
Opening windows
sambaXP 2022 is online again

SambaXP has been the annual meeting of the international Samba team and its ecosystem of developers, users and vendors from all around the globe since 2002.

The 21st international conference around the open source software Samba will take place from 31st of May - 2nd of June 2022. Due to the current COVID-19 situation the organizing committee is again planning a digital edition of the popular conference for 2022. The conference itself is free of charge - please register below.

The conference will again be held via Zoom - open mic and video will allow the community to interact in a better way.

Speakers will give their presentations live from their desks and participants can follow the conference from anywhere in the world via the Internet. The event will be recorded and published with the consent of speakers.

Lectures are scheduled for the period from 3pm to 9pm German time (CEST).

The traditional tutorial by Stefan Kania will also be held as a webinar on the day before the conference (Tuesday, 31st May 2022). This year's topics: "Setting up GPOs with Samba & Disaster recovery of an Active Directory".

Please note: Due to scheduling changes, Microsoft's virtual SMB3 Interoperability Lab (IO Lab) will run on June 14 – June 16 2022, as part of the SNIA EMEA SMB3 IO Lab. We hope you take advantage of this opportunity to test your SMB3 implementation. The purpose of this IO Lab is for vendors to bring their implementations of SMB3 to test, identify, and fix bugs in a collaborative setting, with the goal of providing a forum in which companies can develop interoperable products. For any question or concern, please contact Hagit Galatzer at hagala@remove-this.microsoft.com.

Best regards - your sambaXP team at SerNet

 

Registration

Please note: During the registration process you will be asked for a password. If you enter a password there, you will create a personal XING account. If you don't want to create a personal account, please do not fill in this field. A XING account is not necessary for registration and participation.

The registration process of this conference is managed by XING Events, in particular ticket sales and payment handling. The purpose and scope of the data collection and the ongoing processing and use of data by XING Events as well as your rights in this regard and related setting options to protect your personal privacy are listed in the Privacy Policy of XING Events.

According to German law the place where the service is rendered is Goettingen, Germany; therefore value added tax must be paid under the German Added Tax Act (§ 3 a Abs. 2 Nr. 3 a Umsatzsteuergesetz).

Conference program 2022

Setting up GPOs with Samba & Disaster recovery of an Active Directory

This year's sambaXP tutorial covers two interesting topics at once:

Setting up GPOs with Samba

Using GPOs is a fundamental technique in the Windows world to manage access to resources or to configure systems. One of the main uses of GPOs is roaming profiles and folder redirection. Roaming profiles only make sense if you also use folder redirection. If you don't use it, the profiles become too big. The problem is: every time a user logs in to a Windows client the profile is loaded via the network, and when the user logs off, all profile data is sent via the network to the profile share. So redirection is very important. Samba can also configure the GPOs for roaming profiles and folder redirection.

In the first part we will create the GPOs and configure a Samba file server to store users' home directories and roaming profiles. We will also configure folder redirection and take a look at how Samba manages to store both user data and redirected data from the roaming profile.

In the second part we will see how Samba manages the Linux GPOs. Starting with Samba 4.14 it is possible to set up GPOs for Linux hosts. In this part of the topic we will configure the domain controller to handle the Linux GPOs and we will take a look at which GPOs you can set up. We then configure a Linux client to use the GPOs.

Disaster recovery of an Active Directory

Running an Active Directory with more than one domain controller protects you from a single point of failure. You should always have at least two domain controllers to store your objects and manage user authentication. But what will happen if the whole Active Directory crashes? Then you need not only a backup of your Active Directory database, you also need a strategy for how to recover your domain. We will take a look at what you need to back up to bring your domain up again. We will back up a running domain with “samba-tool” and recover the domain from the backup, up to the point that one domain controller is back online.

 

What do you need to join the tutorial?

  • PC (BYOD) with “VirtualBox” and “Vagrant” installed
  • A Windows VM to test the setup and running RSAT
  • Webcam and speaker with microphone for interaction

 

Please note:

You need at least a PC with 16GB RAM to install the setup. The Vagrant-file will create 3 Linux-Hosts and you also need to install a Windows-System.

If you don't have a Windows VM you can download an evaluation version from Microsoft: https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/. Download the VirtualBox version and import the VM into VirtualBox. It's a full-featured version valid for 40 days.

 

Training material:

You will get a handout including all steps to be able to recap independently after the tutorial.

All the Linux-systems will be prepared - You will get a “Vagrantfile” to set up all the Linux-VMs needed for the tutorial.

Welcome Note from SerNet

Chairman’s note

The SINK Report: Updates on Samba in Containers & Kubernetes

It’s time for your new sambaXP tradition - an update on our efforts to containerize Samba and run and manage it under Kubernetes with our Operator. This will include a brief recap of our goals, along with a summary of some of the new developments we have made since the last sambaXP, including but not limited to clustered Samba instances. We will also have a deeper discussion of our vision of how future containerized Samba versions might work and some of the potential benefits for the general Samba ecosystem.

Break

Symlink races for dummies and how to deal with them

Jeremy Allison wants to remove symlinks from Unix (see lwn.net/Articles/882177/). Until they are gone, we will live in the legacy world with symlinks for quite a while. Jeremy Allison and Ralph Böhme have rewritten Samba to make it safe from symlink races. Ralph Böhme presented most of this work last year at SambaXP under the cover of a general modernization of Samba's VFS.

This talk will be a sequel to Ralph's talk: Work is ongoing to build upon the rewrite of the VFS to utilize directory file descriptors in a lot more places than is done right now. This work is driven by the hope to express symlink-safety more explicitly in the Samba code using safe directory handles. If this turns out to be successful, Samba will become more resilient against symlink races, and future developments will find it easier to remain safe. It will also speed up Samba's path-based operations.

Kerberos/Authentication Updates in Samba

On the domain controller side we got a lot of updates recently:

  • Updated Heimdal
  • Working with the latest MIT Kerberos


On the member server side we fixed some critical bugs and have plans for future improvements in how a file server can avoid as much domain controller interaction as possible.

This talk will handle the following questions:

  • How does Samba plan to use Kerberos FAST?
  • How can you reliably change a machine password?
  • Why is it so important to behave as nearly identically as possible to a Windows server?

Break

Improvements to SMB3.1.1 and Linux: a year in review

Accessing files securely and efficiently matters. Over the past year many improvements have been made to the Linux kernel for accessing files remotely via SMB3.1.1, and it has been a great year for cifs.ko with the addition of new SMB3.1.1 features and optimizations. It continues to be the most active network/cluster file system on Linux. And now with the addition of a kernel server to Linux (ksmbd), there are multiple Linux server options (Samba and ksmbd).

Performance has improved through support for handle leases (deferred close), better multichannel optimization, and changes to read-ahead caching and to directory and metadata caching; signing has also been improved. Offline caching (fscache) has been rewritten and improved, support has been added for the Witness protocol (server notification about key events such as a server moving), and security has improved with support for the strongest encryption and, more recently, the exciting work on QUIC. This presentation will go through the features added over the past year to the Linux client (and kernel server) and demonstrate how they help common scenarios, from accessing the cloud (like Azure) to accessing Samba, Windows, Macs and the new Linux kernel server (ksmbd).

This presentation will go over what new SMB3 features for accessing files remotely from Linux have been added in the last year and also what SMB3.1.1 improvements are expected in the coming year to allow for more efficient access to remote files.
Improvements to testing, and improvements to commonly used configuration and mount options will also be described. An overview of the status of the Linux kernel server, ksmbd, will also be presented.

Certificate Auto Enrollment in Samba

This talk will discuss the addition of Certificate Auto Enrollment in Samba Group Policy, what it is and how to use it. Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services.
 

Break

Installing and running Samba on AIX

AIX is one of the commercial UNIX flavours which is still actively supported. Installing and running Samba on AIX can be challenging though. This talk is about how to set up and manage Samba on this platform.

Closing Remarks First Day

Welcome Note from SerNet

Kerberos

In November 2021 Samba and Microsoft, rather oddly, put out a security release on the same day. Not much was said, except 'patch, patch, patch'.

In this talk Andrew describes what that was all about, what we fixed and how, as well as celebrating an incredible cross-team effort supported with engineering from 5 different companies.

We also celebrate (so far) releasing that with few regressions and think about how we can advance the state of security in this area into the future.

The CTDB Report 2022

This is a report on the status of CTDB, similar to that presented at recent sambaXP conferences. As usual, this presentation will look back and summarise progress since the most recent presentation in 2020. It will also look forward and attempt to present a realistic path for further development.

The biggest recent change arrived in Samba 4.16. CTDB's recovery lock is now a cluster lock and, when enabled, a race for this lock is used in place of a traditional election. This avoids problems where an election would result in a new leader but this leader would be unable to take the lock. Reasons for this include races and cluster filesystem latency.

In the past we have presented grand plans, designs and frameworks. This year we will step back a bit and consider what is needed to realise a shiny new, maintainable CTDB.

Break

smbd, what's next?

This talk is going to give an overview of recent changes in the Samba fileserver and an outlook on the development roadmap. Recent development has been mainly focused on security resulting in the release of Samba 4.15 last year and a rewrite of the RPC server which will ship in the upcoming 4.16.

Looking forward, there are many things the Samba fileserver development team has on its todo list, and this presentation will give a first-hand insight into the making of the next Samba versions.

Afterlife with FIPS 140-3

At SambaXP 2021 we looked at how to get Samba working in environments where FIPS 140-2 compliance was required. With the RHEL 9 release, Samba and FreeIPA will have to work in environments compliant with FIPS 140-3 requirements.

The talk will describe our progress on making Samba and FreeIPA interoperable with Active Directory with those requirements in place.

Break

The UNIX Filesystem API is profoundly broken: What to do about it?

The UNIX Filesystem API is profoundly broken, and user-settable symbolic links are to blame. In this talk I will explain how CVE-2021-20316 made me realize that symbolic links, introduced in 4.2BSD Unix from U.C. Berkeley, broke the previously elegant UNIX filesystem API and filesystem design. The design and implementation of symlinks has caused years' worth of security flaws and API patches to fix a conceptually broken idea.

I also propose a modest suggestion in order to help Linux step away from this mess to a more secure by-design future!

tba

Panel Discussion

Program Committee

Chairman of the 21st samba eXPerience conference is Jeremy Allison – one of the founding members of the Samba Team.

The program of talks and other contributions is supervised by the program committee:

  • Jeremy Allison, Google
  • Stefan Kania, author
  • Ralph Boehme, SerNet

 

Local Organizing Committee

The local organizing committee (LOC) is responsible for all activities during the conference:

  • Ms. Nadine Dreymann, SerNet
  • Mr. Dr. Johannes Loxen, SerNet

Do not hesitate to contact them via loc@remove-this.sambaxp.org.

Contact

sambaXP is organised by SerNet:

SerNet GmbH
Bahnhofsallee 1b
37081 Goettingen
Germany

phone: +49 551 370000-0
email: contact@remove-this.sernet.de

Managing Directors: Dr. Johannes Loxen, Reinhild Jung
