Evolution of Samba since version 4

Samba 4.0.0

Hint

With this version, Samba implements the functions of an Active Directory domain controller.

With Samba Active Directory, there is now a solution that makes it possible to leave behind the NT4 identification and authentication protocol, which is obsolete and no longer achieves the security levels required in modern IT environments.

Windows 2000 and later clients can join the domain and benefit from the services the domain controller provides:

  • LDAP [1];

  • KDC;

  • NTP;

  • internal DNS or relayed by Bind-DLZ;

  • Kerberos PAC;

Samba 4.0.0 implements Python-coded interfaces to act on the core business logic historically coded in C / C++.

Samba 4.1.0

Hint

Tools for clients of a Samba Active Directory Domain Controller appear and expand with this version.

Clients can thus authenticate to a share using the SMBv2 and SMBv3 protocols, allowing SMBv1, which does not provide sufficient protection against emerging threats such as ransomware, to be abandoned.

Replications between domain controllers are improved in this release, although we will see that reliable support for replications had to wait until 4.8.

This version also brings many fixes compared to the previous version.

Samba 4.2.0

Hint

According to the release strategy for new Samba versions, the end of support for the long-lived Samba 3 series is announced. However, despite the perception created by the major version change (3 -> 4), Samba 4 continues to support the NT4 identification and authentication protocol.

This version brings several benefits to the file service:

  • Support for file and directory compression in BtrFS storage mode.

  • Support for access to Shadow Copy files hosted on a share, allowing you to revert to saved versions of the file server tree.

  • Support for reading and writing large file blocks (8 MB), in line with Windows 2012 R2 file server performance.

  • Support for SMB2 leases to reduce the traffic load between clients and the fileserver.

  • Support for CTDB clustering to allow resilience of the file service in the event of a fileserver crash.

  • Enhanced support for Apple OS X clients.

  • Support for WORM to improve the nominal performance of the file service.

It also benefits the performance of the domain controller:

  • The Winbindd mechanism is greatly improved. Winbindd maps group and user identifiers from the Windows universe to group and user identifiers from the Linux universe. These improvements pave the way for the development of features related to trust relationships.

  • The RPC exchanges between domain controllers are encrypted, avoiding MITM (Man In The Middle) attacks;

  • The life cycle of passwords is now better managed:

    Password complexity: on
    Store plaintext passwords: off
    Password history length: 24
    Minimum password length: 7
    Minimum password age (days): 1
    Maximum password age (days): 42
    * Account lockout duration (mins): 30     *
    * Account lockout threshold (attempts): 0 *
    * Reset account lockout after (mins): 30  *
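
The policy block above is the layout printed by `samba-tool domain passwordsettings show`. As an added example (not Samba's own code), the following script parses that output and compares it with a baseline; `SAMPLE_OUTPUT` is constructed from the values shown here and the `BASELINE` thresholds are assumptions standing in for an organisation's own policy. Note that a lockout threshold of 0, as above, means no lockout at all, which the check reports.

```python
"""Baseline check for a Samba AD password policy (added example, not Samba code)."""
import re

# Constructed sample, mirroring the policy block on this page.
SAMPLE_OUTPUT = """\
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""

# Assumed baseline: ("eq", value), ("min", n), ("max", n) or ("range", lo, hi).
BASELINE = {
    "Password complexity": ("eq", "on"),
    "Store plaintext passwords": ("eq", "off"),
    "Password history length": ("min", 24),
    "Minimum password length": ("min", 12),
    "Maximum password age (days)": ("max", 90),
    # samba-tool reports 0 when lockout is disabled, so 0 must fail the range.
    "Account lockout threshold (attempts)": ("range", 1, 10),
}

# Tolerates the "* ... *" highlight markers some renderings add around lines.
LINE_RE = re.compile(r"^\s*\*?\s*(?P<key>[^:]+?):\s*(?P<value>\S+)")


def parse_settings(text):
    """Map each reported setting to an int (when numeric) or a string."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        settings[m.group("key").strip()] = int(value) if value.isdigit() else value
    return settings


def check_policy(settings, baseline=BASELINE):
    """Return one finding string per setting that misses the baseline."""
    findings = []
    for key, rule in baseline.items():
        if key not in settings:
            findings.append(f"{key}: not reported")
            continue
        actual = settings[key]
        kind = rule[0]
        if kind == "eq":
            ok = actual == rule[1]
        elif kind == "min":
            ok = actual >= rule[1]
        elif kind == "max":
            ok = actual <= rule[1]
        else:  # range
            ok = rule[1] <= actual <= rule[2]
        if not ok:
            expected = " ".join(str(x) for x in rule[1:])
            findings.append(f"{key}: {actual} (baseline {kind} {expected})")
    return findings


if __name__ == "__main__":
    for finding in check_policy(parse_settings(SAMPLE_OUTPUT)):
        print(finding)
```

Run against the values shown on this page it reports two findings: the minimum length of 7 and the lockout threshold of 0.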
    

Samba 4.3.0

Hint

This version brings several benefits to the file service:

  • Logging of events in multiple formats, allowing better integration with SIEM systems.

  • Improved support for file modification notifications.

  • Support for SMB 3.1.1, the standard file exchange protocol that appeared with Windows 10.

  • Many features are added to manage the fileserver behaviour from the CLI.

It also benefits the performance of the domain controller:

  • Trust relationships between domains work globally for authentication, but not for file sharing, which still requires a lot of work on the Winbindd.

  • Improvement of the KCC (Knowledge Consistency Checker), the mechanism that lets the controller map the replication topology for operation on a large network.

This version also brings many fixes compared to the previous version.

Samba 4.4.0

Hint

This version brings several benefits to the file service:

  • Improvements to the CTDB file service.

  • Experimental support for Multi-Channel in SMB3 to improve the resilience and performance of file sharing.

It also benefits the performance of the domain controller:

  • Improvement of many command line options:

    • samba-tool domain demote --remove-other-dead-server to improve the removal of a faulty controller from the domain.

    • samba-tool drs clone-dc-database to clone a domain controller without joining it to the domain, to facilitate debugging.

    • pdbedit --set-nt-hash to allow Active Directory passwords to be updated from passwords stored, for example, in an OpenLDAP application directory.

    • smbstatus shows the signing type and encryption level of sessions and shares.

    • s4-rpc_server to add a GnuTLS-based backup key implementation.

    • ntlm_auth --offline-logon allows better resilience using cached passwords in case of domain controller failure.

  • This functionality has been financed by the Central Bank of West African States with the help of Tranquil IT [2] support for Last Login / Last Logoff.

This version also brings many fixes compared to the previous version.

Samba 4.5.0

Hint

This version brings several benefits to the file service:

  • Continued improvements to the operation of CTDB.

It also benefits the performance of the domain controller:

  • NTLMv1 is now disabled by default for all new deployments of the Domain Controller, to cope with the growing number of ransomware attacks that propagate using NTLMv1.

  • Improvement to the KCC to optimize the replication topology according to latencies and network speeds.

  • The VLV (Virtual List View) LDAP control makes it very easy to set up "Yellow Pages" style directories in the company.

  • Improvement to the reliability of replication between controllers of the same domain.

  • Reanimation of deleted objects, to help administrators of large estates restore entries after human error.

  • Password complexity management plugin.

  • Improved support for smart card authentication.

  • Improvement of the cryptographic functions in Samba to ensure better overall network security.

This version also brings many fixes compared to the previous version.

Samba 4.6.0

Hint

This version brings several benefits to the file service:

  • The inherit owner option in the configuration file smb.conf allows child files and directories to inherit their ownership and permission settings from their parent directory.

  • Continued improvements to the operation of CTDB.

It also benefits the performance of the domain controller:

  • The NetLogon process becomes multi-process to better handle NTLM authentication requests.

  • Improved replication performance.

  • Improvement of the DNS.

This version also brings many fixes compared to the previous version.

Samba 4.7.0

Hint

This version brings several benefits to the file service:

  • Continued improvements to the operation of CTDB.

It also benefits the performance of the domain controller:

  • Improvement of the internal LDAP for consistency of replication.

  • Partial support of MIT Kerberos.

  • Ability to restrict the range of ports used by the MS-RPC (Microsoft Remote Procedure Call) service.

  • Detailed log of user account authentications and authorizations.

  • Support for RODC (Read-Only Domain Controller), allowing sites without sufficient physical security to host a domain controller that replicates only the passwords of the site's users. Thus, if the RODC is compromised, only the site users' passwords need to be changed, which improves overall security. This functionality was financed by the French government with the help of Tranquil IT [6].

  • Storage of hashed passwords according to several protocols, to simplify password synchronization between application directories and the domain. This functionality was financed by the French government with the help of Tranquil IT [3].

  • Use of SHA256 certificates for LDAPS.

  • General improvement of the performance of the domain controller.
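
Two of the settings mentioned above live in smb.conf: the NTLMv1 default changed in 4.5 and the MS-RPC port range added in 4.7. As an added example (not Samba code), the script below parses a constructed weak configuration and its corrected counterpart and reports the weak settings; the defaults it assumes when an option is absent (`ntlm auth = ntlmv2-only`, dynamic range 49152-65535) follow the smb.conf manual page, and the domain names are placeholders.

```python
"""Audit [global] smb.conf settings for NTLMv1 and the MS-RPC port range
(added example, not Samba code)."""
import configparser

# Constructed: a DC where NTLMv1 was re-enabled for a legacy application
# and the RPC port range was left unspecified.
WEAK_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INTERNAL
    server role = active directory domain controller
    ; needed by an old appliance (weak)
    ntlm auth = ntlmv1-permitted
    lanman auth = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no
"""

# Constructed: the corrected configuration.
HARDENED_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INTERNAL
    server role = active directory domain controller
    ntlm auth = ntlmv2-only
    lanman auth = no
    # confine dynamic MS-RPC endpoints so the firewall can allow them (4.7+)
    rpc server dynamic port range = 49152-50000
"""


def load_global(text):
    """Parse smb.conf text and return the [global] options (keys lower-cased)."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",),
        comment_prefixes=("#", ";"), empty_lines_in_values=False,
    )
    cp.read_string(text)
    return {k.strip(): v.strip() for k, v in cp.items("global")}


def audit_global(opts):
    """Return one finding per weak setting this check knows about."""
    findings = []
    # Assumed default when absent: ntlmv2-only (Samba 4.5 and later).
    ntlm = opts.get("ntlm auth", "ntlmv2-only").lower()
    if ntlm in ("yes", "ntlmv1-permitted"):
        findings.append(f"ntlm auth = {ntlm}: NTLMv1 accepted")
    if opts.get("lanman auth", "no").lower() == "yes":
        findings.append("lanman auth = yes: LM responses accepted")
    rng = opts.get("rpc server dynamic port range")
    if rng is None:
        findings.append("rpc server dynamic port range not set: default 49152-65535 applies")
    else:
        lo, hi = (int(p) for p in rng.split("-"))
        if not (1024 <= lo <= hi <= 65535):
            findings.append(f"rpc server dynamic port range = {rng}: invalid range")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_global(load_global(conf)) or ["no findings"])
```

The weak configuration yields three findings; the hardened one yields none. Samba's own `testparm` validates syntax but does not judge these values, which is why a check like this belongs in configuration review.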

This version also brings many fixes compared to the previous version.

Samba 4.8.0

Hint

This version brings several benefits to the file service:

  • VirusFilter module that integrates with Sophos, F-Secure and ClamAV anti-virus software to provide filtering functions on the fileserver.

It also benefits the performance of the domain controller:

  • Support for GPO applied to KDC.

  • Disk encryption of sensitive attributes.

  • Implementation of a graphical method to better visualize a complex replication topology.

  • External domain trust relationships, as well as transitive forest trust relationships, are now supported in both directions (inbound and outbound) for Kerberos and NTLM authentication, with the following limitations:

    • It is not possible to add users/groups from a trusted domain to domain groups. Group memberships are therefore not expanded across trust boundaries.

    • Both parties in the trust relationship must fully trust each other.

    • No SID filtering rules are applied; this means that domain controllers in domain A can grant domain administrator rights in domain B.

    • Selective authentication (CROSS_ORGANIZATION) is not supported. It is possible to create such a trust, but the KDC and Winbindd will ignore it.

This version also brings many fixes compared to the previous version.

Samba 4.9.0

Hint

This version is a major milestone because Samba-AD is no longer just for adventurers or small organizations. The historical technical limitations disappear with this version, and a Samba-AD domain can now technically accommodate several hundred thousand users:

  • Command line management of Windows SPN to facilitate the creation of service accounts.

  • Automatic Site Coverage, allowing PCs on a site without a domain controller to connect to the nearest DC. This functionality was financed by the French government with the help of Tranquil IT [3].

  • PSO (Password Settings Objects), also known as FGPP (Fine-Grained Password Policies), allow domain administrators to specify different password policies for individual users or groups of users.

  • The domain can be backed up in the event of a catastrophic database failure and then restored on a new domain controller.

  • Partial support for the renaming of a domain, in order to allow the re-creation of a domain in the laboratory that behaves like a domain in production.

  • Improved auditing support, allowing Samba logs to be integrated into a SIEM following a standard JSON process (functionality financed by the French government with the help of Tranquil IT [3]):

    • Audit of password changes.

    • Audit of attribute changes in the LDAP.

    • Audit of changes to group members.

    • Audit of the authentication time in NTLM and Kerberos.

  • GPO Import / Export, to help implement a unified security strategy across multiple domains (available in 4.10). This functionality was financed by the French government with the help of Tranquil IT [3].

  • Helpers for improving DNS consistency, which make DNS management easier. This functionality was financed by the French government with the help of Tranquil IT [4].

  • The command samba-tool computer allows you to create a new computer account from the command line, assign it to an OU and assign it a password. Thus, when the computer is connected to the network, it is automatically recognized by the domain controller.

  • The command samba-tool ou allows the tree structure of Organizational Units to be managed from the command line:

    Available subcommands are:
    create       - Create an organizational unit.
    delete       - Delete an organizational unit.
    list         - List all organizational units
    listobjects  - List all objects in an organizational unit.
    move         - Move an organizational unit.
    rename       - Rename an organizational unit.
    
    In addition to the ou commands, there are new subcommands for the user
    and group management, which can make use of the organizational units:
    
    group move   - Move a group to an organizational unit/container.
    user move    - Move a user to an organizational unit/container.
    user show    - Display a user AD object.
    
  • 64-bit LMDB support for the database backend (TDB), overcoming the historical 32-bit limitation that prevented the operation of very large domains. This functionality was financed by the French government with the help of Tranquil IT [4].

  • Improved samba-tool drs showrepl, to make replication topologies of complex domains easier to understand. This functionality was financed by the French government with the help of Tranquil IT [4].

  • Improved support for trust relations compared to Samba 4.8:

    The following features are new in 4.9 (compared to 4.8):
    
    - It is now possible to add users/groups of a trusted domain into domain groups.
      The group memberships are expanded on trust boundaries.
    - foreignSecurityPrincipal objects (FPO) are now automatically created when members (as SID) of a trusted domain/forest are added to a group.
    - The 'samba-tool group members' commands allow members to be specified as foreign SIDs.
    
    However there are currently still a few limitations:
    
    - Both sides of the trust need to fully trust each other!
    - No SID filtering rules are applied at all!
    - This means DCs of domain A can grant domain admin rights in domain B.
    - Selective (CROSS_ORGANIZATION) authentication is not supported.
      It is possible to create such a trust, but the KDC and winbindd ignore them.
    - Samba can still only operate in a forest with just one single domain.
    
  • Documentation of the security functions in Samba-AD and of the organizational processes of software design, prior to the presentation of Samba-AD for a CSPN (ANSSI first-level security certification). This functionality was financed by the French government with the help of Tranquil IT [5].

This version also brings many fixes compared to the previous version.

Samba 4.10.0

Hint

This version is a milestone towards 4.11. It is mainly intended to provide administrative tooling:

  • Backup and restore of GPO using the command line.

  • Group membership statistics, to optimize group management because groups with too many users can slow down Active Directory operation. This functionality was financed by the French government with the help of Tranquil IT [4].

  • Offline Domain Backup to take a snapshot of a domain and take it back to the clean room to diagnose a compromise.

  • Netlogon prefork, KDC prefork and the paged results LDAP control, to improve the running performance of Active Directory. This functionality was financed by the French government with the help of Tranquil IT [4].

  • Python3 support to anticipate the end of Python2 support.

  • Improvement of JSON logging for better traceability of Active Directory events in a log concentrator (covering group membership changes and logons). This functionality was financed by the French government with the help of Tranquil IT [4].

This version also brings many fixes compared to the previous version.

Samba 4.11.0

Hint

This version is a major milestone, as it lifts the last performance bottlenecks for the safe and efficient operation of AD domains designed to accommodate the 120,000 users and 150,000 machines of a large French organization. This version also prepares the next phase of development, the implementation of the most advanced security features:

  • Authentication logging and Bind9 logging, for better traceability of Active Directory events in a log concentrator. This functionality was financed by the French government with the help of Tranquil IT [4].

  • GnuTLS 3.2 required to begin a convergence of the crypto tools historically embedded in Samba-AD, in preparation for the next phase of development that will focus on security features.

  • Default schema updated to 2012_R2 for better compatibility with Microsoft or third-party tools that require the schema extensions introduced with Windows 2012. This functionality was financed by the French government with the help of Tranquil IT [7].

  • Performance improvements, sometimes by orders of magnitude, to these processes (functionality financed by the French government with the help of Tranquil IT [4]):

    • Reindex performance improvements.

    • Join performance improvements.

    • LDAP Server memory improvements.

    • New LDB <= and >= index mode to improve replication performance.

    • Improvements to ldb search performance.

    • Improvements to subtree rename performance.
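
The JSON audit logging introduced in 4.9 and the authentication logging of 4.11 are meant to be consumed by a log concentrator or SIEM. As an added example (not Samba code) of what such a consumer does, the script below reads one JSON record per line, keeps only `"type": "Authentication"` records, and reports repeated failures per account and source host as well as successful NTLMv1 logons (the protocol 4.5 disabled by default). The field names follow Samba's Authentication record; the log lines themselves, the addresses and the failure threshold are constructed assumptions.

```python
"""Triage of Samba JSON authentication audit records (added example, not Samba code)."""
import json
from collections import Counter

# Constructed sample: one JSON record per line as the audit logger writes
# them, plus an Authorization record and a non-JSON line to be skipped.
SAMPLE_LOG = """\
{"timestamp": "2020-01-15T09:12:01.000000+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.0.1.20:51022", "serviceDescription": "SMB2", "clientDomain": "EXAMPLE", "clientAccount": "alice", "passwordType": "NTLMv2"}}
{"timestamp": "2020-01-15T09:12:05.000000+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.0.1.77:50311", "serviceDescription": "SMB2", "clientDomain": "EXAMPLE", "clientAccount": "bob", "passwordType": "NTLMv2"}}
{"timestamp": "2020-01-15T09:12:06.000000+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.0.1.77:50312", "serviceDescription": "SMB2", "clientDomain": "EXAMPLE", "clientAccount": "bob", "passwordType": "NTLMv2"}}
{"timestamp": "2020-01-15T09:12:07.000000+0100", "type": "Authorization", "Authorization": {"localAddress": "ipv4:10.0.0.5:445", "remoteAddress": "ipv4:10.0.1.20:51022", "serviceDescription": "SMB2"}}
{"timestamp": "2020-01-15T09:12:08.000000+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.0.1.77:50313", "serviceDescription": "SMB2", "clientDomain": "EXAMPLE", "clientAccount": "bob", "passwordType": "NTLMv2"}}
this line is not JSON and must be skipped
{"timestamp": "2020-01-15T09:13:00.000000+0100", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:10.0.2.9:49700", "serviceDescription": "SMB2", "clientDomain": "EXAMPLE", "clientAccount": "carol", "passwordType": "NTLMv1"}}
"""


def parse_auth_events(text):
    """Return the Authentication sub-record of every well-formed auth line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # debug output or a truncated line: skip, do not abort
        if rec.get("type") == "Authentication":
            events.append(rec["Authentication"])
    return events


def source_host(remote_address):
    """'ipv4:10.0.1.77:50311' -> 'ipv4:10.0.1.77' (drop the ephemeral port)."""
    return remote_address.rsplit(":", 1)[0] if remote_address else "unknown"


def triage(events, failure_threshold=3):
    """Count failures per (account, host) and collect successful NTLMv1 logons."""
    failures = Counter()
    legacy = []
    for ev in events:
        account = f"{ev.get('clientDomain')}\\{ev.get('clientAccount')}"
        if ev.get("status") != "NT_STATUS_OK":
            failures[(account, source_host(ev.get("remoteAddress")))] += 1
        elif ev.get("passwordType") == "NTLMv1":
            legacy.append(account)
    alerts = [
        f"{n} failed logons for {acct} from {host}"
        for (acct, host), n in failures.items() if n >= failure_threshold
    ]
    alerts += [f"successful NTLMv1 logon for {acct}" for acct in legacy]
    return {"failures": dict(failures), "legacy_ntlmv1": legacy, "alerts": alerts}


if __name__ == "__main__":
    for alert in triage(parse_auth_events(SAMPLE_LOG))["alerts"]:
        print(alert)
```

Grouping failures by host rather than by the full `remoteAddress` matters because every SMB connection carries a new ephemeral source port; without stripping it, the three failures for the same account from the same machine would never reach the threshold.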

This version also brings many fixes compared to the previous version.

Footnotes