OpenBSD Journal

Samba 3.0 Promises

Contributed by jose on from the windows-administration dept.

More from The O'Reilly Network people. This one is about what is forthcoming in the 3.0 release of Samba. Samba provides file sharing and authentication services for Windows hosts from UNIX systems and is in OpenBSD ports. From the description of 3.0, this one looks like it's worth trying out: Active Directory support and Kerberos look to be on the table.

Has anyone tried this on OpenBSD?

Comments
  1. By Rob Lessard () on

    Haven't tried it yet but suspect issues with the ldap_pam compatibility. Samba seems to be sticking with that authentication avenue which has prevented "true" nt integration of group functionality on OBSD so far (particularly for the ntfs permissions model). Since this update is geared towards the domain controllers and hosting a password ldap, it will likely work fine in that sense. Question is, for OBSD, whether the file servers will be able to authenticate from the ldap without pam/winbind support. Plan on testing it out soon though.

    Comments
    1. By Anonymous Coward () on

      let us know how it goes.

    2. By James Moss () moss at acmeunix dot org on mailto:moss at acmeunix dot org

      sure would be nice if OpenBSD used pam. Don't suppose anyone knows why it doesn't or if there are plans of adding it in the near future.

      I realize, seemingly a while ago now, pam had a few security issues, but I haven't heard anything for quite some time about these issues.

      Comments
      1. By Brad () brad@comstyle.com on mailto:brad@comstyle.com

        OpenBSD will never have PAM. We have BSD auth, bsd_auth(3).

  2. By Anonymous Coward () on

    sweeeeeeeeeeeeeeeeet!

  3. By Anonymous Coward () on

    smbmount is the only thing that I miss on OpenBSD. I don't know much about what it takes to write something like smbmount; anyone know why it isn't available for OpenBSD? Technical problems? Political differences? Lack of interest?

    (Yes, I know about smbclient and Sharity [light].)

    Comments
    1. By Anonymous Coward () on

      For smbmount to work, you need support for smbfs (Samba share as a filesystem)...

      SMBFS has been partially created (rumoured to be fairly functional) on FreeBSD, it's definitely a fixer-upper, but there's some base code at http://people.freebsd.org/~bp/smben.html

      Comments
      1. By Anonymous Coward () on

        smbfs is in both FreeBSD STABLE and CURRENT for a while. I doubt that page is up to date. I've used it before, and it seems to work just dandy.

    2. By RC () on

      Forget SMBFS, what we need (IMHO) is an SCPFS. Secure, encrypted filesystem, which already has key management implemented, is standard, and a huge number of systems already support it (manually).

      Why bother with tunneling NFS over SSH? Why bother with AFS and Kerberos, which have had numerous serious bugs, and require a full-fledged network infrastructure?

      Comments
      1. By Jacob () on

        I agree. Any idea why this hasn't happened already? Apple has included mount_ftp in darwin, would an ssh implementation of this be totally different?

      2. By Jan J () on

        The thing I could find on SCPFS was a remote filesystem over SSH. If this is what you mean I must ask you to send me a box of whatever you are smoking.

        I work with AFS and it rocks socks. Need another terabyte? Just jack in a server (or extra disk) and off you go. Move data while it is being accessed, paths don't change and so on.

        However it should be said that setting up an AFS cell is not the easiest task; development stood still for five years but many interesting things are on the way.

        Comments
        1. By Anonymous Coward () on

          > The thing i could find on SCPFS was a remote filesystem over SSH.

          Umm, what?

          > I work with AFS and it rocks socks.

          I didn't say it's a bad remote filesystem by any means. However:

          * It has had several security issues.
          * There is a large installed base of SSH servers.
          * Kerberos isn't the best system for inter-network security (eg. overlapping, independent administration)...
          * Public-key is a much better security system over something such as the internet.
          * I like TCP.
          * SSH already has good compression built-in
          * SSH has multiple ciphers of variable strength that can be negotiated both by the server, and the client.

          And those are just the things that instantly come to mind.

          Comments
          1. By Hans Insulander () hin@openbbsd.org on mailto:hin@openbbsd.org

            You have no idea wtf you're talking about.

            You're comparing a key distribution protocol to a remote login protocol.

          2. By Jan J () on

            As I can see it AFS and filesystem over SSH/SFS solves two different problems.

            AFS is enterprise stuff, it has a lot of nice features when working with larger data amounts (think terabyte).

            SFS(/SSH FS) is great for the homehacker who wants to share files with friends.

            An example:
            Your fileserver runs out of CPU or DISK.

            AFS: Add another server/disk move some data (while people are using the same data) and you are done.

            SFS: Either have downtime to exchange the server/disk or add another server/disk and get upset users when you tell them their file is now on foo:/bar instead of kaka:/bulle.

          3. By Jan J () on

            > * It has had several security issues.

            Development started 1984, what had security back then?

            > * There is a large installed base of SSH servers.

            Irrelevant, how it solves the problem is what is relevant.

            > * Kerberos isn't the best system for inter-network security (eg. overlapping, independent administration)...

            I am not sure how you mean. It serves our needs very well. Better than anything I have seen. (1300 users that need to login to 300 different machines both windows and UNIX with one password).

            > * Public-key is a much better security system over something such as the internet.

            Public-key is good but has a big problem. How do you exchange your keys? Either you trust verisign or you call the admin "Is this the correct key?" (Private-key has the same problem).

            > * I like TCP.

            I like ice-cream.

            > * SSH already has good compression built-in

            Yeah, compression is such a huge problem. It's almost impossible to implement.

            > * SSH has multiple ciphers of variable strength that can be negotiated both by the server, and the client.

            Kerberos 5 has multiple ciphers. This is irrelevant for the filesystem. A filesystem that needs crypto only needs one good cipher and a way to make sure the crypto is set up properly.

            AFS has crypto. Not many use it because of overhead. Future versions will be able to tell what volumes/directories that should be encrypted saving CPU on files that are public anyway.
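The key-distribution problem raised in this exchange ("Is this the correct key?") is exactly what SSH's host-key pinning has to deal with: on first contact the key must be verified out of band, and afterwards any change is a red flag. The following is an added example and not code from the original thread or from OpenSSH, Samba or AFS; it builds a constructed Ed25519 host key in OpenSSH's public-key line format, computes the OpenSSH-style SHA256 fingerprint an administrator would read out over the phone, and checks a presented key against a local pin. The host name, key bytes and the dict-shaped known_hosts store are all made up for the example.

```python
import base64
import hashlib
import struct

# Constructed sample key material (32 bytes, the size of an Ed25519 public key).
# This is NOT a real key; it only exercises the encoding and comparison logic.
SAMPLE_PUBKEY = bytes(range(32))
# A copy with the last byte flipped, standing in for a key that was swapped out.
TAMPERED_PUBKEY = SAMPLE_PUBKEY[:-1] + bytes([SAMPLE_PUBKEY[-1] ^ 0x01])


def ssh_wire_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': big-endian uint32 length, then payload."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(pubkey: bytes) -> bytes:
    """Build the SSH public-key blob for an Ed25519 key: string "ssh-ed25519", string key."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ssh_wire_string(b"ssh-ed25519") + ssh_wire_string(pubkey)


def pubkey_line(pubkey: bytes, comment: str = "") -> str:
    """Render the key as an OpenSSH public-key line: '<type> <base64 blob> [comment]'."""
    blob = make_ed25519_blob(pubkey)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")
    return (line + " " + comment) if comment else line


def parse_pubkey_line(line: str):
    """Parse an OpenSSH public-key line and return (key_type, blob).

    The key type inside the blob must agree with the text field; a mismatch
    means the line was mangled or hand-edited and must not be trusted."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    blob = base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + n].decode("ascii")
    if key_type != parts[0]:
        raise ValueError("key type mismatch between text field and blob")
    return key_type, blob


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_host_key(known_hosts: dict, host: str, presented_line: str) -> str:
    """Compare a presented host key with the locally pinned one.

    Returns 'match', 'unknown' (first contact: verify the fingerprint out of
    band before trusting it) or 'MISMATCH' (the pinned key changed: stop)."""
    _, presented_blob = parse_pubkey_line(presented_line)
    pinned_line = known_hosts.get(host)
    if pinned_line is None:
        return "unknown"
    _, pinned_blob = parse_pubkey_line(pinned_line)
    return "match" if pinned_blob == presented_blob else "MISMATCH"


# Constructed local pin store: host name -> public-key line (hypothetical host).
KNOWN_HOSTS = {"fileserver.example": pubkey_line(SAMPLE_PUBKEY, "root@fileserver")}
GOOD_LINE = pubkey_line(SAMPLE_PUBKEY)
TAMPERED_LINE = pubkey_line(TAMPERED_PUBKEY)


def demo() -> dict:
    """Run the three interesting cases and return their verdicts."""
    return {
        "pinned_fingerprint": fingerprint(parse_pubkey_line(GOOD_LINE)[1]),
        "same_key": check_host_key(KNOWN_HOSTS, "fileserver.example", GOOD_LINE),
        "changed_key": check_host_key(KNOWN_HOSTS, "fileserver.example", TAMPERED_LINE),
        "new_host": check_host_key(KNOWN_HOSTS, "other.example", GOOD_LINE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point the example makes is the one Jan J raises: the pin store only helps once the first key has been verified by some other channel, which is why the "unknown" verdict is returned rather than silently accepted; what the fingerprint buys you is that the out-of-band check is a short string rather than the whole key.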

      3. By scott () ess see oh tee tee AT mutiny.net on mailto:ess see oh tee tee AT mutiny.net

        Something like this?

        http://www.fs.net/

        SFS is a secure, global network file system with completely decentralized control. SFS lets you access your files from anywhere and share them with anyone, anywhere. Anyone can set up an SFS server, and any user can access any server from any client. SFS lets you share files across administrative realms without involving administrators or certification authorities.

        Comments
        1. By RC () on

          It's... nice... But why have another protocol? Why not use SCP in its current form? It already has everything needed, we just need to be able to mount a server as part of the filesystem, rather than needing to use scp/sftp from the commandline.

    3. By Anonymous Coward () on

      ... at least for me anyways.

      I've tried to resolve the issue to no avail. A base openbsd install and sharity installed either from ports or packages both fail. I've used sharity-light under all the previous versions of obsd with the same commands with no problem.

      Any ideas on why sharity isn't working properly?
      after executing this command:
      /usr/local/sbin/shlight //servername/share /localmount -n
      I always get this error:
      error connecting to server: [1] Operation not permitted

      Comments
      1. By Guruh () on

        You should try to use the parameter -P "" instead of -n, I've had trouble with -n but with -P "" it worked flawlessly.

      2. By Anonymous Coward () on

        /usr/local/sbin/shlight //compname/sharename_on_compname /root/mnt/blaat -U username_on_compname -u 0 -g 0 -f 755 -d 755

        also check the man

        that's what i use, works fine :) but i'd rather have smbmount, or like someone else said scpfs/sshfs because sharity-light works rather slow.

  4. By Nisse () .. on ..

    Is there anyone else than me that has problems with samba hanging obsd boxes under heavy traffic?

    And no the hw is not crappy ;)

    Comments
    1. By Anonymous Coward () on

      We had... and with 'non crappy hardware' too.
      It turned out to be an IRQ conflict (with either the VGA or the SCSI card, I cannot remember). It was solved by moving the ethernet card (fxp) to another PCI slot.

      Comments
      1. By rX () on

        anyone know how to change the dma mode
        at boot ?
        mine start in mode 2 and must downgrade with errors..
        thanks

  5. By Rob Lessard () on

    Started working with the samba-3.0alpha20 from the samba download site. I looked in the latest OBSD ports tree dated 1-6-03 and saw 2.2.7 as the latest version.

    Anyway, the samba ADS (active directory) how to, states that the Heimdal libraries will not work in setting up a samba 3 system for kerberos authentication in an ADS environment. You must use the MIT libraries.

    The implication was that you have a win2k domain controller running ADS, a win2k kdc and you are replacing a file or application server with a samba 3 system. This is making the assumption that the samba system would have to conform to the win2k standards.

    I do not know what the impact of the above would be if you were attempting to use OBSD/samba 3 to replace the password servers/kdc and would therefore be authenticating to a heimdal system.

  6. By Bolke de Bruin () bolke@skoll.nl on http://www.skoll.nl

    I have been using 3.0alpha9 for about 1.5 years now; very nice indeed especially with usergroups in place.

    No ldap used yet though, I might when they start mimicking an AD DC.

  7. By Anonymous Coward () on

    I wonder if good software is one of the promises this time.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]