Samba Status FFG 2016

Similar documents
Samba 4.2. Cebit 2015 Hannover

Samba 4 AD + Fileserver

<Samba status report>

SerNet. Samba Status Update. Linuxkongress Hamburg October 10, Volker Lendecke SerNet Samba Team. Network Service in a Service Network

Scalable NAS Cluster With Samba And CTDB Source Talk Tage 2010

SerNet. Clustered Samba. Nürnberg April 29, Volker Lendecke SerNet Samba Team. Network Service in a Service Network


SerNet. Samba Status Update. Munich 13. March Volker Lendecke SerNet Samba Team. Network Service in a Service Network

PROTECTING DATA IN TRANSIT WITH ENCRYPTION IN M-FILES

Univention Corporate Server. Operation of a Samba domain based on Windows NT domain services

Clustered CIFS For Everybody Clustering Samba With CTDB. LinuxTag 2009

FreeIPA Cross Forest Trusts

Active Directory network protocols and traffic

Migration of Windows Intranet domain to Linux Domain Moving Linux to a Wider World

Exploiting Transparent User Identification Systems

SKV PROPOSAL TO CLT FOR ACTIVE DIRECTORY AND DNS IMPLEMENTATION

SPI for MS Active Directory. Replication Monitoring. Introduction. How It Works

Enterprise Manager. Version 6.2. Installation Guide

Module 10: Maintaining Active Directory

The Win32 Network Management APIs

Network Defense Tools

qliqdirect Active Directory Guide

SB 1386 / AB 1298 California State Senate Bill 1386 / Assembly Bill 1298

Integrating LANGuardian with Active Directory

State of Wisconsin DET File Transfer Protocol Service Offering Definition (FTP & SFTP)

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

SuSE File and Print Services with

HP A-IMC Firewall Manager

RSA Security Analytics

General DBA Best Practices

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Freshservice Discovery Probe User Guide

Background Deployment 3.1 (1003) Installation and Administration Guide

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

Dell Active Administrator 8.0

v7.8.2 Release Notes for Websense Content Gateway

# Windows Internet Name Serving Support Section: # WINS Support - Tells the NMBD component of Samba to enable its WINS Server ; wins support = no

Virtualizing your Datacenter

Solaris For The Modern Data Center. Taking Advantage of Solaris 11 Features

LockoutGuard v1.2 Documentation

Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac

HDFS Users Guide. Table of contents

Understand Troubleshooting Methodology

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

FUNCTIONAL OVERVIEW

HP IMC Firewall Manager

Active Directory. By: Kishor Datar 10/25/2007

QliqDIRECT Active Directory Guide

BlackBerry Enterprise Service 10. Version: Configuration Guide

WINDOWS 2000 Training Division, NIC

Microsoft SQL Server Guide. Best Practices and Backup Procedures

Windows Server 2008 Active Directory Resource Kit

SoftNAS Application Guide: In-Flight Encryption 12/7/2015 SOFTNAS LLC

GlobalSCAPE DMZ Gateway, v1. User Guide

RSA SecurID Ready Implementation Guide

Multi-site Best Practices

Integration with Active Directory. Jeremy Allison Samba Team

Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation

Websense Support Webinar: Questions and Answers

Database Configuration Guide

Cisco Secure Access Control Server 4.2 for Windows

WhiteWave's Integrated Managed File Transfer (MFT)

Orixcloud Backup Client. Frequently Asked Questions

User Identification (User-ID) Tips and Best Practices

Using Samba to play nice with Windows. Bill Moran Potential Technologies

Running SMB3.x over RDMA on Linux platforms

Xerox PrintSafe Software

Assignment # 1 (Cloud Computing Security)

Lustre SMB Gateway. Integrating Lustre with Windows

GoGrid Implement.com Configuring a SQL Server 2012 AlwaysOn Cluster

25. DECUS München e.v. Symposium C02. EFS / Recovery

Homework 5b: Homework 5b: Samba

5053A: Designing a Messaging Infrastructure Using Microsoft Exchange Server 2007

Samba. Samba. Samba 2.2.x. Limitations of Samba 2.2.x 1. Interoperating with Windows. Implements Microsoft s SMB protocol

ZooKeeper. Table of contents

Active Directory Comapatibility with ExtremeZ-IP A Technical Best Practices Whitepaper

Volume SYNAMETRICS TECHNOLOGIES. A Division of IndusSoft Technologies, Inc. DeltaCopy User s Guide

CSE 120 Principles of Operating Systems. Modules, Interfaces, Structure

NT 3.5 / 4.0 Domains for UNIX

Novell File Reporter 2.5 Who Has What?

IBM Tivoli Composite Application Manager for Microsoft Applications: Microsoft Hyper-V Server Agent Version Fix Pack 2.

Samba's AD DC: Samba 4.2 and Beyond. Presented by Andrew Bartlett of Catalyst //

SQL Server on Azure An e2e Overview. Nosheen Syed Principal Group Program Manager Microsoft

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

PANDORA FMS NETWORK DEVICES MONITORING

Zmanda Cloud Backup Frequently Asked Questions

Parallels Plesk Panel

Oracle EXAM - 1Z Oracle Weblogic Server 11g: System Administration I. Buy Full Product.

Matisse Server Administration Guide

2 Downloading Access Manager 3.1 SP4 IR1

Oracle Database Security and Audit

How to Logon with Domain Credentials to a Server in a Workgroup

Installing GFI LANguard Network Security Scanner

Mobile Admin Security

Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)

11.1. Performance Monitoring

Download/Install IDENTD

Monitoreando Active Directory usando OpManager

Introduction to Mobile Access Gateway Installation

Authentication in a Heterogeneous Environment

Transcription:

Samba Status FFG 2016 Köln Volker Lendecke Samba Team / SerNet 2016-02-25

vl Samba Status (2 / 15) SerNet SLA based support for more than 650 customers firewalls, VPN, certificates, audits based on open standards wherever possible Support for many OS: Linux, Cisco IOS, Windows etc. Compliant with BSI Grundschutz and ISO 27001 and other international regulations SerNet and Samba technological leadership of SerNet worldwide SerNet distributes up-to-date Samba packages samba experience May 10-12 in Göttingen, www.sambaxp.org

vl Samba Status (3 / 15) Samba 4.3 New FileChangeNotify subsystem Profiling code Improved security for winbind SMB 3.1.1: Better security AD DC: Trust support Samba KCC improved, but still disabled Samba 4.4: Mostly small changes, clustering improvements

vl Samba Status (4 / 15) Release Cycles Regular release cycle is nine months Current release fully supported (4.3) Bug fixes, some new features Previous release (4.2) Only bug fixes Next to previous (4.1) Security fixes only Samba 4.0 went out of security fix support with 4.3 All code from 3.6 continues to live File server, print server, NT-style DC

vl Samba Status (5 / 15) What is FileChangeNotify? MSDN on Obtaining Directory Change Notifications : An application can monitor the contents of a directory and its subdirectories by using change notifications. Client queries a directory handle for changes Filters are sent for just specific events: I m only interested in new and deleted files Please tell me when a file size changes... API parameter bwatchsubtree: If this parameter is TRUE, the function monitors the directory tree rooted at the specified directory.

vl Samba Status (6 / 15) FileChangeNotify in Samba On every change, Samba has to check for interested clients Four implementations Samba 3.0 Timeout-based polling of directories per smbd Tridge s Samba4 implementation Tridge figured out how much more of the protocol One big array of all Notify Requests in every smbd Messaging-based notification Ported to Samba 3.2 Samba 4.0 notify index.tdb Starts to make notify possible in a cluster Samba 4.3 notifyd

vl Samba Status (7 / 15) FileChangeNotify in 4.3 notifyd notify trigger: This function is called a lot... For every directory component in a new/changed/removed file, we must check for interested clients (bwatchsubtree!) This function (notify trigger) is O(n) in the number of path components Notify events must be as cheap as possible FileChangeNotify is asynchronous notify trigger now delegated to another process (notifyd) Samba now has cheap inter-process messaging based on unix domain datagram sockets

vl Samba Status (8 / 15) notifyd Benefits One message per metadata modification Unix domain datagram messages do roughly 150k/sec (on my Laptop) Less load on inotify One notify listener instead of every smbd Clusterwide file change notify Many cluster file systems do not provide clusterwide inotify inotify works locally, notifyd tells others External event sources (Ganesha?) A single unix dgram per event Extremely simple protocol

vl Samba Status (9 / 15) Profiling code Samba measures request counts, request times, VFS calls, latencies, etc Lots of probe points Low performance impact necessary How to collect performance data from hundreds of smbd processes Only shared memory is fast enough Samba used (shock, horror...) sysv IPC shared memory Every smbd just incremented counters in a central mmap area Atomicity, NUMA effects were just ignored Samba has a very good mmap abstraction: tdb With Samba 4.3 every smbd maintains its own tdb record for profiling Once a second, data is assembled into one record

vl Samba Status (10 / 15) winbind changes Tightened security settings Are we talking to the right DC? For the most sensitive authentication requests (NETLOGON SamLogon) RPC is encrypted and authenticated Winbind does lots of other calls, many over SMB SMB signing now requrired when talking to a domain controller All AD controllers offer signing Old Samba domains might require server signing = auto New idmap script Flexible idmap backend for special configurations Shell script called for idmap requests 4.3 idmap script is sequential, parallel version available now

vl Samba Status (11 / 15) SMB 3.1.1 New dialect introduced with Windows 10 Improved security Both Samba client as well as Samba server support 3.1.1 Much improved secure negotiation Before 3.1.1, downgrade attacks for protocol features were possible Complete protocol exchange until after successful authentication now checksummed and signed New encryption algorithm: AES-GCM-128 MUCH too slow in software only, so only Samba s second choice Very fast performance with CPU support, Samba needs to support this

vl Samba Status (12 / 15) smb encryption With SMB3 (Windows 8+) transport encryption is standard Session key ultimately based on user password With Kerberos and NTLM a lot of key generation magic takes place SMB encryption is totally controlled by the server Samba parameter: smb encrypt smb encrypt = off : No encryption smb encrypt = desired : Encryption enforced for SMB3 clients, SMB2 clients allowed unencrypted smb encrypt = mandatory : Only encryption-capable SMB3 clients allowed Two levels of encryption Per Session: Everything encrypted after user login, smb encrypt in [global] Per Share: smb encrypt in share definition

vl Samba Status (13 / 15) Active Directory DC Improved trusted domain support Inbound and outbound trusts work Transitive trusts works for Kerberos, but not for NTLM KCC much improved Samba DC replicates with all other DCs This does not scale in larger networks Microsoft DCs replicate sparsely Samba now has an experimental implementation of the MS algorithms for the replica graph Disabled by default

vl Samba Status (14 / 15) CTDB changes (4.4) Parallel recovery: Avoid deadlocks between smbd and ctdbd ctdb volatile databases in tmpfs Usually TDB files live in /var on rotating rust locking.tdb and other TDB files can see a LOT of churn, flushd can saturate slow local disks Samba restart recreates them ctdb now can create a tmpfs for volatile tdbs Continuous work to separate out tasks from main single-threaded ctdbd

vl Samba Status (15 / 15) Questions? vl@samba.org / vl@sernet.de http://www.sambaxp.org/

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information