Samba 4.7.0 (Samba AD for the Enterprise)


Enterprise distributions like Red Hat or SUSE are required to ship with MIT Kerberos. The reason is that several institutions or governments have a hard requirement for a special Kerberos implementation. It is the reason why the distributions by these vendors (Fedora, RHEL, openSUSE, SLES) only package Samba FS and not the AD component. To get Samba AD into RHEL some day, it was clear that we needed to port it to MIT Kerberos. In 2013 we started to think about this. The question which arose first was: How do we run the tests if we port to MIT Kerberos? We want to start the krb5kdc daemon. This was more or less the birth of the cwrap project! Think of…

Microsoft Catalog Files and Digital Signatures decoded


TL;DR: Parse and print .cat files: parsemscat. Introduction: Günther Deschner and I are looking into the new Microsoft Printing Protocol [MS-PAR]. Printing always means you have to deal with drivers. Microsoft package-aware v3 print drivers and v4 print drivers contain Microsoft Catalog files. A Catalog file (.cat) is a digitally-signed file. To be more precise, it is a PKCS7 certificate with embedded data. Before I started to look into the problem of understanding them, I searched the web to see if someone had already decoded them. I found a post by Richard Hughes: Building a better catalog file. Richard described some of the things we already discovered and some new details. It looks like he gave up when it came down to understand the…

Understanding Winbind


I recently fixed a bug resolving Domain Local groups in Winbind. I was asked how to reproduce it with a more complex setup, so I had to dig through the Winbind code to understand everything in more detail. I have documented my findings here, in order to retain what I've learned and to help others understand how Winbind works. The Setup: We have a forest with two AD domains: level1.discworld.site and level2.discworld.site. The two domains have a two-way trust. User accounts are created on LEVEL1, groups and machine accounts are on LEVEL2. We have a Linux machine named 'linux', with Winbind joined to LEVEL2. I will describe everything from the perspective of Winbind, so LEVEL2 inside of Winbind is…

Documenting the Source


As you may know, I have had a new job since last December and I'm working on Samba4 now. Samba4 is a monster, so I asked for some simple tasks to get started. The task was to migrate some code to a new Samba library called tsocket. The problem was I didn't know what to do and how. Some functions of the API were documented but not all. So I had to guess from the names what each function was doing and read the code to understand it. Then I started to work with the interface and I had to look again at the code to find out possible return values. In the end I spent a lot of time jumping…

Automatic testing of PAM modules


Last week at the SambaXP conference I had a discussion with Günther Deschner about the testing of PAM modules. What we want to do is automatic testing. To achieve this in the Samba build farm you need a separate "pam.d" config directory for testing. You should be able to change the config and mess it up without getting locked out. I've introduced a new function to PAM called pam_start_test() which takes an additional argument where you can specify the config directory. After this I changed the call in pamtester and added a command-line option for the config directory. To do automatic testing I've added another command-line option to specify the password to use for authentication. gladiac@maximegalon:~> pamtester -v -C/tmp/pam.d -Psecret…

Roaming Home Directories for Linux


An interesting feature of Active Directory is Roaming Profiles. You can log in on different workstations and you have all your data with you. If you use a notebook you have the same, plus the ability to work offline. As soon as you're connected to your network again, the data will be automatically synchronized and you have a backup of your data. Now the time has come to introduce Roaming Home Directories for Linux. Yesterday I released a new version of csync and the first version of pam_csync. With both components you're able to use an Active Directory environment to share your data between workstations and notebooks and work offline. Currently only the SMB protocol is supported but I will…

csync 0.42.0 alpha1


I've released the first alpha version of csync. csync is a client-only bidirectional file synchronizer. You can use csync for different things. The intention is to provide Roaming Home Directories for Linux, but you can use it to synchronize your music collection or create a backup of a directory. This is *not* intended for production environments and is designed for testing purposes only. This version is fully functional and you can sync two local directories or a local directory with a Samba share. More at http://www.csync.org/