[Samba] [Announce] Samba 4.9.0 Available for Download
Karolin Seeger
kseeger at samba.org
Thu Sep 13 10:19:18 UTC 2018
========================================================
"Former police chief of Houston once
said of me: “Frank Abagnale could write
a check on toilet paper, drawn on the
Confederate States Treasury, sign it
‘U.R. Hooked’ and cash it at any bank
in town, using a Hong Kong driver’s
license for identification.”
Frank W. Abagnale, Catch Me If You Can:
The True Story of a Real Fake
========================================================
Release Announcements
---------------------
=============================
Release Notes for Samba 4.9.0
September 13, 2018
=============================
This is the first stable release of the Samba 4.9 release series.
Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
====================
'net ads setspn'
----------------
There is a new 'net ads setspn' subcommand for managing Windows SPN(s)
on the AD. This command aims to give the basic functionality that is
provided on Windows by 'setspn.exe', e.g. the ability to add, delete and list
Windows SPN(s) stored in a Windows AD Computer object.
The format of the command is:
net ads setspn list [machine]
net ads setspn [add | delete ] SPN [machine]
'machine' is the name of the computer account on the AD that is to be managed.
If 'machine' is not specified the name of the 'client' running the command
is used instead.
The format of a Windows SPN is
'serviceclass/host:port/servicename' (servicename and port are optional).
serviceclass/host is generally sufficient to specify a host-based service.
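The SPN format above is easy to get subtly wrong (a stray slash, a bad port, a case-variant duplicate of an SPN already registered). The following is an added example, not code from the release notes or from 'net': a small parser for the serviceclass/host[:port][/servicename] form that validates entries and detects case-insensitive duplicates before they are handed to 'net ads setspn add'. It goes slightly beyond the page in one respect: a non-numeric value in the port position is accepted as-is, because Windows also permits an instance name there; that and the case-insensitive comparison are assumptions stated here, not facts from the page.

```python
import re

# Added example, not part of Samba or the release notes: validate and
# normalise Windows SPNs of the form serviceclass/host[:port][/servicename].
SPN_RE = re.compile(
    r"^(?P<serviceclass>[^/:]+)/(?P<host>[^/:]+)"  # serviceclass/host (mandatory)
    r"(?::(?P<port>[^/:]+))?"                       # :port (optional)
    r"(?:/(?P<servicename>[^/:]+))?$"               # /servicename (optional)
)


def parse_spn(spn):
    """Split an SPN into its parts; raise ValueError if it is malformed."""
    m = SPN_RE.match(spn.strip())
    if not m:
        raise ValueError("malformed SPN: %r" % spn)
    parts = m.groupdict()
    if parts["port"] is not None and parts["port"].isdigit():
        # Numeric port: range-check it. A non-numeric value is kept as a
        # string, since Windows also allows an instance name in this slot
        # (assumption, see lead-in).
        parts["port"] = int(parts["port"])
        if not 1 <= parts["port"] <= 65535:
            raise ValueError("port out of range in SPN: %r" % spn)
    return parts


def format_spn(serviceclass, host, port=None, servicename=None):
    """Inverse of parse_spn: build the canonical string form."""
    spn = "%s/%s" % (serviceclass, host)
    if port is not None:
        spn += ":%s" % port
    if servicename is not None:
        spn += "/%s" % servicename
    return spn


def spn_key(spn):
    """Case-folded key for duplicate detection (AD compares SPNs
    case-insensitively, an assumption stated in the lead-in)."""
    p = parse_spn(spn)
    return format_spn(p["serviceclass"], p["host"], p["port"], p["servicename"]).lower()


def find_duplicates(spns):
    """Return the SPNs that collide with an earlier entry after folding."""
    seen, dupes = set(), []
    for spn in spns:
        k = spn_key(spn)
        if k in seen:
            dupes.append(spn)
        seen.add(k)
    return dupes
```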
'net ads keytab' changes
------------------------
'net ads keytab add' no longer attempts to convert the passed serviceclass
(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
computer object. By default just the keytab file is modified.
A new keytab subcommand 'add_update_ads' has been added to preserve the
legacy behaviour. However, the new 'net ads setspn add' subcommand should
really be used instead.
'net ads keytab create' no longer tries to generate SPN(s) from existing
entries in a keytab file. If it is required to add Windows SPN(s) then
'net ads setspn add' should be used instead.
Local authorization plugin for MIT Kerberos
-------------------------------------------
This plugin controls the relationship between Kerberos principals and AD
accounts through winbind. The module receives the Kerberos principal and the
local account name as inputs and can then check if they match. This can resolve
issues with canonicalized names returned by Kerberos within AD. If the user
tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
Kerberos would return ALICE as the username. Kerberos would not be able to map
'alice' to 'ALICE' in this case and auth would fail. With this plugin, account
names can be correctly mapped. This only applies to GSSAPI authentication,
not for getting the initial ticket granting ticket.
VFS audit modules
-----------------
The vfs_full_audit module has changed its default set of monitored successful
and failed operations from "all" to "none". This helps to prevent a potential
denial of service caused simply by adding the module to the VFS objects.
Also, modules vfs_audit, vfs_ext_audit and vfs_full_audit now accept any valid
syslog(3) facility, in accordance with the manual page.
Database audit support
----------------------
Changes to the Samba AD's sam.ldb database are now logged to Samba's debug log
under the "dsdb_audit" debug class and "dsdb_json_audit" for JSON formatted log
entries.
Transaction commits and roll backs are now logged to Samba's debug logs under
the "dsdb_transaction_audit" debug class and "dsdb_transaction_json_audit" for
JSON formatted log entries.
Password change audit support
-----------------------------
Password changes in the AD DC are now logged to Samba's debug logs under the
"dsdb_password_audit" debug class and "dsdb_password_json_audit" for JSON
formatted log entries.
Group membership change audit support
-------------------------------------
Group membership changes on the AD DC are now logged to
Samba's debug log under the "dsdb_group_audit" debug class and
"dsdb_group_json_audit" for JSON formatted log entries.
Log Authentication duration
---------------------------
For NTLM and Kerberos KDC authentication, the authentication duration is now
logged. Note that the duration is only included in the JSON formatted log
entries.
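The JSON formatted entries described in the audit sections above (database, password, group membership and authentication) are written into Samba's debug log, interleaved with ordinary debug header lines. The following is an added example, not Samba's own code: it pulls the JSON objects out of such log text and summarises the events a reviewer wants first (membership changes on privileged groups, password changes, slow authentications). The log sample is constructed, and the JSON field names and the microsecond unit for "duration" are assumptions modelled on Samba's JSON audit format rather than facts stated in the release notes; check them against your own DC's output.

```python
import json

# Constructed sample of Samba debug-log text carrying JSON audit entries.
# Field names are an assumption modelled on Samba's JSON audit format,
# not taken from the release notes; verify against your own DC's output.
SAMPLE_LOG = """
[2018/09/13 10:19:18.000000,  5] constructed debug header line
  {"timestamp": "2018-09-13T10:19:18+0000", "type": "groupChange", "groupChange": {"status": "Success", "action": "Added", "remoteAddress": "ipv4:10.0.0.5:49152", "performedAsSystem": false, "userSid": "S-1-5-21-1-2-3-1104", "user": "CN=alice,CN=Users,DC=example,DC=com", "group": "CN=Domain Admins,CN=Users,DC=example,DC=com"}}
[2018/09/13 10:19:19.000000,  5] constructed debug header line
  {"timestamp": "2018-09-13T10:19:19+0000", "type": "passwordChange", "passwordChange": {"status": "Success", "action": "Reset", "remoteAddress": "ipv4:10.0.0.5:49152", "performedAsSystem": false, "userSid": "S-1-5-21-1-2-3-1104", "dn": "CN=bob,CN=Users,DC=example,DC=com"}}
[2018/09/13 10:19:20.000000,  3] constructed debug header line
  {"timestamp": "2018-09-13T10:19:20+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "authDescription": "Kerberos KDC", "clientAccount": "bob", "remoteAddress": "ipv4:10.0.0.7:50000", "duration": 2500000}}
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def iter_audit_entries(log_text):
    """Yield the JSON audit objects embedded in debug-log text, skipping headers."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # truncated or interleaved line: ignore it
        if entry.get("type") in entry:  # body lives under a key named after the type
            yield entry


def summarize(log_text, slow_auth_us=1000000):
    """Collect privileged-group changes, password changes and slow authentications."""
    priv, pw, slow = [], [], []
    for entry in iter_audit_entries(log_text):
        kind, body = entry["type"], entry[entry["type"]]
        if kind == "groupChange":
            cn = body["group"].split(",", 1)[0][3:]  # "CN=Domain Admins,..." -> "Domain Admins"
            if cn in PRIVILEGED_GROUPS:
                priv.append((body["action"], body["user"], body["group"], body["userSid"]))
        elif kind == "passwordChange":
            pw.append((body["action"], body["dn"], body["userSid"]))
        elif kind == "Authentication" and body.get("duration", 0) > slow_auth_us:
            # duration unit assumed to be microseconds (see lead-in)
            slow.append((body["clientAccount"], body["authDescription"], body["duration"]))
    return {"privileged_group_changes": priv, "password_changes": pw, "slow_auths": slow}
```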
JSON library Jansson required for the AD DC
-------------------------------------------
By default, the Jansson JSON library is required for Samba to build.
It is strictly required for the Samba AD DC, and is optional for builds
configured with "--without-ad-dc" when "--without-json-audit" is also
specified at configure time.
New experimental LMDB LDB backend
---------------------------------
A new experimental LDB backend using LMDB is now available. This allows
databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be
increased in a future release). To enable lmdb, provision or join a domain using
the "--backend-store=mdb" option.
This requires that a version of lmdb greater than 0.9.16 is installed and that
Samba has not been built with the "--without-ldb-lmdb" option.
Please note this is an experimental feature and is not recommended for
production deployments.
Password Settings Objects
-------------------------
Support has been added for Password Settings Objects (PSOs). This AD feature is
also known as Fine-Grained Password Policies (FGPP).
PSOs allow AD administrators to override the domain password policy settings
for specific users, or groups of users. For example, PSOs can force certain
users to have longer password lengths, or relax the complexity constraints for
other users, and so on. PSOs can be applied to groups or to individual users.
When multiple PSOs apply to the same user, essentially the PSO with the best
precedence takes effect.
PSOs can be configured and applied to users/groups using the 'samba-tool domain
passwordsettings pso' set of commands.
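The note that "the PSO with the best precedence takes effect" compresses a few rules. The following is an added example, not Samba's own code, that works out the resultant PSO for an account using the AD fine-grained password policy rules (which go beyond what the page states and are assumptions here): a PSO linked directly to the user beats any inherited through group membership, among candidates at the same level the lowest msDS-PasswordSettingsPrecedence wins, ties go to the lowest objectGUID, and with no candidates the domain password policy applies. The PSOs and memberships are constructed sample data.

```python
# Added example, not Samba's own code: resolve the effective Password
# Settings Object for a user. Rules (AD resultant-PSO rules, an assumption
# here): direct user link beats group link; lowest precedence wins within a
# level; ties go to the lowest objectGUID; None means the domain policy.

def _norm(dn):
    # DNs compare case-insensitively in AD; fold before comparing
    return dn.strip().lower()


def resultant_pso(user_dn, user_group_dns, psos):
    """Return the name of the effective PSO for user_dn, or None.

    psos: dicts with 'name', 'precedence' (int), 'guid' (str) and
    'applies_to' (DNs from msDS-PSOAppliesTo). user_group_dns must already
    include nested groups; expanding membership is the caller's job.
    """
    def best(cands):
        return min(cands, key=lambda p: (p["precedence"], p["guid"].lower()))["name"]

    user = _norm(user_dn)
    direct = [p for p in psos if user in map(_norm, p["applies_to"])]
    if direct:
        return best(direct)
    groups = {_norm(g) for g in user_group_dns}
    via_group = [p for p in psos if groups.intersection(map(_norm, p["applies_to"]))]
    return best(via_group) if via_group else None


# Constructed sample PSOs (GUIDs are made up).
SAMPLE_PSOS = [
    {"name": "AdminsStrict", "precedence": 10, "guid": "b1b1b1b1-0000-4000-8000-000000000001",
     "applies_to": ["CN=Domain Admins,CN=Users,DC=example,DC=com"]},
    {"name": "ServiceAccounts", "precedence": 50, "guid": "c2c2c2c2-0000-4000-8000-000000000002",
     "applies_to": ["CN=svc-backup,OU=Service,DC=example,DC=com"]},
    {"name": "ServiceAccountsAlt", "precedence": 50, "guid": "a0a0a0a0-0000-4000-8000-000000000003",
     "applies_to": ["CN=svc-backup,OU=Service,DC=example,DC=com"]},
]
```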
Domain backup and restore
-------------------------
A new 'samba-tool' subcommand has been added that allows administrators to
create a backup-file of their domain DB. In the event of a catastrophic failure
of the domain, this backup-file can be used to restore Samba services.
The new 'samba-tool domain backup online' command takes a snapshot of the
domain DB from a given DC. In the event of a catastrophic DB failure, all DCs
in the domain should be taken offline, and the backup-file can then be used to
recreate a fresh new DC, using the 'samba-tool domain backup restore' command.
Once the backed-up domain DB has been restored on the new DC, other DCs can
then subsequently be joined to the new DC, in order to repopulate the Samba
network.
Domain rename tool
------------------
Basic support has been added for renaming a Samba domain. The rename feature is
designed for the following cases:
1). Running a temporary alternate domain, in the event of a catastrophic
failure of the regular domain. Using a completely different domain name and
realm means that the original domain and the renamed domain can both run at the
same time, without interfering with each other. This is an advantage over
creating a regular 'online' backup - it means the renamed/alternate domain can
provide core Samba network services, while trouble-shooting the fault on the
original domain can be done in parallel.
2). Creating a realistic lab domain or pre-production domain for testing.
Note that the rename tool is currently not intended to support a long-term
rename of the production domain. Currently renaming the GPOs is not supported
and would need to be done manually.
The domain rename is done in two steps: first, the 'samba-tool domain backup
rename' command will clone the domain DB, renaming it in the process, and
producing a backup-file. Then, the 'samba-tool domain backup restore' command
takes the backup-file and restores the renamed DB to disk on a fresh DC.
New samba-tool options for diagnosing DRS replication issues
------------------------------------------------------------
The 'samba-tool drs showrepl' command has two new options controlling
the output. With --summary, the command says very little when DRS
replication is working well. With --json, JSON is produced. These
options are intended for human and machine audiences, respectively.
The 'samba-tool visualize uptodateness' command visualizes replication lag as
a heat-map matrix based on the DRS uptodateness vectors. This will
show you whether (but not why) changes are failing to replicate to some DCs.
Automatic site coverage and GetDCName improvements
--------------------------------------------------
Samba's AD DC now automatically claims otherwise empty sites based on
which DC is the nearest in the replication topology.
This, combined with efforts to correctly identify the client side in
the GetDCName Netlogon call, will improve service to sites without a
local DC.
Improved 'samba-tool computer' command
--------------------------------------
The 'samba-tool computer' command allows manipulation of computer
accounts, including creating a new computer and resetting the password.
This allows an 'offline join' of a member server or workstation to the
Samba AD domain.
New 'samba-tool ou' command
---------------------------
The new 'samba-tool ou' command allows managing organizational units.
Available subcommands are:
create - Create an organizational unit.
delete - Delete an organizational unit.
list - List all organizational units.
listobjects - List all objects in an organizational unit.
move - Move an organizational unit.
rename - Rename an organizational unit.
In addition to the ou commands, there are new subcommands for the user
and group management, which can make use of the organizational units:
group move - Move a group to an organizational unit/container.
user move - Move a user to an organizational unit/container.
user show - Display a user AD object.
Samba performance tool now operates against Microsoft Windows AD
----------------------------------------------------------------
The Samba AD performance testing tool 'traffic_replay' can now operate
against a Windows based AD domain. Previously it only operated
correctly against Samba.
DNS entries are now cleaned up during DC demote
-----------------------------------------------
DNS records are now cleaned up as part of 'samba-tool domain demote',
in both the default and '--remove-other-dead-server' modes.
Additionally, DNS records can be automatically cleaned up for a given
name with the 'samba-tool dns cleanup' command, which aids in cleaning
up partially removed DCs.
samba-tool ntacl sysvolreset is now much faster
-----------------------------------------------
The 'samba-tool ntacl sysvolreset' command, used on the Samba AD DC,
is now much faster than in previous versions, after an internal
rework.
Samba now tested with CI GitLab
-------------------------------
Samba developers now have pre-commit testing available in GitLab,
giving reviewers confidence that the submitted patches pass a full CI
before being submitted to the Samba Team's own autobuild system.
Dynamic DNS record scavenging support
-------------------------------------
It is now possible to enable scavenging of DNS Zones to remove DNS
records that were dynamically created and have not been touched in
some time.
This support should however only be enabled on new zones or new
installations. Sadly old Samba versions suffer from BUG 12451 and
mark dynamic DNS records as static and static records as dynamic.
While a dbcheck rule may be able to find these in the future,
currently a reliable test has not been devised.
Finally, there is currently no command-line tool to enable this
feature; it should be enabled from the DNS Manager tool on
Windows. The feature also needs to have been enabled by setting the smb.conf
parameter "dns zone scavenging = yes".
Improved support for trusted domains (as AD DC)
-----------------------------------------------
The support for trusted domains/forests has been further improved.
External domain trusts, as well as transitive forest trusts,
are supported in both directions (inbound and outbound)
for Kerberos and NTLM authentication.
The following features are new in 4.9 (compared to 4.8):
- It's now possible to add users/groups of a trusted domain
into domain groups. The group memberships are expanded
on trust boundaries.
- foreignSecurityPrincipal objects (FPO) are now automatically
created when members (as SID) of a trusted domain/forest
are added to a group.
- The 'samba-tool group *members' commands allow
members to be specified as foreign SIDs.
However there are currently still a few limitations:
- Both sides of the trust need to fully trust each other!
- No SID filtering rules are applied at all!
- This means DCs of domain A can grant domain admin rights
in domain B.
- Selective (CROSS_ORGANIZATION) authentication is
not supported. It's possible to create such a trust,
but the KDC and winbindd ignore the