File Servers and Domain Controllers
Samba 4.9
Samba suite has been upgraded to 4.9 series. The upgrade brings a number of changes that might affect default configuration or existing deployments.
A detailed set of release notes for Samba 4.9 is available at https://www.samba.org/samba/history/samba-4.9.0.html
Extended attributes support
Since Linux systems have support for extended attributes enabled by default, parameters "map readonly", "store dos attributes" and "ea support" have had their defaults changed to allow better Windows fileserver compatibility in a default install.
Parameter Name | Description | Default |
---|---|---|
map readonly |
Default changed |
no |
store dos attributes |
Default changed |
yes |
ea support |
Default changed |
yes |
full_audit:success |
Default changed |
none |
full_audit:failure |
Default changed |
none |
Identity mapping changes
Over several releases, Samba configuration checks were improved to detect typical identity mapping errors earlier and fail start up before the changes might affect actual operation. With changes in identities causing access control breaches and possibility of a data leakage to unwanted parties, this effort is helping to reduce a number of incorrect but widely deployed cases.
Since Samba 4.6, the 'testparm' tool can be used to validate the ID mapping configuration. After an upgrade please run it and check if it prints any warnings or errors. Please see the 'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage for suggestions and recommendations. There are some ID mapping backends which are not allowed to be used for the default backend. Winbind daemon will no longer start if an invalid backend is configured as the default backend.
Since Samba 4.8, configurations with “security = domain” or “security = ads” require a running ‘winbindd’ now. The fallback that smbd directly contacts domain controllers is gone.
Finally, Samba 4.9 differentiates between anonymous and guest access via SMB
protocol. A side effect of this is that it is now required to have a mapping
for BUILTIN\Guests
group. The mapping can be provided automatically if a
default identity backend allows to create entries on demand. Alternatively,
net
utility can be used to provide a group mapping for BUILTIN\Guests
via
net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
CTDB configuration changes
Clustered Samba daemon (CTDB
) configuration has been completely overhauled.
-
Daemon and tool options are now specified in a new ctdb.conf Samba-style configuration file. See
ctdb.conf(5)
for details. -
Event script configuration is no longer specified in the top-level configuration file. It can now be specified per event script. For example, configuration options for the
50.samba
event script can be placed alongside the event script in a file called50.samba.options
. Script options can also be specified in a new script.options file. Seectdb-script.options(5)
for details. -
Options that affect CTDB startup should be configured in the distribution-specific configuration file. See
ctdb.sysconfig(5)
for details. -
Tunable settings are now loaded from
ctdb.tunables
. UsingCTDB_SET_TunableVariable=<value>
in the main configuration file is no longer supported. Seectdb-tunables(7)
for details.
A example script to migrate an old-style configuration to the new
style is available in /usr/share/doc/ctdb/examples/config_migrate.sh
.
Kerberos integration
Local authorization plugin for MIT Kerberos has been added. The plugin controls the relationship between Kerberos principals and AD accounts through winbind. The module receives the Kerberos principal and the local account name as inputs and can then check if they match. This can resolve issues with canonicalized names returned by Kerberos within AD. If the user tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase), Kerberos would return ALICE as the username. Kerberos would not be able to map 'alice' to 'ALICE' in this case and auth would fail. With this plugin, account names can be correctly mapped. This only applies to GSSAPI authentication, not for getting the initial ticket granting ticket.
With this plugin, winbind-based configurations are on par with SSSD in AD environment.
Samba AD DC
Active Directory Domain Controller in Samba 4.9 saw a number of improvements. Most notably, a new experimental LDB backend using LMDB is now available. This allows databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be increased in a future release). To enable lmdb, provision or join a domain using the “--backend-store=mdb” option.
Please note this is an experimental feature and is not recommended for production deployments.
Samba AD DC in Fedora is built with MIT Kerberos. As of Samba 4.9, MIT Kerberos support in Samba AD DC is still experimental and may exhibit bugs. There are known and not yet fixed issues in the Samba bug-tracker upstream:
The support for trusted domains/forests has been further improved. External domain trusts, as well a transitive forest trusts, are supported in both directions (inbound and outbound) for Kerberos and NTLM authentication.
The following features are new in 4.9 (compared to 4.8):
-
It’s now possible to add users/groups of a trusted domain into domain groups. The group memberships are expanded on trust boundaries.
-
foreignSecurityPrincipal objects (FPO) are now automatically created when members (as SID) of a trusted domain/forest are added to a group.
-
The ‘samba-tool group *members’ commands allow members to be specified as foreign SIDs.
However there are currently still a few limitations:
-
Both sides of the trust need to fully trust each other!
-
No SID filtering rules are applied at all!
-
This means DCs of domain A can grant domain admin rights in domain B.
-
Selective (CROSS_ORGANIZATION) authentication is not supported. It’s possible to create such a trust, but the KDC and winbindd ignore them.
-
Samba can still only operate in a forest with just one single domain.