Deploying IPv6-only Samba 4 Environments

Similar documents
Deploying Samba in IPv6 Networks

Samba and Vista with IPv6

IPv6 Enabling CIFS/SMB Applications

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

IPv6-only hosts in a dual stack environnment

IPv6 Trace Analysis using Wireshark Nalini Elkins, CEO Inside Products, Inc.

Personal Firewall Default Rules and Components

IPv4 and IPv6 Integration. Formation IPv6 Workshop Location, Date

Overview. Lecture 16: IP variations: IPv6, multicast, anycast. I think we have a problem. IPv6. IPv6 Key Features

Introduction to IP v6

Use Domain Name System and IP Version 6

Workshop on Scientific Applications for the Internet of Things (IoT) March

IPv6 Advantages. Yanick Pouffary.

How will the Migration from IPv4 to IPv6 Impact Voice and Visual Communication?

IPv6 Fundamentals: A Straightforward Approach

Joe Davies. Principal Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group June 1, 2011

Firewalls und IPv6 worauf Sie achten müssen!

ProCurve Networking IPv6 The Next Generation of Networking

Troubleshooting Tools

Homework 3 TCP/IP Network Monitoring and Management

464XLAT: Breaking Free of IPv4. APRICOT 2014

464XLAT: Breaking Free of IPv4. T-Mobile.com NANOG 61 June 2014

Vicenza.linux.it\LinuxCafe 1

Guideline for setting up a functional VPN

Client Server Networks

IPv6 Transition Work in the IETF

About the Technical Reviewers

Setting Up Scan to SMB on TaskALFA series MFP s.

Millbeck Communications. Secure Remote Access Service. Internet VPN Access to N3. VPN Client Set Up Guide Version 6.0

Industry Automation White Paper Januar 2013 IPv6 in automation technology

Recent advances in IPv6 insecurities Marc van Hauser Heuse Deepsec 2010, Vienna Marc Heuse

IPv6 Fundamentals, Design, and Deployment

Are You Ready to Teach IPv6?

Advanced IPv6 Design and Deployment for

Network Configuration Settings

IP network tools & troubleshooting. AFCHIX 2010 Nairobi, Kenya October 2010

7 TRANSMISSION CONTROL PROTOCOL/ INTERNET PROTOCOL (TCP/IP)

Chapter 12 Supporting Network Address Translation (NAT)

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

IPv6 Fundamentals Ch t ap 1 er I : ntroducti ti t on I o P IPv6 Copyright Cisco Academy Yannis Xydas

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Introduction to IPv6 and Benefits of IPv6

NAT Tutorial. Dan Wing, IETF78, Maastricht July 25, 2010

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Chapter 6. About This Chapter. Before You Begin. Windows 2000 Naming Schemes. [Previous] [Next]

MS Configuring Windows 8.1

Securing the Transition Mechanisms

SMB a protocol example

Linux Administrator (Advance)

6LoWPAN: An Open IoT Networking Protocol

Challenges in NetFlow based Event Logging

Release Notes. Pre-Installation Recommendations... 1 Platform Compatibility... 1 Known Issues... 2 Resolved Issues... 2 Troubleshooting...

Personal Telepresence. Place the VidyoPortal/VidyoRouter on a public Static IP address

Univention Corporate Server. Operation of a Samba domain based on Windows NT domain services

Administration guide. Océ LF Systems. Connectivity information for Scan-to-File

New DNS Technologies in the LAN

Behavioral Differences Regarding DNS Queries and Domain Name Resolution in Different OSs

Hands On Activities: TCP/IP Network Monitoring and Management

Debugging With Netalyzr

Chapter 9. IP Secure

IPv6 Security from point of view firewalls

IPv6 in Axis Video Products

Chapter 5 Customizing Your Network Settings

Software changes for Website and Application IPv6 Readiness

IP addressing and forwarding Network layer

Carrier Grade NAT. Requirements and Challenges in the Real World. Amir Tabdili Cypress Consulting

Samba on HP StorageWorks Enterprise File Services (EFS) Clustered File System Software

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

8.2 The Internet Protocol

Protocols for Dummies

Using IPM to Measure Network Performance

Updates to Understanding IPv6

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

How to Setup Scan to SMB to a Microsoft Vista Workstation Using a bizhub C451/ C550

NAT TCP SIP ALG Support

Matt Ryanczak Network Operations Manager

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas

IPv6 for SMB s: Easy or Hard?

Controlling Ashly Products From a Remote PC Location

WHITE PAPER. Best Practices for Deploying IPv6 over Broadband Access

INFUSION BUSINESS SOFTWARE Installation and Upgrade Guide

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Network Layers. CSC358 - Introduction to Computer Networks

How To Connect To Bloomerg.Com With A Network Card From A Powerline To A Powerpoint Terminal On A Microsoft Powerbook (Powerline) On A Blackberry Or Ipnet (Powerbook) On An Ipnet Box On

Chapter 4 Customizing Your Network Settings

IPv6 and DNS. Secure64

SSVVP SIP School VVoIP Professional Certification

MCSA Windows 8 (Exam )

Exam : Title : TS: Windows Server 2008 Network Infrastructure, Configuring Ver :

Dynamic Host Configuration Protocol (DHCP) 02 NAT and DHCP Tópicos Avançados de Redes

IETF IPv6 Request for Comments (RFCs) Updated

Transcription:

Deploying IPv6-only Samba 4 Environments Samba XP 2015 Dr David Holder CEng FIET MIEEE david.holder@erion.co.uk http://www.erion.co.uk

Deploying IPv6-only Samba 4 Environments Why IPv6 and why IPv6-only? History of Samba support for IPv6 Status of Samba4 support for IPv6 Benefits of IPv6-only Samba4 Deploying IPv6-only Samba4 Preparing your infrastructure for IPv6 Deploying IPv6 with Samba 4 Conclusions

WHY IPV6 AND IPV6 ONLY?

Why IPv6? No more IPv4 addresses Today 70% of a dual-stack user s traffic is IPv6 Over 46% of top web sites are IPv6 enabled Number of IPv6-capable users doubles annually At this rate everyone will be using IPv6 by 2020 Please sir can I have some more?

What is driving IPv6-only? Easier to manage one protocol rather than two No multi-islands of private address space No Network Address Translation (NAT) No Carrier Grade NAT (CGN) CGN increasingly common Can break most things, even simple web sites No NAT/CGN traversal required: No need for: ICE, STUN, UPnP, PCP, TURN, port forwarding, ALGs etc... Restores possibility of end-to-end connectivity Use new IPv6 features (?)

Samba Must Support IPv6- only Operation IPv6-only is becoming increasingly common Large fixed and mobile operators Data centres and cloud providers Has significant operational benefits Samba is used in all these environments

HISTORY AND STATUS OF IPV6 AND SAMBA

History of Samba & IPv6 IPng standards process IPv6 Standards released Microsoft Research IPv6 Stack Windows 2000 Technology Preview Windows with Production IPv6 Stack & Components Vista and Windows Server 2008 support for CIFS and AD over IPv6 Windows 2000 CIFS IPv6 Windows XP Production Stack Windows 2003 Production Stack Windows Server 2008/Vista IPv6 Everything Samba 4.0+? IPv6 Support Added Samba 3.2+ 3.6+ Best IPv6 Support Works Linux CIFS Client No IPv6 support (IPv6 support will not be added) IPv6 Patch Not Recommended Samba Pre 3.2 Samba Pre 2.2 1 1993 1995 1997 1999 2001 2003 2005 2007 2009 2011 2013 2015

Differences in IPv6 Windows Networks IPv4 NBT/NetBIOS Yes No WINS Yes No NT Domains Yes No SMB/CIFS Windows XP Yes Yes File Sharing IPv6 Windows 2003 Yes Yes Active Directory Windows Vista Yes Yes Including file sharing and everything Windows 7 Yes Yes Windows Server 2008 Yes Yes

Windows/Samba and IPv6 Name Resolution Options NetBIOS name resolution WINS Hosts file Link-local Multicast Name Resolution (LLMNR) DNS Literal Addresses IPv4 Only IPv4 Only IPv4 and IPv6 IPv4 and IPv6 Note: Windows Only IPv4 and IPv6 IPv4 and IPv6 Linux/Unix NSS module

Samba 4 and IPv6 Status Samba 4 is IPv6 ready Dual-stack environment (IPv4 & IPv6) works Majority of functionality is IPv6 ready IPv6-only environment problematic Some features retain IPv4-only code Some issues remain Workarounds possible Almost, but not quite, suitable for production use Future versions of Samba 4 will be able to operate in IPv6-only environment

IPv6 only Potential Issues Bugs in Samba (fixed in next release?) Configuring /etc/hosts aliases Dynamic DNS updates with samba-tool or nsupdate expect IPv6 addresses to be written in full will all zeros included - no shorthand Anything that needs NetBIOS name resolution or WINS must be changed to use DNS Can t use LLMNR for link-local addresses Configuration issues Support for legacy IPv4 (use NAT64?)

BENEFITS OF IPV6-ONLY SAMBA 4

IPv6-Only Benefits Real benefit for IPv6-only Samba 4 Supporting current and future IPv6-only users who have been driven to deploy IPv6-only environments for operational reasons This is the most important driver for IPv6-only Samba Theoretical benefits for Samba 4 Potential (theoretical) performance improvements Potential benefits from new features Lets look at some potential benefits...

Samba 4 and Jumbograms IPv6 supports multi-megabyte datagrams Performance benefits in specific scenarios IPv4 is limited to max MTU of 64KB Possible performance benefit with Samba? SMB 2.1 allows for Multi-Credit (Large MTU) Increases maximum size from 64KB to 1MB Has to be supported in datalink for IPv6 to make any difference; TCP over IPv6 jumbograms is supported, but still needs datalink with large MTU (Note: Infiniband with Samba?) Possible IPv6 future benefit but requires datalink

IPv6-only Samba 4 and MTUs Possible to use large MTUs in internal network (improving file sharing performance) without fragmentation IPv6 avoids fragmentation using Path MTU discovery no downside IPv4 may result in lots of fragmentation MTU=9000 MTU=1500 MTU=1500 MTU=1500

IPv6 only Samba 4 no NAT No NAT (or CGN) means: Global access to AD domain no need for VPNs! SMB connections can be secured using IPsec (no NAT traversal required) Microsoft solution: DirectAccess In IPv4, NAT (or CGN) makes: End-to-end connectivity difficult or impossible It difficult to secure traffic end-to-end using IPsec Application Servers Client Internet Domain Controller / DNS Server Intranet

Evolution of NAT and CGN Public Addresses Pre NAT44 Post NAT44 Post CGN Content Provider Content Provider Applications become NAT aware Content Provider Applications become NAT and CGN aware Some applications will not work IPv4 Internet IPv4 Internet IPv4 Internet P PE IPv4 ISP Access Network P PE IPv4 ISP Access Network P PE IPv4 ISP Access Network CGN? ALGs?? PCP?? Port Forwarding?? Shared Addresses RFC6598 CPE IPv4 Subscriber Network CPE IPv4 Subscriber Network NAT44 ALGs UPnP NAT-PMP STUN TURN ICE PCP Port Forwarding CPE IPv4 Subscriber Network NAT44 ALGs UPnP NAT-PMP STUN TURN ICE PCP?? Port Forwarding?? End User End User End User One IP = 1 Node One IP = 1 End User Network One IP = MANY End User NETWORKS Private Addresses RFC1918 Erion Ltd 2004-2015 - All rights reserved

There are other Benefits Mobility IPv6 provides only realistic option for global mobile IP nodes Quality of Service Flow label makes IntServ realistic possibility where low latency is paramount Ve (4) Traffic Class (8) Payload Length (16) Next Header (8) Source Address (128) Flow Label (20) Destination Address (128) Hop Limit (8)

DEPLOYING IPV6-ONLY SAMBA 4

How to: IPv6-only Samba 4 Configure IPv6 networks See previous presentations at Samba XP Configure IPv6-only nodes No IPv4 addresses Build/Install Samba 4 with bug fixes for IPv6 Provision DC Configure member servers Join domain Manage Samba

Build/Install Samba 4 You can use current versions of Samba 4 to create IPv6-only environment, but: Manual workarounds required Some features/tools will not work Samba 4 is being fixed for IPv6-only operation Small number of current patches will make this possible in next release However, still a number of issues that need addressing

Configure IPv6-only Nodes Configure IPv6 manually, using SLAAC or DHCPv6 See Samba XP 2011 Presentation http://www.ipv6consultancy.com/ipv6blog/?p=76 Do not configure IPv4

IPv6-only Name Resolution Configure hosts file (/etc/hosts) 2045::1 erion.erionv6.com erion Ensure FQDN comes first (it should do) DNS resolver (e.g /etc/resolv.conf) On domain controller ::1 erion.erionv6.com erion On member server 2045::1 erion.erionv6.com erion Do not configure WINS or NetBIOS broadcasts these won t work with IPv6

Literal Addresses NSS Optionally configure Literal Addresses http://www.samba.org/~idra/code/nss-ipv6literal/ Thanks to Simo Sorce Linux/Unix (/etc/nsswitch.conf) hosts: Just works files ipv6literal dns # ping6 2045-5249-4f4e--2.ipv6-literal.net PING 2045-5249-4f4e--2.ipv6-literal.net(fc12 64 bytes from fc12.example.com.: icmp_seq=1

Link-local Multicast Name Resolution (LLMNR) Microsoft s multicast DNS (not mdns!) No true open source option Not required in an AD domain as only resolves link-local addresses Bounty source implementation at http://www.vx68k.org/xllmnrd I have not tested this... Open source NSS based solution would be useful in rare cases

IPv6-only Provision # samba-tool domain provision --option="interfaces=lo eth0" -- option="bind interfaces only=yes" --use-rfc2307 --interactive Realm [ERIONV6.COM]: Domain [ERIONV6]: Server Role (dc, member, standalone) [dc]: DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: DNS forwarder IP address (write 'none' to disable forwarding) [none]: Administrator password: Retype password: Looking up IPv4 addresses No IPv4 address will be assigned Looking up IPv6 addresses... Server Role: Hostname: NetBIOS Domain: DNS Domain: DOMAIN SID: active directory domain controller erion ERIONV6 erionv6.com S-1-5-21-1196754207-3207730780-3488315545

IPv6-only DC Listeners # netstat -an --inet6 -p Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 2045::1:53 :::* LISTEN 58017/samba tcp 0 0 ::1:53 :::* LISTEN 58017/samba tcp 0 0 2045::1:88 :::* LISTEN 58010/samba tcp 0 0 ::1:88 :::* LISTEN 58010/samba tcp 0 0 2045::1:636 :::* LISTEN 58008/samba tcp 0 0 ::1:636 :::* LISTEN 58008/samba tcp 0 0 ::1:445 :::* LISTEN 58005/smbd tcp 0 0 2045::1:445 :::* LISTEN 58005/smbd tcp 0 0 2045::1:1024 :::* LISTEN 58004/samba tcp 0 0 ::1:1024 :::* LISTEN 58004/samba tcp 0 0 2045::1:3268 :::* LISTEN 58008/samba tcp 0 0 ::1:3268 :::* LISTEN 58008/samba tcp 0 0 2045::1:3269 :::* LISTEN 58008/samba tcp 0 0 2045::1:389 :::* LISTEN 58008/samba tcp 0 0 ::1:3269 :::* LISTEN 58008/samba tcp 0 0 ::1:389 :::* LISTEN 58008/samba tcp 0 0 2045::1:135 :::* LISTEN 58004/samba tcp 0 0 ::1:135 :::* LISTEN 58004/samba tcp 0 0 ::1:139 :::* LISTEN 58005/smbd tcp 0 0 2045::1:139 :::* LISTEN 58005/smbd tcp 0 0 2045::1:464 :::* LISTEN 58010/samba tcp 0 0 ::1:464 :::* LISTEN 58010/samba udp 0 0 Notice 2045::1:53 that Samba is :::* not listening on link-local addresses 58017/samba udp 0 0 ::1:53 :::* 58017/samba udp 0 0 This 2045::1:464 is a BUG but for :::* most use cases it will still work 58010/samba udp 0 0 ::1:464 :::* 58010/samba udp 0 0 2045::1:88 :::* 58010/samba udp 0 0 ::1:88 :::* 58010/samba udp 0 0 2045::1:389 :::* 58009/samba udp 0 0 ::1:389 :::* 58009/samba This is a result of using --option="interfaces=lo eth0" -- option="bind interfaces only=yes during the domain provision Without these options Samba listens on IPv6 wildcard address

IPv6-only Works But... Most things work on patched Samba 4 We have tested a range of scenarios and most Samba tools General AD operations and file services work 99% of most common functionality is OK However... there are still a few issues

Some Things Fail Problems remain most are trivial IPv6 DDNS updates to Samba internal DNS fail Some command line tools fail # net ads dns gethostbyname 2045::1 member.erionv6.com do_gethostbyname returned ERROR_DNS_SUCCESS (0) Not success!! Occasional syntax constraints # samba-tool dns delete erion.erionsmb.com erionsmb.com member \ AAAA 2045:5249:4f4e:a00::2 Password for [administrator@erionsmb.com]: ERROR: Record does not exist # samba-tool dns delete erion.erionsmb.com erionsmb.com member AAAA \ 2045:5249:4f4e:0a00:0000:0000:0000:0002 Password for [administrator@erionsmb.com]: Record deleted successfully Both address formats are legal Samba internal DNS does not support EDNS0

Other Issues Tests all combinations need to be considered IPv4 only IPv4 & IPv6 dual stack IPv6 only Cannot assume correct by just testing IPv4 Code sometimes not IPv6 best practice Mix of approaches Major functionality is good

Conclusion It is possible to use Samba 4 in an IPv6-only environment Requires workarounds Nearly production ready Problems will be fixed soon Necessary for increasing number of IPv6-only environments Greatly simplifies network management Has potential performance benefits Allows for end-to-end connectivity outside of internal Intranet

IPv6 and Samba References EU IPv6 Curricula Day http://www.ipv6consultancy.com/ipv6blog/?p=70 Samba XP 2011 Presentation http://www.ipv6consultancy.com/ipv6blog/?p=76 Storage Developers Association 2010 http://www.ipv6consultancy.com/ipv6blog/?p=64 SambaXP 2008 Presentation http://www.ipv6consultancy.com/ipv6blog/?p=34 Google IPv6 Conference 2008 (YouTube) http://youtube.com/watch?v=ik0nzdtzjvm Google CIFS Workshop Presentation http://www.ipv6consultancy.com/ipv6blog/?p=21 SambaXP 2007 Presentation http://www.sambaxp.org/files/sambaxp2007-pdf/holder- SambaVistawithIPv6V2.pdf http://www.ipv6consultancy.com/ipv6blog/?p=8 Linux CIFS Client http://www.ipv6consultancy.com/ipv6blog/?p=9 Samba4 Hack (old version don t use) http://www.ipv6consultancy.com/ipv6blog/?p=12

Further Information IPv6 Services http://www.erion.co.uk/ipv6.html IPv6 Blog http://www.ipv6consultancy.com/ipv6blog IPv6 Training http://www.ipv6training.com IPv6 Consultancy http://www.ipv6consultancy.com Contact david.holder@erion.co.uk

Profile: David Holder Co-Founder and Managing Director Erion Ltd Over 25 years experience in IT industry senior technical and IT management posts Chairman of IPv6 Task Force Scotland Founder of IPv6 Future Enablers conference Regular speaker at global conferences on IPv6 Extensive experience of IPv6 spanning over a sixteen years Customers include; Microsoft, IBM, HP, Cisco, RIM, Orange, Ofcom, BT, Dell, Sophos, Deloittes, Atos Origin PhD in electronic engineering (Microwave Semiconductor Devices) Fellow of IET (FIET) Member of IEEE (MIEEE) Chartered Engineer (CEng)

Questions Thank you for listening

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information