PR#217: Add release notes for Samba 4.9 - fedora-docs/release-notes

fedora-docs / release-notes

#217 Add release notes for Samba 4.9

Merged 5 years ago by pbokoc. Opened 5 years ago by abbra.

fedora-docs/ abbra/release-notes f29-samba-release-notes into f29

Alexander Bokovoy • 5 years ago

fdbd800

file modified

		`@@ -11,6 +11,7 @@`
		`*** xref:sysadmin/Automation.adoc[Automation]`
		`*** xref:sysadmin/Virtualization.adoc[Virtualization]`
		`*** xref:sysadmin/Mail_Servers.adoc[Mail Servers]`
		`+ *** xref:sysadmin/File_Servers.adoc[File Servers and Domain Controllers]`
		`*** xref:sysadmin/Xorg.adoc[X.Org]`
		`*** xref:sysadmin/System_Utilities.adoc[System Utilities]`
		`** Desktop Users`

modules/release-notes/pages/sysadmin/File_Servers.adoc

file added

+155

		`@@ -0,0 +1,155 @@`
		`+`
		`+ include::{partialsdir}/entities.adoc[]`
		`+`
		`+ [[sect-file-servers]]`
		`+ = File Servers and Domain Controllers`
		`+`
		`+ == Samba 4.9`
		`+ Samba suite has been upgraded to 4.9 series. The upgrade brings a number of`
		`+ changes that might affect default configuration or existing deployments.`
		`+`
		`+ A detailed set of release notes for Samba 4.9 is available at`
		`+ https://www.samba.org/samba/history/samba-4.9.0.html`
		`+`
		`+ === Extended attributes support`
		`+ Since Linux systems have support for extended attributes enabled by default,`
		`+ parameters "map readonly", "store dos attributes" and "ea support" have had`
		`+ their defaults changed to allow better Windows fileserver compatibility in a`
		`+ default install.`
		`+`
		`+ .smb.conf parameters changes`
		`+ \|===`
		`+ \|Parameter Name\|Description\|Default`
		`+`
		`+ \|map readonly`
		`+ \|Default changed`
		`+ \|no`
		`+`
		`+ \|store dos attributes`
		`+ \|Default changed`
		`+ \|yes`
		`+`
		`+ \|ea support`
		`+ \|Default changed`
		`+ \|yes`
		`+`
		`+ \|full_audit:success`
		`+ \|Default changed`
		`+ \|none`
		`+`
		`+ \|full_audit:failure`
		`+ \|Default changed`
		`+ \|none`
		`+ \|===`
		`+`
		`+ === Identity mapping changes`
		`+`
		`+ Over several releases, Samba configuration checks were improved to detect`
		`+ typical identity mapping errors earlier and fail start up before the changes`
		`+ might affect actual operation. With changes in identities causing access`
		`+ control breaches and possibility of a data leakage to unwanted parties, this`
		`+ effort is helping to reduce a number of incorrect but widely deployed cases.`
		`+`
		`+ Since Samba 4.6, the 'testparm' tool can be used to validate the ID mapping`
		`+ configuration. After an upgrade please run it and check if it prints any`
		`+ warnings or errors. Please see the 'IDENTITY MAPPING CONSIDERATIONS' section`
		`+ in the smb.conf manpage for suggestions and recommendations. There are some ID`
		`+ mapping backends which are not allowed to be used for the default backend.`
		`+ Winbind daemon will no longer start if an invalid backend is configured as the default`
		`+ backend.`
		`+`
		+ Since Samba 4.8, configurations with "`security = domain`" or "`security = ads`"
		+ require a running '`winbindd`' now. The fallback that smbd directly contacts
		`+ domain controllers is gone.`
		`+`
		`+ Finally, Samba 4.9 differentiates between anonymous and guest access via SMB`
		`+ protocol. A side effect of this is that it is now required to have a mapping`
		+ for `BUILTIN\Guests` group. The mapping can be provided automatically if a
		`+ default identity backend allows to create entries on demand. Alternatively,`
		+ `net` utility can be used to provide a group mapping for `BUILTIN\Guests` via
		`+`
		`+ net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin`
		`+`
		`+`
		`+ === CTDB configuration changes`
		+ Clustered Samba daemon (`CTDB`) configuration has been completely overhauled.
		`+`
		`+ - Daemon and tool options are now specified in a new ctdb.conf`
		+ Samba-style configuration file. See `ctdb.conf(5)` for details.
		`+`
		`+ - Event script configuration is no longer specified in the top-level`
		`+ configuration file. It can now be specified per event script.`
		+ For example, configuration options for the `50.samba` event script
		`+ can be placed alongside the event script in a file called`
		+ `50.samba.options`. Script options can also be specified in a new
		+ script.options file. See `ctdb-script.options(5)` for details.
		`+`
		`+ - Options that affect CTDB startup should be configured in the`
		+ distribution-specific configuration file. See `ctdb.sysconfig(5)`
		`+ for details.`
		`+`
		+ - Tunable settings are now loaded from `ctdb.tunables`. Using
		+ `CTDB_SET_TunableVariable=<value>` in the main configuration file is
		+ no longer supported. See `ctdb-tunables(7)` for details.
		`+`
		`+ A example script to migrate an old-style configuration to the new`
		+ style is available in `/usr/share/doc/ctdb/examples/config_migrate.sh`.
		`+`
		`+ === Kerberos integration`
		`+ Local authorization plugin for MIT Kerberos has been added. The plugin controls`
		`+ the relationship between Kerberos principals and AD accounts through winbind.`
		`+ The module receives the Kerberos principal and the local account name as inputs`
		`+ and can then check if they match. This can resolve issues with canonicalized`
		`+ names returned by Kerberos within AD. If the user tries to log in as 'alice',`
		`+ but the samAccountName is set to ALICE (uppercase), Kerberos would return ALICE`
		`+ as the username. Kerberos would not be able to map 'alice' to 'ALICE' in this`
		`+ case and auth would fail. With this plugin, account names can be correctly`
		`+ mapped. This only applies to GSSAPI authentication, not for getting the initial`
		`+ ticket granting ticket.`
		`+`
		`+ With this plugin, winbind-based configurations are on par with SSSD in AD environment.`
		`+`
		`+ === Samba AD DC`
		`+ Active Directory Domain Controller in Samba 4.9 saw a number of improvements. Most notably,`
		`+ a new experimental LDB backend using LMDB is now available. This allows`
		`+ databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be`
		`+ increased in a future release). To enable lmdb, provision or join a domain using`
		+ the "`--backend-store=mdb`" option.
		`+`
		`+ Please note this is an experimental feature and is not recommended for`
		`+ production deployments.`
		`+`
		`+ Samba AD DC in Fedora is built with MIT Kerberos. As of Samba 4.9, MIT Kerberos`
		`+ support in Samba AD DC is still experimental and may exhibit bugs. There are`
		`+ known and not yet fixed issues in the Samba bug-tracker upstream:`
		`+`
		`+ - https://bugzilla.samba.org/show_bug.cgi?id=13516`
		`+ - https://bugzilla.samba.org/show_bug.cgi?id=13517`
		`+`
		`+ The support for trusted domains/forests has been further improved. External`
		`+ domain trusts, as well a transitive forest trusts, are supported in both`
		`+ directions (inbound and outbound) for Kerberos and NTLM authentication.`
		`+`
		`+ The following features are new in 4.9 (compared to 4.8):`
		`+`
		`+ - It's now possible to add users/groups of a trusted domain`
		`+ into domain groups. The group memberships are expanded`
		`+ on trust boundaries.`
		`+ - foreignSecurityPrincipal objects (FPO) are now automatically`
		`+ created when members (as SID) of a trusted domain/forest`
		`+ are added to a group.`
		+ - The '`samba-tool group *members`' commands allow
		`+ members to be specified as foreign SIDs.`
		`+`
		`+ However there are currently still a few limitations:`
		`+`
		`+ - Both sides of the trust need to fully trust each other!`
		`+ - No SID filtering rules are applied at all!`
		`+ - This means DCs of domain A can grant domain admin rights`
		`+ in domain B.`
		`+ - Selective (CROSS_ORGANIZATION) authentication is`
		`+ not supported. It's possible to create such a trust,`
		`+ but the KDC and winbindd ignore them.`
		`+ - Samba can still only operate in a forest with just`
		`+ one single domain.`
		`+`