SAMBA eXPerience archive

In our archive you will find impressions and information gathered at the past SAMBA eXPerience conferences:

  • talks as MP3 audio files
  • slides from the conference as PDF
  • talks as MP4 video files (NEW in 2020)

For the 2021 & 2022 recordings please have a look at our YouTube channel.

Conference program 2022

3:00 pm - 9:30 pm (CEST) Tutorial

Setting up GPOs with Samba & Disaster recovery of an Active Directory

This year's sambaXP tutorial covers two interesting topics at once:

Setting up GPOs with Samba

Using GPOs is a fundamental technique in the Windows-world to mange the access to resources or to configure systems. One of the main topics in using GPOs are roaming profiles and folder redirection. Roaming profiles makes only sense if you also use folder redirection. If you don't use them, the profiles become too big. The problem is: every time a user log in to a Windows-client the profile will be loaded via the network and if the user log off, all profile data will be send via network to the profile share. So redirection is very important. Samba can also configure the GPOs for roaming profiles and folder redirection.

In the first part we will create the GPOs and configure a Samba file server to store users home directory and roaming profiles. We will also configure folder redirection and take a look on how Samba mange to store both: user data and redirected data from the roaming profile.

In the second part we will see how Samba is managing the Linux-GPOs. Starting with Samba 4.14 it is possible to set up GPOs for Linux-hosts. In this part of the topic we will configure the domain controller to handle the Linux-GPOs and we will take a look which GPOs you can set up. We than configure a Linux-client to use the GPOs.

Disaster recovery of an Active Directory

Running an Active Directory with more than one domain controller will prevent you from a single point of failure. You should always have at least two domain controllers to store your objects and manage the user authentication. But what will happen if the whole Active Directory crashes? Then you need not only a backup of your Active Directors database, you also need a strategy how to recover your domain. We will take a look at what do you need to backup to bring your domain up again. We will backup from a running domain with “samba-tool” and recover the domain from the backup, up to the point that one domain controller will be back online.

 

What do you need to join the tutorial?

  • PC (BYOD) with “VirtualBox” and “Vagrant” installed
  • A Windows VM to test the setup and running RSAT
  • Webcam and speaker with microphone for interaction

 

Please note:

You need at least a PC with 16GB RAM to install the setup. The Vagrant-file will create 3 Linux-Hosts and you also need to install a Windows-System.

If you don't have a Windows-VM you can download an evaluation Version from Microsoft https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/ Download the VirtualBox version and import the VM to VirtualBox. It's a full featured version valid for 40 days.

 

Training material:

You will get a handout including all steps to be able to recap independently after the tutorial.

All the Linux-systems will be prepared - You will get a “Vagrantfile” to set up all the Linux-VMs needed for the tutorial.

Stefan Kania
3:00 pm - 3:15 pm (CEST)

Welcome Note from SerNet

Ralph Böhme
(SerNet / Samba Team)
3:15 pm -3:30 pm (CEST)

Chairman’s note

Jeremy Allison
(Google / Samba Team)
3:30 pm - 4:15 pm (CEST)

The SINK Report: Updates on Samba in Containers & Kubernetes

It’s time for your new sambaXP tradition - an update on our efforts to containerize Samba and run and manage it under Kubernetes with our Operator. This will include a brief recap of our goals, along with a summary of some of the new developments we have made since the last sambaXP, including but not limited to clustered Samba instances. We will also have a deeper discussion of our vision of how future containerized Samba versions might work and some of the potential benefits for the general Samba ecosystem.

Slides (PDF)

John Mulligan
(Red Hat)
4:15 pm - 4:30 pm (CEST)

Break

4:30 pm - 5:15 pm (CEST)

smbd, what's next?

This talk is going to give an overview of recent changes in the Samba fileserver and an outlook on the development roadmap. Recent development has been mainly focused on security resulting in the release of Samba 4.15 last year and a rewrite of the RPC server which will ship in the upcoming 4.16.

Looking forward there are many things the Samba fileserver development team has on its todo list and this presentetation will give a first-hand insight into the making of the next Samba versions.

Slides (PDF)

Ralph Böhme
(SerNet / Samba Team)
5:15 pm - 6:00 pm (CEST)

Kerberos/Authentication Updates in Samba

On the domain controller side we got a lot of updates recently:

  • Updated Heimdal
  • Working with the latest MIT Kerberos


On the member server side we fixed some critical bugs and have plans for future improvements how a file server can avoid as much domain controller interaction as possible.

This talk will handle the following questions:

  • How Samba plans to use Kerberos FAST?
  • How you can reliable change a machine password?
  • Why it is so important to behave as exactly identical as possible compared to a Windows server?

Slides (PDF)

Stefan Metzmacher
(SerNet / Samba Team)
6:00 pm - 6:15 pm (CEST)

Break

6:15 pm - 7:00 pm (CEST)

Improvements to SMB3.1.1 and Linux: a year in review

Accessing files securely and efficiently matters. Over the past year many improvements have been made to the Linux kernel for accessing files remotely via SMB3.1.1, and it has been a great year for cifs.ko with the addition of new SMB3.1.1 features and optimizations. It continues to be the most active network/cluster file system on Linux. And now with the addition of a kernel server to Linux (ksmbd), there are multiple Linux server options (Samba and ksmbd).

Improvements to performance have been made by adding support for handle leases (deferred close), better optimizing multichannel, and by changes to read ahead caching, and directory and metadata caching and also signing improvements have been made. Offline caching (fscache) has been rewritten and improved, and support for the Witness protocol (server notification about key events like server moving), and security has improved with support for the strongest encryption, and more recently the exciting work on QUIC. This presentation will go through the features added over the past year to the Linux client (and kernel server) and demonstrate how they help common scenarios, from accessing the cloud (like Azure) to accessing Samba, Windows, Macs and the new Linux kernel server (ksmbd).

This presentation will go over what new SMB3 features for accessing files remotely from Linux have been added in the last year and also what SMB3.1.1 improvements are expected in the coming year to allow for more efficient access to remote files.
Improvements to testing, and improvements to commonly used configuration and mount options will also be described. An overview of the status of the Linux kernel server, ksmbd, will also be presented.

Slides (PDF)

Steve French
(Microsoft / Samba Team)
7:00 pm - 7:45 pm (CEST)

Certificate Auto Enrollment in Samba

This talk will discuss the addition of Certificate Auto Enrollment in Samba Group Policy, what it is and how to use it. Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services.
 

Slides (PDF)

David Mulder
(SUSE / Samba Team)
7:45 pm - 8:00 pm (CEST)

Break

8:00 pm - 8:45 pm (CEST)

Installing and running Samba on AIX

AIX is one of the commercial UNIX flavours which is still actively supported. Installing and running Samba on AIX can be challenging though. This talk is about how to set up and manage Samba on this platform.

Slides (PDF)

Björn Jacke
(SerNet / Samba Team)
8:45 pm - 9:00 pm (CEST)

Closing Remarks First Day

Jeremy Allison
(Google / Samba Team)
3:00 pm - 3:15 pm (CEST)

Welcome Note from SerNet

Ralph Böhme
(SerNet / Samba Team)
3:15 pm - 4:00 pm (CEST)

Kerberos

In November 2021 Samba and Microsoft, rather oddly, put out a security release on the same day. Not much was said, except 'patch, patch, patch'.

In this talk Andrew describes what that was all about, what we fixed and how, as well as celebrating an incredible cross-team effort supported with engineering from 5 different companies.

We also celebrate (so far) releasing that with few regressions and think about how we can advance the state of security in this area into the future.

Slides (PDF)

Andrew Bartlett
(Catalyst / Samba Team)
4:00 pm - 4:45 pm (CEST)

The CTDB Report 2022

This is a report on the status of CTDB, similar to that presented at recent sambaXP conferences.  As usual, this presentation will look back
and summarise progress since the most recent presentation in 2020.  It will also look forward and attempt to present a realistic path for
further development.

The biggest recent change arrived in Samba 4.16.  CTDB's recovery lock is now a cluster lock and, when enabled, a race for this lock is used in place of a traditional election.  This avoids problems where an election would result in a new leader but this leader would be unable
to take the lock.  Reasons for this include races and cluster filesystem latency.

In the past we have presented grand plans, designs and frameworks. This year we will step back a bit and consider what is needed to
realise a shiny new, maintainable CTDB.

Slides (PDF)

Martin Schwenke
(DDN / Samba Team)
4:45 pm - 5:00 pm (CEST)

Break

5:00 pm - 5:45 pm (CEST)

Symlink races for dummies and how to deal with them

Jeremy Allison wants to remove symlinks from Unix (see https://lwn.net/Articles/882177/ ). Until they are gone, we will live in the legacy world with symlinks for quite a while. Jeremy Allison and Ralph Böhme have rewritten Samba to make it safe from symlink races. Ralph Böhme has presented most of this work last year at SambaXP under the covers of a general modernization of Samba's VFS.

This talk will be a sequel to Ralph's talk: Work is ongoing to build upon the rewrite of the VFS to utilize directory file descriptors in a lot more places than it is done right now. This work is driven by the hope to express symlink-safety more explicitly in the Samba code using safe directory handles. If this turns out to be successful, Samba will become more resilient against symlink races, future developments will have it easier to remain safe. Also, it will speed up Samba's path-based operations.

Slides (PDF)

Volker Lendecke
(SerNet / Samba Team)
5:45 pm - 6:45 pm (CEST)

Break

The planned talk from Alexander Bokovoy is unfortunately cancelled.

Instead of time adjustment of the following talks, we decide to add a longer break to avoid that attendees missing a scheduled talk due to last-minute changes in our agenda.

6:45 pm - 7:30 pm (CEST)

The UNIX Filesystem API is profoundly broken: What to do about it?

The UNIX Filesystem API is profoundly broken, and user-settable symbolic links are to blame. In this talk I will explain how CVE-2021-20316 made me realize that symbolic links are, introduced in 4.2BSD Unix from U.C. Berkeley, broke the previously elegant UNIX filesystem API and filesystem design. The design and implementation of symlinks has cause years worth of security flaws and API patches to fix a conceptually broken idea.

I also propose a modest suggestion in order to help Linux step away from this mess to a more secure by-design future!

Slides (PDF)

Jeremy Allison
(Google / Samba Team)
7:30 pm - 8:15 pm

Azure Files: "mount" the Cloud

Since 2015 Microsoft Azure has provided a completely managed SMB file server in the cloud.  Leveraging the Continuous Availability features of SMB3, the customer experience is an always available and reliable file share.  As we push to add the most demanded new features, the complexity and caution required to do this in a transparent and safe way presents fundamentally new kinds of challenges due to the scale of Azure's public cloud.
 
Azure Files is based on Azure tables and blobs under the hood, not a conventional file system -- let alone NTFS.  An overview of its architecture will be presented, with specific attention will be paid to those aspects that provide the seamless availability and reliability in spite of the constant din of hardware underneath it suffering failures and needing replacement.
 
An overview of recently added new feature will be used as a segue to delve into the engineering challenges of making significant changes and additions to underlying data schemas, and the code that manipulates it, while not disturbing access to those many petabytes of data, or breaking the semantics that applications depend on.

Slides (PDF)

David Goebel
(Microsoft)
8:15 pm - 8:45 pm (CEST)

Panel Discussion

Jeremy Allison
(Google / Samba Team)

Conference program 2021

3:00 pm - 9:30 pm (CEST) Tutorial

Setting up Samba as a printserver

If you have a lot of network printers in your environment it might be a good idea to set up a printserver with Samba4. Together with CUPS you are able to manage your printers for all your clients. For a Linux or MAC client you would only need CUPS, but as soon as you have Windows clients, CUPS is not enough, you need printer driver for all your printers to be installed on the clients.
If you are using Active Directory to manage all your users, groups and clients you can set up the printserver to share all printers to your Windows clients via GPOs. Not only connecting the printers via GPO but also installing the printer drivers for the printers on your Windows clients.

In this year's tutorial we will set up a printserver as part of an Active Directory and mange GPOs to connect the printers to the clients and install the drivers without user interaction.

What will we do?

1. Configure CUPS to share the printers inside your network.
2. Join the printserver into a Samba4 domain.
3. Set up the shares for spooling and printer drivers.
4. Install printer drivers.
5. Connect the printer with a driver.
6. Create a GPO to connect the printer to a client and install the driver
   without user interaction.
7. Handle unsigned drivers.

Because sambaXP will be an online event the tutorial will also be held online.

What do you need to join the tutorial?

  • PC with VirtualBox 6.x and Vagrant installed.
  • Webcam and a headset or speaker and microphone to ask questions.
  • To test the printserver you need a Windows-System that can be joined into the test domain. If you don't have a Windows-VM you can download an evaluation Version from Microsoft https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/ Download the VirtualBox version and import the VM to VirtualBox. It's a full featured version valid for 40 days.

Training material:
You will get a handout including all steps to be able to recap independently
after the tutorial. For setting up the systems you will get a Vagrant file to
install the Samba4 domain controller and the printserver.

Stefan Kania
6:00 pm -8:00 pm (CEST) Workshop

Integrate SAMBA+ AIX in an existing AD domain

This free two-hour workshop shows how to integrate SAMBA+ AIX in an existing AD domain.

The workshop will start with the installation and configuration of SAMBA+ AIX and will also cover integration in an existing Active Directory domain including ID mapping.

What do you need to join the workshop?

  • A headset or speaker and microphone to ask questions.
  • There are no further technical preparations needed.
Björn Jacke
(SerNet)
3:00 pm - 3:10 pm (CEST)

Welcome Note from SerNet

The one track session takes place in Track 1.

Karolin Seeger
(SerNet / Samba Team)
3:10 pm -3:30 pm (CEST)

Chairman’s note

The one track session takes place in Track 1.

Jeremy Allison
(Google / Samba Team)
3:30 pm - 4.15 pm (CEST)

Your Server Will Be With You Shortly

The one track session takes place in Track 1.

Google Chromebooks use Samba code for Active Directory integration. Making this work efficiently on global networks with many Active Directory servers is a challenge.

This talk will tell the story of how the Samba code was improved to reduce logon times from 10+ minutes to less than 1 minute in a large customer network.

Slides (PDF)

Jeremy Allison
(Google / Samba Team)
4:15 pm - 4:30 pm (CEST)

Break

You are entering the multi tracked conference right after the break. Please use different browser if you want to follow both sessions.

4:30 pm - 5:15 pm (CEST) Track 1

Google Summer of Code 2020 results: Samba AD DC Cockpit UI

Google Summer Of Code is a yearly event that allows university students to gain more experience and help Open Source projects to improve. In 2020 Samba Team was allocated
a single seat in the program. We chose to work on a modern web UI to samba-tool to allow
automation and easier access to command line tools.

The talk will go over our experience with GSoC 2020 and will show-case its result: a Samba AD DC plugin to Cockpit UI. Cockpit is a Web UI framework to manage Linux systems in a
browser.

Slides (PDF)

Alexander Bokovoy
(Red Hat / Samba Team)
4:30 pm - 5:15 pm (CEST) Track 2

Reverse engineering the Windows SMB server

The Windows SMB server doesn't offer any way to dump the cryptographic keys used for SMB encryption. This can be very annoying when you're trying to debug your client implementation or if you simply want to decrypt traffic in Wireshark. The server is
sadly closed-source and is implemented as a kernel module, which makes debugging it more challenging.

This talk will cover some of the architecture of the Windows SMB server, how to debug the
Windows kernel, and how we can write another module to dump those keys from the server memory. All from the perspective of a Linux developer relatively new to the world of
Windows development.

Slides (PDF)

Aurélien Aptel
(SUSE / Samba Team)
5:15 pm - 6:00 pm (CEST) Track 1

Samba command line user experience

To the newcomer, Samba's command line user interface appears to be a haphazard jumble of scripts and binaries with options and design principles that fade in and out of use according to some esoteric pattern.

With Samba 4.15 there will be a major rewrite of the command line parser for Samba client utilities coming. There will be the same design principle to every tool and the same options.

The talk will look into how we solved those issues and how we will avoid issues in future. Also we will look how options changed or have been simplified to make the tools easier to use by newcomers.

Will we get shell-completion one day?

Slides (PDF)

Andreas Schneider
(Red Hat / Samba Team)
5:15 pm - 6:00 pm (CEST) Track 2

Testing Testing Testing! Updates

Last year we introduced the GlusterFS-Samba integration testing environment, a CI environment allowing us to test Samba with a GlusterFS backend. Over the last year, we have used it to test nightly Samba and GlusterFS builds and have also expanded our test coverage and test environments.

In this update, we discuss changes to the project. We also go through some obscure bugs that the CI environment helped us discover in the Samba-GlusterFS installations as well as catching regressions due to changes introduced upstream. We also discuss future directions for the project.

Slides (PDF)

Sachin Prabhu
(Red Hat / Samba Team) Günther Deschner
(Red Hat / Samba Team)
6:00 pm - 6:15 pm (CEST)

Break

You are entering the multi tracked conference again right after the break. Please use different browser if you want to follow both sessions.

6:15 pm - 7:00 pm (CEST) Track 1

Group Policy Integration

Samba is a nice software for integration in AD domain but lots of administrators want to have full-featured Samba domain with nice graphical instruments to edit and apply policies and modify domain settings.

BaseALT company developed a set of instruments to solve the task of policy application and domain management: GPOA (gpupdate) to apply policies, libnss-role to implement nested groups, GPUI to edit policies and ADMC to work with Samba domain. This is open source
software which is partially based upon Samba source code. Our team proudly presents the result of the year of efforts spent on writing code and documentation, analyzing use cases and testing various deployment scenarios.

We spent lots of efforts on integration of Group Policy Templates with ALT Linux OS settings. There are many open source components developed in-house which present in ALT distribution making it suitable for domain integration as end-user workstation.

Slides (PDF)

Igor Chudov
(BaseALT) Evgeny Sinelnikov
(BaseALT)
6:15 pm - 7:00 pm (CEST) Track 2

Samba Multi-Channel/io_uring Status Update

Samba had experimental support for multi-channel for quite a while.
SMB3 has a few concepts to replay requests safely.
We now implement them completely (and in parts better than a Windows Server).

The talk will explain how we implemented the missing features.

With the increasing amount of network throughput, we'll reach a point where a data copies are too much for a single cpu core to handle.

This talk gives an overview about how the io_uring infrastructure of the Linux kernel could be used in order to avoid copying data, as well as spreading the load between cpu cores. A prototype for this exists and shows excellent results.

  • What the current implementation status is
  • How the proposed design looks like
  • How to improve performance

Slides (PDF)

Stefan Metzmacher
(SerNet / Samba Team)
7:00 pm - 7:45 pm (CEST) Track 1

Winbind Group Policy

Winbind can now seemlessly replace Vintela's proprietary Group Policy (VGP) for linux clients. These recent developments will be discussed, along with recently added samba-tool commands for administering these policies. Plans for future improvements and possible projects will be discussed.

Slides (PDF)

David Mulder
(SUSE / Samba Team)
7:00 pm - 7:45 pm (CEST) Track 2

Access control and ID mapping on the Linux SMB client

The SMB protocol was designed long after Unix was created, and as a result supported concepts like globally unique identities and rich ACLs that are in Windows, but not in Linux. User identity and access control are very relevant to the Linux SMB3 client, as it acts as a bridge between the world of Windows-like-filesystems (including the cloud) and the world of Linux filesystems, and has the hard task of translating security information from the more complex Samba and Windows world, to the simpler Linux/POSIX model.

There are three key problems:

  1. Id-mapping: Who the user is? And how does it map to the user that the server understands?
  2. Authentication: Can the user prove his/her identity?
  3. Access control: What permissions does the user have for this file?

This talk will discuss and demonstrate the different ways that the Linux client can be configured to map POSIX permissions (mode bits) to ACLs, and the implications of using these configurations. It will discuss the different authentication choices, especially how to leverage Samba’s winbind for easy to use and highly secure Kerberos authentication and key refresh. In addition it will discuss how to integrate with Samba’s winbind to map user identities (from the local Linux client’s UIDs to globally unique SIDs) and the various alternatives like “idsfromsid”.  Recent improvements in cifs-utils for managing ACLs and auditing information remotely will also be discussed, which can make managing Samba server easier in some cases.

Slides (PDF)

Shyam Prasad
(Microsoft)
7:45 pm - 8:00 pm (CEST)

Break

You are entering the multi tracked conference again right after the break. Please use different browser if you want to follow both sessions.

8:00 pm - 8:45 pm (CEST) Track 1

Troubleshooting clustered Samba in Enterprise environments

IBM Spectrum Scale is a software defined storage offering of a clustered file system bundled with other services. Samba is included as part of the product for providing a clustered SMB file server and integration into Active Directory environments. This product is commonly used in Enterprise IT environments.

Troubleshooting problems is an essential part of supporting customers. This talk will walk through Samba troubleshooting approaches that have proven useful over the years. It will explain how for this environment Samba is configured to provide logs and indications by default. Methods for collecting additional trace data are demonstrated and how to efficiently analyze these traces. Examples will be used to illustrate debugging problems from the trace data.

Slides (PDF)

Christof Schmitt
(IBM / Samba Team)
8:00 pm - 8:45 pm (CEST) Track 2

Join me offline!

Wide-scale virtual-machine deployments of Windows clients and servers make it difficult to adapt to the classic process of domain joining. Very often there is no connection to an AD domain controller. Sometimes a larger number of virtual machines needs to be joined without the vms even being started. And sometimes machines need to be joined in locations where there are no (writeable) domain controllers available at all. For all these scenarios the concept of Offline Domain Join has been developed and is part of the Windows operating systems for quite some time now. This concept allows to detach the machine account creation on AD from the modification of the machine that is joined. In addition to the machine account credentials Group Policies and Certificates can be deployed with the Offline Domain Join mechanism and tools as well. Samba now also can take part in this process. With the latest version, Samba can provision machine accounts for offline join in Active Directory (for both Windows and Samba clients) and process offline join state information on the local, disconnected machine (with state information either generated on Windows or using Samba). This feature enables scenarios where Samba servers are deployed ad-hoc in a containerized infrastructure such as Kubernetes.

Slides (PDF)

Günther Deschner
(Red Hat / Samba Team)
8:45 pm - 9:00 pm (CEST) Track 1

Experience running a clustered Samba gateway for CERNBox

This aims to be a short contribution to get introduced to the community and share our experience in providing CERN users with direct online access to their personal storage.

CERN, the European Organization for Nuclear Research, provides its large and diverse scientific users community with a on-premise sync and share storage platform dubbed CERNBox. The underlying storage, named EOS and developed in-house, can also be mounted on Linux, and recently on Windows as well, through a ctdb driven Samba cluster.

After introducing the CERNBox ecosystem, we will briefly describe the configuration of the cluster and its peculiarities given our environment, and go through some typical shortcomings of such a setup and how they were tackled. Further, we will mention a VFS plugin we have developed, in order to support the conversion of Windows permissions to our RichACL-based storage ACLs, and we will conclude with an outlook of the service in the coming months.

Slides (PDF)

Dr. Giuseppe Lo Presti
(CERN) Aritz Brosa Iartza
(CERN)
8:45 pm - 9:00 pm (CEST) Track 2

Zambezi SMB3 Offload Update

The Zambezi SMB3 Offload project was introduced at last year's sambaXP conference.  This brief talk will provide an update on the project, where it's heading, what development has stalled, and what new progress is being made.

Slides (PDF)

Chris Hertel
(Samba Team)
9:00 pm - 9:15 pm (CEST)

Closing Remarks First Day

The one track session takes place in Track 1.

Jeremy Allison
(Google / Samba Team)
3:10 pm - 3:15 pm (CEST)

Welcome Note from SerNet

The one track session takes place in Track 1.

Karolin Seeger
(SerNet / Samba Team)
3:15 pm - 4:00 pm (CEST) Track 1

How to fuzz Samba - Part I

Over the last two years, Samba has grown fuzzing infrastructure. This has found numerous bugs given us some reassurance about the robustness of some parts of the code.

Nevertheless, most of Samba is not fuzzed, and lib/fuzzing is just another isolated subsystem that hardly any developers understand. This talk wants to fix that, walking you through the steps to add a fuzzer to Samba, and how in general to make your code fuzzable.

Slides (PDF)

Douglas Bagnall
(Catalyst IT/ Samba Team)
3:15 pm - 4:00 pm (CEST) Track 2

cifsd (ksmbd) Status Update

cifsd(ksmbd) is a new SMB3 kernel server which implements server-side SMB3 protocol. Many changes and improvements have been made since cifsd(ksmbd) was introduced to earlier sambaXP 2019.

This talk will give ksmbd overview and the current status update.

Slides (PDF)

Namjae Jeon
(Samsung)
4:00 pm - 4:45 pm (CEST) Track 1

How to fuzz Samba - Part II

Over the last two years, Samba has grown fuzzing infrastructure. This has found numerous bugs given us some reassurance about the robustness of some parts of the code.

Nevertheless, most of Samba is not fuzzed, and lib/fuzzing is just another isolated subsystem that hardly any developers understand. This talk wants to fix that, walking you through the steps to add a fuzzer to Samba, and how in general to make your code fuzzable.

Douglas Bagnall
(Catalyst IT/ Samba Team)
4:00 pm - 4:45 pm (CEST) Track 2

The New VFS

The effort to modernize Samba's VFS interface has reached a major milestone with the next release Samba 4.14.

Starting with version 4.14 Samba provides core infrastructure code that allows basing all access to the server's filesystem on file handles and not on paths. An example of this is using fstat() instead of stat(), or SMB_VFS_FSTAT() instead of SMB_VFS_STAT() in Samba parlance.

Historically Samba's fileserver code had to deal a lot with processing path based SMB requests. While the SMB protocol itself has been streamlined to be purely handle based starting with SMB2, large parts of infrastructure code remains in
place that will "degrade" handle based SMB2 requests to path based filesystem access.

In order to fully leverage the handle based nature of the SMB2 protocol we came up with a straight forward way to convert this infrastructure code, so it can be converted to make use of a purely handle based VFS interface.

The talk will present what we have achieved so far and what is left to do. It's intented audience is anyone working on the Samba fileserver code and anyone working on Samba VFS modules.

Slides (PDF)

Ralph Böhme
(SerNet / Samba Team)
4:45 pm - 5:00 pm (CEST)

Break

You are entering the multi tracked conference again right after the break. Please use different browser if you want to follow both sessions.

5:00 pm - 5:45 pm (CEST) Track 1

Life without NTLM or how to trust in FIPS

With Samba 4.14, it is possible to operate Samba services in so-called "FIPS mode". "FIPS" relates to a set of U.S. government documents that define rules, regulations, and standards of handling information by computers and by people. One particular aspect of multiple FIPS documents is a regulation of allowed cryptography algorithms and methods to process information.

FIPS mode does not allow use of many old cryptography algorithms, including the one that is widely used in Active Directory and SMB protocol: RC4 cipher which is the core of NTLM authentication. When Samba runs in FIPS mode, no use of RC4 cipher beyond a secure channel established with the help of FIPS-approved crypto is possible.

The ability to run Samba in FIPS mode means its usage in governmental organizations has expanded. Lack of a RC4 cipher support means it is not possible to authenticate users with the help of a password in Samba. Only Kerberos authentication with AES ciphers is supported.

This talk is going to look at what is possible to achieve in FIPS mode for Samba and services using Samba. We also want to discuss how to improve the state of authentication in the SMB world.

Slides (PDF)

Alexander Bokovoy
(Red Hat / Samba Team) Andreas Schneider
(Red Hat / Samba Team)
5:00 pm - 5:45 pm (CEST) Track 2

Socket activation for Samba's RPC services

The classic Samba RPC services like srvsvc, winreg and wkssvc right now are implemented as part of the smbd binary and process.

This talk will give an overview of experiments to change this architecture: Instead of implementing RPC services by linking the server implementation into smbd, an idea is to implement them as separate binaries and separately executed process.

Red Hat has in the past implemented spoolss and other RPC services as separate processes, but the attempt this talk will present goes one step further: Instead of just forking the main smbd process perform RPC server services, a separate binary can be executed.

This talk will present the architecture of this thought experiment and demonstrate the current state of the code.

Slides (PDF)

Volker Lendecke
(SerNet / Samba Team)
5:45 pm - 6:30 pm (CEST) Track 1

Samba Operator - The Next Phase

At sambaXP 2020 an introduction to Kubernetes and Operators was presented along with a prototype operator for Samba. Starting around October of 2020, the development of the Samba Operator has picked up momentum. It’s gained a new approach to configuring Samba in a radically different, modern way: Instead of configuring a monolithic Samba server, the admin can concentrate on shares and let the operator take care of the server (or servers!). Several additional features have been added and the operator has grown it’s own little ecosystem.

We will present the current state of the operator, demonstrate some of its current capabilities, and discuss future improvements both in the Samba Operator code base as well as Samba itself.

Slides (PDF)

John Mulligan
(Red Hat) Michael Adam
(Red Hat / Samba Team)
5:45 pm - 6:30 pm (CEST) Track 2

SMB3 Improvements to Linux: Summary of client status

The Linux client continues to be the most active network/cluster filesystem on Linux over the past year, and the progress on Samba server and the Linux kernel server has helped make adding new features to the SMB3.1.1 client in Linux even more important.

It has been a great year for SMB with the addition of many security improvements, many performance improvements including to caching and RDMA (smbdirect) as well as dramatic improvements to multichannel. Support for the Witness protocol (allowing transparent movement to a different server) has been added, as well as the new more feature rich Linux mount API. In addition support for the final piece of the optional SMB 3.1.1 POSIX protocol extensions was completed. Tooling has been improved with many new features added to tools like smbinfo, and support for easily getting and setting more auditing and security information.

This presentation will go through some of the new features added to the Linux client over the past year, and demonstrate the great progress in access various types of network storage, including the cloud (e.g. Azure), Samba and the new Linux kernel server.

Slides (PDF)

Steve French
(Microsoft / Samba Team)
6:30 pm - 6:45 pm (CEST)

Break

You are entering the multi tracked conference again right after the break. Please use different browser if you want to follow both sessions.

6:45 pm - 7:30 pm (CEST) Track 1

SMB over QUIC – Files without VPN

The SMB3 protocol is broadly deployed in enterprise networks and contains strong protection to enable its use more broadly. However, historically port 445 is blocked and management of servers on TCP have been slow to emerge. SMB3 now is able to communicate over QUIC, a new internet standard transport which is being broadly adopted for web and other application access. In this talk, we will provided updated details on the SMB3 over QUIC protocol and explore the necessary ecosystem such as certificate provisioning, firewall and traffic management and enhancements to SMB server and client configuration.

Thomas Salemy
(Microsoft) Sudheer Dantuluri
(Microsoft)
6:45 pm - 7:30 pm (CEST) Track 2

How compliant is the Linux client?

A Deep Dive into testing the Linux client against Samba - to see which Linux APIs are supported, which POSIX features work and what still needs to be addressed

File systems in Linux are complex, having to support over a hundred system calls (far more than POSIX specified), and Linux continues to evolve, adding new file system features and system calls every year. How compliant is the Linux client when mounted to Samba or other common servers? What about if the SMB3.1.1 POSIX Extensions are used? What works now with and without the extensions?

This presentation will summarize what we have found out from analyzing results of the standard Linux file system functional test suite ("xfstests") as well as other Linux tests and customer problems - showing what we have fixed, what works to most servers now (and how to configure best for these), what types of applications require mounting with the SMB3.1.1 POSIX extensions to work, and also show what is missing in the protocol and how we might address these holes.

This is a great opportunity to discuss what minor extensions are needed to the protocol to enable even more Linux workloads over SMB. "xfstests," since they are run against every major Linux filesystem, has been invaluable in pointing out what we need to address in Samba and the Linux client as Linux file system requirements continue to evolve. This presentation will help understand what workloads work well today, and what we have to do for SMB3.1.1 protocol to optimally handle the ever broader set of Linux workloads in the future.

Slides (PDF)

Steve French
(Microsoft / Samba Team)
7:30 pm - 8:15 pm (CEST) Track 1

FreeNAS, TrueNAS, and Samba

This talk is a status update on TrueNAS and FreeNAS and Samba.

Andrew Walker
(iXsystems / Samba Team)
7:30 pm - 8:15 pm (CEST) Track 2

Inside your Samba security release

A look at what the Samba team does to make a new Samba security release, from the point of report to the packages or source users
install.

Following Samba Security Process but putting flesh on the bones to give a real idea of the behind-the-curtain effort and care taken to ensure that Samba security issues are addressed promptly, responsibly and carefully.

Slides (PDF)

Andrew Bartlett
(Catalyst / Samba Team)
8:15 pm - 8:45 pm (CEST)

Panel Discussion

The one track session takes place in Track 1.

Jeremy Allison
(Google / Samba Team)
54 hours from May 5th 3:00 pm (CEST) - May 7th 9:00 pm (CEST)

SMB Interoperability Lab

The SMB3 IO Lab is free and will run online from Wednesday, May 5th 2021 through Friday, May 7th 2021 with access to the online lab environment available 24 hours each day.

The purpose of this IO Lab is for vendors to bring their implementations of SMB3 to test, identify, and fix bugs in a collaborative setting with the goal of providing a forum in which companies can develop interoperable products.  The 2021 SMB3 IO Lab will be held online on Microsoft Teams, provided by Microsoft, using a virtual private network, creating a collaborative framework for testing.  The participants of the IO Lab work together to define the testing process, assuring that objectives are accomplished.

Is it worth it to attend the SMB3 IO Lab this year?

In a word, Yes! SMB is changing and here’s your opportunity to be the first to learn more about the new functionality, to get your questions answered by the experts, and to test it out.

For example, here’s a quick look at some of the new features that have recently been added to the SMB3 protocol:

  • SMB3 now is able to communicate over QUIC, a new internet standard transport which is being broadly adopted for web and other application access
  • Support for AES-GMAC authentication
  • Support for share compression
  • Support for encryption over RDMA

The IO Lab offers access to:

  • The latest Windows client and server software from Microsoft, including test suites that help verify interoperability on various features of SMB protocols
  • Technical support from SMB engineers to look at traces and help with diagnosing problems
  • IO Lab participants are covered by a non-disclosure agreement and access is restricted to registrants only (NDA will sent to you close to the start of the IO Lab)

If you are reluctant to participate because you feel that your SMB implementation is "not ready", you should still participate! The SMB Interoperability Lab is also a development opportunity, not just a testing opportunity. Implementations still in development are encouraged to participate.  It's a great opportunity to get help and learn from the experts!

This IO Lab is sponsored and featured by Microsoft.

Stay tuned for more information how participation will work.

Past Conferences

Looking for slides, audio files or pictures older than 2021? Please visit the directory preserving our old sambaXP archive and browse through the years.

 

sambaXP archive