Samba Features added/changed
Revision as of 20:19, 9 July 2019
Samba 4.11
- Release Notes for Samba 4.11.0
- September 17, 2019
Release Announcements
This is the first stable release of the Samba 4.11 release series. Please read the release notes carefully before upgrading.
UPGRADING
AD Database compatibility
Samba 4.11 has changed how the AD database is stored on disk. AD users should not really be affected by this change when upgrading to 4.11. However, AD users should be extremely careful if they need to downgrade from Samba 4.11 to an older release.
Samba 4.11 maintains database compatibility with older Samba releases. The database will automatically get rewritten in the new 4.11 format when you first start the upgraded samba executable.
However, when downgrading from 4.11 you will need to manually downgrade the AD database yourself. Note that you will need to do this step before you install the downgraded Samba packages. For more details, see:
When either upgrading or downgrading, users should also avoid making any database modifications between installing the new Samba packages and starting the samba executable.
SMB1 is disabled by default
The defaults of 'client min protocol' and 'server min protocol' have been changed to SMB2_02.
This means clients without support for SMB2 or SMB3 are no longer able to connect to smbd (by default).
It also means client tools like smbclient and others, as well as applications making use of libsmbclient, are no longer able to connect to servers without SMB2 or SMB3 support (by default).
It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2 and LANMAN1 for client and server, as well as CORE and COREPLUS on the client.
- Note that most command-line tools, e.g. smbclient, smbcacls and others, also support the '--option' argument to override smb.conf options, e.g. --option='client min protocol=NT1' might be useful.
As Microsoft no longer installs SMB1 support in recent releases, or uninstalls it after 30 days without usage, the Samba Team is trying to remove SMB1 usage as much as possible.
SMB1 is officially deprecated and might be removed step by step in the following years. If you have a strong requirement for SMB1 (except for supporting old Linux Kernels), please file a bug at https://bugzilla.samba.org and let us know about the details.
LanMan and plaintext authentication deprecated
The "lanman auth" and "encrypt passwords" parameters are deprecated with this release as both are only applicable to SMB1 and are quite insecure. NTLM, NTLMv2 and Kerberos authentication are unaffected, as "encrypt passwords = yes" has been the default since Samba 3.0.0.
If you have a strong requirement for these authentication protocols, please file a bug at https://bugzilla.samba.org and let us know about the details.
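The following Python script is an added example, not code from the release notes or from the Samba project. It audits the [global] section of an smb.conf for the settings this section and the preceding SMB1 section deprecate: a 'min protocol' that admits an SMB1 dialect, 'lanman auth = yes', and 'encrypt passwords = no'. The dialect names NT1, LANMAN2, LANMAN1, CORE, COREPLUS and SMB2_02 and the 4.11 defaults come from the text above; the remaining SMB2/SMB3 dialect names are assumed from smb.conf(5), and both sample configurations are constructed for illustration. The script also accepts 'name=value' overrides in the form the tools' '--option' argument takes, so the effect of e.g. --option='client min protocol=NT1' on an otherwise hardened file can be seen.

```python
"""Audit an smb.conf for SMB1 and LanMan/plaintext settings (added example)."""

# SMB1 dialect names given in the release notes above.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# SMB2/SMB3 dialect names: SMB2_02 is from the notes; the others are assumed
# from smb.conf(5) and are not part of the original page.
SMB2_DIALECTS = {"SMB2_02", "SMB2_10", "SMB2_24", "SMB3_00", "SMB3_02",
                 "SMB3_10", "SMB3_11", "SMB2", "SMB3"}

# Samba 4.11 defaults as stated in the release notes.
DEFAULTS = {
    "server min protocol": "SMB2_02",
    "client min protocol": "SMB2_02",
    "lanman auth": "no",
    "encrypt passwords": "yes",
}

# Constructed sample configurations (not taken from any real deployment).
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   ; re-enables SMB1 on both sides plus LanMan and plaintext authentication
   server min protocol = NT1
   client min protocol = LANMAN1
   lanman auth = yes
   encrypt passwords = no
"""

HARDENED_CONF = """
[global]
   workgroup = EXAMPLE
   server min protocol = SMB2_02
   client min protocol = SMB3_00
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader returning {section: {parameter: value}}.
    Parameter names are lower-cased with whitespace collapsed, since Samba
    treats them case-insensitively. Comment lines (# or ;) are skipped; the
    'include' parameter and continuation lines are not handled."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        sections[current][" ".join(name.lower().split())] = value.strip()
    return sections


def is_true(value):
    """Samba-style boolean: yes/true/1 are true, anything else is false."""
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text, overrides=()):
    """Return a list of findings. 'overrides' takes 'name=value' strings in
    the form accepted by the command-line tools' --option argument; an
    unset parameter is evaluated at its 4.11 default."""
    params = dict(parse_smb_conf(text).get("global", {}))
    for item in overrides:
        name, _, value = item.partition("=")
        params[" ".join(name.lower().split())] = value.strip()

    def effective(name):
        return params.get(name, DEFAULTS[name])

    findings = []
    for name in ("server min protocol", "client min protocol"):
        dialect = effective(name).upper()
        if dialect in SMB1_DIALECTS:
            findings.append(f"{name} = {dialect}: SMB1 dialect permitted")
        elif dialect not in SMB2_DIALECTS:
            findings.append(f"{name} = {dialect}: unrecognised dialect name")
    if is_true(effective("lanman auth")):
        findings.append("lanman auth = yes: LanMan authentication is deprecated and SMB1-only")
    if not is_true(effective("encrypt passwords")):
        findings.append("encrypt passwords = no: plaintext authentication is deprecated")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_smb_conf(conf) or ["no findings"])
    print("hardened + override", audit_smb_conf(HARDENED_CONF, ["client min protocol=NT1"]))
```

The check evaluates unset parameters at their new defaults, so a file that never mentions 'server min protocol' is reported clean under 4.11 even though the same file on an older release would still have accepted SMB1.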
BIND9_FLATFILE deprecated
The BIND9_FLATFILE DNS backend is deprecated in this release and will be removed in the future. This was only practically useful on a single domain controller or under expert care and supervision.
This release therefore deprecates the "rndc command" smb.conf parameter, which is used to support this configuration. After writing out a list of DCs permitted to make changes to the DNS zone, "rndc command" is called with reload to tell the 'named' server that a DC was added to or removed from the domain.
NEW FEATURES/CHANGES
Default samba process model
The default for the '--model' argument passed to the samba executable has changed from 'standard' to 'prefork'. This means a difference in the number of samba child processes that are created to handle client connections. The previous default would create a separate process for every LDAP or NETLOGON client connection. For a network with a lot of persistent client connections, this could result in significant memory overhead. Now, with the new default of 'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of worker processes at startup and share the client connections amongst these workers. The number of worker processes can be configured by the 'prefork children' setting in the smb.conf (the default is 4).
Authentication Logging
Winbind now logs PAM_AUTH and NTLM_AUTH events. A new attribute "logonId" has been added to the Authentication JSON log messages. This contains a random logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed to SamLogon, linking the winbind and SamLogon requests.
The serviceDescription of the messages is set to "winbind", and the authDescription is set to one of:
- "PASSDB, <command>, <pid>"
- "PAM_AUTH, <command>, <pid>"
- "NTLM_AUTH, <command>, <pid>"
where:
- <command> is the name of the command making the winbind request, i.e. wbinfo
- <pid> is the process id of the requesting process.
The version of the JSON Authentication messages has been changed to 1.1 from 1.2
LDAP referrals
The scheme of returned LDAP referrals now reflects the scheme of the original request, i.e. referrals received via ldap are prefixed with "ldap://" and those over ldaps are prefixed with "ldaps://".
Previously all referrals were prefixed with "ldap://".
Bind9 logging
It is now possible to log the duration of DNS operations performed by Bind9. This should aid future diagnosis of performance issues and could be used to monitor DNS performance. The logging is enabled by setting log level to "dns:10" in smb.conf.
The logs are currently human-readable text only, i.e. there is no JSON formatted output.
Log lines are of the form:
<function>: DNS timing: result: [<result>] duration: (<duration>) zone: [<zone>] name: [<name>] data: []
Durations are in microseconds.
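As an added example (not code from the release notes or from Samba), the Python below parses lines of the form just described, summarises them per zone and lists operations slower than a threshold, which is the kind of check one would run over a DC's log after setting "dns:10". The sample log lines are constructed; the function name and the result strings in them are illustrative, and treating "WERR_OK" as the success value is an assumption of this example.

```python
"""Parse Samba Bind9 'DNS timing' log lines and summarise them (added example)."""
import re
from collections import defaultdict

# Pattern for the line format given in the release notes. re.search is used
# so that a debug-log prefix in front of <function> does not prevent a match.
DNS_TIMING_RE = re.compile(
    r"(?P<function>\S+): DNS timing: result: \[(?P<result>[^\]]*)\] "
    r"duration: \((?P<duration>\d+)\) zone: \[(?P<zone>[^\]]*)\] "
    r"name: \[(?P<name>[^\]]*)\] data: \[(?P<data>[^\]]*)\]"
)

# Success value assumed for this example.
SUCCESS_RESULT = "WERR_OK"

# Constructed sample lines; function and result names are illustrative only.
# The last line is an ordinary debug line that must be ignored.
SAMPLE_LOG = """\
example_dns_fn: DNS timing: result: [WERR_OK] duration: (1200) zone: [example.com] name: [host1.example.com] data: []
example_dns_fn: DNS timing: result: [WERR_OK] duration: (45000) zone: [example.com] name: [host2.example.com] data: []
example_dns_fn: DNS timing: result: [WERR_EXAMPLE_FAILURE] duration: (800) zone: [example.com] name: [host3.example.com] data: []
example_dns_fn: DNS timing: result: [WERR_OK] duration: (300) zone: [1.168.192.in-addr.arpa] name: [10.1.168.192.in-addr.arpa] data: []
dns_server: unrelated debug line that does not match the timing format
"""


def parse_dns_timing(line):
    """Return a dict for a DNS timing line, or None for any other line."""
    m = DNS_TIMING_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["duration"] = int(rec["duration"])  # microseconds, per the notes
    return rec


def summarise_by_zone(lines):
    """Per-zone count, total and maximum duration (microseconds) and the
    number of operations whose result was not the success value."""
    stats = defaultdict(lambda: {"count": 0, "total_us": 0, "max_us": 0, "failures": 0})
    for line in lines:
        rec = parse_dns_timing(line)
        if rec is None:
            continue
        s = stats[rec["zone"]]
        s["count"] += 1
        s["total_us"] += rec["duration"]
        s["max_us"] = max(s["max_us"], rec["duration"])
        if rec["result"] != SUCCESS_RESULT:
            s["failures"] += 1
    return dict(stats)


def slow_operations(lines, threshold_us):
    """Record names of operations that took longer than threshold_us."""
    return [rec["name"] for rec in map(parse_dns_timing, lines)
            if rec is not None and rec["duration"] > threshold_us]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for zone, s in summarise_by_zone(lines).items():
        mean = s["total_us"] / s["count"]
        print(f"{zone}: {s['count']} ops, mean {mean:.0f} us, max {s['max_us']} us, {s['failures']} failed")
    print("slow (>10 ms):", slow_operations(lines, 10000))
```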
Default schema updated to 2012_R2
Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level is not yet available. Older schemas can be used by provisioning with the '--base-schema' argument. Existing installations can be updated with the samba-tool command "domain schemaupgrade".
Samba's replication code has also been improved to handle replication with the 2012 schema (the core of this replication fix has also been backported to 4.9.11 and will be in a 4.10.x release).
For more about how the AD schema relates to overall Windows compatibility, please read:
GnuTLS 3.2 required
Samba is making efforts to remove in-tree cryptographic functionality, and to instead rely on externally maintained libraries. To this end, Samba has chosen GnuTLS as our standard cryptographic provider.
Samba now requires GnuTLS 3.2 to be installed (including development headers at build time) for all configurations, not just the Samba AD DC.
- NOTE WELL: The use of GnuTLS means that Samba will honour the system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic standard) and so will not operate in many still common situations if this system-wide parameter is in effect, as many of our protocols rely on outdated cryptography.
A future Samba version will mitigate this to some extent where good cryptography effectively wraps bad cryptography, but for now the above applies.
samba-tool improvements
A new "samba-tool contact" command has been added to allow the command-line manipulation of contacts, as used for address book lookups in LDAP.
The "samba-tool [user|group|computer|contact] edit" command has been improved to operate more pleasantly on international character sets.
100,000 USER and LARGER Samba AD DOMAINS
Extensive efforts have been made to optimise Samba for use in organisations (for example) targeting 100,000 users, plus 120,000 computer objects, as well as a large number of group memberships.
Many of the specific efforts are detailed below, but the net result is to remove barriers to significantly larger Samba deployments compared to previous releases.
Reindex performance improvements
The performance of samba-tool dbcheck --reindex has been improved, especially for large domains.
Join performance improvements
The performance of samba-tool domain join has been improved, especially for large domains.
LDAP Server memory improvements
The LDAP server has improved memory efficiency, ensuring that large LDAP responses (for example a search for all objects) is not copied multiple times into memory.
Setting lmdb map size
It is now possible to set the lmdb map size (the maximum permitted size for the database). "samba-tool" now accepts the "--backend-store-size" option, e.g. --backend-store-size=4Gb. If not specified it defaults to 8Gb.
This option is available for the following sub commands:
- domain provision
- domain join
- domain dcpromo
- drs clone-dc-database
LDB "batch_mode"
To improve performance during batch operations i.e. joins, ldb now accepts a "batch_mode" option. However to prevent any index or database inconsistencies if an operation fails, the entire transaction will be aborted at commit.
New LDB pack format
On first use (startup of 'samba' or the first transaction write) Samba's sam.ldb will be updated to a new more efficient pack format. This will take a few moments.
New LDB <= and >= index mode to improve replication performance
As well as a new pack format, Samba's sam.ldb uses a new index format allowing Samba to efficiently select objects changed since the last replication cycle. This in turn improves performance during replication of large domains.
Improvements to ldb search performance
Search performance on large LDB databases has been improved by reducing memory allocations made on each object.
Improvements to subtree rename performance
Improvements have been made to Samba's handling of subtree renames, for example of containers and organisational units; however, large renames are still not recommended.
CTDB changes
- nfs-linux-kernel-callout now defaults to using systemd service names
- The Red Hat service names continue to be the default.
- Other distributions should patch this file when packaging it.
- The onnode -o option has been removed
- ctdbd logs when it is using more than 90% of a CPU thread
- ctdbd is single threaded, so can become saturated if it uses the full capacity of a CPU thread. To help detect this situation, ctdbd now logs messages when CPU utilisation exceeds 90%. Each change in CPU utilisation over 90% is logged. A message is also logged when CPU utilisation drops below the 90% threshold.
- Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed
- 05.system.script now monitors total memory (i.e. physical memory + swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE script configuration variable.
CephFS Snapshot Integration
CephFS snapshots can now be exposed as previous file versions using the new ceph_snapshots VFS module. See the vfs_ceph_snapshots(8) man page for details.
REMOVED FEATURES
Web server
As a leftover from work related to the Samba Web Administration Tool (SWAT), Samba still supported a Python WSGI web server (which could still be turned on from the 'server services' smb.conf parameter). This service was unused and has now been removed from Samba.
samba-tool join subdomain
The subdomain role has been removed from the join command. This option did not work and has no tests.
Python2 support
Samba 4.11 will not have any runtime support for Python 2.
If you are building Samba using the '--disable-python' option (i.e. you're excluding all the run-time Python support), then this will continue to work on a system that supports either python2 or python3.
To build Samba with python2 you *must* set the 'PYTHON' environment variable for both the 'configure' and 'make' steps, i.e.
'PYTHON=python2 ./configure' 'PYTHON=python2 make'
This will override the python3 default.
Except for this specific build-time use of python2, Samba now requires Python 3.4 as a minimum.
Samba 4.10
- Release Notes for Samba 4.10.0
- March 19, 2019
Release Announcements
This is the first stable release of the Samba 4.10 release series. Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
GPO Improvements
A new 'samba-tool gpo backup' command has been added that can export a set of Group Policy Objects from a domain in a generalised XML format.
A corresponding 'samba-tool gpo restore' command has been added to rebuild the Group Policy Objects from the XML after generalization. (The administrator needs to correct the values of XML entities between the backup and restore to account for the change in domain).
KDC prefork
The KDC now supports the pre-fork process model and worker processes will be forked for the KDC when the pre-fork process model is selected for samba.
Prefork 'prefork children'
The default value for this smb.conf parameter has been increased from 1 to 4.
Netlogon prefork
DCERPC now supports pre-forked NETLOGON processes. The netlogon processes are pre-forked when the prefork process model is selected for samba.
Offline domain backups
The 'samba-tool domain backup' command has been extended with a new 'offline' option. This safely creates a backup of the local DC's database directly from disk. The main benefits of an offline backup are it's quicker, it stores more database details (for forensic purposes), and the samba process does not have to be running when the backup is made. Refer to the samba-tool help for more details on using this command.
Group membership statistics
A new 'samba-tool group stats' command has been added. This provides summary information about how the users are spread across groups in your domain. The 'samba-tool group list --verbose' command has also been updated to include the number of users in each group.
Paged results LDAP control
The behaviour of the paged results control (1.2.840.113556.1.4.319, RFC2696) has been changed to more closely match Windows servers, to improve memory usage. Paged results may be used internally (or requested explicitly by the user) by LDAP libraries or tools that deal with large result sizes, for example, when listing all the objects in the database.
Previously, results were returned as a snapshot of the database but now, some changes made to the set of results while paging may be reflected in the responses. If strict inter-record consistency is required in answers (which is not possible on Windows with large result sets), consider avoiding the paged results control or alternatively, it might be possible to enforce restrictions using the LDAP filter expression.
For further details see Paged_Results
Prefork process restart
The pre-fork process model now restarts failed processes. The delay between restart attempts is controlled by the "prefork backoff increment" (default = 10) and "prefork maximum backoff" (default = 120) smb.conf parameters. A linear back off strategy is used, with "prefork backoff increment" added to the delay between restart attempts until it reaches "prefork maximum backoff".
Using the default sequence the restart delays (in seconds) are:
- 0, 10, 20, ..., 120, 120, ...
Standard process model
When using the standard process model samba forks a new process to handle ldap and netlogon connections. Samba now honours the 'max smbd processes' smb.conf parameter. The default value of 0, indicates there is no limit. The limit is applied individually to netlogon and ldap. When the process limit is exceeded Samba drops new connections immediately.
python3 support
This is the first release of Samba which has full support for Python 3. Samba 4.10 still has support for Python 2, however, Python 3 will be used by default, i.e. 'configure' & 'make' will execute using python3.
To build Samba with python2 you *must* set the 'PYTHON' environment variable for both the 'configure' and 'make' steps, i.e.
'PYTHON=python2 ./configure' 'PYTHON=python2 make'
This will override the python3 default.
Alternatively, it is possible to produce Samba Python bindings for both Python 2 and Python 3. To do so, specify '--extra-python=/usr/bin/python2' as part of the 'configure' command. Note that python3 will still be used as the default in this case.
- Note: Samba 4.10 supports Python 3.4 onwards.
Future Python support
Samba 4.10 will be the last release that comes with full support for Python 2. Unfortunately, the Samba Team doesn't have the resources to support both Python 2 and Python 3 long-term.
Samba 4.11 will not have any runtime support for Python 2. This means if you use Python 2 bindings it is time to migrate to Python 3 now.
If you are building Samba using the '--disable-python' option (i.e. you're excluding all the run-time Python support), then this will continue to work on a system that supports either python2 or python3.
- Note: Samba 4.11 will most likely only support Python 3.6 onwards.
JSON logging
Authentication messages now contain the Windows Event Id "eventId" and logon type "logonType". The supported event codes and logon types are:
- Event codes:
- 4624 Successful logon
- 4625 Unsuccessful logon
- Logon Types:
- 2 Interactive
- 3 Network
- 8 NetworkCleartext
The version number for Authentication messages is now 1.1, changed from 1.0
Password change messages now contain the Windows Event Id "eventId", the supported event Id's are:
- 4723 Password changed
- 4724 Password reset
The version number for PasswordChange messages is now 1.1, changed from 1.0
Group membership change messages now contain the Windows Event Id "eventId", the supported event Id's are:
- 4728 A member was added to a security enabled global group
- 4729 A member was removed from a security enabled global group
- 4732 A member was added to a security enabled local group
- 4733 A member was removed from a security enabled local group
- 4746 A member was added to a security disabled local group
- 4747 A member was removed from a security disabled local group
- 4751 A member was added to a security disabled global group
- 4752 A member was removed from a security disabled global group
- 4756 A member was added to a security enabled universal group
- 4757 A member was removed from a security enabled universal group
- 4761 A member was added to a security disabled universal group
- 4762 A member was removed from a security disabled universal group
The version number for GroupChange messages is now 1.1, changed from 1.0. Also, a GroupChange message is generated when a new user is created, to log that the user has been added to their primary group.
The leading "JSON <message type>:" and source file prefix of the JSON formatted log entries has been removed to make the parsing of the JSON log messages easier. JSON log entries now start with 2 spaces followed by an opening brace i.e. " {"
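The Python below is an added example, not code from the release notes or from Samba. It reads log lines in the shape this section and the 4.11 "Authentication Logging" section describe (two leading spaces, then a JSON object), skips non-JSON debug lines, counts events by "eventId", counts failed logons (4625) per account once per "logonId" so the winbind and SamLogon halves of one request are not double counted, and groups messages by "logonId" to show the winbind to SamLogon link. Only "type", "version", "eventId", "logonType", "logonId", "serviceDescription" and "authDescription" are named on the page; the nesting of the per-type object under a key equal to "type", and the "clientAccount" and "status" fields, are assumptions of this example, and all sample entries are constructed.

```python
"""Parse Samba JSON authentication log entries (added example)."""
import json
from collections import Counter, defaultdict

# Event ids and logon types from the release notes; the remaining
# group-change ids in the list above slot in the same way.
EVENT_NAMES = {
    4624: "Successful logon", 4625: "Unsuccessful logon",
    4723: "Password changed", 4724: "Password reset",
    4728: "A member was added to a security enabled global group",
    4729: "A member was removed from a security enabled global group",
    4732: "A member was added to a security enabled local group",
    4733: "A member was removed from a security enabled local group",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 8: "NetworkCleartext"}


def _auth(event_id, logon_type, logon_id, service, auth_desc, account, status):
    """Build one Authentication message in the layout assumed here.
    'clientAccount' and 'status' are assumed field names."""
    return {"type": "Authentication", "Authentication": {
        "version": {"major": 1, "minor": 2}, "eventId": event_id,
        "logonType": logon_type, "logonId": logon_id,
        "serviceDescription": service, "authDescription": auth_desc,
        "clientAccount": account, "status": status}}


# Constructed sample log: JSON entries start with two spaces and '{', as the
# notes state; the final line is an ordinary (non-JSON) debug line.
SAMPLE_LINES = ["  " + json.dumps(m) for m in (
    _auth(4625, 3, "a1b2", "winbind", "PAM_AUTH, login, 4242", "alice", "NT_STATUS_WRONG_PASSWORD"),
    _auth(4625, 3, "a1b2", "SamLogon", "PAM_AUTH, login, 4242", "alice", "NT_STATUS_WRONG_PASSWORD"),
    _auth(4624, 2, "c3d4", "winbind", "PAM_AUTH, sshd, 4300", "bob", "NT_STATUS_OK"),
    _auth(4624, 2, "c3d4", "SamLogon", "PAM_AUTH, sshd, 4300", "bob", "NT_STATUS_OK"),
    _auth(4625, 3, "e5f6", "winbind", "NTLM_AUTH, ntlm_auth, 4400", "alice", "NT_STATUS_WRONG_PASSWORD"),
    {"type": "GroupChange", "GroupChange": {"version": {"major": 1, "minor": 1}, "eventId": 4728}},
)] + ["plain debug text that is not JSON"]


def parse_json_log(lines):
    """Decode the JSON entries; lines that are not JSON objects are skipped."""
    entries = []
    for line in lines:
        stripped = line.lstrip()
        if not stripped.startswith("{"):
            continue
        try:
            entries.append(json.loads(stripped))
        except json.JSONDecodeError:
            continue
    return entries


def body(entry):
    """The per-type sub-object ("Authentication", "GroupChange", ...)."""
    return entry.get(entry.get("type"), {})


def event_counts(entries):
    """How many messages of each Windows event id were logged."""
    return Counter(body(e)["eventId"] for e in entries if "eventId" in body(e))


def failed_logons_by_account(entries):
    """Failed logons (4625) per account, counted once per logonId."""
    seen = set()
    for e in entries:
        b = body(e)
        if e.get("type") == "Authentication" and b.get("eventId") == 4625:
            seen.add((b.get("clientAccount"), b.get("logonId") or id(e)))
    return Counter(account for account, _ in seen)


def correlate_by_logon_id(entries):
    """logonId -> serviceDescriptions that reported it, in log order."""
    chains = defaultdict(list)
    for e in entries:
        b = body(e)
        if e.get("type") == "Authentication" and b.get("logonId"):
            chains[b["logonId"]].append(b.get("serviceDescription"))
    return dict(chains)


def describe(event_id, logon_type=None):
    """Human-readable label built from the tables in the release notes."""
    name = EVENT_NAMES.get(event_id, f"event {event_id}")
    if logon_type in LOGON_TYPES:
        return f"{name} ({LOGON_TYPES[logon_type]})"
    return name


if __name__ == "__main__":
    entries = parse_json_log(SAMPLE_LINES)
    print("events:", {describe(k): v for k, v in event_counts(entries).items()})
    print("failed logons per account:", dict(failed_logons_by_account(entries)))
    print("logonId chains:", correlate_by_logon_id(entries))
```

Deduplicating on "logonId" is the practical reason the attribute was added: without it a PAM_AUTH failure surfaces twice, once from winbind and once from SamLogon, and any per-account failure threshold would fire at half the intended rate.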
SMBv2 samba-tool support
On previous releases, some samba-tool commands would not work against a remote DC that had SMBv1 disabled. SMBv2 support has now been added for samba-tool. The affected commands are 'samba-tool domain backup|rename' and the 'samba-tool gpo' set of commands. See also BUG #13676.
New glusterfs_fuse VFS module
The new vfs_glusterfs_fuse module improves performance when Samba accesses a glusterfs volume mounted via FUSE (Filesystem in Userspace as part of the Linux kernel). It achieves that by leveraging a mechanism to retrieve the appropriate case of filenames by querying a specific extended attribute in the filesystem. No extra configuration is required to use this module, only glusterfs_fuse needs to be set in the "vfs objects" parameter. Further details can be found in the vfs_glusterfs_fuse(8) manpage. This new vfs_glusterfs_fuse module does not replace the existing vfs_glusterfs module, it just provides an additional, alternative mechanism to access a Gluster volume.
REMOVED FEATURES
MIT Kerberos build of the AD DC
While not removed, the MIT Kerberos build of the Samba AD DC is still considered experimental. Because Samba will not issue security patches for this configuration, such builds now require the explicit configure option: --with-experimental-mit-ad-dc
For further details see Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
samba_backup
The samba_backup script has been removed. This has now been replaced by the 'samba-tool domain backup offline' command.
SMB client Python bindings
The SMB client python bindings are now deprecated and will be removed in future Samba releases. This only affects users that may have used the Samba Python bindings to write their own utilities, i.e. users with a custom Python script that includes the line 'from samba import smb'.
smb.conf changes
Parameter Name               Description                                       Default
--------------               -----------                                       -------
prefork backoff increment    Delay added to process restart delay             10 (seconds)
                             between attempts.
prefork maximum backoff      Maximum delay for process between                 120 (seconds)
                             process restart attempts
smbd search ask sharemode    Name changed, old name was
                             "smbd:search ask sharemode"
smbd async dosmode           Name changed, old name was
                             "smbd:async dosmode"
smbd max async dosmode       Name changed, old name was
                             "smbd:max async dosmode"
smbd getinfo ask sharemode   New: similar to "smbd search ask sharemode"       yes
                             but for SMB getinfo
Samba 4.9
- Release Notes for Samba 4.9.0
- September 13, 2018
Release Announcements
This is the first stable release of the Samba 4.9 release series. Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
'net ads setspn'
There is a new 'net ads setspn' sub command for managing Windows SPN(s) on the AD. This command aims to give the basic functionality that is provided on windows by 'setspn.exe' e.g. ability to add, delete and list Windows SPN(s) stored in a Windows AD Computer object.
The format of the command is:
net ads setspn list [machine]
net ads setspn [add | delete] SPN [machine]
'machine' is the name of the computer account on the AD that is to be managed. If 'machine' is not specified the name of the 'client' running the command is used instead.
The format of a Windows SPN is
'serviceclass/host:port/servicename' (servicename and port are optional)
serviceclass/host is generally sufficient to specify a host based service.
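As an added example (not code from the release notes or from Samba), the following Python splits an SPN into the components named above, rejects strings that do not fit 'serviceclass/host[:port][/servicename]', and checks a set of per-account SPN lists (the shape one would get from running 'net ads setspn list' per machine) for the same SPN registered on more than one account, since a duplicate SPN makes Kerberos service tickets unreliable for both holders. Comparing SPNs case-insensitively is an assumption of this example, and the account names and SPNs in the test data are constructed.

```python
"""Parse Windows SPNs and find duplicates across accounts (added example)."""


def parse_spn(spn):
    """Split 'serviceclass/host[:port][/servicename]' into its components.
    Raises ValueError for anything that does not fit that shape."""
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    host, _, port = parts[1].partition(":")
    if not host:
        raise ValueError(f"missing host in SPN: {spn!r}")
    if port and (not port.isdigit() or not 0 < int(port) < 65536):
        raise ValueError(f"bad port in SPN: {spn!r}")
    servicename = parts[2] if len(parts) == 3 else None
    if servicename == "":
        raise ValueError(f"empty servicename in SPN: {spn!r}")
    return {
        "serviceclass": parts[0],
        "host": host,
        "port": int(port) if port else None,
        "servicename": servicename,
    }


def canonical_spn(spn):
    """Lower-cased form used for comparison (case-insensitive matching is
    an assumption of this example)."""
    p = parse_spn(spn)
    out = f"{p['serviceclass'].lower()}/{p['host'].lower()}"
    if p["port"] is not None:
        out += f":{p['port']}"
    if p["servicename"] is not None:
        out += f"/{p['servicename'].lower()}"
    return out


def find_duplicate_spns(spns_by_account):
    """Map each canonical SPN held by more than one account to the accounts
    holding it. Input: {account name: [SPN, ...]}."""
    holders = {}
    for account, spns in spns_by_account.items():
        for spn in spns:
            holders.setdefault(canonical_spn(spn), []).append(account)
    return {spn: accts for spn, accts in holders.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed sample data (not from a real directory).
    sample = {
        "SRV1$": ["nfs/srv1.example.com", "host/srv1.example.com"],
        "SRV2$": ["NFS/SRV1.EXAMPLE.COM", "host/srv2.example.com:8080/web"],
    }
    for spn in sample["SRV2$"]:
        print(spn, "->", parse_spn(spn))
    print("duplicates:", find_duplicate_spns(sample))
```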
'net ads keytab' changes
net ads keytab add no longer attempts to convert the passed serviceclass (e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD computer object. By default just the keytab file is modified.
A new keytab subcommand 'add_update_ads' has been added to preserve the legacy behaviour. However the new 'net ads setspn add' subcommand should really be used instead.
net ads keytab create no longer tries to generate SPN(s) from existing entries in a keytab file. If it is required to add Windows SPN(s) then 'net ads setspn add' should be used instead.
Local authorization plugin for MIT Kerberos
This plugin controls the relationship between Kerberos principals and AD accounts through winbind. The module receives the Kerberos principal and the local account name as inputs and can then check if they match. This can resolve issues with canonicalized names returned by Kerberos within AD. If the user tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase), Kerberos would return ALICE as the username. Kerberos would not be able to map 'alice' to 'ALICE' in this case and auth would fail. With this plugin account names can be correctly mapped. This only applies to GSSAPI authentication, not for getting the initial ticket granting ticket.
VFS audit modules
The vfs_full_audit module has changed its default set of monitored successful and failed operations from "all" to "none". That helps to prevent potential denial of service caused by simple addition of the module to the VFS objects.
Also, modules vfs_audit, vfs_ext_audit and vfs_full_audit now accept any valid syslog(3) facility, in accordance with the manual page.
Database audit support
Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log entries.
Transaction commits and roll backs are now logged to Samba's debug logs under the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for JSON formatted log entries.
Password change audit support
Password changes in the AD DC are now logged to Samba's debug logs under the "dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON formatted log entries.
Group membership change audit support
Group membership changes on the AD DC are now logged to Samba's debug log under the "dsdb_group_audit" debug class and "dsdb_group_json_audit" for JSON formatted log entries.
Log Authentication duration
For NTLM and Kerberos KDC authentication, the authentication duration is now logged. Note that the duration is only included in the JSON formatted log entries.
JSON library Jansson required for the AD DC
By default, the Jansson JSON library is required for Samba to build. It is strictly required for the Samba AD DC, and is optional for builds "--without-ad-dc" by specifying "--without-json-audit" at configure time.
New Experimental LMDB LDB backend
A new Experimental LDB backend using LMDB is now available. This allows databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be increased in a future release). To enable lmdb, provision or join a domain using the "--backend-store=mdb" option.
This requires that a version of lmdb greater than 0.9.16 is installed and that samba has not been built with the "--without-ldb-lmdb" option.
Please note this is an experimental feature and is not recommended for production deployments.
Password Settings Objects
Support has been added for Password Settings Objects (PSOs). This AD feature is also known as Fine-Grained Password Policies (FGPP).
PSOs allow AD administrators to override the domain password policy settings for specific users, or groups of users. For example, PSOs can force certain users to have longer password lengths, or relax the complexity constraints for other users, and so on. PSOs can be applied to groups or to individual users. When multiple PSOs apply to the same user, essentially the PSO with the best precedence takes effect.
PSOs can be configured and applied to users/groups using the 'samba-tool domain passwordsettings pso' set of commands.
Domain backup and restore
A new 'samba-tool' command has been added that allows administrators to create a backup-file of their domain DB. In the event of a catastrophic failure of the domain, this backup-file can be used to restore Samba services.
The new 'samba-tool domain backup online' command takes a snapshot of the domain DB from a given DC. In the event of a catastrophic DB failure, all DCs in the domain should be taken offline, and the backup-file can then be used to recreate a fresh new DC, using the 'samba-tool domain backup restore' command. Once the backed-up domain DB has been restored on the new DC, other DCs can then subsequently be joined to the new DC, in order to repopulate the Samba network.
Domain rename tool
Basic support has been added for renaming a Samba domain. The rename feature is designed for the following cases:
- Running a temporary alternate domain, in the event of a catastrophic failure of the regular domain. Using a completely different domain name and realm means that the original domain and the renamed domain can both run at the same time, without interfering with each other. This is an advantage over creating a regular 'online' backup - it means the renamed/alternate domain can provide core Samba network services, while trouble-shooting the fault on the original domain can be done in parallel.
- Creating a realistic lab domain or pre-production domain for testing.
Note that the rename tool is currently not intended to support a long-term rename of the production domain. Currently renaming the GPOs is not supported and would need to be done manually.
The domain rename is done in two steps:
- first, the 'samba-tool domain backup rename' command will clone the domain DB, renaming it in the process, and producing a backup-file.
- Then, the 'samba-tool domain backup restore' command takes the backup-file and restores the renamed DB to disk on a fresh DC.
New samba-tool options for diagnosing DRS replication issues
The 'samba-tool drs showrepl' command has two new options controlling the output. With --summary, the command says very little when DRS replication is working well. With --json, JSON is produced. These options are intended for human and machine audiences, respectively.
The 'samba-tool visualize uptodateness' visualizes replication lag as a heat-map matrix based on the DRS uptodateness vectors. This will show you if (but not why) changes are failing to replicate to some DCs.
Automatic site coverage and GetDCName improvements
Samba's AD DC now automatically claims otherwise empty sites based on which DC is the nearest in the replication topology.
This, combined with efforts to correctly identify the client side in the GetDCName Netlogon call will improve service to sites without a local DC.
Improved 'samba-tool computer' command
The 'samba-tool computer' command allows manipulation of computer accounts, including creating a new computer and resetting the password. This allows an 'offline join' of a member server or workstation to the Samba AD domain.
New 'samba-tool ou' command
The new 'samba-tool ou' command allows to manage organizational units.
Available subcommands are:
- create - Create an organizational unit.
- delete - Delete an organizational unit.
- list - List all organizational units.
- listobjects - List all objects in an organizational unit.
- move - Move an organizational unit.
- rename - Rename an organizational unit.
In addition to the ou commands, there are new subcommands for the user and group management, which can make use of the organizational units:
- group move - Move a group to an organizational unit/container.
- user move - Move a user to an organizational unit/container.
- user show - Display a user AD object.
Samba performance tool now operates against Microsoft Windows AD
The Samba AD performance testing tool 'traffic_replay' can now operate against a Windows based AD domain. Previously it only operated correctly against Samba.
DNS entries are now cleaned up during DC demote
DNS records are now cleaned up as part of the 'samba-tool domain demote' including both the default and '--remove-other-dead-server' modes.
Additionally, DNS records can be automatically cleaned up for a given name with the 'samba-tool dns cleanup' command, which aids in cleaning up partially removed DCs.
samba-tool ntacl sysvolreset is now much faster
The 'samba-tool ntacl sysvolreset' command, used on the Samba AD DC, is now much faster than in previous versions, after an internal rework.
Samba now tested with CI GitLab
Samba developers now have pre-commit testing available in GitLab, giving reviewers confidence that the submitted patches pass a full CI before being submitted to the Samba Team's own autobuild system.
Dynamic DNS record scavenging support
It is now possible to enable scavenging of DNS Zones to remove DNS records that were dynamically created and have not been touched in some time.
This support should however only be enabled on new zones or new installations. Sadly old Samba versions suffer from BUG #12451 and mark dynamic DNS records as static and static records as dynamic. While a dbcheck rule may be able to find these in the future, currently a reliable test has not been devised.
Finally, there is not currently a command-line tool to enable this feature, currently it should be enabled from the DNS Manager tool from Windows. Also the feature needs to have been enabled by setting the smb.conf parameter "dns zone scavenging = yes".
Improved support for trusted domains (as AD DC)
The support for trusted domains/forests has been further improved.
External domain trusts, as well as transitive forest trusts, are supported in both directions (inbound and outbound) for Kerberos and NTLM authentication.
The following features are new in 4.9 (compared to 4.8):
- It's now possible to add users/groups of a trusted domain into domain groups. The group memberships are expanded on trust boundaries.
- foreignSecurityPrincipal objects (FPO) are now automatically created when members (as SID) of a trusted domain/forest are added to a group.
- The 'samba-tool group *members' commands allow members to be specified as foreign SIDs.
However there are currently still a few limitations:
- Both sides of the trust need to fully trust each other!
- No SID filtering rules are applied at all!
  - This means DCs of domain A can grant domain admin rights in domain B.
- Selective (CROSS_ORGANIZATION) authentication is not supported. It's possible to create such a trust, but the KDC and winbindd ignore them.
- Samba can still only operate in a forest with just one single domain.
CTDB changes
There are many changes to CTDB in this release.
- Configuration has been completely overhauled
- Daemon and tool options are now specified in a new ctdb.conf Samba-style configuration file. See ctdb.conf(5) for details.
- Event script configuration is no longer specified in the top-level configuration file. It can now be specified per event script. For example, configuration options for the 50.samba event script can be placed alongside the event script in a file called 50.samba.options. Script options can also be specified in a new script.options file. See ctdb-script.options(5) for details.
- Options that affect CTDB startup should be configured in the distribution-specific configuration file. See ctdb.sysconfig(5) for details.
- Tunable settings are now loaded from ctdb.tunables. Using CTDB_SET_TunableVariable=<value> in the main configuration file is no longer supported. See ctdb-tunables(7) for details.
- A example script to migrate an old-style configuration to the new style is available in ctdb/doc/examples/config_migrate.sh.
- The following configuration variables and corresponding ctdbd command-line options have been removed and not replaced with counterparts in the new configuration scheme:
    CTDB_PIDFILE                        --pidfile
    CTDB_SOCKET                         --socket
    CTDB_NODES                          --nlist
    CTDB_PUBLIC_ADDRESSES               --public-addresses
    CTDB_EVENT_SCRIPT_DIR               --event-script-dir
    CTDB_NOTIFY_SCRIPT                  --notification-script
    CTDB_PUBLIC_INTERFACE               --public-interface
    CTDB_MAX_PERSISTENT_CHECK_ERRORS    --max-persistent-check-errors
- ify.d/ subdirectory of the configuration directory are now run unconditionally.
- Interfaces for public IP addresses must always be specified in the public_addresses file using the currently supported format.
- Some related items that have been removed are:
- The ctdb command's --socket command-line option
- The ctdb command's CTDB_NODES environment variable
- When writing tests there are still mechanisms available to change the locations of certain directories and files.
- The following ctdbd.conf and ctdbd options have been replaced by new ctdb.conf options:
    CTDB_LOGGING/--logging                       logging  -> location
    CTDB_DEBUGLEVEL/-d                           logging  -> log level
    CTDB_TRANSPORT/--transport                   cluster  -> transport
    CTDB_NODE_ADDRESS/--listen                   cluster  -> node address
    CTDB_RECOVERY_LOCK/--reclock                 cluster  -> recovery lock
    CTDB_DBDIR/--dbdir                           database -> volatile database directory
    CTDB_DBDIR_PERSISTENT/--dbdir-persistent     database -> persistent database directory
    CTDB_DBDIR_STATE/--dbdir-state               database -> state database directory
    CTDB_DEBUG_LOCKS                             database -> lock debug script
    CTDB_DEBUG_HUNG_SCRIPT                       event    -> debug script
    CTDB_NOSETSCHED/--nosetsched                 legacy   -> realtime scheduling
    CTDB_CAPABILITY_RECMASTER/--no-recmaster     legacy   -> recmaster capability
    CTDB_CAPABILITY_LMASTER/--no-lmaster         legacy   -> lmaster capability
    CTDB_START_AS_STOPPED/--start-as-stopped     legacy   -> start as stopped
    CTDB_START_AS_DISABLED/--start-as-disabled   legacy   -> start as disabled
    CTDB_SCRIPT_LOG_LEVEL/--script-log-level     legacy   -> script log level
- Event scripts have moved to the scripts/legacy subdirectory of the configuration directory
- Event scripts must now end with a ".script" suffix.
- The "ctdb event" command has changed in 2 ways:
- A component is now required for all commands
- In this release the only valid component is "legacy".
- There is no longer a default event when running "ctdb event status"
- Listing the status of the "monitor" event is now done via:
- ctdb event status legacy monitor
- See ctdb(1) for details.
- The following service-related event script options have been removed:
    CTDB_MANAGES_SAMBA
    CTDB_MANAGES_WINBIND
    CTDB_MANAGES_CLAMD
    CTDB_MANAGES_HTTPD
    CTDB_MANAGES_ISCSI
    CTDB_MANAGES_NFS
    CTDB_MANAGES_VSFTPD
    CTDB_MANAGED_SERVICES
- Event scripts for services are now disabled by default. To enable an event script and, therefore, manage a service use a command like the following:
ctdb event script enable legacy 50.samba
- Notification scripts have moved to the scripts/notification subdirectory of the configuration directory
- Notification scripts must now end with a ".script" suffix.
- Support for setting CTDB_DBDIR=tmpfs has been removed
- This feature has not been implemented in the new configuration system. If this is desired then a tmpfs filesystem should be manually mounted on the directory pointed to by the "volatile database directory" option. See ctdb.conf(5) for more details.
- The following tunable options are now ctdb.conf options:
    DisabledIPFailover    failover -> disabled
    TDBMutexEnabled       database -> tdb mutexes
- Support for the NoIPHostOnAllDisabled tunable has been removed
- If all nodes are unhealthy or disabled then CTDB will not host public IP addresses. That is, CTDB now behaves as if NoIPHostOnAllDisabled were set to 1.
- The onnode command's CTDB_NODES_FILE environment variable has been removed
- The -f option can still be used to specify an alternate node file.
- The 10.external event script has been removed
- The CTDB_SHUTDOWN_TIMEOUT configuration variable has been removed
- As with other daemons, if ctdbd does not shut down when requested then manual intervention is required. There is no safe way of automatically killing ctdbd after a failed shutdown.
- The CTDB_SUPPRESS_COREFILE and CTDB_MAX_OPEN_FILES configuration variables have been removed
- These should be set up in the systemd unit/system file or, for SYSV init, in the distribution-specific configuration file for the ctdb service.
- CTDB_PARTIALLY_ONLINE_INTERFACES incompatibility no longer enforced
- 11.natgw and 91.lvs will no longer fail if CTDB_PARTIALLY_ONLINE_INTERFACES=yes. The incompatibility is, however, well documented. This option will be removed in future and replaced by sensible behaviour where public IP addresses simply switch interfaces or become unavailable when interfaces are down.
- Configuration file /etc/ctdb/sysconfig/ctdb is no longer supported
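The configuration overhaul above is easiest to see as a mapping from the old shell-variable style to the new sectioned ctdb.conf. The script below is an added example written for this page, not the project's ctdb/doc/examples/config_migrate.sh: it applies the replacement table, the removed-variable list, the tunables that became ctdb.conf options and the CTDB_MANAGES_* to 'ctdb event script enable' change exactly as listed in the notes. Two things are assumptions rather than page content: that the sense of CTDB_NOSETSCHED=yes is inverted when it becomes "realtime scheduling" (inferred from the option names), and that 49.winbind is the winbind event script (only 50.samba is named above). The old-style input is constructed.

```python
"""Translate an old-style CTDB configuration (ctdbd.conf / sysconfig shell
variables) into the Samba 4.9 ctdb.conf layout. Added example for this page,
not the project's config_migrate.sh; the mapping tables are the ones in the
release notes and the sample input is constructed."""
import re

# Old variable -> (ctdb.conf section, option), as listed in the notes.
REPLACED = {
    "CTDB_LOGGING": ("logging", "location"),
    "CTDB_DEBUGLEVEL": ("logging", "log level"),
    "CTDB_TRANSPORT": ("cluster", "transport"),
    "CTDB_NODE_ADDRESS": ("cluster", "node address"),
    "CTDB_RECOVERY_LOCK": ("cluster", "recovery lock"),
    "CTDB_DBDIR": ("database", "volatile database directory"),
    "CTDB_DBDIR_PERSISTENT": ("database", "persistent database directory"),
    "CTDB_DBDIR_STATE": ("database", "state database directory"),
    "CTDB_DEBUG_LOCKS": ("database", "lock debug script"),
    "CTDB_DEBUG_HUNG_SCRIPT": ("event", "debug script"),
    "CTDB_NOSETSCHED": ("legacy", "realtime scheduling"),
    "CTDB_CAPABILITY_RECMASTER": ("legacy", "recmaster capability"),
    "CTDB_CAPABILITY_LMASTER": ("legacy", "lmaster capability"),
    "CTDB_START_AS_STOPPED": ("legacy", "start as stopped"),
    "CTDB_START_AS_DISABLED": ("legacy", "start as disabled"),
    "CTDB_SCRIPT_LOG_LEVEL": ("legacy", "script log level"),
}

# Variables removed with no ctdb.conf counterpart (from the lists above).
REMOVED = {
    "CTDB_PIDFILE", "CTDB_SOCKET", "CTDB_NODES", "CTDB_PUBLIC_ADDRESSES",
    "CTDB_EVENT_SCRIPT_DIR", "CTDB_NOTIFY_SCRIPT", "CTDB_PUBLIC_INTERFACE",
    "CTDB_MAX_PERSISTENT_CHECK_ERRORS", "CTDB_SHUTDOWN_TIMEOUT",
    "CTDB_SUPPRESS_COREFILE", "CTDB_MAX_OPEN_FILES",
}

# Former tunables that became ctdb.conf options (old values are 0/1).
TUNABLE_TO_CONF = {
    "DisabledIPFailover": ("failover", "disabled"),
    "TDBMutexEnabled": ("database", "tdb mutexes"),
}

# CTDB_MANAGES_* switch -> event script to enable. Only 50.samba is named in
# the notes; 49.winbind is an assumption, not taken from the page.
MANAGED_SCRIPTS = {"CTDB_MANAGES_SAMBA": "50.samba",
                   "CTDB_MANAGES_WINBIND": "49.winbind"}

SAMPLE_OLD = """\
# constructed old-style ctdbd.conf
CTDB_RECOVERY_LOCK=/shared/ctdb/.reclock
CTDB_LOGGING=file:/var/log/ctdb.log
CTDB_DEBUGLEVEL=NOTICE
CTDB_NODES=/etc/ctdb/nodes
CTDB_MANAGES_SAMBA=yes
CTDB_NOSETSCHED=yes
CTDB_SET_TDBMutexEnabled=1
CTDB_SET_KeepaliveInterval=5
"""


def _as_bool(value):
    return "true" if value.strip().lower() in ("1", "yes", "true") else "false"


def _render(conf):
    """Emit the sectioned ctdb.conf text."""
    lines = []
    for section in sorted(conf):
        lines.append(f"[{section}]")
        lines.extend(f"\t{opt} = {val}" for opt, val in conf[section].items())
        lines.append("")
    return "\n".join(lines)


def migrate(old_text):
    """Return (ctdb_conf_text, tunables, commands, dropped).

    tunables is what belongs in ctdb.tunables, commands are the
    'ctdb event script enable' calls replacing CTDB_MANAGES_*, and dropped
    lists variables with no new-style equivalent (review those by hand)."""
    conf, tunables, commands, dropped = {}, {}, [], []
    for raw in old_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if not line or line.startswith("#") or not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("\"'")
        if key.startswith("CTDB_SET_"):
            name = key[len("CTDB_SET_"):]
            if name in TUNABLE_TO_CONF:
                sec, opt = TUNABLE_TO_CONF[name]
                conf.setdefault(sec, {})[opt] = _as_bool(value)
            elif name == "NoIPHostOnAllDisabled":
                dropped.append(key)      # CTDB now always behaves as if set to 1
            else:
                tunables[name] = value   # still a tunable; moves to ctdb.tunables
        elif key in MANAGED_SCRIPTS:
            if value.lower() == "yes":
                commands.append(f"ctdb event script enable legacy {MANAGED_SCRIPTS[key]}")
        elif key in REPLACED:
            sec, opt = REPLACED[key]
            if key == "CTDB_NOSETSCHED":
                # "no set sched" = yes meant no realtime scheduling (assumption).
                value = "false" if value.lower() == "yes" else "true"
            conf.setdefault(sec, {})[opt] = value
        elif key in REMOVED:
            dropped.append(key)
        else:
            dropped.append(key + " (unknown)")
    return _render(conf), tunables, commands, dropped


if __name__ == "__main__":
    text, tun, cmds, gone = migrate(SAMPLE_OLD)
    print(text)
    print("ctdb.tunables:", tun, "\ncommands:", cmds, "\ndropped:", gone)
```

Everything that ends up in `dropped` needs a human decision: CTDB_NODES, for instance, has no option at all any more because the nodes file location is fixed under the configuration directory.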
GPO Improvements
The 'samba_gpoupdate' command (used in applying Group Policies to the samba machine itself) has been renamed to 'samba_gpupdate' and had the syntax changed to better match the same tool on Windows.
REMOVED FEATURES
smb.conf changes
As the most popular Samba install platforms (Linux and FreeBSD) both support extended attributes by default, the parameters "map readonly", "store dos attributes" and "ea support" have had their defaults changed to allow better Windows fileserver compatibility in a default install.
    Parameter Name           Description        Default
    --------------           -----------        -------
    map readonly             Default changed    no
    store dos attributes     Default changed    yes
    ea support               Default changed    yes
    full_audit:success       Default changed    none
    full_audit:failure       Default changed    none
VFS interface changes
The VFS ABI interface version has changed to 39. Function changes are:
- SMB_VFS_FSYNC: Removed: Only async versions are used.
- SMB_VFS_READ: Removed: Only PREAD or async versions are used.
- SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
- SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
- SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.
Any external VFS modules will need to be updated to match these changes in order to work with 4.9.x.
Samba 4.8
- Release Notes for Samba 4.8.0
- March 13, 2018
Release Announcements
This is the first stable release of the Samba 4.8 release series. Please read the release notes carefully before upgrading.
UPGRADING
New GUID Index mode in sam.ldb for the AD DC
Users who upgrade a Samba AD DC in-place will experience a short delay in the first startup of Samba while the sam.ldb is re-indexed.
Unlike in previous releases a transparent downgrade is not possible. If you wish to downgrade such a DB to a Samba 4.7 or earlier version, please run the source4/scripting/bin/sambaundoguididx script first.
Domain member setups require winbindd
Setups with "security = domain" or "security = ads" require a running 'winbindd' now. The fallback that smbd directly contacts domain controllers is gone.
smbclient reparse point symlink parameters reversed
See the more detailed description below.
Changed trusted domains listing with wbinfo -m --verbose
See the more detailed description below.
NEW FEATURES/CHANGES
New GUID Index mode in sam.ldb for the AD DC
The new layout used for sam.ldb is GUID, rather than DN oriented. This provides Samba's Active Directory Domain Controller with a faster database, particularly at larger scale.
The underlying DB is still TDB, simply the choice of key has changed.
The new mode is not optional, so no configuration is required. Older Samba versions cannot read the new database (see the upgrade note above).
KDC GPO application
Adds Group Policy support for the Samba kdc. Applies password policies (minimum/maximum password age, minimum password length, and password complexity) and kerberos policies (user/service ticket lifetime and renew lifetime).
Adds the samba_gpoupdate script for applying and unapplying policy. Can be applied automatically by setting
'apply group policies = yes'.
Time Machine Support with vfs_fruit
Samba can be configured as a Time Machine target for Apple Mac devices through the vfs_fruit module. When enabling a share for Time Machine support the relevant Avahi records to support discovery will be published for installations that have been built against the Avahi client library.
Shares can be designated as a Time Machine share with the following setting:
'fruit:time machine = yes'
Support for lower casing the MDNS Name
Allows the server name that is advertised through MDNS to be set to the hostname rather than the Samba NETBIOS name. This allows an administrator to make Samba registered MDNS records match the case of the hostname rather than being in all capitals.
This can be set with the following settings:
'mdns name = mdns'
Encrypted secrets
Attributes deemed to be sensitive are now encrypted on disk. The sensitive values are currently:
    pekList
    msDS-ExecuteScriptPassword
    currentValue
    dBCSPwd
    initialAuthIncoming
    initialAuthOutgoing
    lmPwdHistory
    ntPwdHistory
    priorValue
    supplementalCredentials
    trustAuthIncoming
    trustAuthOutgoing
    unicodePwd
    clearTextPassword
This encryption is enabled by default on a new provision or join, it can be disabled at provision or join time with the new option '--plaintext-secrets'.
However, an in-place upgrade will not encrypt the database.
Once encrypted, it is not possible to do an in-place downgrade (eg to 4.7) of the database. To obtain an unencrypted copy of the database a new DC join should be performed, specifying the '--plaintext-secrets' option.
The key file "encrypted_secrets.key" is created in the same directory as the database and should NEVER be disclosed. It is included by the samba_backup script.
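Because the whole protection of the encrypted attributes rests on that key file, an operational check that it is a regular, non-empty file readable only by its owner is worth scripting. The function below is an added example for this page, not Samba code; it assumes the key sits in Samba's private directory beside the database (the path is passed in explicitly) and that root owns it unless another uid is given. The demo creates a throw-away placeholder file instead of touching a real key.

```python
"""Check the on-disk protection of encrypted_secrets.key. Added example for
this page, not Samba code; the demo file is a constructed placeholder."""
import os
import stat
import tempfile


def secrets_key_issues(path, owner_uid=0):
    """Return a list of problems; an empty list means the file looks sane.

    owner_uid defaults to root, which is assumed (not stated on this page)
    to own Samba's private directory."""
    issues = []
    try:
        st = os.lstat(path)            # lstat: do not follow a symlink silently
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        issues.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append("group/world accessible (mode %04o)" % mode)
    if st.st_uid != owner_uid:
        issues.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    if st.st_size == 0:
        issues.append("empty")
    return issues


def demo():
    """Run the check on a constructed placeholder key before and after
    tightening its mode; returns (issues_before, issues_after)."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "encrypted_secrets.key")
        with open(key, "wb") as f:
            f.write(b"constructed-placeholder-not-a-real-key\n")
        os.chmod(key, 0o644)           # the weak setting
        before = secrets_key_issues(key, owner_uid=os.getuid())
        os.chmod(key, 0o600)           # owner-only
        after = secrets_key_issues(key, owner_uid=os.getuid())
        return before, after


if __name__ == "__main__":
    print(demo())
```

Run the same function against the real path from a cron job or a configuration-management check; the samba_backup archive that includes this file deserves the same ownership and mode review.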
Active Directory replication visualisation
To work out what is happening in a replication graph, it is sometimes helpful to use visualisations. We introduce a samba-tool subcommand to write Graphviz dot output and generate text-based heatmaps of the distance in hops between DCs.
There are two subcommands, two graphical modes, and (roughly) two modes of operation with respect to the location of authority.
- 'samba-tool visualize ntdsconn' looks at NTDS Connections.
- 'samba-tool visualize reps' looks at repsTo and repsFrom objects.
In '--distance' mode (default), the distances between DCs are shown in a matrix in the terminal. With '--color=yes', this is depicted as a heatmap. With '--utf8' it is a little prettier.
In '--dot' mode, Graphviz dot output is generated. When viewed using dot or xdot, this shows the network as a graph with DCs as vertices and connections as edges. Certain types of degenerate edges are shown in different colours or line-styles.
smbclient reparse point symlink parameters reversed
A bug in smbclient caused the 'symlink' command to reverse the meaning of the new name and link target parameters when creating a reparse point symlink against a Windows server. As this is a little used feature the ordering of these parameters has been reversed to match the parameter ordering of the UNIX extensions 'symlink' command. The usage message for this command has also been improved to remove confusion.
Winbind changes
The dependency on the global list of trusted domains within the winbindd processes has been reduced a lot.
The construction of that global list is not reliable and often incomplete in complex trust setups. In most situations the list is not needed any more for winbindd to operate correctly. E.g. for plain file serving via SMB using a simple idmap setup with autorid, tdb or ad. However some more complex setups require the list, e.g. if you specify idmap backends for specific domains. Some pam_winbind setups may also require the global list.
If you have a setup that doesn't require the global list, you should set "winbind scan trusted domains = no".
Improved support for trusted domains (as AD DC)
The support for trusted domains/forests has improved a lot.
External domain trusts, as well as transitive forest trusts, are now supported in both directions (inbound and outbound) for Kerberos and NTLM authentication.
The LSA LookupNames and LookupSids implementations now support resolving names and SIDs from trusted domains/forests. This is important in order to allow Samba based domain members to make use of the trust.
However there are currently still a few limitations:
- It's not possible to add users/groups of a trusted domain into domain groups. So group memberships are not expanded on trust boundaries.
- Both sides of the trust need to fully trust each other!
- No SID filtering rules are applied at all!
  - This means DCs of domain A can grant domain admin rights in domain B.
- Selective (CROSS_ORGANIZATION) authentication is not supported. It's possible to create such a trust, but the KDC and winbindd ignore them.
Changed trusted domains listing with wbinfo -m --verbose
The trust properties printed by wbinfo -m --verbose have been changed to correctly reflect the view of the system where wbinfo is executed.
The trust type field in particular can show additional values that correctly reflect the type of the trust: "Local" for the local SAM and BUILTIN, "Workstation" for a workstation trust to the primary domain, "RWDC" for the SAM on an AD DC, "RODC" for the SAM on a read-only DC, "PDC" for the SAM on an NT4-style DC, "Forest" for an AD forest trust and "External" for quarantined, external or NT4-style trusts.
Indirect trusts are shown as "Routed" including the routing domain.
Example, on an AD DC (SDOM1):
    Domain Name   DNS Domain            Trust Type   Transitive  In   Out
    BUILTIN                             Local
    SDOM1         sdom1.site            RWDC
    WDOM3         wdom3.site            Forest       Yes         No   Yes
    WDOM2         wdom2.site            Forest       Yes         Yes  Yes
    SUBDOM31      subdom31.wdom3.site   Routed (via WDOM3)
    SUBDOM21      subdom21.wdom2.site   Routed (via WDOM2)
Same setup, on a member of WDOM2:
    Domain Name   DNS Domain            Trust Type   Transitive  In   Out
    BUILTIN                             Local
    TITAN                               Local
    WDOM2         wdom2.site            Workstation  Yes         No   Yes
    WDOM1         wdom1.site            Routed (via WDOM2)
    WDOM3         wdom3.site            Routed (via WDOM2)
    SUBDOM21      subdom21.wdom2.site   Routed (via WDOM2)
    SDOM1         sdom1.site            Routed (via WDOM2)
    SUBDOM11      subdom11.wdom1.site   Routed (via WDOM2)
The list of trusts may be incomplete and additional domains may appear as "Routed" if a user of an unknown domain is successfully authenticated.
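Scripts that inventory trusts have to cope with the optional DNS Domain column and the "Routed (via X)" form shown above. The parser below is an added example for this page, not Samba code; it reads the SDOM1 listing reproduced from the notes (constructed as a string here), and its two helpers pull out the directly trusted forests marked Out = Yes, which are the trusts the "no SID filtering" caveat above applies to, and the routing domain of each indirect trust.

```python
"""Parse 'wbinfo -m --verbose' output in the Samba 4.8 format. Added example
for this page, not Samba code; the sample is the SDOM1 listing from the notes."""

DIRECT_TYPES = {"Local", "Workstation", "RWDC", "RODC", "PDC", "Forest", "External"}

SAMPLE_WBINFO = """\
Domain Name   DNS Domain            Trust Type   Transitive  In   Out
BUILTIN                             Local
SDOM1         sdom1.site            RWDC
WDOM3         wdom3.site            Forest       Yes         No   Yes
WDOM2         wdom2.site            Forest       Yes         Yes  Yes
SUBDOM31      subdom31.wdom3.site   Routed (via WDOM3)
SUBDOM21      subdom21.wdom2.site   Routed (via WDOM2)
"""


def parse_wbinfo_m(text):
    """Return one dict per listed domain.

    Column widths vary, so each line is tokenised on whitespace: the DNS
    domain is optional (absent for BUILTIN and the local SAM) and is
    recognised by containing a dot; the three Yes/No flags are optional."""
    trusts = []
    for line in text.splitlines()[1:]:          # first line is the header
        tok = line.split()
        if not tok:
            continue
        entry = {"name": tok.pop(0), "dns": None, "type": None, "via": None,
                 "transitive": None, "in": None, "out": None}
        if tok and "." in tok[0]:
            entry["dns"] = tok.pop(0)
        if not tok:
            raise ValueError(f"no trust type for {entry['name']}")
        if tok[0] == "Routed":
            # "Routed (via WDOM3)": indirect trust reached through WDOM3
            entry["type"] = "Routed"
            entry["via"] = tok[2].strip("()")
        elif tok[0] in DIRECT_TYPES:
            entry["type"] = tok[0]
            flags = tok[1:4] + [None] * (3 - len(tok[1:4]))
            entry["transitive"], entry["in"], entry["out"] = flags
        else:
            raise ValueError(f"unknown trust type {tok[0]!r} for {entry['name']}")
        trusts.append(entry)
    return trusts


def outbound_trusts(trusts):
    """Directly trusted forests/external domains with Out = Yes; per the
    limitations listed above, no SID filtering is applied on these."""
    return sorted(t["name"] for t in trusts
                  if t["type"] in ("Forest", "External") and t["out"] == "Yes")


def routed_via(trusts):
    """Map each indirect (Routed) domain to the domain it is reached through."""
    return {t["name"]: t["via"] for t in trusts if t["type"] == "Routed"}


if __name__ == "__main__":
    parsed = parse_wbinfo_m(SAMPLE_WBINFO)
    print("outbound:", outbound_trusts(parsed))
    print("routed:", routed_via(parsed))
```

As the notes say, the list can grow over time as users from previously unknown domains authenticate, so a scheduled diff of this output against a known-good baseline is a cheap way to notice new "Routed" entries.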
VirusFilter VFS module
This new module integrates with Sophos, F-Secure and ClamAV anti-virus software to provide scanning and filtering of files on a Samba share.
REMOVED FEATURES
'net serverid' commands removed
The two commands 'net serverid list' and 'net serverid wipe' have been removed, because the file serverid.tdb is not used anymore.
'net serverid list' can be replaced by listing all files in the subdirectory "msg.lock" of Samba's "lock directory". The unique id listed by 'net serverid list' is stored in every process' lockfile in "msg.lock".
'net serverid wipe' is not necessary anymore. It was meant primarily for clustered environments, where the serverid.tdb file was not properly cleaned up after single node crashes. Nowadays smbd and winbind take care of cleaning up the msg.lock and msg.sock directories automatically.
NT4-style replication based net commands removed
The following commands and sub-commands have been removed from the "net" utility:
- net rpc samdump
- net rpc vampire ldif
Also, replicating from a real NT4 domain with "net rpc vampire" and "net rpc vampire keytab" has been removed.
The NT4-based commands were accidentally broken in 2013, and nobody noticed the breakage. So instead of fixing them including tests (which would have meant writing a server for the protocols, which we don't have) we decided to remove them.
For the same reason, the "samsync", "samdeltas" and "database_redo" commands have been removed from rpcclient.
"net rpc vampire keytab" from Active Directory domains continues to be supported.
vfs_aio_linux module removed
The current Linux kernel aio does not match what Samba would do. Shipping code that uses it leads people to false assumptions. Samba implements async I/O based on threads by default; there is no special module required to see the benefits of read and write requests being sent to the disk in parallel.
smb.conf changes
    Parameter Name                  Description          Default
    --------------                  -----------          -------
    apply group policies            New                  no
    auth methods                    Removed
    binddns dir                     New
    client schannel                 Default changed/     yes
                                    Deprecated
    gpo update command              New
    ldap ssl ads                    Deprecated
    map untrusted to domain         Removed
    oplock contention limit         Removed
    prefork children                New                  1
    mdns name                       New                  netbios
    fruit:time machine              New                  false
    profile acls                    Removed
    use spnego                      Removed
    server schannel                 Default changed/     yes
                                    Deprecated
    unicode                         Deprecated
    winbind scan trusted domains    New                  yes
    winbind trusted domains only    Removed
Samba 4.7
- Release Notes for Samba 4.7.0
- September 20, 2017
Release Announcements
This is the first stable release of Samba 4.7.
Please read the release notes carefully before upgrading.
UPGRADING
smbclient changes
'smbclient' no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]' banner when connecting to the first server. With SMB2 and Kerberos there's no way to obtain this information reliably, so it is now omitted consistently. In an interactive session the following banner is now presented to the user: 'Try "help" to get a list of possible commands.'.
The default for "client max protocol" has changed to "SMB3_11", which means that 'smbclient' (and related commands) will work against servers without SMB1 support.
It's possible to use the '-m/--max-protocol' option to overwrite the "client max protocol" option temporarily.
Note that the '-e/--encrypt' option also works with most SMB3 servers (e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions are not required for encryption.
The change to SMB3_11 as default also means smbclient no longer negotiates SMB1 unix extensions by default when talking to a Samba server with "unix extensions = yes". As a result, some commands are not available, e.g. 'posix_encrypt', 'posix_open', 'posix_mkdir', 'posix_rmdir', 'posix_unlink', 'posix_whoami', 'getfacl' and 'symlink'. Using "-mNT1" re-enables them, if the server supports SMB1.
- Note: the default ("CORE") for "client min protocol" hasn't changed, so it's still possible to connect to SMB1-only servers by default.
'smbclient' learned a new command 'deltree' that is able to do a recursive deletion of a directory tree.
NEW FEATURES/CHANGES
Whole DB read locks: Improved LDAP and replication consistency
Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba erroneously did not take whole-DB read locks to protect search and DRS replication operations.
While each object returned remained subject to a record-level lock (so would remain consistent to itself), under a race condition with a rename or delete, it and any links (like the member attribute) to it would not be returned.
The symptoms of this issue include:
- Replication failures with this error showing in the client side logs:
    error during DRS repl ADD: No objectClass found in replPropertyMetaData for Failed to commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
- A crash of the server, in particular the rpc_server process, with:
    INTERNAL ERROR: Signal 11
- LDAP read inconsistency: a DN subject to a search at the same time as it is being renamed may not appear under either the old or new name, but will re-appear for a subsequent search.
See BUG #12858 for more details and updated advice on database recovery for affected installations.
Samba AD with MIT Kerberos
After four years of development, Samba finally supports compiling and running Samba AD with MIT Kerberos. You can enable it with:
./configure --with-system-mitkrb5
Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support. The krb5-devel and krb5-server packages are required. The feature set is not on par with the Heimdal build, but the most important things, like forest and external trusts, are working. Samba uses the KDC binary provided by MIT Kerberos.
Missing features, compared to Heimdal, are:
- PKINIT support
- S4U2SELF/S4U2PROXY support
- RODC support (not fully working with Heimdal either)
The Samba AD process will take care of starting the MIT KDC and it will load a KDB (Kerberos Database) driver to access the Samba AD database. When provisioning an AD DC using 'samba-tool' it will take care of creating a correct kdc.conf file for the MIT KDC.
For further details, see:
Dynamic RPC port range
The dynamic port range for RPC services has been changed from the old default value "1024-1300" to "49152-65535". This port range is not only used by a Samba AD DC but also applies to all other server roles including NT4-style domain controllers. The new value has been defined by Microsoft in Windows Server 2008 and newer versions. To make it easier for Administrators to control those port ranges we use the same default and make it configurable with the option: "rpc server dynamic port range".
The "rpc server port" option sets the first available port from the new "rpc server dynamic port range" option. The option "rpc server port" only applies to Samba provisioned as an AD DC.
Authentication and Authorization audit support
Detailed authentication and authorization audit information is now logged to Samba's debug logs under the "auth_audit" debug class, including in particular the client IP address triggering the audit line. Additionally, if Samba is compiled against the jansson JSON library, a JSON representation is logged under the "auth_json_audit" debug class.
Audit support is comprehensive for all authentication and authorisation of user accounts in the Samba Active Directory Domain Controller, as well as the implicit authentication in password changes. In the file server and classic/NT4 domain controller, NTLM authentication, SMB and RPC authorization is covered, however password changes are not at this stage, and this support is not currently backed by a testsuite.
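The JSON form of the audit records is the one to feed to a SIEM, and the most basic detection built on it is a count of failed authentications per client address. The code below is an added example for this page, not Samba code. The record layout it parses (a top-level "type" of "Authentication" plus a nested "Authentication" object carrying "status" and "remoteAddress" in "ipv4:addr:port" form) is an assumption modelled on Samba's JSON audit output rather than something stated on this page, and every log line is constructed, including the non-JSON debug header it has to skip.

```python
"""Count failed authentications per source address from auth_json_audit
lines. Added example for this page, not Samba code; the record layout is an
assumption modelled on Samba's JSON audit output and all lines are constructed."""
import json


def _audit_line(status, remote, account):
    """Build one constructed auth_json_audit record as it would sit in the log."""
    rec = {
        "timestamp": "2017-09-20T10:00:00.000000+0000",     # constructed
        "type": "Authentication",
        "Authentication": {
            "version": {"major": 1, "minor": 0},
            "status": status,
            "localAddress": "ipv4:192.0.2.1:445",
            "remoteAddress": remote,
            "serviceDescription": "SMB2",
            "authDescription": "ntlmssp",
            "clientDomain": "EXAMPLE",
            "clientAccount": account,
            "workstation": "WS1",
            "passwordType": "NTLMv2",
        },
    }
    return "  " + json.dumps(rec)


SAMPLE_LOG = [
    "[2017/09/20 10:00:00.000000,  3] auth_audit: constructed non-JSON debug line",
    _audit_line("NT_STATUS_WRONG_PASSWORD", "ipv4:192.0.2.10:50001", "alice"),
    _audit_line("NT_STATUS_WRONG_PASSWORD", "ipv4:192.0.2.10:50002", "bob"),
    _audit_line("NT_STATUS_OK", "ipv4:192.0.2.11:50003", "carol"),
    _audit_line("NT_STATUS_NO_SUCH_USER", "ipv4:192.0.2.10:50004", "dave"),
    _audit_line("NT_STATUS_WRONG_PASSWORD", "ipv4:192.0.2.12:50005", "alice"),
    '  {"type": "Authorization", "Authorization": {"serviceDescription": "SMB2"}}',
    "  { this is not valid json",
]


def parse_audit_line(line):
    """Return the nested Authentication object, or None for anything else
    (debug headers, Authorization records, malformed JSON)."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        rec = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or rec.get("type") != "Authentication":
        return None
    return rec.get("Authentication")


def host_of(remote):
    """'ipv4:192.0.2.10:50001' -> '192.0.2.10'; IPv6 keeps its inner colons."""
    parts = remote.split(":")
    if parts[0] in ("ipv4", "ipv6") and len(parts) >= 3:
        return ":".join(parts[1:-1])
    return remote


def failures_by_source(lines):
    """Map source host -> number of authentications not ending in NT_STATUS_OK."""
    counts = {}
    for line in lines:
        auth = parse_audit_line(line)
        if auth is None or auth.get("status") == "NT_STATUS_OK":
            continue
        host = host_of(auth.get("remoteAddress", "unknown"))
        counts[host] = counts.get(host, 0) + 1
    return counts


def noisy_sources(lines, threshold=3):
    """Hosts with at least `threshold` failures, sorted, for a closer look."""
    return sorted(h for h, n in failures_by_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    print(failures_by_source(SAMPLE_LOG))
    print(noisy_sources(SAMPLE_LOG))
```

Keying on the client address rather than the account is deliberate: a single source cycling through many accounts is exactly the pattern a per-account lockout policy does not surface on its own.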
For further details, see:
Multi-process LDAP Server
The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process, rather than being forced into a single process. This aids in Samba's ability to scale to larger numbers of AD clients and the AD DC's overall resiliency, but will mean that there is a fork()ed child for every LDAP client, which may be more resource intensive in some situations. If you run Samba in a resource-constrained VM, consider allocating more RAM and swap space.
Improved Read-Only Domain Controller (RODC) Support
Support for RODCs in Samba AD until now has been experimental. With this latest version, many of the critical bugs have been fixed and the RODC can be used in DC environments requiring no writable behaviour. RODCs now correctly support bad password lockouts and password disclosure auditing through the msDS-RevealedUsers attribute.
The fixes made to the RWDC will also allow Windows RODC to function more correctly and to avoid strange data omissions such as failures to replicate groups or updated passwords. Password changes are currently rejected at the RODC, although referrals should be given over LDAP. While any bad passwords can trigger domain-wide lockout, good passwords which have not been replicated yet for a password change can only be used via NTLM on the RODC (and not Kerberos).
The reliability of RODCs locating a writable partner still requires some improvements and so the 'password server' configuration option is generally recommended on the RODC.
Samba 4.7 is the first Samba release to be secure as an RODC or when hosting an RODC. If you have been using earlier Samba versions to host or be an RODC, please upgrade.
In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for details on the security implications for password disclosure to an RODC using earlier versions.
Additional password hashes stored in supplementalCredentials
A new config option 'password hash userPassword schemes' has been added to enable generation of SHA-256 and SHA-512 hashes (without storing the plaintext password with reversible encryption). This builds upon previous work to improve password sync for the AD DC (originally using GPG).
The user command of 'samba-tool' has been updated in order to be able to extract these additional hashes, as well as extracting the (HTTP) WDigest hashes that we had also been storing in supplementalCredentials.
Improvements to DNS during Active Directory domain join
The 'samba-tool' domain join command will now add the A and GUID DNS records (on both the local and remote servers) during a join if possible via RPC. This should allow replication to proceed more smoothly post-join.
The mname element of the SOA record will now also be dynamically generated to point to the local read-write server. 'samba_dnsupdate' should now be more reliable as it will now find the appropriate name server even when resolv.conf points to a forwarder.
Significant AD performance and replication improvements
Previously, replication of group memberships had been an incredibly expensive process for the AD DC. This was mostly due to unnecessary CPU time being spent parsing member linked attributes. The database now stores these linked attributes in sorted form to perform efficient searches for existing members. In domains with a large number of group memberships, a join can now be completed in half the time compared with Samba 4.6.
LDAP search performance has also improved, particularly in the unindexed search case. Parsing and processing of security descriptors should now be more efficient, improving replication but also overall performance.
Query record for open file or directory
The record attached to an open file or directory in Samba can be queried through the 'net tdb locking' command. In clustered Samba this can be useful to determine the file or directory triggering corresponding "hot" record warnings in ctdb.
Removal of lpcfg_register_defaults_hook()
The undocumented and unsupported function lpcfg_register_defaults_hook() that was used by external projects to call into Samba and modify smb.conf default parameter settings has been removed. If your project was using this call please raise the issue on samba-technical@lists.samba.org in order to design a supported way of obtaining the same functionality.
Change of loadable module interface
The _init function of all loadable modules in Samba has changed from:
NTSTATUS _init(void);
to:
NTSTATUS _init(TALLOC_CTX *);
This allows a program loading a module to pass in a long-lived talloc context (which must be guaranteed to be alive for the lifetime of the module). This allows modules to avoid use of the talloc_autofree_context() (which is inherently thread-unsafe) and still be valgrind-clean on exit. Modules that don't need to free long-lived data on exit should use the NULL talloc context.
Parameter changes
The "strict sync" global parameter has been changed from a default of "no" to "yes". This means smbd will by default obey client requests to synchronize unwritten data in operating system buffers safely onto disk. This is a safer default setting for modern SMB1/2/3 clients.
The 'ntlm auth' option default is renamed to 'ntlmv2-only', reflecting the previous behaviour. Two new values have been provided, 'mschapv2-and-ntlmv2-only' (allowing MSCHAPv2 while denying NTLMv1) and 'disabled', totally disabling NTLM authentication and password changes.
SHA256 LDAPS Certificates
The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature.
Replacing this certificate with a certificate signed by a trusted CA is still highly recommended.
CTDB changes
- CTDB no longer allows mixed minor versions in a cluster
- See the AllowMixedVersions tunable option in ctdb-tunables(7) and also Upgrading_a_CTDB_cluster#Policy
- CTDB now ignores hints from Samba about TDB flags when attaching to databases
- CTDB will use the correct flags depending on the type of database. For clustered databases, the smb.conf setting dbwrap_tdb_mutexes:*=true will be ignored. Instead, CTDB continues to use the TDBMutexEnabled tunable.
- New configuration variable CTDB_NFS_CHECKS_DIR
- See ctdbd.conf(5) for more details.
- The CTDB_SERVICE_AUTOSTARTSTOP configuration variable has been removed
- To continue to manage/unmanage services while CTDB is running:
- Start service by hand and then flag it as managed
- Mark service as unmanaged and shut it down by hand
- In some cases CTDB does something fancy - e.g. start Samba under "nice", so care is needed. One technique is to disable the eventscript, mark as managed, run the startup event by hand and then re-enable the eventscript.
- The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed
- The example NFS Ganesha call-out has been improved
- A new "replicated" database type is available
- Replicated databases are intended for CTDB's internal use to replicate state data across the cluster, but may find other uses. The data in replicated databases is valid for the lifetime of CTDB and cleared on first attach.
Using x86_64 Accelerated AES Crypto Instructions
Samba on x86_64 can now be configured to use the Intel accelerated AES instruction set, which has the potential to make SMB3 signing and encryption much faster on client and server. To enable this, configure Samba using the new option --accel-aes=intelaesni.
This is a temporary solution that is being included to allow users to enjoy the benefits of Intel accelerated AES on the x86_64 platform, but the longer-term solution will be to move Samba to a fully supported external crypto library.
The third_party/aesni-intel code will be removed from Samba as soon as external crypto library performance reaches parity.
The default is to build without setting --accel-aes, which uses the existing Samba software AES implementation.
smb.conf changes
Parameter Name Description Default -------------- ----------- ------- allow unsafe cluster upgrade New parameter no auth event notification New parameter no auth methods Deprecated client max protocol Effective SMB3_11 default changed map untrusted to domain New value/ auto Default changed/ Deprecated mit kdc command New parameter profile acls Deprecated rpc server dynamic port range New parameter 49152-65535 strict sync Default changed yes password hash userPassword schemes New parameter ntlm auth New values ntlmv2-only