Sponsored by:

Ort

Zoom

Datum

April 16-18, 2024

Opening windows
sambaXP 2024

sambaXP is the annual meeting of the international Samba team and its ecosystem of developers, users and vendors all around the globe since 2002. The 23rd conference will take place on 17th and 18th of April 2024. It will be held from 3pm to 9pm German time zone (CEST) as a digital event via Zoom - open mic and video will allow the community to interact in a better way.

Speakers will give their presentations live from their desks and participants can follow the conference from anywhere in the world via the internet. As in the past, the talks will be recorded and published with the consent of the speakers.
Traditionally there will be a few webinars on different topics in Samba on the day before the conference (Tuesday, 16th April 2024). For the webinar program, please have a look at the agenda below.

Attending the conference and webinars is free of charge. All you need to do is register below.

About sambaXP

sambaXP provides a platform for developers, system administrators, and users to come together and delve into various aspects of the Samba open-source software suite, which enables interoperability between Windows and Unix/Linux systems. The conference features presentations, workshops, and discussions on topics such as Samba development, deployment, security, performance optimization, and integration with other technologies. It also offers opportunities for networking, knowledge sharing, and collaboration among individuals passionate about Samba and its related technologies.

Registration

Within our event offer, functions and contents of the service pretix, offered by rami.io GmbH, Berthold-Mogel-Straße 1, 69126 Heidelberg, Germany, are integrated. This includes the ticket store, which is integrated via a JavaScript widget. When you buy a ticket, pretix uses a technically necessary cookie to enable the ordering process and to remember which shopping cart belongs to you. The cookie is set as soon as you interact with the widget. pretix does not store IP addresses, browser information or other unnecessary metadata beyond the duration of your request. You can find more information about data protection at pretix here: pretix.eu/about/de/privacy

SerNet's privacy policy can be found at www.sernet.de/en/data-protection-declaration.

According to German law the place where the service is rendered is Goettingen, Germany, therefore value added tax must be paid under the German Added Tax Act (§ 3 a Abs. 2 Nr. 3 a Umsatzsteuergesetz.)

Conference program 2024

Making NFS clusters highly available with CTDB

This webinar will show that CTDB can not only make SMB shares highly available, but is also able to ensure the high availability of NFS servers. CTDB together with GlusterFS and Bind9 transform the NFS kernel server into a highly available NFS environment. DNS-round-robin, which is performed by Bind9, can then also be used for DNS load balancing.

CTDB is already prepared for use with NFS, but out of the box only the Ganesha NFS server with NFSv3 is supported. The webinar shows how the configuration of CTDB can be adapted so that the NFS kernel server can be used with NFSv4. It is also briefly explained how a GlusterFS can be used as storage. File locking is always important when using NFS in order to protect the data in a highly available environment with shared access from different clients. The webinar shows how CTDB and Gluster ensure smooth operation.

Please note that this webinar will be held in English via zoom.

Cómo configurar un dominio Samba 4 de Active Directory

Durante las tres horas de éste webinar veremos los pasos para configurar un Dominio de Active Directory Samba 4 con todo lo necesario (Bind 9, NTP, DHCP, Kerberos y otros servicios Linux) para su correcto funcionamiento. También conectaremos al menos un cliente Windows desde el cual vamos a administrar vía RSAT nuestro dominio.

En nuestro lab tendremos:

No será necesario seguir paso a paso durante el webinar pero se proveerá de una guía para desarrollarlo.

El escenario (lab) se utilizarán máquinas virtuales en Qemu-KVM, pero puedes utilizar el hypervisor de tu preferencia.

El webinario tiene lugar a través de Zoom y se imparten en español.

Setting up SAMBA on AIX and picking the low and the higher hanging fruits

This webinar will show  how to set up Samba on AIX using SAMBA+ and how to integrate it into an Active Directory environment. It will be shown how easy it is to run SAMBA+ on an AIX server and how to avoid potential pitfalls. The webinar will also cover how to manage ways to set up user und group  mappings with different idmap configurations. This is an essential part in a Samba setup that many administrators struggle with.

Please note that this webinar will be held in English via zoom.

Welcome Note from SerNet

Chairman's note

ksmbd status update

ksmbd is a high-performance SMB3 kernel server which was merged into linux-5.15 kernel. This talk will give recent changes, improvements and plans for the next in ksmbd.

Break

This Time, with Tentacles: Containerized Samba on Ceph

For the previous three sambaXP conferences John Mulligan has been involved in presentations regarding running Samba in containers and within Container Orchestration systems - including Docker and Kubernetes. This year is no different, and yet there's something totally new - his efforts are now targeting the Ceph clustered storage system. In particular, he will be talking about running Samba Containers as part of Ceph Orchestration. There will be a brief overview of how Ceph Orchestration is unique and some similarities with Orchestration systems we are already familiar with. Mulligan will discuss the progress that has been made so far as well as the plans for the near and longer-term future.

Improving the network stack: progress on QUIC and SMB3.1.1 for Linux

There has been recent progress in creating an experimental Linux kernel driver for QUIC. QUIC avoids many of the performance problems that TCP/IP has (and adds encryption support as well) and is supported by other non-Linux platforms for SMB3.1.1 as an alternative to being forced to connect to the server using TCP. This presentation will describe the current state of testing and development of use of the new kernel QUIC driver with SMB3.1.1 mounts on Linux, and what we have observed as we tested the new driver. As the kernel QUIC driver improves, it could be used even more broadly (not just for avoiding the "port 445" problem that some SMB3.1.1 users experience when they can't access remote servers due to port blockage but also for improving performance of many network use cases).

Break

POSIX identities out of OAuth2 identity providers: how to redesign SSSD and Samba?

With a move to cloud-based hosting of the application servers, a typical application is not a member of the same corporate IT environment anymore. Application servers often use OAuth 2.0 protocol flows to identify their users. Identity Providers (IdPs) provide OAuth 2.0 endpoints to applications and pull over the tasks of authenticating and authorizing users’ access to application resources. They become a central point of interaction between enterprise domains, if those still in use in the organization, and applications. This approach allows to integrate both in-house applications and cloud-based SaaS applications provided by third parties.

The separation of enterprise IT architecture and an enterprise domain structure, however, leads to a larger issue. While in the past management of the application servers was part of the enterprise domain services (Active Directory, RHEL IdM, …) where regular users and application developers were present at the same time. Maintaining common access to these servers was easy: since the application server is enrolled into the domain, it can consume domain identities. Not anymore: there is no such guarantee to have both application servers and application developers belonging to the same domain. Effectively, there is a need to access information that is only available in a federated way: through some broker, like IdP. On top of that, the broker might not be able to pass through a certain type of information that might simply not exist on the other side. For example, for Linux servers working together as a compute capacity, it is crucial to have a uniform view on POSIX information about users and groups. But an IdP might simply lack this information because there might be no need for it at the place where a user account is defined.

This talk aims to define a common set of requirements and approaches to represent a secure POSIX identity management integration with OAuth 2.0-based identity providers. Aside from requirements towards client software on the Linux platform, we aim to define possible requirements towards other components of the integration, based on our experience developing Samba, SSSD, and FreeIPA.

Testing Testing Testing - Updates 2024!

The Samba Integration testing environment introduced here at sambaXP has had some big updates and a new home. Apart from GlusterFS, we now also regularly test CephFS and support for other clustered filesystems are in the pipeline. The test coverage has expanded with the introduction of new testing facilities and we are moving towards running the tests from windows client as well.

In this update, Sachin Prabhu and Anoop C S discuss the new changes which increases test coverage, new types of tests and changes to enable us to run the tests on the windows environment. They also describe how the testing infrastructure is helping us with the development of the new CephFS VFS module.

Break

SoS: Scale Out Samba: The comeback of Ceph

tbd

tbd

Get rid of NTLM or become passwordless: choose both?

In November 2023 Microsoft announced a path forward to remove NTLM from Windows. Their choice is easy: use Kerberos everywhere. How can Samba be made compatible with this approach?

At the same time, a lot of Samba users ask for making it possible to authenticate and interoperate with Entra ID and other OAuth2-based services. It might not be a surprise that Entra ID also has support for Kerberos. Can we build a solution that solves both problems?

In this talk we’ll cover an experiment to reuse Kerberos infrastructure we built over years in FreeIPA to make Samba NTLM-less while improving overall security of the SMB authentication process.

SMB and NFS compared

To a long-time SMB developer the NFSv4 RFC looks remarkably familiar. In an effort to provide interoperable locking infrastructure, I have taken a closer look at what NFSv4 provides. This talk will present my current understanding of where NFSv4 and SMB provide similarities and where a common infrastructure could benefit both protocols

Improving Access to Remote Files from Linux: review of recent progress in the SMB3.1.1 client

Another great year of progress in improving access to Samba and other servers from Linux. The Linux SMB3.1.1 client, cifs.ko, continues to be one of the most active filesystems in Linux. With many improvements added each year to securely, reliably and efficiently access remote data, it has been an exciting year. This presentation will cover new features added to the Linux client, and new features you can expect to see over the coming year. Whether accessing data from the smallest devices or the largest (and even the cloud), getting at remote files matters. Over the past year, significant improvements have been made to metadata and directory caching, multichannel performance, POSIX/Linux compatibility, security enhancements, symlink handling, remote swapfiles, improved readahead, better file caching, improved TMPFILE support, and broader support for special file types.

Break

Winbind varlink service? What is it and what is it for?

When samba is joined to a domain, the domain users and groups are available in the local system so one can for example set a file owner to an AD user. This mechanism works thanks to the Name Service Switch (NSS), the mechanism used to retrieve user information from different services, each one providing a pluggable module in the form of a dynamic loadable library. Samba provides the nss_winbind.so module, which uses libwbclient to talk to Winbind daemon, to resolve user and group information from a Windows Domain.

This just works fine for traditional servers, but the world is moving to containerized workloads and this presents new challenges for Samba. What happens for example if we want to run winbindd in a container and smbd in another one? Or if we want to run winbindd in a container but have AD users available on the host? Do we need to install nss_winbind.so and libwbclient everywhere?

This talk will present the systemd's User and Group lookup API and the implementation of the io.systemd.UserDatabase interface in winbind, which provides user and group name resolution through nss_systemd as an alternative to nss_winbind. There will also be a demo to show how it can help in the exposed scenario.

Introduction to The Microsoft Interoperability Commitment

Welcome to the sambaXP 2024 Microsoft Interoperability Track!

We will start with a brief overview of the Open Specifications program and other interoperability resources that can help your development efforts. Then, a deep dive into SMB testing and parsing and a chance to meet and chat with the SMB development team. The track will also feature a taste of the M365 Interoperability for Teams and Exchange.

SMB Witness Service in Samba

Samba 4.20 will ship with rpcd_witness, which provides a service for MS-SWN within a ctdb cluster. This service can be used by a client in order to monitor cluster nodes and gives an administrator the chance to move specific connection to another node.
This talk explains the current state, the design and some strange things a Windows client is doing.

File Sharing Test Suites Updates and Overview of SMB2 Dissectors on Wireshark

Discuss the latest updates of the Microsoft Protocol Test Suites for File Sharing and provide an overview of our implementations and contributions to SMB2 dissectors on Wireshark.

The Test Suites tools were originally developed for in-house testing of the Microsoft Open Specifications and have been used extensively during Interoperability (IO) Labs to test against partner implementations.

Break

Bronze-Bit attack mitigation for old MIT Kerberos versions

The FreeIPA project relies on MIT Kerberos for its KDC service. Fixing the Bronze-Bit vulnerability (CVE-2020-17049) has been particularly challenging on CentOS Stream/RHEL 8, because the solution designed by Microsoft was not practicable in this context.

In this presentation, I explain what this vulnerability is, how it is meant to be fixed, and how it was actually handled on CentOS Stream/RHEL 8. I support these explanations with step-by-step sequence diagrams.

SMB Product Group Q&A

Join a Q&A session with the SMB product team. Hear about the latest updates and get a chance to ask questions and chat with the experts.

Bridging Worlds: Linux and Azure AD

Unlock the secrets behind connecting Linux seamlessly with Entra ID (formerly Azure AD). Dive deep into the intricacies of device joins, OAuth2 authentication, and TGT retrieval. Explore hands-on experiences using Rust. Join me in bridging the gap between Linux and Entra ID, unlocking a world of possibilities for enhanced integration.

Teams Interoperability

Microsoft Teams is cloud-based team collaboration software that is part of the Microsoft 365 and Office 365 suite of applications. Learn how to develop an App that leverages Microsoft Graph or other publicly available APIs to get M365 content seamlessly.

Break

What does the KCC do?

In Active Directory, KCC stands for “Knowledge Consistency Checker”, which is an outstandingly non-descriptive term even by the standards of the field. It is periodically run on all DCs to calculate a replication graph for the domain, so that changes on each DC are replicated to the others via an efficient route.

The KCC runs independently on each DC, using the network description in the database, and it needs to come up with the same answer on all DCs. For the perhaps obsolete reason of economizing on inter-site traffic, it creates a sparse tree between sites but well connected graphs within sites.

The algorithm needs to be robust at all networks scales, and cope with changes over time and with mixed networks of different versions of Windows and Samba.

Samba's KCC implementation was written in Python, largely by people who didn't really know what they were doing (for example, me). It has some terrible workarounds for the Python binding bugs we had at the time.

The combination of inherently complex algorithm and some awful Python is enhanced by a tersely written specification. This makes it hard for anyone to work out what the KCC is actually doing, and whether what it is doing is what it means. I will try to explain what is going on, and maybe add some words about what we could do differently.

Exchange Protocol 2024 update

Overview of Exchange Server Protocols and Documentation. How to communicate with on-prem Exchange Server, what protocol family to choose, and introduction to alternative APIs (MS Graph).

Panel Discussion & Conference Closing

Program Committee

Chairman of the 23rd samba eXPerience conference is Jeremy Allison – one of the founding members of the Samba Team.

The program of talks and other contributions is supervised by the program committee:

  • Jeremy Allison, CIQ
  • Stefan Kania, author
  • Ralph Boehme, SerNet

 

Local Organizing Committee

The local organizing committee (LOC) is responsible for all activities during the conference:

  • Ms. Nadine Dreymann, SerNet
  • Ms. Alma Altergott, SerNet
  • Mr. Dr. Johannes Loxen, SerNet

Do not hesitate to contact them via loc@remove-this.sambaxp.org.

Contact

sambaXP is organised by SerNet:

SerNet GmbH
Bahnhofsallee 1b
37081 Goettingen
Germany

phone: +49 551 370000-0
email: contact@remove-this.sernet.de

Managing Directors: Dr. Johannes Loxen, Reinhild Jung

Datenschutzerklärungdata protection declaration

everything that matters sambaXP:

phone: +49 551 370000-0
e-mail: loc@remove-this.sambaxp.org