
Opening windows
sambaXP 2017

The SAMBA eXPerience 2017 will take place from May 2nd – 4th 2017. It will be the 16th international SAMBA conference for users and developers. Attendees will meet the SAMBA Team, discuss requirements and new features, and get an update on current developments. The conference is organized by SerNet.


Jeremy Allison
(Chairman of sambaXP)

Remembrance

The sambaXP 2017 is dedicated to the remembrance of Lars „Lieschen“ Müller, who passed away on October 1st 2016 at the age of 46. Lars Müller was a long term Samba Team member, a good friend of many people at SerNet and a diligent sambaXP participant. But first of all Lars was a brave, honest and modest person, never afraid of sharing his valuable opinions that always came with great self-irony and reflection. He will be missed and never forgotten.

Lars "Lieschen" Müller

Registration for sambaXP 2017


Conference program 2017

Creating a Samba 4 Active Directory with DDNS

This year I will show in my tutorial how to set up a Samba 4 Active Directory with two domain controllers. The DNS backend I will use is bind9. In addition we will install isc-dhcp-server to set up a DDNS, so that all clients get their IP configuration via a DHCP server and register their hostname and IP address dynamically in the forward and reverse zones. The isc-dhcp-server will be configured on both DCs, so that the DHCP service is fault-tolerant.

Topics:
  • Setting up a Debian server as first ADDC
  • Configuring bind9 as DNS backend
  • Setting up the DHCP server on the first ADDC
  • Configuring the second ADDC with bind9 DNS backend
  • Setting up the DHCP server as failover on the second DC
  • Configuring sysvol replication via rsync
  • Setting up a Debian client as domain member

Start of the sambaXP conference

Conference registration at Hotel FreizeitIn Göttingen

Welcome Note from SerNet

Chairman’s note

Keynote

Security Talk

Lunch

Remote Storage at Ultra-Low Latency

Persistent Memory is emerging as a standard feature of upcoming Server hardware platforms. In the form of NVDIMM, 3D Crosspoint (3DXP), and battery-optimized DRAM save/restore, it promises to offer terabytes of memory-class storage latencies. Embracing the benefits of this technology in SMB3 was the subject of my SambaXP talk last year, and much has happened since then. This year's talk will update the status of these efforts across the industry among platform, network and software sectors, and further motivate the benefits of Samba addressing it going forward.

Samba, quo vadis?

In the opening session to last year's Samba XP conference, Jeremy Allison stated that "the [Samba] project does need to consider the use of other, safer languages". This talk investigates a number of modern languages that would be contenders for use in the Samba project: Python 3, Rust, and Go. In order to realistically evaluate the usability of the respective languages, a network service is implemented that provides a Kerberos Key Distribution Center Proxy (KKDCP) protocol server. The KKDCP protocol is a method to allow clients to contact a Kerberos KDC server over the internet using a Kerberos message encapsulated in an HTTP(S) POST request to a KKDCP server which relays the request to an appropriate KDC. The KKDCP server then relays the KDC's response back to the client. The example project is to implement a KKDCP server using concurrent programming techniques, while following the respective language's standards regarding testing and documentation. The implementations in the different languages are then benchmarked for performance and compared regarding their ease of implementation. This talk will give a first look at contenders for a possible new language to write Samba code in.

t.b.a.

Samba and Python 3

About 7% of Samba's codebase is written in Python -- in Python 2, for which extended upstream support will end in 2020. We are working on patches to port Samba to Python 3 well before that date. We will explain why a backwards incompatible version of Python was created, highlight the major changes, and debunk some myths concerning Python 3, in relation to Samba and C developers. Also, we will discuss the porting strategy we chose for Samba, and compare it with other possible approaches and upstream recommendations.

Break

Pushing the Boundaries of SMB3: Status of the Linux kernel client and interoperability with Samba

With continued progress in the Linux kernel client (cifs.ko), interoperability has improved, and key SMB3 features such as per-share encryption and snapshots are now fully supported in the kernel client. The Linux kernel client also has dramatically improved performance of asynchronous I/O which enhances the speed of file transfers to Samba and other SMB3 servers. This paper will discuss the recent progress in the SMB3 kernel client for Linux and the state of interoperability with Samba and Windows servers.

CTDB remix – 1st movement – dreaming the fantasy

CTDB development has been fraught with many pitfalls owing to its organically evolved, monolithic code base. The only reasonable way forward seemed to be to split the code into multiple daemons to make the code manageable. After the addition of more than 30,000 lines of code creating new abstractions, separating protocol marshalling and re-implementing the client API, the dream of splitting CTDB daemon code seems closer than ever. The most important aspect of CTDB is the clustered database used by Samba. Today CTDB also does cluster management, IP failover and service management. These functions can be taken out and potentially be replaced with something else. This talk will present a new design that will be sculpted incrementally. Over the past few years, small bits of code have been split into separate helpers like the lock helper. The client API re-implementation has enabled us to split recovery and takeover helpers. The addition of new abstractions helped split code that is long-lived, like the event daemon. The next steps will be laying the foundations for the new design to emerge.

Libsmb2: A new smb2+ client. The why, what and how

Libsmb2 is a new userspace client implementation for SMB2 and later dialects. It aims to have low footprint, few dependencies and be easy to port across platforms. In this talk I will present the current state of libsmb2, the future roadmap and why I think the world needs yet another cifs client. This talk is aimed at application developers wanting to have built-in SMB support as well as developers that want to contribute to the library.

CTDB remix – 2nd movement – designing the reality

CTDB development has been fraught with many pitfalls owing to its organically evolved, monolithic code base. The only reasonable way forward seemed to be to split the code into multiple daemons to make the code manageable. After the addition of more than 30,000 lines of code creating new abstractions, separating protocol marshalling and re-implementing the client API, the dream of splitting CTDB daemon code seems closer than ever. There have been questions whether CTDB can be used with a 3rd party cluster manager such as etcd. Similar questions have been asked about integration with 3rd party high availability and load balancing tools. To achieve such integration, CTDB will move towards a set of loosely coupled, separate daemons for cluster management, failover and service management. Glue will be needed so that 3rd party tools can be integrated in a way that satisfies some simple assumptions that CTDB needs to make. Though some services, such as NFS Ganesha's lock management, introduce challenges to the loose coupling, this plan looks to be achievable. If we can get there then we can leave a slim clustered database to help achieve highly scalable clustered NAS in systems such as IBM's Spectrum Scale.

Break

winbind and trusted domains

With Samba 4.6 winbind has become significantly better in handling trusted domains. This talk will present the new implementation and will give an overview of what we are still missing. The main flaw of winbind's design is a dependency on enumerating trusted domains and potentially contacting trusted domain controllers. This is not possible in the general case. Some of the internal dependencies have been removed, work is ongoing in this area. Handling of completely unknown domains is also insufficient in both the Samba DC as well as winbind. The talk will present the current work in this area.

Samba at Scale: 100,000 user AD Domains

As Samba use grows, so does the use of Samba at large organizations. Recent performance work has taken Samba from a scale at around 10,000 - 20,000 objects to happily operating at the 100,000 object scale. Samba 4.5 and 4.6 bring significant improvement in our scale, to around 30,000 users, and this talk will look at how we got there, share some war stories along the way, and what we have done for Samba 4.7, where we expect to be at the 100,000 size and beyond. We will look at what worked, but also the 'obvious' things that should have helped, but actually didn't. For example, while many suggested replacing our database layer, one quite ambitious project (the OpenLDAP backend) never got beyond prototypes, and another (using LMDB) showed little advantage until the major overriding issues were first addressed. We will take a look at the tools we found most helpful - Linux perf and the FlameGraphs project in particular, and the issues they illuminated. For example, we found that no matter how much we might hope, using unlikely() still doesn't mean the branch is free! The talk will advocate for incremental, rather than fundamental rewrites of badly performing code, celebrate the victories so

Bringing thread-safety and fd-passing to socket-wrapper

socket_wrapper is a core component of Samba's self-test infrastructure that enables the emulation of complex network setups between local processes without the use of any OS-specific virtualization or containerization technique. It achieves that via library pre-loading, where we use a custom version of a library call for intercepting normal network calls and mimic the same over unix domain sockets. Now that socket_wrapper is increasingly used by other projects than just Samba, thread-safety has become a desired feature. Those multi-threaded use cases would require corresponding support in socket_wrapper so that various network calls are handled separately in individual thread contexts. On a related note, making socket_wrapper thread-safe is one of the main pieces of preparatory work for implementing fd-passing within socket_wrapper. The technique of fd-passing is very handy when two or more unrelated processes are in need of sharing open file descriptors between them over unix domain sockets. But the only big difference here is that we need to handle the real socket file descriptors, which becomes tricky in nature. Support for fd-passing in socket_wrapper will in turn help Samba to be capable of running SMB3 Multi-channel test scenarios effectively within its self-test suite. After going through the basics of socket_wrapper

Measuring Samba performance

To make Samba faster we need to understand why it is slow. To help with this we have developed tools that rest on top of the Samba self-test framework and Linux perf and tracing frameworks. Using a variety of munging and visualization scripts, we can see Samba performance changes across versions and under various workloads. These tools can be turned to any part of Samba, testing workloads of varying degrees of artifice, by writing new tests or borrowing existing ones from the self-test framework.

Social Event

Distributed Filesystem (DFS) in cifs.ko: what’s new and ideas for future improvements

The cifs kernel module recently got DFS (Distributed Filesystem) support for SMB2 and above. This talk will be a brief introduction to DFS and an overview of how cifs.ko works, what changes were needed for this new feature and finally what can be improved from there.

Global Catalog implementation in FreeIPA

FreeIPA supports forest trust to Active Directory with the help of Samba and a number of plugins to 389-ds directory server. Forest trust implementation in FreeIPA allows for efficient use of FreeIPA resources when the majority of users and groups are defined in Active Directory. It does not, however, allow users defined in FreeIPA to get access to Active Directory resources. In the talk I'll explain how implementation of a Global Catalog service in FreeIPA enables access to Windows-based environments for users defined in FreeIPA.

Samba KCC: Saying No to Full-Mesh Replication

With Samba 4.5, the new site-aware Samba Knowledge Consistency Checker (KCC) has been turned on by default. Instead of using full mesh replication between every DC, the KCC will set up connections to optimize replication latency and cost (using site links to calculate the routes). Although there is more effort required in establishing effective site topologies, it has enabled users to create larger and more distributed networks without any of the previous replication penalties. It has also meant that Samba AD can be aware of particular details of a network (such as satellite links or certain firewall restrictions) to ensure that information flows through the network in a reasonable way. The aim is to look at how sites in AD generally work, what role the KCC performs, and what implications this new feature has on a range of different networks.

Samba AD for the Enterprise

After several years of development Samba 4.7 will ship with Samba AD using MIT Kerberos for the KDC. This will make it possible for Enterprise distributions to provide packages and a secure AD environment. The talk will give some details why it took so long and show the features which will be available with the first release.

Break

Can we Fake a Failover?

Samba does not (yet) provide support for Continuous Availability. That is, Samba doesn't support Persistent Handles. Samba does, however, provide support for Durable Handles, which are designed to survive short network outages that disrupt the TCP connection between client and server. Samba also exposes Durable Handle support via the VFS layer. So... what if we could take that support for Durable Handles and turn it into something more? Can we use Durable Handles to survive a failover situation? Can we maintain Durable Handle state across a cluster, and move an IP address from a failed server node fast enough to fool the client? The Samba Team has a history of innovating within the tight confines of the SMB protocol. This presentation will explore the possibility, explain what could be done with such a feature, what needs to be done to make it work, and how that may inform further development of cluster support.

The Important Details Of Windows Authentication

This talk gives an overview of the authentication protocols implemented in Samba, e.g. Kerberos, NTLMSSP and Netlogon Secure Channel. What are the missing new pieces in Windows 2012 (R2) and 2016 Active Directory domains? The limitations the protocols give, especially with respect to trusts. The difference between the different trust types.

How to write a Samba VFS module

Writing a correct Samba VFS module has been more of a black art than a science. This talk, part tutorial, will cover the basics on getting started in writing a VFS module suitable for upstreaming into Samba, and how to keep it up to date as the Samba VFS evolves and changes.

Samba Group Policy for AD DC

Group Policy is an essential component of an AD DC. This presentation will discuss the design details of a GPO implementation started by a GSoC project. Future work will include better testing, more settings, such as Kerberos Policies, and GPO creation. It will also discuss the possibility of User policy application and reading various vendor GPO implementations.

Lunch

Playing with domains not the Windows way

SaMBa is a perfect example of the technical superiority of Free Software. With SaMBa, you have a fifth freedom, the one to serve your network better with less effort. We want to share with you our experience of how you can put to use the inner workings of SaMBa-AD to your best advantage, and how easy it is with SaMBa to merge domains, rename domains, modify domain objects, etc. Here Python and LDB are kings and queens. That's the server part of reorganizing your domain. Then there is the client part of reorganizing your domain: SID / profile migration, domain join, etc. That's why we want to show you SaMBa-AD's best companion, WAPT. WAPT is Robin when SaMBa is Batman. WAPT, developed by Tranquil IT Systems, is apt-get for Windows, a software deployment and configuration management tool for Windows platforms. SaMBa-AD, combined with the use of WAPT, gives superhero powers to system administrators to manage their domains and networks effectively.

Something must be done

...or how I learned to love perf. Analyzing and improving fileserver performance for small file copy workloads and directory enumeration in clustered Samba.

Is Samba 4 AD Ready for Global Enterprise?

Indeed has over 5,000 employees in over 20 offices on 5 continents and solely uses Samba for its Active Directory implementation. Samba serves all network authentication in all of our offices as well as our VPN. Numerous applications and 3rd party services have integrated naturally with Samba and its adoption at Indeed is growing. However, this was not always the case. Deploying Samba at scale has not been without its challenges! Our success story with Samba is deeply tied to the continued development by the Samba Team and the open source community. Starting as an intern project in 2013, a Samba 4.0.8 domain was provisioned as a test for domain logon and group policy. That success started a rapid rollout of Samba DCs which led us to encounter the performance problems of a fully meshed replication topology. KCC changes introduced in Samba 4.3 and furthered in 4.4 helped us scale the number of sites and DCs we could effectively support. As Indeed continued to grow, so did our database of users and groups. Despite being able to reduce the number of replication partners, the amount of time spent in replication with a single partner began to impact timely authentication. Tombstones, deleted

Performance analysis of Samba with Distributed File System

In this talk I would like to give an insight into the performance problems we encountered with Samba backed with Gluster (DFS), the bottlenecks we encountered, and some of the solutions that we adapted.

Break

Windows Search Protocol recap & update

An introduction/recap of the Windows Search Protocol and the work-in-progress Samba implementation. The talk will describe the current server implementation, outline some of the problems encountered and existing issues, and cover some of the features currently implemented. Additionally the talk will introduce the new client implementation.

New printing protocols in Samba

For a long time Samba's printing support remained relatively unchanged and was based on features that were present already since the release of Windows 2000. Just recently it became necessary to start adding more modern printing features to Samba as Windows clients start depending on them. The required changes include support for the "Print System Asynchronous Remote Protocol" (PAR). With the addition of this DCE/RPC protocol, Samba can then finally provide support for Printer Driver Packages including security signatures. The talk will discuss the interesting challenges we met while implementing the PAR protocol.

Break

SMB3 and Clustering – A discussion

Samba/CTDB has been providing clustered file services for over a decade. Microsoft introduced its own take on clustered file services via SMB3. To support Microsoft style clustered file services or cluster-aware clients, Samba needs to implement SMB3 features like persistent file handles, witness protocol etc. This talk invites Samba developers to a discussion on the following topics:
  • Failover in Samba/CTDB cluster versus Microsoft cluster
  • Witness support for cluster-aware clients
  • Persistent file handles in Clustered Samba

Panel Discussion

Program Committee

Chairman of the 16th samba eXPerience conference is Jeremy Allison – one of the founding members of the Samba Team.

The program of talks and other contributions is supervised by the program committee:

  • Jens-Peter Akelbein, University of Darmstadt
  • Jeremy Allison, Google
  • Stefan Kania, author
  • Sven Oehme, IBM
  • Thomas Pfenning, Microsoft
  • Karolin Seeger, SerNet

Local Organizing Committee

The local organizing committee (LOC) is responsible for all activities during the conference:

  • Ms. Dr. Chen-Yu Lin, SerNet
  • Mr. Dr. Johannes Loxen, SerNet

Do not hesitate to contact them via loc@sambaxp.org.

Venue

Hotel FREIZEIT IN

Dransfelder Straße 3
37079 Göttingen, Germany

Tel: +49 551 9001-0
Fax: +49 551 9001-100
E-Mail: info@freizeit-in.de


Contact

sambaXP is organized by SerNet:

SerNet GmbH
Bahnhofsallee 1b
37081 Goettingen
Germany

phone: +49 551 370000-0
email: contact@sernet.de

For everything concerning sambaXP:

phone: +49 551 370000-0
e-mail: loc@sambaxp.org