who actually use their blog to deploy that to actual users. And with that point, if there is cargo doing the Samba stories. Okay. Thanks. So our talk will be stories about BattleFound N1. We are not Samba team developers, we are integrators. So Tranquil IT, we have a small contracting company, 15% in France since 2002, mostly in free software. But in the real world, we have free software and proprietary one, Windows. And so we have to do with it. And Samba is a piece of it that plug everything together. So we have some expertise and WAPT expertise, that is a software deployment configuration software that we have been developing for the last six years. And I mentioned it here because it's one part of our daily job with Samba when we are doing migration. It's also very important to control the desktops and the configuration of desktops. Because when you change big stuff on the server side, often you have to change a few things on the desktop side. So we have both large clients and smaller one. The large one is more interesting from a technical point of view. And the small one helps us to keep our feet on the floor and to know how it happens in the day-to-day world. So Samba and Tranquil IT, it's a long love story. It started in 2004 with Samba NT4 deployment. And actually in France it was quite huge, Samba deployment. And in 2011 we started Samba AD deployment. Like I said before, as long as you knew what to do and not to do, it was already ready for small, small-scale production. And actually we are supposed to be the leading Samba integrator in France, at least it's Google France, Google France, they say it. We are above the, with Samba 4 keyword, we are above Samba.org site. And yeah, up to now we have been doing mostly Samba NT4 to Samba AD deployment. But now with more and more people looking at Samba and the opportunity of this software, we also do more and more Microsoft Active Directory to Samba AD deployment. So that's a very good thing. 
And often when we do migration, there is a big part of it that's so restructuring. So there is some domain merge, renaming and fixing up stuff because most of the domains are something like five, 10 or 15 years old and they have some stuff to clean up. So Samba actually is very popular in France, perhaps to some other people in other countries, it seems strange. And in France, I don't know why, perhaps it's free as in beer syndrome. And we like free stuff in France, free as in speech syndrome, or perhaps just only the General de Gaulle syndrome. We don't like the American stuff and we want the French one. So you might say, oh my God, there are still NT4 domains running out there. Yeah, a lot of them in France. And actually it's moving very fast to Active Directory now, but it has been very strong. And Samba NT4 actually is not like a Microsoft NT4 domain which really sucks now. Samba with Samba, you still have the possibility to have LDAP, multi master replication, SMB2, SMB3 protocol, signing and encryption and every modern stuff on your NT4 domain. You just don't have Kerberos. But most of the other stuff, you could have it. But it's dying. Microsoft wants it to die. It's like NTLM is bad, NetBIOS is bad. You have to get rid of that. And on Windows 10, the last version, you have to force SMB1 on the domain controller for it to authenticate Windows 10 computers. So it just- WannaCry anymore? WannaCry? So if it's a big issue for many, many companies, they know it makes the switch to Active Directory faster. By the way, when I speak about Active Directory, it's Samba or Microsoft Active Directory. One or the other. Actually Active Directory is a set of technology, put together to provide authentication and identity management. Samba is a Samba implementation, Microsoft is a Microsoft implementation. So I will use Active Directory as just a technology around that. So we need to switch to AD and fast because NT4 is dying. 
So actually, when we are dealing with a real world deployment, we can see that there is a lot of creativity among a system administrator. Like in Samba 3, you had the possibility to tweak about every part of it. So people did tweak every part of it, single it, but like ID mapping and the type of database, the underscore in the names, you could have also a dot in NetBIOS name that make it very, very hopeful currently. And actually it makes it quite hard. And you can also have a not very friendly environment. Actually, when you've got Samba to Microsoft, to Active Directory Migration and NT4 to Active Directory, often people also have many other stuff on their network like old Red Hat 3. No, we cannot upgrade it. So software just run on that one, on Solaris 8. And I even had a NIS authentication to try to fix when we were upgrading. But it's always possible to set up a proper test environment. And so you know that everything will be fine when you will do the migration. Because the DC is the heart of the network. It's a DNS, NTP, and WINS. We try to kill it too. But in many networks, if you just stop WINS from one day to another, many things just break out because DNS are not properly set up. But that's one good part of our job is to try to clean up everything when we do it. And when you are doing your migration, you can find strange addressing plan. Like once we had a site, it was 2.0.0-8, the domain. And on the second site was 1.0.0.0.0-8. So we don't want to use that for our migration. But after the semi, hey, the ERP, we don't, there is nobody left in the company that know how to change the IP address. So we kept this IP address even during the migration. So you have to deal with many strange things. Many strange, like IP address 200-200.0016-16. I don't know what they got that one. The other one, 192.9, they started right, but they finished wrong. And we still have many people who have public IPv4 on their private network. 
And actually it's NATed on the internet. So we can find many strange things. Yeah, netbios.name and you can also, we had also a few migration from Microsoft with Microsoft Active Directory without dot in their Kerberos domain name. It can be done too. It's awful. And one thing that we think about security, we often think about the internet, the web, the peripheral protection. But actually for us, the wild west is inside with AIX, AS/400, and NT4, Solaris, and all the IoT and command and control machine. And I recently even had a VAX. VMS rules. For the first time for me. You know, it's like that's a software in the 80s after the company that does the software went T-SOP and so they took over the development and after their VAX computer went T-SOP, they went virtualizing, and then the virtualizing company went T-SOP and so they took over the virtualization software. And then in 2018, they're still using it. So, but at the heart of all this thing is identity access management, authentication. And for that, in order to tame your network and to tame your windows, it's nothing better than a Vino Linux and Samba is great for that. Some people may ask, how can you, how much does it scale? Currently with 4.7, you can have no problem when you're having like 10,000 users and 5,000 desktops and having many DCs with a new KCC, it's a software that does mapping between replication mapping between the different DCs. You can have a, we have a client with 80 DCs on his network. So yes, it can scale and more than 100 sites. So, and another thing is that RODC, it's a read-only domain controller, is another technology from Microsoft. It's been, has been almost, not completely, but most of it have been implemented in Samba which will be, which will make it possible to go very beyond those limits. 
Another thing is that in France, we have been working with quite large network and so that other people with larger one who came up to us and asking for, could Samba run on my network? Like something like 1,020, 120,000 users. And well, we went to Andrew and I think it might be hard. And so currently we had some financing to, to try to push Samba beyond those 100, 200,000 users. So it's really getting forward and getting very big. So for, for this type of scale, it should be for Samba 4.9 in a, in a September, in a September or October. I don't know what would be, at least for 4.9. So we have Samba at scale in a central administration of ministries, French ministries in the regional administration, in the city administration and even in defense, French military. You have it in industry, school and of course, school in universities and among those ones, there are still many on Samba 3, waiting to switch to Samba 4 and some of them is because of the scale factor. So there are really huge network to be migrated. So about some of our fond memories. It's like three years ago, I still, I went to a client, he was still running NT4 on a 13 year old machine. Well, when you open it, it was just a big mess inside, but it was still running. And another, and like I say, if it ain't broke, don't fix it, but well, nobody anymore knew what to do with it. So it was good to migrate to Samba AD. Another, it's a French research lab for space exploration when they think about the project over there, when they send something in spaces for something like 15 years, 20 years. So, old technology is everywhere. So I even found, yes, Solaris 8 NIS and a floppy drive, eight inches floppy drive. I think I never saw that in my life. Actually, they didn't find which computer was it to be for user, but well. And researchers are like artists and they try to have very high level of creativity. 
Another migration, we went to the client and the computer say that just when we doing the migration, you open, oh, no problem, we'll take the hard drive and just remake the RAID and stuff like that. And you open it and it's not a drive. That was an old one. And so, you just don't have anything to plug it in. So, you try to find a small IT business in the area to just plug your drive in order to finish a migration. Another one we had recently in the Caribbean, it's like when there was a hurricane season over there, it was just the client say hurry up for your migration before the cut electricity. So, sometimes it gets very, very busy. And one thing on migration that it's very important to do is to have a very good inventory of both your server and your desktops. Like a client telling me after the next morning after migration, oh yeah, we are missing 200 desktops for the migration. See, we didn't found them. And actually, our inventory was right. And theirs was wrong. But that's got something like 10% discrepancies. But when you have large thousands of desktops, well, there's just a few ones that are lost. And don't forget the DHCP. Like when you got 100,000 users and during the night you forget the DHCP to migrate the DHCP, it's a very, it's not a good morning. So, an example I took two years ago at Samba XP and that was quite a nice one. It's like in Africa, we had central banks that had to be, that was using Samba 3 NT4 and for security reasons they had to migrate to Active Directory. And they were, in this country, they tried to provide, to be as an example for other companies and to show that free software can be used and can save money. So, they went to Samba Active Directory, not Microsoft Active Directory. So, we had 24 sites, 2,000 users in eight countries and two time zones. And the VPN was going through satellite link, two megabits by two megabit per second and 8,800 millisecond latency. 
So, well, the next time you've got issues with your network, just think about them. And actually, when I asked them, well, you could use, you have money, you could buy better links and fiber optics and stuff like that. And just look at me. And when you've got a coup d'etat or whatever, they cut the link, the satellite link is still up. So, satellite link is important. So, that great dedicated team and a very skilled one, one of the best team I've been working with because they even had a satellite antenna that failed because of a hurricane during the migration and we finished the migration using texting and some other way of communication. We had another site, the diesel generator failed and they tell me, well, just put it next week because we will never have four hours of electricity, continuous electricity. No way. So, and actually, even during that time, we had a coup d'etat in a Burkina Faso and, well, they look at who did the coup d'etat and they tell me, huh, in eight days should be okay. And eight day after, we did the migration. Very, very great people. Special skills. Special skills. So, we had a, so the migration, actually it was both a migration to Samba AD and a domain merge. So, it was 24 Samba NT4 domains merged into one. And just to tell you that Samba works even on a very strict network, we had 802.1x authentication. So, it was both for the Kerberos account machine, Kerberos account and user Kerberos account. And it's a Cisco AnyConnect. So, it's not FreeRADIUS or whatever. It was a proprietary software that was plugged into Samba and all the authentication 802.1x authentication went properly. And we had very strict ACLs and VPN topology was only a star topology. And one site could not see the other site, only the main data center. So, it was very strict and well, Samba worked. So, after all of this, I just would say, so stop complaining next time you got a problem. And think about this example. 
So, another project we did recently, the Ministry of Agriculture in France. It's 3,000 users on eight sites and 3 DCs with fiber optics between all the sites. It was great and low latency and everything. So, it was just a migration of one domain from NT4 to Samba AD. And it's like Samba is an easy part. We finished the migration at 9 p.m. And we went to bed at 5 a.m. Because we had to deal with everything that was around in the network and to double check that everything was working fine. And actually one thing that we forgot because it was on maintenance that day was the entrance, the visitor entrance software. When we came back the next morning, we were locked out. And so, I had to negotiate with the security guy to let me enter to fix it. So, I couldn't enter. So, another more recent example is the Ministry of Culture in France. It's 8,000 users. So, for this one, it's only the central administration. So, it's only the Paris offices and stuff like that. It's not the regional. So, it's only a few sites. It's not so big. But for the Ministry of Culture, it's the whole network with all the regional offices. So, it's 8,000 users on 170 sites. So, both in France and in the islands. And so, we had something like 150 domains and we did a domain merge going from 150 to 16 domain. So, we had to merge with both all the user database. And like I said before, a big part of the work has to be done on the desktop side. So, we used WAPT for the configuration management. So, for the profile migration and rejoin the desktop and reconfigure all the network settings. And so, the next step of the project is to go from 16 domains to one. Actually, when doing a migration like this, one part of it is also a human part and a political part. So, we have sometimes we need to... It's not only the technologies that dictate the planning. Sometimes it's also the organizational part. So, well, sometimes we don't always win. Like, University in the South of France. It was two years ago. 
And they had three domains to merge. Two Samba NT4 and one MS AD. It was a domain merging for... And so, 100K desktop and 80,000 users. So, it was a ballot between Samba 4 and MS AD. And Microsoft made a 90% rebate on all their license. And from our side, we knew that we were reaching mostly the safe limits from at that time. So, well, they went Microsoft, but I hope to get them back next time. Another little bit of a recent one that we are... Actually, it's this week. A contractor in UK that had a new client at Samba 4 AD on his site, but he didn't know any command line on Linux. So, he tried to, using the wiki of Samba, was able to mostly do it right on his Samba AD. But when he decommissioned the Samba from his domain, and only the Microsoft one, everything just broke. And so, he called Microsoft, which didn't succeed at making it back up. So, Microsoft gave up. And so, they called another British company that told to call us. And so, we used Samba to recreate the domain, just recreating a new domain with the same SID as the old one, piping all the object inside, all the user object, and all the computer object, and the groups. And then, after that, we joined an MS AD 2008, and decommissioned the Samba, and then switched to 2016. And he was happy. But he promised me to get some Samba and Linux training. Ah! So, for... So, it's... And like I was thinking, if we can, every two years, switch them from Linux to Windows, and send them from Linux to Windows to Linux, and it's a good business, too. So, things to remember when you do migration. Most of the time, the Samba part is not the hard part. It's the historical stuff is problematic. So, be sure to clean up your LDAP, to clean up all your old users that does not exist for the last five years, and that have not been for the last five years. Clean up the computer's account. In most of our migration, we always have something like 30% of extra accounts that we shouldn't be there. 
So, identity management is still a big stuff to... It's still a big stuff in companies to make them better. So, have an inventory that everything is connecting to your LDAP and domain authentication. It's like this when we were at the agriculture, and we were locked out, because we forgot to change that one. But it was not totally our fault, because it was changed by another team, the security team, and the leading informers. Inventory your desktops. Because when you do migration, you want to be sure that everything migrates properly. So, you have to know which desktop is still there and which one is not, and which one is away. And the migration, whether it is Microsoft, Samba Migration, or NT4 to AD Migration, in any case, migration is the easy part. It's everything that is around that is hard, so just check everything, and you need a good configuration management tool for your desktops. So, SCCM for Microsoft, or WAPT, or LANDesk, or whatever, there are many at your possible, but it's a very important part of it. And one last thing I wanted to point out is like a few days ago, there was Andrew Bartlett, no, last week, Andrew Bartlett gave a talk in Australia speaking about evolution of Samba, and speaking about French government, and stuff like that. And so, there was many comments and saying, oh, Samba is SMB, is old technology, is dead, and whatever, whatever. Well, I wanted to say that Samba team is kicking and alive and kicking, and there are very many, very great developers and working hard. Ourselves, we are not Samba developers, we are integrators. And Samba needs dollars, no, not pizza. It's written on the website. And so, currently, in the last two years, we have been able to work with French government, mainly, many French government for financing, and some parts of Samba, which allows them to better manage the priorities and the schedule for new functionalities that are required for the deployment. 
So, French public administration have been heavily involved in the Active Directory part, not the SMB file server part, but in the Active Directory part. And one very good thing is that recently, the French ANSSI, it's a cyber security agency of the French government, has been looking in a more detailed way into Samba, because, in part because of us, because we put Samba everywhere. So, they want to have a better control on that. And so, they started to look into it. So, I think I went too fast, but time for question. We have 15 minutes for questions. Yeah. So, a big thanks to Samba team for all the great work they are doing. And so, our website with our wiki is dev.tranquil.it. And we have a company Twitter account, but for personal, we have only our good old mail. And for your computer management, don't forget to take a look at WAPT, I think it's a very useful for migration, Samba migration. Thanks a lot for your patience. And one. The questions ask, please, we keep them. Okay. On the migration projects, you walk through every desktop personally, and you are a very remote. Yeah, that's why I was talking about good configuration management software. It's when we do the migration, most of the time we do it in the evening, at week time, during week time, not on the weekend, because actually, everything mostly works if you do it right. And you need users to see the details. So, it's no use to do it on Saturday evening because if there is nobody, just the IT guys to be there on Sundays and so, ah, sorry, just. So the question was, when you do a migration, do you have to go to every desktops and to switch a configuration, local configuration? So no, like I was talking about configuration management and that's why I was insisting on that part. It's because it's what would take the most of the time if it is not done right. More questions? Do you have any experience with integrating trust relationships with members of the IT domain? 
So, I think we have, we have Volker there that could speak a bit more about trust relationships. It's, we have not, most of the time when we have this problem, we do merge. So we don't have to deal with trust relationships. It's getting better. I think, I think I didn't repeat the question either. So, the question was about trust relationships if we are using it in production and on, you know, at work lines. So currently we are not using it. It's getting, because it has been, it was, it's getting better. I don't know what's the status, Volker. Ah, Andreas. It should work pretty good with 4.7 so trust between Samba AD or Microsoft AD. Okay. So, Andreas tell me that it's worked, it should work properly with 4.7. So, what for a long time is Samba being the trusted environment. What we are working on is Samba being the kind, the trusting one. And so, it has some support for Congress that has worked for a while. What we are still working on and it tells me that it will be customer ready with some guidance for it. Okay. So, the trust relationship is already working mainly in 4.7 and in 4.8 it should be customer ready. I don't know if it is a microphone for... We don't know. We don't know. Yes, but you cover it. So, you mostly talked about NT4 to Samba AD migration. What about Microsoft AD to Samba AD migration? Do these projects come often nowadays? So, the question is... The question is mainly we are doing Samba NT4 to Samba AD migration. And is it Microsoft AD to Samba AD? Is it starting to get more often? Well, in the beginning of Samba 4 it was actually almost none, a few years, but no more. But now we get much more interest into Samba 4 AD because it's getting much more mature. And the thing that everybody that is Active Directory 2008 R2, they are still most of the Active Directory domain I think are still on 2000 R2, so on 8 R2. And the support is going to stop pretty shortly. 
So, here they have a real case of choosing between migrating to 2016 and buying all the licenses and all the client access licenses. Also, the time is not the problem with the server license. It's a client access license that's cost a lot. And so, many people are looking at Samba, more and more people are looking at Samba 4 AD. So, they are looking at, but you don't have concrete projects right now? Yeah, we did a few one. A few one? But it's more with smaller, like small business like 100 or 200 users. We didn't have very large network. It's perhaps, I hope, soon. Oh, do I? Yes? What's your favorite Linux distribution to work with? So, what's my favorite Linux distribution? So, for me at the office, I'm on Debian. But for most of the larger clients are on Red Hat or CentOS. So, hmm. But Red Hat has no Active Directory package right now. So, the question is, Red Hat currently does not have Samba AD compiled on Red Hat. So, one of the issues, and there are a few Red Hat people here, may correct me if I'm wrong. But it's MIT Kerberos is a central part of Red Hat. And as long as Samba is not fully worked with MIT Kerberos, it cannot be included in CentOS or Red Hat natively. But it's in Fedora already. And it's getting in CentOS. So, what we are doing currently with Samba AD on CentOS is we are recompiling with Heimdal. So, it's not a standard Red Hat approved way of doing things. But it's the mostly tested way. Only does Active Directory and Domain Controller, you don't run other services on the same machine. We deploy a machine that only does the domain controller. So, the question is, if we deploy a machine that does only Domain Controller, it's like, yeah, when you are going to larger clients, they get very picky on security. And so, whether it be Microsoft or Samba, Active Directory is the most essential part of the security. If Active Directory is pwned, then your whole network is at risk. 
So, you try to put as few stuff on Active Directory as you can because each of the extra stuff is an extra attack path. Thank you. Regarding Red Hat, Red Hat has a product called IdM, Identity Management. Do you have any integrations with that? Do they comply with each other or how do you see that? So, you are talking about FreeIPA. I think, yeah. So, I think Alexander would be better answer the question here. For us, we have been using Samba since the beginning and we are mostly happy with it. And I think FreeIPA is more dedicated to Linux, Red Hat Linux desktops. But after, for the difference, I think perhaps Alexander would be better answer that. So, I'm working actually on FreeIPA at Red Hat. And I am working on Samba as well. And my colleague, Andreas, will do the next talk exactly about what we are doing with Samba AD in Fedora. But we spend a lot of time together with our partners doing the upstream Samba development, making them FreeIPA in Samba to interoperate. So, there is support for trust between Samba AD and FreeIPA already implemented by the guys from SerNet, mostly Metze and some others. And it's still not working for MIT Kerberos. We have like a single thing to fix there, some hashing issue. But that's the only thing limiting. And that's it. But I'm not going to overtake this session for IPA. No, that's not. Yeah. So, we have five minutes. Yeah. So, Chromebooks now. Yes, we haven't finished yet. Yeah, sorry. So, Jeremy here. Google Chromebooks now are Active Directory to support. I wonder if you tested it in any of your Samba 4 or did they want to try running Chromebooks? I mean, it should work. Yeah. Actually, like I think when we are talking about the De Gaulle syndrome, I think it's about the same as Chromebooks currently in France. It's picking up slowly, but much slower than in the US. How do you try it? I've looked at the documentation and all that, but we don't have Chromebook in our cell. But it should be... 
Actually, we didn't have any clients asking for it yet. So, that's the reason. Yeah, I mean, it should work. There should be no difference between the Microsoft dating companies or something, but I just wouldn't be happy anywhere else to try it. So, just to underline the level of compatibility of Samba 4 is that Cisco AnyConnect, which integrates quite heavily with the Kerberos part of Active Directory, it worked for authentication, for network authentication of Kerberos account and machine Kerberos account and user Kerberos account and on the switches, Cisco switches. So, the level of compatibility of Samba is really already very high. That was three years ago. That was three years ago, so now it's much, much better. Go? With the sites I've got running Samba AD, my big problem is getting the information in and out of AD. And I tend to have to look at my clients and say the tools on Windows are better for being like this. Are there any tools you could recommend on Linux but getting information in and out of AD? So, the question is what tools we can use for getting information in and out of AD? So, since Samba 4 is replicating the different protocols of Microsoft AD, so also current tools like RSAT, user and console, GPO console and DNS console, all that work out of the box. After, if you are using PowerShell, there are some PowerShell modules using HTTPS, which HTTP connection, which won't work. But after, you have got a LDAP and directly on Linux, you could have a ldbsearch and if you know a bit of Python, Samba is just much better. Come on, give you the mic. I just want to point you at the samba-tool. So, we have samba-tool user, samba-tool group and colleague of mine has just been expanding on this. For example, move users somewhere else and all that stuff. And that's pure Python, directly accessing the local databases. And so, if you are not afraid of having a few lines of script, actually Samba AD is much easier to manage than Microsoft AD. 
With this, we have time. Thank you very much.