Samba Features added/changed: Difference between revisions

From SambaWiki
No edit summary
No edit summary
Line 3: Line 3:
=Samba 4.10=
=Samba 4.10=
{{:Samba_4.10_Features_added/changed}}
{{:Samba_4.10_Features_added/changed}}
=Samba 4.9=
{{:Samba_4.9_Features_added/changed}}
{{:Samba_4.9_Features_added/changed}}
=Samba 4.8=
{{:Samba_4.8_Features_added/changed}}
{{:Samba_4.8_Features_added/changed}}
=Samba 4.7=
{{:Samba_4.7_Features_added/changed}}

Revision as of 20:19, 9 July 2019

Samba 4.11

Release Notes for Samba 4.11.0
September 17, 2019

Release Announcements

This is the first stable release of the Samba 4.11 release series. Please read the release notes carefully before upgrading.


UPGRADING

AD Database compatibility

Samba 4.11 has changed how the AD database is stored on disk. AD users should not really be affected by this change when upgrading to 4.11. However, AD users should be extremely careful if they need to downgrade from Samba 4.11 to an older release.

Samba 4.11 maintains database compatibility with older Samba releases. The database will automatically get rewritten in the new 4.11 format when you first start the upgraded samba executable.

However, when downgrading from 4.11 you will need to manually downgrade the AD database yourself. Note that you will need to do this step before you install the downgraded Samba packages. For more details, see:

Downgrading_an_Active_Directory_DC

When either upgrading or downgrading, users should also avoid making any database modifications between installing the new Samba packages and starting the samba executable.

SMB1 is disabled by default

The defaults of 'client min protocol' and 'server min protocol' have been changed to SMB2_02.

This means clients without support for SMB2 or SMB3 are no longer able to connect to smbd (by default).

It also means client tools like smbclient and other, as well as applications making use of libsmbclient are no longer able to connect to servers without SMB2 or SMB3 support (by default).

It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2 and LANMAN1 for client and server, as well as CORE and COREPLUS on the client.

Note: that most commandline tools e.g. smbclient, smbcacls and others also support the '--option' argument to overwrite smb.conf options, e.g. --option='client min protocol=NT1' might be useful.

As Microsoft no longer installs SMB1 support in recent releases or uninstalls it after 30 days without usage, the Samba Team tries to get remove the SMB1 usage as much as possible.

SMB1 is officially deprecated and might be removed step by step in the following years. If you have a strong requirement for SMB1 (except for supporting old Linux Kernels), please file a bug at https://bugzilla.samba.org and let us know about the details.

LanMan and plaintext authentication deprecated

The "lanman auth" and "encrypt passwords" parameters are deprecated with this release as both are only applicable to SMB1 and are quite insecure. NTLM, NTLMv2 and Kerberos authentication are unaffected, as "encrypt passwords = yes" has been the default since Samba 3.0.0.

If you have a strong requirement for these authentication protocols, please file a bug at https://bugzilla.samba.org and let us know about the details.


BIND9_FLATFILE deprecated

The BIND9_FLATFILE DNS backend is deprecated in this release and will be removed in the future. This was only practically useful on a single domain controller or under expert care and supervision.

This release therefore deprecates the "rndc command" smb.conf parameter, which is used to support this configuration. After writing out a list of DCs permitted to make changes to the DNS Zone "rndc command" is called with reload to tell the 'named' server if a DC was added/removed to to the domain.

NEW FEATURES/CHANGES

Default samba process model

The default for the '--model' argument passed to the samba executable has changed from 'standard' to 'prefork'. This means a difference in the number of samba child processes that are created to handle client connections. The previous default would create a separate process for every LDAP or NETLOGON client connection. For a network with a lot of persistent client connections, this could result in significant memory overhead. Now, with the new default of 'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of worker processes at startup and share the client connections amongst these workers. The number of worker processes can be configured by the 'prefork children' setting in the smb.conf (the default is 4).

Authentication Logging.

Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has been added to the Authentication JSON log messages. This contains a random logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed to SamLogon, linking the windbind and SamLogon requests.

The serviceDescription of the messages is set to "winbind", the authDescriptionis set to one of:

  "PASSDB, <command>, <pid>"
  "PAM_AUTH, <command>, <pid>"
  "NTLM_AUTH, <command>, <pid>"

where:

  <command> is the name of the command makinmg the winbind request i.e. wbinfo
  <pid>     is the process id of the requesting process.

The version of the JSON Authentication messages has been changed to 1.1 from 1.2

LDAP referrals

The scheme of returned LDAP referrals now reflects the scheme of the original request, i.e. referrals received via ldap are prefixed with "ldap://" and those over ldaps are prefixed with "ldaps://".

Previously all referrals were prefixed with "ldap://".

Bind9 logging

It is now possible to log the duration of DNS operations performed by Bind9. This should aid future diagnosis of performance issues and could be used to monitor DNS performance. The logging is enabled by setting log level to "dns:10" in smb.conf.

The logs are currently Human readable text only, i.e. no JSON formatted output.

Log lines are of the form:

   <function>: DNS timing: result: [<result>] duration: (<duration>)
   zone: [<zone>] name: [<name>] data: []
   durations are in microseconds.

Default schema updated to 2012_R2

Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level is not yet available. Older schemas can be used by provisioning with the '--base-schema' argument. Existing installations can be updated with the samba-tool command "domain schemaupgrade".

Samba's replication code has also been improved to handle replication with the 2012 schema (the core of this replication fix has also been backported to 4.9.11 and will be in a 4.10.x release).

For more about how the AD schema relates to overall Windows compatibility, please read:

Windows_2012_Server_compatibility

GnuTLS 3.2 required

Samba is making efforts to remove in-tree cryptographic functionality, and to instead rely on externally maintained libraries. To this end, Samba has chosen GnuTLS as our standard cryptographic provider.

Samba now requires GnuTLS 3.2 to be installed (including development headers at build time) for all configurations, not just the Samba AD DC.

NOTE WELL: The use of GnuTLS means that Samba will honour the system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic standard) and so will not operate in many still common situations if this system-wide parameter is in effect, as many of our protocols rely on outdated cryptography.

A future Samba version will mitigate this to some extent where good cryptography effectively wraps bad cryptography, but for now that above applies.

samba-tool improvements

A new "samba-tool contact" command has been added to allow the command-line manipulation of contacts, as used for address book lookups in LDAP.

The "samba-tool [user|group|computer|group|contact] edit" command has been improved to operate more pleasantly on international character sets.

100,000 USER and LARGER Samba AD DOMAINS

Extensive efforts have been made to optimise Samba for use in organisations (for example) targeting 100,000 users, plus 120,000 computer objects, as well as large number of group memberships.

Many of the specific efforts are detailed below, but the net results is to remove barriers to significantly larger Samba deployments compared to previous releases.

Reindex performance improvements

The performance of samba-tool dbcheck --reindex has been improved, especially for large domains.

join performance improvements

The performance of samba-tool domain join has been improved, especially for large domains.

LDAP Server memory improvements

The LDAP server has improved memory efficiency, ensuring that large LDAP responses (for example a search for all objects) is not copied multiple times into memory.

Setting lmdb map size

It is now possible to set the lmdb map size (The maximum permitted size for the database). "samba-tool" now accepts the "--backend-store-size" i.e. --backend-store-size=4Gb. If not specified it defaults to 8Gb.

This option is avaiable for the following sub commands:

  • domain provision
  • domain join
  • domain dcpromo
  • drs clone-dc-database

LDB "batch_mode"

To improve performance during batch operations i.e. joins, ldb now accepts a "batch_mode" option. However to prevent any index or database inconsistencies if an operation fails, the entire transaction will be aborted at commit.

New LDB pack format

On first use (startup of 'samba' or the first transaction write) Samba's sam.ldb will be updated to a new more efficient pack format. This will take a few moments.

New LDB <= and >= index mode to improve replication performance

As well as a new pack format, Samba's sam.ldb uses a new index format allowing Samba to efficiently select objects changed since the last replication cycle. This in turn improves performance during replication of large domains.

LDB_Greater_than_and_Less_than_indexing

Improvements to ldb search performance

Search performance on large LDB databases has been improved by reducing memory allocations made on each object.

Improvements to subtree rename performance

Improvements have been made to Samba's handling of subtree renames, for example of containers and organisational units, however large renames are still not recommended.

CTDB changes

  • nfs-linux-kernel-callout now defaults to using systemd service names
The Red Hat service names continue to be the default.
Other distributions should patch this file when packaging it.
  • The onnode -o option has been removed
  • ctdbd logs when it is using more than 90% of a CPU thread
ctdbd is single threaded, so can become saturated if it uses the full capacity of a CPU thread. To help detect this situation, ctdbd now logs messages when CPU utilisation exceeds 90%. Each change in CPU utilisation over 90% is logged. A message is also logged when CPU utilisation drops below the 90% threshold.
  • Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed
05.system.script now monitors total memory (i.e. physical memory + swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE script configuration variable.

CephFS Snapshot Integration


CephFS snapshots can now be exposed as previous file versions using the new ceph_snapshots VFS module. See the vfs_ceph_snapshots(8) man page for details.

REMOVED FEATURES

Web server

As a leftover from work related to the Samba Web Administration Tool (SWAT), Samba still supported a Python WSGI web server (which could still be turned on from the 'server services' smb.conf parameter). This service was unused and has now been removed from Samba.

samba-tool join subdomain

The subdomain role has been removed from the join command. This option did not work and has no tests.

Python2 support

Samba 4.11 will not have any runtime support for Python 2.

If you are building Samba using the '--disable-python' option (i.e. you're excluding all the run-time Python support), then this will continue to work on a system that supports either python2 or python3.

To build Samba with python2 you *must* set the 'PYTHON' environment variable for both the 'configure' and 'make' steps, i.e.

  'PYTHON=python2 ./configure'
  'PYTHON=python2 make'

This will override the python3 default.

Except for this specific build-time use of python2, Samba now requires Python 3.4 as a minimum.

Samba 4.10

Release Notes for Samba 4.10.0
March 19, 2019

Release Announcements

This is the first stable release of the Samba 4.10 release series. Please read the release notes carefully before upgrading.

NEW FEATURES/CHANGES

GPO Improvements

A new 'samba-tool gpo backup' command has been added that can export a set of Group Policy Objects from a domain in a generalised XML format.

A corresponding 'samba-tool gpo restore' command has been added to rebuild the Group Policy Objects from the XML after generalization. (The administrator needs to correct the values of XML entities between the backup and restore to account for the change in domain).

KDC prefork

The KDC now supports the pre-fork process model and worker processes will be forked for the KDC when the pre-fork process model is selected for samba.

Prefork 'prefork children'

The default value for this smdb.conf parameter has been increased from 1 to 4.

Netlogon prefork

DCERPC now supports pre-forked NETLOGON processes. The netlogon processes are pre-forked when the prefork process model is selected for samba.

Offline domain backups

The 'samba-tool domain backup' command has been extended with a new 'offline' option. This safely creates a backup of the local DC's database directly from disk. The main benefits of an offline backup are it's quicker, it stores more database details (for forensic purposes), and the samba process does not have to be running when the backup is made. Refer to the samba-tool help for more details on using this command.

Group membership statistics

A new 'samba-tool group stats' command has been added. This provides summary information about how the users are spread across groups in your domain. The 'samba-tool group list --verbose' command has also been updated to include the number of users in each group.

Paged results LDAP control

The behaviour of the paged results control (1.2.840.113556.1.4.319, RFC2696) has been changed to more closely match Windows servers, to improve memory usage. Paged results may be used internally (or is requested by the user) by LDAP libraries or tools that deal with large result sizes, for example, when listing all the objects in the database.

Previously, results were returned as a snapshot of the database but now, some changes made to the set of results while paging may be reflected in the responses. If strict inter-record consistency is required in answers (which is not possible on Windows with large result sets), consider avoiding the paged results control or alternatively, it might be possible to enforce restrictions using the LDAP filter expression.

For further details see Paged_Results

Prefork process restart

The pre-fork process model now restarts failed processes. The delay between restart attempts is controlled by the "prefork backoff increment" (default = 10) and "prefork maximum backoff" (default = 120) smbd.conf parameters. A linear back off strategy is used with "prefork backoff increment" added to the delay between restart attempts up until it reaches "prefork maximum backoff".

Using the default sequence the restart delays (in seconds) are:

0, 10, 20, ..., 120, 120, ...

Standard process model

When using the standard process model samba forks a new process to handle ldap and netlogon connections. Samba now honours the 'max smbd processes' smb.conf parameter. The default value of 0, indicates there is no limit. The limit is applied individually to netlogon and ldap. When the process limit is exceeded Samba drops new connections immediately.

python3 support

This is the first release of Samba which has full support for Python 3. Samba 4.10 still has support for Python 2, however, Python 3 will be used by default, i.e. 'configure' & 'make' will execute using python3.

To build Samba with python2 you *must* set the 'PYTHON' environment variable for both the 'configure' and 'make' steps, i.e.

  'PYTHON=python2 ./configure'
  'PYTHON=python2 make'

This will override the python3 default.

Alternatively, it is possible to produce Samba Python bindings for both Python 2 and Python 3. To do so, specify '--extra-python=/usr/bin/python2' as part of the 'configure' command. Note that python3 will still be used as the default in this case.

Note:Samba 4.10 supports Python 3.4 onwards.

Future Python support

Samba 4.10 will be the last release that comes with full support for Python 2. Unfortunately, the Samba Team doesn't have the resources to support both Python 2 and Python 3 long-term.

Samba 4.11 will not have any runtime support for Python 2. This means if you use Python 2 bindings it is time to migrate to Python 3 now.

If you are building Samba using the '--disable-python' option (i.e. you're excluding all the run-time Python support), then this will continue to work on a system that supports either python2 or python3.

Note:Samba 4.11 will most likely only support Python 3.6 onwards.

JSON logging

Authentication messages now contain the Windows Event Id "eventId" and logon type "logonType". The supported event codes and logon types are:

Event codes:
4624 Successful logon
4625 Unsuccessful logon
Logon Types:
2 Interactive
3 Network
8 NetworkCleartext

The version number for Authentication messages is now 1.1, changed from 1.0

Password change messages now contain the Windows Event Id "eventId", the supported event Id's are:

4723 Password changed
4724 Password reset

The version number for PasswordChange messages is now 1.1, changed from 1.0

Group membership change messages now contain the Windows Event Id "eventId", the supported event Id's are:

4728 A member was added to a security enabled global group
4729 A member was removed from a security enabled global group
4732 A member was added to a security enabled local group
4733 A member was removed from a security enabled local group
4746 A member was added to a security disabled local group
4747 A member was removed from a security disabled local group
4751 A member was added to a security disabled global group
4752 A member was removed from a security disabled global group
4756 A member was added to a security enabled universal group
4757 A member was removed from a security enabled universal group
4761 A member was added to a security disabled universal group
4762 A member was removed from a security disabled universal group


The version number for GroupChange messages is now 1.1, changed from 1.0. Also A GroupChange message is generated when a new user is created to log that the user has been added to their primary group.

The leading "JSON <message type>:" and source file prefix of the JSON formatted log entries has been removed to make the parsing of the JSON log messages easier. JSON log entries now start with 2 spaces followed by an opening brace i.e. " {"

SMBv2 samba-tool support

On previous releases, some samba-tool commands would not work against a remote DC that had SMBv1 disabled. SMBv2 support has now been added for samba-tool. The affected commands are 'samba-tool domain backup|rename' and the 'samba-tool gpo' set of commands. Refer also BUG #13676.

New glusterfs_fuse VFS module

The new vfs_glusterfs_fuse module improves performance when Samba accesses a glusterfs volume mounted via FUSE (Filesystem in Userspace as part of the Linux kernel). It achieves that by leveraging a mechanism to retrieve the appropriate case of filenames by querying a specific extended attribute in the filesystem. No extra configuration is required to use this module, only glusterfs_fuse needs to be set in the "vfs objects" parameter. Further details can be found in the vfs_glusterfs_fuse(8) manpage. This new vfs_glusterfs_fuse module does not replace the existing vfs_glusterfs module, it just provides an additional, alternative mechanism to access a Gluster volume.

REMOVED FEATURES

MIT Kerberos build of the AD DC

While not removed, the MIT Kerberos build of the Samba AD DC is still considered experimental. Because Samba will not issue security patches for this configuration, such builds now require the explicit configure option: --with-experimental-mit-ad-dc

For further details see Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

samba_backup

The samba_backup script has been removed. This has now been replaced by the 'samba-tool domain backup offline' command.


SMB client Python bindings

The SMB client python bindings are now deprecated and will be removed in future Samba releases. This will only affects users that may have used the Samba Python bindings to write their own utilities, i.e. users with a custom Python script that includes the line 'from samba import smb'.

smb.conf changes

 Parameter Name                     Description                Default
 --------------                     -----------                -------
 prefork backoff increment   Delay added to process restart    10 (seconds)
                             between attempts.
 prefork maximum backoff     Maximum delay for process between 120 (seconds)
                             process restart attempts
 smbd search ask sharemode   Name changed, old name was
                             "smbd:search ask sharemode"
 smbd async dosmode          Name changed, old name was
                             "smbd:async dosmode"
 smbd max async dosmode      Name changed, old name was
                             "smbd:max async dosmode"
 smbd getinfo ask sharemode  New: similar to "smbd search ask yes
                             sharemode" but for SMB getinfo

Samba 4.9

Release Notes for Samba 4.9.0
September 13, 2018

Release Announcements

This is the first stable release of the Samba 4.9 release series. Please read the release notes carefully before upgrading.

NEW FEATURES/CHANGES

'net ads setspn'

There is a new 'net ads setspn' sub command for managing Windows SPN(s) on the AD. This command aims to give the basic functionality that is provided on windows by 'setspn.exe' e.g. ability to add, delete and list Windows SPN(s) stored in a Windows AD Computer object.

The format of the command is:

net ads setspn list [machine]
net ads setspn [add | delete ] SPN [machine]

'machine' is the name of the computer account on the AD that is to be managed. If 'machine' is not specified the name of the 'client' running the command is used instead.

The format of a Windows SPN is

 'serviceclass/host:port/servicename' (servicename and port are optional)

serviceclass/host is generally sufficient to specify a host based service.

'net ads keytab' changes

net ads keytab add no longer attempts to convert the passed serviceclass (e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD computer object. By default just the keytab file is modified.

A new keytab subcommand 'add_update_ads' has been added to preserve the legacy behaviour. However the new 'net ads setspn add' subcommand should really be used instead.

net ads keytab create no longer tries to generate SPN(s) from existing entries in a keytab file. If it is required to add Windows SPN(s) then 'net ads setspn add' should be used instead.

Local authorization plugin for MIT Kerberos

This plugin controls the relationship between Kerberos principals and AD accounts through winbind. The module receives the Kerberos principal and the local account name as inputs and can then check if they match. This can resolve issues with canonicalized names returned by Kerberos within AD. If the user tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase), Kerberos would return ALICE as the username. Kerberos would not be able to map 'alice' to 'ALICE' in this case and auth would fail. With this plugin account names can be correctly mapped. This only applies to GSSAPI authentication, not for getting the initial ticket granting ticket.

VFS audit modules

The vfs_full_audit module has changed its default set of monitored successful and failed operations from "all" to "none". That helps to prevent potential denial of service caused by simple addition of the module to the VFS objects.

Also, modules vfs_audit, vfs_ext_audit and vfs_full_audit now accept any valid syslog(3) facility, in accordance with the manual page.

Database audit support

Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log entries.

Transaction commits and roll backs are now logged to Samba's debug logs under the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for JSON formatted log entries.

Password change audit support

Password changes in the AD DC are now logged to Samba's debug logs under the "dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON formatted log entries.

Group membership change audit support

Group membership changes on the AD DC are now logged to Samba's debug log under the "dsdb_group_audit" debug class and "dsdb_group_json_audit" for JSON formatted log entries.

Log Authentication duration

For NTLM and Kerberos KDC authentication, the authentication duration is now logged. Note that the duration is only included in the JSON formatted log entries.

JSON library Jansson required for the AD DC

By default, the Jansson JSON library is required for Samba to build. It is strictly required for the Samba AD DC, and is optional for builds "--without-ad-dc" by specifying "--without-json-audit" at configure time.

New Experimental LMDB LDB backend

A new Experimental LDB backend using LMDB is now available. This allows databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be increased in a future release). To enable lmdb, provision or join a domain using the "--backend-store=mdb" option.

This requires that a version of lmdb greater than 0.9.16 is installed and that samba has not been built with the "--without-ldb-lmdb" option.

Please note this is an experimental feature and is not recommended for production deployments.

Password Settings Objects

Support has been added for Password Settings Objects (PSOs). This AD feature is also known as Fine-Grained Password Policies (FGPP).

PSOs allow AD administrators to override the domain password policy settings for specific users, or groups of users. For example, PSOs can force certain users to have longer password lengths, or relax the complexity constraints for other users, and so on. PSOs can be applied to groups or to individual users. When multiple PSOs apply to the same user, essentially the PSO with the best precedence takes effect.

PSOs can be configured and applied to users/groups using the 'samba-tool domain passwordsettings pso' set of commands.

Domain backup and restore

A new 'samba-tool' command has been added that allows administrators to create a backup-file of their domain DB. In the event of a catastrophic failure of the domain, this backup-file can be used to restore Samba services.

The new 'samba-tool domain backup online' command takes a snapshot of the domain DB from a given DC. In the event of a catastrophic DB failure, all DCs in the domain should be taken offline, and the backup-file can then be used to recreate a fresh new DC, using the 'samba-tool domain backup restore' command. Once the backed-up domain DB has been restored on the new DC, other DCs can then subsequently be joined to the new DC, in order to repopulate the Samba network.

Domain rename tool

Basic support has been added for renaming a Samba domain. The rename feature is designed for the following cases:

  1. Running a temporary alternate domain, in the event of a catastrophic failure of the regular domain. Using a completely different domain name and realm means that the original domain and the renamed domain can both run at the same time, without interfering with each other. This is an advantage over creating a regular 'online' backup - it means the renamed/alternate domain can provide core Samba network services, while trouble-shooting the fault on the original domain can be done in parallel.
  2. Creating a realistic lab domain or pre-production domain for testing.

Note that the renamed tool is currently not intended to support a long-term rename of the production domain. Currently renaming the GPOs is not supported and would need to be done manually.

The domain rename is done in two steps:

first, the 'samba-tool domain backup rename' command will clone the domain DB, renaming it in the process, and producing a backup-file.
Then, the 'samba-tool domain backup restore' command takes the backup-file and restores the renamed DB to disk on a fresh DC.

New samba-tool options for diagnosing DRS replication issues

The 'samba-tool drs showrepl' command has two new options controlling the output. With --summary, the command says very little when DRS replication is working well. With --json, JSON is produced. These options are intended for human and machine audiences, respectively.

The 'samba-tool visualize uptodateness' visualizes replication lag as a heat-map matrix based on the DRS uptodateness vectors. This will show you if (but not why) changes are failing to replicate to some DCs.

Automatic site coverage and GetDCName improvements

Samba's AD DC now automatically claims otherwise empty sites based on which DC is the nearest in the replication topology.

This, combined with efforts to correctly identify the client side in the GetDCName Netlogon call will improve service to sites without a local DC.

Improved 'samba-tool computer' command

The 'samba-tool computer' command allow manipulation of computer accounts including creating a new computer and resetting the password. This allows an 'offline join' of a member server or workstation to the Samba AD domain.

New 'samba-tool ou' command

The new 'samba-tool ou' command allows to manage organizational units.

Available subcommands are:

 create       - Create an organizational unit.
 delete       - Delete an organizational unit.
 list         - List all organizational units
 listobjects  - List all objects in an organizational unit.
 move         - Move an organizational unit.
 rename       - Rename an organizational unit.

In addition to the ou commands, there are new subcommands for the user and group management, which can make use of the organizational units:

 group move   - Move a group to an organizational unit/container.
 user move    - Move a user to an organizational unit/container.
 user show    - Display a user AD object.

Samba performance tool now operates against Microsoft Windows AD

The Samba AD performance testing tool 'traffic_reply' can now operate against a Windows based AD domain. Previously it only operated correctly against Samba.

DNS entries are now cleaned up during DC demote

DNS records are now cleaned up as part of the 'samba-tool domain demote' including both the default and '--remove-other-dead-server' modes.

Additionally, DNS records can be automatically cleaned up for a given name with the 'samba-tool dns cleanup' command, which aids in cleaning up partially removed DCs.

samba-tool ntacl sysvolreset is now much faster

The 'samba-tool ntacl sysvolreset' command, used on the Samba AD DC, is now much faster than in previous versions, after an internal rework.

Samba now tested with CI GitLab

Samba developers now have pre-commit testing available in GitLab, giving reviewers confidence that the submitted patches pass a full CI before being submitted to the Samba Team's own autobuild system.

Dynamic DNS record scavenging support

It is now possible to enable scavenging of DNS Zones to remove DNS records that were dynamically created and have not been touched in some time.

This support should however only be enabled on new zones or new installations. Sadly old Samba versions suffer from BUG #12451 and mark dynamic DNS records as static and static records as dynamic. While a dbcheck rule may be able to find these in the future, currently a reliable test has not been devised.

Finally, there is not currently a command-line tool to enable this feature, currently it should be enabled from the DNS Manager tool from Windows. Also the feature needs to have been enabled by setting the smb.conf parameter "dns zone scavenging = yes".

Improved support for trusted domains (as AD DC)

The support for trusted domains/forests has been further improved.

External domain trusts, as well a transitive forest trusts, are supported in both directions (inbound and outbound) for Kerberos and NTLM authentication.

The following features are new in 4.9 (compared to 4.8):

  • It's now possible to add users/groups of a trusted domain into domain groups. The group memberships are expanded on trust boundaries.
  • foreignSecurityPrincipal objects (FPO) are now automatically created when members (as SID) of a trusted domain/forest are added to a group.
  • The 'samba-tool group *members' commands allow members to be specified as foreign SIDs.

However there are currently still a few limitations:

  • Both sides of the trust need to fully trust each other!
  • No SID filtering rules are applied at all!
  • This means DCs of domain A can grant domain admin rights in domain B.
  • Selective (CROSS_ORGANIZATION) authentication is not supported. It's possible to create such a trust, but the KDC and winbindd ignore them.
  • Samba can still only operate in a forest with just one single domain.

CTDB changes

There are many changes to CTDB in this release.

  • Configuration has been completely overhauled
  • Daemon and tool options are now specified in a new ctdb.conf Samba-style configuration file. See ctdb.conf(5) for details.
  • Event script configuration is no longer specified in the top-level configuration file. It can now be specified per event script. For example, configuration options for the 50.samba event script can be placed alongside the event script in a file called 50.samba.options. Script options can also be specified in a new script.options file. See ctdb-script.options(5) for details.
  • Options that affect CTDB startup should be configured in the distribution-specific configuration file. See ctdb.sysconfig(5) for details.
  • Tunable settings are now loaded from ctdb.tunables. Using CTDB_SET_TunableVariable=<value> in the main configuration file is no longer supported. See ctdb-tunables(7) for details.
A example script to migrate an old-style configuration to the new style is available in ctdb/doc/examples/config_migrate.sh.
  • The following configuration variables and corresponding ctdbd command-line options have been removed and not replaced with counterparts in the new configuration scheme:
   CTDB_PIDFILE                      --pidfile
   CTDB_SOCKET			     --socket
   CTDB_NODES			     --nlist
   CTDB_PUBLIC_ADDRESSES	     --public-addresses
   CTDB_EVENT_SCRIPT_DIR	     --event-script-dir
   CTDB_NOTIFY_SCRIPT		     --notification-script
   CTDB_PUBLIC_INTERFACE	     --public-interface
   CTDB_MAX_PERSISTENT_CHECK_ERRORS  --max-persistent-check-errors
  • ify.d/ subdirectory of the configuration directory are now run by unconditionally.
  • Interfaces for public IP addresses must always be specified in the
public_addresses file using the currently supported format.
Some related items that have been removed are:
  • The ctdb command's --socket command-line option
  • The ctdb command's CTDB_NODES environment variable
When writing tests there are still mechanisms available to change the locations of certain directories and files.
  • The following ctdbd.conf and ctdbd options have been replaced by new ctdb.conf options:
   CTDB_LOGGING/--logging                     logging  -> location
   CTDB_DEBUGLEVEL/-d                         logging  -> log level
   CTDB_TRANSPORT/--transport                 cluster  -> transport
   CTDB_NODE_ADDRESS/--listen                 cluster  -> node address
   CTDB_RECOVERY_LOCK/--reclock               cluster  -> recovery lock
   CTDB_DBDIR/--dbdir                         database -> volatile database directory
   CTDB_DBDIR_PERSISTENT/--dbdir-persistent   database -> peristent database directory
   CTDB_DBDIR_STATE/--dbdir-state             database -> state database directory
   CTDB_DEBUG_LOCKS                           database -> lock debug script
   CTDB_DEBUG_HUNG_SCRIPT                     event    -> debug script
   CTDB_NOSETSCHED/--nosetsched               legacy   -> realtime scheduling
   CTDB_CAPABILITY_RECMASTER/--no-recmaster   legacy   -> recmaster capability
   CTDB_CAPABILITY_LMASTER/--no-lmaster       legacy   -> lmaster capability
   CTDB_START_AS_STOPPED/--start-as-stopped   legacy   -> start as stopped
   CTDB_START_AS_DISABLED/--start-as-disabled legacy   -> start as disabled
   CTDB_SCRIPT_LOG_LEVEL/--script-log-level   legacy   -> script log level
  • Event scripts have moved to the scripts/legacy subdirectory of the configuration directory
Event scripts must now end with a ".script" suffix.
  • The "ctdb event" command has changed in 2 ways:
  • A component is now required for all commands
In this release the only valid component is "legacy".
  • There is no longer a default event when running "ctdb event status"
Listing the status of the "monitor" event is now done via:
ctdb event status legacy monitor
See ctdb(1) for details.
  • The following service-related event script options have been removed:
   CTDB_MANAGES_SAMBA
   CTDB_MANAGES_WINBIND
   CTDB_MANAGES_CLAMD
   CTDB_MANAGES_HTTPD
   CTDB_MANAGES_ISCSI
   CTDB_MANAGES_NFS
   CTDB_MANAGES_VSFTPD
   CTDB_MANAGED_SERVICES
Event scripts for services are now disabled by default. To enable an event script and, therefore, manage a service use a command like the following:
   ctdb event script enable legacy 50.samba
  • Notification scripts have moved to the scripts/notification subdirectory of the configuration directory
Notification scripts must now end with a ".script" suffix.
  • Support for setting CTDB_DBDIR=tmpfs has been removed
This feature has not been implemented in the new configuration system. If this is desired then a tmpfs filesystem should be manually mounted on the directory pointed to by the "volatile database directory" option. See ctdb.conf(5) for more details.
  • The following tunable options are now ctdb.conf options:
   DisabledIPFailover    failover -> disabled
   TDBMutexEnabled       database -> tdb mutexes
  • Support for the NoIPHostOnAllDisabled tunable has been removed
If all nodes are unhealthy or disabled then CTDB will not host public IP addresses. That is, CTDB now behaves as if NoIPHostOnAllDisabled were set to 1.
  • The onnode command's CTDB_NODES_FILE environment variable has been removed
The -f option can still be used to specify an alternate node file.
  • The 10.external event script has been removed
  • The CTDB_SHUTDOWN_TIMEOUT configuration variable has been removed
As with other daemons, if ctdbd does not shut down when requested then manual intervention is required. There is no safe way of automatically killing ctdbd after a failed shutdown.
  • CTDB_SUPPRESS_COREFILE and CTDB_MAX_OPEN_FILES configuration variable have been removed
These should be setup in the systemd unit/system file or, for SYSV init, in the distribution-specific configuration file for the ctdb service.
  • CTDB_PARTIALLY_ONLINE_INTERFACES incompatibility no longer enforced
11.natgw and 91.lvs will no longer fail if CTDB_PARTIALLY_ONLINE_INTERFACES=yes. The incompatibility is, however, well documented. This option will be removed in future and replaced by sensible behaviour where public IP addresses simply switch interfaces or become unavailable when interfaces are down.
  • Configuration file /etc/ctdb/sysconfig/ctdb is no longer supported

GPO Improvements

The 'samba_gpoupdate' command (used in applying Group Policies to the samba machine itself) has been renamed to 'samba_gpupdate' and had the syntax changed to better match the same tool on Windows.

REMOVED FEATURES

smb.conf changes

As the most popular Samba install platforms (Linux and FreeBSD) both support extended attributes by default, the parameters "map readonly", "store dos attributes" and "ea support" have had their defaults changed to allow better Windows fileserver compatibility in a default install.

 Parameter Name                     Description             Default
 --------------                     -----------             -------
 map readonly                       Default changed              no
 store dos attributes               Default changed             yes
 ea support                         Default changed             yes
 full_audit:success                 Default changed            none
 full_audit:failure                 Default changed            none

VFS interface changes

The VFS ABI interface version has changed to 39. Function changes are:

SMB_VFS_FSYNC: Removed: Only async versions are used.
SMB_VFS_READ: Removed: Only PREAD or async versions are used.
SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.

Any external VFS modules will need to be updated to match these changes in order to work with 4.9.x.

Samba 4.8

Release Notes for Samba 4.8.0
March 13, 2018

Release Announcements

This is the first stable release of the Samba 4.8 release series. Please read the release notes carefully before upgrading.

UPGRADING

New GUID Index mode in sam.ldb for the AD DC

Users who upgrade a Samba AD DC in-place will experience a short delay in the first startup of Samba while the sam.ldb is re-indexed.

Unlike in previous releases a transparent downgrade is not possible. If you wish to downgrade such a DB to a Samba 4.7 or earlier version, please run the source4/scripting/bin/sambaundoguididx script first.

Domain member setups require winbindd

Setups with "security = domain" or "security = ads" require a running 'winbindd' now. The fallback that smbd directly contacts domain controllers is gone.

smbclient reparse point symlink parameters reversed

See the more detailed description below.

Changed trusted domains listing with wbinfo -m --verbose

See the more detailed description below.

NEW FEATURES/CHANGES

New GUID Index mode in sam.ldb for the AD DC

The new layout used for sam.ldb is GUID, rather than DN oriented. This provides Samba's Active Directory Domain Controller with a faster database, particularly at larger scale.

The underlying DB is still TDB, simply the choice of key has changed.

The new mode is not optional, so no configuration is required. Older Samba versions cannot read the new database (see the upgrade note above).

KDC GPO application

Adds Group Policy support for the Samba kdc. Applies password policies (minimum/maximum password age, minimum password length, and password complexity) and kerberos policies (user/service ticket lifetime and renew lifetime).

Adds the samba_gpoupdate script for applying and unapplying policy. Can be applied automatically by setting

'apply group policies = yes'.

Time Machine Support with vfs_fruit

Samba can be configured as a Time Machine target for Apple Mac devices through the vfs_fruit module. When enabling a share for Time Machine support the relevant Avahi records to support discovery will be published for installations that have been built against the Avahi client library.

Shares can be designated as a Time Machine share with the following setting:

 'fruit:time machine = yes'

Support for lower casing the MDNS Name

Allows the server name that is advertised through MDNS to be set to the hostname rather than the Samba NETBIOS name. This allows an administrator to make Samba registered MDNS records match the case of the hostname rather than being in all capitals.

This can be set with the following settings:

 'mdns name = mdns'

Encrypted secrets

Attributes deemed to be sensitive are now encrypted on disk. The sensitive values are currently: pekList msDS-ExecuteScriptPassword currentValue dBCSPwd initialAuthIncoming initialAuthOutgoing lmPwdHistory ntPwdHistory priorValue supplementalCredentials trustAuthIncoming trustAuthOutgoing unicodePwd clearTextPassword

This encryption is enabled by default on a new provision or join, it can be disabled at provision or join time with the new option '--plaintext-secrets'.

However, an in-place upgrade will not encrypt the database.

Once encrypted, it is not possible to do an in-place downgrade (eg to 4.7) of the database. To obtain an unencrypted copy of the database a new DC join should be performed, specifying the '--plaintext-secrets' option.

The key file "encrypted_secrets.key" is created in the same directory as the database and should NEVER be disclosed. It is included by the samba_backup script.

Active Directory replication visualisation

To work out what is happening in a replication graph, it is sometimes helpful to use visualisations. We introduce a samba-tool subcommand to write Graphviz dot output and generate text-based heatmaps of the distance in hops between DCs.

There are two subcommands, two graphical modes, and (roughly) two modes of operation with respect to the location of authority.

  • 'samba-tool visualize ntdsconn' looks at NTDS Connections.
  • 'samba-tool visualize reps' looks at repsTo and repsFrom objects.

In '--distance' mode (default), the distances between DCs are shown in a matrix in the terminal. With '--color=yes', this is depicted as a heatmap. With '--utf8' it is a lttle prettier.

In '--dot' mode, Graphviz dot output is generated. When viewed using dot or xdot, this shows the network as a graph with DCs as vertices and connections edges. Certain types of degenerate edges are shown in different colours or line-styles.

smbclient reparse point symlink parameters reversed

A bug in smbclient caused the 'symlink' command to reverse the meaning of the new name and link target parameters when creating a reparse point symlink against a Windows server. As this is a little used feature the ordering of these parameters has been reversed to match the parameter ordering of the UNIX extensions 'symlink' command. The usage message for this command has also been improved to remove confusion.

Winbind changes

The dependency to global list of trusted domains within the winbindd processes has been reduced a lot.

The construction of that global list is not reliable and often incomplete in complex trust setups. In most situations the list is not needed any more for winbindd to operate correctly. E.g. for plain file serving via SMB using a simple idmap setup with autorid, tdb or ad. However some more complex setups require the list, e.g. if you specify idmap backends for specific domains. Some pam_winbind setups may also require the global list.

If you have a setup that doesn't require the global list, you should set "winbind scan trusted domains = no".

Improved support for trusted domains (as AD DC)

The support for trusted domains/forests has improved a lot.

External domain trusts, as well a transitive forest trusts, are supported in both directions (inbound and outbound) for Kerberos and NTLM authentication now.

The LSA LookupNames and LookupSids implementations support resolving names and sids from trusts domains/forest now. This is important in order to allow Samba based domain members to make use of the trust.

However there are currently still a few limitations:

  • It's not possible to add users/groups of a trusted domainvinto domain groups. So group memberships are not expanded on trust boundaries.
See https://bugzilla.samba.org/show_bug.cgi?id=13300
  • Both sides of the trust need to fully trust each other!
  • No SID filtering rules are applied at all!
  • This means DCs of domain A can grant domain admin rights in domain B.
  • Selective (CROSS_ORIGANIZATION) authentication is not supported. It's possible to create such a trust, but the KDC and winbindd ignore them.

Changed trusted domains listing with wbinfo -m --verbose

The trust properties printed by wbinfo -m --verbose have been changed to correctly reflect the view of the system where wbinfo is executed.

The trust type field in particular can show additional values that correctly reflect the type of the trust: "Local" for the local SAM and BUILTIN, "Workstation" for a workstation trust to the primary domain, "RWDC" for the SAM on a AD DC, "RODC" for the SAM on a read-only DC, "PDC" for the SAM on a NT4-style DC, "Forest" for a AD forest trust and "External" for quarantined, external or NT4-style trusts.

Indirect trusts are shown as "Routed" including the routing domain.

Example, on a AD DC (SDOM1):

Domain Name DNS Domain          Trust Type  Transitive  In   Out
BUILTIN                         Local
SDOM1       sdom1.site          RWDC
WDOM3       wdom3.site          Forest      Yes         No   Yes
WDOM2       wdom2.site          Forest      Yes         Yes  Yes
SUBDOM31    subdom31.wdom3.site Routed (via WDOM3)
SUBDOM21    subdom21.wdom2.site Routed (via WDOM2)

Same setup, on a member of WDOM2:

Domain Name DNS Domain          Trust Type  Transitive  In   Out
BUILTIN                         Local
TITAN                           Local
WDOM2       wdom2.site          Workstation Yes         No   Yes
WDOM1       wdom1.site          Routed (via WDOM2)
WDOM3       wdom3.site          Routed (via WDOM2)
SUBDOM21    subdom21.wdom2.site Routed (via WDOM2)
SDOM1       sdom1.site          Routed (via WDOM2)
SUBDOM11    subdom11.wdom1.site Routed (via WDOM2)

The list of trusts may be incomplete and additional domains may appear as "Routed" if a user of an unknown domain is successfully authenticated.

VirusFilter VFS module

This new module integrates with Sophos, F-Secure and ClamAV anti-virus software to provide scanning and filtering of files on a Samba share.

REMOVED FEATURES

'net serverid' commands removed

The two commands 'net serverid list' and 'net serverid wipe' have been removed, because the file serverid.tdb is not used anymore.

'net serverid list' can be replaced by listing all files in the subdirectory "msg.lock" of Samba's "lock directory". The unique id listed by 'net serverid list' is stored in every process' lockfile in "msg.lock".

'net serverid wipe' is not necessary anymore. It was meant primarily for clustered environments, where the serverid.tdb file was not properly cleaned up after single node crashes. Nowadays smbd and winbind take care of cleaning up the msg.lock and msg.sock directories automatically.

NT4-style replication based net commands removed

The following commands and sub-commands have been removed from the "net" utility:

  • net rpc samdump
  • net rpc vampire ldif

Also, replicating from a real NT4 domain with "net rpc vampire" and "net rpc vampire keytab" has been removed.

The NT4-based commands were accidentally broken in 2013, and nobody noticed the breakage. So instead of fixing them including tests (which would have meant writing a server for the protocols, which we don't have) we decided to remove them.

For the same reason, the "samsync", "samdeltas" and "database_redo" commands have been removed from rpcclient.

"net rpc vampire keytab" from Active Directory domains continues to be supported.

vfs_aio_linux module removed

The current Linux kernel aio does not match what Samba would do. Shipping code that uses it leads people to false assumptions. Samba implements async I/O based on threads by default, there is no special module required to see benefits of read and write request being sent do the disk in parallel.

smb.conf changes

 Parameter Name                     Description             Default
 --------------                     -----------             -------
 apply group policies               New                     no
 auth methods                       Removed
 binddns dir                        New
 client schannel                    Default changed/        yes
                                    Deprecated
 gpo update command                 New
 ldap ssl ads                       Deprecated
 map untrusted to domain            Removed
 oplock contention limit            Removed
 prefork children                   New                     1
 mdns name                          New                     netbios
 fruit:time machine                 New                     false
 profile acls                       Removed
 use spnego                         Removed
 server schannel                    Default changed/        yes
                                    Deprecated
 unicode                            Deprecated
 winbind scan trusted domains       New                     yes
 winbind trusted domains only       Removed

Samba 4.7

Release Notes for Samba 4.7.0
September 20, 2017

Release Announcements

This is the first stable release of Samba 4.7.

Please read the release notes carefully before upgrading.

UPGRADING

smbclient changes

'smbclient' no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]' banner when connecting to the first server. With SMB2 and Kerberos there's no way to print this information reliable. Now we avoid it at all consistently. In interactive session the following banner is now presented to the user: 'Try "help" do get a list of possible commands.'.

The default for "client max protocol" has changed to "SMB3_11", which means that 'smbclient' (and related commands) will work against servers without SMB1 support.

It's possible to use the '-m/--max-protocol' option to overwrite the "client max protocol" option temporarily.

Note that the '-e/--encrypt' option also works with most SMB3 servers (e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions are not required for encryption.

The change to SMB3_11 as default also means smbclient no longer negotiates SMB1 unix extensions by default, when talking to a Samba server with "unix extensions = yes". As a result, some commands are not available, e.g. 'posix_encrypt', 'posix_open', 'posix_mkdir', 'posix_rmdir', 'posix_unlink', posix_whoami', 'getfacl' and 'symlink'. Using "-mNT1" reenabled them, if the server supports SMB1.

Note: the default ("CORE") for "client min protocol" hasn't changed, so it's still possible to connect to SMB1-only servers by default.

'smbclient' learned a new command 'deltree' that is able to do a recursive deletion of a directory tree.

NEW FEATURES/CHANGES

Whole DB read locks: Improved LDAP and replication consistency

Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba erroneously did not take whole-DB read locks to protect search and DRS replication operations.

While each object returned remained subject to a record-level lock (so would remain consistent to itself), under a race condition with a rename or delete, it and any links (like the member attribute) to it would not be returned.

The symptoms of this issue include:

Replication failures with this error showing in the client side logs:

error during DRS repl ADD: No objectClass found in replPropertyMetaData for Failed to commit objects:
WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE

A crash of the server, in particular the rpc_server process with

INTERNAL ERROR: Signal 11

LDAP read inconsistency

A DN subject to a search at the same time as it is being renamed may not appear under either the old or new name, but will re-appear for a subsequent search.

See BUG #12858 for more details and updated advise on database recovery for affected installations.

Samba AD with MIT Kerberos

After four years of development, Samba finally supports compiling and running Samba AD with MIT Kerberos. You can enable it with:

   ./configure --with-system-mitkrb5

Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support. The krb5-devel and krb5-server packages are required. The feature set is not on par with with the Heimdal build but the most important things, like forest and external trusts, are working. Samba uses the KDC binary provided by MIT Kerberos.

Missing features, compared to Heimdal, are:

  • PKINIT support
  • S4U2SELF/S4U2PROXY support
  • RODC support (not fully working with Heimdal either)

The Samba AD process will take care of starting the MIT KDC and it will load a KDB (Kerberos Database) driver to access the Samba AD database. When provisioning an AD DC using 'samba-tool' it will take care of creating a correct kdc.conf file for the MIT KDC.

For further details, see:

Running_a_Samba_AD_DC with_MIT_Kerberos_KDC

Dynamic RPC port range

The dynamic port range for RPC services has been changed from the old default value "1024-1300" to "49152-65535". This port range is not only used by a Samba AD DC but also applies to all other server roles including NT4-style domain controllers. The new value has been defined by Microsoft in Windows Server 2008 and newer versions. To make it easier for Administrators to control those port ranges we use the same default and make it configurable with the option: "rpc server dynamic port range".

The "rpc server port" option sets the first available port from the new "rpc server dynamic port range" option. The option "rpc server port" only applies to Samba provisioned as an AD DC.

Authentication and Authorization audit support

Detailed authentication and authorization audit information is now logged to Samba's debug logs under the "auth_audit" debug class, including in particular the client IP address triggering the audit line. Additionally, if Samba is compiled against the jansson JSON library, a JSON representation is logged under the "auth_json_audit" debug class.

Audit support is comprehensive for all authentication and authorisation of user accounts in the Samba Active Directory Domain Controller, as well as the implicit authentication in password changes. In the file server and classic/NT4 domain controller, NTLM authentication, SMB and RPC authorization is covered, however password changes are not at this stage, and this support is not currently backed by a testsuite.

For further details, see:

Setting_up_Audit_Logging

Multi-process LDAP Server

The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process, rather than being forced into a single process. This aids in Samba's ability to scale to larger numbers of AD clients and the AD DC's overall resiliency, but will mean that there is a fork()ed child for every LDAP client, which may be more resource intensive in some situations. If you run Samba in a resource-constrained VM, consider allocating more RAM and swap space.

Improved Read-Only Domain Controller (RODC) Support

Support for RODCs in Samba AD until now has been experimental. With this latest version, many of the critical bugs have been fixed and the RODC can be used in DC environments requiring no writable behaviour. RODCs now correctly support bad password lockouts and password disclosure auditing through the msDS-RevealedUsers attribute.

The fixes made to the RWDC will also allow Windows RODC to function more correctly and to avoid strange data omissions such as failures to replicate groups or updated passwords. Password changes are currently rejected at the RODC, although referrals should be given over LDAP. While any bad passwords can trigger domain-wide lockout, good passwords which have not been replicated yet for a password change can only be used via NTLM on the RODC (and not Kerberos).

The reliability of RODCs locating a writable partner still requires some improvements and so the 'password server' configuration option is generally recommended on the RODC.

Samba 4.7 is the first Samba release to be secure as an RODC or when hosting an RODC. If you have been using earlier Samba versions to host or be an RODC, please upgrade.

In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for details on the security implications for password disclosure to an RODC using earlier versions.

Additional password hashes stored in supplementalCredentials

A new config option 'password hash userPassword schemes' has been added to enable generation of SHA-256 and SHA-512 hashes (without storing the plaintext password with reversible encryption). This builds upon previous work to improve password sync for the AD DC (originally using GPG).

The user command of 'samba-tool' has been updated in order to be able to extract these additional hashes, as well as extracting the (HTTP) WDigest hashes that we had also been storing in supplementalCredentials.

Improvements to DNS during Active Directory domain join

The 'samba-tool' domain join command will now add the A and GUID DNS records (on both the local and remote servers) during a join if possible via RPC. This should allow replication to proceed more smoothly post-join.

The mname element of the SOA record will now also be dynamically generated to point to the local read-write server. 'samba_dnsupdate' should now be more reliable as it will now find the appropriate name server even when resolv.conf points to a forwarder.

Significant AD performance and replication improvements

Previously, replication of group memberships was been an incredibly expensive process for the AD DC. This was mostly due to unnecessary CPU time being spent parsing member linked attributes. The database now stores these linked attributes in sorted form to perform efficient searches for existing members. In domains with a large number of group memberships, a join can now be completed in half the time compared with Samba 4.6.

LDAP search performance has also improved, particularly in the unindexed search case. Parsing and processing of security descriptors should now be more efficient, improving replication but also overall performance.

Query record for open file or directory

The record attached to an open file or directory in Samba can be queried through the 'net tdb locking' command. In clustered Samba this can be useful to determine the file or directory triggering corresponding "hot" record warnings in ctdb.

Removal of lpcfg_register_defaults_hook()

The undocumented and unsupported function lpcfg_register_defaults_hook() that was used by external projects to call into Samba and modify smb.conf default parameter settings has been removed. If your project was using this call please raise the issue on samba-technical@lists.samba.org in order to design a supported way of obtaining the same functionality.

Change of loadable module interface

The _init function of all loadable modules in Samba has changed from:

NTSTATUS _init(void);

to:

NTSTATUS _init(TALLOC_CTX *);

This allows a program loading a module to pass in a long-lived talloc context (which must be guaranteed to be alive for the lifetime of the module). This allows modules to avoid use of the talloc_autofree_context() (which is inherently thread-unsafe) and still be valgrind-clean on exit. Modules that don't need to free long-lived data on exit should use the NULL talloc context.

Parameter changes

The "strict sync" global parameter has been changed from a default of "no" to "yes". This means smbd will by default obey client requests to synchronize unwritten data in operating system buffers safely onto disk. This is a safer default setting for modern SMB1/2/3 clients.

The 'ntlm auth' option default is renamed to 'ntlmv2-only', reflecting the previous behaviour. Two new values have been provided, 'mschapv2-and-ntlmv2-only' (allowing MSCHAPv2 while denying NTLMv1) and 'disabled', totally disabling NTLM authentication and password changes.

SHA256 LDAPS Certificates

The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature.

Replacing this certificate with a certificate signed by a trusted CA is still highly recommended.

CTDB changes

  • CTDB no longer allows mixed minor versions in a cluster
See the AllowMixedVersions tunable option in ctdb-tunables(7) and also Upgrading_a_CTDB_cluster#Policy
  • CTDB now ignores hints from Samba about TDB flags when attaching to databases
CTDB will use the correct flags depending on the type of database. For clustered databases, the smb.conf setting dbwrap_tdb_mutexes:*=true will be ignored. Instead, CTDB continues to use the TDBMutexEnabled tunable.
  • New configuration variable CTDB_NFS_CHECKS_DIR
See ctdbd.conf(5) for more details.
  • The CTDB_SERVICE_AUTOSTARTSTOP configuration variable has been removed
To continue to manage/unmanage services while CTDB is running:
  • Start service by hand and then flag it as managed
  • Mark service as unmanaged and shut it down by hand
  • In some cases CTDB does something fancy - e.g. start Samba under "nice", so care is needed. One technique is to disable the eventscript, mark as managed, run the startup event by hand and then re-enable the eventscript.
  • The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed
  • The example NFS Ganesha call-out has been improved
  • A new "replicated" database type is available
Replicated databases are intended for CTDB's internal use to replicate state data across the cluster, but may find other uses. The data in replicated databases is valid for the lifetime of CTDB and cleared on first attach.


Using x86_64 Accelerated AES Crypto Instructions

Samba on x86_64 can now be configured to use the Intel accelerated AES instruction set, which has the potential to make SMB3 signing and encryption much faster on client and server. To enable this, configure Samba using the new option --accel-aes=intelaesni.

This is a temporary solution that is being included to allow users to enjoy the benefits of Intel accelerated AES on the x86_64 platform, but the longer-term solution will be to move Samba to a fully supported external crypto library.

The third_party/aesni-intel code will be removed from Samba as soon as external crypto library performance reaches parity.

The default is to build without setting --accel-aes, which uses the existing Samba software AES implementation.

smb.conf changes

 Parameter Name                     Description             Default
 --------------                     -----------             -------
 allow unsafe cluster upgrade       New parameter           no
 auth event notification            New parameter           no
 auth methods                       Deprecated
 client max protocol                Effective               SMB3_11
                                    default changed
 map untrusted to domain            New value/              auto
                                    Default changed/
                                    Deprecated
 mit kdc command                    New parameter
 profile acls                       Deprecated
 rpc server dynamic port range      New parameter           49152-65535
 strict sync                        Default changed         yes
 password hash userPassword schemes New parameter
 ntlm auth                          New values              ntlmv2-only