WHATSNEW.txt: announce 4.9.0 trust improvements

Stefan Metzmacher metze at samba.org
Wed Sep 12 09:33:20 UTC 2018


Hi Karo,

here's an update for WHATSNEW.txt regarding the trust improvements
of 4.9.0.

Please review and push for the final release.

Thanks!
metze

-------------- next part --------------
From 3aaaf3cef7a35250566eb79b8f412419af05ae66 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 12 Sep 2018 11:28:24 +0200
Subject: [PATCH] WHATSNEW.txt: announce 4.9.0 trust improvements

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 WHATSNEW.txt | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 07cd9f2fc061..7c71544bac71 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -265,6 +265,38 @@ feature, currently it should be enabled from the DNS Manager tool from
 Windows. Also the feature needs to have been enabled by setting the smb.conf
 parameter "dns zone scavenging = yes".
 
+Improved support for trusted domains (as AD DC)
+-----------------------------------------------
+
+The support for trusted domains/forests has been further improved.
+
+External domain trusts, as well a transitive forest trusts,
+are supported in both directions (inbound and outbound)
+for Kerberos and NTLM authentication.
+
+The following features are new in 4.9 (compared to 4.8):
+
+- It's now possible to add users/groups of a trusted domain
+  into domain groups. The group memberships are expanded
+  on trust boundaries.
+- foreignSecurityPrincipal objects (FPO) are now automatically
+  created when members (as SID) of a trusted domain/forest
+  are added to a group.
+- The 'samba-tool group *members' commands allow
+  members to be specified as foreign SIDs.
+
+However there are currently still a few limitations:
+
+- Both sides of the trust need to fully trust each other!
+- No SID filtering rules are applied at all!
+- This means DCs of domain A can grant domain admin rights
+  in domain B.
+- Selective (CROSS_ORIGANIZATION) authentication is
+  not supported. It's possible to create such a trust,
+  but the KDC and winbindd ignore them.
+- Samba can still only operate in a forest with just
+  one single domain.
+
 CTDB changes
 ------------
 
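Review bot: the "limitations" list in this hunk documents a serious security property but stops short of telling admins what to do about it; "No SID filtering rules are applied at all!" together with "DCs of domain A can grant domain admin rights in domain B" means the trusted side's DCs are effectively part of the local domain's trusted computing base, so the text should say explicitly that a trust must only be created with a domain whose administrators and domain controllers are fully trusted, since nothing on the Samba side (no SID filtering, no selective authentication) limits what a compromised or malicious trusted DC can assert. Three wording fixes in the same hunk: "as well a transitive forest trusts" should read "as well as transitive forest trusts"; "CROSS_ORIGANIZATION" should be spelled "CROSS_ORGANIZATION"; and "It's possible to create such a trust, but the KDC and winbindd ignore them." should use "ignore it" to agree with "such a trust".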
-- 
2.17.1
