Gaining trust: SerNet releases SAMBA+ 4.9.0 packages

SerNet released the first SAMBA+ packages of the 4.9 release series. These packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux and Ubuntu. One of the new features in Samba 4.9 is improved support for trusted domains when Samba is running as Active Directory Domain Controller (AD DC). This main improvement was made possible by a sponsorship from SerNet.

In addition, the new 4.9 series includes many improvements and features, which are documented in the Samba 4.9.0 release notes.

Improved support for trusted domains (as AD DC)

The support for trusted domains/forests has been further improved. External domain trusts, as well as transitive forest trusts, are now supported in both directions (inbound and outbound) for Kerberos and NTLM authentication. Stefan Metzmacher, long time Samba team member and valued SerNet colleague, worked on the topic. SerNet has made this possible through a six-figure development sponsoring.

The following features are new in 4.9 (compared to 4.8):

  • It’s now possible to add users/groups of a trusted domain into domain groups. The group memberships are expanded on trust boundaries.
  • foreignSecurityPrincipal objects (FPO) are now automatically created when members (as SID) of a trusted domain/forest are added to a group.
  • The 'samba-tool group *members' commands allow members to be specified as foreign SIDs.

However there are currently still a few limitations:

  • Both sides of the trust need to fully trust each other!
  • No SID filtering rules are applied at all!
  • This means DCs of domain A can grant domain admin rights in domain B.
  • Selective (CROSS_ORGANIZATION) authentication is not supported. It's possible to create such a trust, but the KDC and winbindd ignore them.
  • Samba can still only operate in a forest with just one single domain.
CTDB changes and further notes

Due to major changes, users should pay a visit to the Samba release notes to carefully read the 'CTDB changes' section and instructions if they use CTDB. The configuration style has been overhauled. The configuration needs to be migrated to run CTDB with the new release. The configuration migration script, which can assist to migrate the old CTDB configuration into the new style, is stored at /usr/share/ctdb/scripts/ in the new packages. The script takes the /etc/default/sernet-samba-ctdb configuration file and creates a directory including a new example configuration. If CTDB manages Samba services, the created file shows how the event scripts can be enabled.

This is the first release of SAMBA+ packages for the Samba 4.9 release series. We recommend to test thoroughly before upgrading and read the release notes carefully! With the release of Samba 4.9 former release series change their status as follows: Samba 4.8 enters maintenance mode, Samba 4.7 enters security releases only mode and Samba 4.6 is discontinued.

Also, the new 4.9 packages won’t be available for some distributions any longer. Please have a look at the SAMBA+ HowTo on OPOSSO.

Contact us
Deutsch English Français