Establishing a trustworthy communication channel between a Samba domain member and an Active Directory Domain Controller is a multi-step process.

In 2017, the client code for this critical piece of code has seen some refactoring. This talk will describe this multi-step protocol in sufficient detail to understand the code required to implement it. It will show the subtleties that a multi-process and multi-node domain member implementation has to take care of implementing this protocol in a scalable fashion.

With the recent improvements to the Linux kernel client, many advanced protocol features are available. This presentation will discuss the state of the Linux client, what features are available when mounting to Samba, what new features have been added in the last year, and how to configure it for optimal access.

Some of the exciting features that have been added recently include:
- RDMA support (SMB Direct)
- Much improved performance (including more efficient use of compounding to recent network traffic)
- Improved metadata handling, enhanced SMB3 DFS support, and improved security (not just the upgrade of the default dialect, so CIFS is no longer requested by default).

In addition, the presentation will describe in which scenarios SMB3 mounts to Samba do particularly well, and in which cases SMB3 is less well suited.

DFS-R is a protocol that replicates folders between servers, and since Windows 2008, it is used to replicate the SYSVOL share among Active Directory Domain Controllers in multi-DC environments.

This talk will delve into the DFS-R protocol, will demonstrate a client-side implementation for Samba and finally will discuss alternatives to implement the server-side.

Introduced in SMB 3.0 with Windows Server 2012, SMB Direct uses RDMA to transfer SMB packets over Infiniband, RoCE or iWARP.

This talk is going to give an in-depth tour on how SMB Direct is implemented in the Linux SMB kernel client. The following aspects of the implementation will be discussed:
1. Introduction to SMB Direct and RDMA
2. Linux kernel RDMA layer
3. Zero-copy and software stack by-pass
4. Kernel-mode fast memory registration
5. Optimization for interrupts and interaction with threads
6. Implication for page caches
7. Transparent transport error handling and recovery

SMB Direct is now an experimental feature in Linux SMB client in upstream kernel. We are going to discuss how to use it and look at benchmark data over Infiniband and iWARP. Followed by discussion on current limitations and future work.

In my network reliability philosophy, I distinguish between "basic" network services and "productive" network services, a basic network service being defined as one that serves as the basis (e.g. DHCP and DNS) for consumption of higher level services that possess actual production value (e.g. Samba). Basic network services are ideal candidates for running on specialized embedded devices to rule out service failures due to hard disk failures etc.

As an Active Directory encompasses not only LDAP and Kerberos but also DNS and there are funny things Microsoft does with DNS (dynamic updates, special SRV records to locate hosts etc.), running Samba as an Active Directory domain controller means running either the built-in DNS server or bind with a special DLZ plugin. dnsmasq integration had been discussed but seems to have been abandoned not so much for technical reasons than rather for lack of real interest on both sides.

This however means that I would have to either rely on Samba's built-in DNS server, giving up my initially described separation between basic and productive network services, or on bind, which does not really lend itself to running on embedded devices and is also not necessarily an admin's best friend with its zone files and what not.

In this talk I want to discuss a usage scenario in which I take advantage of DNS delegations to get the best of both worlds, a basic DNS service with improved reliability and Samba's DNS server blending in just nicely.

This presentation will look at the state of Ceph and Samba integration.
Following an overview of Ceph's distributed object store and filesystem architecture, this talk will cover current and future challenges, such as cross-protocol interoperability, scalability, performance and access control.

With the introduction of Group Policy for the Samba KDC in 4.8, Samba can now process and apply security and kerberos policies. Policies for client machines will follow shortly, which will add the ability for vendors to implement custom Group Policy extensions. This talk will demonstrate how to implement custom Group Policy extensions. Custom extensions can be added for the KDC and client machines, while user policies will soon follow.

The talk will cover the introduction of cmocka as a unit testing framework in Samba. It will give an overview about what features cmocka offers, how to write a simple unit test and integrate them in Samba. The talk will also explain mocking and show what you can do with it. It will give examples and live workshop like hacking.

In my "Samba, quo vadis?" talk last year, I took three modern programming languages for a spin: Python 3, Go, and Rust. I did not manage to successfully implement the Kerberos Key Distribution Center Proxy in Rust due to some issues in the ASN1 libraries available at that time. Despite these issues, the security-minded systems programming approach made Rust the most popular language of the three.

As it is not feasible to rewrite all of Samba in a new programming language from scratch, an important feature is how easily modules written in Rust can be integrated into the Samba codebase. Rust's compile-time memory safety features are especially interesting for parsing incoming network packages. Writing a Rust-based parsing layer for Samba's internal DNS server seems like a good choice.

This talk will take a closer look at calling into Rust libraries using Rust's foreign function interface for a real-world use case within Samba.

Microsoft Support presents an opportunity to Samba community. Beyond protocols documentation assistance, engagement with partners is essential for greater interoperability. We reflect on the decade-long cooperation between Microsoft and Samba. Protocols Support is omni-present at plugfests, conferences, and interop labs. With the model of regular calls with Catalyst’s Samba AD team, we encourage Samba’s proactive engagement.

Samba a great project with a great history. This talk is about that history and the patterns of software development and inter-personal interaction that we have accumulated to date.

I'll look at which patterns are really good (some even ahead of their time) such as pre-commit CI and Code Review and which patterns there would be a case to change, such as rarely painting a bigger picture or roadmap.

As an engineer I'll look at tooling changes we could consider, that re-enforce the good practices that we like, and how we might change our process around other parts of our daily development.

Finally, I'll talk about taking a step back from development to write a Samba internals overview and what I learnt when trying to explain Samba to others.

socket_wrapper is a core component of Samba's self-test infrastructure that enables the emulation of complex network setups between local processes without the use of any OS-specific virtualization or containerization technique. It achieves that via library pre-loading where we use a custom version of a library call for intercepting normal network calls and mimics the same over using unix domain sockets. Now that socket_wrapper is increasingly used by other projects than just Samba, thread-saftey has become a desired feature. Those multi-threaded use cases would require corresponding support in socket_wrapper so that various network calls are handled separately in individual thread contexts. On a related note making socket_wrapper thread-safe is one of the main preparatory work for implementing fd-passing within socket_wrapper. The technique of fd-passing is very handy when two or more unrelated processes are in need of sharing open file descriptors between them over unix domain sockets. But the only big difference here is that we need to handle the real socket file descriptors which becomes tricky in nature. Support for fd-passing in socket_wrapper will in turn help Samba to be capable of running SMB3 Multi-channel test scenarios effectively within its self-test suite. After going through the basics of socket_wrapper the talk will explain on how thread safety is being ensured and the various challenges involved in implementing the same. It will then detail on how the subsequent objective of making socket_wrapper perform fd-passing is achieved. 

Better supporting POSIX clients such as Linux, Unix, and Mac is critical for SMB3. The SMB3 POSIX Extensions have been proposed to address this in order to provide more optimal interoperability. We will discuss the state of the current (proposed) SMB3 POSIX extensions and their real world effect on Linux compatibility.

In this talk I would like to give an insight on the performance problems we encountered with Samba backed with Gluster (DFS), the bottlesnecks we encountered, some of the solutions that we adapted.

Samba 4.8 got a lot of improvements regarding trusted domain support as active directory domain controller. In addition there are more important improvements planned for Samba 4.9. This presentation will explore the details of what is currently supported and what will be supported in the future.

The glusterfs has evolved so much to handle the Samba workloads from the state it was in earlier stages and how the user is now using it. The workloads in question would be large files, small files and metadata intensive with multiple tunings like metadata-caching, parallel readdirs, negative lookups. The talk will comprise of the performance Samba has made with multi channeling and how other protocols are compared with it.

For the last few years we have been foreshadowing major changes in CTDB. The ideas have gradually solidified, infrastructure has been built and changes were made behind the scenes. However, despite our good intentions and dreams, nothing really changed.

Until now!

Samba 4.9 will include a radically different CTDB. There will be well structured configuration, including a Samba-style ctdb.conf for daemons and related tools. Service management will be split out from the main daemon into a new component. Failover management, including connection tracking, will also be in a separate component. Although there will be separate components, they should make various concepts easier to understand. In some ways there will be a little less magic, with configuration items causing more obvious and direct effects.

Before SambaXP 2018 we will get at least this far, maybe further...

Cluster around the lectern at this presentation to be amazed by the current status and future plans... and to celebrate improvements!

This talk will look into how usability of configuration of Samba can be improved using contemporary tools and together with other projects.
Samba configuration has long been a nightmare to understand and deploy. With more than four hundred options available in smb.conf configuration, users wanted tools to automate configuration management and easily understand a deployed configuration.

For several years Samba did include a configuration portal, SWAT, which allowed to approach configuration in a visual and structured way. As many management tools, SWAT required root privileges to operate on Samba configuration and databases. SWAT was a web application and it proved to be a hard task to maintain security without being web development experts. Thus, it was removed from the Samba source tree.

Command line tools provided by Samba allowed to reduce the manageability gap for some tasks. One of the most known utilities, net, allows to operate on the existing configuration for a variety of tasks but lacks means to start a new deployment. With release of Samba AD domain controller, samba-tool utility was born: samba-tool makes it simple to create new domain controllers, establish trust between domains and forests, and manage users and groups. Introduction of Samba AD features, at the same time, made Samba Team responsible to explain how to configure Kerberos KDC and DNS servers.

What can we do to improve Samba configuration and deployment user experience?

CTDB has a special distributed database model which loses data in case of a failure. This lossy database model has been evolved to enable high-speed local access and to avoid the latency of a round-trip to CTDB. Maintaining such a distributed database has it's own challenges.

CTDB database vacuuming handles deletion of records from a distributed database. It goes to the very core of the details of the distributed database model and some clever engineering. This talk will present the overview of the lossy distributed database model in CTDB and the magic behind database vacuuming.

While debugging client and server issues we often have to do captures of the "working" case and the "failing" case and look very hard at them to spot differences. But expanding and contracting fields in Wireshark with the mouse is tiring, especially if you do it on two windows for many packets... After painfully doing this for far too long I came up with this idea of a diff tool for network traces specially made for SMB traffic. The talk will hopefully include a debugging session demonstration featuring the tool.

Implementing SMB3 multichannel in a clustered Samba/CTDB environment comes with some extra challenges. While multichannel in Samba itself is available as an experimental feature for some time already, the integration with Samba's HA component controlling assignement of IP addresses was still missing. In order to enable this network performance and availability enhancing feature we also needed to make multichannel work with oplock and lease break scenarios. This call will discuss the obstacles we identified while working on the Samba implementation and will conclude with a demonstration of the code in place.

This talk will look at the LMDB database backed for LMDB, prototyped in 2016 by Jakub Hrozek.

In 2017 and 2018 a Garming Sam and Gary Lockyer led an effort to bring this to production, scheduled for first release with Samba 4.9.

Attendees will learn the new scale that Samba's AD DC can be taken to, the limiting factors (both at the DB level and beyond) and what is next for very-large-scale Samba.

This talk will present a new internal Samba database abstraction backend that combines the performance and durability properties of the existing volatile and persistent database models and an API that allows choosing the database model on a per-record basis. The talk will then describe the various required changes to the durable handles model in Samba to implement persistent handles atop of the new dbwrap backend.

Active Directory is at the heart of IT security. It manages users, machines and it controls access to ressources.
Since its first release in 2012, Samba-AD has grown from a "it does the job" system for free software enthousiasts to being a security cornerstone for some very large organisations.
Samba-AD is rapidly improving in performance, stability and security, driven by customer demand and Samba team's exceptional talent.
In this talk we'd like to outline the many security challenges Samba-AD has already overcome and the ones that we will have to face tomorrow.