SAMBA eXPerience archive

In our archive you will find impressions and information gathered at the past SAMBA eXPerience conferences:

  • talks as MP3 audio files
  • slides from the conference as PDF
  • talks as MP4 video files (NEW in 2020)

For the 2021 & 2022 recordings please have a look at our YouTube channel.

Conference program 2023

How to set up a Samba Domain?

This tutorial is about the basics of setting up a Samba domain. The previous tutorials were always dedicated to specific topics. This time it addresses especially those who are faced with the following question: Should an Active Directory domain be set up with Samba or Windows? But even if you already have a Samba domain in use, there might be some interesting topics you can take away from this tutorial.

In this tutorial you will learn how easy and fast a domain can be set up with Samba and how data can be provided via Samba file servers. The topic of different client operating systems will also be addressed. After setting up the domain the topic of Windows-compliant permissions will be taken care of, so that there is no difference between the permissions in a Samba domain and a Windows domain.

By the end of the tutorial you will have set up a domain with two domain controllers and a file server. Users will also be able to log on to different clients in the domain and access the data.

The following content will be discussed and set up:

- Setup of a first domain controller
- Failover of the domain by installing a second domain controller
- Replication of the share SYSVOL
- Integration of a Samba file server
- First shares and permissions
- Integration of Windows and Linux clients into the domain

What do you need to join the tutorial?

  •  PC (BYOD) with “VirtualBox” and “Vagrant” installed
  •  A Windows VM to test the setup and running RSAT

Please note:

You need at least a PC with 16 GB RAM (32 GB would be better) to install the setup. The Vagrantfile will create 4 Linux hosts and you also need to install a Windows system.

If you don't have a Windows VM you can download an evaluation version from Microsoft:
developer.microsoft.com/en-us/windows/downloads/virtual-machines/.

Download the VirtualBox version and import the VM to VirtualBox. It's a full-featured version that is valid for 40 days.

 

Training material:

You will get a handout including all steps to be able to recap independently after the tutorial.

All the Linux-systems will be prepared. You will get a “Vagrantfile” to set up all the Linux-VMs needed for the tutorial.

Registration

Welcome Note from SerNet

Chairman’s note

Recording

SoS: Samba on (a large) Scale: exploring ctdb Alternatives

Scale-out clustered Samba uses its homegrown distributed database "ctdb" as a storage backend for maintaining coherent fileserver state. "ctdb" predates most, if not all, cloudy distributed NoSQL databases that came to rise on the wings of the likes of Google Bigtable, Amazon Dynamo and Apache Cassandra in the late 2000's to early 2010's.

"ctdb" has worked extremely well for the high performance scale-out NAS use-case, but the emerging shift to the cloud entails serious scalability, elasticity and manageability challenges. So are there alternatives to ctdb? In this presentation we're going to explore Samba's requirements on a distributed database, candidates being Apache Cassandra, Ceph librados, etcd, ScyllaDB, FoundationDB, TiKV and others.

In order to allow rapid prototyping and testing with different databases, we've sketched a Python backend for Samba's database abstraction "dbwrap" that calls out to external Python code implementing the abstract interface, which allows for quick prototyping and testing. At the end of the presentation we'll share the result of the functional evaluation and some performance metrics.

Slides (PDF)

Recording

Lunch Break

From an OpenLDAP back-end for Samba to a Samba back-end for OpenLDAP

The effort to integrate the Samba AD service with OpenLDAP has been going, off and on, for a few years now. While the idea to replace Samba's LDAP server with OpenLDAP is far from dead, the actual implementation plan has evolved, largely because of the progress Samba has made over the years, such as its LMDB back-end. What started as an effort to revive the long defunct OpenLDAP back-end for Samba and use it as a base to gradually port Samba functionality as overlay modules, is being transformed into a different type of integration - execute Samba's LDB module stack inside OpenLDAP, with the possibility to optimize it for better performance. The purpose of this talk is to give some history on the project development so far, explain the new direction, and present the challenges it faces.

Slides (PDF)

Recording

SINK: Does it still float? - An update on samba-operator, samba-container & friends

At sambaXP 2020, the samba-in-kubernetes project (aka “SINK”) was introduced which aims at running Samba in containers to offer SMB shares in Kubernetes. In 2021 and 2022, we presented progress updates on these efforts.
This year, we will give a similar general progress report on our projects. We will discuss some of the new challenges that have appeared as our corner of the overall Samba community grows. One way we have tried to expand our reach is to frequently emphasize that many of our component projects are not just restricted to a Kubernetes environment. So, we’ll take a look at some of the other container engines and orchestration platforms one can run on - and demonstrate that –despite its name– the SINK organization is not all Kubernetes.

Slides (PDF)

Recording

Fuzzing: how is it going

For a while now we have been fuzzing many parts of Samba using OSS-Fuzz and private runs. What have we learnt?

Slides (PDF)

Recording

Samba AD / MIT Kerberos: path out of experimental

The Samba Active Directory domain controller can be built using either Heimdal Kerberos or MIT Kerberos. Since the beginning of the Samba AD project in 2004, Heimdal Kerberos was used to experiment and later build supported Samba AD releases. Samba AD was ported to use MIT Kerberos in 2016 and has since that time kept an ‘experimental’ build status. With both the Samba team and MIT Kerberos advancing the supported functionality, is it now time to graduate out of the experimental state?

The talk will look at functional and feature differences between the MIT Kerberos and Heimdal builds of Samba AD, what is supported and what is not by each version.

Slides (PDF)

Recording

Break

Linux Group Policy: Latest Developments, Use Cases, Integration, and Best Practices

Join me for an informative and interactive session as we explore the latest developments in Linux Group Policy. We'll dive into the various policies and how they can help you manage and secure your organization's network infrastructure. Additionally, I'll be highlighting new documentation, which provides step-by-step instructions on setting up Linux Group Policy.

Slides (PDF)

Recording

Updates on distributed file system access via the new VFS

With the past 1-2 releases Samba has matured itself on the new VFS implementation rooted on the handle based approach for accessing the underlying UNIX file systems. Irrespective of the type of file system beneath it Samba successfully tackles the symbolic link race condition to the fullest. GlusterFS being a software defined distributed file system has always tried to keep up with the major changes in Samba to make use of safe and sound mechanisms in providing data access to SMB clients. But what are the challenges involved? How do we comply with pathref changes in Samba to ensure seamless service to end-users? In this talk we closely look at the changes done at the VFS module for GlusterFS as an attempt to adapt itself to the new VFS structure. As we move forward we also highlight the bugs (and improvements) discovered in this process with a note on overall performance impact on such distributed file systems.

Slides (PDF)

Recording

FIPS 140-3 and Samba/FreeIPA challenges in RHEL 9: take 2

SambaXP 2022 was supposed to give a perspective on RHEL 9.0 experience in making Active Directory interoperability possible in FIPS 140-3-compliant environments. The talk was canceled for health reasons. Since that time, we have found a few more stumbling stones on the path to make Samba and FreeIPA interoperate with Active Directory while being compliant with FIPS 140-3. This talk aims to cover our progress in understanding and solving tightened crypto requirements within the authentication and identity management area.

Slides (PDF)

Recording

io_uring status update

With the increasing amount of network throughput, we'll reach a point where data copies are too much for a single CPU core to handle.

This talk gives an overview of how the io_uring infrastructure of the Linux kernel could be used in order to avoid copying data, as well as spreading the load between CPU cores. A prototype for this has existed for quite some time and shows excellent results.

The talk will explain:

  • What the current implementation status is
  • What the proposed design looks like
  • What challenges we are hitting in bringing it upstream

Slides (PDF)

Recording

Social Event at the conference hotel

Opening Note from SerNet

SMB3 POSIX Extensions: Reparse Points current status

To implement smb2 unix extensions, smbd needs to implement ntfs reparse points to present symlinks, sockets and other special files to clients. This talk will present an overview of what reparse points are at their core and where Samba stands to implement them. This talk will serve as the basis for discussion about how Samba should go forward to implement smb2 unix extensions.

Slides (PDF)

Recording

Introduction to The Microsoft Interoperability Commitment

An overview of the available interoperability resources and programs. This talk will introduce the Open Specifications and highlight all major technology areas of the site – Windows, Office, SharePoint, Exchange, SQL, as well as types of content – Protocols, Standards, File Formats, Data Portability and Languages.

Slides (PDF)

Recording

Continuation SMB3 POSIX Extensions: Reparse Points current status

Integrate the Power of Office365 through Co-Auth and File Synchronization Protocols

WOPI and FSSHTTP are important protocols in the overall Office protocol landscape. This session will provide an overview of how the WOPI and FSSHTTP protocols function and provide resources that will allow you to learn more. 

Slides (PDF)

Recording

Passwordless Linux and directory services: where are we?

For the past several years FreeIPA and SSSD teams have been working on enabling end to end passwordless access in centralized and local environments, be it corporate or home deployment. This talk will go into details of our progress in passwordless access implementation for Linux systems. What can be shared across FreeIPA and Samba AD in this area?
In 2022 the FreeIPA project introduced the ability to authenticate users against OAuth2 identity providers (IdPs). This functionality allows Kerberos credentials to be obtained after authentication and authorization have been done by the external IdP. As many OAuth2 IdPs allow passwordless authentication with WebAuthn tokens, a true passwordless transition across Linux systems is now available, from login to console, raising privileges within PAM services (e.g. sudo access), to accessing remote systems over SSH. We hope to expand this support with native FIDO2/WebAuthn integration as well.
The work is not complete yet and needs a lot of collaboration across multiple open source projects. Come to the talk to see a demo and discuss how we can improve our passwordless experience together.

Slides (PDF)

Recording

Use the Capabilities of Azure Artificial Intelligence with the Open XML SDK to Protect Personally Identifiable Information

Learn about the Office Open XML file format and Azure Cognitive Services by using just a few lines of code and the Open XML SDK with Azure Cognitive Services for Language, to redact personally identifiable information from a Word document and save it to a new file.

Slides (PDF)

Recording

Break

Active Directory Claims and conditional ACEs: how do they work and what are they for?

Samba will soon have full support for AD claims and conditional ACEs. But what are these good for apart from being able to tout functional level 2012 support? And what do these words actually mean? We'll try to find answers.

Slides (PDF)

Recording

File Sharing test suites overview and demo

Cover the latest updates of the Microsoft Protocol Test Suites for File Sharing protocols such as MS-SMB2.  The Test Suites tools were originally developed for in-house testing of the Microsoft Open Specifications and have been used extensively during Interoperability (IO) Labs to test partner implementations.   

We would also like to get your feedback on File Sharing parsers as we explore partners' needs and usage.  

Slides (PDF)

Recording

Improved logging in winbind

Starting with Samba 4.17 we enhanced the logging functionality of winbind. The code flow is easier to follow and the log messages have been improved. Thanks to the introduction of a traceid, requests can be tracked from the parent winbind down to the children and back. Trace indentation using the nesting level of sub-requests is added. The talk will dive into the details of the improved logging and demo the tools to make log inspection easier.

Slides (PDF)

Recording

SMB3.1.1 POSIX Extensions

Now that Samba server has support for the SMB3.1.1 POSIX Extensions, this presentation will give a demo of some of the features enabled by the SMB3.1.1 POSIX extensions (with examples to multiple servers including Samba and ksmbd) – and how this can help common workloads.    

As Linux continues to evolve, adding syscalls every year – this presentation will also cover some of the places where additional extensions (or emulation) could help.  

Slides (PDF)

Recording

WSP Update

After some neglect I have restarted some effort around WSP (Windows Search Protocol) support.
There is currently an upstream merge request to add a simple WSP search client for Samba.

This talk will recap the previous WSP efforts; additionally it will introduce the client and what you can do with it.

What about the server side? I'll talk about my plans about that too and also some of the choices and challenges around that.

Slides (PDF)

Recording

Accessing files remotely from the smallest to the largest devices (and the cloud): SMB3.1.1 improvements to the Linux client

The Linux SMB3.1.1 client continues to be one of the most active filesystems in Linux, with many improvements added each year, enhancing its ability to securely, reliably and efficiently access remote data. This presentation will cover new features added to the Linux client, and new features you can expect to see over the coming year. 

Slides (PDF)

Recording

Lunch Break

GPL Compliance for Samba in Consumer Devices

Eleven years ago, Samba's non-profit organization, Software Freedom Conservancy, took over GPL compliance and enforcement work for the Samba project.  In the larger industry of servers and industrial-grade appliances, the results have been excellent.  Large companies, who primarily operate in business-to-business services have reputations to protect; they comply with the GPL and convincing them to comply is a simple education effort.

However, the end-user consumer electronics sector remains a conundrum.  GPL violations are common, and the mid-range devices (such as wireless routers with a USB port) provide file sharing services for the local network, and thus contain not just “usual suspects” such as BusyBox and Linux, but Samba as well.

In this talk, Kuhn will present the full details of this systemic problem, propose various potential ideas, and discuss interactively with the Samba developer community about how they can help.

Recording

Panel Discussion: Inside the Samba project

SambaXP chairman Jeremy Allison invites all Samba team members from around the globe to present and discuss their ongoing and planned work.

Conference program 2022

Setting up GPOs with Samba & Disaster recovery of an Active Directory

This year's sambaXP tutorial covers two interesting topics at once:

Setting up GPOs with Samba

Using GPOs is a fundamental technique in the Windows world to manage access to resources or to configure systems. One of the main topics in using GPOs is roaming profiles and folder redirection. Roaming profiles only make sense if you also use folder redirection. If you don't use them, the profiles become too big. The problem is: every time a user logs in to a Windows client the profile will be loaded via the network, and if the user logs off, all profile data will be sent via the network to the profile share. So redirection is very important. Samba can also configure the GPOs for roaming profiles and folder redirection.

In the first part we will create the GPOs and configure a Samba file server to store users' home directories and roaming profiles. We will also configure folder redirection and take a look at how Samba manages to store both: user data and redirected data from the roaming profile.

In the second part we will see how Samba manages the Linux GPOs. Starting with Samba 4.14 it is possible to set up GPOs for Linux hosts. In this part of the topic we will configure the domain controller to handle the Linux GPOs and we will take a look at which GPOs you can set up. We then configure a Linux client to use the GPOs.

Disaster recovery of an Active Directory

Running an Active Directory with more than one domain controller will protect you from a single point of failure. You should always have at least two domain controllers to store your objects and manage the user authentication. But what will happen if the whole Active Directory crashes? Then you need not only a backup of your Active Directory database, you also need a strategy for how to recover your domain. We will take a look at what you need to back up to bring your domain up again. We will back up a running domain with “samba-tool” and recover the domain from the backup, up to the point that one domain controller will be back online.

 

What do you need to join the tutorial?

  • PC (BYOD) with “VirtualBox” and “Vagrant” installed
  • A Windows VM to test the setup and running RSAT
  • Webcam and speaker with microphone for interaction

 

Please note:

You need at least a PC with 16 GB RAM to install the setup. The Vagrantfile will create 3 Linux hosts and you also need to install a Windows system.

If you don't have a Windows VM you can download an evaluation version from Microsoft: https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/. Download the VirtualBox version and import the VM to VirtualBox. It's a full-featured version valid for 40 days.

 

Training material:

You will get a handout including all steps to be able to recap independently after the tutorial.

All the Linux-systems will be prepared - You will get a “Vagrantfile” to set up all the Linux-VMs needed for the tutorial.

Welcome Note from SerNet

Chairman’s note

The SINK Report: Updates on Samba in Containers & Kubernetes

It’s time for your new sambaXP tradition - an update on our efforts to containerize Samba and run and manage it under Kubernetes with our Operator. This will include a brief recap of our goals, along with a summary of some of the new developments we have made since the last sambaXP, including but not limited to clustered Samba instances. We will also have a deeper discussion of our vision of how future containerized Samba versions might work and some of the potential benefits for the general Samba ecosystem.

Slides (PDF)

Break

smbd, what's next?

This talk is going to give an overview of recent changes in the Samba fileserver and an outlook on the development roadmap. Recent development has been mainly focused on security resulting in the release of Samba 4.15 last year and a rewrite of the RPC server which will ship in the upcoming 4.16.

Looking forward there are many things the Samba fileserver development team has on its todo list and this presentation will give a first-hand insight into the making of the next Samba versions.

Slides (PDF)

Kerberos/Authentication Updates in Samba

On the domain controller side we got a lot of updates recently:

  • Updated Heimdal
  • Working with the latest MIT Kerberos


On the member server side we fixed some critical bugs and have plans for future improvements how a file server can avoid as much domain controller interaction as possible.

This talk will handle the following questions:

  • How does Samba plan to use Kerberos FAST?
  • How can you reliably change a machine password?
  • Why is it so important to behave as exactly identical as possible compared to a Windows server?

Slides (PDF)

Break

Improvements to SMB3.1.1 and Linux: a year in review

Accessing files securely and efficiently matters. Over the past year many improvements have been made to the Linux kernel for accessing files remotely via SMB3.1.1, and it has been a great year for cifs.ko with the addition of new SMB3.1.1 features and optimizations. It continues to be the most active network/cluster file system on Linux. And now with the addition of a kernel server to Linux (ksmbd), there are multiple Linux server options (Samba and ksmbd).

Improvements to performance have been made by adding support for handle leases (deferred close), better optimizing multichannel, and by changes to read ahead caching, and directory and metadata caching and also signing improvements have been made. Offline caching (fscache) has been rewritten and improved, and support for the Witness protocol (server notification about key events like server moving), and security has improved with support for the strongest encryption, and more recently the exciting work on QUIC. This presentation will go through the features added over the past year to the Linux client (and kernel server) and demonstrate how they help common scenarios, from accessing the cloud (like Azure) to accessing Samba, Windows, Macs and the new Linux kernel server (ksmbd).

This presentation will go over what new SMB3 features for accessing files remotely from Linux have been added in the last year and also what SMB3.1.1 improvements are expected in the coming year to allow for more efficient access to remote files.
Improvements to testing, and improvements to commonly used configuration and mount options will also be described. An overview of the status of the Linux kernel server, ksmbd, will also be presented.

Slides (PDF)

Certificate Auto Enrollment in Samba

This talk will discuss the addition of Certificate Auto Enrollment in Samba Group Policy, what it is and how to use it. Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services.
 

Slides (PDF)

Break

Installing and running Samba on AIX

AIX is one of the commercial UNIX flavours which is still actively supported. Installing and running Samba on AIX can be challenging though. This talk is about how to set up and manage Samba on this platform.

Slides (PDF)

Closing Remarks First Day

Welcome Note from SerNet

Kerberos

In November 2021 Samba and Microsoft, rather oddly, put out a security release on the same day. Not much was said, except 'patch, patch, patch'.

In this talk Andrew describes what that was all about, what we fixed and how, as well as celebrating an incredible cross-team effort supported with engineering from 5 different companies.

We also celebrate (so far) releasing that with few regressions and think about how we can advance the state of security in this area into the future.

Slides (PDF)

The CTDB Report 2022

This is a report on the status of CTDB, similar to that presented at recent sambaXP conferences. As usual, this presentation will look back and summarise progress since the most recent presentation in 2020. It will also look forward and attempt to present a realistic path for further development.

The biggest recent change arrived in Samba 4.16. CTDB's recovery lock is now a cluster lock and, when enabled, a race for this lock is used in place of a traditional election. This avoids problems where an election would result in a new leader but this leader would be unable to take the lock. Reasons for this include races and cluster filesystem latency.

In the past we have presented grand plans, designs and frameworks. This year we will step back a bit and consider what is needed to realise a shiny new, maintainable CTDB.

Slides (PDF)

Break

Symlink races for dummies and how to deal with them

Jeremy Allison wants to remove symlinks from Unix (see https://lwn.net/Articles/882177/ ). Until they are gone, we will live in the legacy world with symlinks for quite a while. Jeremy Allison and Ralph Böhme have rewritten Samba to make it safe from symlink races. Ralph Böhme has presented most of this work last year at SambaXP under the covers of a general modernization of Samba's VFS.

This talk will be a sequel to Ralph's talk: Work is ongoing to build upon the rewrite of the VFS to utilize directory file descriptors in a lot more places than it is done right now. This work is driven by the hope to express symlink-safety more explicitly in the Samba code using safe directory handles. If this turns out to be successful, Samba will become more resilient against symlink races, future developments will have it easier to remain safe. Also, it will speed up Samba's path-based operations.

Slides (PDF)

Break

The planned talk from Alexander Bokovoy is unfortunately cancelled.

Instead of adjusting the times of the following talks, we decided to add a longer break so that attendees do not miss a scheduled talk due to last-minute changes in our agenda.

The UNIX Filesystem API is profoundly broken: What to do about it?

The UNIX Filesystem API is profoundly broken, and user-settable symbolic links are to blame. In this talk I will explain how CVE-2021-20316 made me realize that symbolic links, introduced in 4.2BSD Unix from U.C. Berkeley, broke the previously elegant UNIX filesystem API and filesystem design. The design and implementation of symlinks has caused years' worth of security flaws and API patches to fix a conceptually broken idea.

I also propose a modest suggestion in order to help Linux step away from this mess to a more secure by-design future!

Slides (PDF)

Azure Files: "mount" the Cloud

Since 2015 Microsoft Azure has provided a completely managed SMB file server in the cloud. Leveraging the Continuous Availability features of SMB3, the customer experience is an always available and reliable file share. As we push to add the most demanded new features, the complexity and caution required to do this in a transparent and safe way presents fundamentally new kinds of challenges due to the scale of Azure's public cloud.

Azure Files is based on Azure tables and blobs under the hood, not a conventional file system -- let alone NTFS. An overview of its architecture will be presented, with specific attention paid to those aspects that provide the seamless availability and reliability in spite of the constant din of hardware underneath it suffering failures and needing replacement.

An overview of recently added new features will be used as a segue to delve into the engineering challenges of making significant changes and additions to underlying data schemas, and the code that manipulates it, while not disturbing access to those many petabytes of data, or breaking the semantics that applications depend on.

Slides (PDF)

Panel Discussion

Conference program 2021

Setting up Samba as a printserver

If you have a lot of network printers in your environment it might be a good idea to set up a printserver with Samba4. Together with CUPS you are able to manage your printers for all your clients. For a Linux or Mac client you would only need CUPS, but as soon as you have Windows clients, CUPS is not enough: you need printer drivers for all your printers to be installed on the clients.
If you are using Active Directory to manage all your users, groups and clients you can set up the printserver to share all printers to your Windows clients via GPOs. Not only connecting the printers via GPO but also installing the printer drivers for the printers on your Windows clients.

In this year's tutorial we will set up a printserver as part of an Active Directory and manage GPOs to connect the printers to the clients and install the drivers without user interaction.

What will we do?

1. Configure CUPS to share the printers inside your network.
2. Join the printserver into a Samba4 domain.
3. Set up the shares for spooling and printer drivers.
4. Install printer drivers.
5. Connect the printer with a driver.
6. Create a GPO to connect the printer to a client and install the driver
   without user interaction.
7. Handle unsigned drivers.

Because sambaXP will be an online event the tutorial will also be held online.

What do you need to join the tutorial?

  • PC with VirtualBox 6.x and Vagrant installed.
  • Webcam and a headset or speaker and microphone to ask questions.
  • To test the printserver you need a Windows-System that can be joined into the test domain. If you don't have a Windows-VM you can download an evaluation Version from Microsoft https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/ Download the VirtualBox version and import the VM to VirtualBox. It's a full featured version valid for 40 days.

Training material:
You will get a handout including all steps to be able to recap independently after the tutorial. For setting up the systems you will get a Vagrant file to install the Samba4 domain controller and the printserver.

Integrate SAMBA+ AIX in an existing AD domain

This free two-hour workshop shows how to integrate SAMBA+ AIX in an existing AD domain.

The workshop will start with the installation and configuration of SAMBA+ AIX and will also cover integration in an existing Active Directory domain including ID mapping.

What do you need to join the workshop?

  • A headset or speaker and microphone to ask questions.
  • There are no further technical preparations needed.

Welcome Note from SerNet

The one track session takes place in Track 1.

Chairman’s note

The one track session takes place in Track 1.

Your Server Will Be With You Shortly

The one track session takes place in Track 1.

Google Chromebooks use Samba code for Active Directory integration. Making this work efficiently on global networks with many Active Directory servers is a challenge.

This talk will tell the story of how the Samba code was improved to reduce logon times from 10+ minutes to less than 1 minute in a large customer network.

Slides (PDF)

Break

You are entering the multi-track conference right after the break. Please use a different browser if you want to follow both sessions.

Google Summer of Code 2020 results: Samba AD DC Cockpit UI

Google Summer Of Code is a yearly event that allows university students to gain more experience and help Open Source projects to improve. In 2020 Samba Team was allocated a single seat in the program. We chose to work on a modern web UI to samba-tool to allow automation and easier access to command line tools.

The talk will go over our experience with GSoC 2020 and will show-case its result: a Samba AD DC plugin to Cockpit UI. Cockpit is a Web UI framework to manage Linux systems in a browser.

Slides (PDF)

Reverse engineering the Windows SMB server

The Windows SMB server doesn't offer any way to dump the cryptographic keys used for SMB encryption. This can be very annoying when you're trying to debug your client implementation or if you simply want to decrypt traffic in Wireshark. The server is sadly closed-source and is implemented as a kernel module, which makes debugging it more challenging.

This talk will cover some of the architecture of the Windows SMB server, how to debug the Windows kernel, and how we can write another module to dump those keys from the server memory. All from the perspective of a Linux developer relatively new to the world of Windows development.

Slides (PDF)

Samba command line user experience

To the newcomer, Samba's command line user interface appears to be a haphazard jumble of scripts and binaries with options and design principles that fade in and out of use according to some esoteric pattern.

Samba 4.15 will bring a major rewrite of the command line parser for Samba client utilities. Every tool will follow the same design principle and offer the same options.

The talk will look into how we solved those issues and how we will avoid issues in future. We will also look at how options have changed or been simplified to make the tools easier to use for newcomers.

Will we get shell-completion one day?

Slides (PDF)

Testing Testing Testing! Updates

Last year we introduced the GlusterFS-Samba integration testing environment, a CI environment allowing us to test Samba with a GlusterFS backend. Over the last year, we have used it to test nightly Samba and GlusterFS builds and have also expanded our test coverage and test environments.

In this update, we discuss changes to the project. We also go through some obscure bugs that the CI environment helped us discover in the Samba-GlusterFS installations as well as catching regressions due to changes introduced upstream. We also discuss future directions for the project.

Slides (PDF)

Break

You are entering the multi-track conference again right after the break. Please use a different browser if you want to follow both sessions.

Group Policy Integration

Samba is a nice piece of software for integration into an AD domain, but many administrators want a full-featured Samba domain with nice graphical tools to edit and apply policies and modify domain settings.

The BaseALT company developed a set of tools to solve the task of policy application and domain management: GPOA (gpupdate) to apply policies, libnss-role to implement nested groups, GPUI to edit policies and ADMC to work with a Samba domain. This is open source software which is partially based upon Samba source code. Our team proudly presents the result of a year of effort spent on writing code and documentation, analyzing use cases and testing various deployment scenarios.

We spent a lot of effort on the integration of Group Policy Templates with ALT Linux OS settings. Many open source components developed in-house are present in the ALT distribution, making it suitable for domain integration as an end-user workstation.

Slides (PDF)

Samba Multi-Channel/io_uring Status Update

Samba had experimental support for multi-channel for quite a while.
SMB3 has a few concepts to replay requests safely.
We now implement them completely (and in parts better than a Windows Server).

The talk will explain how we implemented the missing features.

With the increasing amount of network throughput, we'll reach a point where data copies are too much for a single CPU core to handle.

This talk gives an overview about how the io_uring infrastructure of the Linux kernel could be used in order to avoid copying data, as well as spreading the load between cpu cores. A prototype for this exists and shows excellent results.

  • What the current implementation status is
  • What the proposed design looks like
  • How to improve performance

Slides (PDF)

Winbind Group Policy

Winbind can now seamlessly replace Vintela's proprietary Group Policy (VGP) for Linux clients. These recent developments will be discussed, along with recently added samba-tool commands for administering these policies. Plans for future improvements and possible projects will be discussed.

Slides (PDF)

Access control and ID mapping on the Linux SMB client

The SMB protocol was designed long after Unix was created, and as a result supported concepts like globally unique identities and rich ACLs that are in Windows, but not in Linux. User identity and access control are very relevant to the Linux SMB3 client, as it acts as a bridge between the world of Windows-like-filesystems (including the cloud) and the world of Linux filesystems, and has the hard task of translating security information from the more complex Samba and Windows world, to the simpler Linux/POSIX model.

There are three key problems:

  1. ID mapping: Who is the user? And how does it map to the user that the server understands?
  2. Authentication: Can the user prove his/her identity?
  3. Access control: What permissions does the user have for this file?

This talk will discuss and demonstrate the different ways that the Linux client can be configured to map POSIX permissions (mode bits) to ACLs, and the implications of using these configurations. It will discuss the different authentication choices, especially how to leverage Samba’s winbind for easy to use and highly secure Kerberos authentication and key refresh. In addition it will discuss how to integrate with Samba’s winbind to map user identities (from the local Linux client’s UIDs to globally unique SIDs) and the various alternatives like “idsfromsid”. Recent improvements in cifs-utils for managing ACLs and auditing information remotely will also be discussed, which can make managing a Samba server easier in some cases.

Slides (PDF)

Break

You are entering the multi-track conference again right after the break. Please use a different browser if you want to follow both sessions.

Troubleshooting clustered Samba in Enterprise environments

IBM Spectrum Scale is a software defined storage offering of a clustered file system bundled with other services. Samba is included as part of the product for providing a clustered SMB file server and integration into Active Directory environments. This product is commonly used in Enterprise IT environments.

Troubleshooting problems is an essential part of supporting customers. This talk will walk through Samba troubleshooting approaches that have proven useful over the years. It will explain how for this environment Samba is configured to provide logs and indications by default. Methods for collecting additional trace data are demonstrated and how to efficiently analyze these traces. Examples will be used to illustrate debugging problems from the trace data.

Slides (PDF)

Join me offline!

Wide-scale virtual-machine deployments of Windows clients and servers make it difficult to adapt to the classic process of domain joining. Very often there is no connection to an AD domain controller. Sometimes a larger number of virtual machines needs to be joined without the VMs even being started. And sometimes machines need to be joined in locations where there are no (writeable) domain controllers available at all. For all these scenarios the concept of Offline Domain Join has been developed, and it has been part of the Windows operating systems for quite some time now. This concept allows detaching the machine account creation in AD from the modification of the machine that is joined. In addition to the machine account credentials, Group Policies and Certificates can be deployed with the Offline Domain Join mechanism and tools as well. Samba can now also take part in this process. With the latest version, Samba can provision machine accounts for offline join in Active Directory (for both Windows and Samba clients) and process offline join state information on the local, disconnected machine (with state information either generated on Windows or using Samba). This feature enables scenarios where Samba servers are deployed ad-hoc in a containerized infrastructure such as Kubernetes.

Slides (PDF)

Experience running a clustered Samba gateway for CERNBox

This aims to be a short contribution to get introduced to the community and share our experience in providing CERN users with direct online access to their personal storage.

CERN, the European Organization for Nuclear Research, provides its large and diverse scientific user community with an on-premise sync and share storage platform dubbed CERNBox. The underlying storage, named EOS and developed in-house, can also be mounted on Linux, and recently on Windows as well, through a ctdb-driven Samba cluster.

After introducing the CERNBox ecosystem, we will briefly describe the configuration of the cluster and its peculiarities given our environment, and go through some typical shortcomings of such a setup and how they were tackled. Further, we will mention a VFS plugin we have developed, in order to support the conversion of Windows permissions to our RichACL-based storage ACLs, and we will conclude with an outlook of the service in the coming months.

Slides (PDF)

Zambezi SMB3 Offload Update

The Zambezi SMB3 Offload project was introduced at last year's sambaXP conference.  This brief talk will provide an update on the project, where it's heading, what development has stalled, and what new progress is being made.

Slides (PDF)

Closing Remarks First Day

The one track session takes place in Track 1.

Welcome Note from SerNet

The one track session takes place in Track 1.

How to fuzz Samba - Part I

Over the last two years, Samba has grown fuzzing infrastructure. This has found numerous bugs and given us some reassurance about the robustness of some parts of the code.

Nevertheless, most of Samba is not fuzzed, and lib/fuzzing is just another isolated subsystem that hardly any developers understand. This talk wants to fix that, walking you through the steps to add a fuzzer to Samba, and how in general to make your code fuzzable.

Slides (PDF)

cifsd (ksmbd) Status Update

cifsd (ksmbd) is a new SMB3 kernel server which implements the server-side SMB3 protocol. Many changes and improvements have been made since cifsd (ksmbd) was introduced earlier at sambaXP 2019.

This talk will give an overview of ksmbd and a current status update.

Slides (PDF)

How to fuzz Samba - Part II

Over the last two years, Samba has grown fuzzing infrastructure. This has found numerous bugs and given us some reassurance about the robustness of some parts of the code.

Nevertheless, most of Samba is not fuzzed, and lib/fuzzing is just another isolated subsystem that hardly any developers understand. This talk wants to fix that, walking you through the steps to add a fuzzer to Samba, and how in general to make your code fuzzable.

The New VFS

The effort to modernize Samba's VFS interface has reached a major milestone with the next release Samba 4.14.

Starting with version 4.14 Samba provides core infrastructure code that allows basing all access to the server's filesystem on file handles and not on paths. An example of this is using fstat() instead of stat(), or SMB_VFS_FSTAT() instead of SMB_VFS_STAT() in Samba parlance.

Historically Samba's fileserver code had to deal a lot with processing path based SMB requests. While the SMB protocol itself has been streamlined to be purely handle based starting with SMB2, large parts of infrastructure code remain in place that will "degrade" handle based SMB2 requests to path based filesystem access.

In order to fully leverage the handle based nature of the SMB2 protocol we came up with a straightforward way to convert this infrastructure code, so it can make use of a purely handle based VFS interface.

The talk will present what we have achieved so far and what is left to do. Its intended audience is anyone working on the Samba fileserver code and anyone working on Samba VFS modules.

Slides (PDF)

Break

You are entering the multi-track conference again right after the break. Please use a different browser if you want to follow both sessions.

Life without NTLM or how to trust in FIPS

With Samba 4.14, it is possible to operate Samba services in so-called "FIPS mode". "FIPS" relates to a set of U.S. government documents that define rules, regulations, and standards of handling information by computers and by people. One particular aspect of multiple FIPS documents is a regulation of allowed cryptography algorithms and methods to process information.

FIPS mode does not allow use of many old cryptography algorithms, including the one that is widely used in Active Directory and SMB protocol: RC4 cipher which is the core of NTLM authentication. When Samba runs in FIPS mode, no use of RC4 cipher beyond a secure channel established with the help of FIPS-approved crypto is possible.

The ability to run Samba in FIPS mode means its usage in governmental organizations has expanded. Lack of RC4 cipher support means it is not possible to authenticate users with the help of a password in Samba. Only Kerberos authentication with AES ciphers is supported.

This talk is going to look at what is possible to achieve in FIPS mode for Samba and services using Samba. We also want to discuss how to improve the state of authentication in the SMB world.

Slides (PDF)

Socket activation for Samba's RPC services

The classic Samba RPC services like srvsvc, winreg and wkssvc right now are implemented as part of the smbd binary and process.

This talk will give an overview of experiments to change this architecture: Instead of implementing RPC services by linking the server implementation into smbd, an idea is to implement them as separate binaries and separately executed processes.

Red Hat has in the past implemented spoolss and other RPC services as separate processes, but the attempt this talk will present goes one step further: Instead of just forking the main smbd process to perform RPC server services, a separate binary can be executed.

This talk will present the architecture of this thought experiment and demonstrate the current state of the code.

Slides (PDF)

Samba Operator - The Next Phase

At sambaXP 2020 an introduction to Kubernetes and Operators was presented along with a prototype operator for Samba. Starting around October of 2020, the development of the Samba Operator has picked up momentum. It has gained a new approach to configuring Samba in a radically different, modern way: Instead of configuring a monolithic Samba server, the admin can concentrate on shares and let the operator take care of the server (or servers!). Several additional features have been added and the operator has grown its own little ecosystem.

We will present the current state of the operator, demonstrate some of its current capabilities, and discuss future improvements both in the Samba Operator code base as well as Samba itself.

Slides (PDF)

SMB3 Improvements to Linux: Summary of client status

The Linux client continues to be the most active network/cluster filesystem on Linux over the past year, and the progress on Samba server and the Linux kernel server has helped make adding new features to the SMB3.1.1 client in Linux even more important.

It has been a great year for SMB with the addition of many security improvements, many performance improvements including to caching and RDMA (smbdirect) as well as dramatic improvements to multichannel. Support for the Witness protocol (allowing transparent movement to a different server) has been added, as well as the new more feature rich Linux mount API. In addition support for the final piece of the optional SMB 3.1.1 POSIX protocol extensions was completed. Tooling has been improved with many new features added to tools like smbinfo, and support for easily getting and setting more auditing and security information.

This presentation will go through some of the new features added to the Linux client over the past year, and demonstrate the great progress in accessing various types of network storage, including the cloud (e.g. Azure), Samba and the new Linux kernel server.

Slides (PDF)

Break

You are entering the multi-track conference again right after the break. Please use a different browser if you want to follow both sessions.

SMB over QUIC – Files without VPN

The SMB3 protocol is broadly deployed in enterprise networks and contains strong protection to enable its use more broadly. However, historically port 445 is blocked and management of servers on TCP has been slow to emerge. SMB3 now is able to communicate over QUIC, a new internet standard transport which is being broadly adopted for web and other application access. In this talk, we will provide updated details on the SMB3 over QUIC protocol and explore the necessary ecosystem such as certificate provisioning, firewall and traffic management and enhancements to SMB server and client configuration.

How compliant is the Linux client?

A Deep Dive into testing the Linux client against Samba - to see which Linux APIs are supported, which POSIX features work and what still needs to be addressed

File systems in Linux are complex, having to support over a hundred system calls (far more than POSIX specified), and Linux continues to evolve, adding new file system features and system calls every year. How compliant is the Linux client when mounted to Samba or other common servers? What about if the SMB3.1.1 POSIX Extensions are used? What works now with and without the extensions?

This presentation will summarize what we have found out from analyzing results of the standard Linux file system functional test suite ("xfstests") as well as other Linux tests and customer problems - showing what we have fixed, what works to most servers now (and how to configure best for these), what types of applications require mounting with the SMB3.1.1 POSIX extensions to work, and also show what is missing in the protocol and how we might address these holes.

This is a great opportunity to discuss what minor extensions are needed to the protocol to enable even more Linux workloads over SMB. "xfstests," since they are run against every major Linux filesystem, has been invaluable in pointing out what we need to address in Samba and the Linux client as Linux file system requirements continue to evolve. This presentation will help understand what workloads work well today, and what we have to do for SMB3.1.1 protocol to optimally handle the ever broader set of Linux workloads in the future.

Slides (PDF)

FreeNAS, TrueNAS, and Samba

This talk is a status update on TrueNAS and FreeNAS and Samba.

Inside your Samba security release

A look at what the Samba team does to make a new Samba security release, from the point of report to the packages or source users install.

Following Samba Security Process but putting flesh on the bones to give a real idea of the behind-the-curtain effort and care taken to ensure that Samba security issues are addressed promptly, responsibly and carefully.

Slides (PDF)

Panel Discussion

The one track session takes place in Track 1.

SMB Interoperability Lab

The SMB3 IO Lab is free and will run online from Wednesday, May 5th 2021 through Friday, May 7th 2021 with access to the online lab environment available 24 hours each day.

The purpose of this IO Lab is for vendors to bring their implementations of SMB3 to test, identify, and fix bugs in a collaborative setting with the goal of providing a forum in which companies can develop interoperable products.  The 2021 SMB3 IO Lab will be held online on Microsoft Teams, provided by Microsoft, using a virtual private network, creating a collaborative framework for testing.  The participants of the IO Lab work together to define the testing process, assuring that objectives are accomplished.

Is it worth it to attend the SMB3 IO Lab this year?

In a word, Yes! SMB is changing and here’s your opportunity to be the first to learn more about the new functionality, to get your questions answered by the experts, and to test it out.

For example, here’s a quick look at some of the new features that have recently been added to the SMB3 protocol:

  • SMB3 now is able to communicate over QUIC, a new internet standard transport which is being broadly adopted for web and other application access
  • Support for AES-GMAC authentication
  • Support for share compression
  • Support for encryption over RDMA

The IO Lab offers access to:

  • The latest Windows client and server software from Microsoft, including test suites that help verify interoperability on various features of SMB protocols
  • Technical support from SMB engineers to look at traces and help with diagnosing problems
  • IO Lab participants are covered by a non-disclosure agreement and access is restricted to registrants only (NDA will be sent to you close to the start of the IO Lab)

If you are reluctant to participate because you feel that your SMB implementation is "not ready", you should still participate! The SMB Interoperability Lab is also a development opportunity, not just a testing opportunity. Implementations still in development are encouraged to participate.  It's a great opportunity to get help and learn from the experts!

This IO Lab is sponsored and featured by Microsoft.

Stay tuned for more information on how participation will work.

Past Conferences

Looking for slides, audio files or pictures older than 2021? Please visit the directory preserving our old sambaXP archive and browse through the years.

 

sambaXP archive