WHATSNEW: Improved support for trusted domains (as AD DC) and others

Stefan Metzmacher metze at samba.org
Thu Mar 1 09:24:58 UTC 2018


Hi Karo,

please find a WHATSNEW update that reflects the current state for
trust support in 4.8.

metze
-------------- next part --------------
From 3823803656945c3511fa829c081f06a65068d864 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 1 Mar 2018 09:31:17 +0100
Subject: [PATCH 1/3] WHATSNEW: move descriptions of removed features to
 "REMOVED FEATURES"

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
---
 WHATSNEW.txt | 66 ++++++++++++++++++++++++++++++++----------------------------
 1 file changed, 35 insertions(+), 31 deletions(-)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 357a8f6..f10ec20 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -133,37 +133,6 @@ dot or xdot, this shows the network as a graph with DCs as vertices
 and connections edges. Certain types of degenerate edges are shown in
 different colours or line-styles.
 
-NT4-style replication based net commands removed
-------------------------------------------------
-
-The following commands and sub-commands have been removed from the
-"net" utility:
-
-net rpc samdump
-net rpc vampire ldif
-
-Also, replicating from a real NT4 domain with "net rpc vampire" and
-"net rpc vampire keytab" has been removed.
-
-The NT4-based commands were accidentially broken in 2013, and nobody
-noticed the breakage. So instead of fixing them including tests (which
-would have meant writing a server for the protocols, which we don't
-have) we decided to remove them.
-
-For the same reason, the "samsync", "samdeltas" and "database_redo"
-commands have been removed from rpcclient.
-
-"net rpc vampire keytab" from Active Directory domains continues to be
-supported.
-
-vfs_aio_linux module removed
-----------------------------
-
-The current Linux kernel aio does not match what Samba would
-do. Shipping code that uses it leads people to false
-assumptions. Samba implements async I/O based on threads by default,
-there is no special module required to see benefits of read and write
-request being sent do the disk in parallel.
 
 smbclient reparse point symlink parameters reversed
 ---------------------------------------------------
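Review bot: the removal leaves two consecutive blank lines (the unchanged blank context line before the deleted block and the one after it) directly ahead of "smbclient reparse point symlink parameters reversed", whereas the other "----" subsections in this file are separated by a single blank line; drop one of the two so the spacing stays consistent.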
@@ -202,6 +171,9 @@ software to provide scanning and filtering of files on a Samba share.
 REMOVED FEATURES
 ================
 
+'net serverid' commands removed
+-------------------------------
+
 The two commands 'net serverid list' and 'net serverid wipe' have been
 removed, because the file serverid.tdb is not used anymore.
 
@@ -216,6 +188,38 @@ properly cleaned up after single node crashes. Nowadays smbd and
 winbind take care of cleaning up the msg.lock and msg.sock directories
 automatically.
 
+NT4-style replication based net commands removed
+------------------------------------------------
+
+The following commands and sub-commands have been removed from the
+"net" utility:
+
+net rpc samdump
+net rpc vampire ldif
+
+Also, replicating from a real NT4 domain with "net rpc vampire" and
+"net rpc vampire keytab" has been removed.
+
+The NT4-based commands were accidentially broken in 2013, and nobody
+noticed the breakage. So instead of fixing them including tests (which
+would have meant writing a server for the protocols, which we don't
+have) we decided to remove them.
+
+For the same reason, the "samsync", "samdeltas" and "database_redo"
+commands have been removed from rpcclient.
+
+"net rpc vampire keytab" from Active Directory domains continues to be
+supported.
+
+vfs_aio_linux module removed
+----------------------------
+
+The current Linux kernel aio does not match what Samba would
+do. Shipping code that uses it leads people to false
+assumptions. Samba implements async I/O based on threads by default,
+there is no special module required to see benefits of read and write
+request being sent do the disk in parallel.
+
 
 smb.conf changes
 ================
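Review bot: since these paragraphs are being moved verbatim, this is the moment to fix the typos they carry: "accidentially" should be "accidentally", and "read and write request being sent do the disk in parallel" should be "read and write requests being sent to the disk in parallel".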
-- 
1.9.1


From db15c8dc933aa07fe8638b9b2f71dbded9cd6a92 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 1 Mar 2018 09:32:23 +0100
Subject: [PATCH 2/3] WHATSNEW: reference 'smbclient reparse point symlink
 parameters reversed' to 'UPGRADING'

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
---
 WHATSNEW.txt | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f10ec20..3c03af7 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -22,6 +22,12 @@ Unlike in previous releases a transparent downgrade is not possible.
 If you wish to downgrade such a DB to a Samba 4.7 or earlier version,
 please run the source4/scripting/bin/sambaundoguididx script first.
 
+smbclient reparse point symlink parameters reversed
+---------------------------------------------------
+
+See the more detailed description below.
+
+
 NEW FEATURES/CHANGES
 ====================
 
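Review bot: the new UPGRADING entry consists only of "See the more detailed description below.", so an administrator scanning UPGRADING for breaking changes gets no indication of what actually changed. Add a one-sentence summary of the reversed parameters to this entry and keep the pointer to the fuller description for the details.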
-- 
1.9.1


From d63221adc5da5aa120b69a4dcca9b6e2ff36401b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 1 Mar 2018 09:52:51 +0100
Subject: [PATCH 3/3] WHATSNEW: add 'Improved support for trusted domains (as
 AD DC)' section

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
---
 WHATSNEW.txt | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 3c03af7..e7ea164 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -167,6 +167,34 @@ domains. Some pam_winbind setups may also require the global list.
 If you have a setup that doesn't require the global list, you should set
 "winbind scan trusted domains = no".
 
+Improved support for trusted domains (as AD DC)
+-----------------------------------------------
+
+The support for trusted domains/forests has improved a lot.
+
+External domain trusts, as well a transitive forest trusts,
+are supported in both directions (inbound and outbound)
+for Kerberos and NTLM authentication now.
+
+The LSA LookupNames and LookupSids implementations
+support resolving names and sids from trusts domains/forest
+now. This is important in order to allow Samba based
+domain members to make use of the trust.
+
+However there are currently still a few limitations:
+
+- It's not possible to add users/groups of a trusted domain
+  into domain groups. So group memberships are not expanded
+  on trust boundaries.
+  See https://bugzilla.samba.org/show_bug.cgi?id=13300
+- Both sides of the trust need to fully trust each other!
+- No SID filtering rules are applied at all!
+- This means DCs of domain A can grant domain admin rights
+  in domain B.
+- Selective (CROSS_ORIGANIZATION) authentication is
+  not supported. It's possible to create such a trust,
+  but the KDC and winbindd ignore them.
+
 VirusFilter VFS module
 ----------------------
 
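Review bot: the limitations list states one security-relevant issue as three separate bullets ("Both sides of the trust need to fully trust each other!", "No SID filtering rules are applied at all!", "This means DCs of domain A can grant domain admin rights in domain B."); fold them into a single bullet that leads with the consequence, e.g. "No SID filtering is applied on either side of the trust, so DCs of domain A can grant domain admin rights in domain B; both sides must fully trust each other." Also fix the wording: "as well a transitive forest trusts" should be "as well as transitive forest trusts", "from trusts domains/forest" should be "from trusted domains/forests", "CROSS_ORIGANIZATION" should be "CROSS_ORGANIZATION" (the attribute is TRUST_ATTRIBUTE_CROSS_ORGANIZATION), and "the KDC and winbindd ignore them" should be "ignore it" to agree with "such a trust".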
-- 
1.9.1
