Modern networks must support several platforms and services. Of these services, few are more important than file and printer sharing and authentication. While UNIX runs the backends of many companies, Windows is a major desktop player in the business world. Interoperability is essential.
Samba, the SMB/CIFS file and print server, is an important piece of the puzzle. It runs on several platforms, including UNIX, Linux, and FreeBSD, and supports several advanced features. Most UNIX administrators are already familiar with Samba, insofar as they are conscious of its mission and accomplishments. However, few are really aware of how far it has come, nor do they know where the Samba team plans to go.
This article will cover many of the new and exciting features both in Samba 2.2 (the current stable version at the time of writing is 2.2.4) and the upcoming 3.0 release. My goal is not to provide a technical guide to implementing Samba. There are many excellent articles and books covering this topic already. Rather, my objective is to discuss how remarkable Samba is now and where it will improve in the future.
Before that, let's review the basics. Samba is itself a collection of services running primarily on UNIX and UNIX-workalikes. It primarily offers Windows file and printer sharing. Samba also provides authentication services and integrates into PAM (Pluggable Authentication Module) aware systems such as Linux and Solaris.
What benefits does Samba bring to an organization? Primarily, Samba is highly reliable. Several network appliances use it for just that reason. More and more appliances use Windows these days, but Samba has proven itself in this niche for one simple reason: it just works.
Besides reliability, Samba offers high performance. Many benchmarks have pitted it against Windows 2000. Despite some conflicting reports, Samba usually prevails. Because of its high performance, the software can be found running at both workgroup and departmental levels.
The final major benefit is cost. Windows and even other UNIX-based commercial SMB/CIFS server solutions have initial and per user connection costs. Samba is truly free. For a large organization, investing in server software and client access licenses may be a small part of the overall purchasing decision. For many groups, it's hard to beat Samba's pricetag, leaving only the costs of hardware and support staff. Because of Samba's reliability and consistent configuration, support costs will also typically be lower.
As of version 2.2, the Samba team has made significant headway in enabling Samba servers to act as Primary Domain Controllers (PDC) in Windows NT 4 domains. This feature has existed in the past few minor releases, but has truly come into its own in version 2.2. It's very easy to use Samba as a PDC. Simply enable a few options in the Samba configuration file, add users to the local Samba password database, and build machine accounts for each Windows NT machine on the network.
Unfortunately, Samba still cannot work as a Backup Domain Controller (BDC),
nor can Samba push its local password database to a BDC as would a Windows PDC
with the Security Accounts Manager (SAM) database. However, if you are strictly
running Samba servers as domain controllers, you can get around this limitation
using tools such as
rsync to copy the local database. This
provides a level of redundancy which will allow you to use Samba PDCs at many
levels of your organization.
Newer releases contain two features to improve both performance and
compatibility. With opportunistic locks, or oplocks, Windows clients obtain
special read and write locks on files offered by Samba. In the past, this
feature has had compatibility issues. Version 2.2 addresses many of these
issues, working even more seamlessly in a Windows NT, 2000, or XP environment.
(For prior releases, a simple solution is to disable oplock support using the
The other feature shares locks between Samba and NFS. By offering this level of transparency between SMB/CIFS and NFS, sharing files between Windows and UNIX users no longer has the risk of file corruptions. Samba now makes an even better file sharing bridge between UNIX and Windows networks.
For the many administrators who wish to squeeze out every last bit of file server performance, Samba now offers internal profiling. Counters within the Samba software can now track the time spent in various functions and transactions. This will prove very useful for users who wish to track Samba's behavior under very high loads.
Samba 2.2 also offers better print serving capabilities in a Windows 2000 network. Windows clients can now easily download print drivers for Windows 95, 98, NT, 2000, and XP. Administrators can add drivers through the Windows Add Printer Wizard, or via Imprints. Imprints is shaping up to be quite a powerful tool to maintain a central database of print drivers that can be pushed to remote clients as from a Windows NT server.
Until recently, Samba has lacked Access Control List (ACL) support, with only a few adjustable permissions based on the traditional UNIX owner, group, and world model. Samba 2.2 offers full ACL support as long as the underlying operating system and file system support ACLs. This is possible in Linux with a small kernel patch.
Want to use Microsoft's Distributed
File System (Dfs)? Samba 2.2 makes it amazingly simple. Add a
[Dfs] section to your Samba configuration file, create a directory
[Dfs] share, and then create symbolic links for each Dfs
What about Single
Sign-On (SSO)? Samba supports increased SSO support with the
daemon, which works with PAM-aware services to integrate those services into a
Windows NT 4 domain. (Keep in mind that Active Directory (AD) can and often
does support NT 4 domains, and by extension, Samba and
Winbind.) If you want to
allow users to log into PAM-aware services such as Apache, FTP, or in-house
applications, go right ahead.
Unfortunately, Samba 2.2 does not yet provide Active Directory support. The upcoming Samba 3.0 release will support authentication against AD and access to other AD resources. As organizations continue to roll out directory services, AD support will be crucial.
Supporting AD in Samba 3.0 requires two other open source components, OpenLDAP and MIT Kerberos. OpenLDAP provices access to LDAP capabilities, and MIT Kerberos provides authentication access, an essential ingredient in Active Directory. If you have a test network, you can test the Active Directory support with the Samba 3.0 alpha.
Samba 3.0 also promises to support Windows NT Domain trust relationships. This will please larger organizations that rely on Samba. Trust relationships make it easier to support large classes of users even across domains.
On a lighter note, the Samba team definitely seems eager to help administrators move away from NT-based PDCs. Samba 3.0 will include tools to migrate accounts from native NT servers to Samba. If you aren't running a large domain then automated migration may not seem important. For users who are, this tool should ease their jobs.
Samba has come quite far from its humble roots as a simple SMB/CIFS file server. The Samba 2.2 release has introduced and tuned a sizeable number of features. These features, in conjunction with Samba's high reliability and performance, make Samba a great choice for workgroups, departments, and even the enterprise. Samba 3.0 will provide tighter integration into Active Directory networks, meaning better control for administrators and more transparency for users.
Dustin Puryear is a consultant providing expertise in managing and integrating UNIX and Windows systems and services, with a strong focus on open source.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.