Opening windows
sambaXP 2018

The SAMBA eXPerience 2018 will take place from June 5th – 7th 2018 in Goettingen, Germany. It will be the 17th international SAMBA conference for users and developers. Attendees will meet the SAMBA Team, discuss requirements, new features and get an update on current developments. The conference is organized by SerNet.
 


Conference program 2018

Securing a Samba-Fileserver inside an Active Directory

Topics:

  1. Securing the operating system
    • deactivating unwanted IP Protocols
    • partitioning the system
    • mount options
    • securing ssh
    • testing system security with nmap
    • setting up a firewall
  2. Securing Samba
    • choosing the right distribution
    • choosing the right Samba version
    • disable NetBIOS
    • disable unwanted ports
    • filesystem security
    • creating shares
    • checking security with nmap

Start of the sambaXP conference

Conference registration at Hotel Freizeit In Göttingen 

Welcome Note from SerNet

Chairman’s note

Microsoft SMB – Looking Forward

Microsoft will present a look into the state of the SMB3 protocol and ongoing development, in Windows products and related services, especially as they relate to Samba. Many familiar themes will be recognized, but new and existing avenues of possible innovation will be explored. The long history of cooperation between Microsoft and Samba can continue and expand.

Samba and ChromeOS - the Start of a Beautiful Friendship

Learn how Samba is being used inside ChromeOS to integrate Chromebooks better into Active Directory environments.

Lunch

The workstation account, netlogon schannel and credentials

Establishing a trustworthy communication channel between a Samba domain member and an Active Directory Domain Controller is a multi-step process.

In 2017, the client code for this critical piece of code has seen some refactoring. This talk will describe this multi-step protocol in sufficient detail to understand the code required to implement it. It will show the subtleties that a multi-process and multi-node domain member implementation has to take care of when implementing this protocol in a scalable fashion.

SMB3.1.1 and beyond: Optimizing access from Linux to Samba and advanced SMB3.1.1 servers

With the recent improvements to the Linux kernel client, many advanced protocol features are available. This presentation will discuss the state of the Linux client, what features are available when mounting to Samba, what new features have been added in the last year, and how to configure it for optimal access.

Some of the exciting features that have been added recently include:
- RDMA support (SMB Direct)
- Much improved performance (including more efficient use of compounding to reduce network traffic)
- Improved metadata handling, enhanced SMB3 DFS support, and improved security (not just the upgrade of the default dialect, so CIFS is no longer requested by default).

In addition, the presentation will describe in which scenarios SMB3 mounts to Samba do particularly well, and in which cases SMB3 is less well suited.

A Distributed Filesystem Replication (DFS-R) client for Samba

DFS-R is a protocol that replicates folders between servers, and since Windows 2008, it is used to replicate the SYSVOL share among Active Directory Domain Controllers in multi-DC environments.

This talk will delve into the DFS-R protocol, will demonstrate a client-side implementation for Samba and finally will discuss alternatives to implement the server-side.

Implement SMB Direct for Linux SMB kernel client

Introduced in SMB 3.0 with Windows Server 2012, SMB Direct uses RDMA to transfer SMB packets over Infiniband, RoCE or iWARP.

This talk is going to give an in-depth tour on how SMB Direct is implemented in the Linux SMB kernel client. The following aspects of the implementation will be discussed:
1. Introduction to SMB Direct and RDMA
2. Linux kernel RDMA layer
3. Zero-copy and software stack by-pass
4. Kernel-mode fast memory registration
5. Optimization for interrupts and interaction with threads
6. Implication for page caches
7. Transparent transport error handling and recovery

SMB Direct is now an experimental feature in the Linux SMB client in the upstream kernel. We are going to discuss how to use it and look at benchmark data over Infiniband and iWARP, followed by a discussion of current limitations and future work.

Break

Service Layering - Integrating Samba with existing DNS infrastructure

In my network reliability philosophy, I distinguish between "basic" network services and "productive" network services, a basic network service being defined as one that serves as the basis (e.g. DHCP and DNS) for consumption of higher level services that possess actual production value (e.g. Samba). Basic network services are ideal candidates for running on specialized embedded devices to rule out service failures due to hard disk failures etc.

As an Active Directory encompasses not only LDAP and Kerberos but also DNS and there are funny things Microsoft does with DNS (dynamic updates, special SRV records to locate hosts etc.), running Samba as an Active Directory domain controller means running either the built-in DNS server or bind with a special DLZ plugin. dnsmasq integration had been discussed but seems to have been abandoned, not so much for technical reasons as for lack of real interest on both sides.

This however means that I would have to either rely on Samba's built-in DNS server, giving up my initially described separation between basic and productive network services, or on bind, which does not really lend itself to running on embedded devices and is also not necessarily an admin's best friend with its zone files and what not.

In this talk I want to discuss a usage scenario in which I take advantage of DNS delegations to get the best of both worlds, a basic DNS service with improved reliability and Samba's DNS server blending in just nicely.

Release the Kraken: Samba and Ceph

This presentation will look at the state of Ceph and Samba integration.
Following an overview of Ceph's distributed object store and filesystem architecture, this talk will cover current and future challenges, such as cross-protocol interoperability, scalability, performance and access control.

Custom Vendor Group Policy Extensions for Samba Clients

With the introduction of Group Policy for the Samba KDC in 4.8, Samba can now process and apply security and Kerberos policies. Policies for client machines will follow shortly, which will add the ability for vendors to implement custom Group Policy extensions. This talk will demonstrate how to implement custom Group Policy extensions. Custom extensions can be added for the KDC and client machines, while user policies will soon follow.

Unit testing and mocking in Samba development

The talk will cover the introduction of cmocka as a unit testing framework in Samba. It will give an overview of the features cmocka offers, how to write a simple unit test and how to integrate it into Samba. The talk will also explain mocking and show what you can do with it. It will give examples and include live, workshop-like hacking.

Break

Let's Rust in Samba

In my "Samba, quo vadis?" talk last year, I took three modern programming languages for a spin: Python 3, Go, and Rust. I did not manage to successfully implement the Kerberos Key Distribution Center Proxy in Rust due to some issues in the ASN1 libraries available at that time. Despite these issues, the security-minded systems programming approach made Rust the most popular language of the three.

As it is not feasible to rewrite all of Samba in a new programming language from scratch, an important feature is how easily modules written in Rust can be integrated into the Samba codebase. Rust's compile-time memory safety features are especially interesting for parsing incoming network packets. Writing a Rust-based parsing layer for Samba's internal DNS server seems like a good choice.

This talk will take a closer look at calling into Rust libraries using Rust's foreign function interface for a real-world use case within Samba.

Microsoft Windows Protocols – Active Support

Microsoft Support presents an opportunity to the Samba community. Beyond protocols documentation assistance, engagement with partners is essential for greater interoperability. We reflect on the decade-long cooperation between Microsoft and Samba. Protocols Support is omnipresent at plugfests, conferences, and interop labs. With the model of regular calls with Catalyst’s Samba AD team, we encourage Samba’s proactive engagement.

Patterns and anti-patterns in Samba development

Samba is a great project with a great history. This talk is about that history and the patterns of software development and inter-personal interaction that we have accumulated to date.

I'll look at which patterns are really good (some even ahead of their time) such as pre-commit CI and Code Review and which patterns there would be a case to change, such as rarely painting a bigger picture or roadmap.

As an engineer I'll look at tooling changes we could consider that reinforce the good practices that we like, and how we might change our process around other parts of our daily development.

Finally, I'll talk about taking a step back from development to write a Samba internals overview and what I learnt when trying to explain Samba to others.

Bringing thread-safety and fd-passing to socket-wrapper

socket_wrapper is a core component of Samba's self-test infrastructure that enables the emulation of complex network setups between local processes without the use of any OS-specific virtualization or containerization technique. It achieves that via library pre-loading, where a custom version of a library call intercepts normal network calls and mimics them over unix domain sockets. Now that socket_wrapper is increasingly used by projects other than Samba, thread-safety has become a desired feature. Those multi-threaded use cases require corresponding support in socket_wrapper so that various network calls are handled separately in individual thread contexts.

On a related note, making socket_wrapper thread-safe is one of the main pieces of preparatory work for implementing fd-passing within socket_wrapper. The technique of fd-passing is very handy when two or more unrelated processes need to share open file descriptors between them over unix domain sockets. The one big difference here is that we need to handle the real socket file descriptors, which is tricky. Support for fd-passing in socket_wrapper will in turn help Samba run SMB3 Multi-channel test scenarios effectively within its self-test suite.

After going through the basics of socket_wrapper, the talk will explain how thread safety is ensured and the various challenges involved in implementing it. It will then detail how the subsequent objective of making socket_wrapper perform fd-passing is achieved.

Social Event

The social event will take place in Hotel Freizeit In Orient-Lounge this time!

State of the SMB3 POSIX Extensions

Better supporting POSIX clients such as Linux, Unix, and Mac is critical for SMB3. The SMB3 POSIX Extensions have been proposed to address this in order to provide more optimal interoperability. We will discuss the state of the current (proposed) SMB3 POSIX extensions and their real world effect on Linux compatibility.

Performance analysis of Samba with Distributed File System

In this talk I would like to give an insight into the performance problems we encountered with Samba backed with Gluster (DFS), the bottlenecks we encountered, and some of the solutions that we adapted.

Trusts Status Update

Samba 4.8 got a lot of improvements regarding trusted domain support as an Active Directory domain controller. In addition, there are more important improvements planned for Samba 4.9. This presentation will explore the details of what is currently supported and what will be supported in the future.

Current state of Samba with glusterfs as seen by Performance QE

Glusterfs has evolved a great deal to handle Samba workloads, from the state it was in at earlier stages to how users are now using it. The workloads in question are large files, small files and metadata-intensive workloads, with multiple tunings like metadata caching, parallel readdirs and negative lookups. The talk will cover the performance Samba has achieved with multichannel and how other protocols compare with it.

Break

CTDB, you have changed!

For the last few years we have been foreshadowing major changes in CTDB. The ideas have gradually solidified, infrastructure has been built and changes were made behind the scenes. However, despite our good intentions and dreams, nothing really changed.

Until now!

Samba 4.9 will include a radically different CTDB. There will be well structured configuration, including a Samba-style ctdb.conf for daemons and related tools. Service management will be split out from the main daemon into a new component. Failover management, including connection tracking, will also be in a separate component. Although there will be separate components, they should make various concepts easier to understand. In some ways there will be a little less magic, with configuration items causing more obvious and direct effects.

Before SambaXP 2018 we will get at least this far, maybe further...

Cluster around the lectern at this presentation to be amazed by the current status and future plans... and to celebrate improvements!

Goodbye SWAT, welcome Cockpit? A view on how to improve Samba user experience

This talk will look into how usability of configuration of Samba can be improved using contemporary tools and together with other projects.
Samba configuration has long been a nightmare to understand and deploy. With more than four hundred options available in smb.conf configuration, users wanted tools to automate configuration management and easily understand a deployed configuration.

For several years Samba included a configuration portal, SWAT, which made it possible to approach configuration in a visual and structured way. Like many management tools, SWAT required root privileges to operate on Samba configuration and databases. SWAT was a web application and it proved to be a hard task to maintain security without being web development experts. Thus, it was removed from the Samba source tree.

Command line tools provided by Samba reduced the manageability gap for some tasks. One of the best-known utilities, net, can operate on the existing configuration for a variety of tasks but lacks the means to start a new deployment. With the release of the Samba AD domain controller, the samba-tool utility was born: samba-tool makes it simple to create new domain controllers, establish trust between domains and forests, and manage users and groups. The introduction of Samba AD features, at the same time, made the Samba Team responsible for explaining how to configure Kerberos KDC and DNS servers.

What can we do to improve Samba configuration and deployment user experience?

CTDB database vacuuming for geniuses!

CTDB has a special distributed database model which loses data in case of a failure. This lossy database model has been evolved to enable high-speed local access and to avoid the latency of a round-trip to CTDB. Maintaining such a distributed database has its own challenges.

CTDB database vacuuming handles deletion of records from a distributed database. It goes to the very core of the details of the distributed database model and some clever engineering. This talk will present the overview of the lossy distributed database model in CTDB and the magic behind database vacuuming.

smbcmp: a handy network capture diff tool for SMB traffic

While debugging client and server issues we often have to do captures of the "working" case and the "failing" case and look very hard at them to spot differences. But expanding and contracting fields in Wireshark with the mouse is tiring, especially if you do it on two windows for many packets... After painfully doing this for far too long I came up with this idea of a diff tool for network traces specially made for SMB traffic. The talk will hopefully include a debugging session demonstration featuring the tool.

Lunch

Global Samba4 AD Domain Tips and Tricks

Indeed continues to expand its Active Directory Domain exclusively with Samba, but not without some pitfalls along the way. Come join us for an informative presentation on administering a Samba4 AD at scale. We will discuss our configuration choices as well as the variety of monitoring tools we employ to keep Samba up and running smoothly.

LMDB for Samba: The real experience at scale

This talk will look at the LMDB database backend for LMDB, prototyped in 2016 by Jakub Hrozek.

In 2017 and 2018 Garming Sam and Gary Lockyer led an effort to bring this to production, scheduled for first release with Samba 4.9.

Attendees will learn the new scale that Samba's AD DC can be taken to, the limiting factors (both at the DB level and beyond) and what is next for very-large-scale Samba.

Break

Persistent handles: a dbwrap approach

This talk will present a new internal Samba database abstraction backend that combines the performance and durability properties of the existing volatile and persistent database models and an API that allows choosing the database model on a per-record basis. The talk will then describe the various required changes to the durable handles model in Samba to implement persistent handles atop of the new dbwrap backend.

SMB3 multichannel with Samba/CTDB and Gluster

Implementing SMB3 multichannel in a clustered Samba/CTDB environment comes with some extra challenges. While multichannel in Samba itself has been available as an experimental feature for some time already, the integration with Samba's HA component controlling assignment of IP addresses was still missing. In order to enable this network performance and availability enhancing feature we also needed to make multichannel work with oplock and lease break scenarios. This talk will discuss the obstacles we identified while working on the Samba implementation and will conclude with a demonstration of the code in place.

Samba AD, going up the ladder new challenges, new opportunities

Active Directory is at the heart of IT security. It manages users and machines, and it controls access to resources.
Since its first release in 2012, Samba-AD has grown from an "it does the job" system for free software enthusiasts to being a security cornerstone for some very large organisations.
Samba-AD is rapidly improving in performance, stability and security, driven by customer demand and Samba team's exceptional talent.
In this talk we'd like to outline the many security challenges Samba-AD has already overcome and the ones that we will have to face tomorrow.

Closing Session

Call for Papers and Deadlines

Please note the following deadlines concerning paper submission:

  • until February 28th, 2018: call for papers
  • until March 8th, 2018: notification of accepted talks

Preparations for the 2018 SAMBA eXPerience Conference are under way. SerNet and the SAMBA Team wish to receive submissions of interest and proposals for papers, presentations, and talks about SAMBA and the broader challenges of data management at the sambaXP 2018 conference.

There will be opportunity for technical talks, user reports, presentations, and technical papers. Preference is given to English language materials, although proposals in English for another language will be gladly considered.

Talks should last 45 minutes including discussion.

Paper registration and paper submission can be done online only via the registration form on this website. You may upload your presentation (any format, PDF or PostScript is preferred) together with the paper registration. After acceptance by the program committee your contribution will be published in a conference transcript as a handout.

Program Committee

The chairman of the 17th SAMBA eXPerience conference is Jeremy Allison – one of the founding members of the Samba Team.

The program of talks and other contributions is supervised by the program committee:

  • Jens-Peter Akelbein, University of Darmstadt
  • Jeremy Allison, Google
  • Stefan Kania, author
  • Sven Oehme, IBM
  • Thomas Pfenning, Microsoft
  • Karolin Seeger, SerNet

Local Organizing Committee

The local organizing committee (LOC) is responsible for all activities during the conference:

  • Ms. Dr. Chen-Yu Lin, SerNet
  • Mr. Dr. Johannes Loxen, SerNet

Do not hesitate to contact them via loc@remove-this.sambaxp.org.

Venue

Hotel FREIZEIT IN

Dransfelder Straße 3
37079 Göttingen, Germany

Tel: +49 551 9001-0
Fax: +49 551 9001-100
E-Mail: info@remove-this.freizeit-in.de

Contact

sambaXP is organized by SerNet:

SerNet GmbH
Bahnhofsallee 1b
37081 Goettingen
Germany

phone: +49 551 370000-0
email: contact@remove-this.sernet.de

For everything concerning sambaXP:

phone: +49 551 370000-0
e-mail: loc@remove-this.sambaxp.org