Opening windows
sambaXP 2021

sambaXP is the annual meeting of the international Samba team and its ecosystem of developers, users and vendors all around the globe since 2002.

The 20th international conference around the OpenSource software Samba will take place from 4th - 6th of May 2021. Due to the current COVID-19 situation the organizing committee is planning a digital edition of the popular conference for 2021 again.

Speakers will give their presentations live from their desks and participants can follow the conference from anywhere in the world via the Internet. The event will be recorded and published with the consent of speakers.

The conference will again be held via Zoom and will be more open compared to last year's event: Open mic and video as well as other channels will allow the community to interact in a better way – stay tuned!

The conference itself is free of charge.

Lectures are scheduled for the period from 3pm to 9pm German time zone (CEST). We try to consider the best time slots for all speakers regarding their time zone. Furthermore, it is possible for speakers to record their presentation beforehand and for us to play it during the event. However, we would like to ask you to use this option only in exceptional cases so as not to lose the character of the live event.

The traditional tutorial by Stefan Kania will also be held as a webinar on the day before the conference (Tuesday, 4th May 2021). This year's topic: "Setting up Samba as a printserver".

In addition there will also be a free workshop with the topic "Integrate SAMBA+ AIX in an existing AD domain" on Tuesday, 4th May 2021.

We are further pleased to announce that an SMB Interoperability Lab (IO Lab) will take place online from Wednesday to Friday (May 5th 3:00 pm to 7th 9:00 pm) as part of sambaXP. During the lab participants work together and test, identify and fix bugs in a collaborative setting. Please register if you are interested in attending and check the agenda for new details over the coming weeks.

Do not hesitate to contact the organizers at loc@sambaXP.org

Best regards - your sambaXP team at SerNet.

Registration

The registration process of this conference is managed by XING Events, in particular ticket sales and payment handling. The purpose and scope of the data collection and the ongoing processing and use of data by XING Events as well as your rights in this regard and related setting options to protect your personal privacy are listed in the Privacy Policy of XING Events.

According to German law the place where the service is rendered is Goettingen, Germany; therefore value added tax must be paid under the German Added Tax Act (§ 3 a Abs. 2 Nr. 3 a Umsatzsteuergesetz).

Conference program 2021

Setting up Samba as a printserver

If you have a lot of network printers in your environment it might be a good idea to set up a printserver with Samba4. Together with CUPS you are able to manage your printers for all your clients. For a Linux or Mac client you would only need CUPS, but as soon as you have Windows clients, CUPS is not enough: you need printer drivers for all your printers to be installed on the clients.
If you are using Active Directory to manage all your users, groups and clients you can set up the printserver to share all printers to your Windows clients via GPOs. GPOs can be used not only to connect the printers but also to install the printer drivers on your Windows clients.

In this year's tutorial we will set up a printserver as part of an Active Directory and manage GPOs to connect the printers to the clients and install the drivers without user interaction.

What will we do?

1. Configure CUPS to share the printers inside your network.
2. Join the printserver into a Samba4 domain.
3. Set up the shares for spooling and printer drivers.
4. Install printer drivers.
5. Connect the printer with a driver.
6. Create a GPO to connect the printer to a client and install the driver
   without user interaction.
7. Handle unsigned drivers.

Because sambaXP will be an online event the tutorial will also be held online.

What do you need to join the tutorial?

  • PC with VirtualBox 6.x and Vagrant installed.
  • Webcam and a headset or speaker and microphone to ask questions.
  • To test the printserver you need a Windows system that can be joined into the test domain. If you don't have a Windows VM you can download an evaluation version from Microsoft: https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/ Download the VirtualBox version and import the VM into VirtualBox. It's a full-featured version valid for 40 days.

Training material:
You will get a handout including all steps to be able to recap independently
after the tutorial. For setting up the systems you will get a Vagrant file to
install the Samba4 domain controller and the printserver.

Integrate SAMBA+ AIX in an existing AD domain

This free two-hour workshop shows how to integrate SAMBA+ AIX in an existing AD domain.

The workshop will start with the installation and configuration of SAMBA+ AIX and will also cover integration in an existing Active Directory domain including ID mapping.

What do you need to join the workshop?

  • A headset or speaker and microphone to ask questions.
  • There are no further technical preparations needed.

 

Welcome Note from SerNet

The one track session takes place in Track 1.

Chairman’s note

The one track session takes place in Track 1.

Your Server Will Be With You Shortly

The one track session takes place in Track 1.

Google Chromebooks use Samba code for Active Directory integration. Making this work efficiently on global networks with many Active Directory servers is a challenge.

This talk will tell the story of how the Samba code was improved to reduce logon times from 10+ minutes to less than 1 minute in a large customer network.

Break

You are entering the multi-track conference right after the break. Please use a different browser if you want to follow both sessions.

Google Summer of Code 2020 results: Samba AD DC Cockpit UI

Google Summer of Code is a yearly event that allows university students to gain more experience and helps Open Source projects to improve. In 2020 the Samba Team was allocated a single seat in the program. We chose to work on a modern web UI for samba-tool to allow automation and easier access to command line tools.

The talk will go over our experience with GSoC 2020 and will showcase its result: a Samba AD DC plugin for the Cockpit UI. Cockpit is a web UI framework to manage Linux systems in a browser.

Reverse engineering the Windows SMB server

The Windows SMB server doesn't offer any way to dump the cryptographic keys used for SMB encryption. This can be very annoying when you're trying to debug your client implementation or if you simply want to decrypt traffic in Wireshark. The server is sadly closed-source and is implemented as a kernel module, which makes debugging it more challenging.

This talk will cover some of the architecture of the Windows SMB server, how to debug the Windows kernel, and how we can write another module to dump those keys from the server memory. All from the perspective of a Linux developer relatively new to the world of Windows development.

Samba command line user experience

To the newcomer, Samba's command line user interface appears to be a haphazard jumble of scripts and binaries with options and design principles that fade in and out of use according to some esoteric pattern.

With Samba 4.15, a major rewrite of the command line parser for the Samba client utilities is coming. Every tool will follow the same design principles and offer the same options.

The talk will look into how we solved those issues and how we will avoid them in the future. We will also look at how options have changed or been simplified to make the tools easier for newcomers to use.

Will we get shell-completion one day?

Testing Testing Testing! Updates

Last year we introduced the GlusterFS-Samba integration testing environment, a CI environment allowing us to test Samba with a GlusterFS backend. Over the last year, we have used it to test nightly Samba and GlusterFS builds and have also expanded our test coverage and test environments.

In this update, we discuss changes to the project. We also go through some obscure bugs that the CI environment helped us discover in the Samba-GlusterFS installations as well as catching regressions due to changes introduced upstream. We also discuss future directions for the project.

Break

You are entering the multi-track conference again right after the break. Please use a different browser if you want to follow both sessions.

Group Policy Integration

Samba is a nice piece of software for integration in an AD domain, but lots of administrators want to have a full-featured Samba domain with nice graphical instruments to edit and apply policies and modify domain settings.

The BaseALT company developed a set of instruments to solve the task of policy application and domain management: GPOA (gpupdate) to apply policies, libnss-role to implement nested groups, GPUI to edit policies and ADMC to work with a Samba domain. This is open source software which is partially based upon Samba source code. Our team proudly presents the result of a year of effort spent on writing code and documentation, analyzing use cases and testing various deployment scenarios.

We spent a lot of effort on integrating Group Policy Templates with ALT Linux OS settings. There are many open source components developed in-house which are present in the ALT distribution, making it suitable for domain integration as an end-user workstation.

Samba Multi-Channel/io_uring Status Update

Samba has had experimental support for multi-channel for quite a while.
SMB3 has a few concepts to replay requests safely.
We now implement them completely (and in parts better than a Windows Server).

The talk will explain how we implemented the missing features.

With the increasing amount of network throughput, we'll reach a point where data copies are too much for a single CPU core to handle.

This talk gives an overview of how the io_uring infrastructure of the Linux kernel could be used in order to avoid copying data, as well as spreading the load between CPU cores. A prototype for this exists and shows excellent results.

  • What the current implementation status is
  • What the proposed design looks like
  • How to improve performance

Winbind Group Policy

Winbind can now seamlessly replace Vintela's proprietary Group Policy (VGP) for Linux clients. These recent developments will be discussed, along with recently added samba-tool commands for administering these policies. Plans for future improvements and possible projects will be discussed.

Access control and ID mapping on the Linux SMB client

The SMB protocol was designed long after Unix was created, and as a result supported concepts like globally unique identities and rich ACLs that are in Windows, but not in Linux. User identity and access control are very relevant to the Linux SMB3 client, as it acts as a bridge between the world of Windows-like-filesystems (including the cloud) and the world of Linux filesystems, and has the hard task of translating security information from the more complex Samba and Windows world, to the simpler Linux/POSIX model.

There are three key problems:

  1. Id-mapping: Who is the user? And how does it map to the user that the server understands?
  2. Authentication: Can the user prove his/her identity?
  3. Access control: What permissions does the user have for this file?

This talk will discuss and demonstrate the different ways that the Linux client can be configured to map POSIX permissions (mode bits) to ACLs, and the implications of using these configurations. It will discuss the different authentication choices, especially how to leverage Samba’s winbind for easy to use and highly secure Kerberos authentication and key refresh. In addition it will discuss how to integrate with Samba’s winbind to map user identities (from the local Linux client’s UIDs to globally unique SIDs) and the various alternatives like “idsfromsid”. Recent improvements in cifs-utils for managing ACLs and auditing information remotely will also be discussed, which can make managing a Samba server easier in some cases.

Break

You are entering the multi-track conference again right after the break. Please use a different browser if you want to follow both sessions.

Troubleshooting clustered Samba in Enterprise environments

IBM Spectrum Scale is a software defined storage offering of a clustered file system bundled with other services. Samba is included as part of the product for providing a clustered SMB file server and integration into Active Directory environments. This product is commonly used in Enterprise IT environments.

Troubleshooting problems is an essential part of supporting customers. This talk will walk through Samba troubleshooting approaches that have proven useful over the years. It will explain how Samba is configured in this environment to provide logs and indications by default. Methods for collecting additional trace data are demonstrated, along with how to analyze these traces efficiently. Examples will be used to illustrate debugging problems from the trace data.

Join me offline!

Wide-scale virtual-machine deployments of Windows clients and servers make it difficult to adapt to the classic process of domain joining. Very often there is no connection to an AD domain controller. Sometimes a larger number of virtual machines needs to be joined without the VMs even being started. And sometimes machines need to be joined in locations where there are no (writeable) domain controllers available at all. For all these scenarios the concept of Offline Domain Join has been developed and has been part of the Windows operating systems for quite some time now. This concept allows the machine account creation in AD to be detached from the modification of the machine that is joined. In addition to the machine account credentials, Group Policies and Certificates can be deployed with the Offline Domain Join mechanism and tools as well. Samba can now also take part in this process. With the latest version, Samba can provision machine accounts for offline join in Active Directory (for both Windows and Samba clients) and process offline join state information on the local, disconnected machine (with state information either generated on Windows or using Samba). This feature enables scenarios where Samba servers are deployed ad-hoc in a containerized infrastructure such as Kubernetes.

Experience running a clustered Samba gateway for CERNBox

This aims to be a short contribution to get introduced to the community and share our experience in providing CERN users with direct online access to their personal storage.

CERN, the European Organization for Nuclear Research, provides its large and diverse scientific user community with an on-premise sync and share storage platform dubbed CERNBox. The underlying storage, named EOS and developed in-house, can also be mounted on Linux, and recently on Windows as well, through a ctdb-driven Samba cluster.

After introducing the CERNBox ecosystem, we will briefly describe the configuration of the cluster and its peculiarities given our environment, and go through some typical shortcomings of such a setup and how they were tackled. Further, we will mention a VFS plugin we have developed, in order to support the conversion of Windows permissions to our RichACL-based storage ACLs, and we will conclude with an outlook of the service in the coming months.

Zambezi SMB3 Offload Update

Closing Remarks First Day

The one track session takes place in Track 1.

Welcome Note from SerNet

The one track session takes place in Track 1.

How to fuzz Samba - Part I

Over the last two years, Samba has grown fuzzing infrastructure. This has found numerous bugs and given us some reassurance about the robustness of some parts of the code.

Nevertheless, most of Samba is not fuzzed, and lib/fuzzing is just another isolated subsystem that hardly any developers understand. This talk wants to fix that, walking you through the steps to add a fuzzer to Samba, and how in general to make your code fuzzable.

cifsd (ksmbd) Status Update

cifsd (ksmbd) is a new SMB3 kernel server which implements the server side of the SMB3 protocol. Many changes and improvements have been made since cifsd (ksmbd) was introduced earlier at sambaXP 2019.

This talk will give an overview of ksmbd and a current status update.

How to fuzz Samba - Part II

Over the last two years, Samba has grown fuzzing infrastructure. This has found numerous bugs and given us some reassurance about the robustness of some parts of the code.

Nevertheless, most of Samba is not fuzzed, and lib/fuzzing is just another isolated subsystem that hardly any developers understand. This talk wants to fix that, walking you through the steps to add a fuzzer to Samba, and how in general to make your code fuzzable.

The New VFS

The effort to modernize Samba's VFS interface has reached a major milestone with the next release Samba 4.14.

Starting with version 4.14 Samba provides core infrastructure code that allows basing all access to the server's filesystem on file handles and not on paths. An example of this is using fstat() instead of stat(), or SMB_VFS_FSTAT() instead of SMB_VFS_STAT() in Samba parlance.

Historically Samba's fileserver code had to deal a lot with processing path based SMB requests. While the SMB protocol itself has been streamlined to be purely handle based starting with SMB2, large parts of the infrastructure code remain in place that will "degrade" handle based SMB2 requests to path based filesystem access.

In order to fully leverage the handle based nature of the SMB2 protocol we came up with a straightforward way to convert this infrastructure code so that it makes use of a purely handle based VFS interface.

The talk will present what we have achieved so far and what is left to do. Its intended audience is anyone working on the Samba fileserver code and anyone working on Samba VFS modules.

Break

You are entering the multi-track conference again right after the break. Please use a different browser if you want to follow both sessions.

Life without NTLM or how to trust in FIPS

With Samba 4.14, it is possible to operate Samba services in so-called "FIPS mode". "FIPS" relates to a set of U.S. government documents that define rules, regulations, and standards of handling information by computers and by people. One particular aspect of multiple FIPS documents is a regulation of allowed cryptography algorithms and methods to process information.

FIPS mode does not allow the use of many old cryptography algorithms, including the one that is widely used in Active Directory and the SMB protocol: the RC4 cipher, which is the core of NTLM authentication. When Samba runs in FIPS mode, no use of the RC4 cipher beyond a secure channel established with the help of FIPS-approved crypto is possible.

The ability to run Samba in FIPS mode means its usage in governmental organizations has expanded. Lack of RC4 cipher support means it is not possible to authenticate users with the help of a password in Samba. Only Kerberos authentication with AES ciphers is supported.

This talk is going to look at what is possible to achieve in FIPS mode for Samba and services using Samba. We also want to discuss how to improve the state of authentication in the SMB world.

Socket activation for Samba's RPC services

The classic Samba RPC services like srvsvc, winreg and wkssvc right now are implemented as part of the smbd binary and process.

This talk will give an overview of experiments to change this architecture: Instead of implementing RPC services by linking the server implementation into smbd, an idea is to implement them as separate binaries and separately executed processes.

Red Hat has in the past implemented spoolss and other RPC services as separate processes, but the attempt this talk will present goes one step further: Instead of just forking the main smbd process to perform RPC server services, a separate binary can be executed.

This talk will present the architecture of this thought experiment and demonstrate the current state of the code.

Samba Operator - The Next Phase

At sambaXP 2020 an introduction to Kubernetes and Operators was presented along with a prototype operator for Samba. Starting around October of 2020, the development of the Samba Operator has picked up momentum. It’s gained a new approach to configuring Samba in a radically different, modern way: Instead of configuring a monolithic Samba server, the admin can concentrate on shares and let the operator take care of the server (or servers!). Several additional features have been added and the operator has grown its own little ecosystem.

We will present the current state of the operator, demonstrate some of its current capabilities, and discuss future improvements both in the Samba Operator code base as well as Samba itself.

SMB3 Improvements to Linux: Summary of client status

The Linux client continues to be the most active network/cluster filesystem on Linux over the past year, and the progress on Samba server and the Linux kernel server has helped make adding new features to the SMB3.1.1 client in Linux even more important.

It has been a great year for SMB with the addition of many security improvements, many performance improvements including to caching and RDMA (smbdirect) as well as dramatic improvements to multichannel. Support for the Witness protocol (allowing transparent movement to a different server) has been added, as well as the new more feature rich Linux mount API. In addition support for the final piece of the optional SMB 3.1.1 POSIX protocol extensions was completed. Tooling has been improved with many new features added to tools like smbinfo, and support for easily getting and setting more auditing and security information.

This presentation will go through some of the new features added to the Linux client over the past year, and demonstrate the great progress in accessing various types of network storage, including the cloud (e.g. Azure), Samba and the new Linux kernel server.

Break

You are entering the multi-track conference again right after the break. Please use a different browser if you want to follow both sessions.

to be determined

How compliant is the Linux client?

A deep dive into testing the Linux client against Samba, to see which Linux APIs are supported, which POSIX features work and what still needs to be addressed.

File systems in Linux are complex, having to support over a hundred system calls (far more than POSIX specified), and Linux continues to evolve, adding new file system features and system calls every year. How compliant is the Linux client when mounted to Samba or other common servers? What about if the SMB3.1.1 POSIX Extensions are used? What works now with and without the extensions?

This presentation will summarize what we have found out from analyzing results of the standard Linux file system functional test suite ("xfstests") as well as other Linux tests and customer problems - showing what we have fixed, what works to most servers now (and how to configure best for these), what types of applications require mounting with the SMB3.1.1 POSIX extensions to work, and also show what is missing in the protocol and how we might address these holes.

This is a great opportunity to discuss what minor extensions are needed to the protocol to enable even more Linux workloads over SMB. "xfstests," since they are run against every major Linux filesystem, has been invaluable in pointing out what we need to address in Samba and the Linux client as Linux file system requirements continue to evolve. This presentation will help understand what workloads work well today, and what we have to do for SMB3.1.1 protocol to optimally handle the ever broader set of Linux workloads in the future.

 

Panel Discussion

The one track session takes place in Track 1.

SMB Interoperability Lab

This IO Lab will take place online Wednesday, May 5 2021, 3:00 pm CEST through Friday, May 7 2021, 9 pm CEST, during the virtual sambaXP 2021. The purpose of this IO Lab is for vendors to bring their implementations of SMB3 to test, identify, and fix bugs in a collaborative setting with the goal of providing a forum in which companies can develop interoperable products.  The 2021 SMB3 IO Lab will be held online on Microsoft Teams, provided by Microsoft, using a virtual private network, creating a collaborative framework for testing.  The participants of the IO Lab work together to define the testing process, assuring that objectives are accomplished.

The IO Lab offers access to:

  • The latest Windows client and server software from Microsoft, including test suites that help verify interoperability on various features of SMB protocols
  • Technical support from SMB engineers to look at traces and help with diagnosing problems
  • IO Lab participants are covered by a non-disclosure agreement and access is restricted to registrants only

If you are reluctant to participate because you feel that your SMB implementation is "not ready", you should still participate! The SMB Interoperability Lab is also a development opportunity, not just a testing opportunity. Implementations still in development are encouraged to participate.  It's a great opportunity to get help and learn from the experts!

This IO Lab is sponsored and featured by Microsoft. Stay tuned for more information on how participation will work.

Program Committee

Chairman of the 20th samba eXPerience conference is Jeremy Allison – one of the founding members of the Samba Team.

The program of talks and other contributions is supervised by the program committee:

  • Jeremy Allison, Google
  • Stefan Kania, author
  • Karolin Seeger, SerNet

 

Local Organizing Committee

The local organizing committee (LOC) is responsible for all activities during the conference:

  • Ms. Nadine Dreymann, SerNet
  • Mr. Dr. Johannes Loxen, SerNet

Do not hesitate to contact them via loc@sambaxp.org.

Contact

sambaXP is organised by SerNet:

SerNet GmbH
Bahnhofsallee 1b
37081 Goettingen
Germany

phone: +49 551 370000-0
email: contact@sernet.de

Managing Directors: Dr. Johannes Loxen, Reinhild Jung
