"The French Government, he said, plans to migrate whole departments to Samba in the near future."
A department is what, 30 people? Sounds like Samba still has scaling issues...
File and print services project Samba will fix a slew of bugs that have made it hard for the project to scale in version 4.8, due in March. Samba developer Andrew Bartlett yesterday gave a speech at LinuxConfAU, titled Fixing tridge's mistakes: Taking Samba AD to scale, in which he admitted that in 2009 the project’s founding …
... but there is a possibility you don't know what a "Department" is in France. Might want to look it up. For example, the Department of Calvados has around 700,000 people in it.
Beer icon, because there isn't one for ... well, guess :-)
The only one I know the population of off the top of my head.
So, the year is 2018. We have 10,000 solutions for "cloud storage" which make use of HTTPS based APIs for identity services as well as file and print services.
SMB has evolved at Microsoft as a protocol for providing back end storage sharding/replication as well as VM migration on closed networks with Azure/Hyper-V environments.
IPP is the preferred local printing protocol. mDNS is the preferred method of printer/service discovery.
ActiveDirectory is practically dead as more and more corporate PCs are not even registered in the Active Directory. For example, I am waiting for my new PC at my new company to arrive, it will ship in April (a top model Surface Book 2 15"). I specifically asked for it to not be domain joined. I don't need it. If I ever need domain joined, I'll use a virtual machine. I can access my mail through web mail. Besides, Outlook contacts suck, I much prefer the webmail contacts. I will however run Outlook on my iPhone.
So file services. Every single company out there has Microsoft OneDrive for business. Open Windows Server, add the Sharepoint feature and let the users login using OneDrive for Business to access their files.
File shares are a BAD IDEA!!!! They let viruses run rampant and they don't have transaction history. They're not based on blob storage. They're just an all around bad idea. In fact, SMB should be disabled all through the organization and using a locally hosted OneDrive or DropBox or any other virtual file system with proper history and backup as well as secured access through more advanced user authentication provided through proper secure identity providers...
So.. SMB is dead... ditch it, kill it, burn it.
The rare exception would be in video production. But even then, they're using SMB because they have nothing better to work with at the moment. The BBC created a system called Ingex a long while back which was basically the start of an amazing object storage system for production assets. It provided a Samba module that would allow the server to provide virtual access to different resolutions and qualities even though the media itself was stored raw. Someone should pick that up and standardize it and replace the SMB with a virtual file system driver over HTTPS/UDP.
Anyway... I loved Samba and used to teach it as a course in the late 90's. I used it heavily for years in the early 2000s. But this is 2018... what in the world would you ever use SMB for anymore?
Development costs are negligible at this stage. Some people track down and fix obscure bugs for fun. It still has niches (as you yourself pointed out). So basically, it costs nearly nothing and some derive some use from it. Might as well keep it around as a historical curiosity, if nothing else!
File shares do let you use large files without downloading it all when reading and uploading it all when writing. With OneDrive, Dropbox etc your local storage limits what remote files you can use. So the discs are huge these days? Yes, and so is the amount of crap that accumulates on them!
Also, if you need to log file accesses, you can do it with Samba down to painful details.
I'm not sure whether I want to agree with you because you're right and pragmatic or disagree with you because you simply shouldn't be right :/
There is no particular reason why object storage systems have to be all-or-none solutions. By employing virtual file systems (basically how OneDrive and Dropbox integrate with Windows), it should be possible to support random access within reason. The S3 API has grown to become somewhat of a completely unmanageable beast. But it does have random access abilities. There should be no particular reason why a virtual file system couldn't be implemented which supports mapping remote files.
An example would be that if you connected to a shared OneDrive folder and the folder would be marked as "Online use only" and then pass requests over the API. SMB is substantially more efficient for this purpose, but at least in my experience... the most common use for large files these days is ISO files and software installations.
ISO files can be easily mapped by the systems that use them as iSCSI which is actually still quite a bit more efficient for this form of media than SMB. In addition, of course, security becomes a concern as iSCSI pretty much tops out at CHAP. However, iSCSI over IPv6 can be a big improvement when using IPv6 security. A better RBAC solution could of course be warranted. iSCSI also has pretty good directory services if SNS is configured appropriately.
As for installation media... I can safely say that I've found myself far too often using USB drives in recent history for lack of a good remote file system solution. Again, this could likely be resolved using S3 random access and with virtual file system drivers. I know there's a few commercial ones for Windows out there now and a quick search on Google found some "work in progress" open source ones as well. I don't know whether they support random access especially since S3 generally isn't used on premises, but it would be great if they do.
HTTPS overhead would probably have a pretty severe effect on performance, but it would be a pretty good option from a security perspective. Unlike the security in most other protocols, TLS tends to be hardware accelerated at both client and server. It also receives updates constantly when the client or server use the OS libraries.
As for logs... yeh... Samba is amazing for that. I use it as a model in my own software development. Actually had to remove a pile of logs from my current development project recently since 99.4% of my CPU usage was actually due to excessive logging. But to be fair, all protocols should be implemented with a LOT of logging as an option. :)
Thanks for the comment... as I said... I believe you're right but wish you were wrong :)
"So file services. Every single company out there has Microsoft OneDrive for business. Open Windows Server, add the Sharepoint feature"
Several factories with potentially hackable SCADA on the network, a Hotel where the (an) internal LAN controls the lighting scenes switching over 10,000 lights in sequence, a similar system managing access control at several highly secure facilities (this is just stuff I have a personal interest in) ..... and your recommendation is to open an external intrusion gateway so functions can be ported to "cloud" based alternates? I think not.
There are certainly potential alternatives, but OneDrive, Dropbox and "Login with your FarceBorg ID!" aren't on the shortlist. In related news, porting everything to NodeJS, NoSQL, GraphQL, AWS just because it is "2018" isn't on the agenda either.
What exactly are you talking about?
I said nothing about storing your files in the public cloud. You even quoted where I specifically said "Open Window Server, add the Sharepoint feature".
This means that instead of using the public cloud, you would host it in-house in the private cloud.
And public identity servers do make sense. You need to be identified from the outside reliably when you're using VPNs, Citrix, etc... using a company who devotes massive resources to identity is logical. This allows you to always be up to date on security patches and what not. OpenConnect ID, SAML v2.0, and a few others are extremely secure by nature. Then you can run federation services in-house whether through Windows or a plethora of alternative options.
As someone with experience coding SAML and OpenConnect ID identity providers as well as Radius and TACACS+ servers... I can safely say that I've almost never encountered anyone (with or without certification from respected vendors) that actually understands secure login. I've never met a network engineer with the first clue of how EAP actually works. I've never met a Windows Server "expert" that has the first clue of how Kerberos works.
That said, I will gladly use a company such as Microsoft, Google, IBM or Amazon who have entire internal organizations of people with actual educations in these topics to provide and maintain identity.
As for NodeJS, NoSQL, etc... yes... these are great tools. I highly recommend against coding against proprietary systems like AWS Lambda, but I am fond of Microsoft Azure Functions since they are open source and can easily be hosted in house on Azure Stack.
As for SCADA on the network, control systems should definitely never be in the public cloud and should actually be 100% disconnected from any IP network that can be accessed from the Internet.
Oh... and when I finally settle my butt down and start coding today, I'll be working on a network management system for an offline network for a government organization. My normal customer list is primarily companies which are 100% offline. US DHS, DoD, several NATO militaries, national banks, etc. I live and die by FIPS140-2. And I am extremely security focused. And this is why I generally look for alternatives to file sharing protocols. They are generally designed for performance, not security. They are nasty gateways into networks since most often the only actual security enforcement in these protocols is within the operating system kernels themselves. Implementations of SMB like the one found in the Darwin kernel make me cringe in fear.
On these closed networks, we're investigating using Azure Stack as an option for identity. This will allow us to stay up to date using offline networks. Azure is among a few of the most actively secured identity providers out there. As such, when Microsoft eventually makes Azure Stack capable of operating 100% off-line, it will be an excellent option for identity. This is because Amazon, Google and Facebook are not likely to start shipping their IDp servers as a product any time soon. But by using Azure Stack in-house, it should be possible to have a department in charge of downloading and applying patches daily from Microsoft.
I only fear that "security experts" will start selectively choosing which patches to apply and I hope Microsoft applies an "all or none" approach to it. More security problems have been associated with "super intelligent IT guys" selectively patching.
"As for SCADA on the network, control systems should definitely never be in the public cloud and should actually be 100% disconnected from any IP network that can be accessed from the Internet."
Exactly, they are, and because there is so much embedded stuff on there that does not have and will never have conventional PC access control, security is a perimeter issue. If someone gets on the control network then it's game over. Hundreds to thousands of PIC16 and ARM microcontrollers which are never going to implement TLS or any other strong cryptography because they simply don't have the MIPS for it, particularly with concurrent hard RT hardware control tasks. That's also what makes high-performance file access with minimal overhead essential one level up where the Linux based management nodes sit.
You're right, I misunderstood what you were implying regarding OneDrive etc, but my real point is that not all networks are built for humans. I have networks with over 10,000 active clients, only three of whom are human and only about 100 of which have support for any sort of "user interface" besides a ModBus or SNMP API and file sharing/exchange.
"Secure Login" therefore mostly consists of an MCU reading its hard coded identifier from EEPROM and transmitting it in plaintext over TCP/IP to a server and "authentication" consists of appearing on an IP address whitelist (insufficient RAM for SNMP v3).
The assumption that "Every single company out there has Microsoft OneDrive for business" is wrong, as is the assumption that all networks exist to facilitate humans using email, web browsing, CRM, ERP and MS/Libre Office. In the cases I referred to, none of those facilities exist because they're not relevant to what the network (and associated file sharing) is for.
It started its life this way, but that was long ago. Since then it has become a central authentication authority based on standard Kerberos (now with both MIT and Heimdal implementations available) in the local network, with integrated directory services for both humans and machines, based on standard LDAP. Also, it is a go-to solution for making the enterprise scale distributed filesystems available to Windows machines, thanks to CTDB - for example see page 12 in Lustre Architecture whitepaper. Not everyone needs distributed filesystem; I will grant you that. But that does not mean that Samba is less useful as an authentication authority or directory service.
It can also work as an Active Directory domain controller - which, like it or not, has become quite common in many networks.
But when you have people boasting they won't join their machine to the company domain - as if it was a clever thing to do, exactly because of all the authentication, authorization, auditing, and directory features - you wonder how much people really know about that.
BTW: a non domain joined machine DOESN'T USE Kerberos for authentication and authorization. It falls back to NTLM, in a Windows network, because of course it can't get Kerberos tickets from a domain controller - even if the credentials you use match AD credentials.
"The assumption that "Every single company out there has Microsoft OneDrive for business" is wrong, as is the assumption that all networks exist to facilitate humans using email, web browsing, CRM, ERP and MS/Libre Office."
Very well said. There are far too many people in IT that think the 'office environment' is the be all and end all of IT and totally forget the factory and industrial plant without which they would be out of a job.
"You even quoted where I specifically said "Open Window Server, add the Sharepoint feature"."
What window server would that be?
Since we don't use windows it would be rather difficult to do here. So I have to ask 'how does your proposal stack up in the real world'?
"So I have to ask 'how does your proposal stack up in the real world'?"
In my experience - very badly.
(Every large corporate, small corporate, SMB or public body I've ever worked at since the late '90s has used AD or some similar feature..)
Been employed at, turned up and been paid etc etc...
He also thinks mDNS can replace a directory service - it works in his bedroom LAN, so it has to work in an enterprise LAN, right? What are those "subnets", "VLANs", "routers"? Maybe he doesn't know that kind of broadcast is exactly what you like to get rid of in a large network....
Indeed - [RedactedCo] has a requirement of 'corporate data can be stored ONLY on servers located on-prem'.
Does Microsoft have a version of OneDrive that's not cloud connected and is on-prem only? (and presumably sucks less than the file sharing services/DFS bodge they've been using for the past decade)
Even in a cloud-first world people still use SMB, even if only with legacy apps. There's a reason that Microsoft allow direct SMB access into the Azure Cloud.
Many of the cloud-gateway vendors I'm sure people are avid fans of use Samba under the hood to gateway existing useful applications into backend cloud storage.
We have some life in the old dog yet! :-)
Free-for-all R/W shares for file exchange are surely a danger. And SMB had its share of big vulnerabilities, sure.
Specific shares for specific use, with well set permissions are not. Even under Linux you may have to use NFS for specific scenarios, because other ways will be just too cumbersome to use, or won't work.
"So.. SMB is dead... ditch it, kill it, burn it."
RLY? You are obviously not daft but your experience is a bit lacking. SMB is used to throw a lot of data around the place and it has changed somewhat between 2000 and 2018. When you enable signing and encryption you get security and authenticity. Your comment alludes to it but I would humbly suggest that "tools for the job" is a bit shorter.
One Drive for Bus.: I own my business (we are an MS reseller as well) and I'll keep my data in the UK, on my gear, with NextCloud.
File shares do not have logs but systems do. Mine end up in a bloody great ES cluster with Graylog on the front.
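As an added example, not code from this thread or from the Samba project, here is a small audit of the settings the comment above names: it parses the [global] section of an smb.conf and flags signing, encryption, minimum dialect and NTLM choices that are left weak. Option names and their defaults are assumed to match the Samba 4.8-era smb.conf man page, and both sample configurations are constructed.

```python
# Added example, not Samba's own code: audit an smb.conf [global] section for the
# weak settings discussed above. Defaults are assumed Samba 4.8-era values; an AD
# DC already defaults 'server signing' to mandatory, so that finding is conservative.
DEFAULTS = {"serversigning": "default", "smbencrypt": "off", "serverminprotocol": "nt1",
            "ntlmauth": "ntlmv2-only", "lanmanauth": "no"}

# (normalised option, predicate true for an acceptable value, finding text)
CHECKS = (
    ("serversigning", lambda v: v == "mandatory",
     "signing optional: sessions can be tampered with or relayed"),
    ("smbencrypt", lambda v: v in ("required", "mandatory"),
     "encryption optional: share traffic may cross the wire in clear"),
    ("serverminprotocol", lambda v: v.startswith(("smb2", "smb3")),
     "SMB1 still accepted: no signing/encryption guarantees"),
    ("ntlmauth", lambda v: v not in ("yes", "ntlmv1-permitted"),
     "NTLMv1 permitted: weak challenge/response, offline-crackable"),
    ("lanmanauth", lambda v: v == "no",
     "LANMAN authentication enabled: trivially broken hashes"),
)

def parse_global(text):
    """[global] options as {lowercase name without spaces: lowercase value}.
    Samba ignores case and whitespace in option names; '#'/';' start comments;
    parameters before any section header are treated as global here."""
    opts, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip().lower().replace(" ", "")] = value.strip().lower()
    return opts

def audit_smb_conf(text):
    """Return (option, effective value, finding) for every weak setting."""
    opts = parse_global(text)
    return [(opt, opts.get(opt, DEFAULTS[opt]), msg)
            for opt, ok, msg in CHECKS if not ok(opts.get(opt, DEFAULTS[opt]))]

# Constructed fragments: a weak standalone server and its hardened form.
WEAK_CONF = """[global]
   server role = standalone server
   server min protocol = NT1
   ntlm auth = yes
   ; signing and encryption left at their defaults
[data]
   path = /srv/data
"""
HARDENED_CONF = """[global]
   server role = standalone server
   server min protocol = SMB2_02
   server signing = mandatory
   smb encrypt = required
   ntlm auth = ntlmv2-only
"""
```

Running `audit_smb_conf(WEAK_CONF)` reports four findings (signing, encryption, SMB1, NTLMv1) while the hardened fragment reports none; `testparm` remains the authority on what a given Samba build actually accepts.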
Dude, if you think Active Directory "is dead", you're having a laugh. I don't care where in the world you upload your crap, if there's any security on it, you're using authentication and authorisation services.
As it happens, the core of Azure is still based on AD technologies - yeah, sure, SAML wrappers etc, but what do you think is validating your claims?
Having directory services combined with Kerberos with minimal configuration required was a killer feature. I still don't think Samba has caught up with AD services, except for basic stuff, but there's nothing wrong with the LDAP + Kerberos stack.
As for SMB, I don't think it's that great myself, but it's a sh*tload better than SharePoint. Try storing multi-gigabyte binary files inside a SQL database and see what your DBAs say. Try storing 27 million files of 5-150 bytes in size in SharePoint (which is exactly what is in a directory on one of our file servers right now ... and I *wish* they'd ingest those into a database!)
And if you want to store a bunch of docs and spreadsheets on a web server, SharePoint is still shite. A simple WebDAV is better. The only benefit I can think of with SharePoint is in a clustered instance, where you've got your stuff spread across a large farm. And that's only because of the clustering technology, not because it's a great way to store and retrieve files.
".....thanks to the fact that HPE recently came calling with a request to get Samba working on HP-UX...." Hmmmm, did I step into a timewarp?!?!? Samba has worked fine (well, as fine as it can) on HP-UX for years! I remember testing Samba (version 2.something, IIRC) on hp-ux 10.20 with Windows clients for Y2K compliancy, and hp-ux has had a full-blown CIFS capability (named with typical HP "dead-fish" marketing, CIFS/9000) since at least hp-ux 11.0.
As a weird aside, I also (vaguely) recall that HP-UX 9 had some version of Microsoft's lanmanager software to allow it to understand NetBIOS and emulate an NT4 server....? Any hp-ux dinosaurs out there remember that?
Samba is a PITA to build, though - mainly because it uses the weird as fck Python2-based Waf build system rather than anything "normal" (ie. cmake, meson etc.)
With Python2 support officially ending in a little over 2 years, Python2 already being dropped by some distributions, and no plans from samba.org to support Python3 in their customised version of Waf, supporting Samba is not going to get any easier.
"Where I work, that's the biggest impediment to scaling.
If the VFS plug-in being used allocates 1GB, 1000 clients == 1TB of RAM. (Or 1GiB x 1024 clients = 1TiB of RAM.)"
You might want to read about copy-on-write. It has been around for the past couple of decades. When a process forks, only the changed portion is copied, not the entire process. Samba doesn't allocate a lot of buffers, and lets the OS do mostly everything. So the processes are pretty small to begin with. The stackable VFS modules are loaded before the fork, so there would never be any more than one copy in memory.
Is that the Gluster or Ceph VFS module? Sounds like the gluster one. That's a design bug in the gluster client libraries IMHO. They are assuming only one process connects from a client and so are profligate with resources. I think Red Hat is working on fixing that.