Opening windows
sambaXP 2025
24th International User and Developer Conference
April 7 & 8, 2025
Opening windows
sambaXP 2025
Samba eXPerience is the yearly meeting of the Samba team and the ecosystem of developers, users and vendors all around the globe since 2002 – organized by SerNet.
The 24th international conference dedicated to the OpenSource software Samba will take place from April 7th to 8th 2025 in Goettingen, Germany. Attendees can meet the Samba Team, discuss requirements as well as new features and get updated on current development projects.
New this year – following sambaXP on April 8th to 10th, there will be an onsite SMB3 Interoperability Lab, sponsored by Microsoft and organized by SNIA.This offers developers the unique opportunity to test their SMB3 implementations in a real test environment and ensure interoperability with other solutions. If you are interested in participating, please check the related box in the sambaXP registration process and complete the separate Interoperability Lab registration via SNIA.
Further information regarding the venue and room booking will be available soon down on this page.
To pass the time, take a look at our archive or YouTube Channel and find recordings of past events.
Conference review 2025
Welcome Note
Key Note: The Government and the Art of Infrastructure Maintenance
The Sovereign Tech Agency is a state-funded organization in Germany dedicated to strengthening the open-source ecosystem in the public interest. This talk provides insights into its mission, key initiatives, and the diverse programs in its portfolio. Mirko, who has over 15 years of experience in software engineering across various roles and environments, is particularly interested in how engineering communities organize to achieve sustainable productivity. Since last year, he has been leading the Sovereign Tech Fund and continues to drive efforts to support open-source infrastructure from his base in Dresden, Germany.
SMB3, NFS4, A View From Above
Tom Talpey, our presenter of this talk, has a deep and long-term involvement with both protocols, and has (perhaps) a unique perspective to share. No, he is not going to propose merging them or replacing one with the other. He's not going to touch ACLs with a 40-foot pole. But the protocol differences and similarities are important, and necessary to understand. This will be a high-level view, focusing on the role of the protocols, rather than the implementations. Agree, disagree or differ, it may give you a new perspective on the protocols, moving forward.
Introduction to The Microsoft Interoperability Commitment
This session provides a comprehensive overview of the available interoperability resources and programs. It introduces the Open Specifications and covers key technology areas, including Windows, Office, SharePoint, Exchange, and SQL. Additionally, it highlights various content types and related resources to support effective utilization.
Lunch break
Azure Entra ID Auth in Samba: Introducing the Himmelblau Daemon
This talk explores the integration of Azure Entra ID authentication in Samba using the Himmelblaud daemon. It examines the challenges of securely storing sensitive enrollment details and the risks associated with unauthorized access. Additionally, the session provides a status update on Microsoft's cooperation in documenting enrollment processes and enabling access to Intune policy enforcement capabilities.
SMB3 Test Suite Overview
This session provides an in-depth overview of the SMB3 Test Suite architecture, test methodology, and practical guidelines for testing both server and client SMB3 implementations. It also offers valuable insights and techniques to ensure accurate and reliable SMB3 deployments.
localkdc - A general local authentication hub
For several decades we used simple username/password authentication to access services, being them at home, somewhere in the internet or in an enterprise environment. We started to get Single-Sign-On (SSO) support, first via Kerberos and later via web authentication mechanism.
A local Kerberos Key Distribution Center (KDC) is not a new invention. It is a useful tool in combination with the Kerberos IAKerb extension but also allows to map SSO from a web authentication to local authentication or in a network environment isolated from the rest of the enterprise environment.
This talk aims to show a prototype of a common set of requirements and approaches to represent a secure POSIX identity management integration with OAuth 2.0-based identity providers. We also show how use of NTLM in SMB protocol will be replaced by a localkdc in combination with IAKerb.
Working with the Office Open XML File Format and Azure AI
In this talk, learn how to use the Open XML SDK to work with the Office Open XML File Format and integrate it with Azure AI for enhanced document processing and automation.
Coffee break
The CTDB Report 2025
New Outlook (Monarch) Overview
In this talk, we will compare the features of New Outlook and Classic Outlook, highlighting key differences and improvements. Additionally, we will explore the product roadmap and upcoming developments.
Unleashing authentication for the Linux CIFS client with gssproxy
The CIFS client in the Linux kernel relies on the cifs.upcall helper to obtain user credentials in a Kerberos environment. While traditionally implemented with native Kerberos library calls only, the upcall has been extended with an option to use the standardized GSSAPI. This also means that cifs.upcall can now interact with gssproxy, a generic daemon for credential management that opens up several use cases, especially when combined with either regular or Resource-based Constrained Delegation to secure non-interactive filesystem access.
This presentation shows how SMB-based filesystem mounts can make use of gssproxy's features in typical usage scenarios. It also delves into the properties of Resource-based Constrained Delegation, and the pitfalls of kerberized filesystems on current Linux versions.
SMB in Windows Server 2025 and Beyond
Join Microsoft’s SMB team to discuss the new SMB capabilities that shipped with Windows Server 2025. This session will also provide early thoughts on the roadmap for SMB beyond Windows Server 2025.
Social Event
Registration & Welcome
Welcome Note
Redefining CephFS bridge with the new VFS module for Ceph
To better align with the handle-based approach, libcephfs initially provided low-level APIs, while the high-level ones remained unused in the existing Ceph module. But was this the only reason for developing a parallel VFS module for Ceph? This presentation explores the motivation and background behind introducing a new VFS module in Samba to bridge CephFS. Additionally, it examines the evolution of the ceph_new module over the past 6–8 months, highlighting its stabilization through CI/CD pipelines.
How do LDB indexes work?
The Samba AD DC relies on the LDB database, which uses indexes to accelerate attribute searches. While these indexes are typically effective, the underlying code can sometimes appear complex and difficult to follow.
This talk will explore the history of LDB indexes and propose potential improvements for the future. Visual diagrams will be included to clearly explain the concepts and ideas presented.
Scaling Ceph-Samba connections
As a continuation of the discussion on integrating CephFS with Samba, this talk explores the challenges encountered when scaling SMB services in Ceph. The SMB service utilizes a Samba container to export CephFS volumes via the vfs_ceph_new plugin. However, scaling the number of client connections led to resource exhaustion on the server host, traced back to Samba's forking model and libcephfs caching behavior. This presentation delves into the root cause of the issue and introduces the proposed solution—the multiplexing proxy. Additionally, we will discuss planned enhancements to further improve the proxy's efficiency and scalability.
New keytab generation
Starting with Samba 4.21, keytab generation has been significantly improved. The new smb.conf parameter, sync machine password to keytab, enables the creation of multiple keytabs with fine-grained content control. These keytabs are automatically updated whenever the machine password changes, including during the regular Winbind password update. This talk will explore the details of the configuration parameters, their functionality, and the motivation behind these enhancements.
Coffee break
Managed SMB Support in Ceph: The New SMB MGR Module
In this talk, we introduce the Ceph SMB Manager (MGR) module, designed to streamline the deployment and management of SMB shares backed by CephFS. This module provides an interface for orchestrating Samba services, enabling Active Directory authentication, and seamlessly integrating SMB into Ceph storage clusters.
We will explore two management approaches—imperative and declarative—offering flexibility in configuring SMB clusters and shares. Additionally, we will discuss the earmarking feature, which prevents cross-protocol conflicts between SMB and NFS by tagging subvolumes for exclusive use, reducing the risk of data inconsistencies.
The session will conclude with a live demo, showcasing the full end-to-end workflow—from enabling the module to setting up SMB shares and connecting Windows and Linux clients.
A Deep Dive Into OAuth 2.0: Part 1
OAuth2 has become the de facto standard for web-based single sign-on, gradually replacing technologies like SAML. Its influence has extended beyond websites to platform logins, including its adoption in Azure AD.
In the first part of this talk, we will compare OAuth2 with existing authentication technologies such as LDAP, Kerberos, and on-premises Active Directory. We will explore how OAuth2 works, its strengths and weaknesses, and key extensions like OpenID Connect (OIDC) and their role in the authentication ecosystem.
By the end of this session, you will understand key concepts such as claims, the impact of scopes on authorization, and why OAuth2 has become a powerful choice for identity management services.
A Deep Dive Into OAuth 2.0: Part 2
This presentation explores the complexities of Azure Entra ID's OAuth 2.0 implementation, with a particular focus on Microsoft’s proprietary extensions, as defined in the [MS-OAPX] and [MS-OAPXBC] standards. Through in-depth analysis, practical examples, and live demonstrations, we will break down these extensions and their impact on authentication and authorization workflows.
A key component of this ecosystem is the Broker client, a privileged intermediary responsible for managing access tokens across multiple applications and services. We will examine its role, including its implementation on Linux as a DBus system service.
By understanding the intricate interplay between these elements, developers and architects will gain the knowledge needed to navigate the challenges and opportunities within Azure Entra ID’s OAuth framework effectively.
Accessing remote storage better from Linux
Accessing Samba and other servers from Linux over SMB3.1.1 continues to improve . We will explore some of the exciting recent enhancements to the Linux SMB3.1.1 client for better access to remote storage across the wide variety of SMB3 file servers (Samba, Azure, ksmbd, Windows, Netapp, Macs and many others). Improvements have been made to security (including adding new auth mechanisms and making password rotation easier to leverage), performance (e.g. improved use of directory leases and better metadata caching, and improvements to netfs/folios for better data caching), and many new features have been added (including better support for the SMB3.1.1 POSIX Extensions), and even some new Linux system calls have been added. The Linux SMB3.1.1 client, cifs.ko, continues to be one of the most active filesystems in Linux, and the userspace tooling has also had excellent improvements over the past year.
This presentation will describe many of these SMB3.1.1 features and improvements, and what to expect in the coming months, and how to best use these new features to improve your workloads.
Leveraging eBPF for Analysing Performance of the Linux SMB Client
Linux users often ask: Why is my application slow? How can I improve performance? Why did it crash?
This presentation introduces new diagnostic tools from the Azure Files team for troubleshooting Linux SMB client issues. After a brief overview of existing tools for latency and diagnostics, the focus will shift to new eBPF-based (BPF CO-RE) scripts. A technical overview and live demonstration will show how these tools collect and analyze key data in common failure scenarios.
Attendees will also get a glimpse of the upcoming Always-On Diagnostics project, aimed at enhancing debugging on the Linux SMB client. Feedback is welcome to refine these tools and improve Linux SMB performance analysis.
SMB3 POSIX Extensions in the Linux client, Update on Current Implementations
Enhancing compatibility with applications that rely on Linux and POSIX file semantics is crucial. This presentation explores the current state of SMB3.1.1 POSIX Extensions across various clients and multiple servers. Over the past year, significant improvements have been made to these implementations. The session includes a live demonstration of key features enabled by SMB3.1.1 POSIX Extensions, showcasing examples with multiple servers, including Samba and ksmbd, and their impact on common workloads. Additionally, the discussion will cover requests for new features as Linux filesystem syscalls and capabilities continue to evolve.
Coffee break
SMB3 POSIX Extensions in Samba, current status
Significant progress was made in 2024 toward completing the SMB3 Unix extension, particularly in handling special files and symlinks on the server side. This talk will provide an overview of the current state of SMB3 symlink implementation and highlight the remaining gaps for achieving a seamless Linux-to-Linux mount experience over SMB.
Panel Discussion
Program Committee
Chairman of the 24th samba eXPerience conference is Jeremy Allison – one of the founding members of the Samba Team.
The program of talks and other contributions is supervised by the program committee:
- Jeremy Allison, CIQ
- Stefan Kania, author
- Ralph Boehme, SerNet
Local Organizing Committee
The local organizing committee (LOC) is responsible for all activities during the conference:
- Ms. Friederike Rottmann, SerNet
- Mr. Dr. Johannes Loxen, SerNet
Do not hesitate to contact them via loc@sambaxp.org.
© OpenStreetMap-Mitwirkende. Tiles style by Humanitarian OpenStreetMap Team
Contact
sambaXP is organised by SerNet:
SerNet GmbH
Bahnhofsallee 1b
37081 Goettingen
Germany
phone: +49 551 370000-0
email: contact@sernet.de
Managing Directors: Dr. Johannes Loxen, Reinhild Jung
Datenschutzerklärung / data protection declaration
everything that matters sambaXP:
phone: +49 551 370000-0
e-mail: loc@sambaxp.org
