Mon, 05 Oct 2009

The great DRS success!

After a long and exhausting week in Santa Clara, five Samba4 developers
made their way to Redmond, Washington, for a week working with
Microsoft on the Directory Replication Service (DRS). Our single
biggest aim was to finish what was started before the conference -
moving from 'Samba4 to Samba4' replication to 'Samba4 and AD

We had some idea what to expect - we had been here last year, and
Andrew Tridgell (tridge) had a great time testing Samba4's LSA server,
while I investigated why Windows would not establish a trust with a
Samba4 domain.

We also had a lot of ground to make up - the week-long CIFS conference
had given us some time, but not quite enough to feel we were ready for
the week at Microsoft. With a long year before the next event, we
really wanted to make the best of it. The entire weekend was spent in
the hotel lobby hacking away at Samba, desperate to ensure it was in
as good a position as possible for the start on Monday.

Compared to the previous event, this year the roles were reversed -
tridge powered on with his work to make Samba4 an acceptable DRS
server to Windows 2008 R2, while I took on testing Samba4's LDAP

Also in attendance were Stefan Metzmacher (metze), Anatoliy Atanasov
(aatanasov) and Nadezhda Ivanova (nivanova). nivanova worked with
Microsoft to better understand the ACL implementation she had been
developing for the past few months, while metze and aatanasov powered
on with DRS implementation and providing assistance to tridge when

For myself, I was largely an observer of the DRS work, as I was working
with Sasi (an engineer from Microsoft's documentation test development
team) to test our LDAP server. We made great progress, fixing a
number of important deficiencies in the Samba4 LDB layer. (In short,
we didn't check very many of the values the client supplied, and
Sasi's testing helped pinpoint some easy cases where we could check
things more carefully.)

But it was tridge who was truly the center of attention for the week -
he paired up with Hongwei Sun from Microsoft to make repeated
attempts to join a Windows 2008 R2 server into a Samba4 hosted
domain. This was truly impressive to watch: with each run, another
failure condition would trigger, and a trace log would be generated for
Hongwei to load into a debugger. Without Hongwei's ability to match
failures back to the Windows source (which provided much more detail and
context on the failure) this effort would have taken much, much

As the days and nights dragged on, progress accelerated, and the
Windows 2008 R2 server being joined progressively accepted more and
more data from Samba4. But just as things looked bright, another
failure would rob us of victory, and Hongwei would be sent another
trace to analyse.

(We knew the data being sent was 'mostly correct', as it had itself
originated from yet another Windows 2008 R2 server, by means of a 'net
vampire'. We have had this function for a number of months now, and it
was perfected in the weeks leading up to the CIFS conference.)

Come Friday, it seemed we would not get any further before we had to
leave. But we were so close, and also so busy, that come lunchtime,
our usual break from the screen and chance to collect our thoughts, it
was plain that tridge was not about to leave this puzzle. I was
dispatched to the cafeteria with instructions and cash, so that he
would not have to lose his concentration.

As the hours before tridge's taxi to the airport counted down, so did
the hurdles remaining - each one so tantalisingly close, but still
ending in failure. Both metze and aatanasov joined in the week-long
effort, assisting with debugging and implementing new RPCs and features
as required, often pair-programming with tridge.

But as the final minutes arrived, there was time for one final run...
Cameras were at the ready, as we waited impatiently for the Windows DC
to join, and it was with total shock that, with 15 seconds to spare
(and tridge's taxi no doubt already waiting), the Windows domain controller

This was the first time that Samba4 had hosted an AD domain that a
Windows DC found sufficiently acceptable to replicate the whole
directory, and be comfortable to set itself up as a peer domain

With this (after some refinement), we will be able to show Samba4 as a
viable option as a peer domain controller in any AD domain, able to
host such domains alone or in partnership with Microsoft's Windows.

This amazing week would not have been possible without the plugfest,
or the dedication of all those involved, both on the Samba
Team and at Microsoft. Thank you all!

Andrew Bartlett

posted at: 07:40 | path: /abartlet

A week at the CIFS plugfest

Hot on the heels of the success with Samba4 to Samba4 replication, the
Samba Team converged on Santa Clara, California to participate in the
annual CIFS conference - a great chance to meet up in person, but also
a chance to test Samba against a wide variety of CIFS implementers.

For Samba4, this means setting up as an AD domain controller, and
seeing what clients can and cannot connect. While I can't disclose
the results, I was very pleased to find more clients working with
Samba4 out of the box, and that fixes for some of the others were
developed over the week.

I also very much enjoyed watching Kai Blin give his talk 'Samba ARMed
and Ready: Running an AD DC on 2 Watts', showing off what has always
been a Samba4 goal: an embedded Samba4 DC. While not quite up to the
full enterprise, it more than easily provides for the domain control
needs of a small office, using a truly tiny platform.

Towards the end of the week I had to duck out of the main plugfest for
a separate, but quite important meeting - an LDAP and Kerberos
backends 'BOF' (Birds of a Feather meeting) on the conference
sidelines. Here we had a great chance to talk about such diverse
things as Red Hat's hopes to integrate Samba4 and MIT Kerberos, and
the future possibilities around the LDAP backend.

Much to my surprise (because I've not organised such a thing in the
past), this turned out to be very, very productive: the face to face
discussions rattled out a possible solution for the 'use an MIT KDC'
requirement (the MIT KDC could use IRPC to talk to Samba4's database
backend at the Heimdal HDB layer), and found Howard Chu quite keen to
implement the required components for AD's native Directory
Replication Services (DRS) replication in OpenLDAP. (We never
imagined it would interest him).

We also had a Samba Team meeting, where we welcomed Nadezhda Ivanova
and Anatoliy Atanasov to the team. It has been a great pleasure to
work with them on Samba4 for well over a year now, and they rightfully
deserve a place on the team.

It was a very successful week, but this was only the prelude. After
some end-of-week meetings at Cisco (where I now work, but for whom I
don't speak), a small gaggle of Samba4 developers took a Friday night
flight to Seattle, for the next week's meetings with Microsoft.

Andrew Bartlett

posted at: 06:10 | path: /abartlet

The world of Samba4 powers on with DRS replication!

Samba4 has made some great leaps and bounds over the past two months -
building solid foundations into 'real world' technology.

The first big achievement was back in mid September when Andrew
Tridgell (tridge) demonstrated the first Samba4 to Samba4 'vampire'.

What tridge showed is the ability to run a second Samba4 DC, using the LDB
backend, and have it replicate a full database between the two domain
controllers, using the native AD Directory Replication Services (DRS) protocol.

He took the work done over the past few months by Anatoliy Atanasov
(aatanasov) to build a DRS server, and the extensive infrastructure
constructed by Stefan Metzmacher (metze), myself and others, and brought
them together into an integrated solution.

For some time now, we have supported AD replication using an external
LDAP backend - most typically OpenLDAP. But this work takes a
different approach, using a replication technology that is compatible
(in principle) with that used natively by Microsoft's Active Directory.

Two-way Samba4 to Samba4 replication is a critical step towards
two-way Samba4 to AD replication - joining Samba4 as an additional
domain controller in a corporate domain.

This work was very timely, as it led into the annual CIFS conference
(to test interoperability with other CIFS vendors), and what turned
out to be an incredibly successful meeting in Redmond with Microsoft
for one-on-one interop testing!

In my next two blogs, I'll try to describe how the trip went, and the
success we achieved there.

Andrew Bartlett

posted at: 04:00 | path: /abartlet