Release , who continued the development of the branch with a full implementation of a domain controller and an Active Directory service that is compatible with the implementation of Windows 2000 and is able to serve all versions of Windows clients supported by Microsoft, including Windows 10. Samba 4 is a feature-rich server product that also provides an implementation of a file server, a print service, and an identity server (winbind).
Key in Samba 4.13:
- Added vulnerability protection (CVE-2020-1472) that allows an attacker to gain administrative rights on a domain controller on systems that do not use the "server schannel = yes" setting.
- The minimum Python version requirement has been raised from Python 3.5 to Python 3.6. The ability to build a file server with Python 2 has been preserved for now (before running ./configure' and 'make' you should set the environment variable 'PYTHON=python2'), but in the next branch it will be removed and Python 3.6 will be required for the build.
- The "wide links = yes" functionality, which allows file server administrators to create symbolic links to an area outside the current SMB/CIFS partition, has been moved from smbd to a separate "vfs_widelinks" module. Currently, this module is automatically loaded when the "wide links = yes" parameter is present in the settings. Support for "wide links = yes" is planned to be removed in the future due to security concerns, and samba users are strongly encouraged to use "mount --bind" to mount external parts of the file system instead of "wide links = yes".
- Deprecated support for classic domain controller mode. Users of NT4-like ('classic') domain controllers should switch to using Samba Active Directory domain controllers to be able to work with modern Windows clients.
- The insecure authentication methods that can only be used with the SMBv1 protocol have been deprecated: "domain logons", "raw NTLMv2 auth", "client plaintext auth", "client NTLMv2 auth", "client lanman auth", and "client use spnego".
- Removed support for "ldap ssl ads" option from smb.conf. The "server schannel" option is expected to be removed in the next release.
Source: opennet.ru