Difference between revisions of "Samba 4.9 Features added/changed"

m (Password Settings Objects added link to explanation)
(samba-tool ntacl sysvolreset is now much faster added link)
Line 147: Line 147:
====samba-tool ntacl sysvolreset is now much faster====
====samba-tool ntacl sysvolreset is now much faster====
The 'samba-tool ntacl sysvolreset' command, used on the Samba AD DC, is now much faster than in previous versions, after an internal rework.
The [[Sysvolreset|  'samba-tool ntacl sysvolreset']] command, used on the Samba AD DC, is now much faster than in previous versions, after an internal rework.
====Samba now tested with CI GitLab====
====Samba now tested with CI GitLab====

Revision as of 08:53, 15 September 2018

Samba 4.9 is Current Stable Release.

Samba 4.9.0

Release Notes for Samba 4.9.0
September 13, 2018

Release Announcements

This is the first stable release of the Samba 4.9 release series. Please read the release notes carefully before upgrading.


'net ads setspn'

There is a new 'net ads setspn' sub command for managing Windows SPN(s) on the AD. This command aims to give the basic functionality that is provided on windows by 'setspn.exe' e.g. ability to add, delete and list Windows SPN(s) stored in a Windows AD Computer object.

The format of the command is:

net ads setspn list [machine]
net ads setspn [add | delete ] SPN [machine]

'machine' is the name of the computer account on the AD that is to be managed. If 'machine' is not specified the name of the 'client' running the command is used instead.

The format of a Windows SPN is

 'serviceclass/host:port/servicename' (servicename and port are optional)

serviceclass/host is generally sufficient to specify a host based service.

'net ads keytab' changes

net ads keytab add no longer attempts to convert the passed serviceclass (e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD computer object. By default just the keytab file is modified.

A new keytab subcommand 'add_update_ads' has been added to preserve the legacy behaviour. However the new 'net ads setspn add' subcommand should really be used instead.

net ads keytab create no longer tries to generate SPN(s) from existing entries in a keytab file. If it is required to add Windows SPN(s) then 'net ads setspn add' should be used instead.

Local authorization plugin for MIT Kerberos

This plugin controls the relationship between Kerberos principals and AD accounts through winbind. The module receives the Kerberos principal and the local account name as inputs and can then check if they match. This can resolve issues with canonicalized names returned by Kerberos within AD. If the user tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase), Kerberos would return ALICE as the username. Kerberos would not be able to map 'alice' to 'ALICE' in this case and auth would fail. With this plugin account names can be correctly mapped. This only applies to GSSAPI authentication, not for getting the initial ticket granting ticket.

VFS audit modules

The vfs_full_audit module has changed its default set of monitored successful and failed operations from "all" to "none". That helps to prevent potential denial of service caused by simple addition of the module to the VFS objects.

Also, modules vfs_audit, vfs_ext_audit and vfs_full_audit now accept any valid syslog(3) facility, in accordance with the manual page.

Database audit support

Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log entries.

Transaction commits and roll backs are now logged to Samba's debug logs under the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for JSON formatted log entries.

Password change audit support

Password changes in the AD DC are now logged to Samba's debug logs under the "dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON formatted log entries.

Group membership change audit support

Group membership changes on the AD DC are now logged to Samba's debug log under the "dsdb_group_audit" debug class and "dsdb_group_json_audit" for JSON formatted log entries.

Log Authentication duration

For NTLM and Kerberos KDC authentication, the authentication duration is now logged. Note that the duration is only included in the JSON formatted log entries.

JSON library Jansson required for the AD DC

By default, the Jansson JSON library is required for Samba to build. It is strictly required for the Samba AD DC, and is optional for builds "--without-ad-dc" by specifying "--without-json-audit" at configure time.

New Experimental LMDB LDB backend

A new Experimental LDB backend using LMDB is now available. This allows databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be increased in a future release). To enable lmdb, provision or join a domain using the "--backend-store=mdb" option.

This requires that a version of lmdb greater than 0.9.16 is installed and that samba has not been built with the "--without-ldb-lmdb" option.

Please note this is an experimental feature and is not recommended for production deployments.

Password Settings Objects

Support has been added for Password Settings Objects (PSOs). This AD feature is also known as Fine-Grained Password Policies (FGPP).

PSOs allow AD administrators to override the domain password policy settings for specific users, or groups of users. For example, PSOs can force certain users to have longer password lengths, or relax the complexity constraints for other users, and so on. PSOs can be applied to groups or to individual users. When multiple PSOs apply to the same user, essentially the PSO with the best precedence takes effect.

PSOs can be configured and applied to users/groups using the 'samba-tool domain passwordsettings pso' set of commands.

Domain backup and restore

A new 'samba-tool' command has been added that allows administrators to create a backup-file of their domain DB. In the event of a catastrophic failure of the domain, this backup-file can be used to restore Samba services.

The new 'samba-tool domain backup online' command takes a snapshot of the domain DB from a given DC. In the event of a catastrophic DB failure, all DCs in the domain should be taken offline, and the backup-file can then be used to recreate a fresh new DC, using the 'samba-tool domain backup restore' command. Once the backed-up domain DB has been restored on the new DC, other DCs can then subsequently be joined to the new DC, in order to repopulate the Samba network.

Domain rename tool

Basic support has been added for renaming a Samba domain. The rename feature is designed for the following cases:

  1. Running a temporary alternate domain, in the event of a catastrophic failure of the regular domain. Using a completely different domain name and realm means that the original domain and the renamed domain can both run at the same time, without interfering with each other. This is an advantage over creating a regular 'online' backup - it means the renamed/alternate domain can provide core Samba network services, while trouble-shooting the fault on the original domain can be done in parallel.
  2. Creating a realistic lab domain or pre-production domain for testing.

Note that the renamed tool is currently not intended to support a long-term rename of the production domain. Currently renaming the GPOs is not supported and would need to be done manually.

The domain rename is done in two steps:

first, the 'samba-tool domain backup rename' command will clone the domain DB, renaming it in the process, and producing a backup-file.
Then, the 'samba-tool domain backup restore' command takes the backup-file and restores the renamed DB to disk on a fresh DC.

New samba-tool options for diagnosing DRS replication issues

The 'samba-tool drs showrepl' command has two new options controlling the output. With --summary, the command says very little when DRS replication is working well. With --json, JSON is produced. These options are intended for human and machine audiences, respectively.

The 'samba-tool visualize uptodateness' visualizes replication lag as a heat-map matrix based on the DRS uptodateness vectors. This will show you if (but not why) changes are failing to replicate to some DCs.

Automatic site coverage and GetDCName improvements

Samba's AD DC now automatically claims otherwise empty sites based on which DC is the nearest in the replication topology.

This, combined with efforts to correctly identify the client side in the GetDCName Netlogon call will improve service to sites without a local DC.

Improved 'samba-tool computer' command

The 'samba-tool computer' command allow manipulation of computer accounts including creating a new computer and resetting the password. This allows an 'offline join' of a member server or workstation to the Samba AD domain.

New 'samba-tool ou' command

The new 'samba-tool ou' command allows to manage organizational units.

Available subcommands are:

 create       - Create an organizational unit.
 delete       - Delete an organizational unit.
 list         - List all organizational units
 listobjects  - List all objects in an organizational unit.
 move         - Move an organizational unit.
 rename       - Rename an organizational unit.

In addition to the ou commands, there are new subcommands for the user and group management, which can make use of the organizational units:

 group move   - Move a group to an organizational unit/container.
 user move    - Move a user to an organizational unit/container.
 user show    - Display a user AD object.

Samba performance tool now operates against Microsoft Windows AD

The Samba AD performance testing tool 'traffic_reply' can now operate against a Windows based AD domain. Previously it only operated correctly against Samba.

DNS entries are now cleaned up during DC demote

DNS records are now cleaned up as part of the 'samba-tool domain demote' including both the default and '--remove-other-dead-server' modes.

Additionally, DNS records can be automatically cleaned up for a given name with the 'samba-tool dns cleanup' command, which aids in cleaning up partially removed DCs.

samba-tool ntacl sysvolreset is now much faster

The 'samba-tool ntacl sysvolreset' command, used on the Samba AD DC, is now much faster than in previous versions, after an internal rework.

Samba now tested with CI GitLab

Samba developers now have pre-commit testing available in GitLab, giving reviewers confidence that the submitted patches pass a full CI before being submitted to the Samba Team's own autobuild system.

Dynamic DNS record scavenging support

It is now possible to enable scavenging of DNS Zones to remove DNS records that were dynamically created and have not been touched in some time.

This support should however only be enabled on new zones or new installations. Sadly old Samba versions suffer from BUG #12451 and mark dynamic DNS records as static and static records as dynamic. While a dbcheck rule may be able to find these in the future, currently a reliable test has not been devised.

Finally, there is not currently a command-line tool to enable this feature, currently it should be enabled from the DNS Manager tool from Windows. Also the feature needs to have been enabled by setting the smb.conf parameter "dns zone scavenging = yes".

Improved support for trusted domains (as AD DC)

The support for trusted domains/forests has been further improved.

External domain trusts, as well a transitive forest trusts, are supported in both directions (inbound and outbound) for Kerberos and NTLM authentication.

The following features are new in 4.9 (compared to 4.8):

  • It's now possible to add users/groups of a trusted domain into domain groups. The group memberships are expanded on trust boundaries.
  • foreignSecurityPrincipal objects (FPO) are now automatically created when members (as SID) of a trusted domain/forest are added to a group.
  • The 'samba-tool group *members' commands allow members to be specified as foreign SIDs.

However there are currently still a few limitations:

  • Both sides of the trust need to fully trust each other!
  • No SID filtering rules are applied at all!
  • This means DCs of domain A can grant domain admin rights in domain B.
  • Selective (CROSS_ORGANIZATION) authentication is not supported. It's possible to create such a trust, but the KDC and winbindd ignore them.
  • Samba can still only operate in a forest with just one single domain.

CTDB changes

There are many changes to CTDB in this release.

  • Configuration has been completely overhauled
  • Daemon and tool options are now specified in a new ctdb.conf Samba-style configuration file. See ctdb.conf(5) for details.
  • Event script configuration is no longer specified in the top-level configuration file. It can now be specified per event script. For example, configuration options for the 50.samba event script can be placed alongside the event script in a file called 50.samba.options. Script options can also be specified in a new script.options file. See ctdb-script.options(5) for details.
  • Options that affect CTDB startup should be configured in the distribution-specific configuration file. See ctdb.sysconfig(5) for details.
  • Tunable settings are now loaded from ctdb.tunables. Using CTDB_SET_TunableVariable=<value> in the main configuration file is no longer supported. See ctdb-tunables(7) for details.
A example script to migrate an old-style configuration to the new style is available in ctdb/doc/examples/config_migrate.sh.
  • The following configuration variables and corresponding ctdbd command-line options have been removed and not replaced with counterparts in the new configuration scheme:
   CTDB_PIDFILE                      --pidfile
   CTDB_SOCKET			     --socket
   CTDB_NODES			     --nlist
   CTDB_PUBLIC_ADDRESSES	     --public-addresses
   CTDB_EVENT_SCRIPT_DIR	     --event-script-dir
   CTDB_NOTIFY_SCRIPT		     --notification-script
   CTDB_PUBLIC_INTERFACE	     --public-interface
   CTDB_MAX_PERSISTENT_CHECK_ERRORS  --max-persistent-check-errors
  • ify.d/ subdirectory of the configuration directory are now run by unconditionally.
  • Interfaces for public IP addresses must always be specified in the
public_addresses file using the currently supported format.
Some related items that have been removed are:
  • The ctdb command's --socket command-line option
  • The ctdb command's CTDB_NODES environment variable
When writing tests there are still mechanisms available to change the locations of certain directories and files.
  • The following ctdbd.conf and ctdbd options have been replaced by new ctdb.conf options:
   CTDB_LOGGING/--logging                     logging  -> location
   CTDB_DEBUGLEVEL/-d                         logging  -> log level
   CTDB_TRANSPORT/--transport                 cluster  -> transport
   CTDB_NODE_ADDRESS/--listen                 cluster  -> node address
   CTDB_RECOVERY_LOCK/--reclock               cluster  -> recovery lock
   CTDB_DBDIR/--dbdir                         database -> volatile database directory
   CTDB_DBDIR_PERSISTENT/--dbdir-persistent   database -> peristent database directory
   CTDB_DBDIR_STATE/--dbdir-state             database -> state database directory
   CTDB_DEBUG_LOCKS                           database -> lock debug script
   CTDB_DEBUG_HUNG_SCRIPT                     event    -> debug script
   CTDB_NOSETSCHED/--nosetsched               legacy   -> realtime scheduling
   CTDB_CAPABILITY_RECMASTER/--no-recmaster   legacy   -> recmaster capability
   CTDB_CAPABILITY_LMASTER/--no-lmaster       legacy   -> lmaster capability
   CTDB_START_AS_STOPPED/--start-as-stopped   legacy   -> start as stopped
   CTDB_START_AS_DISABLED/--start-as-disabled legacy   -> start as disabled
   CTDB_SCRIPT_LOG_LEVEL/--script-log-level   legacy   -> script log level
  • Event scripts have moved to the scripts/legacy subdirectory of the configuration directory
Event scripts must now end with a ".script" suffix.
  • The "ctdb event" command has changed in 2 ways:
  • A component is now required for all commands
In this release the only valid component is "legacy".
  • There is no longer a default event when running "ctdb event status"
Listing the status of the "monitor" event is now done via:
ctdb event status legacy monitor
See ctdb(1) for details.
  • The following service-related event script options have been removed:
Event scripts for services are now disabled by default. To enable an event script and, therefore, manage a service use a command like the following:
   ctdb event script enable legacy 50.samba
  • Notification scripts have moved to the scripts/notification subdirectory of the configuration directory
Notification scripts must now end with a ".script" suffix.
  • Support for setting CTDB_DBDIR=tmpfs has been removed
This feature has not been implemented in the new configuration system. If this is desired then a tmpfs filesystem should be manually mounted on the directory pointed to by the "volatile database directory" option. See ctdb.conf(5) for more details.
  • The following tunable options are now ctdb.conf options:
   DisabledIPFailover    failover -> disabled
   TDBMutexEnabled       database -> tdb mutexes
  • Support for the NoIPHostOnAllDisabled tunable has been removed
If all nodes are unhealthy or disabled then CTDB will not host public IP addresses. That is, CTDB now behaves as if NoIPHostOnAllDisabled were set to 1.
  • The onnode command's CTDB_NODES_FILE environment variable has been removed
The -f option can still be used to specify an alternate node file.
  • The 10.external event script has been removed
  • The CTDB_SHUTDOWN_TIMEOUT configuration variable has been removed
As with other daemons, if ctdbd does not shut down when requested then manual intervention is required. There is no safe way of automatically killing ctdbd after a failed shutdown.
  • CTDB_SUPPRESS_COREFILE and CTDB_MAX_OPEN_FILES configuration variable have been removed
These should be setup in the systemd unit/system file or, for SYSV init, in the distribution-specific configuration file for the ctdb service.
  • CTDB_PARTIALLY_ONLINE_INTERFACES incompatibility no longer enforced
11.natgw and 91.lvs will no longer fail if CTDB_PARTIALLY_ONLINE_INTERFACES=yes. The incompatibility is, however, well documented. This option will be removed in future and replaced by sensible behaviour where public IP addresses simply switch interfaces or become unavailable when interfaces are down.
  • Configuration file /etc/ctdb/sysconfig/ctdb is no longer supported

GPO Improvements

The 'samba_gpoupdate' command (used in applying Group Policies to the samba machine itself) has been renamed to 'samba_gpupdate' and had the syntax changed to better match the same tool on Windows.


smb.conf changes

As the most popular Samba install platforms (Linux and FreeBSD) both support extended attributes by default, the parameters "map readonly", "store dos attributes" and "ea support" have had their defaults changed to allow better Windows fileserver compatibility in a default install.

 Parameter Name                     Description             Default
 --------------                     -----------             -------
 map readonly                       Default changed              no
 store dos attributes               Default changed             yes
 ea support                         Default changed             yes
 full_audit:success                 Default changed            none
 full_audit:failure                 Default changed            none

VFS interface changes

The VFS ABI interface version has changed to 39. Function changes are:

SMB_VFS_FSYNC: Removed: Only async versions are used.
SMB_VFS_READ: Removed: Only PREAD or async versions are used.
SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.

Any external VFS modules will need to be updated to match these changes in order to work with 4.9.x.


  • Björn Baumbach <bb at sernet.de>
  • BUG #13605: samba_dnsupdate: Honor 'dns zone scavenging' option, only update if needed.
  • Andreas Schneider <asn at samba.org>


  • Jeremy Allison <jra@samba.org>
  • BUG #13565: s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames.
  • Paulo Alcantara <paulo@paulo.ac>
  • BUG #13578: s3: util: Do not take over stderr when there is no log file.
  • Ralph Boehme <slow@samba.org>
  • BUG #13549: Durable Reconnect fails because cookie.allow_reconnect is not set.
  • Alexander Bokovoy <ab@samba.org>
  • BUG #13539: krb5-samba: Interdomain trust uses different salt principal.
  • Volker Lendecke <vl@samba.org>
  • BUG #13441: vfs_fruit: Don't unlink the main file.
  • BUG #13602: smbd: Fix a memleak in async search ask sharemode.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #11517: Fix Samba GPO issue when Trust is enabled.
  • BUG #13539: samba-tool: Add "virtualKerberosSalt" attribute to 'user getpassword/syncpasswords'.
  • Martin Schwenke <martin@meltin.net>
  • BUG #13589: Fix CTDB configuration issues.
  • BUG #13592: ctdbd logs an error until it can successfully connect to eventd.


  • Jeremy Allison <jra@samba.org>
  • BUG #13585: s3: smbd: Ensure get_real_filename() copes with empty pathnames.
  • Tim Beale <timbeale@catalyst.net.nz>
  • BUG #13566: samba domain backup online/rename commands force user to specify password on CLI.
  • Alexander Bokovoy <ab@samba.org>
  • BUG #13579: wafsamba/samba_abi: Always hide ABI symbols which must be local.
  • Volker Lendecke <vl@samba.org>
  • BUG #13584: Fix a panic if fruit_access_check detects a locking conflict.
  • Andreas Schneider <asn@samba.org>
  • Martin Schwenke <martin@meltin.net>
  • BUG #13588: Aliasing issue causes incorrect IPv6 checksum.
  • BUG #13589: Fix CTDB configuration issues.
  • Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
  • BUG #13568: s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv().


  • Jeremy Allison <jra@samba.org>
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #13374: CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140
  • BUG #13552: CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user.
  • Tim Beale <timbeale@catalyst.net.nz>
  • Samuel Cabrero <scabrero@suse.de>
  • BUG #13540: ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler.
  • Günther Deschner <gd@samba.org>
  • David Disseldorp <ddiss@samba.org>
  • BUG #13540: ctdb_mutex_ceph_rados_helper: Fix deadlock via lock renewals.
  • Andrej Gessel <Andrej.Gessel@janztec.com>
  • Amitay Isaacs <amitay@gmail.com>
  • Volker Lendecke <vl@samba.org>
  • BUG #13553: Fix CIDs 1438243, (Unchecked return value) 1438244 (Unsigned compared against 0), 1438245 (Dereference before null check) and 1438246 (Unchecked return value).
  • BUG #13554: ctdb: Fix a cut&paste error.
  • Oleksandr Natalenko <oleksandr@redhat.com>
  • BUG #13559: systemd: Only start smb when network interfaces are up.
  • Noel Power <noel.power@suse.com>
  • BUG #13553: Fix quotas don't work with SMB2.
  • BUG #13563: s3/smbd: Ensure quota code is only called when quota support detected.
  • Anoop C S <anoopcs@redhat.com>
  • BUG #13204: s3/libsmb: Explicitly set delete_on_close token for rmdir.
  • Andreas Schneider <asn@samba.org>
  • BUG #13561: s3:waf: Install eventlogadm to /usr/sbin.
  • Justin Stephenson <jstephen@redhat.com>
  • BUG #13562: Shorten description in vfs_linux_xfs_sgid manual.


  • Jeremy Allison <jra@samba.org>
  • BUG #13537: s3: smbd: Using "sendfile = yes" with SMB2 can cause CPU spin.
  • Ralph Boehme <slow@samba.org>
  • BUG #13535: s3: smbd: Fix path check in smbd_smb2_create_durable_lease_check().
  • Alexander Bokovoy <ab@samba.org>
  • BUG #13538: samba-tool trust: Support discovery via netr_GetDcName.
  • BUG #13542: s4-dsdb: Only build dsdb Python modules for AD DC.
  • Amitay Isaacs <amitay@gmail.com>
  • Gary Lockyer <gary@catalyst.net.nz>
  • BUG #13536: DNS wildcard search does not handle multiple labels correctly.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #13308: samba-tool domain trust: Fix trust compatibility to Windows Server 1709 and FreeIPA.
  • Martin Schwenke <martin@meltin.net>
  • BUG #13520: Fix portability issues on freebsd.
  • BUG #13545: ctdb-protocol: Fix CTDB compilation issues.
  • BUG #13546: ctdb-docs: Replace obsolete reference to CTDB_DEBUG_HUNG_SCRIPT option.
  • BUG #13550: ctdb-doc: Provide an example script for migrating old configuration.
  • BUG #13551: ctdb-event: Implement event tool "script list" command.