Ubuntu 18.04 Samba Changelog

Hi everyone,

Ubuntu 18.04 also brings a new Samba release again (4.7.4 instead of 4.6.7 in 17.10).

Here is an excerpt from the changelog of v4.7.0 (Samba 4.7.0 - Release Notes) that could be interesting for us or affects us directly:

Authentication and Authorization audit support

Detailed authentication and authorization audit information is now
logged to Samba’s debug logs under the "auth_audit" debug class,
including in particular the client IP address triggering the audit
line. Additionally, if Samba is compiled against the jansson JSON
library, a JSON representation is logged under the "auth_json_audit"
debug class.

Audit support is comprehensive for all authentication and
authorisation of user accounts in the Samba Active Directory Domain
Controller, as well as the implicit authentication in password
changes. In the file server and classic/NT4 domain controller, NTLM
authentication, SMB and RPC authorization is covered, however password
changes are not at this stage, and this support is not currently
backed by a testsuite.

Multi-process LDAP Server

The LDAP server in the AD DC now honours the process model used for
the rest of the 'samba' process, rather than being forced into a single
process. This aids in Samba’s ability to scale to larger numbers of AD
clients and the AD DC’s overall resiliency, but will mean that there is a
fork()ed child for every LDAP client, which may be more resource
intensive in some situations. If you run Samba in a
resource-constrained VM, consider allocating more RAM and swap space.

Improved Read-Only Domain Controller (RODC) Support

Support for RODCs in Samba AD until now has been experimental. With this latest
version, many of the critical bugs have been fixed and the RODC can be used in
DC environments requiring no writable behaviour. RODCs now correctly support
bad password lockouts and password disclosure auditing through the
msDS-RevealedUsers attribute.

Improvements to DNS during Active Directory domain join

The 'samba-tool' domain join command will now add the A and GUID DNS records
(on both the local and remote servers) during a join if possible via RPC. This
should allow replication to proceed more smoothly post-join.

The mname element of the SOA record will now also be dynamically generated to
point to the local read-write server. 'samba_dnsupdate' should now be more
reliable as it will now find the appropriate name server even when resolv.conf
points to a forwarder.

Significant AD performance and replication improvements

Previously, replication of group memberships was an incredibly expensive
process for the AD DC. This was mostly due to unnecessary CPU time being spent
parsing member linked attributes. The database now stores these linked
attributes in sorted form to perform efficient searches for existing members.
In domains with a large number of group memberships, a join can now be
completed in half the time compared with Samba 4.6.

LDAP search performance has also improved, particularly in the unindexed search
case. Parsing and processing of security descriptors should now be more
efficient, improving replication but also overall performance.

I wanted to write something about each new feature, but I think most of it is self-explanatory.

I did not find any disadvantages in the newer version that affect us. The advantages, however, are huge, and I am curious whether we will again get a performance improvement like the one we got with the jump from 16.04 to 17.10.

Best regards,


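An added example, not part of the original post or of Samba's own code: one way to use the "auth_json_audit" output quoted above is to count failed logons per client IP address. The sample lines are constructed, and the "JSON Authentication:" prefix and the field names (`type`, `status`, `remoteAddress`, `clientAccount`) are assumptions to check against your own log.

```python
import json
from collections import defaultdict

# Constructed sample lines, not real output. The line prefix and the field
# names (type, status, remoteAddress, clientAccount) are assumptions about
# the audit format; verify them against your own Samba log before relying on this.
def _line(status, addr, account):
    event = {"type": "Authentication", "Authentication": {
        "status": status, "remoteAddress": addr, "clientAccount": account}}
    return "  JSON Authentication: " + json.dumps(event)

SAMPLE_LOG = "\n".join([
    "[2018/04/26 10:00:01,  2] (constructed debug header line)",
    _line("NT_STATUS_WRONG_PASSWORD", "ipv4:192.0.2.10:50112", "alice"),
    _line("NT_STATUS_NO_SUCH_USER", "ipv4:192.0.2.10:50113", "bob"),
    _line("NT_STATUS_OK", "ipv4:192.0.2.20:40000", "dave"),
    _line("NT_STATUS_WRONG_PASSWORD", "ipv4:192.0.2.10:50114", "carol"),
    _line("NT_STATUS_WRONG_PASSWORD", "ipv4:192.0.2.30:41000", "erin"),
    '  JSON Authentication: {"type": "Authentication", "Authent',  # truncated
])

def parse_auth_events(text):
    """Yield the 'Authentication' object of every parseable JSON audit line."""
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue  # debug header or unrelated log line
        try:
            record = json.loads(line[start:])
        except ValueError:
            continue  # truncated or non-JSON content, skip instead of failing
        auth = record.get("Authentication") if isinstance(record, dict) else None
        if isinstance(auth, dict):
            yield auth

def client_ip(remote_address):
    """Strip the address family and port: 'ipv4:192.0.2.10:50112' -> '192.0.2.10'."""
    _family, sep, rest = remote_address.partition(":")
    if not sep:
        return remote_address
    host, sep, _port = rest.rpartition(":")
    return host if sep else rest

def failed_logons_by_ip(text, threshold=3):
    """Return client IPs with at least `threshold` failed authentications."""
    accounts = defaultdict(list)
    for auth in parse_auth_events(text):
        if auth.get("status") != "NT_STATUS_OK":
            ip = client_ip(auth.get("remoteAddress") or "unknown")
            accounts[ip].append(str(auth.get("clientAccount")))
    return {ip: {"failures": len(a), "accounts": sorted(set(a))}
            for ip, a in accounts.items() if len(a) >= threshold}
```

One IP failing against several different accounts, as 192.0.2.10 does in the sample, is the pattern worth alerting on; the threshold should be tuned to the environment.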