History of Samba Active Directory
The NetBios protocol
At the beginning of the 1980s, microcomputers started to arrive. Historically, computing had been based on large mainframe servers located in server rooms, on which the programs ran, with dumb terminals, without processing power of their own, on users’ desktops for data entry and display.
With the advent of microcomputing, the traditional model began to be shaken. Microcomputers (IBM PC, Apple Macintosh, Commodore, Amiga, etc.) were equipped with processing power that allowed them to run programs locally, such as word processors, accounting applications, etc.
This change of model generated two needs:
File sharing: before, all users worked on the same mainframe, so files were naturally shared. Now that users work on different machines, the need arises to access files that are stored on someone else’s computer;
Mutual authentication: before, users all connected to the same mainframe from a dumb terminal, so authentication was centralised and easy to do. Now that there are many more independent small machines, how does one know that one is connecting to the right machine? How does one know whether the person trying to connect is really who they claim to be?
There have been several attempts to address these problems. We are going to address the first problem.
File sharing on a Local Area Network
In 1983, the company Sytek developed a new protocol, NetBIOS, to facilitate communication between machines. NetBIOS provides an abstraction layer between the application layer (e.g. file shares) and the transport layer (TCP/IP, Token Ring, IPX, etc.). In those days, transport protocols were more diverse than today.
With a standard LAN API available, a higher-level protocol, SMB, was launched by IBM in 1985. It is a protocol for sharing resources over a network. SMB works as a client/server protocol: the client sends specific requests and the server sends a response. Several companies adopted IBM’s protocol and adapted it to their needs. A very serious challenger to IBM was Novell with its NetWare product. To compete with NetWare and its high-performance file sharing service, Microsoft collaborated with IBM and 3Com and developed LAN Manager, which was then integrated into OS/2. LAN Manager embeds IBM’s SMB protocol as well as NetBEUI to allow OS/2 to share files, printers and other networked resources.
The NetBIOS protocol became the normative standard RFC 1001 in 1987.
IBM quickly saw the potential and adopted the technology for its IBM PCs. At that time IBM was what Microsoft was in the 1990s and 2000s, or what Google is today: IBM defined the standards. So the other IT companies, including Microsoft, all developed their own NetBIOS layer to interface with other systems.
At first the NetBIOS protocol was very limited, with a maximum of 80 machines. Machine names were fixed at 16 bytes, with the last byte reserved for a suffix that identifies the service type (file server, user workstation, etc.). That is why, even today, a machine name cannot be longer than 15 characters!
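As an added illustration (not part of the original text), the following Python code shows how a NetBIOS name is built and put on the wire: the name is upper-cased and padded to 15 bytes, the 16th byte carries the service suffix, and the whole 16-byte field is then “first-level encoded” into 32 letters as described in RFC 1001. The suffix table lists the well-known Microsoft service suffixes; the sample names are constructed for the example.

```python
# Added example (not from the original article): how a NetBIOS name is built
# and encoded on the wire, following the first-level encoding of RFC 1001.
# The suffix table lists the well-known Microsoft service suffixes.

NETBIOS_NAME_LEN = 16                # fixed-length field: 15 name bytes + 1 suffix byte
MAX_NAME_CHARS = NETBIOS_NAME_LEN - 1

# Well-known suffix bytes (the 16th byte) and the service they denote.
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x20: "File Server Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
}


def build_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """Return the 16-byte NetBIOS name: upper-cased, padded, suffix last.

    Raises ValueError if the name is longer than 15 characters, which is the
    origin of the 15-character machine name limit mentioned in the text.
    """
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    raw = name.upper().encode("ascii")
    if len(raw) > MAX_NAME_CHARS:
        raise ValueError(f"NetBIOS names are limited to {MAX_NAME_CHARS} characters: {name!r}")
    # The wildcard name '*' is padded with NULs, ordinary names with spaces.
    pad = b"\x00" if name == "*" else b" "
    return raw.ljust(MAX_NAME_CHARS, pad) + bytes([suffix])


def is_valid_netbios_name(name: str) -> bool:
    """True if the name fits in the 15 bytes available before the suffix."""
    try:
        build_netbios_name(name)
    except ValueError:                  # covers non-ASCII too (UnicodeEncodeError)
        return False
    return True


def first_level_encode(nb_name: bytes) -> str:
    """RFC 1001 first-level encoding: each nibble becomes a letter A..P."""
    if len(nb_name) != NETBIOS_NAME_LEN:
        raise ValueError("expected a 16-byte NetBIOS name")
    out = []
    for b in nb_name:
        out.append(chr(ord("A") + (b >> 4)))
        out.append(chr(ord("A") + (b & 0x0F)))
    return "".join(out)


def first_level_decode(encoded: str) -> tuple[str, int]:
    """Inverse of first_level_encode: return (name without padding, suffix)."""
    if len(encoded) != 2 * NETBIOS_NAME_LEN or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("malformed encoded NetBIOS name")
    raw = bytes(
        ((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
        for i in range(0, len(encoded), 2)
    )
    name = raw[:MAX_NAME_CHARS].rstrip(b" \x00").decode("ascii")
    return name, raw[MAX_NAME_CHARS]


def describe(encoded: str) -> str:
    """Human-readable NAME<suffix> plus the service the suffix denotes."""
    name, suffix = first_level_decode(encoded)
    return f"{name}<{suffix:02X}> {SUFFIXES.get(suffix, 'unknown service')}"


if __name__ == "__main__":
    wire = first_level_encode(build_netbios_name("FRED", 0x00))
    print(wire, "->", describe(wire))
    print(first_level_encode(build_netbios_name("*")))   # wildcard used by name-status queries
    print("too long accepted?", is_valid_netbios_name("THIS-NAME-IS-TOO-LONG"))
```

Running it prints the encoded form of FRED<00>, the encoded wildcard name, and the rejection of a name longer than 15 characters; the decoder maps an encoded name back to its name and suffix, which is useful when reading NetBIOS name-service traffic in a capture.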
Security Principles
With the advent of client-server environments, it was necessary to ensure that the client and the server recognized each other.
To this end, three concepts have been introduced:
Identification, which consists in establishing the identity of the user or of the host.
Authentication, which consists in verifying the user’s identity.
Authorization, which allows or denies the user access to certain resources.
LAN Manager uses these three principles to secure access to its data. These ideas later gave rise to projects such as Kerberos and NTLM.
History of Kerberos
The Athena project
The Athena project, supported by a consortium of IT players, was launched in May 1983 for a period of 5 years. Its goal was to develop strategies, as well as software, for a client/server network system. Athena was originally intended to be used only by MIT.
Systems and protocols still in use today were designed there, such as NFS and the X server (the basis of the graphical interface of Unix systems).
The idea of an authentication system originated within MIT when it became clear that students would be allowed to access file servers on a high-value network with their own computers.
The development of the identification and authentication mechanism was thus linked to the Athena project. The objective was to develop a network authentication protocol that would centralise trust management on a few closely monitored and controlled machines.
Authentication traffic between these trusted servers and the other computers on the network would be encrypted so that it could not be intercepted.
Since its conception within the Athena project, the Kerberos protocol has undergone significant changes that have made it easier to use, more modular and safer.
Introducing Samba
The Samba project is described on its official website as a software suite that allows interoperability between Windows and UNIX/Linux environments. The technology at the heart of this interoperability is the communication and file sharing protocol SMB, hence the name of the software: Samba. Microsoft’s widespread presence in companies, the public sector and the education sector, coupled with the quality of the free-software implementation that Samba provides, have allowed the SMB protocol to gradually establish itself as the standard for exchanging files on networks of Windows, Linux and Mac devices.
Samba’s functionality includes:
Centralized identification and authentication management in Active Directory and NT4 domain mode.
Centralized group management.
File sharing according to the version of the Microsoft SMB protocol.
Centralized management of access rights to files and directories.
Sharing printers.
Samba1
The Samba1 version was released in the early 1990s and provided a simple implementation of LAN Manager protocols and workgroup support.
Samba2
With the Samba2.2 version released in 2002, Samba began providing NT4-style domain controller services to Windows workstations that are members of a domain.
Samba3
The successive versions of Samba3 improved support for NT4 domain features and for newer versions of the SMB protocol (SMB2.2, SMB3).
Samba4
The Samba4 project was launched in 2005. Its initial objective was to completely rewrite Samba based on the official specifications released by Microsoft following the European Union’s lawsuit against Microsoft for abuse of its dominant position.
At the same time, the Samba3 code base was becoming difficult to maintain. Until then, Samba had been developed gradually by reverse engineering Microsoft protocols; Samba developers had been studying how Windows workstations and servers communicated with each other, and from the data collected they had developed Samba empirically to reproduce the behavior of the Microsoft protocols.
Since then, the project has had freer access to Microsoft’s official specifications, which has greatly facilitated development. To consolidate the interoperability effort, the various actors and stakeholders of the SMB protocols meet each year at an event called PlugFest to test their implementations of the SMB protocol against each other. Interest in Samba4 took off in 2010-2011, when the various actors understood that Andrew Bartlett’s rather ambitious objectives were beginning to be achieved.
In 2012, as interest in Samba4 grew, it became apparent that an implementation based exclusively on Microsoft’s SMB protocol specifications was not workable, and that the SMB protocol as implemented by Microsoft was much more complex and poorly documented.
Samba3 had been developed empirically rather than from official documentation, and therefore worked well for file and printer sharing. Historically, Microsoft has been very cautious about backward compatibility, and the server behaviours of earlier versions are carried over into new versions.
The Samba4 rewrite involved 3 major components:
The Active Directory component.
The file sharing smbd component.
The user mapping winbindd component.
In September 2012, it was decided to reuse the Samba3 smbd code base to provide the file and printer sharing functions, while the Samba4 code would provide only the Active Directory function. The work of reintegrating the Samba3 code base into Samba4 resulted in the first stable version of Samba4, 4.0.0, in December 2012.
Samba’s corrective maintenance and security policy
The limited staff of the Samba project cannot keep a large number of Samba versions in corrective maintenance.
This is why the Samba project has adopted the following approach:
Version under development, considered non-stable, N+1, currently 4.21.
Version in stable production N, currently 4.20.
Version in corrective maintenance N-1, currently 4.20.
Version in security maintenance, N-2, currently 4.19.
However, a commercial ecosystem exists around Samba, and companies with a particular interest in a specific version of Samba can invest development resources to backport the fix for a specific bug into an unofficially maintained version.
Samba3 is no longer maintained; it is therefore necessary to prepare a migration to Samba4. Since the Samba3 code base is integrated into Samba4, it is possible to use Samba4 even in NT4 domain mode. This allows you to benefit from the patches and new features that have become available since the end of support for the 3.x versions.
Samba4 and Linux distributions
The fact that Samba4 incorporated the Samba3 code base caused great confusion among the individuals and teams packaging Linux distributions. Most distributions did not want to immediately abandon their Samba3 version, with which their users were familiar, so the Samba4 packages, which partially reintegrated Samba3 code, conflicted with the Samba3 packages. A good example of this confusion, which led to a version conflict, is the Debian samba4.0rc2 package, which is completely unusable.
The SMB protocol
Client-server architecture
SMB is a file and printer resource sharing protocol defined at IBM in 1985 by Barry Feigenbaum. SMB works with a client-server structure: the client sends specific requests and the file server responds to them. The protocol is optimised for use on a local network, but it can also be used over the Internet.
The different implementations of the protocol
Several companies or entities have adopted the standard and adapted it:
Samba by Andrew Tridgell, Samba’s founding father;
Microsoft Windows Workgroups 3.x;
Microsoft Windows NT;
LAN Server from IBM;
The PATHWORKS family of products from Digital;
LAN Manager;
VisionFS;
TotalNET Advanced Server;
Advanced Server for Unix;
CIFS is one of the latest definitions of this protocol. It was developed by Microsoft together with other vendors such as Digital Equipment, Data General, SCO and Network Appliance Corp. This version is public. From Windows Vista onwards, it is called SMB2.
The different versions of the SMB protocol
SMB was initially designed to run on top of the NetBIOS/NetBEUI API (usually implemented with NetBIOS over IPX/SPX). Since Windows 2000, SMB has by default run over a thin layer directly on TCP, using TCP port 445 instead of TCP port 139, a feature known as direct-hosted SMB.
SMB1
The SMBv1 protocol dates back to the early 1980s. It is an old and very chatty protocol that is quite limited on modern networks. It copes poorly with latency on VPN links, and its chattiness makes it impossible to fully use the bandwidth of modern networks.
Moreover, the different layers of the protocol make its architecture complicated, and it is quite buggy, in particular with security holes (e.g. the flaw exploited by WannaCry). It is recommended to remove this protocol from corporate networks to improve security. The latest versions of Windows disable this protocol by default, and Samba now disables it by default as well.
SMB2
Microsoft introduced SMB2 with Windows Vista in 2006 and later improved it in Windows 7, with subsequent major revisions 2.1 and 3.0 from 2012. SMB2 reduces the chattiness of SMB 1.0 by reducing the number of requests, and it supports pipelining, i.e. it sends additional requests before the response to a previous request arrives, which improves performance on high-latency links. SMB2 includes support for symbolic links.
Windows Vista / Server 2008 and later versions use SMB2 when communicating with other machines that are also capable of using SMB2.
SMB1 continues to be used for connections with older versions of Windows, as well as Samba and NAS systems. Samba 3.5 also includes experimental support for SMB2. Samba 3.6 fully supports SMB2, with the exception of changing user quotas using Windows quota management tools.
SMB 2.1 was introduced with Windows 7 and Server 2008 R2; it brings minor performance improvements.
SMB3
SMB 3.0 (previously named SMB 2.2) was introduced with Windows 8 and Windows Server 2012.
The protocol introduces several important changes, such as SMB Direct (SMB over RDMA) and SMB Multichannel (several connections per SMB session), which add functionality and improve performance over SMB2, especially in virtualised data centres.
It also introduces several security enhancements, such as end-to-end encryption and a new AES-based signing algorithm.
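Tying together the recommendation above to remove SMB1 and the signing and encryption features that SMB3 adds, here is an added Python example (not Samba project code) that parses the [global] section of an smb.conf and reports whether SMB1 is still negotiable, whether signing is enforced and whether SMB3 encryption is required. The parameters server min protocol, server signing and smb encrypt are real Samba parameters; the two sample configurations, the dialect ordering and the conservative treatment of the bare SMB2/SMB3 aliases as the lowest dialect of their family are assumptions made for this example.

```python
# Added example (not Samba project code): audit the SMB hardening settings in
# the [global] section of an smb.conf.
# Real Samba parameters used: server min protocol, server signing, smb encrypt.
# The sample configurations below are constructed for this demonstration.

# SMB dialects as Samba names them, lowest to highest. NT1 is SMB1.
DIALECT_ORDER = ["NT1", "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
# Assumption for this check: a bare family name is read as the lowest dialect
# of that family, which is the conservative reading for a minimum.
DIALECT_ALIASES = {"SMB2": "SMB2_02", "SMB3": "SMB3_00"}

# Constructed sample: SMB1 still negotiable, signing and encryption not enforced.
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   # NT1 means SMB1 clients can still connect
   server min protocol = NT1
   server signing = auto
   smb encrypt = off
"""

# Constructed sample: SMB3 only, signing enforced, encryption required.
HARDENED_CONF = """
[global]
   workgroup = EXAMPLE
   server min protocol = SMB3_00
   server signing = mandatory
   smb encrypt = required
"""


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal smb.conf reader: [sections], 'key = value' lines, '#'/';' comments.
    Keys are lower-cased and inner whitespace collapsed, as Samba does."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def dialect_rank(value: str) -> int:
    """Position of a dialect name in DIALECT_ORDER (aliases resolved)."""
    name = value.strip().upper()
    name = DIALECT_ALIASES.get(name, name)
    if name not in DIALECT_ORDER:
        raise ValueError(f"unknown SMB dialect: {value!r}")
    return DIALECT_ORDER.index(name)


def audit_global(config_text: str) -> list[str]:
    """Return findings for the [global] section; an empty list means all checks pass."""
    g = parse_smb_conf(config_text).get("global", {})
    findings = []
    # Samba's built-in default for 'server min protocol' has been SMB2_02 since
    # 4.11, so an absent parameter already means SMB1 is off.
    min_proto = g.get("server min protocol", "SMB2_02")
    if dialect_rank(min_proto) < dialect_rank("SMB2_02"):
        findings.append(f"SMB1 negotiable: server min protocol = {min_proto}")
    # Signing lets the peer detect tampered packets; only 'mandatory' refuses
    # unsigned sessions from every client.
    signing = g.get("server signing", "default")
    if signing.lower() != "mandatory":
        findings.append(f"signing not enforced: server signing = {signing}")
    # SMB3 encryption protects data in transit; 'required' rejects clients that
    # cannot encrypt (SMB1 and plain SMB2 clients included).
    encrypt = g.get("smb encrypt", "default")
    if encrypt.lower() != "required":
        findings.append(f"encryption not required: smb encrypt = {encrypt}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_global(conf)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

To check a real server, pass the contents of its smb.conf to audit_global; running testparm -s first is useful, since the checker reads only what is written in the file and, apart from the SMB1 default, does not know Samba’s compiled-in defaults.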