Release of Samba 4.15.0

Samba 4.15.0 has been released. It continues the development of the Samba 4 branch, which provides a full-fledged implementation of a domain controller and an Active Directory service that is compatible with the Windows 2000 implementation and can serve all versions of Windows clients supported by Microsoft, including Windows 10. Samba 4 is a multifunctional server product that also provides a file server, a print service, and an identity server (winbind).

Key changes in Samba 4.15:

  • The modernization of the VFS layer has been completed. For historical reasons, the file server code was tied to the processing of file paths, and this code was also used for the SMB2 protocol, which had been converted to use descriptors. The modernization consisted of converting the code that accesses the server's file system to use file descriptors instead of file paths (for example, fstat() is called instead of stat(), and SMB_VFS_FSTAT() instead of SMB_VFS_STAT()).
  • The BIND DLZ (Dynamically-loaded zones) implementation, which allows clients to send DNS zone transfer requests to the BIND server and receive a response from Samba, now supports access lists that define which clients are allowed to make such requests and which are not. The DLZ DNS plugin no longer supports the BIND 9.8 and 9.9 branches.
  • Support for the SMB3 multi-channel extension (SMB3 Multi-Channel protocol) has been stabilized and enabled by default. It allows clients to establish multiple connections to parallelize data transfer within a single SMB session. For example, when accessing a single file, I/O operations can be distributed across several open connections at once. This mode increases throughput and improves fault tolerance. To disable SMB3 Multi-Channel, change the "server multi channel support" option in smb.conf, which is now enabled by default on Linux and FreeBSD platforms.
  • The samba-tool command can now be used in Samba configurations compiled without support for an Active Directory domain controller (built with the "--without-ad-dc" option). In this case not all functionality is available; for example, the capabilities of the 'samba-tool domain' command are limited.
  • Improved command line interface: a new command line option parser has been introduced for the various Samba utilities. Similar options that differed between utilities have been unified, for example the handling of options related to encryption, digital signatures and Kerberos. Settings in smb.conf define the default values for these options. All utilities now report errors on STDERR (the "--debug-stdout" option is provided for output to STDOUT).

    Added "--client-protection=off|sign|encrypt" option.

    Renamed options:

      --kerberos    -> --use-kerberos=required|desired|off
      --krb5-ccache -> --use-krb5-ccache=CCACHE
      --scope       -> --netbios-scope=SCOPE
      --use-ccache  -> --use-winbind-ccache

    Removed options: "-e|--encrypt" and "-S|--signing".

    Work has been done to clean up duplicate options in the ldbadd, ldbdel, ldbedit, ldbmodify, ldbrename and ldbsearch, ndrdump, net, sharesec, smbcquotas, nmbd, smbd and winbindd utilities.

  • Scanning of the trusted domain list when winbindd starts is now disabled by default. The scan made sense in the NT4 days, but is not relevant for Active Directory.
  • Added support for the ODJ (Offline Domain Join) mechanism, which allows a computer to be joined to a domain without directly contacting a domain controller. On Unix-like operating systems running Samba, the 'net offlinejoin' command is provided for joining, and on Windows the standard djoin.exe program can be used.
  • The 'samba-tool dns zoneoptions' command now has options for setting the update interval and controlling the purging of obsolete DNS records. If all records for a DNS name are deleted, the node is placed in the "tombstone" state.
  • The DCE/RPC DNS server can now be used by samba-tool and Windows utilities to manipulate DNS records on an external server.
  • The "samba-tool domain backup offline" command now sets locks on the LMDB database correctly, protecting against concurrent modification of data during the backup.
  • Support has been dropped for the experimental SMB protocol dialects SMB2_22, SMB2_24, and SMB3_10, which were only used in test builds of Windows.
  • In builds with an experimental implementation of Active Directory based on MIT Kerberos, the requirements for the version of this package have been raised. Builds now require at least MIT Kerberos 1.19 (shipped in Fedora 34).
  • Removed NIS support.
  • Addressed vulnerability CVE-2021-3671 that could allow an unauthenticated user to crash a Heimdal KDC based domain controller if a TGS-REQ packet is sent that does not specify a server name.
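
The option renames and removals listed above can break administration scripts written for earlier releases, including ones that requested signing or encryption with "-e" or "-S". The following is an added example, not part of the original article or of Samba itself: a small Python audit that flags the pre-4.15 options on command lines of Samba client utilities. The SAMBA_TOOLS set and the sample script are assumptions made for illustration.

```python
import shlex

# Option changes as listed in the release notes above.
RENAMED = {
    "--kerberos": "--use-kerberos=required|desired|off",
    "--krb5-ccache": "--use-krb5-ccache=CCACHE",
    "--scope": "--netbios-scope=SCOPE",
    "--use-ccache": "--use-winbind-ccache",
}
REMOVED = {"-e", "--encrypt", "-S", "--signing"}
# Assumption: commands treated as affected Samba clients. Short options can
# mean something else in other tools, so confirm each one with --help.
SAMBA_TOOLS = {"smbclient", "rpcclient"}

def tokenize(line):
    """Split a shell line into words and operators (|, ;, &&), dropping comments."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        return list(lexer)
    except ValueError:  # unbalanced quote: fall back to a plain split
        return line.split()

def audit_line(line):
    """Return (option, advice) pairs for pre-4.15 options on one command line."""
    findings, in_samba = [], False
    for tok in tokenize(line):
        if tok and tok[0] in "|;&":  # shell operator: a new command starts
            in_samba = False
        elif tok.rsplit("/", 1)[-1] in SAMBA_TOOLS:
            in_samba = True
        elif in_samba and tok.startswith("-"):
            name = tok.split("=", 1)[0]  # "--scope=LAN" -> "--scope"
            if name in RENAMED:
                findings.append((name, "renamed to " + RENAMED[name]))
            elif name in REMOVED:
                findings.append((name, "removed; see --client-protection=off|sign|encrypt"))
    return findings

def audit_script(text):
    """Return (line_number, option, advice) for every finding in a script."""
    return [(n, opt, advice)
            for n, line in enumerate(text.splitlines(), 1)
            for opt, advice in audit_line(line)]

# Constructed sample script, not taken from any real deployment.
SAMPLE = """#!/bin/sh
smbclient //fs01/backup -e --kerberos -c 'put dump.tgz'
grep -e foo /etc/hosts | rpcclient --scope=LAN -S required dc01
smbclient //fs01/backup --use-kerberos=required --client-protection=encrypt
"""
```

Calling audit_script(SAMPLE) reports the four old options on lines 2 and 3, and ignores both the "-e" passed to grep and the already migrated command on line 4.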

Source: opennet.ru
