"We believe that just because a company may choose to run Microsoft Windows as a desktop OS [operating system], they should not be compelled to run Microsoft's servers," said Andrew Bartlett, a member of the Samba Team, a group of about 30 people from all over the world who contribute regularly to Samba.
Samba 4 is about expansion. It expands Samba beyond its Windows client-based file and print sharing roots into new roles by bringing greater Active Directory (AD) functionality than Samba 3 offers. Greater authentication and a new role as a login server are also coming.
Boosting Active Directory
Samba is already popular among Windows administrators for its ability to "drop-in" Linux file and print sharing services into a Windows environment. With today's Samba 3, for example, a best practice executed by many administrators is joining the application to a Windows Active Directory domain. The advantages of domain membership include central management and single sign-on.
Unfortunately, implementing AD functionality in Samba -- while very important -- has been a pain in mixed environments, according to Bartlett. Making the Samba-AD relationship more harmonious was a key goal in creating a new release.
Samba 3 has support for being a member of an Active Directory domain, as well as its ability to be a Windows NT 4.0-compatible DC. Samba 4 takes this approach further and will be aimed at integrating the newer AD logon protocols that Windows clients prefer to use, according to Bartlett.
"Samba 4 is very important, as the native login protocols of Windows clients are not standard and not documented," he added.
Existing features in Samba 3 allow a user to have single sign-on, and other similar features to a Microsoft server, via a Samba LDAP server with Kerberos. Lightweight Directory Access Protocol (LDAP) is a networking protocol for querying and modifying directory services. In this sense, Samba 3 is "almost equivalent or comparable" to Microsoft Server 2003 for file and print services, said Mark Hinkle, vice president of strategy/business development for Emu Software Inc., an open source configuration management company in Cary, N.C.
"Users can use Samba and sign on through an AD server, but not as easily as a Windows administrator," Hinkle said. "The big issue is that [with Samba 3] there are a number of steps you have to go through to authenticate AD via Samba."
Hinkle thinks the authentication process is too hard today. For instance, when you drop Samba print and file services into a Windows environment, there are too many protocols that need to be enacted to authenticate off an LDAP directory.
Kerberos at the gate
By providing an Active Directory-compatible login server, called the Domain Controller, the Samba Team hopes to move Samba beyond NT4. In particular, Bartlett wants to enable Kerberos logins from Windows workstations. Indeed, he said, the role of Kerberos will be important because this network authentication protocol is one of the essential ones found in Active Directory.
Kerberos allows individuals communicating over an insecure network to prove their identity to one another in a secure manner. It prevents eavesdropping or replay attacks and ensures data integrity. Kerberos designers at the Massachusetts Institute of Technology focused on a client-server model, so this tool provides mutual authentication; both the user and the server verify each other's identity.
Kerberos in Samba not only reduces network load, but it introduces the ability to do things like smart card login as well. "Microsoft extended Kerberos to provide authorization information along with proof of identity in a controversial extension known as the PAC (privilege attribute certificate)," Bartlett said. "Samba 4 includes its own key distribution center (KDC), the center of a 'Kerberized' network, which issues tickets to Windows clients and servers in the way they expect that from AD, including the infamous PAC."
Virtual files, virtual machines
The Samba Team is building a more expansive Microsoft Virtual File System (VFS) layer into Samba 4.
VFS should enable filesystem writers to grow new and interesting features that Windows clients desire, according to Bartlett. With that added capability, Samba can be modified to export those facilities to those clients. "In past versions of Samba, the VFS was very much based around posix filesystem semantics," he said.
The VFS layer could serve as a common Internet file system (CIFS) proxy. "While nobody is putting company names to it, some of the inquiries we have seen on the [Samba] mailing list indicate interest here," said Bartlett. "There is a lot of venture capitalist money in the CIFS accelerator space, and I think Samba 4 would be a cool basis for such a product."
CIFS work is integral to the Samba project because of the importance of the SMB (server message block) protocol in interacting with the Windows platform. Samba was created to provide a free means of compatibility between SMB's Windows-based clients and servers running non-Microsoft operating systems.
Reaching beyond file and print service
Through three full versions, Samba has become an authentication and login server, has provided a client library, domain member management utilities and many other things. Today, Bartlett and the team at Samba.org see it extending its file-sharing focus to provide better Linux-to-Linux file sharing.
"Samba 4 is striving far beyond being a file and print server," Bartlett said. "The role of the AD-compatible domain controller is a key goal of the Samba 4 effort."
To help reach those goals, the Samba Team needs input from users and urges them to try out the preview available now and for the upcoming betas. "Code beats vaporware every time," Bartlett said.