SAMBA eXPerience archive

In our archive you will find impressions and information gathered at the past SAMBA eXPerience conferences:

  • talks as MP3 audio files
  • slides from the conference as PDF
  • pictures in JPG format

Conference program 2017

Creating a Samba 4 Active Directory with DDNS

This year I will show in my tutorial how to setup a Samba 4 Active Directory with two Domaincontrollers. The DNS-Backend I will use is bind9. In addition we will install isc-dhcp-server to set up a DDNS, so that all clients get the IP-configuration via a dhcp-Server and register there hostname and IP-address dynamically to the forward- and reverse-zone. The ic-dhcp-server will be configured on both DCs, so that the DHCP-Service is fault-tolerant. Topics: - Setting up a Debian Server as first ADDC - Configure bind9 as DNS-backend - Setting up the DHCP-server on the first ADDC - Configuring the second ADDC with bind9 DNS-backend - Setting up the DHCP-server als failover on the seconf DC - configure sysvol-replication via rsync - setting up a debian-client as Domainmember                                                                 

Start of the sambaXP conference

Conference registration at Hotel FreizeitIn Göttingen 

Welcome Note from SerNet

Chairman’s note

Keynote:Samba/Microsoft alignment:possible future directions

Samba has always had an important place in Microsoft’s customer ecosystem, and over time the growing importance of cloud computing, multivendor applications and multiplatform convergence bring Samba and Microsoft even closer. A number of Samba-related efforts are underway at Microsoft, spanning cloud services, high performance file sharing, and potentially growing into opportunities for advanced low-latency remote storage through networked persistent memory. This talk will explore ones the speaker finds most relevant and most exciting, and encourage focused thinking of how the Samba project and Microsoft can continue to engage in future ubiquitous high performance remote storage.

Slides (PDF)

Fixing a mess: Symlinks and security

Recently a security bug was fixed in Samba that had its origin in the very design of Samba and POSIX itself. This talk will discuss what the problem was, how it was addressed, and how to avoid such problems in the future when creating SMB3 UNIX extensions.

Slides (PDF)


Pushing the Boundaries of SMB3: Status of the Linux kernel client and interoperability with Samba

With continued progress in the Linux kernel client (cifs.ko), interoperability has improved, and key SMB3 features such as per-share encryption and snapshots are now fully supported in the kernel client. The Linux kernel client also has dramatically improved performance of asynchronous I/O which enhances the speed of file transfers to Samba and other SMB3 servers. This paper will discuss the recent progress in the SMB3 kernel client for Linux and the state of interoperability with Samba and Windows servers.

Audio (MP3)

Slides (PDF)

Samba, quo vadis?

In the opening session to last year's Samba XP conference, Jeremy Allison stated that "the [Samba] project does need to consider the use of other, safer languages". This talk investigates a number of modern languages that would be contenders for use in the Samba project: Python 3, Rust, and Go. In order to realistically evaluate the usability of the respective languages, a network service is implemented that provides a Kerberos Key Distribution Center Proxy (KKDCP) protocol server. The KKDCP protocol is a method to allow clients to contact a Kerberos KDC server over the internet using a Kerberos message encapsulated in an HTTP(S) POST request to a KKDCP server which relays the request to an appropriate KDC. The KKDCP server then relays the KDC's response back to the client. The example project is to implement a KKDCP server using concurrent programming techniques, while following the respective language's standards regarding testing and documentation. The implementations in the different languages are then benchmarked for performance and compared regarding their ease of implementation. This talk will give a first look at contenders for a possible new language to write Samba code in.

Slides (PDF)

Windows Search Protocol recap & update

An introduction/recap of the windows search protocol and the work in progress samba implementation. The talk will describe the current server implementation, outline some of the problems encountered and existing issues and some of the features currently implemented. Additionally the talk will introduce the new client implementation.

Audio (MP3)

Slides (PDF)

Samba and Python 3

About 7% of Samba's codebase is written in Python -- in Python 2, for which extended upstream support will end in 2020. We are working on patches to port Samba to Python 3 well before that date. We will explain why a backwards incompatible version of Python was created, highlight the major changes, and debunk some myths concerning Python 3, in relation to Samba and C developers. Also, we will discuss the porting strategy we chose for Samba, and compare it with other possible approaches and upstream recommendations.


Something must be done

...or how I learned to love perf. Analyzing and improving fileserver performance for small file copy workloads and directory enumeration in clustered Samba.

CTDB remix – 1st movement – dreaming the fantasy

CTDB development has been fraught with many pitfalls owing to its organically evolved, monolithic code base. The only reasonable way forward seemed to split the code into multiple daemons to make the code manageable. After addition of more than 30,000 lines of code creating new abstractions, separating protocol marshalling and re-implementing the client API, the dream of splitting CTDB daemon code seems closer than ever. The most important aspect of CTDB is the clustered database used by Samba. Today CTDB also does cluster management, IP failover and service management. These functions can be taken out and potentially be replaced with something else. This talk will present a new design that will be sculpted incrementally. Over past few years, small bits of code have been split into separate helpers like the lock helper. The client API re-implementation has enabled us to split recovery and takeover helpers. Addition of new abstractions helped split code that is long-lived like the event daemon. The next steps will be laying the foundations for the new design to emerge.

Measuring Samba performance

To make Samba faster we need to understand why it is slow. To help with this we have developed tools that rest on top of the Samba self-test framework and Linux perf and tracing frameworks. Using a variety of munging and visualization scripts, we can see Samba performance changes across versions and under various workloads. These tools can be turned to any part of Samba, testing workloads of varying degrees of artifice, by writing new tests or borrowing existing ones from the self-test framework.

CTDB remix – 2nd movement – designing the reality

CTDB development has been fraught with many pitfalls owing to its organically evolved, monolithic code base. The only reasonable way forward seemed to split the code into multiple daemons to make the code manageable. After addition of more than 30,000 lines of code creating new abstractions, separating protocol marshalling and re-implementing the client API, the dream of splitting CTDB daemon code seems closer than ever. There have been questions whether CTDB can be used with a 3rd party cluster manager such as etcd. Similar questions have been asked about integration with 3rd party high availability and load balancing tools. To achieve such integration, CTDB will move towards a set of loosely coupled, separate deamons for cluster management, failover and service management. Glue will be needed so that 3rd party tools can be integrated in a way that satisfies some simple assumptions that CTDB needs to make. Though some services, such as NFS Ganesha's lock management, introduce challenges to the loose coupling, this plan looks to be achievable. If we can get there then we can leave a slim clustered database to help achieve highly scalable clustered Samba.


New printing protocols in Samba

For a long time Samba's printing support remained relatively unchanged and was based on features that were present already since the release of Windows 2000. Just recently it became necessary to start adding more modern printing features to Samba as Windows clients start depending on them. The required changes include support for the "Print System Asynchronous Remote Protocol" (PAR). With the addition of this DCE/RPC protocol, Samba can then finally provide support for Printer Driver Packages including security signatures. The talk will discuss the interesting challenges we met while implementing the PAR protocol.

Samba at Scale: 100,000 user AD Domains

As Samba use grows, so does the use of Samba at large organizations. Recent performance work has taken Samba from a scale at around 10,000 - 20,000 objects to happily operating at the 100,000 object scale. Samba 4.5 and 4.6 brings significant improvement in our scale, to around 30,000 users, and this talk will look at how we got there, share some war stories along the way, and what have done for Samba 4.7, where we expect to be at the 100,000 size and beyond. We will look at what worked, but also the 'obvious' things that should have helped, but actually didn't. For example, while many suggested replacing our database layer, one quite ambitious project (the OpenLDAP backend) never got beyond prototypes, and another (using LMDB) showed little advantage until the major overriding issues were first addressed. We will take a look at the tools we found most helpful - linux perf and the FlameGraphs project in particular, and the issues they illuminated. For example, we found that no matter how much we might hope, using unlikely() still doesn't mean the branch is free! The talk will advocate for incremental, rather than fundmental rewrites of badly performing code, celebrate the victories so

Social Event

Distributed Filesystem (DFS) in cifs.ko: what’s new and ideas for future improvements

The cifs kernel module recently got DFS (Distributed Filesystem) support for SMB2 and above. This talk will be brief introduction to DFS and overview of how cifs.ko works, what changes were needed for this new feature and finally what can be improved from there.

Global Catalog implementation in FreeIPA

FreeIPA supports forest trust to Active Directory with the help of Samba and a number of plugins to 389-ds directory server. Forest trust implementation in FreeIPA allows for efficient use of FreeIPA resources when majority of users and groups are defined in Active Directory. It does not allow, however, to get access to Active Directory resources to users defined in FreeIPA. In the talk I'll explain how implementation of a Global Catalog service in FreeIPA enables access to Windows-based environments for users defined in FreeIPA.

Samba KCC: Saying No to Full-Mesh Replication

With Samba 4.5, the new site-aware Samba Knowledge Consistency Checker (KCC) has been turned on by default. Instead of using full mesh replication between every DC, the KCC will set up connections to optimize replication latency and cost (using site links to calculate the routes). Although there is more effort required in establishing effective site topologies, it has enabled users to create larger and more distributed networks without any of the previous replication penalties. It has also meant that Samba AD can be aware of particular details of a network (such as satellite links or certain firewall restrictions) to ensure that information flows through the network in a reasonable way. The aim is to look at how sites in AD generally work, what role the KCC performs, and what implications this new feature has on a range of different networks.

Samba AD for the Enterprise

After several years of development Samba 4.7 will ship with Samba AD using MIT Kerberos for the KDC. This will make it possible for Enterprise distributions to provide packages and a secure AD environment. The talk will give some details why it took so long and show the features which will be available with the first release.


Can we Fake a Failover?

Samba does not (yet) provide support for Continuous Availability. That is, Samba doesn't support Persistent Handles. Samba does, however, provide support for Durable Handles, which are designed to survive short network outages that disrupt the TCP connection between client and server. Samba also exposes Durable Handle support via the VFS layer. So... what if we could take that support for Durable Handles and turn it into something more? Can we use Durable Handles to survive a failover situation? Can we maintain Durable Handle state across a cluster, and move an IP address from a failed server node fast enough to fool the client? The Samba Team has a history of innovating with the tight confines of the SMB protocol. This presentation will explore the possibility, explain what could be done with such a feature, what needs to be done to make it work, and how that may inform further development of cluster support.

The Important Details Of Windows Authentication

This talk gives an overview about the authentication protocols implemented in Samba, e.g. Kerberos, NTLMSSP and Netlogon Secure Channel. What are the missing new pieces in Windows 2012(R2) and 2016 active directory domains. The limitations the protocols give, especially in respect to trusts. The difference between the different trust types.

How to write a Samba VFS module

Writing a correct Samba VFS module has been more of a black art than a science. This talk, part tutorial, will cover the basics on getting started in writing a VFS module suitable for upstreaming into Samba, and how to keep it up to date as the Samba VFS evolves and changes.

Samba Group Policy for AD DC

Group Policy is an essential component of an AD DC. This presentation will discuss the design details of a GPO implementation started by a GSoC project. Future work will include better testing, more settings, such as Kerberos Policies, and GPO creation. Will also discuss the possibility of User policy application and reading various vendor GPO implementations.


Is Samba 4 AD Ready for Global Enterprise?

Indeed has over 5,000 employees in over 20 offices on 5 continents and solely uses Samba for its Active Directory implementation. Samba serves all network authentication in all of our offices as well as our VPN. Numerous applications and 3rd party services have integrated naturally with Samba and it's adoption at Inded is growing. However, this was not always the case. Deploying Samba at scale has not been without its challenges! Our success story with Samba is deeply tied to the continued development by the Samba Team and the open source community. Starting as an intern project in 2013, a Samba 4.0.8 domain was provisioned as a test for domain logon and group policy. That success started a rapid rollout of Samba DCs which lead us to encountering the performance problems of a fully meshed replication topology. KCC changes introduced in Samba 4.3 and furthered in 4.4 helped us scale the number of sites and DCs we could effectively support. As Indeed continued to grow, so did our database of users and groups. Despite being able to reduce the number of replication partners, the amount of time spent in replication with a single partner began to impact timely authentication. Tombstones, deleted

Playing with domains not the Windows way

SaMBa is a perfect example of the technical superiority of Free Software. With SaMBa, you have a fifth freedom, the one to serve your network better with less effort. We want to share with you our experience of how you can put to use the inner workings of SaMBa-AD to your best advantage, and how easy it is with SaMBa to merge domains, rename domains, modify domain objects, etc. Here python and LDB are kings and queens. That's the server part to reorganizing your domain. Then there is the client part to reorganizing your domain : SID / profile migration, domain join, etc. That's why we want to show you SaMBa-AD's best companion, WAPT. WAPT is Robin when SaMBa is Batman. WAPT, developed by Tranquil IT Systems is apt-get for Windows, a software deployment and configuration management tool for Windows platforms. SaMBa-AD, combined with the use of WAPT, gives superhero powers to system administrators to manage effectively their domains and networks.


SMB3 and Clustering – A discussion

Samba/CTDB has been providing clustered file services for over a decade. Microsoft introduced it's own take on clustered file services via SMB3. To support Microsoft style clustered file services or cluster-aware clients, Samba needs to implement SMB3 features like persistent file handles, witness protocol etc. This talk invites Samba developers to a discussion on following topics:

  • Failover in Samba/CTDB cluster versus Microsoft cluster
  • Witness support for cluster-aware clients
  • Persistent file handles in Clustered Samba

Panel Discussion

Past Conferences

Looking for slides, audio files or pictures older than 2017? Please visit the directory preserving our old sambaXP archive and browse through the years.