Thread: Samba 4.0 Dances Closer To Release

  1. #1
    Samba 4.0 Dances Closer To Release

    Phoronix: Samba 4.0 Dances Closer To Release

    After a very long and exhausting development process that's been going on since 2003, while simultaneously developing the Samba 3.x series, Samba 4.0 is dancing closer to an official release this year...

    http://www.phoronix.com/vr.php?view=MTA0ODg

  2. #2

    I can't wait for Samba4 stable to come out. I have a lot of Samba primary domain controllers around (that work perfectly) but it's time to change to an Active Directory since it's way more advanced. The fact it has an internal LDAP and Kerberos server is just great.

    Good work samba team!

  3. #3

    Quote Originally Posted by bulletxt:
    I can't wait for Samba4 stable to come out. I have a lot of Samba primary domain controllers around (that work perfectly) but it's time to change to an Active Directory since it's way more advanced. The fact it has an internal LDAP and Kerberos server is just great.

    Good work samba team!

    If the Samba folks can successfully pull off an Active Directory domain controller that integrates properly with Windows servers, it will be quite an accomplishment.

    Having said that (and being an Active Directory SME), I really don't think that's the way forward.

    If anybody feels like developing "the future" (tm), here's my idea for Linux networking that I never have time to start because of my other 3 software projects:

    1. An LDAP server that serves user tokens via Apache and SOAP, based on a real database backend like PostgreSQL, with a db schema that isn't completely stupid (like AD), with proper indexing for fast searches (unlike AD). This also creates a perfect SSO system for web applications.
    2. A login client for authenticating Windows machines.
    3. A login client for authenticating *NIX machines.
    4. An API to authenticate other applications SSO style.
    5. An FTP share system that uses it, so people can stop using SMB/CIFS shares, and just install a modded Filezilla-like application to share files on the network.

    Somebody please steal this idea from me; a highly motivated and skilled developer could probably write it all in a month with enough coffee.

  4. #4

    Quote Originally Posted by leeenux:
    If the Samba folks can successfully pull off an Active Directory domain controller that integrates properly with Windows servers, it will be quite an accomplishment.

    Having said that (and being an Active Directory SME), I really don't think that's the way forward.

    If anybody feels like developing "the future" (tm), here's my idea for Linux networking that I never have time to start because of my other 3 software projects:

    1. An LDAP server that serves user tokens via Apache and SOAP, based on a real database backend like PostgreSQL, with a db schema that isn't completely stupid (like AD), with proper indexing for fast searches (unlike AD). This also creates a perfect SSO system for web applications.
    2. A login client for authenticating Windows machines.
    3. A login client for authenticating *NIX machines.
    4. An API to authenticate other applications SSO style.
    5. An FTP share system that uses it, so people can stop using SMB/CIFS shares, and just install a modded Filezilla-like application to share files on the network.

    Somebody please steal this idea from me; a highly motivated and skilled developer could probably write it all in a month with enough coffee.

    Nobody is going to even come close to finishing that in a month even if you discount testing entirely. Having said that, if someone is looking for alternatives, http://freeipa.org/ might be of interest.

  5. #5

    Quote Originally Posted by leeenux:
    If the Samba folks can successfully pull off an Active Directory domain controller that integrates properly with Windows servers, it will be quite an accomplishment.

    Having said that (and being an Active Directory SME), I really don't think that's the way forward.

    If anybody feels like developing "the future" (tm), here's my idea for Linux networking that I never have time to start because of my other 3 software projects:

    1. An LDAP server that serves user tokens via Apache and SOAP, based on a real database backend like PostgreSQL, with a db schema that isn't completely stupid (like AD), with proper indexing for fast searches (unlike AD). This also creates a perfect SSO system for web applications.
    2. A login client for authenticating Windows machines.
    3. A login client for authenticating *NIX machines.
    4. An API to authenticate other applications SSO style.
    5. An FTP share system that uses it, so people can stop using SMB/CIFS shares, and just install a modded Filezilla-like application to share files on the network.

    Somebody please steal this idea from me; a highly motivated and skilled developer could probably write it all in a month with enough coffee.

    What you are describing is easy if you just assume all of your components can be trusted, which is very naive. In order to have a secure authentication system, all components must have explicit trust defined and be able to audit transactions at any point. This is why standards like Kerberos exist. Microsoft actually did a very respectable job in their AAA implementation in AD.

  6. #6

    Quote:
    What you are describing is easy if you just assume all of your components can be trusted, which is very naive.
    Ummmm, Active Directory is wide open, any authenticated user can query the directory (which is why you should never store sensitive information in it), and OUs, Domains, Forests can only be modified by users with sufficient rights to do so, as defined in the individual directory. There is nothing complicated about implementing that, and trust can easily be thrown in by leveraging existing certificate authority setups.

    To all of the haters, I present to you, the 30-day, 1-developer Active Directory replacement cycle:

    Day 1: Implement an LDAP schema in your database of choice. Too easy.
    Days 2 through 4: Write the Apache/SOAP/HTTPS server for serving authentication requests and queries. Could probably be done in 500 to 1000 lines of PHP.
    Days 5 through 7: Write a PHP API for authenticating web users SSO style and getting either a list of user groups from an authentication request, or returning the results of a generic query. Could probably be done in 500 lines of PHP. Other languages can come later.
    Days 8 through 10: Write a library to query the directory and parse the results. libcurl and tinyxml already cover 90% of what you need, there would probably only be 300 lines of code.
    Days 11 through 12: Pick an existing FOSS login client for Windows and Linux, and modify it to use the library you wrote for authentication. It's probably a matter of replacing a single function.
    Days 13 through 14: Implement a certificate authority for the domain controller using existing FOSS code, in order to define which machines are part of the domain.
    Days 15 through 20: Domain controller replication. Shouldn't be too hard if you picked your database well.
    Days 21 through 30: Quality control, writing automated tests.

    The only 2 parts that have a real potential for failure are:

    1. The developer sucks at developing database schemas
    2. The developer sucks at developing secure PHP applications

    Quote:
    Nobody is going to even come close to finishing that in a month even if you discount testing entirely. Having said that, if someone is looking for alternatives, http://freeipa.org/ might be of interest.

    Now, mind you, when I said "finished in 30 days" I didn't mean that it would be 100% ready to be mainlined into the next release of RHEL at this point, but it could certainly be driving a virtual network of 5 or VMs running on my developer's workstation. Frankly, the biggest thing holding me back from doing it is that I don't want to waste my time if no major distros are going to adopt it, and it's a bit difficult to ask them to support something I haven't written yet; the chicken or egg, which came first? paradigm.

    EDIT: I forgot to include an administration interface. Take 3 days out of QC to write a basic one; the super advanced slick one with javascript animations and flash video can come later.
    Last edited by leeenux; 01-28-2012 at 01:06 PM.

  7. #7

    Quote Originally Posted by leeenux:
    Ummmm, Active Directory is wide open, any authenticated user can query the directory (which is why you should never store sensitive information in it), and OUs, Domains, Forests can only be modified by users with sufficient rights to do so, as defined in the individual directory. There is nothing complicated about implementing that, and trust can easily be thrown in by leveraging existing certificate authority setups.
    Active Directory LDAP is "wide open." Big deal. Nothing private is stored in LDAP. Authentication data is not stored in AD LDAP. Authentication is handled by Kerberos, which was designed for the express purpose of authentication and establishing trust.

    Also, using PKI would only establish implicit trust of a connection; trust is not established at the authentication protocol level. Since certificate validation occurs in a different layer, your system would have to take the word of yet another component that everything is "on the level." Not that it is entirely invalid to do this, but it does not achieve the level of trust a good authentication requires.

    Quote Originally Posted by leeenux:
    To all of the haters, I present to you, the 30-day, 1-developer Active Directory replacement cycle:

    Day 1: Implement an LDAP schema in your database of choice. Too easy.
    Days 2 through 4: Write the Apache/SOAP/HTTPS server for serving authentication requests and queries. Could probably be done in 500 to 1000 lines of PHP.
    Days 5 through 7: Write a PHP API for authenticating web users SSO style and getting either a list of user groups from an authentication request, or returning the results of a generic query. Could probably be done in 500 lines of PHP. Other languages can come later.
    Days 8 through 10: Write a library to query the directory and parse the results. libcurl and tinyxml already cover 90% of what you need, there would probably only be 300 lines of code.
    Days 11 through 12: Pick an existing FOSS login client for Windows and Linux, and modify it to use the library you wrote for authentication. It's probably a matter of replacing a single function.
    Days 13 through 14: Implement a certificate authority for the domain controller using existing FOSS code, in order to define which machines are part of the domain.
    Days 15 through 20: Domain controller replication. Shouldn't be too hard if you picked your database well.
    Days 21 through 30: Quality control, writing automated tests.

    The only 2 parts that have a real potential for failure are:
    1. The developer sucks at developing database schemas
    2. The developer sucks at developing secure PHP applications

    Now, mind you, when I said "finished in 30 days" I didn't mean that it would be 100% ready to be mainlined into the next release of RHEL at this point, but it could certainly be driving a virtual network of 5 or VMs running on my developer's workstation. Frankly, the biggest thing holding me back from doing it is that I don't want to waste my time if no major distros are going to adopt it, and it's a bit difficult to ask them to support something I haven't written yet; the chicken or egg, which came first? paradigm.
    I am reminded of Fry in the Futurama episode "Why Must I Be a Crustacean in Love?". [Paraphrased] Fry: I can have any girl I want... I'm just too busy.

    If you could implement your system, people would pay you large sums of money to implement it and continue working on it; open-source or not. MIT would give you an honorary doctorate. You would have your pick of any employer on the planet.

    I will end with a Stephen King quote: "Money talks. Bullshit walks." I smell bullshit.
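The point argued across posts #5 and #7, that trust has to be explicit at the authentication protocol level rather than inherited from an HTTPS connection, and that every issuance should be auditable, is easier to see in a stand-alone sketch of a Kerberos-style three-party exchange. This is an added example and not code from the thread, from Samba or from MIT Kerberos: the `KDC`, `Service`, `seal`/`unseal` names and the scenario are constructed for illustration, and the HMAC-based toy cipher stands in for the real Kerberos encryption types. The service verifies the ticket with a key only it and the KDC hold, so it never has to take a proxy's, web server's or TLS layer's word for who the caller is.

```python
import hashlib
import hmac
import json
import secrets
import time


# Toy authenticated encryption (constructed for this example, NOT a real cipher):
# HMAC-SHA256 in counter mode as a keystream, then encrypt-then-MAC with a second HMAC.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt and authenticate a JSON-serialisable dict under `key`."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Open a sealed blob; a bad tag means it was not made under `key` or was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Trusted third party: the only place every principal's long-term key lives."""

    def __init__(self):
        self.keys = {}
        self.audit = []  # every ticket issued is recorded: who asked, for what, when

    def register(self, principal: str, key: bytes):
        self.keys[principal] = key

    def issue(self, client: str, service: str, now: int, lifetime: int = 300) -> bytes:
        session_key = secrets.token_bytes(32)
        # Ticket is sealed under the SERVICE's key: only the KDC could have produced it and
        # only the service can read it; the client carries it opaquely.
        ticket = seal(self.keys[service], {"client": client, "service": service,
                                           "session_key": session_key.hex(),
                                           "expires": now + lifetime})
        self.audit.append({"client": client, "service": service, "issued": now})
        # Reply is sealed under the CLIENT's key, so only the real client learns the session key.
        return seal(self.keys[client], {"client": client, "ticket": ticket.hex(),
                                        "session_key": session_key.hex()})


def client_build_request(client_key: bytes, kdc_reply: bytes, now: int):
    """Client opens the KDC reply and proves it holds the session key via an authenticator."""
    creds = unseal(client_key, kdc_reply)
    authenticator = seal(bytes.fromhex(creds["session_key"]),
                         {"client": creds["client"], "timestamp": now, "nonce": secrets.token_hex(8)})
    return bytes.fromhex(creds["ticket"]), authenticator


class Service:
    """Verifies tickets with its own key; trusts no transport, proxy or certificate layer."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def authenticate(self, ticket: bytes, authenticator: bytes, now: int, skew: int = 300) -> str:
        t = unseal(self.key, ticket)  # explicit trust: the KDC vouched for this under our shared key
        if t["service"] != self.name or t["expires"] < now:
            raise ValueError("ticket not for this service or expired")
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)  # presenter knows the session key
        if a["client"] != t["client"] or abs(a["timestamp"] - now) > skew:
            raise ValueError("authenticator mismatch or stale")
        if authenticator in self.seen:  # replay cache, as real Kerberos acceptors keep
            raise ValueError("replayed authenticator")
        self.seen.add(authenticator)
        return t["client"]


def demo() -> dict:
    """Constructed scenario: alice authenticates to the 'files' service; two bad attempts are refused."""
    now = int(time.time())
    kdc, alice_key, files_key = KDC(), secrets.token_bytes(32), secrets.token_bytes(32)
    kdc.register("alice", alice_key)
    kdc.register("files", files_key)
    files = Service("files", files_key)
    out = {}
    ticket, auth = client_build_request(alice_key, kdc.issue("alice", "files", now), now)
    out["valid"] = files.authenticate(ticket, auth, now)
    try:  # the same ticket and authenticator presented a second time
        files.authenticate(ticket, auth, now)
        out["replay"] = "accepted"
    except ValueError:
        out["replay"] = "rejected"
    try:  # a "ticket" sealed under a key the KDC never shared with 'files'
        bogus = seal(secrets.token_bytes(32), {"client": "alice", "service": "files",
                                               "session_key": "00" * 32, "expires": now + 300})
        files.authenticate(bogus, auth, now)
        out["wrong_key"] = "accepted"
    except ValueError:
        out["wrong_key"] = "rejected"
    out["audit_entries"] = len(kdc.audit)
    return out


if __name__ == "__main__":
    print(demo())
```

Each check in `Service.authenticate` corresponds to a piece of trust that post #7 says a PKI-only design leaves to "yet another component": the ticket's origin (the shared service key), the presenter's identity (the authenticator under the session key), freshness (expiry and clock skew) and single use (the replay cache), while the KDC's audit list is the "audit transactions at any point" requirement from post #5.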
