Release of Samba 4.17.0

The Samba 4.17.0 release has been published, continuing development of the Samba 4 branch with a full-fledged domain controller and Active Directory implementation that is compatible with the Windows 2008 implementation and can serve all Windows client versions still supported by Microsoft, including Windows 11. Samba 4 is a multifunctional server product that also provides a file server, a print service, and an identity server (winbind).

Key changes in Samba 4.17:

  • Work has been done to eliminate the performance regressions on heavily loaded SMB servers that appeared after protection against symbolic-link manipulation vulnerabilities was added. Among the optimizations: fewer system calls when checking directory names, and no longer using wakeup events when handling concurrent operations, which had introduced delays.
  • Provided the ability to build Samba without SMB1 protocol support in smbd. To disable SMB1, the configure build script implements the "--without-smb1-server" option (affects only smbd, SMB1 support is retained in client libraries).
  • When built with MIT Kerberos 1.20, Samba can now counter the "Bronze Bit" attack (CVE-2020-17049), thanks to additional information being passed between the KDC and KDB components. The default Heimdal Kerberos based KDC was fixed in 2021.
  • When built with MIT Kerberos 1.20, the Samba-based domain controller now supports the S4U2Self and S4U2Proxy Kerberos extensions and adds Resource Based Constrained Delegation (RBCD). The 'add-principal' and 'del-principal' subcommands were added to the 'samba-tool delegation' command to manage RBCD. The default Heimdal Kerberos based KDC does not yet support RBCD.
  • The built-in DNS service provides the ability to change the network port that receives requests (for example, to run another DNS server on the same system that forwards certain requests to Samba).
  • In the CTDB component responsible for cluster configurations, the syntax requirements for the ctdb.tunables file have been relaxed. When Samba is built with the "--with-cluster-support" and "--systemd-install-services" options, a systemd service for CTDB is installed. The ctdbd_wrapper script has been deprecated: the ctdbd process is now started directly from the systemd service or from the init script.
  • Implemented the 'nt hash store = never' setting, which prohibits storing "naked" (unsalted) password hashes of Active Directory users. In a future version, 'nt hash store' will default to 'auto', which selects 'never' mode when 'ntlm auth = disabled' is set.
  • A binding is proposed for accessing the smbconf library API from Python code.
  • The smbstatus program implements the ability to display information in JSON format (enabled with the "--json" option).
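As an added example (not Samba code and not part of the original article), the following script consumes the JSON that smbstatus can now emit and flags sessions a defender would want to alert on: those that negotiated an SMB1-era dialect or that run without encryption. The field names ("sessions", "session_dialect", "encryption"/"degree") and the sample document are assumptions constructed for the demo; check them against the output of your own smbstatus --json and adjust.

```python
"""Flag weak SMB sessions from smbstatus --json output.

Editor-added example. The JSON layout below (a "sessions" object keyed by session id,
each with a dialect string and an encryption/signing state) is an ASSUMPTION about
the smbstatus format, not taken from Samba documentation.
"""
import json
import sys

# Constructed sample: two sessions, one modern and encrypted, one SMB1 and unencrypted.
SAMPLE_SMBSTATUS_JSON = """
{
  "timestamp": "2022-09-13T12:00:00+0000",
  "sessions": {
    "1234567890": {
      "username": "EXAMPLE\\\\alice",
      "remote_machine": "10.0.0.21",
      "session_dialect": "SMB3_11",
      "encryption": {"cipher": "AES-128-GCM", "degree": "full"},
      "signing":    {"cipher": "AES-128-GMAC", "degree": "full"}
    },
    "2345678901": {
      "username": "EXAMPLE\\\\legacy-scanner",
      "remote_machine": "10.0.0.77",
      "session_dialect": "NT1",
      "encryption": {"cipher": "-", "degree": "none"},
      "signing":    {"cipher": "-", "degree": "none"}
    }
  }
}
"""

# Dialect prefixes that predate SMB2 (names as smbstatus prints them are assumed).
SMB1_DIALECT_PREFIXES = ("NT1", "SMB1", "LANMAN", "CORE")


def find_weak_sessions(status_json):
    """Return a sorted list of (session_id, reason) for sessions that use an SMB1-era
    dialect or have no encryption. Raises ValueError on malformed JSON."""
    data = json.loads(status_json)
    findings = []
    for sid, sess in data.get("sessions", {}).items():
        dialect = str(sess.get("session_dialect", "")).upper()
        enc_degree = str(sess.get("encryption", {}).get("degree", "none")).lower()
        if dialect.startswith(SMB1_DIALECT_PREFIXES):
            findings.append((sid, "SMB1-era dialect %s" % dialect))
        if enc_degree == "none":
            findings.append((sid, "session is not encrypted"))
    return sorted(findings)


def format_report(status_json):
    """Render the findings as one line per issue, suitable for a log pipeline."""
    lines = []
    for sid, reason in find_weak_sessions(status_json):
        lines.append("session %s: %s" % (sid, reason))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: smbstatus --json | python3 weak_sessions.py
    # With no piped input, run against the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SMBSTATUS_JSON
    print(format_report(text))
```

Running it periodically and shipping the output to a SIEM gives a simple inventory of clients that still negotiate SMB1 or skip encryption, which is the population that blocks a move to an SMB1-free smbd build.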
  • The domain controller implements support for the "Protected Users" security group, which appeared in Windows Server 2012 R2 and does not allow the use of weak encryption types (for users in the group, support for NTLM authentication, Kerberos TGTs based on RC4, limited and unlimited delegation is disabled).
  • Removed support for the LanMan password hash store and for LanMan-based authentication (the "lanman auth = yes" setting is now ignored).
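The 'nt hash store', 'ntlm auth' and 'lanman auth' items above all concern smb.conf settings that keep weak hashes or legacy authentication paths alive. As an added example (editor-written, not Samba code), this script audits the [global] section of an smb.conf for those three parameters, applying the 'auto' resolution rule described above. The two sample configurations are constructed for the demo, and the defaults assumed for absent parameters ('always' for 'nt hash store', 'ntlmv2-only' for 'ntlm auth') are assumptions to verify against your Samba version's man page.

```python
"""Audit smb.conf for unsalted NT hash storage and legacy NTLM/LanMan settings.

Editor-added example; it does not require Samba to be installed and parses the
configuration text directly with the standard library.
"""
import configparser
import io

# Constructed sample: the weak state an older install may still carry.
WEAK_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INTERNAL
    server role = active directory domain controller
    ntlm auth = yes
    lanman auth = yes
    nt hash store = always
"""

# Constructed sample: the hardened state the release notes point towards.
HARDENED_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INTERNAL
    server role = active directory domain controller
    ntlm auth = disabled
    nt hash store = never
"""

# Defaults applied when a parameter is absent (ASSUMED; check your man smb.conf).
DEFAULT_NT_HASH_STORE = "always"
DEFAULT_NTLM_AUTH = "ntlmv2-only"


def load_global(conf_text):
    """Parse the [global] section into a dict with lowercase parameter names."""
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       inline_comment_prefixes=(";", "#"))
    parser.optionxform = str.lower  # smb.conf parameter names are case-insensitive
    parser.read_file(io.StringIO(conf_text))
    return dict(parser["global"]) if parser.has_section("global") else {}


def resolve_nt_hash_store(global_section):
    """Effective 'nt hash store' mode: 'auto' becomes 'never' only when
    'ntlm auth = disabled', as the release notes describe."""
    value = global_section.get("nt hash store", DEFAULT_NT_HASH_STORE).strip().lower()
    if value == "auto":
        ntlm = global_section.get("ntlm auth", DEFAULT_NTLM_AUTH).strip().lower()
        return "never" if ntlm == "disabled" else "always"
    return value


def audit_auth_settings(conf_text):
    """Return a list of (parameter, effective value, reason) findings."""
    g = load_global(conf_text)
    findings = []
    ntlm = g.get("ntlm auth", DEFAULT_NTLM_AUTH).strip().lower()
    if ntlm != "disabled":
        findings.append(("ntlm auth", ntlm, "NTLM authentication is still accepted"))
    if "lanman auth" in g:
        findings.append(("lanman auth", g["lanman auth"].strip().lower(),
                         "LanMan authentication was removed in 4.17; the parameter is ignored"))
    mode = resolve_nt_hash_store(g)
    if mode != "never":
        findings.append(("nt hash store", mode,
                         "unsalted NT password hashes are kept in the directory"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print("%s: %d finding(s)" % (name, len(audit_auth_settings(conf))))
        for param, value, reason in audit_auth_settings(conf):
            print("  %s = %s: %s" % (param, value, reason))
```

Point it at a real file with `audit_auth_settings(open("/etc/samba/smb.conf").read())`; on a domain controller, note that 'ntlm auth = disabled' also turns away every client that cannot do Kerberos, so the audit result is a prompt for a migration plan rather than a switch to flip blindly.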

    Source: opennet.ru
