Unforking Samba4: The Success!
Presented by Andrew Bartlett of Catalyst // 2015-05-21
Andrew Bartlett
● Samba Team member for 14 years
● Key developer on the Samba AD DC component
● Based in Wellington, NZ
● Thank you to:
  – My employer, Catalyst, for their great support
  – Tranquil IT for funding my travel to Europe
The great success
● We released Samba 4.0
  – I wish I had been here for the party!
  – It took time, but we didn't lose sight of the goal
● In doing so, we reunited as a Team
  – Stronger together!
● Taking on new challenges like SMB3 and inter-forest trust
Our roller-coaster ride
● Samba forked
  – We didn't like to say it, but that is the reality
  – Both a social and a technical fork
● Many, many team members worked really hard to undo the damage
  – I will speak mostly about the areas I was involved in
  – Much great work by many others
● With Samba 4.0, we finally merged again
How did we get to 4.0? – a timeline
● Technical and social steps
● Merge team motto:
  – "Solving social problems with technical solutions since..."
[Timeline figure, 2004 to 2012. Milestones shown: Samba4 development starts; Franky proposal; Named pipe forwarding; s3compat; IDL files merged; Combined GIT tree; waf introduced; Combined build; Single make test; GENSEC; s3fs proposed; s3fs done; net4 » samba-tool; 'as is' release; 4.0 released!]
Beyond 4.0, merge work to 4.2 and beyond
● A decade later, and we still have work to do
  – Will we ever get beyond source3/source4?
[Timeline figure, 2004 to 2016. Milestones shown: Samba4 development starts; 4.1 released; Autoconf removed; Winbindd merge; 4.2 released; Datagram messaging; What next?]
Unlocking possibilities
● Each merge step enables another
● Named pipe forwarding showed this was possible
● Merging the tree stopped version skew
● Merging the IDL avoided pointless diversion
● Merging the build systems enabled a merged test
● Merging loadparm wrappers enabled sharing of more complex code
● Passdb and auth modules provided the glue
● Merging GENSEC enabled merging schannel fully
● Merging winbindd enabled inter-forest trusts
Not the only way it could have been done
● I'm not interested in re-arguing the past
  – But I do have some apologies for my tone and behaviour at points
● I am interested in explaining why we did what we did
● Samba continues to evolve
Named pipe forwarding
● The first and longest-lasting part of the Franky effort
● Allows ncacn_np connections to be answered by the AD DC
Using common IDL and PIDL
● We had two divergent sets of IDL
  – Merged
● We had hand-generated NDR
  – Replaced
● We had different copies of pidl
  – Merged
Authentication
● The most sensitive area of the merge
  – A key part of the original s3compat effort
  – Perhaps single-handedly derailed that merge
● Key requirement:
  – Consistent behaviour
● Key implementation pattern
  – Code merge where possible
  – Plugin-based code replacement otherwise
Common IDL and structures in auth
● Authentication
  – auth_usersupplied_info made common
  – auth4_context made available in common
● Authorization
  – auth_session_info made in common
  – Replaced netr_SamInfo3 in named_pipe_auth.idl
  – Replaced auth_serversupplied_info with auth_session_info (slowly)
NTLMSSP merge
● We had:
  – two NTLMSSP clients
  – two NTLMSSP servers
● We merged the NTLMSSP servers into libcli/auth
● And moved the source4 NTLMSSP client into libcli/auth
● A GENSEC module was built around the new common code
auth_generic – the Trojan horse
● A very poor disguise for GENSEC
● Initially only the rpc_server code
  – Nominally wrapping the NTLMSSP gensec module
  – But written such that it could wrap anything
● Also unified the code in the SMB / SMB2 servers
GENSEC
● GENSEC was merged into common
● Replaced the similar gse layer in the source3 RPC server
  – gse_krb5 became a gensec module
● Removed duplication of code in the SMB / SMB2 file server
● Created a common abstraction
  – over the remaining existing source3 code
  – Able to be replaced by plugin from the source4 code
Full GSSAPI for SMB
● The big 'not incremental' step was to
  – Remove the fake GSSAPI server from source3
  – Replace it with one using gse_krb5
● This is what increased the MIT krb5 minimum to 1.8
auth_samba4
● Much more than a normal auth module
  – Simply loading auth_samba4 causes hook functions to run
  – Forces AD DC mode on the rest of the auth/GENSEC subsystems
● Totally overrides all the GENSEC plugins
  – Allows a different, forced set of modules to run
● Local group handling and idmap lookup forced via AD DC codepaths
● The 'normal' NTLM functions are only called from winbindd
  – For local user authentication on a RWDC
Regarding auth_netlogond?
● I'm not proud of my behaviour in removing that code
● Moving the NTLM auth to an IPC mechanism may still be possible
PASSDB
● Important so that existing tools keep working
  – smbpasswd
  – net
  – pdbedit
● Also used in winbindd and in smbd
  – Very helpful hook for idmap override
● An important access method for upgrades
  – samba-tool domain classicupgrade
pdb_samba_dsdb
● Built for the needs of classicupgrade first
  – Offline access was required
    ● no DC until provision finished
  – Uses the LDB API (helper functions)
  – Based on pdb_ads by Volker
● Idmap hooks read the local idmap.ldb used in the AD DC
● Get/Set trusted domain credentials
Regarding pdb_ads?
● I'm not proud of my behaviour in removing that code
● pdb_samba_dsdb can use ldapi:// URLs if desired, once the server is running
Build systems
● The combined waf build has been critical
● Removing autoconf was even more important in the long term
  – No more hand-crafted object lists
Testing
● Combined make test
● Tests AD domain member against our AD DC, for example
● All run from selftest.pl in selftest/
● Glued together rather than integrated
  – Done early in the process to reduce breakage and improve tests
Test code in smbtorture{3,4}
● Even at the darkest points of the split, tests were written in smbtorture4
● The 'merged build' was for building smbtorture4
● But many simple tests were still added to smbtorture3
● Blackbox test scripts scattered over the codebase
Test environments
● selftest/target/Samba.pm is the glue
  – selftest/target/Samba3.pm
  – selftest/target/Samba4.pm
● Left over from when we had to be able to test autoconf alone
● Michael Adam did a long overdue rename in 2015
Messaging
● We now use a common datagram-based messaging bus
  – Thanks to Volker Lendecke
● Initial use is for smbcontrol to obtain a talloc report