Registration

Google Summer Of Code is a yearly event that allows university students to gain more experience and help Open Source projects to improve. In 2020 Samba Team was allocated
a single seat in the program. We chose to work on a modern web UI to samba-tool to allow
automation and easier access to command line tools.

The talk will go over our experience with GSoC 2020 and will show-case its result: a Samba AD DC plugin to Cockpit UI. Cockpit is a Web UI framework to manage Linux systems in a
browser.

The Windows SMB server doesn't offer any way to dump the cryptographic keys used for SMB encryption. This can be very annoying when you're trying to debug your client implementation or if you simply want to decrypt traffic in Wireshark. The server is
sadly closed-source and is implemented as a kernel module, which makes debugging it more challenging.

This talk will cover some of the architecture of the Windows SMB server, how to debug the
Windows kernel, and how we can write another module to dump those keys from the server memory. All from the perspective of a Linux developer relatively new to the world of
Windows development.

To the newcomer, Samba's command line user interface appears to be a haphazard jumble of scripts and binaries with options and design principles that fade in and out of use according to some esoteric pattern.

With Samba 4.15 there will be a major rewrite of the command line parser for Samba client utilities coming. There will be the same design principle to every tool and the same options.

The talk will look into how we solved those issues and how we will avoid issues in future. Also we will look how options changed or have been simplified to make the tools easier to use by newcomers.

Will we get shell-completion one day?

Samba had experimental support for multi-channel for quite a while.
SMB3 has a few concepts to replay requests safely.
We now implement them completely (and in parts better than a Windows Server).

The talk will explain how we implemented the missing features.

With the increasing amount of network throughput, we'll reach a point where a data copies are too much for a single cpu core to handle.

This talk gives an overview about how the io_uring infrastructure of the Linux kernel could be used in order to avoid copying data, as well as spreading the load between cpu cores. A prototype for this exists and shows excellent results.

• What the current implementation status is
• How the proposed design looks like
• How to improve performance

Winbind can now seemlessly replace Vintela's proprietary Group Policy (VGP) for linux clients. These recent developments will be discussed, along with recently added samba-tool commands for administering these policies. Plans for future improvements and possible projects will be discussed.

The SMB protocol was designed long after Unix was created, and as a result supported concepts like globally unique identities and rich ACLs that are in Windows, but not in Linux. User identity and access control are very relevant to the Linux SMB3 client, as it acts as a bridge between the world of Windows-like-filesystems (including the cloud) and the world of Linux filesystems, and has the hard task of translating security information from the more complex Samba and Windows world, to the simpler Linux/POSIX model.

There are three key problems:

1. Id-mapping: Who the user is? And how does it map to the user that the server understands?
2. Authentication: Can the user prove his/her identity?
3. Access control: What permissions does the user have for this file?

This talk will discuss and demonstrate the different ways that the Linux client can be configured to map POSIX permissions (mode bits) to ACLs, and the implications of using these configurations. It will discuss the different authentication choices, especially how to leverage Samba’s winbind for easy to use and highly secure Kerberos authentication and key refresh. In addition it will discuss how to integrate with Samba’s winbind to map user identities (from the local Linux client’s UIDs to globally unique SIDs) and the various alternatives like “idsfromsid”.  Recent improvements in cifs-utils for managing ACLs and auditing information remotely will also be discussed, which can make managing Samba server easier in some cases.

IBM Spectrum Scale is a software defined storage offering of a clustered file system bundled with other services. Samba is included as part of the product for providing a clustered SMB file server and integration into Active Directory environments. This product is commonly used in Enterprise IT environments.

Troubleshooting problems is an essential part of supporting customers. This talk will walk through Samba troubleshooting approaches that have proven useful over the years. It will explain how for this environment Samba is configured to provide logs and indications by default. Methods for collecting additional trace data are demonstrated and how to efficiently analyze these traces. Examples will be used to illustrate debugging problems from the trace data.

Wide-scale virtual-machine deployments of Windows clients and servers make it difficult to adapt to the classic process of domain joining. Very often there is no connection to an AD domain controller. Sometimes a larger number of virtual machines needs to be joined without the vms even being started. And sometimes machines need to be joined in locations where there are no (writeable) domain controllers available at all. For all these scenarios the concept of Offline Domain Join has been developed and is part of the Windows operating systems for quite some time now. This concept allows to detach the machine account creation on AD from the modification of the machine that is joined. In addition to the machine account credentials Group Policies and Certificates can be deployed with the Offline Domain Join mechanism and tools as well. Samba now also can take part in this process. With the latest version, Samba can provision machine accounts for offline join in Active Directory (for both Windows and Samba clients) and process offline join state information on the local, disconnected machine (with state information either generated on Windows or using Samba). This feature enables scenarios where Samba servers are deployed ad-hoc in a containerized infrastructure such as Kubernetes.

Over the last two years, Samba has grown fuzzing infrastructure. This has found numerous bugs given us some reassurance about the robustness of some parts of the code.

Nevertheless, most of Samba is not fuzzed, and lib/fuzzing is just another isolated subsystem that hardly any developers understand. This talk wants to fix that, walking you through the steps to add a fuzzer to Samba, and how in general to make your code fuzzable.

cifsd(ksmbd) is a new SMB3 kernel server which implements server-side SMB3 protocol. Many changes and improvements have been made since cifsd(ksmbd) was introduced to earlier sambaXP 2019.

This talk will give ksmbd overview and the current status update.

Over the last two years, Samba has grown fuzzing infrastructure. This has found numerous bugs given us some reassurance about the robustness of some parts of the code.

Nevertheless, most of Samba is not fuzzed, and lib/fuzzing is just another isolated subsystem that hardly any developers understand. This talk wants to fix that, walking you through the steps to add a fuzzer to Samba, and how in general to make your code fuzzable.

The effort to modernize Samba's VFS interface has reached a major milestone with the next release Samba 4.14.

Starting with version 4.14 Samba provides core infrastructure code that allows basing all access to the server's filesystem on file handles and not on paths. An example of this is using fstat() instead of stat(), or SMB_VFS_FSTAT() instead of SMB_VFS_STAT() in Samba parlance.

Historically Samba's fileserver code had to deal a lot with processing path based SMB requests. While the SMB protocol itself has been streamlined to be purely handle based starting with SMB2, large parts of infrastructure code remains in
place that will "degrade" handle based SMB2 requests to path based filesystem access.

In order to fully leverage the handle based nature of the SMB2 protocol we came up with a straight forward way to convert this infrastructure code, so it can be converted to make use of a purely handle based VFS interface.

The talk will present what we have achieved so far and what is left to do. It's intented audience is anyone working on the Samba fileserver code and anyone working on Samba VFS modules.

The classic Samba RPC services like srvsvc, winreg and wkssvc right now are implemented as part of the smbd binary and process.

This talk will give an overview of experiments to change this architecture: Instead of implementing RPC services by linking the server implementation into smbd, an idea is to implement them as separate binaries and separately executed process.

Red Hat has in the past implemented spoolss and other RPC services as separate processes, but the attempt this talk will present goes one step further: Instead of just forking the main smbd process perform RPC server services, a separate binary can be executed.

This talk will present the architecture of this thought experiment and demonstrate the current state of the code.

The Linux client continues to be the most active network/cluster filesystem on Linux over the past year, and the progress on Samba server and the Linux kernel server has helped make adding new features to the SMB3.1.1 client in Linux even more important.

It has been a great year for SMB with the addition of many security improvements, many performance improvements including to caching and RDMA (smbdirect) as well as dramatic improvements to multichannel. Support for the Witness protocol (allowing transparent movement to a different server) has been added, as well as the new more feature rich Linux mount API. In addition support for the final piece of the optional SMB 3.1.1 POSIX protocol extensions was completed. Tooling has been improved with many new features added to tools like smbinfo, and support for easily getting and setting more auditing and security information.

This presentation will go through some of the new features added to the Linux client over the past year, and demonstrate the great progress in access various types of network storage, including the cloud (e.g. Azure), Samba and the new Linux kernel server.

A Deep Dive into testing the Linux client against Samba - to see which Linux APIs are supported, which POSIX features work and what still needs to be addressed

File systems in Linux are complex, having to support over a hundred system calls (far more than POSIX specified), and Linux continues to evolve, adding new file system features and system calls every year. How compliant is the Linux client when mounted to Samba or other common servers? What about if the SMB3.1.1 POSIX Extensions are used? What works now with and without the extensions?

This presentation will summarize what we have found out from analyzing results of the standard Linux file system functional test suite ("xfstests") as well as other Linux tests and customer problems - showing what we have fixed, what works to most servers now (and how to configure best for these), what types of applications require mounting with the SMB3.1.1 POSIX extensions to work, and also show what is missing in the protocol and how we might address these holes.

This is a great opportunity to discuss what minor extensions are needed to the protocol to enable even more Linux workloads over SMB. "xfstests," since they are run against every major Linux filesystem, has been invaluable in pointing out what we need to address in Samba and the Linux client as Linux file system requirements continue to evolve. This presentation will help understand what workloads work well today, and what we have to do for SMB3.1.1 protocol to optimally handle the ever broader set of Linux workloads in the future.