@@ -0,0 +1,155 @@
+
+ include::{partialsdir}/entities.adoc[]
+
+ [[sect-file-servers]]
+ = File Servers and Domain Controllers
+
+ == Samba 4.9
+ Samba suite has been upgraded to 4.9 series. The upgrade brings a number of
+ changes that might affect default configuration or existing deployments.
+
+ A detailed set of release notes for Samba 4.9 is available at
+ https://www.samba.org/samba/history/samba-4.9.0.html
+
+ === Extended attributes support
+ Since Linux systems have support for extended attributes enabled by default,
+ parameters "map readonly", "store dos attributes" and "ea support" have had
+ their defaults changed to allow better Windows fileserver compatibility in a
+ default install.
+
+ .smb.conf parameters changes
+ |===
+ |Parameter Name|Description|Default
+
+ |map readonly
+ |Default changed
+ |no
+
+ |store dos attributes
+ |Default changed
+ |yes
+
+ |ea support
+ |Default changed
+ |yes
+
+ |full_audit:success
+ |Default changed
+ |none
+
+ |full_audit:failure
+ |Default changed
+ |none
+ |===
+
+ === Identity mapping changes
+
+ Over several releases, Samba configuration checks were improved to detect
+ typical identity mapping errors earlier and fail start up before the changes
+ might affect actual operation. With changes in identities causing access
+ control breaches and possibility of a data leakage to unwanted parties, this
+ effort is helping to reduce a number of incorrect but widely deployed cases.
+
+ Since Samba 4.6, the 'testparm' tool can be used to validate the ID mapping
+ configuration. After an upgrade please run it and check if it prints any
+ warnings or errors. Please see the 'IDENTITY MAPPING CONSIDERATIONS' section
+ in the smb.conf manpage for suggestions and recommendations. There are some ID
+ mapping backends which are not allowed to be used for the default backend.
+ Winbind daemon will no longer start if an invalid backend is configured as the default
+ backend.
+
+ Since Samba 4.8, configurations with "`security = domain`" or "`security = ads`"
+ require a running '`winbindd`' now. The fallback that smbd directly contacts
+ domain controllers is gone.
+
+ Finally, Samba 4.9 differentiates between anonymous and guest access via SMB
+ protocol. A side effect of this is that it is now required to have a mapping
+ for `BUILTIN\Guests` group. The mapping can be provided automatically if a
+ default identity backend allows to create entries on demand. Alternatively,
+ `net` utility can be used to provide a group mapping for `BUILTIN\Guests` via
+
+ net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
+
+
+ === CTDB configuration changes
+ Clustered Samba daemon (`CTDB`) configuration has been completely overhauled.
+
+ - Daemon and tool options are now specified in a new ctdb.conf
+ Samba-style configuration file. See `ctdb.conf(5)` for details.
+
+ - Event script configuration is no longer specified in the top-level
+ configuration file. It can now be specified per event script.
+ For example, configuration options for the `50.samba` event script
+ can be placed alongside the event script in a file called
+ `50.samba.options`. Script options can also be specified in a new
+ script.options file. See `ctdb-script.options(5)` for details.
+
+ - Options that affect CTDB startup should be configured in the
+ distribution-specific configuration file. See `ctdb.sysconfig(5)`
+ for details.
+
+ - Tunable settings are now loaded from `ctdb.tunables`. Using
+ `CTDB_SET_TunableVariable=<value>` in the main configuration file is
+ no longer supported. See `ctdb-tunables(7)` for details.
+
+ A example script to migrate an old-style configuration to the new
+ style is available in `/usr/share/doc/ctdb/examples/config_migrate.sh`.
+
+ === Kerberos integration
+ Local authorization plugin for MIT Kerberos has been added. The plugin controls
+ the relationship between Kerberos principals and AD accounts through winbind.
+ The module receives the Kerberos principal and the local account name as inputs
+ and can then check if they match. This can resolve issues with canonicalized
+ names returned by Kerberos within AD. If the user tries to log in as 'alice',
+ but the samAccountName is set to ALICE (uppercase), Kerberos would return ALICE
+ as the username. Kerberos would not be able to map 'alice' to 'ALICE' in this
+ case and auth would fail. With this plugin, account names can be correctly
+ mapped. This only applies to GSSAPI authentication, not for getting the initial
+ ticket granting ticket.
+
+ With this plugin, winbind-based configurations are on par with SSSD in AD environment.
+
+ === Samba AD DC
+ Active Directory Domain Controller in Samba 4.9 saw a number of improvements. Most notably,
+ a new experimental LDB backend using LMDB is now available. This allows
+ databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be
+ increased in a future release). To enable lmdb, provision or join a domain using
+ the "`--backend-store=mdb`" option.
+
+ Please note this is an experimental feature and is not recommended for
+ production deployments.
+
+ Samba AD DC in Fedora is built with MIT Kerberos. As of Samba 4.9, MIT Kerberos
+ support in Samba AD DC is still experimental and may exhibit bugs. There are
+ known and not yet fixed issues in the Samba bug-tracker upstream:
+
+ - https://bugzilla.samba.org/show_bug.cgi?id=13516
+ - https://bugzilla.samba.org/show_bug.cgi?id=13517
+
+ The support for trusted domains/forests has been further improved. External
+ domain trusts, as well a transitive forest trusts, are supported in both
+ directions (inbound and outbound) for Kerberos and NTLM authentication.
+
+ The following features are new in 4.9 (compared to 4.8):
+
+ - It's now possible to add users/groups of a trusted domain
+ into domain groups. The group memberships are expanded
+ on trust boundaries.
+ - foreignSecurityPrincipal objects (FPO) are now automatically
+ created when members (as SID) of a trusted domain/forest
+ are added to a group.
+ - The '`samba-tool group *members`' commands allow
+ members to be specified as foreign SIDs.
+
+ However there are currently still a few limitations:
+
+ - Both sides of the trust need to fully trust each other!
+ - No SID filtering rules are applied at all!
+ - This means DCs of domain A can grant domain admin rights
+ in domain B.
+ - Selective (CROSS_ORGANIZATION) authentication is
+ not supported. It's possible to create such a trust,
+ but the KDC and winbindd ignore them.
+ - Samba can still only operate in a forest with just
+ one single domain.
+
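Review bot: the table under "Extended attributes support" buries an audit-logging regression: the rows `|full_audit:success` / `|none` and `|full_audit:failure` / `|none` mean the vfs_full_audit module records nothing on a share unless both parameters are set explicitly, but the prose before the table only explains the three xattr-related parameters and the "Description" column just says "Default changed". Give the two full_audit rows their own short paragraph (or heading) stating that audit logging is now opt-in and that every existing share with `vfs objects = full_audit` should set `full_audit:success` and `full_audit:failure` explicitly after the upgrade, and use the Description column to say what each parameter controls rather than that it changed. Smaller points in the same hunk: "A example script" should read "An example script"; "as well a transitive forest trusts" should read "as well as transitive forest trusts"; "4Gb"/"6Gb" should be "4 GB"/"6 GB"; and the `net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin` line should be marked as a literal/source block and note that `nobody` is only an example Unix group, since whatever group is mapped to `BUILTIN\Guests` is what guest and anonymous SMB sessions will run as.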
This pull request adds release notes for Samba 4.9 which is part of Fedora 29 beta.