WHATSNEW.txt: announce 4.9.0 trust improvements
Stefan Metzmacher
metze at samba.org
Wed Sep 12 09:33:20 UTC 2018
Hi Karo,
here's an update for WHATSNEW.txt regarding the trust improvements
of 4.9.0.
Please review and push for the final release.
Thanks!
metze
-------------- next part --------------
From 3aaaf3cef7a35250566eb79b8f412419af05ae66 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 12 Sep 2018 11:28:24 +0200
Subject: [PATCH] WHATSNEW.txt: announce 4.9.0 trust improvements
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
WHATSNEW.txt | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 07cd9f2fc061..7c71544bac71 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -265,6 +265,38 @@ feature, currently it should be enabled from the DNS Manager tool from
Windows. Also the feature needs to have been enabled by setting the smb.conf
parameter "dns zone scavenging = yes".
+Improved support for trusted domains (as AD DC)
+-----------------------------------------------
+
+The support for trusted domains/forests has been further improved.
+
+External domain trusts, as well a transitive forest trusts,
+are supported in both directions (inbound and outbound)
+for Kerberos and NTLM authentication.
+
+The following features are new in 4.9 (compared to 4.8):
+
+- It's now possible to add users/groups of a trusted domain
+ into domain groups. The group memberships are expanded
+ on trust boundaries.
+- foreignSecurityPrincipal objects (FPO) are now automatically
+ created when members (as SID) of a trusted domain/forest
+ are added to a group.
+- The 'samba-tool group *members' commands allow
+ members to be specified as foreign SIDs.
+
+However there are currently still a few limitations:
+
+- Both sides of the trust need to fully trust each other!
+- No SID filtering rules are applied at all!
+- This means DCs of domain A can grant domain admin rights
+ in domain B.
+- Selective (CROSS_ORIGANIZATION) authentication is
+ not supported. It's possible to create such a trust,
+ but the KDC and winbindd ignore them.
+- Samba can still only operate in a forest with just
+ one single domain.
+
CTDB changes
------------
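Review bot: two typos in the new section: "as well a transitive forest trusts" should read "as well as transitive forest trusts", and "CROSS_ORIGANIZATION" should be "CROSS_ORGANIZATION". The selective-authentication item is also ambiguous: "the KDC and winbindd ignore them" could mean such trusts are ignored entirely or that only the selective flag is ignored and the trust then behaves as a normal, fully permissive one; since an administrator may rely on that flag to restrict who can authenticate across the trust, please state which it is. Given that the list says no SID filtering is applied and that DCs of domain A can grant domain admin rights in domain B, consider opening the limitations list with one sentence making the consequence explicit, e.g. "A trusted domain must be treated as part of the same security boundary as the local domain", rather than leaving it to be inferred from the bullets.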
--
2.17.1