The changes also push Samba 3 along its path toward making Linux machines behave a bit more like Windows, said Samba release manager Jerry Carter.
Offline logon support
First and foremost, offline logon support that was originally installed into the 3.0.23 source code is being revamped thanks to a month of testing since the last preview release. The Samba team, a group of more than 20 core developers worldwide, routinely submits preview releases to the Samba mailing list for testing by the overall Samba community.
The result of the current round of testing prompted the Samba team to make Linux machines support disconnected logons just like in Windows, Carter said. "So, for example, you can join a Linux host to a Windows domain, unplug it and go on the road and still be able to log on using your domain user account," he said.
Joining Active Directory domains
"We also have the capability now to register the host's domain name system [DNS] records when joining an Active Directory (AD) domain just like Windows does," Carter said. This capability can also be integrated into DHCP client hooks on Unix and Linux servers to ensure the DNS records are up to date whenever the server obtains a new IP address.
This new Active Directory site support also allows winbind and other applications in the Samba suite to locate the closest domain controller based on the site partitions configured in AD. When a new machine moves to a new location, you can be guaranteed that it will find a domain controller in its own site rather than contacting one at the other end of potentially expensive WAN links.
Winbind is a component of Samba that addresses the unified logon problem. Winbind uses a Unix implementation of Microsoft remote procedure calls, pluggable authentication modules (PAM) and the name service switch (NSS) to allow Windows NT domain users to appear and operate as Unix users on a Unix machine. Getting stuff to "just work" between Linux, Unix and Windows boxes has been described by the Samba team and other developers as a holy grail of technological achievements -- especially when you begin to talk about a unified logon between each of these operating systems.
Winbind and IDMAP
When it launches in April, the production 3.0.25 release of Samba will include a rewritten IDMAP interface for winbind that replaces the "idmap backend" parameter. The primary purpose of the new IDMAP interface, Carter said, is to allow winbind to use Active Directory SID/uid/gid (security ID, user ID and group ID) mapping tables on a per-domain basis. The preview release tested this functionality extensively to make it ready in time for launch.
With that in place, Samba will be able to better leverage information contained within Active Directory. "If the Samba host is joined to an Active Directory domain supporting Unix schema attributes -- like RFC2307 or the SFU schema -- winbind could retrieve that information from AD while mapping domain users and groups in a trusted Samba domain using the underlying Name Service Switch interface," Carter wrote in an email.
This matters because mapping SIDs to uids/gids is one of the most critical pieces of server interoperability between Unix/Linux and Windows hosts. The additional flexibility gives an administrator more control over selecting the right application for a company's network.
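The following Python sketch is an added illustration, not code from the article or from Samba. It shows why SID-to-uid mapping is kept per domain: two accounts with the same RID in different domains must land on different uids, and an unknown domain or an out-of-range RID must be refused. The domain SIDs, uid ranges and the "range low + RID" rule are constructed assumptions.

```python
# Added illustration: per-domain SID -> uid mapping with disjoint ranges.
# The domain SIDs, ranges and the "range low + RID" rule are constructed
# assumptions for this sketch, not Samba's implementation.
from typing import NamedTuple


class DomainMap(NamedTuple):
    name: str
    low: int    # first uid reserved for this domain
    high: int   # last uid reserved for this domain


# Constructed sample configuration: one entry per trusted domain SID.
DOMAINS = {
    "S-1-5-21-1111111111-2222222222-3333333333": DomainMap("CORP", 10000, 19999),
    "S-1-5-21-4444444444-5555555555-6666666666": DomainMap("LAB", 20000, 29999),
}


def split_sid(sid: str) -> tuple[str, int]:
    """Split a textual SID into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_uid(sid: str, domains: dict[str, DomainMap] = DOMAINS) -> int:
    """Map a SID to a uid inside the range reserved for its own domain."""
    domain_sid, rid = split_sid(sid)
    dom = domains.get(domain_sid)
    if dom is None:
        # Fail closed: an unknown domain must never land on an existing uid.
        raise LookupError(f"no mapping configured for domain {domain_sid}")
    uid = dom.low + rid
    if uid > dom.high:
        # Refuse rather than spill into the next domain's range.
        raise OverflowError(f"RID {rid} does not fit the {dom.name} range")
    return uid


if __name__ == "__main__":
    for s in ("S-1-5-21-1111111111-2222222222-3333333333-1104",
              "S-1-5-21-4444444444-5555555555-6666666666-1104"):
        print(s, "->", sid_to_uid(s))
```

A mapping keyed on the RID alone would give both sample accounts the same uid, which on a file server means one domain's user inherits the other's file ownership.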
Finally, the changes to the Samba Virtual File System interface will allow the Samba server daemon (smbd) to support multiple Access Control List implementations without having to recompile the server. With this configuration, smbd can load providers for interfacing with NFSv4 ACLs and local POSIX ACLs at the same time for different file shares.