.. Reminder for header structure:
   Parts (H1)          : #################### with overline
   Chapters (H2)       : ******************** with overline
   Sections (H3)       : ====================
   Subsections (H4)    : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6)     : """"""""""""""""""""

.. |date| date::

.. meta::
   :description: Evolution of Samba since version 4
   :keywords: evolution, Samba-AD, documentation

.. |france| image:: ../images/flag_france.png
   :scale: 5%
   :alt: This functionality was financed by the French government with the help of Tranquil IT

.. |senegal| image:: ../images/flag_senegal.png
   :scale: 5%
   :alt: This functionality has been financed by the Central Bank of West African States with the help of Tranquil IT

.. |mariane| image:: ../images/flag_mariane.png
   :scale: 25%
   :alt: Logo of Mariane

.. |bceao| image:: ../images/flag_bceao.png
   :scale: 30%
   :alt: Logo of the Central Bank of West African States

.. _samba_release_notes:

##################################
Evolution of Samba since version 4
##################################

***********
Samba 4.0.0
***********

.. hint::

   * release date: **December 2012**;
   * number of developers on Samba-AD: **2**;
   * `release note samba-4.0 `_;

With this version, Samba implements the functions of an Active Directory domain controller. With Samba Active Directory, there is now a solution that makes it possible to leave behind the NT4 identification and authentication protocol, which is obsolete and no longer achieves the security levels required in modern IT environments.
Windows 2000 and later clients can join the domain and benefit from the following services:

* :abbr:`LDAP (Lightweight Directory Access Protocol)` [#f1]_;
* :abbr:`KDC (Key Distribution Center)`;
* :abbr:`NTP (Network Time Protocol)`;
* internal :abbr:`DNS (Domain Name System)` or relayed by Bind-DLZ;
* Kerberos :abbr:`PAC (Privilege Attribute Certificate)`;

Samba 4.0.0 implements Python-coded interfaces to act on the core business logic historically coded in C / C++.

***********
Samba 4.1.0
***********

.. hint::

   * release date: **October 2013**;
   * number of developers on Samba-AD: **2**;
   * `release note samba-4.1 `_;

Tools for clients of a Samba Active Directory Domain Controller appear and expand with this version. Thus, clients can authenticate to a share using the :ref:`SMBv2 ` and :ref:`SMBv3 ` protocols, allowing the abandonment of :ref:`SMBv1 `, which does not provide sufficient security against emerging threats such as `Ransomware software `_.

Replication between domain controllers is improved in this release, although, as we will see, reliable replication had to wait until 4.8.

This version also brings many fixes compared to the previous version.

***********
Samba 4.2.0
***********

.. hint::

   * release date: **March 2015**;
   * number of developers on Samba-AD: **2**;
   * `release note samba-4.2 `_;

:ref:`According to the release strategy for new Samba releases `, the end of support for the very long-lived Samba3 series is announced. However, despite the perception of the major release change (3 -> 4), Samba4 continues to support the NT4 identification and authentication protocol.

This version brings several benefits to the file service:

* Support for file and directory compression in :abbr:`BtrFS (B-tree File System)` storage mode.
* Support for access to *Shadow Copy* files hosted on a share, allowing you to revert to saved versions of the file server tree.
* Support for reading and writing large blocks of files (8MB), in accordance with Windows 2012R2 file server performance.
* Support for SMB2 leases to reduce the traffic load between clients and the fileserver.
* Support for :abbr:`CTDB (Clustered Database)` *clustering* to allow resilience of the file service in the event of a fileserver crash.
* Enhanced support for Apple OS X clients.
* Support for :abbr:`WORM (Write Once Read Many)` to improve the nominal performance of the file service.

It also benefits the performance of the domain controller:

* The :program:`Winbindd` mechanism is greatly improved. :program:`Winbindd` maps group and user identifiers from the Windows universe to group and user identifiers from the Linux universe. These improvements pave the way for the development of features related to trust relationships.
* The :abbr:`RPC (Remote Procedure Call)` exchanges between domain controllers are encrypted, avoiding MITM (Man In The Middle) attacks;
* The life cycle of passwords is now better managed:

  .. code-block:: text

     Password complexity: on
     Store plaintext passwords: off
     Password history length: 24
     Minimum password length: 7
     Minimum password age (days): 1
     Maximum password age (days): 42
     Account lockout duration (mins): 30
     Account lockout threshold (attempts): 0
     Reset account lockout after (mins): 30

***********
Samba 4.3.0
***********

.. hint::

   * release date: **September 2015**;
   * number of developers on Samba-AD: **2**;
   * `release note samba-4.3 `_;

This version brings several benefits to the file service:

* Logging of events in multiple formats, allowing better integration in :abbr:`SIEM (Security Information and Event Management)` systems.
* Improved support for file modification notifications.
* Support for SMB 3.1.1, the standard file exchange protocol that appeared with Windows 10.
* Many features are added to manage the fileserver behavior from the :abbr:`CLI (Command Line Interface)`.
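As an added illustration of the SIEM integration that these log formats enable (this is example code written for this page, not code from the Samba project), the script below triages the JSON authentication messages that the later releases described on this page (4.9 and following) emit when the ``auth_json_audit`` log class is enabled. It counts failed logons per account, which matters when the lockout threshold is 0 as in the 4.2 policy shown above, and lists every account still authenticating with NTLMv1, which Samba 4.5 disables by default for new domain controllers. The message layout and field names (``type``, ``Authentication.status``, ``clientAccount``, ``passwordType``, ``remoteAddress``) follow Samba's version 1.0 authentication JSON message as I know it; the log lines themselves are constructed for the example, not captured from a real controller.

```python
"""Triage Samba JSON authentication audit messages.

Added example, not Samba project code. The field names follow the layout of
Samba's "Authentication" JSON message (version 1.0) as the author of this
example knows it; the log lines built below are constructed, not captured.
"""
import json
from collections import Counter, defaultdict


def auth_line(ts, status, account, password_type, remote,
              service="SMB2", auth="NTLMSSP"):
    """Build one Samba-style Authentication message (constructed sample)."""
    return json.dumps({
        "timestamp": ts,
        "type": "Authentication",
        "Authentication": {
            "version": {"major": 1, "minor": 0},
            "status": status,
            "localAddress": "ipv4:10.0.0.1:445",
            "remoteAddress": remote,
            "serviceDescription": service,
            "authDescription": auth,
            "clientDomain": "EXAMPLE",
            "clientAccount": account,
            "workstation": "WS01",
            "passwordType": password_type,
            "duration": 900,
        },
    })


# Constructed sample log: one success, a burst of failures against one
# account, a legacy NTLMv1 client, a Kerberos logon, one non-authentication
# JSON message and one plain-text line that a collector might also ship.
SAMPLE_LOG = "\n".join([
    auth_line("2019-10-01T08:00:01+0200", "NT_STATUS_OK", "alice", "NTLMv2",
              "ipv4:10.0.0.50:49152"),
    auth_line("2019-10-01T08:00:05+0200", "NT_STATUS_WRONG_PASSWORD", "bob",
              "NTLMv2", "ipv4:10.0.0.66:49200"),
    auth_line("2019-10-01T08:00:06+0200", "NT_STATUS_WRONG_PASSWORD", "bob",
              "NTLMv2", "ipv4:10.0.0.66:49201"),
    auth_line("2019-10-01T08:00:07+0200", "NT_STATUS_WRONG_PASSWORD", "bob",
              "NTLMv2", "ipv4:10.0.0.66:49202"),
    auth_line("2019-10-01T08:00:09+0200", "NT_STATUS_OK", "carol", "NTLMv1",
              "ipv4:10.0.0.77:50011"),
    auth_line("2019-10-01T08:00:12+0200", "NT_STATUS_OK", "dave",
              "aes256-cts-hmac-sha1-96", "ipv4:10.0.0.80:60000",
              service="Kerberos KDC", auth="ENC-TS Pre-authentication"),
    json.dumps({"timestamp": "2019-10-01T08:00:13+0200",
                "type": "Authorization",
                "Authorization": {"serviceDescription": "SMB2"}}),
    "[2019/10/01 08:00:14.000000,  1] ../source3/smbd/service.c: plain line",
])


def parse_auth_messages(text):
    """Return the Authentication payloads found in a log text.

    Lines that are not JSON, or that are JSON of another type, are skipped
    rather than aborting the run, which is what a collector pipeline needs.
    """
    payloads = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        if msg.get("type") == "Authentication":
            payloads.append(msg["Authentication"])
    return payloads


def triage(text, failure_threshold=3):
    """Summarise failed logons per account and flag NTLMv1 use."""
    failures = Counter()
    ntlmv1_sources = defaultdict(set)
    payloads = parse_auth_messages(text)
    for a in payloads:
        account = f"{a.get('clientDomain')}\\{a.get('clientAccount')}"
        if a.get("status") != "NT_STATUS_OK":
            failures[account] += 1
        if a.get("passwordType") == "NTLMv1":
            ntlmv1_sources[account].add(a.get("remoteAddress"))
    return {
        "messages": len(payloads),
        "failures": dict(failures),
        "suspects": sorted(k for k, v in failures.items()
                           if v >= failure_threshold),
        "ntlmv1": {k: sorted(v) for k, v in ntlmv1_sources.items()},
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the constructed sample, ``triage`` reports six authentication messages, three failures for ``EXAMPLE\bob`` (so that account is listed as a suspect at the default threshold) and one NTLMv1 source for ``EXAMPLE\carol``; feeding it the real ``log.samba`` output of a controller with ``auth_json_audit`` enabled gives the same summary per account.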
It also benefits the performance of the domain controller:

* Trust relationships between domains work globally for authentication, but not for file sharing, which still requires a lot of work on :program:`Winbindd`.
* Improvement of the KCC, a mechanism that allows the controller to map the replication topology for operation with a large network.

This version also brings many fixes compared to the previous version.

***********
Samba 4.4.0
***********

.. hint::

   * release date: **March 2016**;
   * number of developers on Samba-AD: **2**;
   * `release note samba-4.4 `_;

This version brings several benefits to the file service:

* Improvements to the CTDB file service.
* Experimental support for Multi-Channel in SMB3 to improve the resilience and performance of file sharing.

It also benefits the performance of the domain controller:

* Improvement of many command line options:

  * :command:`samba-tool domain demote --remove-other-dead-server` to improve the removal of a faulty controller from the domain.
  * :command:`samba-tool drs clone-dc-database` to clone a domain controller without joining it to the domain, to facilitate debugging.
  * :command:`pdbedit --set-nt-hash` to allow Active Directory passwords to be updated from passwords stored, for example, in an **OpenLDAP** application directory.
  * :command:`smbstatus` shows the type of signature and level of encryption for sessions and shares.
  * :command:`s4-rpc_server` to add a GnuTLS-based backup key implementation.
  * :command:`ntlm_auth --offline-logon` allows better resilience using cached passwords in case of domain controller failure.

* |senegal| [#f2]_ support for *Last Login* / *Last Logoff*.

This version also brings many fixes compared to the previous version.

***********
Samba 4.5.0
***********

.. hint::

   * release date: **September 2016**;
   * number of developers on Samba-AD: **3**;
   * `release note samba-4.5 `_;

This version brings several benefits to the file service:

* Continued improvements to the operation of CTDB.

It also benefits the performance of the domain controller:

* :abbr:`NTLMv1 (NT LAN Manager version 1)` is now disabled by default for all new domain controller deployments, to cope with the growing number of ransomware attacks that propagate using NTLMv1.
* Improvement to the KCC to optimize the replication topology according to latencies and network speeds.
* The :abbr:`VLV (Virtual List View)` control makes it very easy to set up *Yellow Pages* directories in the company.
* Improvement to the reliability of replication between controllers of the same domain.
* Reanimation of deleted objects to help administrators restore entries after human handling errors.
* Password complexity management plugin.
* Improved support for smart card authentication.
* Improvement of the cryptographic functions in Samba to ensure better overall network security.

This version also brings many fixes compared to the previous version.

***********
Samba 4.6.0
***********

.. hint::

   * release date: **March 2017**;
   * number of developers on Samba-AD: **4**;
   * `release note samba-4.6 `_;

This version brings several benefits to the file service:

* The *inherit owner* option in the configuration file ``smb.conf`` allows child files and directories to inherit permissions configurations from their parent directory.
* Continued improvements to the operation of CTDB.

It also benefits the performance of the domain controller:

* The :program:`NetLogon` process becomes multi-process to better handle NTLM authentication requests.
* Improved replication performance.
* Improvement of the DNS.

This version also brings many fixes compared to the previous version.

***********
Samba 4.7.0
***********

.. hint::

   * release date: **September 2017**;
   * number of developers on Samba-AD: **4**;
   * `release note samba-4.7 `_;

This version brings several benefits to the file service:

* Continued improvements to the operation of CTDB.

It also benefits the performance of the domain controller:

* Improvement of the internal LDAP for consistency of replication.
* Partial support of MIT Kerberos.
* Ability to restrict the range of ports used by the :abbr:`MS-RPC (Microsoft Remote Procedure Call)` service.
* Detailed log of user account authentications and authorizations.
* |france| [#f6]_ Support for :abbr:`RODC (Read Only Domain Controller)` to allow sites without sufficient physical security to have a domain controller on site that replicates only the passwords of site users. Thus, if the RODC is compromised, only the site users' passwords need to be changed. This method provides better overall security.
* |france| [#f3]_ Storage of hashed passwords according to several protocols to simplify password synchronization between application directories and the domain.
* Use of SHA256 certificates for LDAPS.
* General improvement of the performance of the domain controller.

This version also brings many fixes compared to the previous version.

***********
Samba 4.8.0
***********

.. hint::

   * release date: **March 2018**;
   * number of developers on Samba-AD: **4**;
   * `release note samba-4.8 `_;

This version brings several benefits to the file service:

* *VirusFilter* module that integrates with Sophos, F-Secure and ClamAV anti-virus software to provide filtering functions on the fileserver.

It also benefits the performance of the domain controller:

* Support for :abbr:`GPO (Group Policy Object)` applied to the KDC.
* Disk encryption of sensitive attributes.
* Implementation of a graphical method to better visualize a complex replication topology.
* External domain trust relationships, as well as transitive trust relationships, are now supported in both directions (inbound and outbound) for Kerberos and NTLM authentication, with the following limitations:

  * It is not possible to add users/groups from a trusted domain to domain groups. Group memberships are therefore not extended across the trust boundary.
  * Both parties in the trust relationship must fully trust each other.
  * No SID filtering rules are applied; this means that domain controllers in domain A can grant domain administrator rights in domain B.
  * Selective authentication (CROSS_ORGANIZATION) is not supported. It is possible to create such a trust, but the :program:`KDC` and :program:`Winbindd` will ignore it.

This version also brings many fixes compared to the previous version.

***********
Samba 4.9.0
***********

.. hint::

   * release date: **September 2018**;
   * number of developers on Samba-AD: **6**;
   * `release note samba-4.9 `_;

**This version is a major milestone because Samba-AD is no longer just for adventurers or small organizations. The historical technical locks disappear with this version and a Samba-AD domain can now technically accommodate several hundred thousand users:**

* Command line management of Windows :abbr:`SPN (Service Principal Name)` to facilitate the creation of service accounts.
* |france| [#f3]_ *Automatic Site Coverage* allows PCs on a site not equipped with a domain controller to connect to the nearest DC.
* :abbr:`PSO (Password Setting Object)`, also known as :abbr:`FGPP (Fine-Grained Password Policies)`, allow domain administrators to specify differentiated password policies for individual users or groups of users.
* The domain can be backed up in the event of a catastrophic database failure and then restored on a new domain controller.
* Partial support for the renaming of a domain, in order to allow the re-creation of a domain in the laboratory that behaves like a domain in production.
* |france| [#f3]_ *Improved Auditing Support* to allow Samba logs to be integrated into a :abbr:`SIEM (Security Information and Event Management)` according to a standard process in :abbr:`JSON (JavaScript Object Notation)`:

  * Audit of password changes.
  * Audit of attribute changes in the LDAP.
  * Audit of changes to group members.
  * Audit of the authentication time in NTLM and Kerberos.

* |france| [#f3]_ *GPO Import / Export* to help implement a unified security strategy across multiple domains (available in 4.10).
* |france| [#f4]_ *Helpers for improving DNS consistency*, which make DNS management easier.
* The command :command:`samba-tool computer` allows you to create a new computer on the command line, assign it to an OU and assign it a password. Thus, when the computer is connected to the network, it is automatically recognized by the domain controller.
* The command :command:`samba-tool ou` allows you to manage the tree structure of the Organizational Units from the command line:

  .. code-block:: text

     Available subcommands are:
       create      - Create an organizational unit.
       delete      - Delete an organizational unit.
       list        - List all organizational units
       listobjects - List all objects in an organizational unit.
       move        - Move an organizational unit.
       rename      - Rename an organizational unit.

  In addition to the ou commands, there are new subcommands for user and group management, which can make use of the organizational units:

  .. code-block:: text

     group move - Move a group to an organizational unit/container.
     user move  - Move a user to an organizational unit/container.
     user show  - Display a user AD object.

* |france| [#f4]_ *64bit LMDB Support for TDB* to overcome the historical 32-bit technical limitation that prevented the exploitation of very large domains.
* |france| [#f4]_ *Improved DRS showrepl* to improve the understanding of replication topologies for complex domains.
* Improved support for trust relations compared to Samba 4.8:

  .. code-block:: text

     The following features are new in 4.9 (compared to 4.8):

     - It is now possible to add users/groups of a trusted domain into
       domain groups. The group memberships are expanded on trust boundaries.
     - foreignSecurityPrincipal objects (FPO) are now automatically created
       when members (as SID) of a trusted domain/forest are added to a group.
     - The 'samba-tool group members' commands allow members to be specified
       as foreign SIDs.

     However there are currently still a few limitations:

     - Both sides of the trust need to fully trust each other!
     - No SID filtering rules are applied at all!
     - This means DCs of domain A can grant domain admin rights in domain B.
     - Selective (CROSS_ORGANIZATION) authentication is not supported.
       It is possible to create such a trust, but the KDC and winbindd
       ignore them.
     - Samba can still only operate in a forest with just one single domain.

* |france| [#f5]_ Documentation of the security functions in Samba-AD and the organizational processes of software design, prior to presentation of Samba-AD to a :abbr:`CSPN (Certification de Sécurité de Premier Niveau)`.

This version also brings many fixes compared to the previous version.

************
Samba 4.10.0
************

.. hint::

   * release date: **March 2019**;
   * number of developers on Samba-AD: **7**;
   * `release note samba-4.10 `_;

**This version is a milestone towards 4.11. It is mainly intended to provide administrative tooling:**

* Backup and restore of :abbr:`GPO (Group Policy Object)` using the command line.
* |france| [#f4]_ *Group membership statistics* to optimize group management, because groups with too many users can slow down the operation of the Active Directory.
* *Offline Domain Backup* to take a snapshot of a domain and take it back to the clean room to diagnose a compromise.
* |france| [#f4]_ *Netlogon prefork*, *KDC prefork*, *Paged results LDAP control* to improve the running performance of Active Directory.
* *Python3 support* to anticipate the end of Python2 support.
* |france| [#f4]_ Improvement of *JSON logging* for better traceability of Active Directory events in a log concentrator (evolution in *Group Memberships* and *Logon*).

This version also brings many fixes compared to the previous version.

************
Samba 4.11.0
************

.. hint::

   * release date: **September 2019**;
   * number of developers on Samba-AD: **9**;
   * `release note samba-4.11 `_;

**This version is a major milestone as it lifts the last performance locks for safe and efficient operation of AD domains designed to accommodate the 120,000 users and 150,000 machines of a large French organization. This version also prepares the next phase of development for the implementation of the most advanced security features:**

* |france| [#f4]_ *Authentication Logging*, *Bind9 logging* for better traceability of Active Directory events in a log concentrator.
* *GnuTLS 3.2 required* to begin a convergence of the crypto tools historically embedded in Samba-AD, in preparation for the next phase of development, which will focus on security features.
* |france| [#f7]_ *Default schema updated to 2012_R2* for better compatibility with Microsoft or third-party tools that require the schema extensions that came with Windows 2012.
* |france| [#f4]_ *Performance improvements* to improve, sometimes by orders of magnitude, these processes:

  * *Reindex performance improvements*.
  * *Join performance improvements*.
  * *LDAP Server memory improvements*.
  * *New LDB <= and >= index mode to improve replication performance*.
  * *Improvements to ldb search performance*.
  * *Improvements to subtree rename performance*.

This version also brings many fixes compared to the previous version.

.. rubric:: Footnotes

.. [#f1] The LDAP service implemented in 2008 in Samba is a re-implementation of the LDAP protocol. The origin of this choice is a conflict between Samba developers and the leaders of the OpenLDAP project, where OpenLDAP refused to implement Active Directory attributes in OpenLDAP.
.. [#f2] |bceao| `The Central Bank of West African States `_ has contributed to the funding of this functionality.
.. [#f3] |mariane| `The French Ministry of the Environment `_ has contributed to the funding of this feature.
.. [#f4] |mariane| `The French Ministry of Public Finance `_ has contributed to the funding of this feature.
.. [#f5] |mariane| `The French Cyberdefense Agency `_ has contributed to the financing of this documentation.
.. [#f6] |mariane| `The French Ministry of Culture `_ has contributed to the funding of this feature.
.. [#f7] |mariane| `The French Interministerial Department of Digital and Information and Communication Systems `_ has contributed to the funding of this feature.