Release , who continued the development of the branch with a full implementation of a domain controller and an Active Directory service that is compatible with the implementation of Windows 2000 and is able to serve all versions of Windows clients supported by Microsoft, including Windows 10. Samba 4 is a feature-rich server product that also provides an implementation of a file server, a print service, and an identity server (winbind).
Key in Samba 4.12:
- Removed built-in implementations of cryptographic functions from the codebase in favor of using external libraries. It was decided to use GnuTLS as the main crypto library (at least version 3.4.7 is required). In addition to reducing the potential threats associated with the discovery of vulnerabilities in the built-in implementations of cryptographic algorithms, the transition to GnuTLS also allowed for significant performance improvements when using encryption in SMB3. When tested with the implementation of the CIFS client from the Linux 5.3 kernel, a 3x increase in write speed and 2.5x read speed was recorded.
- Added a new backend for searching on SMB partitions using the protocol search engine based (previously provided a backend based on ). The "mdfind" utility has also been added to the composition with the implementation of a client that allows you to send search requests to any SMB server running the Spotlight RPC service. 'spotlight backend' setting changed from default to 'noindex' (Tracker or Elasticsearch should be explicitly set to 'tracker' or 'elasticsearch').
- Changed the behavior of the 'net ads kerberos pac save' and 'net eventlog export' operations, which now do not overwrite the file, and if they try to export to an existing file, they display an error.
- Adding contact entries for group members has been improved in samba-tool. While previously, using the 'samba-tool group addmemers' command, you could simply add users, groups, and computers as new members of groups, now there is support for adding contacts as members of groups.
- samba-tool allows filtering by organizational unit (OU, Organizational Unit) or subtree. New flags "--base-dn" and "--member-base-dn" have been added, which make it possible to perform an operation only with a certain part of the Active Directory tree, for example, only within one OU.
- Added new VFS module 'io_uring' using new Linux kernel interface for asynchronous I/O. Io_uring supports I/O polling and can work with buffering (the previously proposed "aio" mechanism did not support buffered I/O). When working with polling enabled, io_uring is significantly ahead of aio in terms of performance. Samba now supports SMB_VFS_{PREAD,PWRITE,FSYNC}_SEND/RECV based on io_uring and reduces the overhead of maintaining a user-space threadpool when using the default VFS backend. Building the 'io_uring' VFS module requires a library and Linux kernel 5.1+.
- VFS provides the ability to specify a special UTIME_OMIT time value to flag the need to ignore time in the SMB_VFS_NTIMES() function.
- smb.conf dropped support for the "write cache size" parameter, which became meaningless after io_uring was added.
- Samba-DC and Kerberos have dropped support for DES encryption. Removed weak-crypto code from Heimdal-DC.
- Removed the vfs_netatalk module, which was left unmaintained and out of date.
- The BIND9_FLATFILE backend has been deprecated and will be removed in a future release.
- The zlib library is included in the build dependencies. The built-in implementation of zlib has been removed from the codebase (the code was based on an old version of zlib that didn't properly support encryption).
- Established fuzzing testing of the code base, including in the service
oss fuzz. During fuzzing testing, many bugs were identified and fixed. - Minimum Python version requirements raised from Python
3.4 to Python 3.5. The ability to build a file server with Python 2 is preserved for now (before running ./configure' and 'make', you must set the environment variable 'PYTHON=python2').
Source: opennet.ru