Samba Features added/changed
Samba 4.20
Release Announcements
This is the first stable release of the Samba 4.20 release series. Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
New Minimum MIT Krb5 version for Samba AD Domain Controller
Samba now requires MIT 1.21 when built against a system MIT Krb5 and acting as an Active Directory DC. This addresses the issues that were fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that Samba builds against the MIT version that allows us to avoid that attack.
Removed dependency on Perl JSON module
Distributions are advised that the Perl JSON package is no longer required by Samba builds that use the imported Heimdal. The build instead uses Perl's JSON::PP built into recent perl5 versions.
Current lists of packages required by Samba for major distributions are found in the bootstrap/generated-dists/ directory of a Samba source tree. While there will be some differences - due to features chosen by packagers - comparing these lists with the build dependencies in a package may locate other dependencies we no longer require.
samba-tool user getpassword / syncpasswords ;rounds= change
The password access tool "samba-tool user getpassword" and the password sync tool "samba-tool user syncpasswords" allow attributes to be chosen for output, and accept parameters like pwdLastSet;format=GeneralizedTime.
These attributes then appear, in the same format, as the attribute names in the LDIF output. This was not the case for the ;rounds= parameter of virtualCryptSHA256 and virtualCryptSHA512, for example --attributes="virtualCryptSHA256;rounds=50000".
This release makes the behaviour consistent between these two features. Installations using GPG-encrypted passwords (or plaintext storage) and the rounds= option will find the output has changed
from:
virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
to:
virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
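Scripts that consume this LDIF output now have to accept both the old bare attribute name and the new "name;rounds=N" form. The following parser is an added example (not Samba's own code) that splits an LDIF attribute description into its name and options and cross-checks the declared rounds against the rounds encoded in the SHA-crypt string itself; the sample lines are the two from above, and the 5000-round default for a crypt string without a rounds= field is glibc's.

```python
import re

# SHA-crypt strings as emitted for virtualCryptSHA256/512:
#   {CRYPT}$5$rounds=N$salt$hash   ($6$ for SHA-512); "rounds=N$" is absent at the default.
CRYPT_RE = re.compile(r"^\{CRYPT\}\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?")

# The two lines shown above (old and new output format), used as sample input.
OLD_LINE = "virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF"
NEW_LINE = "virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF"


def parse_ldif_attribute(line):
    """Split 'name;opt=val;...: value' into (name, {option: value}, value)."""
    description, _, value = line.partition(": ")
    name, *options = description.split(";")
    return name, dict(opt.partition("=")[::2] for opt in options), value


def crypt_rounds(value):
    """Rounds encoded in a SHA-crypt string, or None if the value is not one."""
    m = CRYPT_RE.match(value)
    if m is None:
        return None
    return int(m["rounds"]) if m["rounds"] else 5000   # glibc default when rounds= is absent


def rounds_consistent(line):
    """True when the ;rounds= option (if any) matches the crypt string,
    False on a mismatch, None for attributes that carry no crypt string."""
    name, options, value = parse_ldif_attribute(line)
    actual = crypt_rounds(value)
    if actual is None:
        return None
    return "rounds" not in options or int(options["rounds"]) == actual
```

Both formats parse to the same attribute name, so a consumer keyed on `name` alone keeps working; only code that matched the full "virtualCryptSHA256:" prefix literally breaks.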
Group Managed service account client-side features
samba-tool has been extended to provide client-side support for Group Managed Service accounts. These accounts have passwords that change automatically, giving the advantages of service isolation without risk of poor, unchanging passwords.
Where possible, Samba's existing samba-tool password handling commands, which in the past have only operated against the local sam.ldb, have been extended to permit operation against a remote server with authenticated access via "-H ldap://$DCNAME".
Supported operations include:
- reading the current and previous gMSA password via "samba-tool user getpassword"
- writing a Kerberos Ticket Granting Ticket (TGT) to a local credentials cache with a new command, "samba-tool user get-kerberos-ticket"
New Windows Search Protocol Client
Samba now builds by default a new experimental Windows Search Protocol (WSP) command line client, "wspsearch".
The "wspsearch" command-line utility allows a WSP search request to be sent to a server (such as a Windows server) that has the Windows Search Protocol (WSP) service configured and enabled.
For more details see the wspsearch man page.
Allow 'smbcacls' to save/restore DACLs to file
'smbcacls' has been extended to allow DACLs to be saved to and restored from a file. This feature mimics the functionality that the Windows command line tool 'icacls.exe' provides. Additionally, files created either by 'smbcacls' or 'icacls.exe' are interchangeable and can be used by either tool, as the same file format is used.
New options added are:
- '--save savefile': saves DACLs in SDDL format to a file
- '--recurse': performs the '--save' operation above on the directory and all files/directories below it
- '--restore savefile': restores the stored DACLs to files in the directory
Samba-tool extensions for AD Claims, Authentication Policies and Silos
samba-tool now allows users to be associated with claims. In the Samba AD DC, claims derive from Active Directory attributes mapped into specific names. These claims can be used in rules, which are conditional ACEs in a security descriptor, that decide if a user is restricted by an authentication policy.
samba-tool also allows the creation and management of authentication policies, which are rules about where a user may authenticate from, if NTLM is permitted, and what services a user may authenticate to.
Finally, support is added for the creation and management of authentication silos, which are helpful in defining network boundaries by grouping users and the services they connect to.
Please note: The command line syntax for these tools is not final, and may change before the next release, as we gain user feedback. The syntax will be locked in once Samba offers 2016 AD Functional Level as a default.
AD DC support for Authentication Silos and Authentication Policies
The Samba AD DC now also honours any existing claims, authentication policy and authentication silo configuration previously created (e.g. from an import of a Microsoft AD), as well as new configurations created with samba-tool. The use of Microsoft's PowerShell based client tools is not expected to work.
To use this feature, the functional level must be set to 2012_R2 or later with:
ad dc functional level = 2016
in the smb.conf.
The smb.conf file on each DC must have 'ad dc functional level = 2016' set to have the partially complete feature available. This will also, at first startup, update the server's own AD entry with the configured functional level.
For new domains, add these parameters to 'samba-tool provision'
--option="ad dc functional level = 2016" --function-level=2016
The second option, setting the overall domain functional level indicates that all DCs should be at this functional level.
To raise the domain functional level of an existing domain, after updating the smb.conf and restarting Samba run
samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016
samba-tool domain level raise --domain-level=2016 --forest-level=2016
This support is still new, so is not enabled by default in this release. The above instructions are set at 2016, which while not complete, matches what our testing environment validates.
Conditional ACEs and Resource Attribute ACEs
Ordinary Access Control Entries (ACEs) unconditionally allow or deny access to a given user or group. Conditional ACEs have an additional section that describes conditions under which the ACE applies. If the conditional expression is true, the ACE works like an ordinary ACE, otherwise it is ignored. The condition terms can refer to claims, group memberships, and attributes on the object itself. These attributes are described in Resource Attribute ACEs that occur in the object's System Access Control List (SACL). Conditional ACEs are described in Microsoft documentation.
Conditional ACE evaluation is controlled by the "acl claims evaluation" smb.conf option. The default value is "AD DC only" which enables them in AD DC settings. The other option is "never", which disables them altogether. There is currently no option to enable them on the file server (this is likely to change in future releases).
The Security Descriptor Definition Language has extensions for conditional ACEs and resource attribute ACEs; these are now supported by Samba.
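To make the evaluation rules above concrete, here is an added example (not Samba's code, and only a subset of the conditional-expression syntax) that parses conditional allow ACEs and resource attribute ACEs in SDDL form and decides which rights apply for a given user. It models the three kinds of condition terms named above: user claims (@User.Name), group memberships (Member_of {SID(...)}), and resource attributes (@Resource.Name) taken from the RA ACEs in the object's SACL. It also models the three-valued logic of conditional ACEs: a claim that is absent makes the term unknown, and an ACE whose condition is not definitely true is ignored. The ACE strings, domain SID and claim values below are constructed for the example; deny (XD) ACEs and inheritance flags are not modelled.

```python
import re

# Token classes for the handled subset: string literal, @User./@Resource. attribute,
# SID() literal, Member_of, and the operators == && || ! plus grouping.
TOKEN_RE = re.compile(r'\s*(?:(?P<str>"[^"]*")|(?P<attr>@(?:User|Resource)\.\w+)'
                      r'|(?P<sid>SID\([^)]*\))|(?P<word>Member_of)|(?P<op>==|&&|\|\||[!(){},]))')

def tokenize(text):
    matches = list(TOKEN_RE.finditer(text))
    if sum(len(m.group(0)) for m in matches) != len(text.rstrip()):
        raise ValueError(f"unrecognised token in {text!r}")    # nothing is silently skipped
    return [(m.lastgroup, m.group(m.lastgroup)) for m in matches]

def parse_condition(text):
    """Recursive-descent parser for one condition; returns a tuple-based AST."""
    toks, pos = tokenize(text), [0]
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else (None, None)
    def take(expected=None):
        kind, val = peek()
        if kind is None or (expected and val != expected):
            raise ValueError(f"expected {expected!r}, got {val!r}")
        pos[0] += 1
        return kind, val
    def binary(op, below):                    # left-associative chain of one operator
        node = below()
        while peek()[1] == op:
            take()
            node = (op, node, below())
        return node
    def or_expr():                            # || binds looser than &&
        return binary("||", lambda: binary("&&", unary))
    def unary():
        if peek()[1] == "!":
            take()
            return ("!", unary())
        return primary()
    def primary():
        kind, val = peek()
        if val == "(":
            take(); node = or_expr(); take(")")
            return node
        if kind == "word":                    # Member_of {SID(..), SID(..)}
            take(); take("{")                 # iter() pulls tokens up to the closing brace
            sids = [v[4:-1] for k, v in iter(take, ("op", "}")) if k == "sid"]
            return ("member_of", sids)
        left = term()
        take("==")
        return ("==", left, term())
    def term():
        kind, val = take()
        if kind == "str":
            return ("lit", val[1:-1])
        if kind == "attr":
            scope, name = val[1:].split(".", 1)
            return ("attr", scope.lower(), name)
        raise ValueError(f"unexpected token {val!r}")
    node = or_expr()
    if peek()[0] is not None:
        raise ValueError("trailing tokens in condition")
    return node

def evaluate(node, ctx):
    """Three-valued evaluation: True, False or None (unknown, e.g. a missing claim)."""
    op = node[0]
    if op == "lit":
        return node[1]
    if op == "attr":
        return ctx[node[1]].get(node[2])           # None when the claim is absent
    if op == "member_of":
        return all(s in ctx["groups"] for s in node[1])
    if op == "!":
        v = evaluate(node[1], ctx)
        return None if v is None else not v
    l, r = evaluate(node[1], ctx), evaluate(node[2], ctx)
    if op == "==":
        return None if None in (l, r) else l == r
    short = False if op == "&&" else True          # operand value that decides && / || outright
    return short if short in (l, r) else (None if None in (l, r) else not short)

def parse_ace(ace):
    names = ("type", "flags", "rights", "object", "inherit", "sid", "extra")
    return dict(zip(names, ace.strip()[1:-1].split(";", 6)))

def effective_rights(dacl, sacl, user_claims, groups):
    """Rights granted by XA (conditional allow) ACEs whose condition is definitely true."""
    resource = {}                                  # claims declared by RA ACEs in the SACL
    for ace in map(parse_ace, sacl):
        if ace["type"] == "RA":                    # ("Name",Type,Flags,"value")
            name, values = re.match(r'\("([^"]+)",\w+,\d+,(.*)\)$', ace["extra"]).groups()
            resource[name] = values.strip('"')     # single string value assumed here
    ctx = {"user": user_claims, "resource": resource, "groups": set(groups)}
    granted = set()
    for ace in map(parse_ace, dacl):
        if ace["type"] == "XA" and evaluate(parse_condition(ace["extra"]), ctx) is True:
            granted.add(ace["rights"])             # unknown (None) skips the ACE
    return granted

# Constructed sample: one RA ACE in the SACL, two XA ACEs in the DACL, constructed domain SIDs.
SACL = ['(RA;;;;;WD;("Department",TS,0,"Sales"))']
DACL = ['(XA;;FR;;;WD;(@User.Department == @Resource.Department))',
        '(XA;;FW;;;WD;(Member_of {SID(S-1-5-21-1-2-3-512)} && !(@User.Title == "Contractor")))']
ADMIN_GROUPS = ["S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-512"]
```

A user in the 512 group with Department "Sales" and Title "Engineer" gets both FR and FW; the same user without a Title claim gets only FR, because the Title comparison is unknown and the whole FW condition is therefore unknown rather than true.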
Service Witness Protocol [MS-SWN]
In a ctdb cluster it is now possible to provide the SMB witness service that allows clients to monitor their current smb connection to cluster node A by asking cluster node B to notify the client if the ip address from node A or the whole node A becomes unavailable.
For disk shares in a ctdb cluster SMB2_SHARE_CAP_SCALEOUT is now always returned for SMB3 tree connect responses.
If the witness service is active SMB2_SHARE_CAP_CLUSTER is now also returned.
In order to activate the witness service, "rpc start on demand helpers = no" needs to be configured in the global section. At the same time the 'samba-dcerpcd' service needs to be started explicitly, typically with the '--libexec-rpcds' option, in order to make all available services usable. One important aspect is that TCP port 135 (for the endpoint mapper) and various ports in the 'rpc server dynamic port range' will be used to provide the witness service (rpcd_witness).
ctdb provides a '47.samba-dcerpcd.script' in order to manage the samba-dcerpcd.service. Typically as systemd service, but that's up to the packager and/or admin.
Please note that current Windows clients require SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY in addition to SMB2_SHARE_CAP_CLUSTER in order to make use of the witness service. But SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY implies that Windows clients always ask for persistent handles (which are not implemented in Samba yet), so that every open generates a warning in the Windows SMB client event log. That's why SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY is not returned by default. An explicit 'smb3 share cap:CONTINUOUS AVAILABILITY = yes' is needed.
There are also new 'net witness' commands in order to let the admin list active client registrations or ask specific clients to move their smb connection to another cluster node. These are available:
net witness list
net witness client-move
net witness share-move
net witness force-unregister
net witness force-response
Consult 'man net' or 'net witness help' for further details.
REMOVED FEATURES
Get locally logged on users from utmp
The Workstation Service Remote Protocol [MS-WKST] calls NetWkstaGetInfo level 102 and NetWkstaEnumUsers level 0 and 1 return the list of locally logged on users. Samba was getting the list from utmp, which is not Y2038 safe. This feature has been completely removed and Samba will always return an empty list.
smb.conf changes
Parameter Name                          Description   Default
--------------                          -----------   -------
acl claims evaluation                   new           AD DC only
smb3 unix extensions                    Per share     -
smb3 share cap:ASYMMETRIC               new           no
smb3 share cap:CLUSTER                  new           see 'man smb.conf'
smb3 share cap:CONTINUOUS AVAILABILITY  new           no
smb3 share cap:SCALE OUT                new           see 'man smb.conf'
Samba 4.19
Release Announcements
- Release Notes for 4.19.0
- September 04, 2023
This is the first stable release of the Samba 4.19 release series. Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
Migrated smbget to use common command line parser
The smbget utility implemented its own command line parsing logic. After discovering an issue we decided to migrate it to use the common command line parser. This has some advantages, as you get all the features it provides, like Kerberos authentication. The downside is that this breaks the options interface. The support for smbgetrc has been removed. You can use an authentication file if needed; this is documented in the manpage.
Please check the smbget manpage or --help output.
gpupdate changes
The libgpo.get_gpo_list function has been deprecated in favor of an implementation written in python. The new function can be imported via `import samba.gp`. The python implementation connects to Active Directory using the SamDB module, instead of ADS (which is what libgpo uses).
Improved winbind logging and a new tool for parsing the winbind logs
Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain new trace header fields 'traceid' and 'depth'. The 'traceid' field allows tracking the trace records belonging to the same request. The 'depth' field allows tracking the request nesting level. A new tool, samba-log-parser, is added for better log parsing.
AD database prepared to FL 2016 standards for new domains
While Samba still provides only Functional Level 2008R2 by default, Samba as an AD DC will now, in provision, ensure that the blank database is already prepared for Functional Level 2016, with AD Schema 2019.
This preparation is of the default objects in the database, adding containers for Authentication Policies, Authentication Silos and AD claims in particular. These DB objects must be updated to allow operation of the new features found in higher functional levels.
Kerberos Claims, Authentication Silos and NTLM authentication policies
An initial, partial implementation of Active Directory Functional Level 2012, 2012R2 and 2016 is available in this release.
In particular Samba will issue Active Directory "Claims" in the PAC, for member servers that support these, and honour in-directory configuration for Authentication Policies and Authentication Silos.
The primary limitation is that while Samba can read and write claims in the directory, and populate the PAC, Samba does not yet use them for access control decisions.
While we continue to develop these features, existing domains can test the feature by selecting the functional level in provision or raising the DC functional level by setting
ad dc functional level = 2016
in the smb.conf
The smb.conf file on each DC must have 'ad dc functional level = 2016' set to have the partially complete feature available. This will also, at first startup, update the server's own AD entry with the configured functional level.
For new domains, add these parameters to 'samba-tool provision'
--option="ad dc functional level = 2016" --function-level=2016
The second option, setting the overall domain functional level indicates that all DCs should be at this functional level.
To raise the domain functional level of an existing domain, after updating the smb.conf and restarting Samba run
samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016
samba-tool domain level raise --domain-level=2016 --forest-level=2016
Improved KDC Auditing
As part of the auditing required to allow successful deployment of Authentication Policies and Authentication Silos, our KDC now provides Samba-style JSON audit logging of all issued Kerberos tickets, including whether they would fail a policy that is not yet enforced. Additionally, most failures are audited (after the initial pre-validation of the request).
Kerberos Armoring (FAST) Support for Windows clients
In domains where the domain controller functional level is set, as above, to 2012, 2012_R2 or 2016, Windows clients will, if configured via GPO, use FAST to protect user passwords between (in particular) a workstation and the KDC on the AD DC. This is a significant security improvement, as weak passwords in an AS-REQ are no longer available for offline attack.
Claims compression in the AD PAC
Samba as an AD DC will compress "AD claims" using the same compression algorithm as Microsoft Windows.
Resource SID compression in the AD PAC
Samba as an AD DC will now correctly populate the various PAC group membership buffers, splitting global and local groups correctly.
Additionally, Samba marshals Resource SIDs, being local groups in the member server's own domain, to only consume a header and 4 bytes per group in the PAC, not a full-length SID worth of space each. This is known as "Resource SID compression".
Resource Based Constrained Delegation (RBCD) support in both MIT and Heimdal
Samba AD DC built with MIT Kerberos (1.20 and later) has offered RBCD support since Samba 4.17. Samba 4.19 brings this feature to the default Heimdal KDC.
Samba 4.17 added to samba-tool delegation the 'add-principal' and 'del-principal' subcommands in order to manage RBCD, and the database changes made by these tools are now honoured by the Heimdal KDC once Samba is upgraded.
Likewise, now both MIT (1.20 and later) and Heimdal KDCs add the Asserted Identity [1] SID into the PAC for constrained delegation.
New samba-tool support for silos, claims, sites and subnets.
- samba-tool can now list, show, add and manipulate Authentication Silos (silos) and Active Directory Authentication Claims (claims).
- samba-tool can now list and show Active Directory sites and subnets.
A new Object Relational Model (ORM) based architecture, similar to that used with Django, has been built to make adding new samba-tool subcommands simpler and more consistent, with JSON output available standard on these new commands.
Updated GnuTLS requirement / in-tree cryptography removal
Samba requires GnuTLS 3.6.13 and prefers GnuTLS 3.6.14 or later.
This has allowed Samba to remove all of our in-tree cryptography, except that found in our Heimdal import. Samba's runtime cryptography needs are now all provided by GnuTLS.
Note: The GnuTLS version requirement is raised to 3.7.2 on systems without the Linux getrandom().
We also use Python's cryptography module for our testing.
The use of well known cryptography libraries makes Samba easier for end-users to validate and deploy, and for distributors to ship. This is the end of a very long journey for Samba.
Updated Heimdal import
Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to the current pre-8.0 (master) tree from upstream Heimdal, ensuring that this vendored copy, included in our release remains as close as possible to the current upstream code.
Revocation support in Heimdal KDC for PKINIT certificates
Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication.
This list is reloaded each time the file changes, so no further action other than replacing the file is required.
The additional krb5.conf option is:
[kdc]
pkinit_revoke = FILE:/path/to/crl.pem
Information on the "Smart Card login" feature as a whole is at:
Protocol level testsuite for (Smart Card Logon) PKINIT
Previously Samba's PKINIT support in the KDC was tested by use of shell scripts around the client tools of MIT or Heimdal Kerberos. Samba's independently written python testsuite has been extended to validate KDC behaviour for PKINIT.
Require encrypted connection to modify unicodePwd on the AD DC
Setting the password on an AD account should never be attempted over a plaintext or signed-only LDAP connection. If the unicodePwd (or userPassword) attribute is modified without encryption (as seen by Samba), the request will be rejected. This is to encourage the administrator to use an encrypted connection in the future.
- NOTE WELL: If Samba is accessed via a TLS frontend or load balancer, the LDAP request will be regarded as plaintext.
Samba AD TLS Certificates can be reloaded
The TLS certificates used for Samba's AD DC LDAP server were previously only read on startup, which meant that when they expired it was necessary to restart Samba, disrupting service to other users.
smbcontrol ldap_server reload-certs
This will now allow these certificates to be reloaded 'on the fly'.
REMOVED FEATURES
smb.conf changes
Parameter Name             Description   Default
--------------             -----------   -------
winbind debug traceid      Add traceid   No
directory name cache size  Removed
Samba 4.18
Release Announcements
- Release Notes for 4.18.0
- March 8, 2023
This is the first stable release of the Samba 4.18 release series. Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
SMB Server performance improvements
The security improvements in recent releases (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races, caused performance regressions for metadata heavy workloads.
While 4.17 already improved the situation quite a lot, with 4.18 the locking overhead for contended path based operations is reduced by an additional factor of ~ 3 compared to 4.17. It means the throughput of open/close operations reached the level of 4.12 again.
More succinct samba-tool error messages
Historically samba-tool has reported user error or misconfiguration by means of a Python traceback, showing you where in its code it noticed something was wrong, but not always exactly what is amiss. Now it tries harder to identify the true cause and restrict its output to describing that. Particular cases include:
- a username or password is incorrect
- an ldb database filename is wrong (including in smb.conf)
- samba-tool dns: various zones or records do not exist
- samba-tool ntacl: certain files are missing
- the network seems to be down
- bad --realm or --debug arguments
Accessing the old samba-tool messages
This is not new, but users are reminded they can get the full Python stack trace, along with other noise, by using the argument '-d3'. This may be useful when searching the web.
The intention is that when samba-tool encounters an unrecognised problem (especially a bug), it will still output a Python traceback. If you encounter a problem that has been incorrectly identified by samba-tool, please report it on https://bugzilla.samba.org.
Colour output with samba-tool --color
For some time a few samba-tool commands have had a --color=yes|no|auto option, which determines whether the command outputs ANSI colour codes. Now all samba-tool commands support this option, which now also accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no', and 'tty' and 'if-tty' for 'auto' (this more closely matches convention). With --color=auto, or when --color is omitted, colour codes are only used when output is directed to a terminal.
Most commands have very little colour in any case. For those that already used it, the defaults have changed slightly.
- samba-tool drs showrepl: default is now 'auto', not 'no'
- samba-tool visualize: the interactions between --color-scheme, --color, and --output have changed slightly. When --color-scheme is set it overrides --color for the purpose of the output diagram, but not for other output like error messages.
No colour with NO_COLOR environment variable
With both samba-tool --color=auto (see above) and some other places where we use ANSI colour codes, the NO_COLOR environment variable will disable colour output. See https://no-color.org/ for a description of this variable. `samba-tool --color=always` will use colour regardless of NO_COLOR.
New wbinfo option --change-secret-at
The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER> which forces the trust account password to be changed at a specified domain controller. If the specified domain controller cannot be contacted the password change fails rather than trying other DCs.
New option to change the NT ACL default location
Usually the NT ACLs are stored in the security.NTACL extended attribute (xattr) of files and directories. The new "acl_xattr:security_acl_name" option allows redefining the default location. The default "security.NTACL" is a protected location, which means the content of the security.NTACL attribute is not accessible to normal users outside of Samba. When this option is set to a user-defined value, e.g. user.NTACL, then any user can potentially access and overwrite this information. The module prevents access to this xattr over SMB, but the xattr may still be accessed by other means (e.g. local access, SSH, NFS). This option must only be used when this consequence is clearly understood and when specific precautions are taken to avoid compromising the ACL content.
Azure Active Directory / Office365 synchronisation improvements
Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment.
REMOVED FEATURES
smb.conf changes
Parameter Name               Description   Default
--------------               -----------   -------
acl_xattr:security_acl_name  New           security.NTACL
server addresses             New
Samba 4.17
Release Announcements
- Release Notes for 4.17.0
- September 13, 2022
This is the first stable release of the Samba 4.17 release series.
Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
SMB Server performance improvements
The security improvements in recent releases (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races, caused performance regressions for metadata heavy workloads.
With 4.17 the situation improved a lot again:
- Pathnames given by a client are divided into dirname and basename. The number of syscalls to validate dirnames is reduced to 2 syscalls (openat, close) per component. On modern Linux kernels (>= 5.6) smbd makes use of the openat2() syscall with RESOLVE_NO_SYMLINKS, in order to use just 2 syscalls (openat2, close) for the whole dirname.
- Contended path based operations used to generate a lot of unsolicited wakeup events, causing thundering herd problems which led to massive latencies for some clients. These events are now avoided in order to provide stable latencies and much higher throughput of open/close operations.
Configure without the SMB1 Server
It is now possible to configure Samba without support for the SMB1 protocol in smbd. This can be selected at configure time with either of the options:
--with-smb1-server
--without-smb1-server
By default (without either of these options set) Samba is configured to include SMB1 support (i.e. --with-smb1-server is the default). When Samba is configured without SMB1 support, none of the SMB1 code is included inside smbd except the minimal stub code needed to allow a client to connect as SMB1 and immediately negotiate the selected protocol into SMB2 (as a Windows server also allows).
None of the SMB1-only smb.conf parameters are removed when configured without SMB1, but these parameters are ignored by the smbd server. This allows deployment without having to change an existing smb.conf file.
This option allows sites, OEMs and integrators to configure Samba to remove the old and insecure SMB1 protocol from their products.
- Note that the Samba client libraries still support SMB1 connections even when Samba is configured as --without-smb1-server. This is to ensure maximum compatibility with environments containing old SMB1 servers.
Bronze bit and S4U support now also with MIT Kerberos 1.20
In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability, also known as a 'Bronze Bit'. With this vulnerability, a compromised service that is configured to use Kerberos constrained delegation feature could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.
With the release of MIT Kerberos 1.20, Samba AD DC is able to mitigate the 'Bronze Bit' attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was changed to allow passing more details between KDC and KDB components. When built against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions, but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.
In addition to fixing the 'Bronze Bit' issue, Samba AD DC now fully supports S4U2Self and S4U2Proxy Kerberos extensions.
- Note: the default (Heimdal-based) KDC was already fixed in 2021, see BUG #14642
Resource Based Constrained Delegation (RBCD) support
Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT Kerberos 1.20 we have complete RBCD support passing Samba's S4U testsuite.
samba-tool delegation got the 'add-principal' and 'del-principal' subcommands in order to manage RBCD.
To complete RBCD support and make it useful to Administrators we added the Asserted Identity [1] SID into the PAC for constrained delegation. This is available for Samba AD compiled with MIT Kerberos 1.20.
- Note: the default (Heimdal-based) KDC does not support RBCD yet.
Customizable DNS listening port
It is now possible to set a custom listening port for the builtin DNS service, making it easy to host another DNS server on the same system that binds to the default port and forwards the domain-specific queries to Samba using the custom port. This is the opposite configuration of setting a forwarder in Samba.
This makes it possible to use another DNS server as a front end and forward to Samba.
Dynamic DNS updates may not be proxied by the front DNS server when forwarding to Samba. Dynamic DNS update proxying depends on the features of the other DNS server used as a front.
CTDB changes
- When Samba is configured with both --with-cluster-support and --systemd-install-services then a systemd service file for CTDB will be installed.
- ctdbd_wrapper has been removed. ctdbd is now started directly from a systemd service file or init script.
- The syntax for the ctdb.tunables configuration file has been relaxed. However, trailing garbage after the value, including comments, is no longer permitted. Please see ctdb-tunables(7) for more details.
Operation without the (unsalted) NT password hash
When Samba is configured with 'nt hash store = never' then Samba will no longer store the (unsalted) NT password hash for users in Active Directory. (Trust accounts, like computers, domain controllers and inter-domain trusts are not impacted).
In the next version of Samba the default for 'nt hash store' will change from 'always' to 'auto', where it will behave as 'nt hash store = never' when 'ntlm auth = disabled' is set.
Security-focused deployments of Samba that have eliminated NTLM from their networks will find setting 'ntlm auth = disabled' with 'nt hash store = always' a useful way to improve compliance with best-practice guidance on password storage (which is to always use an iterated hash).
- Note that when 'nt hash store = never' is set, arcfour-hmac-md5 Kerberos keys will not be available for users who subsequently change their password, as these keys derive their values from NT hashes. AES keys are stored by default for all deployments of Samba with Domain Functional Level 2008 or later, are supported by all modern clients, and are much more secure.
Finally, also note that password history in Active Directory is stored in nTPwdHistory using a series of NT hash values. Therefore the full password history feature is not available in this mode.
To provide some protection against password re-use previous Kerberos hash values (the current, old and older values are already stored) are used, providing a history length of 3.
There is one small limitation of this workaround: Changing the sAMAccountName, userAccountControl or userPrincipalName of an account can cause the Kerberos password salt to change. This means that after *both* an account rename and a password change, only the current password will be recognised for password history purposes.
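The interaction between salt and history described above is easy to misjudge, so here is an added example (a model written for this page, not Samba's implementation) that keeps the last three Kerberos-derived values for an account and checks a candidate password against them. It assumes the usual AD salt rule for user accounts (upper-cased realm followed by the sAMAccountName), implements only the PBKDF2 stage of the RFC 3962 AES string-to-key function (the deterministic DK step is omitted, which does not change equality comparisons), and uses a constructed realm, account name and passwords. It shows the history of 3 working, a password aging out of it, and the limitation after a rename plus password change.

```python
import hashlib
from collections import deque


def kerberos_salt(realm, sam_account_name):
    """Assumption used here: the AD user-account salt is the upper-cased realm
    followed by the sAMAccountName, so renaming the account changes the salt."""
    return realm.upper() + sam_account_name


def aes_key_material(password, salt, iterations=4096):
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key function.
    The final DK() step is left out; it is deterministic, so equality
    comparisons between derived values behave the same with or without it."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, 16)


class KerberosKeyHistory:
    """Password history modelled as the current, old and older Kerberos keys."""
    LENGTH = 3

    def __init__(self, realm, sam_account_name):
        self.realm, self.name = realm, sam_account_name
        self.keys = deque(maxlen=self.LENGTH)          # newest first, oldest evicted

    @property
    def salt(self):
        return kerberos_salt(self.realm, self.name)

    def set_password(self, password):
        """Store the key derived with the salt in force at the time of the change."""
        self.keys.appendleft(aes_key_material(password, self.salt))

    def rename(self, new_sam_account_name):
        """A rename changes the salt; keys already stored are not re-derived."""
        self.name = new_sam_account_name

    def is_reused(self, candidate):
        """History check: derive with the *current* salt and look for a match."""
        return aes_key_material(candidate, self.salt) in self.keys


def walkthrough():
    """Constructed scenario; returns (in_history, evicted, after_rename, current)."""
    acct = KerberosKeyHistory("EXAMPLE.COM", "alice")   # constructed realm and account
    for pw in ("Winter2022!", "Spring2023!", "Summer2023!"):
        acct.set_password(pw)
    in_history = acct.is_reused("Winter2022!")          # True: still among the last three
    acct.set_password("Autumn2023!")
    evicted = acct.is_reused("Winter2022!")             # False: history length is 3
    acct.rename("alice.smith")                          # salt changes from here on
    acct.set_password("Winter2024!")
    after_rename = acct.is_reused("Summer2023!")        # False: stored under the old salt
    current = acct.is_reused("Winter2024!")             # True: stored under the new salt
    return in_history, evicted, after_rename, current
```

After the rename and one password change, only "Winter2024!" is recognised: the two older entries were derived with the "EXAMPLE.COMalice" salt and can no longer match anything derived with "EXAMPLE.COMalice.smith".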
Python API for smbconf
Samba's smbconf library provides a generic frontend to various configuration backends (plain text file, registry) as a C library. A new Python wrapper, importable as 'samba.smbconf' is available. An additional module, 'samba.samba3.smbconf', is also available to enable registry backend support. These libraries allow Python programs to read, and optionally write, Samba configuration natively.
JSON support for smbstatus
It is now possible to print detailed information in JSON format in the smbstatus program using the new option --json. The JSON output covers all the existing text output including sessions, connections, open files, byte-range locks, notifies and profile data with all low-level information maintained by Samba in the respective databases.
Protected Users security group
Samba AD DC now includes support for the Protected Users security group introduced in Windows Server 2012 R2. The feature reduces the attack surface of user accounts by preventing the use of weak encryption types. It also mitigates the effects of credential theft by limiting credential lifetime and scope.
The protections are intended for user accounts only, and service or computer accounts should not be added to the Protected Users group. User accounts added to the group are granted the following security protections:
- NTLM authentication is disabled.
- Kerberos ticket-granting tickets (TGTs) encrypted with RC4 are not issued to or accepted from affected principals. Tickets encrypted with AES, and service tickets encrypted with RC4, are not affected by this restriction.
- The lifetime of Kerberos TGTs is restricted to a maximum of four hours.
- Kerberos constrained and unconstrained delegation is disabled.
If the Protected Users group is not already present in the domain, it can be created with 'samba-tool group add'. The new '--special' parameter must be specified, with 'Protected Users' as the name of the group. An example command invocation is:
samba-tool group add 'Protected Users' --special
or against a remote server:
samba-tool group add 'Protected Users' --special -H ldap://dc1.example.com -U Administrator
The Protected Users group is identified in the domain by its having a RID of 525. Thus, it should only be created with samba-tool and the '--special' parameter, as above, so that it has the required RID to function correctly.
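Two things are worth verifying after creating or populating the group: that the group really carries RID 525, and that its members are ordinary user accounts rather than computer or service accounts. The following is an added example, not samba-tool code; the member records are constructed, and in practice would come from an LDAP search for the group's "member" attribute returning objectSid, userAccountControl and servicePrincipalName.

```python
"""Sanity checks for a Protected Users group: is it the real built-in group
(RID 525) and are its members the kind of account the protections are for?

Added example, not samba-tool code. Directory records below are constructed.
"""

PROTECTED_USERS_RID = 525          # DOMAIN_GROUP_RID_PROTECTED_USERS
UF_NORMAL_ACCOUNT = 0x0200         # userAccountControl bits (MS-SAMR)
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000

# Constructed records for this example.
DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"
MEMBERS = [
    {"sAMAccountName": "alice", "objectSid": DOMAIN_SID + "-1104",
     "userAccountControl": UF_NORMAL_ACCOUNT, "servicePrincipalName": []},
    {"sAMAccountName": "svc-sql", "objectSid": DOMAIN_SID + "-1105",
     "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/db1.example.com:1433"]},
    {"sAMAccountName": "ws01$", "objectSid": DOMAIN_SID + "-1106",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT, "servicePrincipalName": ["HOST/ws01"]},
    {"sAMAccountName": "dc1$", "objectSid": DOMAIN_SID + "-1000",
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT, "servicePrincipalName": ["HOST/dc1"]},
]


def rid_of(sid: str) -> int:
    """Return the relative identifier, i.e. the last sub-authority of a string SID."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def is_protected_users_group(group_sid: str) -> bool:
    """True only for the built-in group. A group merely named 'Protected Users'
    created without --special gets an ordinary RID from the pool (>= 1000) and
    confers no protection."""
    return rid_of(group_sid) == PROTECTED_USERS_RID


def unsuitable_members(members) -> list[tuple[str, str]]:
    """Return (sAMAccountName, reason) for members that should not be in the group."""
    out = []
    for m in members:
        name = m["sAMAccountName"]
        uac = int(m.get("userAccountControl", 0))
        if uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT):
            out.append((name, "computer account"))
        elif uac & UF_INTERDOMAIN_TRUST_ACCOUNT:
            out.append((name, "trust account"))
        elif m.get("servicePrincipalName"):
            # Protected Users disables RC4 TGTs and all delegation; a service
            # account placed here breaks the services that depend on it.
            out.append((name, "service account (has SPNs)"))
        elif not uac & UF_NORMAL_ACCOUNT:
            out.append((name, "not a normal user account"))
    return out


if __name__ == "__main__":
    print(is_protected_users_group(DOMAIN_SID + "-525"))
    for name, reason in unsuitable_members(MEMBERS):
        print(f"{name}: {reason}")
```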
REMOVED FEATURES
LanMan Authentication and password storage removed from the AD DC
Storage of, and authentication with, LanMan passwords has been entirely removed from the Samba AD DC, even when "lanman auth = yes" is set.
smb.conf changes
Parameter Name          Description                   Default
--------------          -----------                   -------
dns port                New default                   53
fruit:zero_file_id      New default                   yes
nt hash store           New parameter                 always
smb1 unix extensions    Replaces "unix extensions"
volume serial number    New parameter                 -1
winbind debug traceid   New parameter                 no
Samba 4.16
- Release Notes for Samba 4.16.0
- March 21, 2022
Release Announcements
This is the first stable release of the Samba 4.16 release series. Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
New samba-dcerpcd binary to provide DCERPC in the member server setup
In order to make it much easier to break out the DCERPC services from smbd, a new samba-dcerpcd binary has been created.
samba-dcerpcd can be used in two ways. In the normal case without startup script modification it is invoked on demand from smbd or winbind --np-helper to serve DCERPC over named pipes. Note that in order to run in this mode the smb.conf [global] section has a new parameter "rpc start on demand helpers = [true|false]". This parameter is set to "true" by default, meaning no changes to smb.conf files are needed to run samba-dcerpcd on demand as a named pipe helper.
It can also be used in a standalone mode where it is started separately from smbd or winbind but this requires changes to system startup scripts, and in addition a change to smb.conf, setting the new [global] parameter "rpc start on demand helpers = false". If "rpc start on demand helpers" is not set to false, samba-dcerpcd will refuse to start in standalone mode.
Note that when Samba is run in the Active Directory Domain Controller mode the samba binary that provides the AD code will still provide its normal DCERPC services whilst allowing samba-dcerpcd to provide services like SRVSVC in the same way that smbd used to in this configuration.
The parameters that allowed some smbd-hosted services to be started externally are now gone (detailed below) as this is now the default setting.
samba-dcerpcd can also be useful for use outside of the Samba framework, for example, use with the Linux kernel SMB2 server ksmbd or possibly other SMB2 server implementations.
Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support
Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos implementation. This snapshot has now been updated and will closely match what will be released as Heimdal 8.0 shortly.
This is a major update, previously we used a snapshot of Heimdal from 2011, and brings important new Kerberos security features such as Kerberos request armoring, known as FAST. This tunnels ticket requests and replies that might be encrypted with a weak password inside a wrapper built with a stronger password, say from a machine account.
In Heimdal and MIT modes Samba's KDC now supports FAST, for the support of non-Windows clients.
Windows clients will not use this feature however, as they do not attempt to do so against a server not advertising domain Functional Level 2012. Samba users are of course free to modify how Samba advertises itself, but use with Windows clients is not supported "out of the box".
Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of the FAST protocol. A future version will align this more closely with Microsoft AD behaviour.
If FAST needs to be disabled on your Samba KDC, set
kdc enable fast = no
in the smb.conf.
The Samba project wishes to thank the numerous developers who have put in a massive effort to make this possible over many years. In particular we thank Stefan Metzmacher, Joseph Sutton, Gary Lockyer, Isaac Boukris and Andrew Bartlett. Samba's developers in turn thank their employers and in turn their customers who have supported this effort over many years.
Certificate Auto Enrollment
Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy. To enable Certificate Auto Enrollment, Samba's group policy will need to be enabled by setting the smb.conf option `apply group policies` to Yes. Samba Certificate Auto Enrollment depends on certmonger, the cepces certmonger plugin, and sscep. Samba uses sscep to download the CA root chain, then uses certmonger paired with cepces to monitor the host certificate templates. Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.
Ability to add ports to dns forwarder addresses in internal DNS backend
The internal DNS server of Samba forwards queries for non-AD zones to one or more configured forwarders. Up until now it has been assumed that these forwarders listen on port 53. Starting with this version it is possible to configure the port using host:port notation. See smb.conf for more details. Existing setups are not affected, as the default port is 53.
CTDB changes
- The "recovery master" role has been renamed "leader"
- Documentation and logs now refer to "leader".
- The following ctdb tool command names have changed:
  recmaster -> leader
  setrecmasterrole -> setleaderrole
- Command output has changed for the following commands:
  status
  getcapabilities
- The "[legacy] -> recmaster capability" configuration option has been renamed and moved to the cluster section, so this is now:
[cluster] -> leader capability
- The "recovery lock" has been renamed "cluster lock"
- Documentation and logs now refer to "cluster lock".
- The "[cluster] -> recovery lock" configuration option has been deprecated and will be removed in a future version. Please use "[cluster] -> cluster lock" instead.
- If the cluster lock is enabled then traditional elections are not done and leader elections use a race for the cluster lock. This avoids various conditions where a node is elected leader but can not take the cluster lock. Such conditions included:
- At startup, a node elects itself leader of its own cluster before connecting to other nodes
- Cluster filesystem failover is slow
- The abbreviation "reclock" is still used in many places, because a better abbreviation eludes us (i.e. "clock" is obvious bad) and changing all instances would require a lot of churn. If the abbreviation "reclock" for "cluster lock" is confusing, please consider mentally prefixing it with "really excellent".
- CTDB now uses leader broadcasts and an associated timeout to determine if an election is required
- The leader broadcast timeout can be configured via new configuration option
[cluster] -> leader timeout
- This specifies the number of seconds without leader broadcasts before a node calls an election. The default is 5.
REMOVED FEATURES
Older SMB1 protocol SMBCopy command removed
SMB is a nearly 30-year-old protocol, and some of its commands, while supported in all versions, have never seen widespread use.
One of those is SMBCopy, a feature for a server-side copy of a file. This feature has been so unmaintained that Samba has no testsuite for it.
The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was introduced in the LAN Manager 1.0 dialect and it was rendered obsolete in the NT LAN Manager dialect.
Therefore it has been removed from the Samba smbd server.
We do note that a fully supported and tested server-side copy is present in SMB2, and can be accessed with the "scopy" subcommand in smbclient.
SMB1 server-side wildcard expansion removed
Server-side wildcard expansion is another feature that sounds useful, but is also rarely used and has become problematic - imposing extra work on the server (both in terms of code and CPU time).
In actual OS design, wildcard expansion is handled in the local shell, not at the remote server using SMB wildcard syntax (which is not shell syntax).
In Samba 4.16 the ability to process file name wildcards in requests using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7), SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1 command number 0x6) has been removed.
SMB1 protocol has been deprecated, particularly older dialects
We take this opportunity to remind that we have deprecated and disabled by default, but not removed, the whole SMB1 protocol since Samba 4.11. If needed for security purposes or code maintenance we will continue to remove older protocol commands and dialects that are unused or have been replaced in more modern SMB1 versions.
We specifically deprecate the older dialects older than "NT LM 0.12" (also known as "NT LANMAN 1.0" and "NT1").
Please note that "NT LM 0.12" is the dialect used by software as old as Windows 95, Windows NT and Samba 2.0, so this deprecation applies to DOS and similar era clients.
We do reassure that 'simple' operation of clients older than these (e.g. DOS) will, while untested, continue for the near future; our purpose is not to cripple use of Samba in unique situations, but to reduce the maintenance burden.
Eventually SMB1 as a whole will be removed, but no broader change is announced for 4.16.
In the rare case where the above changes cause incompatibilities, users requiring support for these features will need to use older versions of Samba.
smbd mapped sharemodes to Linux mandatory locks. This code in the Linux kernel was broken for a long time, and is planned to be removed with Linux 5.15. This Samba release removes the usage of mandatory locks for sharemodes and the "kernel share modes" config parameter is changed to default to "no". The Samba VFS interface is kept, so that file-system specific VFS modules can still use private calls for enforcing sharemodes.
smb.conf changes
Parameter Name                  Description     Default
--------------                  -----------     -------
kernel share modes              New default     No
dns forwarder                   Changed
rpc_daemon                      Removed
rpc_server                      Removed
rpc start on demand helpers     Added           true
Samba 4.15
- Release Notes for Samba 4.15.0
- September 20, 2021
Release Announcements
This is the first stable release of the Samba 4.15 release series. Please read the release notes carefully before upgrading.
Removed SMB (development) dialects
The following SMB (development) dialects are no longer supported: SMB2_22, SMB2_24 and SMB3_10. They were only supported by Windows technical preview builds. They used to be useful in order to test against the latest Windows versions, but it's no longer useful to have them. If you have them explicitly specified in your smb.conf or on the command line, you need to replace them like this:
- SMB2_22 => SMB3_00
- SMB2_24 => SMB3_00
- SMB3_10 => SMB3_11
- Note: that it's typically not useful to specify "client max protocol" or "server max protocol" explicitly to a specific dialect, just leave them unspecified or specify the value "default".
New GPG key
The GPG release key for Samba releases changed from:
pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
      Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
uid                 [ full ] Samba Distribution Verification Key <samba-bugs@samba.org>
sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
      Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
uid                 [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
Starting from Jan 21st 2021, all Samba releases will be signed with the new key.
See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
New minimum version for the experimental MIT KDC
The build of the AD DC using the system MIT Kerberos, an experimental feature, now requires MIT Kerberos 1.19. An up-to-date Fedora 34 has this version and has backported fixes for the KDC crash bugs CVE-2021-37750 and CVE-2021-36222.
NEW FEATURES/CHANGES
VFS
The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships with a modernized VFS designed for the post SMB1 world.
For details please refer to the documentation at source3/modules/The_New_VFS.txt or visit the The_New_VFS.
Bind DLZ: Added the ability to set allow/deny lists for zone transfer clients
Up to now, any client could send a DNS zone transfer request to the bind server and get an answer from Samba. The default behaviour is now to deny those requests. Two new options have been added to manage the lists of authorized and denied clients for zone transfer requests. In order to be accepted, the request must be issued by a client that is in the allow list and NOT in the deny list.
"server multi channel support" no longer experimental
This option is enabled by default starting with 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible to use this feature on Linux and FreeBSD for now.
samba-tool available without the ad-dc
The 'samba-tool' command is now available when samba is configured "--without-ad-dc". Not all features will work, and some ad-dc specific options have been disabled. The 'samba-tool domain' options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable samba-tool.
Improved command line user experience
Samba utilities did not consistently implement their command line interface. Some options required a value in one tool but not in another, and some options meant different things in different tools.
These should be stories of the past now. A new command line parser with sanity checking has been implemented. The command line interface has also been simplified and provides better control over encryption, signing and Kerberos.
Previously many tools silently ignored unknown options. To prevent unexpected behaviour all tools will now consistently reject unknown options.
Also several command line options have a smb.conf variable to control the default now.
All tools are logging to stderr by default. You can use "--debug-stdout" to change the behavior. All servers will log to stderr at early startup until logging is setup to go to a file by default.
Common parser:
Options added:
--client-protection=off|sign|encrypt
Options renamed:
--kerberos -> --use-kerberos=required|desired|off
--krb5-ccache -> --use-krb5-ccache=CCACHE
--scope -> --netbios-scope=SCOPE
--use-ccache -> --use-winbind-ccache
Options removed:
-e|--encrypt
-C removed from --use-winbind-ccache
-i removed from --netbios-scope
-S|--signing
Duplicates in command line utils
ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
-e is still available as an alias for --editor, as it used to be. -s is no longer reported as an alias for --configfile, it never worked that way as it was shadowed by '-s' for '--scope'.
ndrdump:
-l is not available for --load-dso anymore
net:
-l is not available for --long anymore
sharesec:
-V is not available for --viewsddl anymore
smbcquotas:
--user -> --quota-user
nmbd:
--log-stdout -> --debug-stdout
smbd:
--log-stdout -> --debug-stdout
winbindd:
--log-stdout -> --debug-stdout
Scanning of trusted domains and enterprise principals
As an artifact from the NT4 times, we still scanned the list of trusted domains on winbindd startup. This is wrong as we never can get a full picture in Active Directory. It is time to change the default value to "No". Also with this change we always use enterprise principals for Kerberos so that the DC will be able to redirect ticket requests to the right DC. This is e.g. needed for one way trusts. The options `winbind use krb5 enterprise principals` and `winbind scan trusted domains` will be deprecated in one of the next releases.
Support for Offline Domain Join (ODJ)
The net utility is now able to support the offline domain join feature as known from the Windows djoin.exe command for many years. Samba's implementation is accessible via the 'net offlinejoin' subcommand. It can provision computers and request offline joining for both Windows and Unix machines. It is also possible to provision computers from Windows (using djoin.exe) and use the generated data in Samba's 'net' utility. The existing options for the provisioning and joining steps are documented in the net(8) manpage.
'samba-tool dns zoneoptions' for aging control
The 'samba-tool dns zoneoptions' command can be used to turn aging on and off, alter the refresh and no-refresh periods, and manipulate the timestamps of existing records.
To turn aging on for a zone, you can use something like this:
samba-tool dns zoneoptions --aging=1 --refreshinterval=306600
which turns on aging with a refresh interval of 306600 hours (about 35 years), so that no existing record will be aged out and scavenged before it has had a chance to be refreshed. After aging has been on for sufficient time for records to be renewed, the command
samba-tool dns zoneoptions --refreshinterval=168
will set the refresh period to the standard seven days. Using this two step process will help prevent the temporary loss of dynamic records if scavenging happens before their first renewal.
Marking old records as static or dynamic with 'samba-tool'
A bug in Samba versions prior to 4.9 meant records that were meant to be static were marked as dynamic and vice versa. To fix the timestamps in these domains, it is possible to use the following options, preferably before turning aging on.
--mark-old-records-static
--mark-records-dynamic-regex
--mark-records-static-regex
The "--mark-old-records-static" option will make records older than the specified date static (that is, with a zero timestamp). For example, if you upgraded to Samba 4.9 in November 2018, you could ensure no old records will be mistakenly interpreted as dynamic using the following option:
samba-tool dns zoneoptions --mark-old-records-static=2018-11-30
Then, if you know that this will have marked some records as static that should be dynamic, and you know which those are from your naming scheme, you can use commands like:
samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'
where '\w+-desktop' is a perl-compatible regular expression that will match 'bob-desktop', 'alice-desktop', and so on.
These options are deliberately long and cumbersome to type, so people have a chance to think before they get to the end. You can make a mess if you get it wrong.
All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n" argument that allows you to inspect the likely results before going ahead.
- NOTE: for aging to work, you need to have "dns zone scavenging = yes" set in the smb.conf of at least one server.
DNS tombstones are now deleted as appropriate
When all the records for a DNS name have been deleted, the node is put in a tombstoned state (separate from general AD object tombstoning, which deleted nodes also go through). These tombstones should be cleaned up periodically. Due to a conflation of scavenging and tombstoning, we had only been deleting tombstones when aging was enabled. Tombstones are now deleted whether or not aging is enabled.
If you have a lot of tombstoned DNS nodes (that is, DNS names for which you have removed all the records), cleaning up these DNS tombstones may take a noticeable time.
DNS tombstones use a consistent timestamp format
DNS records use an hours-since-1601 timestamp format except for in the case of tombstone records where a 100-nanosecond-intervals-since-1601 format is used (this latter format being the most common in Windows). We had mixed that up, which might have had strange effects in zones where aging was enabled (and hence tombstone timestamps were used).
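The two timestamp formats above, and the aging arithmetic behind the 'samba-tool dns zoneoptions' refresh and no-refresh periods described earlier, are easy to get wrong by a factor of 10^7. The following is an added example, not Samba code: it converts both formats and decides whether a dynamic record is due for scavenging. All sample dates are constructed.

```python
"""Convert the two timestamp formats used in Samba's DNS partitions and work
out whether a dynamic record is due for scavenging.

Added example, not Samba code. Live records carry hours since 1601-01-01
(0 meaning a static record); tombstones carry 100-nanosecond intervals since
1601 (NT time). The refresh and no-refresh windows are the ones set with
'samba-tool dns zoneoptions', in hours. Sample values are constructed.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NTTIME_UNIX_EPOCH = 116444736000000000   # NT time of 1970-01-01T00:00:00Z
HOURS_PER_DAY = 24
STANDARD_REFRESH_HOURS = 7 * HOURS_PER_DAY   # the 168 used in the release notes


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Helper so callers do not need to build tz-aware datetimes by hand."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def hours_to_datetime(hours: int):
    """Live-record timestamp -> datetime; None for a static record (timestamp 0)."""
    if hours == 0:
        return None
    return EPOCH_1601 + timedelta(hours=hours)


def datetime_to_hours(dt: datetime) -> int:
    """Datetime -> whole hours since 1601 (the value stored in dnsRecord)."""
    return (dt - EPOCH_1601) // timedelta(hours=1)


def nttime_to_datetime(nt: int) -> datetime:
    """Tombstone timestamp (100 ns units since 1601) -> datetime, microsecond precision."""
    return EPOCH_1601 + timedelta(microseconds=nt // 10)


def datetime_to_nttime(dt: datetime) -> int:
    """Datetime -> 100 ns units since 1601."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def is_scavengeable(record_hours: int, no_refresh_hours: int,
                    refresh_hours: int, now: datetime) -> bool:
    """A dynamic record may be scavenged once timestamp + no-refresh + refresh
    lies in the past. Static records (timestamp 0) are never scavenged."""
    stamped = hours_to_datetime(record_hours)
    if stamped is None:
        return False
    return now >= stamped + timedelta(hours=no_refresh_hours + refresh_hours)


def years_covered(refresh_hours: int, no_refresh_hours: int = 0) -> float:
    """How long after its timestamp a record is safe from scavenging, in years."""
    return (refresh_hours + no_refresh_hours) / (365.25 * HOURS_PER_DAY)


if __name__ == "__main__":
    stamp = datetime_to_hours(utc(2021, 1, 1))
    print(stamp, hours_to_datetime(stamp))
    print(nttime_to_datetime(NTTIME_UNIX_EPOCH))
    print(years_covered(306600))
    print(is_scavengeable(stamp, STANDARD_REFRESH_HOURS, STANDARD_REFRESH_HOURS, utc(2021, 1, 20)))
```

Note that years_covered(306600) comes out at roughly 35, which is why the first zoneoptions step above effectively freezes scavenging until the refresh interval is lowered to 168.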
samba-tool dns update and RPC changes
The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools to manipulate dns records on the remote server. A bug in Samba meant it was not possible to update an existing DNS record to change the TTL. The general behaviour of RPC updates is now closer to that of Windows.
'samba-tool dns update' is now a bit more careful in rejecting and warning you about malformed IPv4 and IPv6 addresses.
CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ. Per Samba's updated security process a specific security release was not made for this issue as it is a recoverable Denial of Service. See Samba_Security_Process
samba-tool domain backup offline with the LMDB backend
'samba-tool domain backup offline', when operating with the LMDB backend now correctly takes out locks against concurrent modification of the database during the backup. If you use this tool on a Samba AD DC using LMDB, you should upgrade to this release for safer backups.
REMOVED FEATURES
- Tru64 ACL support has been removed from this release. The last supported release of Tru64 UNIX was in 2012.
- NIS support has been removed from this release. This is not available in Linux distributions anymore.
- The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9, which have been out of support since 2018.
smb.conf changes
Parameter Name                          Description       Default
--------------                          -----------       -------
client use kerberos                     New               desired
client max protocol                     Values Removed
client min protocol                     Values Removed
client protection                       New               default
client smb3 signing algorithms          New               see man smb.conf
client smb3 encryption algorithms       New               see man smb.conf
preopen:posix-basic-regex               New               No
preopen:nomatch_log_level               New               5
preopen:match_log_level                 New               5
preopen:nodigits_log_level              New               1
preopen:founddigits_log_level           New               3
preopen:reset_log_level                 New               5
preopen:push_log_level                  New               3
preopen:queue_log_level                 New               10
server max protocol                     Values Removed
server min protocol                     Values Removed
server multi channel support            Changed           Yes (on Linux and FreeBSD)
server smb3 signing algorithms          New               see man smb.conf
server smb3 encryption algorithms       New               see man smb.conf
winbind use krb5 enterprise principals  Changed           Yes
winbind scan trusted domains            Changed           No
Samba 4.14
- Release Notes for Samba 4.14.0
- March 9, 2021
Release Announcements
This is the first stable release of the Samba 4.14 release series. Please read the release notes carefully before upgrading.
New GPG key
The GPG release key for Samba releases changed from:
pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
      Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
uid                 [ full ] Samba Distribution Verification Key <samba-bugs@samba.org>
sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]

to the following new key:

pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
      Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
uid                 [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
Starting from Jan 21st 2021, all Samba releases will be signed with the new key.
See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
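A key rotation like this one (announced in both the 4.14 and 4.15 notes) is exactly the moment to pin the release key's fingerprint rather than trust whatever "samba-bugs@samba.org" key happens to be in a keyring. The following is an added example, not part of the Samba release process: it checks GnuPG's machine-readable status output for a VALIDSIG record whose primary-key fingerprint equals the new key's fingerprint quoted above. The status lines used as samples are constructed; the file paths in verify_release are placeholders, and the assumption that the detached signature covers the uncompressed tar matches how the Samba download page documents verification.

```python
"""Verify a Samba release tarball signature and pin the signing key's primary
fingerprint.

Added example, not Samba project code. The VALIDSIG record format is GnuPG's
(documented in doc/DETAILS of the GnuPG distribution); SAMPLE_* status
outputs are constructed for this example.
"""
import gzip
import re
import subprocess

SAMBA_RELEASE_KEY_FPR = "81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620"   # new key, from the release notes
OLD_RELEASE_KEY_FPR = "52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA"     # retired 2021-01-21

# Constructed `gpg --status-fd 1 --verify` outputs.
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG AA99442FB680B620 Samba Distribution Verification Key <samba-bugs@samba.org>\n"
    "[GNUPG:] VALIDSIG 81F5E2832BD2545A1897B713AA99442FB680B620 2024-03-11 1710151200 0 4 0 1 10 00 "
    "81F5E2832BD2545A1897B713AA99442FB680B620\n"
)
SAMPLE_OLD_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 6F33915B6568B7EA Samba Distribution Verification Key <samba-bugs@samba.org>\n"
    "[GNUPG:] VALIDSIG 52FBC0B86D954B0843324CDC6F33915B6568B7EA 2024-03-11 1710151200 0 4 0 17 2 00 "
    "52FBC0B86D954B0843324CDC6F33915B6568B7EA\n"
)
SAMPLE_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG AA99442FB680B620 Samba Distribution Verification Key <samba-bugs@samba.org>\n"
)


def normalize_fpr(fpr: str) -> str:
    """Strip the display spacing so fingerprints compare byte for byte."""
    return re.sub(r"\s+", "", fpr).upper()


def validsig_primary_fpr(status_output: str):
    """Primary-key fingerprint from the VALIDSIG record, or None if gpg reported no valid signature.

    Field layout: [GNUPG:] VALIDSIG <sig-key-fpr> <date> <timestamp> <expire-ts>
    <version> <reserved> <pubkey-algo> <hash-algo> <sig-class> <primary-key-fpr>.
    The last field matters: a signature by a subkey still reports the primary key there.
    """
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 12 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            return fields[11].upper()
    return None


def signature_pinned(status_output: str, pinned_fpr: str = SAMBA_RELEASE_KEY_FPR) -> bool:
    """True only for a VALIDSIG whose primary key is the pinned one; GOODSIG alone is not enough."""
    primary = validsig_primary_fpr(status_output)
    return primary is not None and primary == normalize_fpr(pinned_fpr)


def verify_release(tarball_gz: str, signature: str, pinned_fpr: str = SAMBA_RELEASE_KEY_FPR) -> bool:
    """Decompress the .tar.gz and verify the detached signature over the plain tar.

    Placeholder paths; the pinned key must already be in the keyring for gpg to
    produce VALIDSIG, but keyring trust is not relied on, only the fingerprint.
    """
    with open(tarball_gz, "rb") as f:
        data = gzip.decompress(f.read())
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", signature, "-"],
                          input=data, capture_output=True)
    return signature_pinned(proc.stdout.decode("utf-8", "replace"), pinned_fpr)


if __name__ == "__main__":
    print(signature_pinned(SAMPLE_GOOD), signature_pinned(SAMPLE_OLD_KEY), signature_pinned(SAMPLE_BAD))
```

The old-key sample is a valid signature and would pass a plain `gpg --verify` if the retired key is still in the keyring; pinning the fingerprint is what rejects it.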
NEW FEATURES/CHANGES
Here is a copy of a clarification note added to the Samba code in the file: VFS-License-clarification.txt.
A clarification of our GNU GPL License enforcement boundary within the Samba Virtual File System (VFS) layer. Samba is licensed under the GNU GPL. All code committed to the Samba project or that creates a "modified version" or software "based on" Samba must be either licensed under the GNU GPL or a compatible license. Samba has several plug-in interfaces where external code may be called from Samba GNU GPL licensed code. The most important of these is the Samba VFS layer. Samba VFS modules are intimately connected by header files and API definitions to the part of the Samba code that provides file services, and as such, code that implements a plug-in Samba VFS module must be licensed under the GNU GPL or a compatible license. However, Samba VFS modules may themselves call third-party external libraries that are not part of the Samba project and are externally developed and maintained. As long as these third-party external libraries do not use any of the Samba internal structure, APIs or interface definitions created by the Samba project (to the extent that they would be considered subject to the GNU GPL), then the Samba Team will not consider such third-party external libraries called from Samba VFS modules as "based on" and/or creating a "modified version" of the Samba code for the purposes of GNU GPL. Accordingly, we do not require such libraries be licensed under the GNU GPL or a GNU GPL compatible license.
VFS
The effort to modernize Samba's VFS interface has reached a major milestone with the next release Samba 4.14.
For details please refer to the documentation at source3/modules/The_New_VFS.txt or visit the The_New_VFS.
Printing
Publishing printers in AD is more reliable and more printer features are added to the published information in AD. Samba now also supports Windows drivers for the ARM64 architecture.
Client Group Policy
This release extends Samba to support Group Policy functionality for Winbind clients. Active Directory Administrators can set policies that apply Sudoers configuration, and cron jobs to run hourly, daily, weekly or monthly.
To enable the application of Group Policies on a client, set the global smb.conf option 'apply group policies' to 'yes'. Policies are applied on an interval of every 90 minutes, plus a random offset between 0 and 30 minutes.
Policies applied by Samba are 'non-tattooing', meaning that changes can be reverted by executing the `samba-gpupdate --unapply` command. Policies can be re-applied using the `samba-gpupdate --force` command. To view what policies have been or will be applied to a system, use the `samba-gpupdate --rsop` command.
Administration of Samba policy requires that a Samba ADMX template be uploaded to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is provided as a convenient method for adding this policy. Once uploaded, policies can be modified in the Group Policy Management Editor under Computer Configuration/Policies/Administrative Templates. Alternatively, Samba policy may be managed using the `samba-tool gpo manage` command. This tool does not require the admx templates to be installed.
Python 3.6 or later required
Samba's minimum runtime requirement for python was raised to Python 3.6 with samba 4.13. Samba 4.14 raises this minimum version to Python 3.6 also to build Samba. It is no longer possible to build Samba (even just the file server) with Python versions 2.6 and 2.7.
As Python 2.7 has been End Of Life upstream since April 2020, Samba is dropping ALL Python 2.x support in this release.
Miscellaneous samba-tool changes
The 'samba-tool' subcommands to manage AD objects (e.g. users, computers and groups) now consistently use the "add" command when adding a new object to the AD. The previous deprecation warnings when using the 'add' commands have been removed. For compatibility reasons, both the 'add' and 'create' commands can be used now.
Users, groups and contacts can now be renamed with the respective rename commands.
Locked users can be unlocked with the new 'samba-tool user unlock' command.
The 'samba-tool user list' and 'samba-tool group listmembers' commands provide additional options to hide expired and disabled user accounts (--hide-expired and --hide-disabled).
CTDB CHANGES
- The NAT gateway and LVS features now use the term "leader" to refer to the main node in a group through which traffic is routed and "follower" for other members of a group. The command for determining the leader has changed to "ctdb natgw leader" (from "ctdb natgw master"). The configuration keyword for indicating that a node can not be the leader of a group has changed to "follower-only" (from "slave-only"). Identical changes were made for LVS.
- Remove "ctdb isnotrecmaster" command. It isn't used by CTDB's scripts and can be checked by users with "ctdb pnn" and "ctdb recmaster".
smb.conf changes
Parameter Name                  Description     Default
--------------                  -----------     -------
smb encrypt                     Removed
async dns timeout               New             10
client smb encrypt              New             default
honor change notify privilege   New             No
smbd force process locks        New             No
server smb encrypt              New             default
Samba 4.13
- Release Notes for Samba 4.13
- September 22, 2020
Release Announcements
This is the first stable release of the Samba 4.13 release series. Please read the release notes carefully before upgrading.
ZeroLogon
Please avoid setting "server schannel = no" or "server schannel = auto" on any Samba domain controller, because of the well-known ZeroLogon issue (CVE-2020-1472).
For details please see
NEW FEATURES/CHANGES
Python 3.6 or later required
Samba's minimum runtime requirement for python was raised to Python 3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python 3.6 both to access new features and because this is the oldest version we test with in our CI infrastructure.
This is also the last release where it will be possible to build Samba (just the file server) with Python versions 2.6 and 2.7.
As Python 2.7 has been End Of Life upstream since April 2020, Samba is dropping ALL Python 2.x support in the NEXT release.
Samba 4.14 to be released in March 2021 will require Python 3.6 or later to build.
wide links functionality
For this release, the code implementing the insecure "wide links = yes" functionality has been moved out of the core smbd code and into a separate VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded by smbd as the last but one module before vfs_default if "wide links = yes" is enabled on the share (note, the existing restrictions on enabling wide links around the SMB1 "unix extensions" and the "allow insecure wide links" parameters are still in force). The implicit loading was done to allow existing users of "wide links = yes" to keep this functionality without having to make a change to existing working smb.conf files.
Please note that the Samba developers recommend changing any Samba installations that currently use "wide links = yes" to use bind mounts as soon as possible, as "wide links = yes" is an inherently insecure configuration which we would like to remove from Samba. Moving the feature into a VFS module allows this to be done in a cleaner way in future.
A future release to be determined will remove this implicit linkage, causing administrators who need this functionality to have to explicitly add the vfs_widelinks module into the "vfs objects =" parameter lists. The release notes will be updated to note this change when it occurs.
NT4-like 'classic' Samba domain controllers
Samba 4.13 deprecates Samba's original domain controller mode.
Sites using Samba as a Domain Controller should upgrade from the NT4-like 'classic' Domain Controller to a Samba Active Directory DC to ensure full operation with modern windows clients.
SMBv1 only protocol options deprecated
A number of smb.conf parameters for less-secure authentication methods which are only possible over SMBv1 are deprecated in this release.
REMOVED FEATURES
The deprecated "ldap ssl ads" smb.conf option has been removed.
smb.conf changes
Parameter Name                        Description                Default
--------------                        -----------                -------
ldap ssl ads                          removed
smb2 disable lock sequence checking                              No
domain logons                         Deprecated                 no
raw NTLMv2 auth                       Deprecated                 no
client plaintext auth                 Deprecated                 no
client NTLMv2 auth                    Deprecated                 yes
client lanman auth                    Deprecated                 no
client use spnego                     Deprecated                 yes
server schannel                       To be removed in 4.13.0
server require schannel:COMPUTER      Added
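Several of the settings this release calls out can be checked mechanically from smb.conf: "server schannel" anything other than yes (the ZeroLogon note above), "wide links = yes" (the vfs_widelinks note), the SMB1-only authentication parameters deprecated in this release, and "lanman auth" (whose storage and authentication the 4.20 notes remove from the AD DC entirely). The following is an added example, not Samba code; it parses the file with Python's configparser rather than Samba's own loader (or the samba.smbconf binding added in 4.20), so it does not follow "include =" lines or expand %-macros. Both configuration fragments are constructed.

```python
"""Lint an smb.conf for the insecure or deprecated settings named in the
Samba 4.13 release notes (and the LanMan removal in 4.20).

Added example, not Samba code. Uses configparser, so "include =" and %-macros
are not handled. WEAK_CONF and FIXED_CONF are constructed samples.
"""
import configparser

WEAK_CONF = """\
[global]
workgroup = EXAMPLE
server role = active directory domain controller
server schannel = auto
lanman auth = yes
client plaintext auth = yes
client lanman auth = yes
raw NTLMv2 auth = yes

[public]
path = /srv/public
wide links = yes
unix extensions = no
"""

FIXED_CONF = """\
[global]
workgroup = EXAMPLE
server role = active directory domain controller
server schannel = yes
server min protocol = SMB2_02

[public]
path = /srv/public
"""

# Options deprecated in 4.13 that weaken authentication when set to yes ...
WEAK_WHEN_YES = ("lanman auth", "client plaintext auth", "client lanman auth", "raw ntlmv2 auth")
# ... and ones that weaken it when set to no.
WEAK_WHEN_NO = ("client ntlmv2 auth", "client use spnego")


def load(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    # Samba parameter names are case-insensitive and whitespace-insensitive.
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    return cp


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def lint(text: str) -> list[str]:
    """Return one message per problem found; an empty list means nothing to report."""
    cp = load(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []

    # Absent means the post-ZeroLogon default of yes; "no" or "auto" is what the notes warn about.
    schannel = g.get("server schannel", "yes").strip()
    if schannel.lower() != "yes":
        findings.append(f"global: server schannel = {schannel} leaves the DC open to "
                        "ZeroLogon (CVE-2020-1472); set it to yes")

    for opt in WEAK_WHEN_YES:
        if opt in g and is_yes(g[opt]):
            findings.append(f"global: {opt} = yes enables a deprecated SMB1-only authentication method")
    for opt in WEAK_WHEN_NO:
        if opt in g and not is_yes(g[opt]):
            findings.append(f"global: {opt} = no weakens client authentication (deprecated SMB1-only setting)")

    # "wide links" set in [global] becomes the default for every share.
    global_wide = g.get("wide links", "no")
    for section in cp.sections():
        if section == "global":
            continue
        if is_yes(cp[section].get("wide links", global_wide)):
            findings.append(f"share [{section}]: wide links = yes is insecure; replace it with a bind mount")
    return findings


if __name__ == "__main__":
    for msg in lint(WEAK_CONF):
        print(msg)
    print("fixed config:", lint(FIXED_CONF))
```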
Samba 4.12
- Release Notes for Samba 4.12.0
- March 03, 2020
Release Announcements
This is the first stable release of the Samba 4.12 release series.
Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
Python 3.5 Required
Samba's minimum runtime requirement for python was raised to Python 3.4 with samba 4.11. Samba 4.12 raises this minimum version to Python 3.5 both to access new features and because this is the oldest version we test with in our CI infrastructure.
- (Build time support for the file server with Python 2.6 has not changed)
Removing in-tree cryptography: GnuTLS 3.4.7 required
Samba is making efforts to remove in-tree cryptographic functionality, and to instead rely on externally maintained libraries. To this end, Samba has chosen GnuTLS as our standard cryptographic provider.
Samba now requires GnuTLS 3.4.7 to be installed (including development headers at build time) for all configurations, not just the Samba AD DC.
Thanks to this work Samba no longer ships an in-tree DES implementation and on GnuTLS 3.6.5 or later Samba will include no in-tree cryptography other than the MD4 hash and that implemented in our copy of Heimdal.
With GnuTLS used for SMB3 encryption you will notice huge performance and copy speed improvements. Tests with the CIFS kernel client from Linux kernel 5.3 show a 3x speed improvement for writes and a 2.5x speed improvement for reads!
- NOTE WELL: The use of GnuTLS means that Samba will honour the system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic standard) and so will not operate in many still common situations if this system-wide parameter is in effect, as many of our protocols rely on outdated cryptography.
A future Samba version will mitigate this to some extent where good cryptography effectively wraps bad cryptography, but for now the above applies.
zlib library is now required to build Samba
Samba no longer includes a local copy of zlib in our source tarball. By removing this we do not need to ship (even where we did not build) the old, broken zip encryption code found there.
New Spotlight backend for Elasticsearch
Support for the macOS specific Spotlight search protocol has been enhanced significantly. Starting with 4.12 Samba supports using Elasticsearch as search backend. Various new parameters have been added to configure this:
spotlight backend = noindex | elasticsearch | tracker
elasticsearch:address = ADDRESS
elasticsearch:port = PORT
elasticsearch:use tls = BOOLEAN
elasticsearch:index = INDEXNAME
elasticsearch:mappings = PATH
elasticsearch:max results = NUMBER
Samba also ships a Spotlight client command "mdfind" which can be used to search any SMB server that runs the Spotlight RPC service. See the manpage of mdfind for details.
Note that when upgrading existing installations that use the previous default Spotlight backend, Gnome Tracker, you must explicitly set "spotlight backend = tracker", as the new default is "noindex".
"net ads kerberos pac save" and "net eventlog export"
The "net ads kerberos pac save" and "net eventlog export" tools will no longer silently overwrite an existing file during data export. If the given filename exists, an error will be shown.
Fuzzing
A large number of fuzz targets have been added to Samba, and Samba has been registered in Google's oss-fuzz cloud fuzzing service. In particular, we now have good fuzzing coverage of our generated NDR parsing code.
A large number of issues have been found and fixed thanks to this effort.
'samba-tool' improvements add contacts as member to groups
Previously 'samba-tool group addmembers' could only add users, groups and computers as members to groups, but contacts can also be members of groups. Samba 4.12 adds the functionality to add contacts to groups. Since contacts have no sAMAccountName, there may be more than one contact with the same name in different organizational units. Therefore it is necessary to have an option to handle group members by their DN.
To get the DN of an object there is now the "--full-dn" option available for all necessary commands.
The MS Windows UI allows searching for specific types of group members when searching for new members for a group. This feature is included here with the new samba-tool group addmembers "--object-type=OBJECTYPE" option. The different types are selected according to the Windows UI. The default samba-tool behaviour should not be changed.
Allow filtering by OU or subtree in samba-tool
A new "--base-dn" and "--member-base-dn" option is added to relevant samba-tool user, group and ou management commands to allow operation on just one part of the AD tree, such as a single OU.
VFS
SMB_VFS_NTIMES
Samba now uses a sentinel value based on utimensat(2) UTIME_OMIT to denote to-be-ignored timestamp variables passed to the SMB_VFS_NTIMES() VFS function.
VFS modules can check whether any of the time values inside a struct smb_file_time is to be ignored by calling is_omit_timespec() on the value.
'io_uring' vfs module
The module makes use of the new io_uring infrastructure (introduced in Linux 5.1), see https://lwn.net/Articles/776703/
Currently this implements SMB_VFS_{PREAD,PWRITE,FSYNC}_SEND/RECV and avoids the overhead of the userspace threadpool in the default vfs backend. See also vfs_io_uring(8).
In order to build the module you need the liburing userspace library and its development headers installed, see https://git.kernel.dk/cgit/liburing/
At runtime you'll need a Linux kernel with version 5.1 or higher. Note that 5.4.14 and 5.4.15 have a regression that breaks the Samba module! The regression was fixed in Linux 5.4.16 again.
MS-DFS changes in the VFS
This release changes the getting and setting of MS-DFS redirects on the filesystem to go through two new VFS functions:
SMB_VFS_CREATE_DFS_PATHAT()
SMB_VFS_READ_DFS_PATHAT()
instead of smbd explicitly storing MS-DFS redirects inside symbolic links on the filesystem. The underlying default implementation of this has not changed: the redirects are still stored inside symbolic links on the filesystem, but moving the creation and reading of these links into the VFS as first-class functions now allows alternate methods of storing them (maybe in extended attributes) for OEMs who don't want to mis-use filesystem symbolic links in this way.
CTDB changes
- The ctdb_mutex_fcntl_helper periodically re-checks the lock file
- The re-check period is specified using a 2nd argument to this helper. The default re-check period is 5s.
- If the file no longer exists or the inode number changes then the helper exits. This triggers an election.
REMOVED FEATURES
smb.conf "write cache size"
The smb.conf parameter "write cache size" has been removed.
Since the in-memory write caching code was written, our write path has changed significantly. In particular we have gained very flexible support for async I/O, with the new Linux io_uring interface in development. The old write cache concept, which cached data in main memory followed by a blocking pwrite, no longer gives any improvement on modern systems, and may make performance worse on memory-constrained systems, so this functionality should not be enabled in core smbd code.
In addition, it complicated the write code, which is a performance critical code path.
If required for specialist purposes, it can be recreated as a VFS module.
Retiring DES encryption types in Kerberos.
With this release, support for DES encryption types has been removed from Samba, and setting DES_ONLY flag for an account will cause Kerberos authentication to fail for that account (see RFC-6649).
Samba-DC: DES keys no longer saved in DB.
When a new password is set for an account, the Samba DC will store random keys in the DB instead of DES keys derived from the password. If the account is being migrated to Windows or to an older version of Samba in order to use DES keys, the password must be reset to make it work.
Heimdal-DC: removal of weak-crypto.
Following removal of DES encryption types from Samba, the embedded Heimdal build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO).
vfs_netatalk: The netatalk VFS module has been removed.
The netatalk VFS module has been removed. It was unmaintained and is not needed any more.
BIND9_FLATFILE deprecated
The BIND9_FLATFILE DNS backend is deprecated in this release and will be removed in the future. This was only practically useful on a single domain controller or under expert care and supervision.
This release removes the 'rndc command' smb.conf parameter, which supported this configuration by writing out a list of DCs permitted to make changes to the DNS Zone and nudging the 'named' server if a new DC was added to the domain. Administrators using BIND9_FLATFILE will need to maintain this manually from now on.
smb.conf changes
Parameter Name              Description       Default
--------------              -----------       -------
elasticsearch:address       New               localhost
elasticsearch:port          New               9200
elasticsearch:use tls       New               No
elasticsearch:index         New               _all
elasticsearch:mappings      New               DATADIR/elasticsearch_mappings.json
elasticsearch:max results   New               100
nfs4:acedup                 Changed default   merge
rndc command                Removed
write cache size            Removed
spotlight backend           New               noindex
Samba 4.11
- Release Notes for Samba 4.11.0
- September 17, 2019
Release Announcements
This is the first stable release of the Samba 4.11 release series. Please read the release notes carefully before upgrading.
UPGRADING
AD Database compatibility
Samba 4.11 has changed how the AD database is stored on disk. AD users should not really be affected by this change when upgrading to 4.11. However, AD users should be extremely careful if they need to downgrade from Samba 4.11 to an older release.
Samba 4.11 maintains database compatibility with older Samba releases. The database will automatically get rewritten in the new 4.11 format when you first start the upgraded samba executable.
However, when downgrading from 4.11 you will need to manually downgrade the AD database yourself. Note that you will need to do this step before you install the downgraded Samba packages. For more details, see:
When either upgrading or downgrading, users should also avoid making any database modifications between installing the new Samba packages and starting the samba executable.
SMB1 is disabled by default
The defaults of 'client min protocol' and 'server min protocol' have been changed to SMB2_02.
This means clients without support for SMB2 or SMB3 are no longer able to connect to smbd (by default).
It also means client tools like smbclient and others, as well as applications making use of libsmbclient, are no longer able to connect to servers without SMB2 or SMB3 support (by default).
It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2 and LANMAN1 for client and server, as well as CORE and COREPLUS on the client.
- Note: most command-line tools, e.g. smbclient, smbcacls and others, also support the '--option' argument to override smb.conf options, e.g. --option='client min protocol=NT1' might be useful.
As Microsoft no longer installs SMB1 support in recent releases, or uninstalls it after 30 days without usage, the Samba Team tries to remove SMB1 usage as much as possible.
SMB1 is officially deprecated and might be removed step by step in the following years. If you have a strong requirement for SMB1 (except for supporting old Linux Kernels), please file a bug at https://bugzilla.samba.org and let us know about the details.
LanMan and plaintext authentication deprecated
The "lanman auth" and "encrypt passwords" parameters are deprecated with this release as both are only applicable to SMB1 and are quite insecure. NTLM, NTLMv2 and Kerberos authentication are unaffected, as "encrypt passwords = yes" has been the default since Samba 3.0.0.
If you have a strong requirement for these authentication protocols, please file a bug at https://bugzilla.samba.org and let us know about the details.
BIND9_FLATFILE deprecated
The BIND9_FLATFILE DNS backend is deprecated in this release and will be removed in the future. This was only practically useful on a single domain controller or under expert care and supervision.
This release therefore deprecates the "rndc command" smb.conf parameter, which is used to support this configuration. After writing out a list of DCs permitted to make changes to the DNS Zone, "rndc command" is called with reload to tell the 'named' server that a DC was added to or removed from the domain.
NEW FEATURES/CHANGES
Default samba process model
The default for the '--model' argument passed to the samba executable has changed from 'standard' to 'prefork'. This means a difference in the number of samba child processes that are created to handle client connections. The previous default would create a separate process for every LDAP or NETLOGON client connection. For a network with a lot of persistent client connections, this could result in significant memory overhead. Now, with the new default of 'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of worker processes at startup and share the client connections amongst these workers. The number of worker processes can be configured by the 'prefork children' setting in the smb.conf (the default is 4).
Authentication Logging.
Winbind now logs PAM_AUTH and NTLM_AUTH events, and a new attribute "logonId" has been added to the Authentication JSON log messages. This contains a random logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed to SamLogon, linking the winbind and SamLogon requests.
The serviceDescription of the messages is set to "winbind", and the authDescription is set to one of:
- "PASSDB, <command>, <pid>"
- "PAM_AUTH, <command>, <pid>"
- "NTLM_AUTH, <command>, <pid>"
where:
- <command> is the name of the command making the winbind request, i.e. wbinfo
- <pid> is the process id of the requesting process.
The version of the JSON Authentication messages has been changed to 1.1 from 1.2
LDAP referrals
The scheme of returned LDAP referrals now reflects the scheme of the original request, i.e. referrals received via ldap are prefixed with "ldap://" and those over ldaps are prefixed with "ldaps://".
Previously all referrals were prefixed with "ldap://".
Bind9 logging
It is now possible to log the duration of DNS operations performed by Bind9. This should aid future diagnosis of performance issues and could be used to monitor DNS performance. The logging is enabled by setting log level to "dns:10" in smb.conf.
The logs are currently human-readable text only, i.e. there is no JSON formatted output.
Log lines are of the form:
<function>: DNS timing: result: [<result>] duration: (<duration>) zone: [<zone>] name: [<name>] data: []
durations are in microseconds.
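A parser for the "DNS timing" lines in the format given above, as an added example (not Samba's own code): it turns the lines into records, summarises them per zone and lists operations over a duration threshold. The function and result names in the constructed sample lines are illustrative, and ISC_R_SUCCESS is assumed to be the success result string.

```python
"""Parse and summarise Samba's Bind9 'DNS timing' debug lines.
Added example, not Samba's code. Only the line format from the release notes
is assumed; sample lines are constructed and their function/result names are
illustrative. Durations are microseconds, as the notes state."""
import re
from statistics import mean

DNS_TIMING_RE = re.compile(
    r"^(?P<function>[^:]+): DNS timing: result: \[(?P<result>[^\]]*)\] "
    r"duration: \((?P<duration>\d+)\) zone: \[(?P<zone>[^\]]*)\] "
    r"name: \[(?P<name>[^\]]*)\] data: \[(?P<data>[^\]]*)\]$"
)

# Constructed sample log; the fourth line is ordinary debug noise to be skipped.
SAMPLE_LINES = """\
b9_add: DNS timing: result: [ISC_R_SUCCESS] duration: (1834) zone: [example.com] name: [host1.example.com] data: []
b9_lookup: DNS timing: result: [ISC_R_SUCCESS] duration: (412) zone: [example.com] name: [host2.example.com] data: []
b9_lookup: DNS timing: result: [ISC_R_NOTFOUND] duration: (2750001) zone: [example.com] name: [nope.example.com] data: []
some other debug line without timing information
b9_add: DNS timing: result: [ISC_R_SUCCESS] duration: (990) zone: [sub.example.com] name: [h.sub.example.com] data: []
"""

SUCCESS_RESULT = "ISC_R_SUCCESS"  # assumed name of the success result


def parse_dns_timing(line):
    """Return a dict for a timing line, or None for any other log line."""
    m = DNS_TIMING_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["duration_us"] = int(rec.pop("duration"))
    return rec


def parse_lines(text):
    return [r for r in map(parse_dns_timing, text.splitlines()) if r]


def summarise_by_zone(text):
    """Per-zone count, max and mean duration (microseconds) and number of
    non-success results, so one slow or failing zone stands out."""
    by_zone = {}
    for r in parse_lines(text):
        by_zone.setdefault(r["zone"], []).append(r)
    return {
        zone: {
            "count": len(recs),
            "max_us": max(r["duration_us"] for r in recs),
            "mean_us": mean(r["duration_us"] for r in recs),
            "failures": sum(r["result"] != SUCCESS_RESULT for r in recs),
        }
        for zone, recs in by_zone.items()
    }


def slow_operations(text, threshold_us):
    """(function, name, duration_us) for operations slower than the threshold,
    slowest first."""
    slow = [(r["function"], r["name"], r["duration_us"])
            for r in parse_lines(text) if r["duration_us"] > threshold_us]
    return sorted(slow, key=lambda t: -t[2])
```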
Default schema updated to 2012_R2
Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level is not yet available. Older schemas can be used by provisioning with the '--base-schema' argument. Existing installations can be updated with the samba-tool command "domain schemaupgrade".
Samba's replication code has also been improved to handle replication with the 2012 schema (the core of this replication fix has also been backported to 4.9.11 and will be in a 4.10.x release).
For more about how the AD schema relates to overall Windows compatibility, please read:
GnuTLS 3.2 required
Samba is making efforts to remove in-tree cryptographic functionality, and to instead rely on externally maintained libraries. To this end, Samba has chosen GnuTLS as our standard cryptographic provider.
Samba now requires GnuTLS 3.2 to be installed (including development headers at build time) for all configurations, not just the Samba AD DC.
- NOTE WELL: The use of GnuTLS means that Samba will honour the system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic standard) and so will not operate in many still common situations if this system-wide parameter is in effect, as many of our protocols rely on outdated cryptography.
A future Samba version will mitigate this to some extent where good cryptography effectively wraps bad cryptography, but for now the above applies.
samba-tool improvements
A new "samba-tool contact" command has been added to allow the command-line manipulation of contacts, as used for address book lookups in LDAP.
The "samba-tool [user|group|computer|group|contact] edit" command has been improved to operate more pleasantly on international character sets.
100,000 USER and LARGER Samba AD DOMAINS
Extensive efforts have been made to optimise Samba for use in organisations targeting (for example) 100,000 users, plus 120,000 computer objects, as well as a large number of group memberships.
Many of the specific efforts are detailed below, but the net result is to remove barriers to significantly larger Samba deployments compared to previous releases.
Reindex performance improvements
The performance of samba-tool dbcheck --reindex has been improved, especially for large domains.
join performance improvements
The performance of samba-tool domain join has been improved, especially for large domains.
LDAP Server memory improvements
The LDAP server has improved memory efficiency, ensuring that large LDAP responses (for example a search for all objects) are not copied multiple times into memory.
Setting lmdb map size
It is now possible to set the lmdb map size (the maximum permitted size for the database). "samba-tool" now accepts the "--backend-store-size" option, e.g. --backend-store-size=4Gb. If not specified it defaults to 8Gb.
This option is available for the following sub commands:
- domain provision
- domain join
- domain dcpromo
- drs clone-dc-database
LDB "batch_mode"
To improve performance during batch operations, e.g. joins, ldb now accepts a "batch_mode" option. However, to prevent any index or database inconsistencies if an operation fails, the entire transaction will be aborted at commit.
New LDB pack format
On first use (startup of 'samba' or the first transaction write) Samba's sam.ldb will be updated to a new more efficient pack format. This will take a few moments.
New LDB <= and >= index mode to improve replication performance
As well as a new pack format, Samba's sam.ldb uses a new index format allowing Samba to efficiently select objects changed since the last replication cycle. This in turn improves performance during replication of large domains.
Improvements to ldb search performance
Search performance on large LDB databases has been improved by reducing memory allocations made on each object.
Improvements to subtree rename performance
Improvements have been made to Samba's handling of subtree renames, for example of containers and organisational units, however large renames are still not recommended.
CTDB changes
- nfs-linux-kernel-callout now defaults to using systemd service names
- The Red Hat service names continue to be the default.
- Other distributions should patch this file when packaging it.
- The onnode -o option has been removed
- ctdbd logs when it is using more than 90% of a CPU thread
- ctdbd is single threaded, so can become saturated if it uses the full capacity of a CPU thread. To help detect this situation, ctdbd now logs messages when CPU utilisation exceeds 90%. Each change in CPU utilisation over 90% is logged. A message is also logged when CPU utilisation drops below the 90% threshold.
- Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed
- 05.system.script now monitors total memory (i.e. physical memory + swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE script configuration variable.
CephFS Snapshot Integration
CephFS snapshots can now be exposed as previous file versions using the new ceph_snapshots VFS module. See the vfs_ceph_snapshots(8) man page for details.
REMOVED FEATURES
Web server
As a leftover from work related to the Samba Web Administration Tool (SWAT), Samba still supported a Python WSGI web server (which could still be turned on from the 'server services' smb.conf parameter). This service was unused and has now been removed from Samba.
samba-tool join subdomain
The subdomain role has been removed from the join command. This option did not work and has no tests.
Python2 support
Samba 4.11 will not have any runtime support for Python 2.
If you are building Samba using the '--disable-python' option (i.e. you're excluding all the run-time Python support), then this will continue to work on a system that supports either python2 or python3.
To build Samba with python2 you *must* set the 'PYTHON' environment variable for both the 'configure' and 'make' steps, i.e.
PYTHON=python2 ./configure
PYTHON=python2 make
This will override the python3 default.
Except for this specific build-time use of python2, Samba now requires Python 3.4 as a minimum.
Samba 4.10
- Release Notes for Samba 4.10.0
- March 19, 2019
Release Announcements
This is the first stable release of the Samba 4.10 release series. Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
GPO Improvements
A new 'samba-tool gpo backup' command has been added that can export a set of Group Policy Objects from a domain in a generalised XML format.
A corresponding 'samba-tool gpo restore' command has been added to rebuild the Group Policy Objects from the XML after generalization. (The administrator needs to correct the values of XML entities between the backup and restore to account for the change in domain).
KDC prefork
The KDC now supports the pre-fork process model and worker processes will be forked for the KDC when the pre-fork process model is selected for samba.
Prefork 'prefork children'
The default value for this smb.conf parameter has been increased from 1 to 4.
Netlogon prefork
DCERPC now supports pre-forked NETLOGON processes. The netlogon processes are pre-forked when the prefork process model is selected for samba.
Offline domain backups
The 'samba-tool domain backup' command has been extended with a new 'offline' option. This safely creates a backup of the local DC's database directly from disk. The main benefits of an offline backup are it's quicker, it stores more database details (for forensic purposes), and the samba process does not have to be running when the backup is made. Refer to the samba-tool help for more details on using this command.
Group membership statistics
A new 'samba-tool group stats' command has been added. This provides summary information about how the users are spread across groups in your domain. The 'samba-tool group list --verbose' command has also been updated to include the number of users in each group.
Paged results LDAP control
The behaviour of the paged results control (1.2.840.113556.1.4.319, RFC2696) has been changed to more closely match Windows servers, to improve memory usage. Paged results may be used internally by LDAP libraries or tools that deal with large result sizes (or requested explicitly by the user), for example when listing all the objects in the database.
Previously, results were returned as a snapshot of the database but now, some changes made to the set of results while paging may be reflected in the responses. If strict inter-record consistency is required in answers (which is not possible on Windows with large result sets), consider avoiding the paged results control or alternatively, it might be possible to enforce restrictions using the LDAP filter expression.
For further details see Paged_Results
Prefork process restart
The pre-fork process model now restarts failed processes. The delay between restart attempts is controlled by the "prefork backoff increment" (default = 10) and "prefork maximum backoff" (default = 120) smb.conf parameters. A linear back off strategy is used, with "prefork backoff increment" added to the delay between restart attempts until it reaches "prefork maximum backoff".
Using the default sequence the restart delays (in seconds) are:
- 0, 10, 20, ..., 120, 120, ...
Standard process model
When using the standard process model samba forks a new process to handle ldap and netlogon connections. Samba now honours the 'max smbd processes' smb.conf parameter. The default value of 0 indicates there is no limit. The limit is applied individually to netlogon and ldap. When the process limit is exceeded Samba drops new connections immediately.
python3 support
This is the first release of Samba which has full support for Python 3. Samba 4.10 still has support for Python 2, however, Python 3 will be used by default, i.e. 'configure' & 'make' will execute using python3.
To build Samba with python2 you *must* set the 'PYTHON' environment variable for both the 'configure' and 'make' steps, i.e.
PYTHON=python2 ./configure
PYTHON=python2 make
This will override the python3 default.
Alternatively, it is possible to produce Samba Python bindings for both Python 2 and Python 3. To do so, specify '--extra-python=/usr/bin/python2' as part of the 'configure' command. Note that python3 will still be used as the default in this case.
- Note: Samba 4.10 supports Python 3.4 onwards.
Future Python support
Samba 4.10 will be the last release that comes with full support for Python 2. Unfortunately, the Samba Team doesn't have the resources to support both Python 2 and Python 3 long-term.
Samba 4.11 will not have any runtime support for Python 2. This means if you use Python 2 bindings it is time to migrate to Python 3 now.
If you are building Samba using the '--disable-python' option (i.e. you're excluding all the run-time Python support), then this will continue to work on a system that supports either python2 or python3.
- Note: Samba 4.11 will most likely only support Python 3.6 onwards.
JSON logging
Authentication messages now contain the Windows Event Id "eventId" and logon type "logonType". The supported event codes and logon types are:
- Event codes:
- 4624 Successful logon
- 4625 Unsuccessful logon
- Logon Types:
- 2 Interactive
- 3 Network
- 8 NetworkCleartext
The version number for Authentication messages is now 1.1, changed from 1.0
Password change messages now contain the Windows Event Id "eventId", the supported event Id's are:
- 4723 Password changed
- 4724 Password reset
The version number for PasswordChange messages is now 1.1, changed from 1.0
Group membership change messages now contain the Windows Event Id "eventId", the supported event Id's are:
- 4728 A member was added to a security enabled global group
- 4729 A member was removed from a security enabled global group
- 4732 A member was added to a security enabled local group
- 4733 A member was removed from a security enabled local group
- 4746 A member was added to a security disabled local group
- 4747 A member was removed from a security disabled local group
- 4751 A member was added to a security disabled global group
- 4752 A member was removed from a security disabled global group
- 4756 A member was added to a security enabled universal group
- 4757 A member was removed from a security enabled universal group
- 4761 A member was added to a security disabled universal group
- 4762 A member was removed from a security disabled universal group
The version number for GroupChange messages is now 1.1, changed from 1.0. Also, a GroupChange message is generated when a new user is created, to log that the user has been added to their primary group.
The leading "JSON <message type>:" and source file prefix of the JSON formatted log entries has been removed to make the parsing of the JSON log messages easier. JSON log entries now start with 2 spaces followed by an opening brace i.e. " {"
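A parser for these JSON log entries, as an added example that is not Samba's own code, covering both the event codes and logon types listed above and the winbind "authDescription" form from the Samba 4.11 "Authentication Logging" section. The field names eventId, logonType, logonId, serviceDescription, authDescription and version come from the release notes; the outer "timestamp"/"type" wrapper and the clientAccount, status, remoteAddress and GroupChange "user" fields are assumptions about Samba's auth_log output, and every sample line is constructed.

```python
"""Parse Samba's JSON authentication and group-change log entries.
Added example, not Samba's code. Field names from the release notes: eventId,
logonType, logonId, serviceDescription, authDescription, version. Assumed:
the "timestamp"/"type" wrapper, clientAccount, status, remoteAddress, and the
GroupChange "user" field. Sample lines are constructed, not captured."""
import json
from collections import Counter, defaultdict

# Event codes and logon types exactly as listed in the release notes.
EVENT_NAMES = {
    4624: "Successful logon",
    4625: "Unsuccessful logon",
    4723: "Password changed",
    4724: "Password reset",
    4728: "A member was added to a security enabled global group",
    4729: "A member was removed from a security enabled global group",
    4732: "A member was added to a security enabled local group",
    4733: "A member was removed from a security enabled local group",
    4746: "A member was added to a security disabled local group",
    4747: "A member was removed from a security disabled local group",
    4751: "A member was added to a security disabled global group",
    4752: "A member was removed from a security disabled global group",
    4756: "A member was added to a security enabled universal group",
    4757: "A member was removed from a security enabled universal group",
    4761: "A member was added to a security disabled universal group",
    4762: "A member was removed from a security disabled universal group",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 8: "NetworkCleartext"}
WINBIND_MECHANISMS = ("PASSDB", "PAM_AUTH", "NTLM_AUTH")

# Constructed sample log: a normal debug line that must be skipped, then JSON
# entries that start with two spaces and '{' (no "JSON <type>:" prefix).
SAMPLE_LOG = """\
[2019/09/17 10:00:00.000000,  3] ../source3/smbd/service.c:123(make_connection_snum)
  {"timestamp": "2019-09-17T10:00:00.000001+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4624, "logonId": "1a2b3c4d5e6f7081", "logonType": 3, "status": "NT_STATUS_OK", "serviceDescription": "winbind", "authDescription": "PAM_AUTH, wbinfo, 4242", "clientAccount": "alice", "remoteAddress": "ipv4:192.0.2.10:0"}}
  {"timestamp": "2019-09-17T10:00:01.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonId": "1a2b3c4d5e6f7082", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientAccount": "bob", "remoteAddress": "ipv4:192.0.2.77:49152"}}
  {"timestamp": "2019-09-17T10:00:02.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonId": "1a2b3c4d5e6f7083", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientAccount": "carol", "remoteAddress": "ipv4:192.0.2.77:49153"}}
  {"timestamp": "2019-09-17T10:00:03.000000+0000", "type": "GroupChange", "GroupChange": {"version": {"major": 1, "minor": 1}, "eventId": 4728, "group": "CN=Domain Admins,CN=Users,DC=example,DC=com", "user": "CN=bob,CN=Users,DC=example,DC=com"}}
"""


def source_ip(remote_address):
    """'ipv4:192.0.2.10:49152' -> '192.0.2.10' (assumed address format)."""
    if not remote_address:
        return None
    parts = remote_address.split(":")
    return parts[1] if parts[0] == "ipv4" and len(parts) == 3 else remote_address


def parse_winbind_auth_description(desc):
    """Split the 4.11 winbind authDescription '<mechanism>, <command>, <pid>'
    into (mechanism, command, pid); None if it is not in that form."""
    parts = [p.strip() for p in (desc or "").split(",")]
    if len(parts) != 3 or parts[0] not in WINBIND_MECHANISMS or not parts[2].isdigit():
        return None
    return parts[0], parts[1], int(parts[2])


def parse_entry(line):
    """Flattened record for one JSON log line, or None for any other debug-log
    line (anything that does not start with '{' once stripped)."""
    stripped = line.strip()
    if not stripped.startswith("{"):
        return None
    try:
        rec = json.loads(stripped)
    except ValueError:
        return None
    kind = rec.get("type")
    body = rec.get(kind)
    if not isinstance(body, dict) or "eventId" not in body:
        return None
    ver = body.get("version", {})
    return {
        "type": kind,
        "version": (ver.get("major", 0), ver.get("minor", 0)),
        "eventId": body["eventId"],
        "eventName": EVENT_NAMES.get(body["eventId"], "unknown event"),
        "logonType": LOGON_TYPES.get(body.get("logonType")),
        "logonId": body.get("logonId"),
        "account": body.get("clientAccount") or body.get("user"),
        "source": source_ip(body.get("remoteAddress")),
        "status": body.get("status"),
        "authDescription": body.get("authDescription"),
    }


def parse_log(text):
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def failed_logons_by_source(entries, threshold):
    """Sources with at least `threshold` 4625 events and the distinct accounts
    they tried; many accounts failing from one address is worth an alert."""
    counts, accounts = Counter(), defaultdict(set)
    for e in entries:
        if e["type"] == "Authentication" and e["eventId"] == 4625:
            counts[e["source"]] += 1
            accounts[e["source"]].add(e["account"])
    return {src: (n, sorted(accounts[src])) for src, n in counts.items() if n >= threshold}


def security_enabled_group_additions(entries):
    """(user, eventName) for additions to security-enabled groups (4728/4732/4756)."""
    return [(e["account"], e["eventName"]) for e in entries
            if e["type"] == "GroupChange" and e["eventId"] in (4728, 4732, 4756)]
```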
SMBv2 samba-tool support
On previous releases, some samba-tool commands would not work against a remote DC that had SMBv1 disabled. SMBv2 support has now been added for samba-tool. The affected commands are 'samba-tool domain backup|rename' and the 'samba-tool gpo' set of commands. Refer also BUG #13676.
New glusterfs_fuse VFS module
The new vfs_glusterfs_fuse module improves performance when Samba accesses a glusterfs volume mounted via FUSE (Filesystem in Userspace as part of the Linux kernel). It achieves that by leveraging a mechanism to retrieve the appropriate case of filenames by querying a specific extended attribute in the filesystem. No extra configuration is required to use this module, only glusterfs_fuse needs to be set in the "vfs objects" parameter. Further details can be found in the vfs_glusterfs_fuse(8) manpage. This new vfs_glusterfs_fuse module does not replace the existing vfs_glusterfs module, it just provides an additional, alternative mechanism to access a Gluster volume.
REMOVED FEATURES
MIT Kerberos build of the AD DC
While not removed, the MIT Kerberos build of the Samba AD DC is still considered experimental. Because Samba will not issue security patches for this configuration, such builds now require the explicit configure option: --with-experimental-mit-ad-dc
For further details see Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
samba_backup
The samba_backup script has been removed. This has now been replaced by the 'samba-tool domain backup offline' command.
SMB client Python bindings
The SMB client python bindings are now deprecated and will be removed in future Samba releases. This only affects users that may have used the Samba Python bindings to write their own utilities, i.e. users with a custom Python script that includes the line 'from samba import smb'.
smb.conf changes
Parameter Name               Description                                                       Default
--------------               -----------                                                       -------
prefork backoff increment    Delay added to process restart between attempts.                  10 (seconds)
prefork maximum backoff      Maximum delay between process restart attempts                    120 (seconds)
smbd search ask sharemode    Name changed, old name was "smbd:search ask sharemode"
smbd async dosmode           Name changed, old name was "smbd:async dosmode"
smbd max async dosmode       Name changed, old name was "smbd:max async dosmode"
smbd getinfo ask sharemode   New: similar to "smbd search ask sharemode" but for SMB getinfo   yes
Samba 4.9
- Release Notes for Samba 4.9.0
- September 13, 2018
Release Announcements
This is the first stable release of the Samba 4.9 release series. Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
'net ads setspn'
There is a new 'net ads setspn' sub command for managing Windows SPN(s) on the AD. This command aims to give the basic functionality that is provided on Windows by 'setspn.exe', e.g. the ability to add, delete and list Windows SPN(s) stored in a Windows AD Computer object.
The format of the command is:
net ads setspn list [machine]
net ads setspn [add | delete] SPN [machine]
'machine' is the name of the computer account on the AD that is to be managed. If 'machine' is not specified the name of the 'client' running the command is used instead.
The format of a Windows SPN is
'serviceclass/host:port/servicename' (servicename and port are optional)
serviceclass/host is generally sufficient to specify a host based service.
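A parser and builder for the SPN format just described, as an added example (not part of net ads setspn): it validates an SPN before it is handed to the tool, treating port and servicename as optional, and matches SPNs to a host case-insensitively because servicePrincipalName is a case-insensitive attribute in AD. The hostnames and SPNs in the checks are constructed.

```python
"""Parse, validate and build Windows SPNs: 'serviceclass/host:port/servicename'
with port and servicename optional. Added example, not Samba's code; the SPN
grammar is the one from the release notes, all example values are constructed."""
import re

# host stops at ':' (port) or '/' (servicename); both trailing parts optional.
SPN_RE = re.compile(
    r"^(?P<serviceclass>[^/:]+)/(?P<host>[^/:]+)"
    r"(?::(?P<port>\d{1,5}))?(?:/(?P<servicename>[^/]+))?$"
)


def parse_spn(spn):
    """Return the SPN components (port as int or None), or None if malformed."""
    m = SPN_RE.match(spn)
    if not m:
        return None
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 1 <= port <= 65535:
        return None
    return {"serviceclass": m["serviceclass"], "host": m["host"],
            "port": port, "servicename": m["servicename"]}


def build_spn(serviceclass, host, port=None, servicename=None):
    """Inverse of parse_spn; refuses separator characters inside a component
    so the result always parses back to the same parts."""
    for part in (serviceclass, host, servicename or ""):
        if "/" in part or ":" in part:
            raise ValueError("SPN components must not contain '/' or ':'")
    spn = f"{serviceclass}/{host}"
    if port is not None:
        spn += f":{port}"
    if servicename:
        spn += f"/{servicename}"
    return spn


def spns_for_host(spns, host):
    """SPNs (from e.g. 'net ads setspn list') whose host part matches `host`,
    compared case-insensitively; malformed entries are ignored."""
    matches = []
    for spn in spns:
        parsed = parse_spn(spn)
        if parsed and parsed["host"].lower() == host.lower():
            matches.append(spn)
    return matches
```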
'net ads keytab' changes
net ads keytab add no longer attempts to convert the passed serviceclass (e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD computer object. By default just the keytab file is modified.
A new keytab subcommand 'add_update_ads' has been added to preserve the legacy behaviour. However the new 'net ads setspn add' subcommand should really be used instead.
net ads keytab create no longer tries to generate SPN(s) from existing entries in a keytab file. If it is required to add Windows SPN(s) then 'net ads setspn add' should be used instead.
Local authorization plugin for MIT Kerberos
This plugin controls the relationship between Kerberos principals and AD accounts through winbind. The module receives the Kerberos principal and the local account name as inputs and can then check if they match. This can resolve issues with canonicalized names returned by Kerberos within AD. If the user tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase), Kerberos would return ALICE as the username. Kerberos would not be able to map 'alice' to 'ALICE' in this case and auth would fail. With this plugin account names can be correctly mapped. This only applies to GSSAPI authentication, not for getting the initial ticket granting ticket.
VFS audit modules
The vfs_full_audit module has changed its default set of monitored successful and failed operations from "all" to "none". That helps to prevent potential denial of service caused by simple addition of the module to the VFS objects.
Also, modules vfs_audit, vfs_ext_audit and vfs_full_audit now accept any valid syslog(3) facility, in accordance with the manual page.
Database audit support
Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log entries.
Transaction commits and roll backs are now logged to Samba's debug logs under the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for JSON formatted log entries.
Password change audit support
Password changes in the AD DC are now logged to Samba's debug logs under the "dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON formatted log entries.
Group membership change audit support
Group membership changes on the AD DC are now logged to Samba's debug log under the "dsdb_group_audit" debug class and "dsdb_group_json_audit" for JSON formatted log entries.
Log Authentication duration
For NTLM and Kerberos KDC authentication, the authentication duration is now logged. Note that the duration is only included in the JSON formatted log entries.
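Detection logic for the database, password-change and group-membership audit entries described above, as an added example that is not part of Samba. It scans log lines, pulls out the JSON document written under the *_json_audit classes and raises alerts for additions to privileged groups, denied group changes and administrative password resets. The sample lines, the privileged-group list and every field name (type, groupChange, passwordChange, action, group, user, status, remoteAddress) are constructed assumptions modelled on the JSON format; check them against your own logs before relying on the rules.

```python
import json
import re
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Optional

# Constructed list of groups whose membership changes always warrant review.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}

# Constructed sample lines in the shape of the JSON entries written under the
# dsdb_group_json_audit and dsdb_password_json_audit classes. The prefixes and
# field names are assumptions modelled on that format; line 1 is the kind of
# debug header that precedes an entry and carries no JSON.
SAMPLE_LINES = [
    "[2024/05/01 10:00:00.000000,  5, class=dsdb_group_json_audit]",
    'JSON Group change: {"timestamp": "2024-05-01T10:00:00.000000+0000", "type": "groupChange", '
    '"groupChange": {"version": {"major": 1, "minor": 1}, "statusCode": 0, "status": "Success", '
    '"user": "CN=alice,CN=Users,DC=samdom,DC=example,DC=com", '
    '"group": "CN=Sales,CN=Users,DC=samdom,DC=example,DC=com", "action": "Added", '
    '"remoteAddress": "ipv4:10.0.0.20:49321", "sessionId": "s1", "transactionId": "t1"}}',
    'JSON Group change: {"timestamp": "2024-05-01T10:02:13.000000+0000", "type": "groupChange", '
    '"groupChange": {"version": {"major": 1, "minor": 1}, "statusCode": 0, "status": "Success", '
    '"user": "CN=bob,CN=Users,DC=samdom,DC=example,DC=com", '
    '"group": "CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com", "action": "Added", '
    '"remoteAddress": "ipv4:10.0.0.77:50111", "sessionId": "s2", "transactionId": "t2"}}',
    'JSON Password change: {"timestamp": "2024-05-01T10:05:40.000000+0000", "type": "passwordChange", '
    '"passwordChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", '
    '"user": "CN=carol,CN=Users,DC=samdom,DC=example,DC=com", "action": "Reset", '
    '"remoteAddress": "ipv4:10.0.0.77:50112", "sessionId": "s3", "transactionId": "t3"}}',
    'JSON Group change: {"timestamp": "2024-05-01T10:09:02.000000+0000", "type": "groupChange", '
    '"groupChange": {"version": {"major": 1, "minor": 1}, "statusCode": 50, '
    '"status": "Insufficient access rights", '
    '"user": "CN=dave,CN=Users,DC=samdom,DC=example,DC=com", '
    '"group": "CN=Schema Admins,CN=Users,DC=samdom,DC=example,DC=com", "action": "Added", '
    '"remoteAddress": "ipv4:10.0.0.91:51002", "sessionId": "s4", "transactionId": "t4"}}',
]


@dataclass(frozen=True)
class Alert:
    line_no: int
    severity: str
    reason: str
    user: str
    remote: str


# First RDN value of a DN; a backslash-escaped comma stays inside the value.
_LEADING_CN = re.compile(r"^CN=((?:\\.|[^,])*)", re.IGNORECASE)


def leading_cn(dn: str) -> str:
    """'CN=Domain Admins,CN=Users,DC=...' -> 'domain admins' (lowercased for matching)."""
    m = _LEADING_CN.match(dn)
    return (m.group(1).replace("\\,", ",") if m else dn).lower()


def parse_entry(line: str) -> Optional[Dict[str, Any]]:
    """Return the JSON object embedded in one log line, or None if there is none."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        doc = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    return doc if isinstance(doc, dict) else None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Apply the detection rules to a stream of log lines and return the alerts."""
    alerts: List[Alert] = []
    for n, line in enumerate(lines, 1):
        entry = parse_entry(line)
        if not entry:
            continue
        kind = entry.get("type")
        body = entry.get(kind) if kind else None
        if not isinstance(body, dict):
            continue
        user, remote = body.get("user", "?"), body.get("remoteAddress", "?")
        status, action = body.get("status"), body.get("action")
        if kind == "groupChange":
            group = leading_cn(body.get("group", ""))
            if status != "Success":
                # A denied change is itself worth a look: who tried, from where.
                alerts.append(Alert(n, "medium", f"denied group change on '{group}': {status}", user, remote))
            elif group in PRIVILEGED_GROUPS:
                sev = "high" if action == "Added" else "medium"
                alerts.append(Alert(n, sev, f"{action} in privileged group '{group}'", user, remote))
        elif kind == "passwordChange" and status == "Success" and action == "Reset":
            # A reset is administrator-initiated, unlike a user's own password change.
            alerts.append(Alert(n, "medium", "administrative password reset", user, remote))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LINES):
        print(f"line {a.line_no} [{a.severity}] {a.reason}: user={a.user} from={a.remote}")
```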
JSON library Jansson required for the AD DC
By default, the Jansson JSON library is required for Samba to build. It is strictly required for the Samba AD DC, and is optional for builds "--without-ad-dc" by specifying "--without-json-audit" at configure time.
New Experimental LMDB LDB backend
A new Experimental LDB backend using LMDB is now available. This allows databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be increased in a future release). To enable lmdb, provision or join a domain using the "--backend-store=mdb" option.
This requires that a version of lmdb greater than 0.9.16 is installed and that samba has not been built with the "--without-ldb-lmdb" option.
Please note this is an experimental feature and is not recommended for production deployments.
Password Settings Objects
Support has been added for Password Settings Objects (PSOs). This AD feature is also known as Fine-Grained Password Policies (FGPP).
PSOs allow AD administrators to override the domain password policy settings for specific users, or groups of users. For example, PSOs can force certain users to have longer password lengths, or relax the complexity constraints for other users, and so on. PSOs can be applied to groups or to individual users. When multiple PSOs apply to the same user, essentially the PSO with the best precedence takes effect.
PSOs can be configured and applied to users/groups using the 'samba-tool domain passwordsettings pso' set of commands.
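The "best precedence" rule above, carried through as an added example that is not part of Samba. It goes slightly beyond the text by implementing the full AD resolution order for a user's resultant PSO: a PSO linked directly to the user beats any group-linked one, the lowest msDS-PasswordSettingsPrecedence wins among the candidates, a tie goes to the smallest objectGUID, and nested group membership counts. The users, groups, PSOs and GUIDs are constructed.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int             # msDS-PasswordSettingsPrecedence: the lower value wins
    guid: uuid.UUID             # objectGUID: used only to break a precedence tie
    applies_to: FrozenSet[str]  # msDS-PSOAppliesTo: user and/or group DNs
    min_length: int             # msDS-MinimumPasswordLength, one of the settings a PSO overrides


def expand_groups(direct: Set[str], member_of: Dict[str, Set[str]]) -> Set[str]:
    """Walk nested membership upwards so a PSO linked to a parent group also
    reaches users whose membership is only through a nested group."""
    seen: Set[str] = set()
    todo = list(direct)
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(member_of.get(g, ()))
    return seen


def effective_pso(user_dn: str, groups: Set[str], psos: List[PSO]) -> Optional[PSO]:
    """The PSO in force for a user (what AD exposes as msDS-ResultantPSO);
    None means the domain-wide password policy applies."""
    direct = [p for p in psos if user_dn in p.applies_to]
    # A PSO linked to the user itself always beats one linked through a group.
    candidates = direct or [p for p in psos if p.applies_to & groups]
    if not candidates:
        return None
    # Lowest precedence wins; a tie goes to the smallest GUID (compared here
    # by integer value), which is AD's documented tie-break.
    return min(candidates, key=lambda p: (p.precedence, p.guid.int))


# Constructed directory: users and groups under one container, one nested group.
BASE = "CN=Users,DC=samdom,DC=example,DC=com"


def dn(cn: str) -> str:
    return f"CN={cn},{BASE}"


ADMINS, SALES, IT = dn("Admins"), dn("Sales"), dn("IT")
MEMBER_OF = {IT: {ADMINS}}   # IT is a member of Admins

PSOS = [
    PSO("StrictAdmins", 10, uuid.UUID(int=3), frozenset({ADMINS}), 16),
    PSO("RelaxedSales", 5, uuid.UUID(int=2), frozenset({SALES}), 8),
    PSO("SalesTie", 5, uuid.UUID(int=9), frozenset({SALES}), 12),   # same precedence as RelaxedSales
    PSO("BobOnly", 100, uuid.UUID(int=1), frozenset({dn("bob")}), 20),
]


def resolve(user_cn: str, direct_groups: Set[str]) -> Optional[str]:
    """Name of the PSO in force for a constructed user, or None for the domain policy."""
    pso = effective_pso(dn(user_cn), expand_groups(direct_groups, MEMBER_OF), PSOS)
    return pso.name if pso else None


if __name__ == "__main__":
    for who, grp in [("bob", {ADMINS, SALES}), ("alice", {ADMINS, SALES}), ("carol", {IT}), ("dave", set())]:
        print(f"{who}: {resolve(who, grp) or 'domain policy'}")
```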
Domain backup and restore
A new 'samba-tool' command has been added that allows administrators to create a backup-file of their domain DB. In the event of a catastrophic failure of the domain, this backup-file can be used to restore Samba services.
The new 'samba-tool domain backup online' command takes a snapshot of the domain DB from a given DC. In the event of a catastrophic DB failure, all DCs in the domain should be taken offline, and the backup-file can then be used to recreate a fresh new DC, using the 'samba-tool domain backup restore' command. Once the backed-up domain DB has been restored on the new DC, other DCs can then subsequently be joined to the new DC, in order to repopulate the Samba network.
Domain rename tool
Basic support has been added for renaming a Samba domain. The rename feature is designed for the following cases:
- Running a temporary alternate domain, in the event of a catastrophic failure of the regular domain. Using a completely different domain name and realm means that the original domain and the renamed domain can both run at the same time, without interfering with each other. This is an advantage over creating a regular 'online' backup - it means the renamed/alternate domain can provide core Samba network services, while trouble-shooting the fault on the original domain can be done in parallel.
- Creating a realistic lab domain or pre-production domain for testing.
Note that the rename tool is currently not intended to support a long-term rename of the production domain. Currently, renaming the GPOs is not supported and would need to be done manually.
The domain rename is done in two steps:
- first, the 'samba-tool domain backup rename' command will clone the domain DB, renaming it in the process, and producing a backup-file.
- Then, the 'samba-tool domain backup restore' command takes the backup-file and restores the renamed DB to disk on a fresh DC.
New samba-tool options for diagnosing DRS replication issues
The 'samba-tool drs showrepl' command has two new options controlling the output. With --summary, the command says very little when DRS replication is working well. With --json, JSON is produced. These options are intended for human and machine audiences, respectively.
The 'samba-tool visualize uptodateness' visualizes replication lag as a heat-map matrix based on the DRS uptodateness vectors. This will show you if (but not why) changes are failing to replicate to some DCs.
Automatic site coverage and GetDCName improvements
Samba's AD DC now automatically claims otherwise empty sites based on which DC is the nearest in the replication topology.
This, combined with efforts to correctly identify the client side in the GetDCName Netlogon call, will improve service to sites without a local DC.
Improved 'samba-tool computer' command
The 'samba-tool computer' command allows manipulation of computer accounts, including creating a new computer and resetting the password. This allows an 'offline join' of a member server or workstation to the Samba AD domain.
New 'samba-tool ou' command
The new 'samba-tool ou' command allows organizational units to be managed.
Available subcommands are:
create - Create an organizational unit.
delete - Delete an organizational unit.
list - List all organizational units.
listobjects - List all objects in an organizational unit.
move - Move an organizational unit.
rename - Rename an organizational unit.
In addition to the ou commands, there are new subcommands for the user and group management, which can make use of the organizational units:
group move - Move a group to an organizational unit/container.
user move - Move a user to an organizational unit/container.
user show - Display a user AD object.
Samba performance tool now operates against Microsoft Windows AD
The Samba AD performance testing tool 'traffic_replay' can now operate against a Windows based AD domain. Previously it only operated correctly against Samba.
DNS entries are now cleaned up during DC demote
DNS records are now cleaned up as part of 'samba-tool domain demote', including both the default and '--remove-other-dead-server' modes.
Additionally, DNS records can be automatically cleaned up for a given name with the 'samba-tool dns cleanup' command, which aids in cleaning up partially removed DCs.
samba-tool ntacl sysvolreset is now much faster
The 'samba-tool ntacl sysvolreset' command, used on the Samba AD DC, is now much faster than in previous versions, after an internal rework.
Samba now tested with CI GitLab
Samba developers now have pre-commit testing available in GitLab, giving reviewers confidence that the submitted patches pass a full CI before being submitted to the Samba Team's own autobuild system.
Dynamic DNS record scavenging support
It is now possible to enable scavenging of DNS Zones to remove DNS records that were dynamically created and have not been touched in some time.
This support should however only be enabled on new zones or new installations. Sadly old Samba versions suffer from BUG #12451 and mark dynamic DNS records as static and static records as dynamic. While a dbcheck rule may be able to find these in the future, currently a reliable test has not been devised.
Finally, there is not currently a command-line tool to enable this feature; currently it should be enabled from the DNS Manager tool on Windows. Also, the feature needs to have been enabled by setting the smb.conf parameter "dns zone scavenging = yes".
Improved support for trusted domains (as AD DC)
The support for trusted domains/forests has been further improved.
External domain trusts, as well as transitive forest trusts, are supported in both directions (inbound and outbound) for Kerberos and NTLM authentication.
The following features are new in 4.9 (compared to 4.8):
- It's now possible to add users/groups of a trusted domain into domain groups. The group memberships are expanded on trust boundaries.
- foreignSecurityPrincipal objects (FPO) are now automatically created when members (as SID) of a trusted domain/forest are added to a group.
- The 'samba-tool group *members' commands allow members to be specified as foreign SIDs.
However there are currently still a few limitations:
- Both sides of the trust need to fully trust each other!
- No SID filtering rules are applied at all!
- This means DCs of domain A can grant domain admin rights in domain B.
- Selective (CROSS_ORGANIZATION) authentication is not supported. It's possible to create such a trust, but the KDC and winbindd ignore them.
- Samba can still only operate in a forest with just one single domain.
CTDB changes
There are many changes to CTDB in this release.
- Configuration has been completely overhauled
- Daemon and tool options are now specified in a new ctdb.conf Samba-style configuration file. See ctdb.conf(5) for details.
- Event script configuration is no longer specified in the top-level configuration file. It can now be specified per event script. For example, configuration options for the 50.samba event script can be placed alongside the event script in a file called 50.samba.options. Script options can also be specified in a new script.options file. See ctdb-script.options(5) for details.
- Options that affect CTDB startup should be configured in the distribution-specific configuration file. See ctdb.sysconfig(5) for details.
- Tunable settings are now loaded from ctdb.tunables. Using CTDB_SET_TunableVariable=<value> in the main configuration file is no longer supported. See ctdb-tunables(7) for details.
- An example script to migrate an old-style configuration to the new style is available in ctdb/doc/examples/config_migrate.sh.
- The following configuration variables and corresponding ctdbd command-line options have been removed and not replaced with counterparts in the new configuration scheme:
CTDB_PIDFILE                      --pidfile
CTDB_SOCKET                       --socket
CTDB_NODES                        --nlist
CTDB_PUBLIC_ADDRESSES             --public-addresses
CTDB_EVENT_SCRIPT_DIR             --event-script-dir
CTDB_NOTIFY_SCRIPT                --notification-script
CTDB_PUBLIC_INTERFACE             --public-interface
CTDB_MAX_PERSISTENT_CHECK_ERRORS  --max-persistent-check-errors
- ify.d/ subdirectory of the configuration directory are now run unconditionally.
- Interfaces for public IP addresses must always be specified in the public_addresses file using the currently supported format.
- Some related items that have been removed are:
- The ctdb command's --socket command-line option
- The ctdb command's CTDB_NODES environment variable
- When writing tests there are still mechanisms available to change the locations of certain directories and files.
- The following ctdbd.conf and ctdbd options have been replaced by new ctdb.conf options:
CTDB_LOGGING/--logging                       logging -> location
CTDB_DEBUGLEVEL/-d                           logging -> log level
CTDB_TRANSPORT/--transport                   cluster -> transport
CTDB_NODE_ADDRESS/--listen                   cluster -> node address
CTDB_RECOVERY_LOCK/--reclock                 cluster -> recovery lock
CTDB_DBDIR/--dbdir                           database -> volatile database directory
CTDB_DBDIR_PERSISTENT/--dbdir-persistent     database -> persistent database directory
CTDB_DBDIR_STATE/--dbdir-state               database -> state database directory
CTDB_DEBUG_LOCKS                             database -> lock debug script
CTDB_DEBUG_HUNG_SCRIPT                       event -> debug script
CTDB_NOSETSCHED/--nosetsched                 legacy -> realtime scheduling
CTDB_CAPABILITY_RECMASTER/--no-recmaster     legacy -> recmaster capability
CTDB_CAPABILITY_LMASTER/--no-lmaster         legacy -> lmaster capability
CTDB_START_AS_STOPPED/--start-as-stopped     legacy -> start as stopped
CTDB_START_AS_DISABLED/--start-as-disabled   legacy -> start as disabled
CTDB_SCRIPT_LOG_LEVEL/--script-log-level     legacy -> script log level
- Event scripts have moved to the scripts/legacy subdirectory of the configuration directory
- Event scripts must now end with a ".script" suffix.
- The "ctdb event" command has changed in 2 ways:
  - A component is now required for all commands. In this release the only valid component is "legacy".
  - There is no longer a default event when running "ctdb event status". Listing the status of the "monitor" event is now done via:
    ctdb event status legacy monitor
  See ctdb(1) for details.
- The following service-related event script options have been removed:
CTDB_MANAGES_SAMBA
CTDB_MANAGES_WINBIND
CTDB_MANAGES_CLAMD
CTDB_MANAGES_HTTPD
CTDB_MANAGES_ISCSI
CTDB_MANAGES_NFS
CTDB_MANAGES_VSFTPD
CTDB_MANAGED_SERVICES
- Event scripts for services are now disabled by default. To enable an event script and, therefore, manage a service use a command like the following:
ctdb event script enable legacy 50.samba
- Notification scripts have moved to the scripts/notification subdirectory of the configuration directory
- Notification scripts must now end with a ".script" suffix.
- Support for setting CTDB_DBDIR=tmpfs has been removed
- This feature has not been implemented in the new configuration system. If this is desired then a tmpfs filesystem should be manually mounted on the directory pointed to by the "volatile database directory" option. See ctdb.conf(5) for more details.
- The following tunable options are now ctdb.conf options:
DisabledIPFailover   failover -> disabled
TDBMutexEnabled      database -> tdb mutexes
- Support for the NoIPHostOnAllDisabled tunable has been removed
- If all nodes are unhealthy or disabled then CTDB will not host public IP addresses. That is, CTDB now behaves as if NoIPHostOnAllDisabled were set to 1.
- The onnode command's CTDB_NODES_FILE environment variable has been removed
- The -f option can still be used to specify an alternate node file.
- The 10.external event script has been removed
- The CTDB_SHUTDOWN_TIMEOUT configuration variable has been removed
- As with other daemons, if ctdbd does not shut down when requested then manual intervention is required. There is no safe way of automatically killing ctdbd after a failed shutdown.
- The CTDB_SUPPRESS_COREFILE and CTDB_MAX_OPEN_FILES configuration variables have been removed
- These should be setup in the systemd unit/system file or, for SYSV init, in the distribution-specific configuration file for the ctdb service.
- CTDB_PARTIALLY_ONLINE_INTERFACES incompatibility no longer enforced
- 11.natgw and 91.lvs will no longer fail if CTDB_PARTIALLY_ONLINE_INTERFACES=yes. The incompatibility is, however, well documented. This option will be removed in future and replaced by sensible behaviour where public IP addresses simply switch interfaces or become unavailable when interfaces are down.
- Configuration file /etc/ctdb/sysconfig/ctdb is no longer supported
GPO Improvements
The 'samba_gpoupdate' command (used in applying Group Policies to the samba machine itself) has been renamed to 'samba_gpupdate' and had the syntax changed to better match the same tool on Windows.
REMOVED FEATURES
smb.conf changes
As the most popular Samba install platforms (Linux and FreeBSD) both support extended attributes by default, the parameters "map readonly", "store dos attributes" and "ea support" have had their defaults changed to allow better Windows fileserver compatibility in a default install.
Parameter Name         Description       Default
--------------         -----------       -------
map readonly           Default changed   no
store dos attributes   Default changed   yes
ea support             Default changed   yes
full_audit:success     Default changed   none
full_audit:failure     Default changed   none
VFS interface changes
The VFS ABI interface version has changed to 39. Function changes are:
- SMB_VFS_FSYNC: Removed: Only async versions are used.
- SMB_VFS_READ: Removed: Only PREAD or async versions are used.
- SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
- SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
- SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.
Any external VFS modules will need to be updated to match these changes in order to work with 4.9.x.
Samba 4.8
- Release Notes for Samba 4.8.0
- March 13, 2018
Release Announcements
This is the first stable release of the Samba 4.8 release series. Please read the release notes carefully before upgrading.
UPGRADING
New GUID Index mode in sam.ldb for the AD DC
Users who upgrade a Samba AD DC in-place will experience a short delay in the first startup of Samba while the sam.ldb is re-indexed.
Unlike in previous releases a transparent downgrade is not possible. If you wish to downgrade such a DB to a Samba 4.7 or earlier version, please run the source4/scripting/bin/sambaundoguididx script first.
Domain member setups require winbindd
Setups with "security = domain" or "security = ads" require a running 'winbindd' now. The fallback that smbd directly contacts domain controllers is gone.
smbclient reparse point symlink parameters reversed
See the more detailed description below.
Changed trusted domains listing with wbinfo -m --verbose
See the more detailed description below.
NEW FEATURES/CHANGES
New GUID Index mode in sam.ldb for the AD DC
The new layout used for sam.ldb is GUID, rather than DN oriented. This provides Samba's Active Directory Domain Controller with a faster database, particularly at larger scale.
The underlying DB is still TDB, simply the choice of key has changed.
The new mode is not optional, so no configuration is required. Older Samba versions cannot read the new database (see the upgrade note above).
KDC GPO application
Adds Group Policy support for the Samba KDC. Applies password policies (minimum/maximum password age, minimum password length, and password complexity) and Kerberos policies (user/service ticket lifetime and renew lifetime).
Adds the samba_gpoupdate script for applying and unapplying policy. Can be applied automatically by setting
'apply group policies = yes'.
Time Machine Support with vfs_fruit
Samba can be configured as a Time Machine target for Apple Mac devices through the vfs_fruit module. When enabling a share for Time Machine support the relevant Avahi records to support discovery will be published for installations that have been built against the Avahi client library.
Shares can be designated as a Time Machine share with the following setting:
'fruit:time machine = yes'
Support for lower casing the MDNS Name
Allows the server name that is advertised through MDNS to be set to the hostname rather than the Samba NETBIOS name. This allows an administrator to make Samba registered MDNS records match the case of the hostname rather than being in all capitals.
This can be set with the following settings:
'mdns name = mdns'
Encrypted secrets
Attributes deemed to be sensitive are now encrypted on disk. The sensitive values are currently:
pekList
msDS-ExecuteScriptPassword
currentValue
dBCSPwd
initialAuthIncoming
initialAuthOutgoing
lmPwdHistory
ntPwdHistory
priorValue
supplementalCredentials
trustAuthIncoming
trustAuthOutgoing
unicodePwd
clearTextPassword
This encryption is enabled by default on a new provision or join; it can be disabled at provision or join time with the new option '--plaintext-secrets'.
However, an in-place upgrade will not encrypt the database.
Once encrypted, it is not possible to do an in-place downgrade (eg to 4.7) of the database. To obtain an unencrypted copy of the database a new DC join should be performed, specifying the '--plaintext-secrets' option.
The key file "encrypted_secrets.key" is created in the same directory as the database and should NEVER be disclosed. It is included by the samba_backup script.
Active Directory replication visualisation
To work out what is happening in a replication graph, it is sometimes helpful to use visualisations. We introduce a samba-tool subcommand to write Graphviz dot output and generate text-based heatmaps of the distance in hops between DCs.
There are two subcommands, two graphical modes, and (roughly) two modes of operation with respect to the location of authority.
- 'samba-tool visualize ntdsconn' looks at NTDS Connections.
- 'samba-tool visualize reps' looks at repsTo and repsFrom objects.
In '--distance' mode (default), the distances between DCs are shown in a matrix in the terminal. With '--color=yes', this is depicted as a heatmap. With '--utf8' it is a little prettier.
In '--dot' mode, Graphviz dot output is generated. When viewed using dot or xdot, this shows the network as a graph with DCs as vertices and connections as edges. Certain types of degenerate edges are shown in different colours or line-styles.
smbclient reparse point symlink parameters reversed
A bug in smbclient caused the 'symlink' command to reverse the meaning of the new name and link target parameters when creating a reparse point symlink against a Windows server. As this is a little used feature the ordering of these parameters has been reversed to match the parameter ordering of the UNIX extensions 'symlink' command. The usage message for this command has also been improved to remove confusion.
Winbind changes
The dependency on the global list of trusted domains within the winbindd processes has been reduced a lot.
The construction of that global list is not reliable and often incomplete in complex trust setups. In most situations the list is not needed any more for winbindd to operate correctly. E.g. for plain file serving via SMB using a simple idmap setup with autorid, tdb or ad. However some more complex setups require the list, e.g. if you specify idmap backends for specific domains. Some pam_winbind setups may also require the global list.
If you have a setup that doesn't require the global list, you should set "winbind scan trusted domains = no".
Improved support for trusted domains (as AD DC)
The support for trusted domains/forests has improved a lot.
External domain trusts, as well as transitive forest trusts, are now supported in both directions (inbound and outbound) for Kerberos and NTLM authentication.
The LSA LookupNames and LookupSids implementations now support resolving names and SIDs from trusted domains/forests. This is important in order to allow Samba based domain members to make use of the trust.
However there are currently still a few limitations:
- It's not possible to add users/groups of a trusted domain into domain groups. So group memberships are not expanded on trust boundaries.
- Both sides of the trust need to fully trust each other!
- No SID filtering rules are applied at all!
- This means DCs of domain A can grant domain admin rights in domain B.
- Selective (CROSS_ORGANIZATION) authentication is not supported. It's possible to create such a trust, but the KDC and winbindd ignore them.
Changed trusted domains listing with wbinfo -m --verbose
The trust properties printed by wbinfo -m --verbose have been changed to correctly reflect the view of the system where wbinfo is executed.
The trust type field in particular can show additional values that correctly reflect the type of the trust: "Local" for the local SAM and BUILTIN, "Workstation" for a workstation trust to the primary domain, "RWDC" for the SAM on an AD DC, "RODC" for the SAM on a read-only DC, "PDC" for the SAM on an NT4-style DC, "Forest" for an AD forest trust and "External" for quarantined, external or NT4-style trusts.
Indirect trusts are shown as "Routed" including the routing domain.
Example, on an AD DC (SDOM1):
Domain Name  DNS Domain           Trust Type          Transitive  In   Out
BUILTIN                           Local
SDOM1        sdom1.site           RWDC
WDOM3        wdom3.site           Forest              Yes         No   Yes
WDOM2        wdom2.site           Forest              Yes         Yes  Yes
SUBDOM31     subdom31.wdom3.site  Routed (via WDOM3)
SUBDOM21     subdom21.wdom2.site  Routed (via WDOM2)
Same setup, on a member of WDOM2:
Domain Name  DNS Domain           Trust Type          Transitive  In   Out
BUILTIN                           Local
TITAN                             Local
WDOM2        wdom2.site           Workstation         Yes         No   Yes
WDOM1        wdom1.site           Routed (via WDOM2)
WDOM3        wdom3.site           Routed (via WDOM2)
SUBDOM21     subdom21.wdom2.site  Routed (via WDOM2)
SDOM1        sdom1.site           Routed (via WDOM2)
SUBDOM11     subdom11.wdom1.site  Routed (via WDOM2)
The list of trusts may be incomplete and additional domains may appear as "Routed" if a user of an unknown domain is successfully authenticated.
VirusFilter VFS module
This new module integrates with Sophos, F-Secure and ClamAV anti-virus software to provide scanning and filtering of files on a Samba share.
REMOVED FEATURES
'net serverid' commands removed
The two commands 'net serverid list' and 'net serverid wipe' have been removed, because the file serverid.tdb is not used anymore.
'net serverid list' can be replaced by listing all files in the subdirectory "msg.lock" of Samba's "lock directory". The unique id listed by 'net serverid list' is stored in every process' lockfile in "msg.lock".
'net serverid wipe' is not necessary anymore. It was meant primarily for clustered environments, where the serverid.tdb file was not properly cleaned up after single node crashes. Nowadays smbd and winbind take care of cleaning up the msg.lock and msg.sock directories automatically.
NT4-style replication based net commands removed
The following commands and sub-commands have been removed from the "net" utility:
- net rpc samdump
- net rpc vampire ldif
Also, replicating from a real NT4 domain with "net rpc vampire" and "net rpc vampire keytab" has been removed.
The NT4-based commands were accidentally broken in 2013, and nobody noticed the breakage. So instead of fixing them including tests (which would have meant writing a server for the protocols, which we don't have) we decided to remove them.
For the same reason, the "samsync", "samdeltas" and "database_redo" commands have been removed from rpcclient.
"net rpc vampire keytab" from Active Directory domains continues to be supported.
vfs_aio_linux module removed
The current Linux kernel aio does not match what Samba would do. Shipping code that uses it leads people to false assumptions. Samba implements async I/O based on threads by default; there is no special module required to see the benefits of read and write requests being sent to the disk in parallel.
smb.conf changes
Parameter Name                  Description                  Default
--------------                  -----------                  -------
apply group policies            New                          no
auth methods                    Removed
binddns dir                     New
client schannel                 Default changed/Deprecated   yes
gpo update command              New
ldap ssl ads                    Deprecated
map untrusted to domain         Removed
oplock contention limit         Removed
prefork children                New                          1
mdns name                       New                          netbios
fruit:time machine              New                          false
profile acls                    Removed
use spnego                      Removed
server schannel                 Default changed/Deprecated   yes
unicode                         Deprecated
winbind scan trusted domains    New                          yes
winbind trusted domains only    Removed
Samba 4.7
- Release Notes for Samba 4.7.0
- September 20, 2017
Release Announcements
This is the first stable release of Samba 4.7.
Please read the release notes carefully before upgrading.
UPGRADING
smbclient changes
'smbclient' no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]' banner when connecting to the first server. With SMB2 and Kerberos there's no way to print this information reliably, so it is now avoided altogether and consistently. In an interactive session the following banner is now presented to the user: 'Try "help" to get a list of possible commands.'.
The default for "client max protocol" has changed to "SMB3_11", which means that 'smbclient' (and related commands) will work against servers without SMB1 support.
It's possible to use the '-m/--max-protocol' option to override the "client max protocol" option temporarily.
Note that the '-e/--encrypt' option also works with most SMB3 servers (e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions are not required for encryption.
The change to SMB3_11 as default also means smbclient no longer negotiates SMB1 unix extensions by default, when talking to a Samba server with "unix extensions = yes". As a result, some commands are not available, e.g. 'posix_encrypt', 'posix_open', 'posix_mkdir', 'posix_rmdir', 'posix_unlink', 'posix_whoami', 'getfacl' and 'symlink'. Using "-mNT1" re-enables them, if the server supports SMB1.
- Note: the default ("CORE") for "client min protocol" hasn't changed, so it's still possible to connect to SMB1-only servers by default.
'smbclient' learned a new command 'deltree' that is able to do a recursive deletion of a directory tree.
NEW FEATURES/CHANGES
Whole DB read locks: Improved LDAP and replication consistency
Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba erroneously did not take whole-DB read locks to protect search and DRS replication operations.
While each object returned remained subject to a record-level lock (so would remain consistent to itself), under a race condition with a rename or delete, it and any links (like the member attribute) to it would not be returned.
The symptoms of this issue include:
- Replication failures with this error showing in the client side logs:
  error during DRS repl ADD: No objectClass found in replPropertyMetaData for
  Failed to commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
- A crash of the server, in particular the rpc_server process, with:
  INTERNAL ERROR: Signal 11
- LDAP read inconsistency:
  - A DN subject to a search at the same time as it is being renamed may not appear under either the old or new name, but will re-appear for a subsequent search.
See BUG #12858 for more details and updated advice on database recovery for affected installations.
Samba AD with MIT Kerberos
After four years of development, Samba finally supports compiling and running Samba AD with MIT Kerberos. You can enable it with:
./configure --with-system-mitkrb5
Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support. The krb5-devel and krb5-server packages are required. The feature set is not on par with the Heimdal build, but the most important things, like forest and external trusts, are working. Samba uses the KDC binary provided by MIT Kerberos.
Missing features, compared to Heimdal, are:
- PKINIT support
- S4U2SELF/S4U2PROXY support
- RODC support (not fully working with Heimdal either)
The Samba AD process will take care of starting the MIT KDC and it will load a KDB (Kerberos Database) driver to access the Samba AD database. When provisioning an AD DC using 'samba-tool' it will take care of creating a correct kdc.conf file for the MIT KDC.
For further details, see:
Dynamic RPC port range
The dynamic port range for RPC services has been changed from the old default value "1024-1300" to "49152-65535". This port range is not only used by a Samba AD DC but also applies to all other server roles including NT4-style domain controllers. The new value has been defined by Microsoft in Windows Server 2008 and newer versions. To make it easier for Administrators to control those port ranges we use the same default and make it configurable with the option: "rpc server dynamic port range".
The "rpc server port" option sets the first available port from the new "rpc server dynamic port range" option. The option "rpc server port" only applies to Samba provisioned as an AD DC.
Authentication and Authorization audit support
Detailed authentication and authorization audit information is now logged to Samba's debug logs under the "auth_audit" debug class, including in particular the client IP address triggering the audit line. Additionally, if Samba is compiled against the jansson JSON library, a JSON representation is logged under the "auth_json_audit" debug class.
Audit support is comprehensive for all authentication and authorisation of user accounts in the Samba Active Directory Domain Controller, as well as the implicit authentication in password changes. In the file server and classic/NT4 domain controller, NTLM authentication, SMB and RPC authorization is covered, however password changes are not at this stage, and this support is not currently backed by a testsuite.
For further details, see:
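The JSON form of the audit trail is what makes this useful for detection, because each line carries the client address and the status code as structured fields rather than free text. The following is an added example, not Samba code: it parses constructed log lines written in the shape of "auth_json_audit" output (a "JSON Authentication: " prefix followed by one JSON object with a top-level "type" and "timestamp" and a nested "Authentication" object). The field names used ("status", "remoteAddress", "clientAccount", "passwordType") and the sample lines themselves are assumptions made for the example, not copied from the page; it flags sources that fail repeatedly inside a time window and successful logons that still used NTLMv1.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the shape of Samba's auth_json_audit output.
# Field names are assumptions for this example; a non-JSON debug line and an
# "Authorization" record are included to show that both are skipped.
SAMPLE_LOG = """\
JSON Authentication: {"timestamp": "2017-10-01T10:00:01.000000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.77:50123", "serviceDescription": "SMB2", "clientDomain": "EXAMPLE", "clientAccount": "alice", "passwordType": "NTLMv2"}}
[2017/10/01 10:00:03.000000,  3] ../source3/smbd/process.c: Transaction 12 of length 170
JSON Authentication: {"timestamp": "2017-10-01T10:00:05.000000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.77:50124", "serviceDescription": "SMB2", "clientDomain": "EXAMPLE", "clientAccount": "alice", "passwordType": "NTLMv2"}}
JSON Authentication: {"timestamp": "2017-10-01T10:00:09.000000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.77:50125", "serviceDescription": "SMB2", "clientDomain": "EXAMPLE", "clientAccount": "bob", "passwordType": "NTLMv2"}}
JSON Authentication: {"timestamp": "2017-10-01T10:00:14.000000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "remoteAddress": "ipv4:192.0.2.77:50126", "serviceDescription": "SMB2", "clientDomain": "EXAMPLE", "clientAccount": "admin", "passwordType": "NTLMv2"}}
JSON Authentication: {"timestamp": "2017-10-01T10:00:20.000000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.0.2.77:50127", "serviceDescription": "SMB2", "clientDomain": "EXAMPLE", "clientAccount": "bob", "passwordType": "NTLMv2"}}
JSON Authentication: {"timestamp": "2017-10-01T10:01:00.000000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.0.0.9:49876", "serviceDescription": "SMB2", "clientDomain": "EXAMPLE", "clientAccount": "bob", "passwordType": "NTLMv2"}}
JSON Authentication: {"timestamp": "2017-10-01T10:01:30.000000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.0.0.9:49877", "serviceDescription": "SMB2", "clientDomain": "EXAMPLE", "clientAccount": "bob", "passwordType": "NTLMv2"}}
JSON Authorization: {"timestamp": "2017-10-01T10:01:30.100000+0000", "type": "Authorization", "Authorization": {"serviceDescription": "SMB2", "account": "bob", "remoteAddress": "ipv4:10.0.0.9:49877"}}
JSON Authentication: {"timestamp": "2017-10-01T10:02:00.000000+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.0.2.88:51000", "serviceDescription": "SMB2", "clientDomain": "EXAMPLE", "clientAccount": "carol", "passwordType": "NTLMv1"}}
"""


def _event(line):
    """Return the Authentication record on one log line, or None if the line
    carries no JSON object or is a different record type."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        obj = json.loads(line[start:])
    except ValueError:
        return None
    if obj.get("type") != "Authentication" or "Authentication" not in obj:
        return None
    auth = dict(obj["Authentication"])
    auth["time"] = datetime.strptime(obj["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    # remoteAddress is written as "ipv4:192.0.2.77:50123": drop family and port
    addr = auth.get("remoteAddress", "")
    if addr.startswith(("ipv4:", "ipv6:")):
        addr = addr.split(":", 1)[1]
    auth["remoteIp"] = addr.rsplit(":", 1)[0]
    return auth


def parse_auth_events(text):
    """All Authentication records in a chunk of debug log, in file order."""
    return [e for e in (_event(l) for l in text.splitlines()) if e is not None]


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Map remote IP -> sorted list of targeted accounts for every source with
    at least `threshold` failed authentications inside any `window`."""
    failures = defaultdict(list)
    for e in events:
        if e.get("status") != "NT_STATUS_OK":
            failures[e["remoteIp"]].append(e)
    hits = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        lo = 0
        for hi in range(len(evs)):          # sliding window over sorted failures
            while evs[hi]["time"] - evs[lo]["time"] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[ip] = sorted({e["clientAccount"] for e in evs[lo:hi + 1]})
                break
    return hits


def find_legacy_auth(events):
    """(account, ip) pairs for successful logons that still used NTLMv1, the
    traffic 'ntlm auth = ntlmv2-only' would reject."""
    return [(e["clientAccount"], e["remoteIp"]) for e in events
            if e.get("status") == "NT_STATUS_OK" and e.get("passwordType") == "NTLMv1"]


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    print("brute force:", find_brute_force(evs))
    print("NTLMv1 logons:", find_legacy_auth(evs))
```

Run against a real log the same way (`grep 'JSON Authentication' log.samba | python3 -`), and tune the threshold to the lockout policy of the domain: a source that stays one failure below "lockoutThreshold" per account while rotating accounts is exactly what the per-IP count catches and a per-account count misses.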
Multi-process LDAP Server
The LDAP server in the AD DC now honours the process model used for the rest of the 'samba' process, rather than being forced into a single process. This aids in Samba's ability to scale to larger numbers of AD clients and the AD DC's overall resiliency, but will mean that there is a fork()ed child for every LDAP client, which may be more resource intensive in some situations. If you run Samba in a resource-constrained VM, consider allocating more RAM and swap space.
Improved Read-Only Domain Controller (RODC) Support
Support for RODCs in Samba AD until now has been experimental. With this latest version, many of the critical bugs have been fixed and the RODC can be used in DC environments requiring no writable behaviour. RODCs now correctly support bad password lockouts and password disclosure auditing through the msDS-RevealedUsers attribute.
The fixes made to the RWDC will also allow Windows RODC to function more correctly and to avoid strange data omissions such as failures to replicate groups or updated passwords. Password changes are currently rejected at the RODC, although referrals should be given over LDAP. While any bad passwords can trigger domain-wide lockout, good passwords which have not been replicated yet for a password change can only be used via NTLM on the RODC (and not Kerberos).
The reliability of RODCs locating a writable partner still requires some improvements and so the 'password server' configuration option is generally recommended on the RODC.
Samba 4.7 is the first Samba release to be secure as an RODC or when hosting an RODC. If you have been using earlier Samba versions to host or be an RODC, please upgrade.
In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for details on the security implications for password disclosure to an RODC using earlier versions.
Additional password hashes stored in supplementalCredentials
A new config option 'password hash userPassword schemes' has been added to enable generation of SHA-256 and SHA-512 hashes (without storing the plaintext password with reversible encryption). This builds upon previous work to improve password sync for the AD DC (originally using GPG).
The user command of 'samba-tool' has been updated in order to be able to extract these additional hashes, as well as extracting the (HTTP) WDigest hashes that we had also been storing in supplementalCredentials.
Improvements to DNS during Active Directory domain join
The 'samba-tool' domain join command will now add the A and GUID DNS records (on both the local and remote servers) during a join if possible via RPC. This should allow replication to proceed more smoothly post-join.
The mname element of the SOA record will now also be dynamically generated to point to the local read-write server. 'samba_dnsupdate' should now be more reliable as it will now find the appropriate name server even when resolv.conf points to a forwarder.
Significant AD performance and replication improvements
Previously, replication of group memberships was an incredibly expensive process for the AD DC. This was mostly due to unnecessary CPU time being spent parsing member linked attributes. The database now stores these linked attributes in sorted form to perform efficient searches for existing members. In domains with a large number of group memberships, a join can now be completed in half the time compared with Samba 4.6.
LDAP search performance has also improved, particularly in the unindexed search case. Parsing and processing of security descriptors should now be more efficient, improving replication but also overall performance.
Query record for open file or directory
The record attached to an open file or directory in Samba can be queried through the 'net tdb locking' command. In clustered Samba this can be useful to determine the file or directory triggering corresponding "hot" record warnings in ctdb.
Removal of lpcfg_register_defaults_hook()
The undocumented and unsupported function lpcfg_register_defaults_hook() that was used by external projects to call into Samba and modify smb.conf default parameter settings has been removed. If your project was using this call please raise the issue on samba-technical@lists.samba.org in order to design a supported way of obtaining the same functionality.
Change of loadable module interface
The _init function of all loadable modules in Samba has changed from:
NTSTATUS _init(void);
to:
NTSTATUS _init(TALLOC_CTX *);
This allows a program loading a module to pass in a long-lived talloc context (which must be guaranteed to be alive for the lifetime of the module). This allows modules to avoid use of the talloc_autofree_context() (which is inherently thread-unsafe) and still be valgrind-clean on exit. Modules that don't need to free long-lived data on exit should use the NULL talloc context.
Parameter changes
The "strict sync" global parameter has been changed from a default of "no" to "yes". This means smbd will by default obey client requests to synchronize unwritten data in operating system buffers safely onto disk. This is a safer default setting for modern SMB1/2/3 clients.
The 'ntlm auth' option default is renamed to 'ntlmv2-only', reflecting the previous behaviour. Two new values have been provided, 'mschapv2-and-ntlmv2-only' (allowing MSCHAPv2 while denying NTLMv1) and 'disabled', totally disabling NTLM authentication and password changes.
SHA256 LDAPS Certificates
The self-signed certificate generated for use on LDAPS will now be generated with a SHA256 self-signature, not a SHA1 self-signature.
Replacing this certificate with a certificate signed by a trusted CA is still highly recommended.
CTDB changes
- CTDB no longer allows mixed minor versions in a cluster
- See the AllowMixedVersions tunable option in ctdb-tunables(7) and also Upgrading_a_CTDB_cluster#Policy
- CTDB now ignores hints from Samba about TDB flags when attaching to databases
- CTDB will use the correct flags depending on the type of database. For clustered databases, the smb.conf setting dbwrap_tdb_mutexes:*=true will be ignored. Instead, CTDB continues to use the TDBMutexEnabled tunable.
- New configuration variable CTDB_NFS_CHECKS_DIR
- See ctdbd.conf(5) for more details.
- The CTDB_SERVICE_AUTOSTARTSTOP configuration variable has been removed
- To continue to manage/unmanage services while CTDB is running:
- Start service by hand and then flag it as managed
- Mark service as unmanaged and shut it down by hand
- In some cases CTDB does something fancy - e.g. start Samba under "nice", so care is needed. One technique is to disable the eventscript, mark as managed, run the startup event by hand and then re-enable the eventscript.
- The CTDB_SCRIPT_DEBUGLEVEL configuration variable has been removed
- The example NFS Ganesha call-out has been improved
- A new "replicated" database type is available
- Replicated databases are intended for CTDB's internal use to replicate state data across the cluster, but may find other uses. The data in replicated databases is valid for the lifetime of CTDB and cleared on first attach.
Using x86_64 Accelerated AES Crypto Instructions
Samba on x86_64 can now be configured to use the Intel accelerated AES instruction set, which has the potential to make SMB3 signing and encryption much faster on client and server. To enable this, configure Samba using the new option --accel-aes=intelaesni.
This is a temporary solution that is being included to allow users to enjoy the benefits of Intel accelerated AES on the x86_64 platform, but the longer-term solution will be to move Samba to a fully supported external crypto library.
The third_party/aesni-intel code will be removed from Samba as soon as external crypto library performance reaches parity.
The default is to build without setting --accel-aes, which uses the existing Samba software AES implementation.
smb.conf changes
  Parameter Name                      Description              Default
  --------------                      -----------              -------
  allow unsafe cluster upgrade        New parameter            no
  auth event notification             New parameter            no
  auth methods                        Deprecated
  client max protocol                 Effective default        SMB3_11
                                      changed
  map untrusted to domain             New value/               auto
                                      Default changed/
                                      Deprecated
  mit kdc command                     New parameter
  profile acls                        Deprecated
  rpc server dynamic port range       New parameter            49152-65535
  strict sync                         Default changed          yes
  password hash userPassword schemes  New parameter
  ntlm auth                           New values               ntlmv2-only
Samba 4.6
- Release Notes for Samba 4.6.0
- March 7, 2017
Release Announcements
This is the first stable release of Samba 4.6.
Please read the release notes carefully before upgrading.
UPGRADING
ID Mapping
We discovered that the majority of users have an invalid or incorrect ID mapping configuration. We implemented checks in the 'testparm' tool to validate the ID mapping configuration. You should run it and check if it prints any warnings or errors after upgrading! If it does you should fix them. See the 'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage. There are some ID mapping backends which are not allowed to be used for the default backend. Winbind will no longer start if an invalid backend is configured as the default backend.
To avoid problems in future we advise all users to run 'testparm' after changing the smb.conf file!
vfs_fruit option "fruit:resource" spelling correction
Due to a spelling error in the vfs_fruit option parsing for the "fruit:resource" option, users who have set this option in their smb.conf were still using the default setting "fruit:resource = file" as the parser was looking for the string "fruit:ressource" (two "s").
After upgrading to this Samba version 4.6, you MUST either remove the option from your smb.conf or set it to the default "fruit:resource = file", otherwise your macOS clients will not be able to access the resource fork data.
Samba 4.6 accepts both the correct and the incorrect spelling, but the next version, Samba 4.7, will not accept the wrong spelling.
Users who were using the wrong spelling "ressource" with two "s" can keep the setting, but are advised to switch to the correct spelling.
vfs_fruit Netatalk metadata xattr name on *BSD
Users on *BSD must rename the metadata xattr used by vfs_fruit when using the default setting "fruit:metadata = netatalk".
Due to a glitch in the Samba xattr API compatibility layer for FreeBSD and a mistake in vfs_fruit, vfs_fruit ended up using the wrong xattr name when configured with "fruit:metadata = netatalk" (default). Instead of the correct
org.netatalk.Metadata
it used
netatalk.Metadata
Starting with Samba 4.6 vfs_fruit will use the correct "org.netatalk.Metadata", which means existing installations must rename these xattrs. For this purpose Samba now includes a new tool `mvxattr`. See below for further details.
NEW FEATURES/CHANGES
Kerberos client encryption types
Some parts of Samba (most notably winbindd) perform Kerberos client operations based on a Samba-generated krb5.conf file. A new parameter, "kerberos encryption types" allows configuring the encryption types set in this file, thereby allowing the user to enforce strong or legacy encryption in Kerberos exchanges.
The default value of "all" is compatible with previous behavior, allowing all encryption algorithms to be negotiated. Setting the parameter to "strong" only allows AES-based algorithms to be negotiated. Setting the parameter to "legacy" allows only RC4-HMAC-MD5 - the legacy algorithm for Active Directory. This can solve some corner cases of mixed environments with Server 2003R2 and newer DCs.
Printing
Support for uploading printer drivers from newer Windows clients (Windows 10) has been added until our implementation of [MS-PAR] protocol is ready. Several issues with uploading different printing drivers have been addressed.
The OS Version for the printing server has been increased to announce Windows Server 2003 R2 SP2. If a driver needs a newer version then you should check the smb.conf manpage for details.
New option for owner inheritance
The "inherit owner" smb.conf parameter instructs smbd to set the owner of files to be the same as the parent directory's owner. Up until now, this parameter could be set to "yes" or "no". A new option, "unix only", enables this feature only for the UNIX owner of the file, not affecting the SID owner in the Windows NT ACL of the file. This can be used to emulate something very similar to folder quotas.
Multi-process Netlogon support
The Netlogon server in the Samba AD DC can now run as multiple processes. The Netlogon server is a part of the AD DC that handles NTLM authentication on behalf of domain members, including file servers, NTLM-authenticated web servers and 802.1x gateways. The previous restriction to running as a single process has been removed, and it will now run in the same process model as the rest of the 'samba' binary.
As part of this change, the NETLOGON service will now run on a distinct TCP port, rather than being shared with all other RPC services (LSA, SAMR, DRSUAPI etc).
New options for controlling TCP ports used for RPC services
The new 'rpc server port' option controls the default port used for RPC services other than Netlogon. The Netlogon server honours instead the 'rpc server port:netlogon' option. The default value for both these options is the first available port including or after 1024.
AD LDAP and replication performance improvements
Samba's LDB (the database holding the AD directory tree, as seen via LDAP) and our DRSUAPI replication code continues to improve, particularly in respect to the handling of large numbers of objects or linked attributes.
- We now respect an 'uptodateness vector' which will dramatically reduce the over-replication of links from new DCs.
- We have also made the parsing of on-disk linked attributes much more efficient.
- We rely on ldb 1.1.28. This ldb version has improved memory handling for ldb search results, improving poorly indexed and unindexed search result processing speed by around 20%.
DNS improvements
The samba-tool dns subcommand is now much more robust and can delete records in a number of situations where it was not possible to do so in the past.
On the server side, DNS names are now more strictly validated.
CTDB changes
- "ctdb event" is a new top-level command for interacting with event scripts
- "ctdb event status" replaces "ctdb scriptstatus" - the latter is maintained for backward compatibility but the output format has been cleaned up
- "ctdb event run" replaces "ctdb eventscript"
- "ctdb event script enable" replaces "ctdb enablescript"
- "ctdb event script disable" replaces "ctdb disablescript"
The new command "ctdb event script list" lists event scripts.
- CTDB's back-end for running event scripts has been replaced by a separate, long-running daemon ctdbd_eventd.
- Running ctdb interactively will log to stderr
- CTDB logs now include process id for each process
- CTDB tags log messages differently. Changes include:
- ctdb-recoverd: Messages from CTDB's recovery daemon
- ctdb-recovery: Messages from CTDB database recovery
- ctdb-eventd: Messages from CTDB's event daemon
- ctdb-takeover: Messages from CTDB's public IP takeover subsystem
- The mapping between symbolic and numeric debug levels has changed
- Configurations containing numeric debug levels should be updated. Symbolic debug levels are recommended. See the DEBUG LEVEL section of ctdb(7) for details.
- Tunable IPAllocAlgorithm replaces LCP2PublicIPs, DeterministicIPs
- See ctdb-tunables(7) for details.
- CTDB's configuration tunables should be consistently set across a cluster
- This has always been the case for most tunables but this fact is now documented.
- CTDB ships with recovery lock helper call-outs for etcd and Ceph RADOS
- To build/install these, use the "--enable-etcd-reclock" and "--enable-ceph-reclock" configure options.
winbind changes
winbind contains code that tries to emulate the group membership calculation that domain controllers do when a user logs in. This group membership calculation is a very complex process, in particular for domain trust relationship situations. Also, in many scenarios it is impossible for winbind to correctly do this calculation due to access restrictions in the domains: winbind using its machine account simply does not have the rights to ask for an arbitrary user's group memberships.
When a user logs in to a Samba server, the domain controller correctly calculates the user's group memberships authoritatively and makes the information available to the Samba server. This is the only reliable way Samba can get informed about the groups a user is member of.
Because of its flakiness, the fallback group membership code is undesirable, and our code paths try hard to use only the group memberships calculated by the domain controller.
However, a lot of admins rely on the fallback behaviour in order to support NFS access, SSH public key authentication and passwordless sudo.
That's the reason for changing this back between 4.6.0rc4 and 4.6.0 (See BUG #12612).
The winbind change to simplify the calculation of supplementary groups to make it more reliable and predictable has been deferred to 4.7 or later.
This means that "id <username>" without the user having logged in previously stops showing any supplementary groups. Also, it will show "DOMAIN\Domain Users" as the primary group. Once the user has logged in, "id <username>" will correctly show the primary group and supplementary group list.
winbind primary group and nss info
With 4.6, it will be possible to optionally use the primary group as set in the "Unix Attributes" tab for the local unix token of a domain user. Before 4.6, the Windows primary group was always chosen as primary group for the local unix token.
To activate the unix primary group, set
idmap config <DOMAIN> : unix_primary_group = yes
Similarly, set
idmap config <DOMAIN> : unix_nss_info = yes
to retrieve the home directory and login shell from the "Unix Attributes" of the user. This supersedes the "winbind nss info" parameter with a per-domain configuration option.
mvxattr
mvxattr is a simple utility to recursively rename extended attributes of all files and directories in a directory tree.
Usage: mvxattr -s STRING -d STRING PATH [PATH ...]
  -s, --from=STRING        xattr source name
  -d, --to=STRING          xattr destination name
  -l, --follow-symlinks    follow symlinks, the default is to ignore them
  -p, --print              print files where the xattr got renamed
  -v, --verbose            print files as they are checked
  -f, --force              force overwriting of destination xattr

Help options:
  -?, --help               Show this help message
  --usage                  Display brief usage message
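The rename that vfs_fruit users on *BSD need (netatalk.Metadata to org.netatalk.Metadata, see above) is a walk over the share that moves one attribute name to another without losing data where the destination already exists. The following is an added example written for this page, not the mvxattr source: it implements those semantics in Python with the xattr operations behind a small backend interface, so the same logic can run against a real tree on Linux (via the os.*xattr calls) or against an in-memory tree, which is how the built-in demonstration runs. The directory layout, attribute values and the DictXattrOps backend are assumptions constructed for the example.

```python
import os


class OsXattrOps:
    """Real backend for Linux: thin wrapper around the os.*xattr calls.
    follow_symlinks controls whether a symlink's own or its target's
    attributes are touched, mirroring mvxattr's -l option."""

    def __init__(self, follow_symlinks=False):
        self.follow = follow_symlinks

    def walk(self, root):
        yield root, os.path.islink(root)
        for dirpath, dirnames, filenames in os.walk(root, followlinks=self.follow):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                yield path, os.path.islink(path)

    def list(self, path):
        return os.listxattr(path, follow_symlinks=self.follow)

    def get(self, path, name):
        return os.getxattr(path, name, follow_symlinks=self.follow)

    def set(self, path, name, value):
        os.setxattr(path, name, value, follow_symlinks=self.follow)

    def remove(self, path, name):
        os.removexattr(path, name, follow_symlinks=self.follow)


class DictXattrOps:
    """In-memory backend (constructed for this example): tree maps a path to
    its dict of xattrs; paths listed in symlinks are reported as symlinks."""

    def __init__(self, tree, symlinks=()):
        self.tree = tree
        self.symlinks = set(symlinks)

    def walk(self, root):
        prefix = root.rstrip("/") + "/"
        for path in sorted(self.tree):
            if path == root or path.startswith(prefix):
                yield path, path in self.symlinks

    def list(self, path):
        return list(self.tree[path])

    def get(self, path, name):
        return self.tree[path][name]

    def set(self, path, name, value):
        self.tree[path][name] = value

    def remove(self, path, name):
        del self.tree[path][name]


def rename_xattr_tree(roots, src, dst, ops, follow_symlinks=False, force=False):
    """Rename xattr `src` to `dst` on every object under `roots`.

    Returns (renamed, skipped). Symlinks are ignored unless follow_symlinks is
    set, and an object that already carries `dst` is left alone (and reported
    in `skipped`) unless force is set, so a half-migrated tree is not clobbered."""
    renamed, skipped = [], []
    for root in roots:
        for path, is_link in ops.walk(root):
            if is_link and not follow_symlinks:
                continue
            names = ops.list(path)
            if src not in names:
                continue
            if dst in names and not force:
                skipped.append(path)
                continue
            ops.set(path, dst, ops.get(path, src))   # copy first, then drop the old name
            ops.remove(path, src)
            renamed.append(path)
    return renamed, skipped


def demo_tree():
    """Constructed share: one migrated file, one untouched, one symlink."""
    return {
        "/srv/share": {"netatalk.Metadata": b"dir-meta"},
        "/srv/share/a.txt": {"netatalk.Metadata": b"m1", "user.other": b"x"},
        "/srv/share/b.txt": {},
        "/srv/share/c.txt": {"netatalk.Metadata": b"old", "org.netatalk.Metadata": b"new"},
        "/srv/share/link": {"netatalk.Metadata": b"L"},
    }


if __name__ == "__main__":
    tree = demo_tree()
    ops = DictXattrOps(tree, symlinks={"/srv/share/link"})
    print(rename_xattr_tree(["/srv/share"], "netatalk.Metadata", "org.netatalk.Metadata", ops))
```

On a real share, run it once without force to get the list of objects where both names exist, inspect those by hand, and only then decide whether the old or the new value should win; the tool's -f behaves the same way, overwriting the destination, so the first pass is the safe one.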
idmap_hash
The idmap_hash module is marked as deprecated with this release and will be removed in a future version. See the manpage of the module for details.
smb.conf changes
  Parameter Name                      Description              Default
  --------------                      -----------              -------
  kerberos encryption types           New                      all
  inherit owner                       New option
  fruit:resource                      Spelling correction
  lsa over netlogon                   New (deprecated)         no
  rpc server port                     New                      0
Samba 4.5
- Release Notes for Samba 4.5.0
- September 7, 2016
Release Announcements
This is the first stable release of the Samba 4.5 release series.
UPGRADING
NTLMv1 authentication disabled by default
In order to improve security we have changed the default value for the "ntlm auth" option from "yes" to "no". This may have an impact on very old clients which don't support NTLMv2 yet.
The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
By default, Samba will only allow NTLMv2 via NTLMSSP now, as we have the following default "lanman auth = no", "ntlm auth = no" and "raw NTLMv2 auth = no".
NEW FEATURES/CHANGES
Support for LDAP_SERVER_NOTIFICATION_OID
The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID control. This can be used to monitor the Active Directory database for changes.
KCC improvements for sparse network replication
The Samba KCC will now be the default knowledge consistency checker in Samba AD. Instead of using full mesh replication between every DC, the KCC will set up connections to optimize replication latency and cost (using site links to calculate the routes). This change should allow larger domains to function significantly better in terms of replication traffic and the time spent performing DRS replication.
VLV - Virtual List View
The VLV Control allows applications to page the LDAP directory in the way you might expect a live phone book application to operate, without first downloading the entire directory.
DRS Replication for the AD DC
DRS Replication in Samba 4.5 is now much more efficient in handling linked attributes, particularly in large domains with over 1000 group memberships or other links.
Replication is also much more reliable in the handling of tree renames, such as the rename of an organizational unit containing many users. Extensive tests have been added to ensure this code remains reliable, particularly in the case of conflicts between objects added with the same name on different servers.
Schema updates are also handled much more reliably.
samba-tool drs replicate with new options
'samba-tool drs replicate' got two new options:
- The option '--local-online' will do the DsReplicaSync() via IRPC to the local dreplsrv service.
- The option '--async-op' will add DRSUAPI_DRS_ASYNC_OP to the DsReplicaSync(), which won't wait for the replication result.
replPropertyMetaData Changes
During the development of the DRS replication, tests showed that Samba stores the replPropertyMetaData object incorrectly. To address this, be aware that 'dbcheck' will now detect and offer to fix all objects in the domain for this error.
For further information and instructions how to fix the problem, see https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes
Linked attributes on deleted objects
In Active Directory, an object that has been tombstoned or recycled has no linked attributes. However, Samba incorrectly maintained such links, slowing replication and run-time performance. 'dbcheck' now offers to remove such links, and they are no longer kept after the object is tombstoned or recycled.
Improved AD DC performance
Many other improvements have been made to our LDAP database layer in the AD DC, to improve performance, both during 'samba-tool domain provision' and at runtime.
Other dbcheck improvements
- 'samba-tool dbcheck' can now find and fix a missing or corrupted 'deleted objects' container.
- BUG #11433: samba-dbcheck no longer offers to resort auxiliary class values in objectClass as these were then re-sorted at the next dbcheck indefinitely.
Tombstone Reanimation
Samba now supports tombstone reanimation, a feature in the AD DC allowing tombstones, that is objects which have been deleted, to be restored with the original SID and GUID still in place.
Multiple DNS Forwarders on the AD DC
Previously, the Samba internal DNS server supported only one DNS forwarder. The "dns forwarder" option has been enhanced and now accepts a space-separated list of DNS server IP addresses, so Samba can fall back to alternative DNS servers: if a query to the first server times out, it is sent to the next server in the list.
Password quality plugin support in the AD DC
The check password script now operates correctly in the AD DC.
pwdLastSet is now correctly honoured
BUG #9654: The pwdLastSet attribute is now correctly handled (this previously permitted passwords that expire next).
net ads dns unregister
It is now possible to remove the DNS entries created with 'net ads register' with the matching 'net ads unregister' command.
samba-tool improvements
Running 'samba-tool' on the command line should now be a lot snappier. The tool now only loads the code specific to the subcommand that you wish to run.
SMB 2.1 Leases enabled by default
Leasing is an SMB 2.1 (and higher) feature which allows clients to aggressively cache files locally above and beyond the caching allowed by SMB 1 oplocks. This feature was disabled in previous releases, but the SMB2 leasing code is now considered mature and stable enough to be enabled by default.
Open File Description (OFD) Locks
On systems that support them (currently only Linux), the fileserver now uses Open File Description (OFD) locks instead of POSIX locks to implement client byte range locks. As these locks are associated with a specific file descriptor on a file this allows more efficient use when multiple descriptors having file locks are opened onto the same file. An internal tunable "smbd:force process locks = true" may be used to turn off OFD locks if there appear to be problems with them.
Password sync as Active Directory domain controller
The new commands 'samba-tool user getpassword' and 'samba-tool user syncpasswords' provide access and syncing of various password fields.
If compiled with GPGME support (--with-gpgme) it is possible to store cleartext passwords in OpenPGP-encrypted form by configuring the new "password hash gpg key ids" option. This requires the gpgme devel and python packages to be installed (e.g. libgpgme11-dev and python-gpgme on Debian/Ubuntu).
Python crypto requirements
Some samba-tool subcommands require python-crypto and/or python-m2crypto packages to be installed.
SmartCard/PKINIT improvements
'samba-tool user create' accepts --smartcard-required and 'samba-tool user setpassword' accepts "--smartcard-required" and "--clear-smartcard-required".
Specifying "--smartcard-required" results in the UF_SMARTCARD_REQUIRED flags being set in the userAccountControl attribute. At the same time, the account password is reset to a random NTHASH value.
Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED bit is set in the userAccountControl attribute of a user.
When doing a PKINIT based Kerberos logon the KDC adds the required PAC_CREDENTIAL_INFO element to the authorization data. That means the NTHASH is shared between the PKINIT based client and the domain controller, which allows the client to do NTLM based authentication on behalf of the user. It also allows an offline logon using a smartcard to work on Windows clients.
CTDB changes
- New improved 'ctdb tool'
- 'ctdb tool' has been completely rewritten using new client API.
- Usage messages are much improved.
- Sample CTDB configuration file is installed as ctdbd.conf.
- The use of real-time scheduling when taking locks has been narrowed to limit potential performance impacts on nodes.
- CTDB_RECOVERY_LOCK now supports specification of an external helper to take and hold the recovery lock.
- See the RECOVERY LOCK section in ctdb(7) for details. Documentation for writing helpers is provided in doc/cluster_mutex_helper.txt.
- "ctdb natgwlist" has been replaced by a top level "ctdb natgw" command that has "master", "list" and "status" subcommands.
- The 'onnode' command no longer supports the "recmaster", "lvs" and "natgw" node specifications.
- Faster resetting of TCP connections to public IP addresses during failover.
- Tunables MaxRedirectCount, ReclockPingPeriod, DeferredRebalanceOnNodeAdd are now obsolete/ignored.
- "ctdb listvars" now lists all variables, including the first one.
- "ctdb xpnn", "ctdb rebalanceip" and "ctdb rebalancenode" have been removed.
- These are not needed because "ctdb reloadips" should do the correct rebalancing.
- Output for the following commands has been simplified:
- ctdb getdbseqnum
- ctdb getdebug
- ctdb getmonmode
- ctdb getpid
- ctdb getreclock
- ctdb pnn
- These now simply print the requested output with no preamble. This means that scripts no longer need to strip part of the output.
- "ctdb getreclock" now prints nothing when the recovery lock is not set.
- Output for the following commands has been improved:
- ctdb setdebug
- ctdb uptime
- 'ctdb process-exists' has been updated to only take a PID argument.
- The PNN can be specified with -n <PNN>. Output also cleaned up.
- LVS support has been reworked - related commands and configuration variables have changed
- 'ctdb lvsmaster' and 'ctdb lvs' have been replaced by a top level 'ctdb lvs' command that has "master", "list" and "status" subcommands.
- See the LVS sections in ctdb(7) and ctdbd.conf(5) for details, including configuration changes.
- Improved sample NFS Ganesha call-out
New shadow_copy2 options
shadow:snapprefix
- With growing number of snapshots file-systems need some mechanism to differentiate one set of snapshots from other, e.g. monthly, weekly, manual, special events, etc. Therefore, these file-systems provide different ways to tag snapshots, e.g. provide a configurable way to name snapshots, which is not just based on time. With only shadow:format it is very difficult to filter these snapshots. With this optional parameter, one can specify a variable prefix component for names of the snapshot directories in the file-system. If this parameter is set, together with the shadow:format and shadow:delimiter parameters it determines the possible names of snapshot directories in the file-system. The option only supports Basic Regular Expression (BRE).
shadow:delimiter
- This optional parameter is used as a delimiter between "shadow:snapprefix" and "shadow:format". This parameter is used only when "shadow:snapprefix" is set.
- Default: shadow:delimiter = "_GMT"
REMOVED FEATURES
"only user" and "username" parameters
These two parameters have long been deprecated and superseded by "valid users" and "invalid users".
Samba 4.4
- Release Notes for Samba 4.4.0
- March 22, 2016
This is the first stable release of the Samba 4.4 release series.
UPGRADING
Nothing special.
NEW FEATURES/CHANGES
Asynchronous flush requests
Flush requests from SMB2/3 clients are handled asynchronously and do not block the processing of other requests. Note that 'strict sync' has to be set to 'yes' for Samba to honor flush requests from SMB clients.
s3: smbd
The '--with-aio-support' configure option has been removed. POSIX-RT AIO is no longer preferred in any case; the pthread-based AIO implementation is used instead.
samba-tool sites
The 'samba-tool sites' subcommand can now be run against another server by specifying an LDB URL using the '-H' option and not against the local database only (which is still the default when no URL is given).
samba-tool domain demote
Add '--remove-other-dead-server' option to 'samba-tool domain demote' subcommand. The new version of this tool now can remove another DC that is itself offline. The '--remove-other-dead-server' removes as many references to the DC as possible.
samba-tool drs clone-dc-database
Replicate an initial clone of domain, but do not join it. This is developed for debugging purposes, but not for setting up another DC.
pdbedit
Add '--set-nt-hash' option to pdbedit to update user password from nt-hash hexstring. 'pdbedit -vw' shows also password hashes.
smbstatus
'smbstatus' was enhanced to show the state of signing and encryption for sessions and shares.
smbget
The -u and -p options for user and password were replaced by the -U option that accepts username[%password] as in many other tools of the Samba suite. Similarly, smbgetrc files do not accept username and password options any more, only a single "user" option which also accepts user%password combinations.
s4-rpc_server
Add a GnuTLS based backupkey implementation.
ntlm_auth
Using '--offline-logon' enables ntlm_auth to use cached passwords when the DC is offline.
Allow '--password' to force a local password check for ntlm-server-1 mode.
vfs_offline
A new VFS module called vfs_offline has been added to mark all files in the share as offline. It can be useful for shares mounted on top of a remote file system (either through a samba VFS module or via FUSE).
KCC
The Samba KCC has been improved, but is still disabled by default.
DNS
There were several improvements concerning the Samba DNS server.
Active Directory
There were some improvements in the Active Directory area.
WINS nsswitch module
The WINS nsswitch module has been rewritten to address memory issues and to simplify the code. The module now uses libwbclient to do WINS queries. This means that winbind needs to be running in order to resolve WINS names using the nss_wins module. This does not affect smbd.
CTDB changes
- CTDB now uses a newly implemented parallel database recovery scheme that avoids deadlocks with smbd.
- In certain circumstances CTDB and smbd could deadlock. The new recovery implementation avoids this. It also provides improved recovery performance.
- All files are now installed into and referred to by the paths configured at build time. Therefore, CTDB will now work properly when installed into the default location at /usr/local.
- Public CTDB header files are no longer installed, since Samba and CTDB are built from within the same source tree.
- CTDB_DBDIR can now be set to tmpfs[:<tmpfs-options>]
- This will cause volatile TDBs to be located in a tmpfs. This can help to avoid performance problems associated with contention on the disk where volatile TDBs are usually stored. See ctdbd.conf(5) for more details.
- Configuration variable CTDB_NATGW_SLAVE_ONLY is no longer used.
- Instead, nodes should be annotated with the "slave-only" option in the CTDB NAT gateway nodes file. This file must be consistent across nodes in a NAT gateway group. See ctdbd.conf(5) for more details.
- New event script 05.system allows various system resources to be monitored
- This can be helpful for explaining poor performance or unexpected behaviour. New configuration variables are CTDB_MONITOR_FILESYSTEM_USAGE, CTDB_MONITOR_MEMORY_USAGE and CTDB_MONITOR_SWAP_USAGE. Default values cause warnings to be logged. See the SYSTEM RESOURCE MONITORING CONFIGURATION in ctdbd.conf(5) for more information.
- The memory, swap and filesystem usage monitoring previously found in 00.ctdb and 40.fs_use is no longer available. Therefore, configuration variables CTDB_CHECK_FS_USE, CTDB_MONITOR_FREE_MEMORY, CTDB_MONITOR_FREE_MEMORY_WARN and CTDB_CHECK_SWAP_IS_NOT_USED are now ignored.
- The 62.cnfs eventscript has been removed. To get a similar effect just do something like this:
mmaddcallback ctdb-disable-on-quorumLoss --command /usr/bin/ctdb --event quorumLoss --parms "disable"
mmaddcallback ctdb-enable-on-quorumReached --command /usr/bin/ctdb --event quorumReached --parms "enable"
- The CTDB tunable parameter EventScriptTimeoutCount has been renamed to MonitorTimeoutCount
- It has only ever been used to limit timed-out monitor events.
- Configurations containing CTDB_SET_EventScriptTimeoutCount=<n> will cause CTDB to fail at startup. Useful messages will be logged.
- The commandline option "-n all" to CTDB tool has been removed.
- The option was not uniformly implemented for all the commands. Instead of command "ctdb ip -n all", use "ctdb ip all".
- All current CTDB manual pages are now correctly installed.
EXPERIMENTAL FEATURES
SMB3 Multi-Channel
Samba 4.4.0 adds *experimental* support for SMB3 Multi-Channel. Multi-Channel is an SMB3 protocol feature that allows the client to bind multiple transport connections into one authenticated SMB session. This allows for increased fault tolerance and throughput. The client chooses transport connections as reported by the server and also chooses over which of the bound transport connections to send traffic. I/O operations for a given file handle can span multiple network connections this way. An SMB multi-channel session remains valid as long as at least one of its channels is up.
In Samba, multi-channel can be enabled by setting the new smb.conf option "server multi channel support" to "yes". It is disabled by default.
Samba has to report interface speeds and some capabilities to the client. On Linux, Samba can auto-detect the speed of an interface. But to support other platforms, and in order to be able to manually override the detected values, the "interfaces" smb.conf option has been given an extended syntax, by which an interface specification can additionally carry speed and capability information. The extended syntax looks like this for setting the speed to 1 gigabit per second:
interfaces = 192.168.1.42;speed=1000000000
This extension should be used with care and is mainly intended for testing. See the smb.conf manual page for details.
CAVEAT: While this should mostly work without problems, there are still corner cases in the treatment of channel failures that may result in DATA CORRUPTION when these race conditions hit. It is hence NOT RECOMMENDED TO USE MULTI-CHANNEL IN PRODUCTION at this stage. This situation can be expected to improve during the life-time of the 4.4 release. Feed-back from test-setups is highly welcome.
REMOVED FEATURES
Public headers
Several public headers are not installed any longer. They are made for internal use only. More public headers will very likely be removed in future releases.
The following headers are not installed any longer: dlinklist.h, gen_ndr/epmapper.h, gen_ndr/mgmt.h, gen_ndr/ndr_atsvc_c.h, gen_ndr/ndr_epmapper_c.h, gen_ndr/ndr_epmapper.h, gen_ndr/ndr_mgmt_c.h, gen_ndr/ndr_mgmt.h, gensec.h, ldap_errors.h, ldap_message.h, ldap_ndr.h, ldap-util.h, pytalloc.h, read_smb.h, registry.h, roles.h, samba_util.h, smb2_constants.h, smb2_create_blob.h, smb2.h, smb2_lease.h, smb2_signing.h, smb_cli.h, smb_cliraw.h, smb_common.h, smb_composite.h, smb_constants.h, smb_raw.h, smb_raw_interfaces.h, smb_raw_signing.h, smb_raw_trans2.h, smb_request.h, smb_seal.h, smb_signing.h, smb_unix_ext.h, smb_util.h, torture.h, tstream_smbXcli_np.h.
vfs_smb_traffic_analyzer
The SMB traffic analyzer VFS module has been removed, because it is not maintained any longer and not widely used.
vfs_scannedonly
The scannedonly VFS module has been removed, because it is not maintained any longer.
smb.conf changes
Parameter Name                Description      Default
--------------                -----------      -------
aio max threads               New              100
ldap page size                Changed default  1000
server multi channel support  New              No
interfaces                    Extended syntax
Samba 4.3
- Release Notes for Samba 4.3.0
- September 8, 2015
This is the first stable release of Samba 4.3.
UPGRADING
Read the "New FileChangeNotify subsystem" and "smb.conf changes" sections (below).
NEW FEATURES
Logging
The logging code now supports logging to multiple backends. In addition to the previously available syslog and file backends, the backends for logging to the systemd-journal, lttng and gpfs have been added. Please consult the section for the 'logging' parameter in the smb.conf manpage for details.
Spotlight
Support for Apple's Spotlight has been added by integrating with Gnome Tracker.
For detailed instructions how to build and setup Samba for Spotlight, please see here.
New FileChangeNotify subsystem
Samba now contains a new subsystem to do FileChangeNotify. The previous system used a central database, notify_index.tdb, to store all notification requests. In particular in a cluster this turned out to be a major bottleneck, because some hot records had to be bounced back and forth between nodes on every change event, such as a newly created file.
The new FileChangeNotify subsystem works with a central daemon per node. Every FileChangeNotify request and every event are handled by an asynchronous message from smbd to the notify daemon. The notify daemon maintains a database of all FileChangeNotify requests in memory and will distribute the notify events accordingly. This database is asynchronously distributed in the cluster by the notify daemons.
The notify daemon is supposed to scale a lot better than the previous implementation. The functional advantage is cross-node kernel change notify: Files created via NFS will be seen by SMB clients on other nodes per FileChangeNotify, despite the fact that popular cluster file systems do not offer cross-node inotify.
Two changes to the configuration were required for this new subsystem:
- The parameters "change notify" and "kernel change notify" are no longer per-share but must be set globally. It is therefore no longer possible to enable or disable notify per share; the notify daemon has no notion of a share and works only on absolute paths.
New SMB profiling code
The code for SMB (SMB1, SMB2 and SMB3) profiling uses a tdb instead of sysv IPC shared memory. This avoids performance problems and NUMA effects. The profile stats are a bit more detailed than before.
Improved DCERPC man in the middle detection for kerberos
The gssapi based kerberos backends for gensec have support for DCERPC header signing when using DCERPC_AUTH_LEVEL_PRIVACY.
SMB signing required in winbindd by default
The effective value for "client signing" is required by default for winbindd, if the primary domain uses active directory.
Experimental NTDB was removed
The experimental NTDB library introduced in Samba 4.0 has been removed again.
Improved support for trusted domains (as AD DC)
The support for trusted domains/forests has improved a lot.
samba-tool got "domain trust" subcommands to manage trusts:
- create - Create a domain or forest trust.
- delete - Delete a domain trust.
- list - List domain trusts.
- namespaces - Manage forest trust namespaces.
- show - Show trusted domain details.
- validate - Validate a domain trust.
External trusts between individual domains work in both ways (inbound and outbound). The same applies to root domains of a forest trust. The transitive routing into the other forest is fully functional for kerberos, but not yet supported for NTLMSSP.
While a lot of things are working fine, there are currently a few limitations:
- Both sides of the trust need to fully trust each other!
- No SID filtering rules are applied at all!
- This means DCs of domain A can grant domain admin rights in domain B.
- It's not possible to add users/groups of a trusted domain into domain groups.
SMB 3.1.1 supported
Both client and server have support for SMB 3.1.1 now.
This is the dialect introduced with Windows 10, it improves the secure negotiation of SMB dialects and features.
There's also a new optional encryption algorithm, aes-gcm-128, but for now this is only selected as a fallback; aes-ccm-128 is preferred because of its better performance. This might change in future versions when hardware encryption is supported.
- See BUG #11451
New smbclient subcommands
- Query a directory for change notifications: notify <dir name>
- Server side copy: scopy <source filename> <destination filename>
New rpcclient subcommands
- netshareenumall - Enumerate all shares
- netsharegetinfo - Get Share Info
- netsharesetinfo - Set Share Info
- netsharesetdfsflags - Set DFS flags
- netfileenum - Enumerate open files
- netnamevalidate - Validate sharename
- netfilegetsec - Get File security
- netsessdel - Delete Session
- netsessenum - Enumerate Sessions
- netdiskenum - Enumerate Disks
- netconnenum - Enumerate Connections
- netshareadd - Add share
- netsharedel - Delete share
New modules
- idmap_script - see 'man 8 idmap_script'
- vfs_unityed_media - see 'man 8 vfs_unityed_media'
- vfs_shell_snap - see 'man 8 vfs_shell_snap'
New sparsely connected replica graph (Improved KCC)
The Knowledge Consistency Checker (KCC) maintains a replication graph for DCs across an AD network. The existing Samba KCC uses a fully connected graph, so that each DC replicates from all the others, which does not scale well with large networks. In 4.3 there is an experimental new KCC that creates a sparsely connected replication graph and closely follows Microsoft's specification. It is turned off by default. To use the new KCC, set "kccsrv:samba_kcc=true" in smb.conf and let us know how it goes. You should consider doing this if you are making a large new network. For small networks there is little benefit and you can always switch over at a later date.
Configurable TLS protocol support, with better defaults
The "tls priority" option can be used to change the supported TLS protocols. The default is to disable SSLv3, which is no longer considered secure.
Samba-tool now supports all 7 FSMO roles
Previously "samba-tool fsmo" could only show, transfer or seize the five well-known FSMO roles:
- Schema Master
- Domain Naming Master
- RID Master
- PDC Emulator
- Infrastructure Master
It can now also show, transfer or seize the DNS infrastructure roles:
- DomainDnsZones Infrastructure Master
- ForestDnsZones Infrastructure Master
CTDB logging changes
The destination for CTDB logging is now set via a single new configuration variable CTDB_LOGGING. This replaces CTDB_LOGFILE and CTDB_SYSLOG, which have both been removed. See ctdbd.conf(5) for details of CTDB_LOGGING.
CTDB no longer runs a separate logging daemon.
CTDB NFS support changes
CTDB's NFS service management has been combined into a single 60.nfs event script. This updated 60.nfs script now uses a call-out to interact with different NFS implementations. See the CTDB_NFS_CALLOUT option in the ctdbd.conf(5) manual page for details. A default call-out is provided to interact with the Linux kernel NFS implementation. The 60.ganesha event script has been removed - a sample call-out is provided for NFS Ganesha, based on this script.
The method of configuring NFS RPC checks has been improved. See ctdb/config/nfs-checks.d/README for details.
Improved Cross-Compiling Support
A new "hybrid" build configuration mode is added to improve cross-compilation support.
A common challenge in cross-compilation is that of obtaining the results of tests that have to run on the target, during the configuration phase of the build. The Samba build system already supports the following means to do so:
- Executing configure tests using the --cross-execute parameter
- Obtaining the results from an answers file using the --cross-answers parameter
The first method has the drawback of inaccurate results if the tests are run using an emulator, or a need to be connected to a running target while building, if the tests are to be run on an actual target. The second method presents a challenge of figuring out the test results.
The new hybrid mode runs the tests and records the result in an answer file. To activate this mode, use both --cross-execute and --cross-answers in the same configure invocation. This mode can be activated once against a running target, and then the generated answers file can be used in subsequent builds.
Also supplied is an example script that can be used as the cross-execute program. This script copies the test to a running target and runs the test on the target, obtaining the result. The obtained results are more accurate than running the test with an emulator, because they reflect the exact kernel and system libraries that exist on the target.
Improved Sparse File Support
Support for the FSCTL_SET_ZERO_DATA and FSCTL_QUERY_ALLOCATED_RANGES SMB2 requests has been added to the smbd file server.
This allows for clients to deallocate (hole punch) regions within a sparse file, and check which portions of a file are allocated.
Changes
smb.conf changes
Parameter Name           Description          Default
--------------           -----------          -------
logging                  New                  (empty)
msdfs shuffle referrals  New                  no
smbd profiling level     New                  off
spotlight                New                  no
tls priority             New                  NORMAL:-VERS-SSL3.0
use ntdb                 Removed
change notify            Changed to [global]
kernel change notify     Changed to [global]
client max protocol      Changed default      SMB3_11
server max protocol      Changed default      SMB3_11
Removed modules
vfs_notify_fam - see section 'New FileChangeNotify subsystem'.
Samba 4.2
- Release Notes for Samba 4.2.0
- March 4, 2015
This is the first stable release of Samba 4.2.
Samba 4.2 will be the next version of the Samba suite.
IMPORTANT NOTE ABOUT THE SUPPORT END OF SAMBA 3
With the final release of Samba 4.2, the last series of Samba 3 has been discontinued! People still running 3.6.x or earlier, should consider moving to a more recent and maintained version (4.0 - 4.2). One of the common misconceptions is that Samba 4.x automatically means "Active Directory only": This is wrong!
Acting as an Active Directory Domain Controller is just one of the enhancements included in Samba 4.0 and later. Version 4.0 was just the next release after the 3.6 series and contains all the features of the previous ones - including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to 4.x, just as you've updated in the past (e.g. from 3.4.x to 3.5.x). You don't have to move your NT4-style domain to an Active Directory!
And of course the possibility remains unchanged, to setup a new NT4-style PDC with Samba 4.x, like done in the past (e.g. with openLDAP backend). Active Directory support in Samba 4 is additional and does not replace any of these features. We do understand the difficulty presented by existing LDAP structures and for that reason there isn't a plan to decommission the classic PDC support. It remains tested by the continuous integration system.
The code that supports the classic Domain Controller is also the same code that supports the internal 'Domain' of standalone servers and Domain Member Servers. This means that we still use this code, even when not acting as an AD Domain Controller. It is also the basis for some of the features of FreeIPA and so it gets development attention from that direction as well.
UPGRADING
Read the "Winbindd/Netlogon improvements" section (below) carefully!
NEW FEATURES
Transparent File Compression
Samba 4.2.0 adds support for the manipulation of file and folder compression flags on the Btrfs filesystem. With the Btrfs Samba VFS module enabled, SMB2+ compression flags can be set remotely from the Windows Explorer File->Properties->Advanced dialog. Files flagged for compression are transparently compressed and uncompressed when accessed or modified.
Previous File Versions with Snapper
The newly added Snapper VFS module exposes snapshots managed by Snapper for use by Samba. This provides the ability for remote clients to access shadow-copies via Windows Explorer using the "previous versions" dialog.
Winbindd/Netlogon improvements
The whole concept of maintaining the netlogon secure channel to (other) domain controllers was rewritten in order to maintain global state in a netlogon_creds_cli.tdb. This is the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=10860
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599
In addition a strong session key is now required by default, which means that communication to older servers or clients might be rejected by default.
- For the client side we have the following new options:
- "require strong key" (yes by default), "reject md5 servers" (no by default). E.g. for Samba 3.0.37 you need "require strong key = no", and for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth = no".
- On the server side (as domain controller) we have the following new options:
- "allow nt4 crypto" (no by default), "reject md5 client" (no by default). E.g. in order to allow Samba < 3.0.27 or NT4 members to work you need "allow nt4 crypto = yes"
- winbindd no longer lists group memberships for display purposes (e.g. getent group <domain>\<group>) by default.
- The new default is "winbind expand groups = 0". The reason for this is the same as for "winbind enum users = no" and "winbind enum groups = no": providing this information is not always reliably possible, e.g. if there are trusted domains.
Please consult the smb.conf manpage for more details on these new options.
Winbindd use on the Samba AD DC
Winbindd is now used on the Samba AD DC by default, replacing the partial rewrite used for winbind operations in Samba 4.0 and 4.1.
This allows more code to be shared, more options to be honoured, and paves the way for support for trusted domains in the AD DC.
If required the old internal winbind can be activated by setting 'server services = +winbind -winbindd'. Upgrading users with a server services parameter specified should ensure they change 'winbind' to 'winbindd' to obtain the new functionality.
The 'samba' binary still manages the starting of this service, there is no need to start the winbindd binary manually.
Winbind now requires secured connections
To improve protection against rogue domain controllers, we now require that, when we connect to an AD DC in our forest, the connection be signed using SMB Signing. Set 'client signing = off' in the smb.conf to disable.
Also, DCE/RPC pipes must be sealed; set 'require strong key = false' and 'winbind sealed pipes = false' to disable.
Finally, the default for 'client ldap sasl wrapping' has been set to 'sign', to ensure the integrity of LDAP connections. Set 'client ldap sasl wrapping = plain' to disable.
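The new winbind/netlogon options above, and the 'tls priority' default from 4.3, are each described with the setting that switches the protection back off. The following added example (not Samba code) audits the [global] section of an smb.conf for exactly those weakening settings; it implements only the subset of smb.conf syntax it needs, normalises parameter names the way Samba does (case-insensitive, whitespace ignored), and runs against a constructed sample configuration.

```python
"""Audit the [global] section of an smb.conf against the winbind/netlogon
hardening described above (Samba 4.2) and the 'tls priority' default (4.3).

Added example, not Samba code: it implements only the subset of smb.conf
syntax needed here ([section] headers, 'key = value', '#' and ';' comments),
normalising parameter names the way Samba does (case-insensitive, whitespace
ignored). The sample configuration below is constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Parameter -> (values that switch the protection off, what is lost).
WEAKENING = {
    "requirestrongkey":       ({"no", "false", "0"}, "netlogon strong session key not required"),
    "clientsigning":          ({"off", "no", "false", "0", "disabled"}, "SMB signing to DCs disabled"),
    "winbindsealedpipes":     ({"no", "false", "0"}, "DCE/RPC pipes to DCs not sealed"),
    "clientldapsaslwrapping": ({"plain"}, "LDAP integrity protection disabled"),
    "allownt4crypto":         ({"yes", "true", "1"}, "weak NT4 crypto accepted from members"),
    "clientntlmv2auth":       ({"no", "false", "0"}, "NTLMv1 fallback allowed"),
}

def normalise_name(name: str) -> str:
    """'Client Signing' and 'client signing' are the same parameter to Samba."""
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {parameter: value}}; a repeated parameter keeps the
    last value, as Samba does."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][normalise_name(key)] = value.strip().lower()
    return sections

def audit_global(text: str) -> List[Tuple[str, str, str]]:
    """Return sorted (parameter, value, reason) triples for every [global]
    setting that disables one of the protections listed above."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []
    for param, (weak_values, reason) in WEAKENING.items():
        value = glob.get(param)
        if value is not None and value in weak_values:
            findings.append((param, value, reason))
    # 4.3 ships 'tls priority = NORMAL:-VERS-SSL3.0'; explicitly re-adding
    # SSLv3 to the priority string undoes that default.
    tls = glob.get("tlspriority", "")
    if "+vers-ssl3.0" in tls:
        findings.append(("tlspriority", tls, "SSLv3 re-enabled"))
    return sorted(findings)

# Constructed sample: a member server whose admin worked around logon problems
# with an NT4 DC by turning the new 4.2 protections off.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = domain
    require strong key = no
    client NTLMv2 auth = no
    Client Signing = off
    winbind sealed pipes = false
    client ldap sasl wrapping = sign
    ; still at its secure default, so not reported
    reject md5 servers = no

[homes]
    read only = no
"""

if __name__ == "__main__":
    for param, value, reason in audit_global(SAMPLE_SMB_CONF):
        print(f"{param} = {value}: {reason}")
```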
Larger IO sizes for SMB2/3 by default
The default values for "smb2 max read", "smb2 max write" and "smb2 max trans" have been changed to 8388608 (8MiB) in order to match the default of Windows 2012R2.
SMB2 leases
The SMB2 protocol allows clients to aggressively cache files locally above and beyond the caching allowed by SMB1 and SMB2 oplocks.
Called SMB2 leases, this can greatly reduce traffic on an SMB2 connection. Samba 4.2 now implements SMB2 leases.
It can be turned on by setting the parameter "smb2 leases = yes" in the [global] section of your smb.conf. This parameter is set to off by default until the SMB2 leasing code is declared fully stable.
Improved DCERPC man in the middle detection
The DCERPC header signing has been implemented in addition to the dcerpc_sec_verification_trailer protection.
Overhauled "net idmap" command
The command line interface of the "net idmap" command has been made systematic, and subcommands for reading and writing the autorid idmap database have been added. Note that the writing commands should be used with great care. See the net(8) manual page for details.
tdb improvements
The tdb library, our core mechanism to store Samba-specific data on disk and share it between processes, has been improved to support process shared robust mutexes on Linux. These mutexes are available on Linux and Solaris and significantly reduce the overhead involved with tdb. To enable mutexes for tdb, set
dbwrap_tdb_mutexes:* = yes
in the [global] section of your smb.conf.
Tdb file space management has also been made more efficient. This will lead to smaller and less fragmented databases.
Messaging improvements
Our internal messaging subsystem, used for example for things like oplock break messages between smbds or setting a process debug level dynamically, has been rewritten to use unix domain datagram messages.
Clustering support
Samba's file server clustering component CTDB is now integrated in the Samba tree. This avoids the confusion of compatibility of Samba and CTDB versions as existed previously.
To build the Samba file server with cluster support, use the configure command line option --with-cluster-support. This builds the clustered file server against the in-tree ctdb. Building clustered Samba with previous versions of CTDB is no longer supported.
Samba Registry Editor
The utility to browse the Samba registry has been overhauled by our Google Summer of Code student Chris Davis. samba-regedit now has a Midnight-Commander-like theme and UI experience. You can browse keys and edit the different value types. For the data value type a hex editor has been implemented.
Bad Password Lockout in the AD DC
Samba's AD DC now implements bad password lockout (on a per-DC basis).
That is, incorrect password attempts are tracked, and accounts locked out if too many bad passwords are submitted. There is also a grace period of 60 minutes on the previous password when used for NTLM authentication (matching Windows 2003 SP1: https://support2.microsoft.com/kb/906305).
The relevant settings can be seen using 'samba-tool domain passwordsettings show' (the new settings being highlighted):
Password informations for domain 'DC=samba,DC=example,DC=com'
- Password complexity: on
- Store plaintext passwords: off
- Password history length: 24
- Minimum password length: 7
- Minimum password age (days): 1
- Maximum password age (days): 42
- Account lockout duration (mins): 30
- Account lockout threshold (attempts): 0
- Reset account lockout after (mins): 30
These values can be set using 'samba-tool domain passwordsettings set'.
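To make the three lockout settings shown above concrete, here is an added model of the per-DC policy they describe (illustrative code, not Samba's implementation): a lockout threshold of 0 disables lockout, a burst of bad passwords reaching the threshold locks the account for the lockout duration, and the bad-password count starts over once the reset window has passed. Timestamps are constructed whole minutes.

```python
"""Model of the per-DC bad-password lockout added to the Samba AD DC in 4.2,
driven by the three settings 'samba-tool domain passwordsettings show' prints:
lockout threshold, lockout duration and reset-after window.

Added example, not Samba's implementation: it reproduces the policy semantics
described above for one DC with constructed timestamps (whole minutes), so
the effect of each setting can be seen without a domain.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class LockoutPolicy:
    threshold: int = 0          # "Account lockout threshold (attempts)"; 0 disables lockout
    duration_mins: int = 30     # "Account lockout duration (mins)"
    reset_after_mins: int = 30  # "Reset account lockout after (mins)"

@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_at: Optional[int] = None
    locked_at: Optional[int] = None

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: int) -> bool:
        """A lock expires once 'duration' has elapsed; the bad count is then
        cleared as well."""
        st = self._state(user)
        if st.locked_at is None:
            return False
        if now - st.locked_at >= self.policy.duration_mins:
            st.locked_at = None
            st.bad_count = 0
            return False
        return True

    def attempt(self, user: str, correct: bool, now: int) -> str:
        """Record one logon attempt and return 'ok', 'bad' or 'locked'.
        While locked, even the right password is refused."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"
        if correct:
            st.bad_count = 0
            st.last_bad_at = None
            return "ok"
        # A bad attempt after 'reset after' minutes of quiet starts a new count,
        # so isolated mistakes spread over time do not add up to the threshold.
        if st.last_bad_at is not None and now - st.last_bad_at >= self.policy.reset_after_mins:
            st.bad_count = 0
        st.bad_count += 1
        st.last_bad_at = now
        if self.policy.threshold and st.bad_count >= self.policy.threshold:
            st.locked_at = now   # this attempt is still reported as a bad password
        return "bad"

def demo() -> Dict[str, List[str]]:
    """Threshold 5, duration 30, reset 30 (constructed): a burst of five bad
    passwords locks 'alice' until the duration passes, whereas five bad
    passwords 31 minutes apart never lock 'bob'."""
    tracker = LockoutTracker(LockoutPolicy(threshold=5, duration_mins=30, reset_after_mins=30))
    alice = [tracker.attempt("alice", False, now=m) for m in range(5)]   # minutes 0..4
    alice.append(tracker.attempt("alice", True, now=5))                  # correct, but locked
    alice.append(tracker.attempt("alice", True, now=34))                 # lock set at 4, expired at 34
    bob = [tracker.attempt("bob", False, now=31 * m) for m in range(5)]
    return {"alice": alice, "bob": bob}

if __name__ == "__main__":
    print(demo())
```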
Correct defaults in the smb.conf manpages
The default values for smb.conf parameters are now correctly specified in the smb.conf manpage, even when they refer to build-time specified paths. Provided Samba is built on a system with the right tools (xsltproc in particular) required to generate our man pages, then these will be built with the exact same embedded paths as used by the configuration parser at runtime. Additionally, the default values read from the smb.conf manpage are checked by our test suite to match the values seen in testparm and used by the running binaries.
Consistent behaviour between samba-tool testparm and testparm
With the exception of the registry backend, which remains only available in the file server, the behaviour of the smb.conf parser and the tools 'samba-tool testparm' and 'testparm' is now consistent, particularly with regard to default values. Except with regard to registry shares, it is no longer needed to use one tool on the AD DC, and another on the file server.
VFS WORM module
A VFS module for basic WORM (Write once read many) support has been added. It provides an additional layer on top of a Samba share that offers a basic set of WORM functionality on the client side, to control the writability of files and folders.
As the module is simply an additional layer, share access and permissions work as expected; only WORM functionality is added on top. Removing the module from the share configuration removes this layer again. The filesystem ACLs are not affected in any way by the module and are treated as usual.
The module does not provide complete WORM functions like some archiving products do! It is not audit-proof, because the WORM function is only available on the client side, when accessing a share through SMB! If the same folder is shared by other services like NFS, access depends only on the underlying filesystem ACLs. The same applies if you access the content directly on the server.
For additional information, see
vfs_fruit, a VFS module for OS X clients
A new VFS module that provides enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver.
The module features enhanced performance with reliable named streams support, interoperability with special characters commonly used by OS X clients (e.g. '*', '/'), integrated file locking and Mac metadata access with Netatalk 3, and enhanced performance by implementing Apple's SMB2 extension codenamed "AAPL".
The module's behaviour is fully configurable; please refer to the vfs_fruit manpage for further details.
smbclient archival improvements
Archive creation and extraction support in smbclient has been rewritten to use libarchive. This fixes a number of outstanding bugs in Samba's previous custom tar implementation and also adds support for the extraction of zipped archives.
smbclient archive support can be enabled or disabled at build time with corresponding --with[out]-libarchive configure parameters.
Changes
smb.conf changes
Parameter Name            Description      Default
--------------            -----------      -------
allow nt4 crypto          New              no
neutralize nt4 emulation  New              no
reject md5 client         New              no
reject md5 servers        New              no
require strong key        New              yes
smb2 max read             Changed default  8388608
smb2 max write            Changed default  8388608
smb2 max trans            Changed default  8388608
winbind expand groups     Changed default  0
Samba 4.1
- Release Notes for Samba 4.1.0
- October 11, 2013
This is the first stable release of Samba 4.1.
Samba 4.1 will be the next version of the Samba suite and includes all the technology found in both the Samba4 series and the stable 3.x series. The primary additional features over Samba 3.6 are support for the Active Directory logon protocols used by Windows 2000 and above.
Major enhancements in Samba 4.1.0 include:
Client tools support SMB2/3
Samba 4.1.0 contains the first release of our client tools and client library that work over the new protocols SMB2 or SMB3. Note that SMB3 only works either to a Samba server version 4.0.0 or above, or to a Windows Server running Windows 2012 or Windows 8.
The default protocol for smbclient and smbcacls is still SMB1 (the NT1 protocol dialect). An SMB2 or SMB3 connection can be selected in one of two ways. The easiest way to test the new protocol connection is to add the -mMAX_PROTOCOL command line switch to either smbclient or smbcacls.
For example, to connect using SMB3 with smbclient a user would type:
smbclient //server/share -Uuser%password -mSMB3
Another example of connecting using SMB2 using smbcacls would be:
smbcacls //server/share -Uuser%password -mSMB2 filename
Note that when connecting using SMB2 or SMB3 protocols the UNIX extensions are no longer available inside the smbclient command set. This is due to UNIX extensions not yet being defined for the SMB2 or SMB3 protocols.
The second way to select SMB2 or SMB3 connections is to set the "client max protocol" parameter in the [global] section of your smb.conf.
Setting this parameter will cause all client connections from Samba and its client tools to offer the requested max protocol to a server on every connection request.
For example, to cause all client tools (including winbindd, rpcclient, and the libsmbclient library) to attempt to use SMB3 by default, add the line:
client max protocol = SMB3
to the [global] section of your smb.conf. This has not been as widely tested as the -mPROTOCOL options, but is intended to work correctly in the final release of 4.1.0.
Encrypted transport
Although Samba servers have supported encrypted transport connections using the UNIX extensions for many years, selecting SMB3 transport allows encrypted transport connections to Windows servers that support SMB3, as well as Samba servers.
In order to enable this, add the "-e" option to the smbclient command line.
For example, to connect to a Windows 2012 server over SMB3 and select an encrypted transport you would use the following command line:
smbclient //Win2012Server/share -Uuser%password -mSMB3 -e
Directory database replication (AD DC mode)
Directory replication has been reworked in order to improve the correctness and efficiency.
As a net effect, replication with domain controllers that have a heavily modified schema (i.e. Windows 2012 DCs, or other Windows DCs with Exchange installed) is now possible and no longer fails in such environments.
Server-Side Copy Support
Samba 4.1.0 adds support for server-side copy operations via the SMB2 FSCTL_SRV_COPYCHUNK request. Clients making use of server-side copy support, such as Windows Server 2012, should experience considerable performance improvements for file copy operations, as file data need not traverse the network.
This feature is enabled by default on the smbd file server.
Btrfs Filesystem Integration
The Btrfs VFS module provided with Samba 4.1.0 further improves the performance of server-side copy operations on shares backed by a Btrfs filesystem. It does so by allowing multiple files to share the same on-disk extents, avoiding the unnecessary duplication of source and destination file data during a server-side copy operation.
This feature can be explicitly enabled on smbd shares backed by a Btrfs filesystem with the smb.conf parameter:
vfs objects = btrfs
REMOVED COMPONENTS
The Samba Web Administration Tool (SWAT) has been removed. Details why SWAT has been removed can be found on the samba-technical mailing list:
https://lists.samba.org/archive/samba-technical/2013-February/090572.html
Changes
smb.conf changes
Parameter Name            Description  Default
--------------            -----------  -------
acl allow execute always  New          False
password level            Removed
set directory             Removed
use ntdb                  New          No
RUNNING Samba 4.1 as an AD DC
A short guide to setting up Samba as an AD DC can be found on the wiki:
Samba 4.0
- Release Notes for Samba 4.0
- December 11, 2012
Release Announcements
This is the first stable release of Samba 4.0.
This release contains the best of all of Samba's technology parts, both a file server (that you can reasonably expect to upgrade existing Samba 3.x releases to) and the AD domain controller work previously known as 'Samba4'.
Major enhancements in Samba 4.0.0 include:
Active Directory services
Samba 4.0 supports the server-side of the Active Directory logon environment used by Windows 2000 and later, so we can do full domain join and domain logon operations with these clients.
Our Domain Controller (DC) implementation includes our own built-in LDAP server and Kerberos Key Distribution Center (KDC) as well as the Samba3-like logon services provided over CIFS. We correctly generate the infamous Kerberos PAC, and include it with the Kerberos tickets we issue.
When running an AD DC, you only need to run 'samba' (not smbd/nmbd/winbindd), as the required services are coordinated by this master binary. The tool to administer the Active Directory services is called 'samba-tool'.
A short guide to setting up Samba 4 as an AD DC can be found on the wiki:
File Services
Samba 4.0.0 ships with two distinct file servers. We now use the file server from the Samba 3.x series 'smbd' for all file serving by default.
Samba 4.0 also ships with the 'NTVFS' file server. This file server is what was used prior to the beta2 release of Samba 4.0, and is tuned to match the requirements of an AD domain controller. We continue to support this, not only to provide continuity to installations that have deployed it as part of an AD DC, but also as a running example of the NT-FSA architecture we expect to move smbd to in the longer term.
For pure file server work, the binaries users would expect from that series (smbd, nmbd, winbindd, smbpasswd) continue to be available.
DNS
As DNS is an integral part of Active Directory, we also provide two DNS solutions: a simple internal DNS server for 'out of the box' configurations and a more elaborate BIND plugin using the BIND DLZ mechanism in versions 9.8 and 9.9. During the provision, you can select which backend to use. With the internal backend, your DNS server is good to go. If you choose the BIND_DLZ backend, a configuration file will be generated for BIND to make it use this plugin, as well as a file explaining how to set up BIND.
NTP
To provide accurate timestamps to Windows clients, we integrate with the NTP project to provide secured NTP replies. To use this, you need to start ntpd and configure it with the 'restrict ... ms-sntp' and ntpsigndsocket options.
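As an added illustration (not from the release notes or the NTP project's documentation), the two ntpd settings mentioned above look like this in ntp.conf; ntp.conf(5) spells the restrict flag `mssntp`, and the socket path is an assumption that must match the 'ntp signd socket directory' smb.conf parameter of your build:

```conf
# /etc/ntp.conf on the Samba AD DC (constructed example)
server 0.pool.ntp.org iburst          # assumption: any upstream time source

# Directory of the signing socket that 'samba' creates; it must match the
# 'ntp signd socket directory' smb.conf parameter (path is an assumption).
ntpsigndsocket /var/lib/samba/ntp_signd

# Let domain members obtain Microsoft-style signed SNTP replies.
restrict default kod nomodify notrap nopeer noquery mssntp
restrict 127.0.0.1
```

ntpd must be able to reach the socket in that directory, so the directory is typically group-owned by the group ntpd runs as; if the socket cannot be opened, ntpd still answers queries but the replies are unsigned and Windows clients will reject them.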
Python Scripting Interface
A new scripting interface has been added to Samba 4, allowing Python programs to interface to Samba's internals, and many tools and internal workings of the DC code are now implemented in Python.
Known Issues
- Replication of DNS data from one AD server to another may not work. The DNS data used by the internal DNS server and bind9_dlz is stored in an application partition in our directory. The replication of this partition is not yet reliable.
- Replication may fail on FreeBSD due to getaddrinfo() rejecting names containing _. A workaround will be in a future release.
- samba_upgradeprovision should not be run when upgrading to this release from a recent release. No important database format changes have been made since alpha16.
- Installation on systems without a system iconv (and developer headers at compile time) is known to cause errors when dealing with non-ASCII characters.
- Domain member support in the 'samba' binary is in its infancy, and is not comparable to the support found in winbindd. As such, do not use the 'samba' binary (provided for the AD server) on a member server.
- There is no NetBIOS browsing support (network neighbourhood) available for the AD domain controller. (Support in nmbd and smbd for classic domains and member/standalone servers is unchanged).
- Clock Synchronisation is critical. Many 'wrong password' errors are actually due to Kerberos objecting to a clock skew between client and server. (The NTP work in the previous alphas is partly to assist with this problem.)
- The DRS replication code may fail. Please contact the team if you experience issues with DRS replication, as we have fixed many issues here in response to feedback from our production users.
- Linux inotify will now only be supported on systems where glibc also supports it (for details, please refer to bug #8850).
Upgrading
Users upgrading from Samba 3.x domain controllers and wanting to use Samba 4.0 as an AD DC should use the 'samba-tool domain classicupgrade' command. See the wiki page 'Migrating a Samba NT4 Domain to Samba AD (Classic Upgrade)' for more details.
Users upgrading from Samba 4.0 alpha and beta releases since alpha15 should run 'samba-tool dbcheck --cross-ncs --fix' before re-starting Samba. Users upgrading from earlier alpha releases should contact the team for advice.
Users upgrading an AD DC from any previous release should run 'samba-tool ntacl sysvolreset' to re-sync ACLs on the sysvol share with those matching the GPOs in LDAP and the defaults from an initial provision. This will set an underlying POSIX ACL if required (e.g. when not using the NTVFS file server).
If you used the BIND9_FLATFILE or BIND9_DLZ features, you'll have to add '-dns' to the 'server services' option, as the internal dns server (SAMBA_INTERNAL) is the default now.
Supported features
A whitepaper of currently (un-)supported features is available on the wiki:
smb.conf changes
Parameter Name                          Description
--------------                          -----------
acl compatibility                       Removed
allow dns updates                       New
announce as                             Removed
announce version                        Removed
cldap port                              New
client max protocol                     New
client min protocol                     New
client signing                          Changed default
dcerpc endpoint servers                 New
dgram port                              New
directory security mask                 Removed
display charset                         Removed
dns forwarder                           New
dns update command                      New
force security mode                     Removed
force directory security mode           Removed
homedir map                             Changed default
kernel oplocks                          Changed default
kernel share modes                      New
kpasswd port                            New
krb5 port                               New
nbt client socket address               New
nbt port                                New
nsupdate command                        New
ntp signd socket directory              New
ntvfs handler                           New
paranoid server security                Removed
pid directory                           New
printer admin                           Removed
rndc command                            New
rpc big endian                          New
samba kcc command                       New
security mask                           Removed
send spnego principal                   Removed
server max protocol                     New
server min protocol                     New
server role                             New
server services                         New
server signing                          Changed default
share backend                           New
share modes                             Removed
smb2 max read                           Changed default
smb2 max write                          Changed default
smb2 max trans                          Changed default
socket address                          Removed
spn update command                      New
time offset                             Removed
tls cafile                              New
tls certfile                            New
tls crlfile                             New
tls dh params file                      New
tls enabled                             New
tls keyfile                             New
unicode                                 New
web port                                New
winbindd privileged socket directory    New
winbind sealed pipes                    New
winbindd socket directory               New
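The two smb.conf change tables (the Samba 4.1 one above and this Samba 4.0 one) are the kind of list an administrator needs to check a configuration against before an upgrade. The following added example (my own code, not a Samba tool) reads a smb.conf body, normalises parameter names the way Samba compares them (case and whitespace are ignored), and reports parameters the tables list as removed, plus changed-default parameters that the configuration never pins explicitly and therefore silently changes behaviour. The sample configuration is constructed for the example and the verdict wording is this script's own.

```python
import re

# Parameter lists taken from the smb.conf change tables in these release notes.
REMOVED = {
    "4.0": ["acl compatibility", "announce as", "announce version",
            "directory security mask", "display charset", "force security mode",
            "force directory security mode", "paranoid server security",
            "printer admin", "security mask", "send spnego principal",
            "share modes", "socket address", "time offset"],
    "4.1": ["password level", "set directory"],
}
CHANGED_DEFAULT = {
    "4.0": ["client signing", "homedir map", "kernel oplocks", "server signing",
            "smb2 max read", "smb2 max write", "smb2 max trans"],
}

# Constructed sample configuration (not from any real deployment).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user
   ; 'password level' was removed in 4.1, 'paranoid server security' in 4.0
   password level = 4
   paranoid server security = yes
   server signing = auto
   idmap config * : backend = tdb

[share]
   path = /srv/share
   share modes = no
"""


def canon(name):
    """Normalise a parameter name the way Samba compares them: case and
    whitespace are ignored, so 'Password Level' equals 'passwordlevel'."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Minimal smb.conf reader returning {section: {canonical_name: value}}.
    Only the first '=' splits a line, so 'idmap config * : backend' survives."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][canon(key)] = value.strip()
    return sections


def audit(text):
    """Return sorted (section, parameter, verdict) tuples for the config."""
    removed = {canon(n): (n, f"removed in Samba {v}")
               for v, names in REMOVED.items() for n in names}
    changed = {canon(n): (n, f"not set; default changed in Samba {v}")
               for v, names in CHANGED_DEFAULT.items() for n in names}
    sections = parse_smb_conf(text)
    findings = []
    for section, params in sections.items():
        for key in params:
            if key in removed:      # the new smbd no longer honours this setting
                findings.append((section, *removed[key]))
    # A changed default only bites when the value was never pinned in [global].
    global_params = sections.get("global", {})
    for key, (name, verdict) in changed.items():
        if key not in global_params:
            findings.append(("global", name, verdict))
    return sorted(findings)


if __name__ == "__main__":
    for section, name, verdict in audit(SAMPLE_SMB_CONF):
        print(f"[{section}] {name}: {verdict}")
```

Run against a real file with `audit(open("/etc/samba/smb.conf").read())`; the changed-default findings are deliberately noisy, because the safe pre-upgrade action is to decide for each one whether the old or the new default is wanted and write it down explicitly.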