Enterprise Linux Log - A SearchEnterpriseLinux.com blog



A blog for Linux administrators covering Red Hat, SUSE, Ubuntu, Linux in data centers, Oracle Linux, Linux vs. Windows, Linux vs. Unix, interoperability, migration, the Linux kernel and more.

Set up a Samba Domain Controller with LDAP for Ubuntu server

Hey Ubuntu fans – ever wanted a domain controller with an LDAP back end for a server but couldn’t bring yourself to run Windows? Well, the guys over at HowtoForge assembled a great how-to guide for setting up a Samba Domain Controller with an OpenLDAP directory that authenticates like a Windows Server 2003 Domain Controller. The Samba LDAP configuration doesn’t make for a fully comparable Windows domain controller, but it does give your Ubuntu server LDAP authentication (so you have that going for you, which is nice). And the author also points out that this setup can be expanded to spread out authentication over multiple networks to include slave servers and Microsoft XP boxes.

If that interests you, check out the sample chapter on OpenLDAP and the guide to Samba and Active Directory on SearchEnterpriseLinux.com.

(Does the Caddyshack reference make up for the shameless plug?)

Security alert: Remote Code Execution in Samba’s nmbd

Samba release manager Jerry Carter once told me that the majority of “bugs” in Samba that get reported by users are actually misconfigurations of that user’s own system, or a problem with Microsoft Windows, and are not the fault of Samba.

In one of the rare tips I’ve written for SearchEnterpriseLinux.com, Carter said the next time a user comes knocking on your door with an Access Denied error message and blames it on Samba, tell them to slow down. Most of the time, it’s not Samba’s fault, he said. “Our motto is ‘Bug for bug, feature for feature, we are completely compatible with Microsoft Windows,’” Carter said.

However, Carter also said that if there was a legitimate bug, the Samba team had no problem admitting it existed and working post haste to get it resolved. Today, the Samba team reported a security issue with Samba’s code, as well as a patch to fix it.

Description
===========

Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the “wins support” parameter has been enabled in smb.conf.

Patch Availability
==================

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 3.0.27 has been issued as a security release to correct the defect.

Workaround
==========

Samba administrators may avoid this security issue by disabling the “wins support” feature in the hosts smb.conf file.
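As an added check (not from the advisory or from the Samba project), the Python below parses an smb.conf and reports whether a host matches the two conditions the advisory names: “wins support” turned on in `[global]` and a Samba version older than the 3.0.27 security release. The sample configurations and version strings are constructed for the example; the parser covers only the subset of smb.conf syntax needed here (no `include` or `config file` directives), and the version comparison assumes no vendor has backported the patch under an older version number.

```python
import re

# Constructed sample configuration (not taken from the page).
VULNERABLE_CONF = """\
# Samba configuration -- constructed example
[global]
   workgroup = EXAMPLE
   server string = file server
   # nmbd acts as a WINS server: this is the exposed setting
   Wins Support = Yes
   netbios name = FILESRV

[public]
   path = /srv/public
   read only = no
"""

# The workaround from the advisory applied to the same file.
HARDENED_CONF = VULNERABLE_CONF.replace("Wins Support = Yes", "wins support = no")

FIXED_VERSION = (3, 0, 27)  # first security release that corrects the defect


def parse_smb_conf(text):
    """Minimal smb.conf parser returning {section: {key: value}}.

    Samba treats parameter names case-insensitively and ignores extra
    whitespace inside them, so keys are normalised to lower case with single
    spaces. Lines starting with '#' or ';' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def samba_bool(value, default=False):
    """Interpret a Samba boolean value (yes/true/1 or no/false/0)."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return default


def wins_support_enabled(conf_text):
    """True when [global] turns on 'wins support' (Samba's default is no)."""
    global_section = parse_smb_conf(conf_text).get("global", {})
    return samba_bool(global_section.get("wins support", "no"))


def parse_version(version_output):
    """Turn e.g. 'Version 3.0.26a' (the form printed by smbd -V) into (3, 0, 26).
    Letter suffixes mark maintenance releases of the same number and are ignored."""
    numbers = re.findall(r"\d+", version_output)
    return tuple(int(n) for n in numbers[:3])


def exposed_to_nmbd_defect(version_output, conf_text):
    """Both advisory conditions must hold for the host to be exposed.
    Assumption: the installed build carries no backported fix; check the
    vendor changelog before trusting the version comparison on its own."""
    return parse_version(version_output) < FIXED_VERSION and wins_support_enabled(conf_text)


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, "at 3.0.26a exposed:", exposed_to_nmbd_defect("Version 3.0.26a", conf))
```

On a real host, feed the function the output of `smbd -V` and the contents of the live smb.conf; a `testparm -s` dump is a convenient normalised source, since it expands the defaults that a hand-written file leaves implicit.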

Credits
=======

This vulnerability was reported to Samba developers by Alin Rad Pop, Secunia Research.

The time line is as follows:

  • Oct 30, 2007: Initial report to security@samba.org.
  • Oct 30, 2007: First response from Samba developers confirming the bug along with a proposed patch.
  • Nov 15, 2007: Public security advisory to be made available.

“Our Code, Our Bugs, Our Responsibility.” – The Samba Team

Tutorial on Ubuntu 7.10 (Gutsy Gibbon) Samba standalone server with tdbsam back end

From HowtoForge comes a timely tip and tutorial about installing a Samba fileserver on Ubuntu 7.10. The tutorial, submitted by Falko Timme, a system developer based in Germany, also covers how to configure the file server to share files over the SMB protocol and how to add users.

“Samba is configured as standalone server, not as a domain controller. For this setup, I will use the Ubuntu Server installation CD but the same installation procedure will work on an Ubuntu desktop as well,” Timme said.

I’d be remiss if I didn’t also pitch SearchEnterpriseLinux.com’s wealth of Samba tips and news, some of which, coincidentally enough, were compiled by yours truly.

But you want more? You can also check out our Exploring Samba and Active Directory integration options landing page that was compiled by site expert Sander van Vugt. In that compilation, van Vugt discusses everything from Samba basics, to installation, to administration and migration. If you have no idea what Samba is, I salute you for reading this far, but I still encourage you to check out Sander’s tips — he defines Samba in the first paragraph :-)

Check it out.

First preview of Samba 3.2.0 now available for download

This news broke on Sept. 28, but I was so excited about October that I thought it would be cool to post it on October 1. OK, now that I’ve sufficiently covered my butt with an excuse, I give you the 3.2.0 preview release of Samba.

Cue the streamers:

Major enhancements in Samba 3.2.0 include:

File Serving:

  • Use of IDL generated parsing layer for several DCE/RPC interfaces.
  • Removal of the 1024 byte limit on pathnames and 256 byte limit on filename components to honor the MAX_PATH setting from the host OS.
  • Introduction of a registry based configuration system.
  • Improved CIFS Unix Extensions support.
  • Experimental support for file serving clusters.

Winbind and Active Directory Integration:

  • Full support for Windows 2003 cross-forest, transitive trusts and one-way domain trusts
  • Support for userPrincipalName logons via pam_winbind and NSS lookups.
  • Support in pam_winbind for logging on using the userPrincipalName.
  • Expansion of nested domain groups via NSS calls.
  • Support for Active Directory LDAP Signing policy.

Users & Groups:

  • New ldb backend for local group mapping tables
  • Raised level of security defaults for authentication operations.

Note that this is also the first time that Samba is being released under the GPLv3. The Samba Team adopted version 3.0 of the GNU General Public License for the 3.2 and later releases as of September.

Of Samba bugs and 3.0.26a

We just put a Samba tip up the other day regarding bugs and bug fixes, so it’s kind of ironic that Jerry Carter, release manager for the Samba team, sent out a few bug updates today to the mailing list.

The first, complete with patch availability:

===========
Description
===========

The idmap_ad.so library provides an nss_info extension to Winbind for retrieving a user’s home directory path, login shell and primary group id from an Active Directory domain controller. This functionality is enabled by defining the “winbind nss info” smb.conf option to either “sfu” or “rfc2307”.

Both the Windows “Identity Management for Unix” and “Services for Unix” MMC plug-ins allow a user to be assigned a primary group for Unix clients that differs from the user’s Windows primary group.
When the rfc2307 or sfu nss_info plugin has been enabled, in the absence of either the RFC2307 or SFU primary group attribute, Winbind will assign a primary group ID of 0 to the domain user queried using the getpwnam() C library call.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 3.0.26 has been issued as a security release to correct the defect.

==========
Workaround
==========

Samba and Active Directory administrators may avoid this security issue by two methods:

(a) Ensure that all users stored in AD are properly assigned a Unix primary group, or
(b) Discontinue use of the sfu or rfc2307 “winbind nss info” plugin until a patched version of the idmap_ad.so library can be installed.

Note that the problem is only evident on servers using the sfu or rfc2307 “winbind nss info” plugin and not those only making use of Winbind’s idmap_ad IDMap backend interface.
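To make the defect and workaround (a) concrete, here is an added Python example that is not Samba code and not from the advisory. It models what the nss_info plugin reads from a user entry, shows the defective fallback to gid 0 next to a lookup that refuses instead, and provides the audit an administrator would run to find users lacking a Unix primary group. The attribute names per schema and the user entries are assumptions constructed for the example; whether the real patch fails the lookup in exactly this way is not stated on the page.

```python
# Attribute each "winbind nss info" schema reads for the Unix primary group.
# Assumption for this example: RFC2307 stores it in gidNumber, the Windows
# Services for Unix schema in msSFU30GidNumber.
PRIMARY_GID_ATTR = {"rfc2307": "gidNumber", "sfu": "msSFU30GidNumber"}

# Constructed AD user entries, shaped like results of a directory search.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "gidNumber": "10001", "msSFU30GidNumber": "10001"},
    {"sAMAccountName": "bob", "msSFU30GidNumber": "10002"},  # no RFC2307 group
    {"sAMAccountName": "carol", "gidNumber": "0"},            # explicit gid 0
    {"sAMAccountName": "dave"},                                # no Unix attributes
]


def unix_primary_gid(entry, schema):
    """Return the Unix primary gid from the schema's attribute, or None when it
    is absent or unusable. gid 0 (root's group) is never acceptable for a
    domain user, so it is treated like a missing attribute."""
    raw = entry.get(PRIMARY_GID_ATTR[schema])
    if raw is None:
        return None
    try:
        gid = int(raw)
    except (TypeError, ValueError):
        return None
    return gid if gid > 0 else None


def unpatched_lookup(entry, schema):
    """Model of the defect described above: an absent attribute silently
    becomes primary group 0 in the getpwnam() result."""
    gid = unix_primary_gid(entry, schema)
    return 0 if gid is None else gid


def patched_lookup(entry, schema):
    """Safe behaviour: fail the lookup rather than hand out gid 0.
    (Assumption: the real fix may signal the failure differently.)"""
    gid = unix_primary_gid(entry, schema)
    if gid is None:
        raise LookupError(f"{entry['sAMAccountName']}: no Unix primary group in {schema} schema")
    return gid


def lookup_refused(entry, schema):
    """True when the safe lookup rejects the user instead of assigning gid 0."""
    try:
        patched_lookup(entry, schema)
    except LookupError:
        return True
    return False


def audit_missing_primary_group(entries, schema):
    """Workaround (a) as an audit: account names that would resolve to gid 0
    under the given 'winbind nss info' schema."""
    return [e["sAMAccountName"] for e in entries if unix_primary_gid(e, schema) is None]


if __name__ == "__main__":
    for schema in PRIMARY_GID_ATTR:
        print(schema, "users lacking a Unix primary group:",
              audit_missing_primary_group(SAMPLE_ENTRIES, schema))
    print("unpatched gid for dave:", unpatched_lookup(SAMPLE_ENTRIES[3], "rfc2307"))
```

Run the audit against a real export of the user container for whichever schema smb.conf selects; any name it prints is a user that, on an unpatched server, lands in the root group after `getent passwd` or a login.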

There is also version 3.0.26a available for download today, complete with bug fix (Memory leaks in Winbind’s IDMap manager).

The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from:

http://download.samba.org/samba/ftp/

The release notes are available online at:

http://www.samba.org/samba/history/samba-3.0.26a.html

Binary packages will be made available on a volunteer basis at

http://download.samba.org/samba/ftp/Binary_Packages/

Linux Done Right: A user’s pleasant surprise

Consider this the first in an occasional, meandering series of articles on Linux done right. These aren’t meant to boost the sales of any particular vendor, but instead are meant to show other end users, IT managers and decision makers what to look for when vetting applications and operating system migrations. It can be support, migrations strategies, execution or anything and everything in between. If it’s Linux done right, then you’ll find it here.


First, a little background.

I initially spoke with John Flores, a system administrator with the University of Texas at San Antonio, earlier this year for a broad SearchEnterpriseLinux.com article on Linux support. The article focused on the good, the bad and the ugly of working with commercial Linux distributors, as well as with the alternatives like CentOS and Debian. It was also a comparison of the past, present and future of Linux support as a whole.

Flores and his data center — like many data centers today — were at a crossroads. He was using Windows NT as his domain controller, but it was update time as a few Dell servers were past their prime and new ones were set to be introduced in the summer of 2006.

“We had an old Dell 6300 that was to be put out of service … it was what was running the NT 4.0,” Flores told me. “Rather than move NT 4.0 to a new server, we were looking for an OS that could put onto a new server and it was going to be either Linux or MS.”

But old servers weren’t the only issue at the U of T that summer. Flores explained that NT 4.0 had become “unstable, mostly due to age.” The software configurations were also old and difficult to maintain, he said, and a lot of “junk” had accumulated over the years. The clutter was quickly becoming a maintenance issue for the IT staff, he said. “We were having a server failure almost once every two weeks. A server would have a major problem so we’d have to reboot it and bring it back up again,” Flores said. But then things got even worse.

“Because this is a university environment, we have a whole new set of something like 5,000 users changing over every semester. We have to log all those IDs and passwords every semester.”

More on Samba4 alpha1…

A Samba4 update from Andrew Bartlett hit my Inbox this morning with an overview of all the new features.

NEW FEATURES
============

Samba4 supports the server-side of the Active Directory logon environment used by Windows 2000 and later, so we can do full domain join and domain logon operations with these clients.

Our Domain Controller (DC) implementation includes our own built-in LDAP server and Kerberos Key Distribution Center (KDC) as well as the Samba3-like logon services provided over CIFS. We correctly generate the infamous Kerberos PAC, and include it with the Kerberos tickets we issue.

The new VFS features in Samba 4 adapt the filesystem on the server to match the Windows client semantics, allowing Samba 4 to better match Windows behaviour and application expectations. This includes file annotation information (in streams) and NT ACLs in particular. The VFS is backed with an extensive automated test suite.

A new scripting interface has been added to Samba 4, allowing JavaScript programs to interface to Samba’s internals.
The Samba 4 architecture is based around an LDAP-like database that can use a range of modular backends. One of the backends supports standards compliant LDAP servers (including OpenLDAP), and we are working on modules to map between AD-like behaviours and this backend.
We are aiming for Samba 4 to be a powerful frontend to large directories.

There’s also a warning to read, because this is NOT a production level release!

Bartlett:

Samba4 alpha1 is not a final Samba release. That is more a reference to Samba4’s lack of the features we expect you will need than a statement of code quality, but clearly it hasn’t seen a broad deployment yet. If you were to upgrade Samba3 (or indeed Windows) to Samba4, you would find many things work, but that other key features you may have relied on simply are not there yet.

For example, while Samba 3.0 is an excellent member of an Active Directory domain, Samba4 is happier as a domain controller (this is where we have done most of the research and development).

While Samba4 is subjected to an awesome battery of tests on an automated basis, and we have found Samba4 to be very stable in its behaviour, we have to recommend against upgrading production servers from Samba 3 to Samba 4 at this stage. If you are upgrading an experimental server, or looking to develop and test Samba, you should back up all configuration and data.

You can check out an interview I did with Samba’s release manager Jerry Carter (who actually works more on Samba 3.0.25, fyi) about how Samba4 is making Active Directory “Linux friendlier.”

Samba 4.0.0 alpha1 available for download

If I had a klaxon I’d be sounding it right now, because there’s some Samba 4 news to bring to you this afternoon. No, not Samba 3 — 4.0! It’s a rare treat, and one that we haven’t had the pleasure of digesting for quite a while now.

Via the Samba News page: 

Samba 4 is the ambitious next version of the Samba suite that is being developed in parallel to the stable 3.0 series. The main emphasis in this branch is support for the Active Directory logon protocols used by Windows 2000 and above.

Samba 4 is currently not yet in a state where it is usable in production environments. Note the WARNINGS in WHATSNEW.txt in the source and the STATUS file which aims to document what should and should not work.

Samba4 alpha1 is the culmination of 4.5 years of development under our belt since Tridge first proposed a new Virtual File System (VFS) layer for Samba3 (a project which eventually led to our Active Directory efforts), and 1.5 years since we first released a Technology Preview. We wish to allow users, managers and developers to see how we have progressed, and to invite feedback and support.

This release has been signed using GPG with Andrew Bartlett’s GPG key (28B436BB). The source code can be downloaded now.

Remember, there are two distinct development efforts going on at Samba right now. This is a different beast from the 3.0 release, and should be treated as such!
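Both the 3.0.26a announcement (signed with key ID 6568B7EA) and this alpha1 announcement (key ID 28B436BB) tell you which key signed the release; the point of checking is not just that gpg says “Good signature” but that the signature comes from the expected key. The Python below is an added example, not Samba tooling: `verify_status` applies that policy to gpg’s machine-readable `--status-fd` output, and `verify_release` runs gpg on a downloaded tarball (it assumes gpg is on PATH and the release key has already been imported). The status lines and the fingerprint in them are constructed; only the last eight hex digits correspond to the key IDs on the page.

```python
import subprocess

# Short key IDs as given in the two announcements on this page.
RELEASE_KEY_IDS = {"samba-3.0.26a": "6568B7EA", "samba-4.0.0alpha1": "28B436BB"}

# Constructed gpg --status-fd output for a good signature. The fingerprint is
# invented for the example; it merely ends in the page's 3.0.26a key ID.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3C2D1E0F6568B7EA Example Release Key (constructed) <release@example.invalid>
[GNUPG:] VALIDSIG F0E1D2C3B4A5968778695A4B3C2D1E0F6568B7EA 2007-09-11 1189500000 0 4 0 17 2 00 F0E1D2C3B4A5968778695A4B3C2D1E0F6568B7EA
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed output for a tampered tarball (signature does not match).
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 3C2D1E0F6568B7EA Example Release Key (constructed) <release@example.invalid>
"""

# Status tags that mean the signature must not be trusted.
FAILURE_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def verify_status(status_text, expected_key_id):
    """Decide from gpg status lines whether a detached signature is good AND
    was made by the expected key. Returns (ok, reason)."""
    good_keyid = None
    signing_fpr = None
    failure = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag = parts[1]
        if tag == "GOODSIG" and len(parts) > 2:
            good_keyid = parts[2]
        elif tag == "VALIDSIG" and len(parts) > 2:
            signing_fpr = parts[2]  # fingerprint of the key that made the signature
        elif tag in FAILURE_TAGS:
            failure = tag
    if failure:
        return False, f"gpg reported {failure}"
    if good_keyid is None or signing_fpr is None:
        return False, "no good signature found"
    # A short key ID is the last 8 hex digits of the fingerprint. Short IDs are
    # cheap to collide, so pin the full fingerprint wherever one is published.
    if not signing_fpr.upper().endswith(expected_key_id.upper()):
        return False, f"signed by {signing_fpr}, not expected key {expected_key_id}"
    return True, f"good signature from key ending {expected_key_id}"


def verify_release(tarball, signature, expected_key_id):
    """Run gpg on a downloaded release and apply the policy above to its
    status output. Requires gpg on PATH and the public key already imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True,
    )
    return verify_status(proc.stdout, expected_key_id)


if __name__ == "__main__":
    print(verify_status(GOOD_STATUS, RELEASE_KEY_IDS["samba-3.0.26a"]))
    print(verify_status(GOOD_STATUS, RELEASE_KEY_IDS["samba-4.0.0alpha1"]))
    print(verify_status(BAD_STATUS, RELEASE_KEY_IDS["samba-3.0.26a"]))
```

Note that the announcements say the uncompressed tarballs are what is signed, so decompress the download first and hand `verify_release` the `.tar` together with its `.asc` file.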

Samba 3.0.25c Available for Download

It’s always a fun morning when the Samba team fires off another stable production release of their namesake open source project. Today, Samba’s Jerry Carter mailed the Samba mailing list with an update on 3.0.25c — it’s available!

This is the latest production release of the Samba 3.0.25 code base and is the version that servers should run for all current bug fixes.

Major bug fixes included in Samba 3.0.25c are:

  • File sharing with Windows 9x clients.
  • Winbind running out of file descriptors due to stalled child processes.
  • MS-DFS interoperability issues.

The source code can be downloaded from: http://download.samba.org/samba/ftp/

The release notes are available online at: http://www.samba.org/samba/history/samba-3.0.25c.html

Binary packages are available at http://download.samba.org/samba/ftp/Binary_Packages/

Enjoy!

Jeremy Allison: Samba team to adopt GPLv3

A letter from Samba contributor Jeremy Allison confirmed today that the Samba Team has decided to adopt the GPLv3 and LGPLv3 licenses for all future releases of Samba.

The GPLv3 is the updated version of the GPLv2 license under which Samba is currently distributed. Over the course of the past year the Free Software Foundation (FSF) has held an open vetting process with its members and with the open source software community at large to update the license. Areas of focus, according to GPL inventor Richard Stallman, include compatibility with other licenses and easier international adoption.

When contacted by SearchEnterpriseLinux.com, Samba project release manager Jerry Carter said the differences between the GPLv2 and GPLv3 will primarily be of interest to people developing Samba and/or redistributing Samba. “End users of Samba, whether they received packages from a vendor or downloaded the source directly from samba.org, should be able to proceed with business as usual,” he said.

Mind your Samba release numbers

“To allow people to distinguish which Samba version is released with the new GPLv3 license, we are updating our next version release number,” Allison said.

The next planned version Samba release was to be 3.0.26, but this will now be renumbered so the GPLv3 version release will be 3.2.0 instead. To be clear, all versions of Samba numbered 3.2 and later will be under the GPLv3, all versions of Samba numbered 3.0.x and before remain under the GPLv2.

New code contributions will be accepted in exactly the same way as before, Allison said. “As Samba has always accepted code with the ‘or (at your option) any later version’ of the GPL, contributors do not need to change anything about their submissions,” he said.

As with previous major version changes, the Samba team will continue to provide security fixes for 3.0.25b releases for as long as this code base is widely used. All new features will only be developed for the new 3.2.x or later GPLv3 versions, however.

GPLv2 vs. GPLv3

The Samba Team currently releases libraries under two licenses: the GPLv3 and the LGPLv3. According to members of the Samba team, if a contributor’s code is released under a “GPLv2 or later” license, it is compatible with both the GPLv3 and the LGPLv3 licensed Samba code. However, if your code is released under a “GPLv2 only” license, it is not compatible with the Samba libraries released under the GPLv3 or LGPLv3 as the wording of the “GPLv2 only” license prevents mixing with other licenses.

“If you wish to use libraries released under the LGPLv3 with your ‘GPLv2 only’ code then you will need to modify the license on your code,” Allison said.

Software patent covenants

Patent covenant deals done after March 28, 2007, are explicitly incompatible with the license if they are “discriminatory” under section 11 of the GPLv3.

Samba distributors who have made such patent covenant agreements after that date will not have the right to distribute any version of Samba covered by the GPLv3 (Samba 3.2 or later). The rights of vendors to ship 3.0.25b and previous versions are unchanged and remain as they were under the GPLv2. Consult legal advice if you are in doubt.

This particular passage in the GPLv3 was made specifically by the FSF to target deals similar to the one struck by Microsoft and Novell Inc. in November 2006. As part of that deal, Microsoft offers sales support for Novell’s SUSE Linux Enterprise Server (SLES). The two companies also have announced plans to simplify running Windows and SUSE Linux in mixed operating system environments.