Gaining trust: SerNet releases SAMBA+ 4.9.0 packages

SerNet released the first SAMBA+ packages of the 4.9 release series. These packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux and Ubuntu. One of the new features in Samba 4.9 is improved support for trusted domains when Samba is running as Active Directory Domain Controller (AD DC). This main improvement was made possible by a sponsorship from SerNet.

In addition, the new 4.9 series includes many improvements and features, which are documented in the Samba 4.9.0 release notes.

Improved support for trusted domains (as AD DC)

The support for trusted domains/forests has been further improved. External domain trusts, as well as transitive forest trusts, are now supported in both directions (inbound and outbound) for Kerberos and NTLM authentication. Stefan Metzmacher, long time Samba team member and valued SerNet colleague, worked on the topic. SerNet has made this possible through a six-figure development sponsoring.

The following features are new in 4.9 (compared to 4.8):

  • It’s now possible to add users/groups of a trusted domain into domain groups. The group memberships are expanded on trust boundaries.
  • foreignSecurityPrincipal objects (FPO) are now automatically created when members (as SID) of a trusted domain/forest are added to a group.
  • The 'samba-tool group *members' commands allow members to be specified as foreign SIDs.


However there are currently still a few limitations:

  • Both sides of the trust need to fully trust each other!
  • No SID filtering rules are applied at all!
  • This means DCs of domain A can grant domain admin rights in domain B.
  • Selective (CROSS_ORGANIZATION) authentication is not supported. It's possible to create such a trust, but the KDC and winbindd ignore them.
  • Samba can still only operate in a forest with just one single domain.
CTDB changes and further notes

Due to major changes, users should pay a visit to the Samba release notes to carefully read the 'CTDB changes' section and instructions if they use CTDB. The configuration style has been overhauled. The configuration needs to be migrated to run CTDB with the new release. The configuration migration script, which can assist to migrate the old CTDB configuration into the new style, is stored at /usr/share/ctdb/scripts/config_migrate.sh in the new packages. The script takes the /etc/default/sernet-samba-ctdb configuration file and creates a directory including a new example configuration. If CTDB manages Samba services, the created commands.sh file shows how the event scripts can be enabled.

This is the first release of SAMBA+ packages for the Samba 4.9 release series. We recommend to test thoroughly before upgrading and read the release notes carefully! With the release of Samba 4.9 former release series change their status as follows: Samba 4.8 enters maintenance mode, Samba 4.7 enters security releases only mode and Samba 4.6 is discontinued.

Also, the new 4.9 packages won’t be available for some distributions any longer. Please have a look at the SAMBA+ HowTo on OPOSSO.

Newsletter

SerNet's Samba newsletter informs you about all important developments and events with its main focus on new packages.

+ subscribe to Newsletter

RSS Feed

Don't miss any more SAMBA+ news? Read the latest in your feed reader of choice.

+ subscribe to RSS feed

SAMBA+ Shop

Buy software subscriptions and support budgets. SAMBA+ subscriptions are available for 1, 2 and 3 years at the SAMBA+ shop.

+ visit the US Shop ($)

+ visit the World Shop (€)

Contact us
Contact

We are here for you!

Our sales team is happy to help you with any questions about all Samba products and services from SerNet - personally and individually tailored to your needs.

You can call us directly at +1 (415) 248-7818
or outside the US at +49 551 370000-0.
Mail us at sales@remove-this.sernet.com.

Contact us!

linke Spalte
rechte Splate
captcha
* Mandatory Fields
Deutsch English Français