SAMBA team plots ‘killer appliance’

All that and single sign-on too

The SAMBA team is working on code that will lead to "killer appliances" according to author Jeremy Allison. At the very least, it could offer an opportunity to reduce the need for many of the NT servers that are deployed today.

Winbind hooks into the authentication mechanism used by Linux and most commercial Unixes, and replicates user and group information that's stored on a Windows NT/2000 server. It offers a single sign-on to Windows user information and works transparently with existing Unix software. Currently, sites using the open source SAMBA replacement for Windows file-and-print services must keep the Windows user database and the SAMBA server's user information in sync, a pretty tedious job.

The code is slated for release later this year, but The Register has had a sneak preview. Although the code is still in a pretty rough state, it worked seamlessly with existing Linux software. For example, once logged in using Winbind, group information was visible in KDE's file properties box as well as ls and other command line programs.

"It's the missing link," says Allison, the joint lead for the Samba project. "With Winbind, a Linux, or a Solaris or HP-UX server simply becomes a member server. You still need a PDC [Windows primary domain controller] - but eventually we can replace the PDC."

It works like this. The Linux authentication model uses PAM, or pluggable authentication modules (yes, the M is redundant), originally devised by Sun but adopted by most other commercial Unixes. Client side programs such as ls, ftp su or login make a call to nsswitch, which goes and looks for modules - which might be Unix Yellow Pages, LDAP or local information. Winbind is simply another module - the Winbind daemon caches user information stored on a Windows server. The user only need login as usergroup\username at their terminal.

The Samba code is widely used as a replacement for Windows file and print services. In fact, according to Allison, SAMBA often works more efficiently than the SMB protocol it replaces: by checking the RPC strings for overflows (which is why SAMBA servers can resist crashes NT/2000 can't), as well as using obvious optimisations ignored by Windows. There's not much the team can do about designed-in Windows security flaws, such as sending passwords of new machine as Unicode text over the network.

Appliance manufacturers including Cobalt are already interested, says Allison. The code was developed with input from Sun, which doesn't use Samba in its Cascades code, which also tries to make Windows-hosted Windows services redundant by doing the same jobs on Solaris servers. ®

Sponsored: 10 ways wire data helps conquer IT complexity