U nforki ng Sam ba4: The Success! Presented by A ndrew Bartl - - PowerPoint PPT Presentation

Presented by A ndrew Bartl ett

• f

C atal yst / / 2015- 05- 21

U nforki ng Sam ba4: The Success!

A ndrew B artl ett

• Sam ba

Team m em ber f

• r

14 years

• K ey

devel

• per
• n

the Sam ba A D D C com ponent

• Based

i n W el l i ngton N Z

• Thank

you to:

–

M y em pl

• yer

, C atal yst f

• r

thei r great support

–

Tranqui l I T f

• r

f undi ng m y travel to Europe

The great success

• W e

rel eased Sam ba 4.

–

I w i sh I had been here f

• r

the party!

–

I t took ti m e, but w e di dn' t l

• ose

si ght

• f

the goal

• I

n doi ng so, w e reuni ted as a Team

–

Stronger together!

• Taki

ng

• n

new chal l enges l i ke SM B3 and i nter- f

• rest

trust

O ur rol l er-coaster ri de

• Sam ba

f

• rked

–

W e di dn' t l i ke to say i t, but that i s the real i ty

–

Both a soci al and a techni cal f

• rk
• M any,

m any team m em bers w orked real l y hard to undo the dam age

–

I w i l l speak m ostl y about the areas I w as i nvol ved i n

–

M uch great w ork m any

• thers
• W i

th Sam ba 4. 0, w e final l y m erged agai n

H ow di d w e get to 4. 0? – a ti m el i ne

• Techni

cal and soci al steps

• M erge

team m otto:

–

“Sol vi ng soci al probl em s w i th techni cal sol uti

• ns

si nce. . . ”

2004 2008 Sam ba4 D evel

• pm ent

starts Franky proposal C om bi ned G I T tree I D L fil es m erged N am ed pi pe f

• rw ardi

ng 2010 w af i ntroduced s3com pat net4 » sam ba- tool 2011 C om bi ned bui l d Si ngl e m ake test ' as i s' rel ease s3f s proposed 2012 G EN SEC s3f s done 4. rel eased!

B eyond 4. 0, m erge w ork to 4. 2 and beyond

• A

decade l ater , and w e sti l l have w ork to do

–

W i l l w e ever get beyond source3/ source4?

2004 2013 Sam ba4 D evel

• pm ent

starts A utoconf rem oved 4. 1 rel eased 2014 W i nbi ndd m erge 2015 4. 2 rel eased D atagram m essagi ng 2016 W hat next?

U nl

• cki

ng possi bi l i ti es

• Each

m erge step enabl es another

• N am ed

pi pe f

• rw ardi

ng show ed thi s w as possi bl e

• M ergi

ng the tree stopped versi

• n

skew

• M ergi

ng the I D L avoi ded poi ntl ess di versi

• n
• M ergi

ng the bui l d system s enabl ed a m erged test

• M ergi

ng l

• adparm

w rappers enabl ed shari ng

• f

m ore com pl ex code

• Passdb

and auth m odul es provi ded the gl ue

• M ergi

ng G EN SEC enabl ed m ergi ng schannel f ul l y

• M ergi

ng w i nbi ndd enabl ed i nter-f

• rest

trusts

N ot the

• nl

y w ay i t coul d have been done

• I

' m not i nterested i n re- argui ng the past

–

But I do have som e apol

• gi

es f

• r

m y tone and behavi

• ur

at poi nts

• I

am i nterested i n expl ai ni ng w hy w e di d w hat w e di d

• Sam ba

conti nues to evol ve

N am ed pi pe forw ardi ng

• The

first and l

• ngest-

l asti ng part

• f

the Franky ef f

• rt
• A l

l

• w s

ncacn_np connecti

• ns

to be answ ered by the A D D C

U si ng com m on I D L and PI D L

• W e

had tw o di vergent sets

• f

I D L

–

M erged

• W e

had hand- generated N D R

–

Repl aced

• W e

had di f f erent copi es

• f

pi dl

–

M erged

A uthenti cati

• n
• The

m ost sensi ti ve area

• f

the m erge

–

A key part

• f

the

• ri

gi nal s3com pat ef f

• rt

–

Perhaps si ngl e- handedl y derai l ed that m erge

• K ey

requi rem ent:

–

C onsi stent behavi

• ur
• K ey

i m pl em entati

• n

pattern

–

C ode m erge w here possi bl e

–

Pl ugi n- based code repl acem ent

• therw i

se

C om m on I D L and structures i n auth

• A uthenti

cati

• n

–

auth_usersuppl i ed_i nf

• m ade

com m on

–

auth4_context m ade avai l abl e i n com m on

• A uthori

zati

• n

–

auth_sessi

• n_i

nf

• m ade

i n com m on

–

Repl aced netr_Sam I nf

• 3

i n nam ed_pi pe_auth. i dl

–

Repl aced auth_serversuppl i ed_i nf

• w i

th auth_sessi

• n_i

nf

• (

sl

• w l

y)

N TLM SSP m erge

• W e

had:

–

tw o N TLM SSP cl i ents

–

tw o N TLM SSP servers

• W e

m erged the N TLM SSP servers i nto l i bcl i / auth

• A nd

m oved the source4 N TLM SSP cl i ent i nto l i bcl i / auth

• A

G EN SEC m odul e w as bui l t around the new com m on code

auth_generi c – the Troj an horse

• A

very poor di sgui se f

• r

G EN SEC

• I

ni ti al l y

• nl

y the rpc_server code

–

N om i nal l y w rappi ng the N TLM SSP gensec m odul e

–

But w ri tten such that i t coul d w rap anythi ng

• A l

so uni fied the code i n the SM B / SM B2 servers

G EN SEC

• G EN SEC

w as m erged i nto com m on

• Repl

aced the si m i l ar gse l ayer i n the source3 RPC server

–

gse_krb5 becam e a gensec m odul e

• Rem oved

dupl i cati

• n
• f

code i n the SM B / SM B2 fil e server

• C reated

a com m on abstracti

• n

–

• ver

the rem ai ni ng exi sti ng source3 code

–

A bl e to be repl aced by pl ugi n f rom the source4 code

Ful l G SSA PI for SM B

• The

bi g ' not i ncrem ental ' step w as to

–

Rem ove the f ake G SSA PI server f rom source3

–

Repl ace i t w i th

• ne

usi ng gse_krb5

• Thi

s i s w hat i ncreased the M I T krb5 m i ni m um to 1. 8

auth_sam ba4

• M uch

m ore than a norm al auth m odul e

–

Si m pl y l

• adi

ng auth_sam ba4 causes hook f uncti

• ns

to run

–

Forces A D D C m ode

• n

the rest

• f

the auth/ G EN SEC subsystem s

• Total

l y

• verri

des al l the G EN SEC pl ugi ns

–

A l l

• w s

a di f f erence, f

• rced

set

• f

m odul es to run

• Local

group handl i ng and i dm ap l

• okup

f

• rced

vi a A D D C codepaths

• The

' norm al ' N TLM f uncti

• ns

are

• nl

y cal l ed f rom w i nbi ndd

–

For l

• cal

user authenti cati

• n
• n

a RW D C

R egardi ng auth_netl

• gond?
• I

' m not proud

• f

m y behavi

• ur

i n rem ovi ng that code

• M ovi

ng the N TLM auth to an I PC m echani sm m ay sti l l be possi bl e

PA SSD B

• I

m portant so that exi sti ng tool s keep w orki ng

–

sm bpassw d

–

net

–

pdbedi t

• A l

so used i n w i nbi ndd and i n sm bd

–

Very hel pf ul hook f

• r

i dm ap

• verri

de

• A n

i m portant access m ethod f

• r

upgrades

–

Sam ba-tool dom ai n cl assi cupgrade

pdb_sam ba_dsdb

• Bui

l t f

• r

the needs

• f

cl assi cupgrade first

–

O f fli ne access w as requi red

• no

D C unti l provi si

• n

fini shed

–

U ses the LD B A PI ( hel per f uncti

• ns)

–

Based

• n

pdb_ads by Vol ker

• I

dm ap hooks read the l

• cal

i dm ap. l db used i n the A D D C

• G et/Set

trusted dom ai n credenti al s

R egardi ng pdb_ads?

• I

' m not proud

• f

m y behavi

• ur

i n rem ovi ng that code

• pdb_sam ba_dsdb

can use l dapi : / / U RLs i f desi red,

• nce

the server i s runni ng

B ui l d system s

• The

com bi ned w af bui l d has been cri ti cal

• Rem ovi

ng autoconf w as even m ore i m portant i n the l

• ng

term

–

N o m ore hand- craf ted

• bj

ect l i sts

Testi ng

• C om bi

ned m ake test

• Tests

A D dom ai n m em ber agai nst

• ur

A D D C f

• r

exam pl e

• A l

l run f rom sel f test. pl i n sel f test/

• G l

ued together rather than i ntegrated

–

D one earl y i n the process to reduce breakage and i m prove tests

Test code i n sm btorture{ 3, 4}

• Even

at the darkest poi nts

• f

the spl i t, tests w ri tten i n sm btorture4

• The

' m erged bui l d' w as f

• r

bui l di ng sm btorture4

• But

m any si m pl e tests sti l l added to sm btorture3

• Bl

ackbox test scri pts scattered

• ver

the codebase

Test envi ronm ents

• sel

f test/ target/Sam ba. pm i s the gl ue

–

sel f test/ target/Sam ba3. pm

–

sel f test/ target/Sam ba4. pm

• Lef

t

• ver

f rom w hen w e had to be abl e to test autoconf al

• ne
• M i

chael A dam di d a l

• ng
• ver-

due renam e i n 2015

M essagi ng

• W e

now use a com m on datagram - based m essagi ng bus

–

Thanks to Vol ker Lendecke

• I

ni ti al use i s f

• r

sm bcontrol to

• btai

n a tal l

• c

report

Fi l e server

• Fi

l e server started f rom i nsi de sam ba w i th exec( )

• Python

bi ndi ngs added to the V FS

–

A l l

• w s

provi si

• n

to w ri te A C Ls to di sk

• U nf
• rtunate

nam e

• f

s3f s

–

Thi s happens i f you don' t check f

• r

nam e confli cts first. . .

Loadparm

• l

i b/ param i m ported f rom source4

• l
• adparm _i

ni t_s3( ) hook al l

• w s

usi ng a ' source3' l

• adparm
• Param eter

tabl e m erged

–

I ni ti al l y w i th #i ncl ude

• f

a C fil e!

–

N ow properl y shared as a norm al C fil e

• Param eter

l i st now autogenerated f rom XM L docs

W i nbi ndd

• W i

th Sam ba 4. 2 w e now use the source3 w i nbi ndd

• M ai

n task w as addi ng an I RPC l i stener and f

• rw arder
• M ay

have been possi bl e f

• r

4. i n hi ndsi ght

• K ey

task f

• r

i nter- f

• rest

trusts

–

But not enough

• n

i t' s

• w n,

but m etze doi ng great w ork

N etl

• gon

SC H A N N EL

• M erged

and A ES support added

–

G reat to have that enabl ed i n both servers at

• nce
• Potenti

al f

• r

f urther m ergi ng

• f

N ETLO G N servers

• N ow

a com m on G EN SEC m odul e

–

Rem ovi ng a l ayer

• f

w rappi ng

R PC B i ndi ng H andl es

• A l

l

• w s

i m pl em entati

• n-

agnosti c RPC cl i ents

–

Even i n python!

• Enabl

ed the A ES SC H A N N EL w ork to be i n com m on

Sti l l TO D O

• N TLM SSP

cl i ent code

• G SSA PI

cl i ent and server code

• Loadparm

code

–

Regi stry l

• adparm

i n parti cul ar

• Sm bcl

i ent4

• C om m and-

l i ne syntax di f f erences

TO D O : Test pl ans rem ai n m ostl y separate

• Source3/

sel f test/ tests. py

• Source4/

sel f test/ tests. py

• Sel

f test/ tests. py

• Som e

cross-

• ver
• f

tests vs envi ronm ents

–

Tests i n source3 run agai nst ad_dc envi ronm ent

TO D O : R em ove i nternal w i nbi nd

• W e

do not need tw o w i nbi nd i m pl em entati

• ns
• W e

shoul d rem ove source4/w i nbi nd

–

O nce l ast com pati bi l i ty i ssues are fixed

–

Just need to f

• rce

sync

• f

secrets. tdb

• n

startup

W hat about the N TV FS fil e server?

• K i

l l i t

–

R evenge? I t w as w hat started thi s w ar!

–

R educe nom i nal securi ty exposure f

• r

vendors?

• K eep

i t ( behi nd a . / configure

• pti
• n)

?

–

Sti l l

• nl

y protocol l evel C I FS / SM B1 proxy

• Sti

l l a good w orki ng m odel f

• r

a N TV FS l ayer

–

W hat

• ur

com peti tors at l i kew i se, as I understand i t

–

Avoi ds m atchi ng cl i ent / server bugs betw een sm btorture / sm bd

Structural R eform

• C onti

nue to de- em phasi se source3 / source4

–

Perhaps w e shoul d renam e som e

• f

these parts?

–

I f

• und

a m ai l recentl y w hen I argued agai nst that. . .

• RPC

server handl ers

–

I t w oul d be great i f the parse and handl er i nterf ace w as shared

• C onti

nue to find com m on code and m erge i t

O ne team / B randi ng

• C oul

d w e m ove beyond Sam ba 4. x as a ( conf usi ng) versi

• n

num ber?

–

W e m ay need som e better brands

–

U nf

• rtunate

to di scard sam ba4 as a brand, as i t i s sti l l strong

–

Sam ba A D D C j ust doesn' t resonate i n the sam e w ay

–

M ake the next rel ease Sam ba 5. x?

• C onti

nue to avoi d ref erri ng to and thi nki ng

• f

team m em bers as ' sam ba3' / ' sam ba4' devel

• pers?

A voi di ng a repeat i n the future

• W e

f

• rked

tw i ce al ready, and that hurt

–

Sam ba TN G

–

Sam ba4

• Avoi

d l

• ng-runni

ng f eature branches?

–

' N ot requi red' by gi t

–

B ut m ay be requi red to keep the team a team

• D el

i beratel y take an i nterest

• utsi

de

• ur
• w n

areas?

• Recogni

se and cel ebrate

• ur

di verse users and f eatures!

C oncl usi

• n
• W e

di d i t!

–

W e f

• cussed
• n

the task,

–

uni ted

• n

the goal and w orked as a team

• W e

have m uch sti l l to do,

–

but havi ng com e thi s f ar

–

w hat rem ai ns i s enti rel y practi cal

• W oul

d you l i ke to hel p?

C atal yst: U si ng, bui l di ng and supporti ng Sam ba and B eyond

• W orl

dw i de O f fices i n W el l i ngton N Z, Bri ghton U K and A ustral i a

• Sam ba

Support and D evel

• pm ent
• Sam ba

and W i ndow s i ntegrati

• n