as an Active Directory replacement with OpenLDAP is being actively worked on.
- New 'net vampire' command allows Domain account information to be transparently moved to Samba.

Samba as a Print Server
- Samba now supports all the Windows printer driver download calls.
  - Most Windows printer functions can be replaced with Samba.
  - The only issue is printer driver initialization on non-Intel platforms.
- Due to Linux/UNIX scalability, Samba serves many more print clients than Windows.
- HP is testing 1000 simultaneous print queue systems using large HPUX servers.

HP Samba Successes
- HP ships CIFS/9000 – a Samba product on HPUX
  - Replaces old Windows code based product.
- Some typical uses :
  - 5-node rp7400 (N-Class) cluster serving 8000 clients.
  - 3-node rp5400 (L-Class) cluster serving 2000 clients.
  - 3 rp5400 (L-Class) servers, 500 users each.
- Serving everything from Microsoft Office, to CAD/CAM to ClearCase files...
  - If an application works to a Windows file server, it'll work to a Samba file server.

Samba Development – Who is involved ?
- HP employs 5 full time Samba developers
  - Not even counting the CIFS/9000 Team.
- IBM employs 3 full time Samba developers.
- SGI, Sun and Apple all have people assigned to Samba on permanent staff.
- Linux Vendors perform security audits against Samba (SuSE, SCO in particular).
- In addition to the 'students living in basements' Samba installation and configuration help can be found worldwide.

Samba is everywhere.... (even if users don't know it)
- Sun/Cobalt Servers
- HP Print Server Appliance
- All Linux based NAS Servers.
- PizzaBox Server

References
- Samba web site :
  - www.samba.org
  - World wide mirrors.
- Samba mailing list :
  - samba@samba.org
- Samba developers mailing list :
  - samba-technical@samba.org

Questions ?