Samba 4.10: Evolution and new features

Apr 19, 2019 | Active Directory

Samba Active Directory version 4.10 was released several days ago! We managed to hold back our impatience to tell you about it and took the time to test the brand new version. In a previous article, we borrowed the DeLorean to go back in time and discover the origin of the Samba project. It is time to resume and conclude this trip by telling you about the changes in Samba since 4.0, on the way to deciphering the new features of Samba 4.10. Let’s do it!

Samba Active Directory: a viable alternative to the NT4 protocol

Samba version 4.0 implements the functions of an Active Directory domain controller. From then on, it becomes possible to leave the NT4 identification and authentication protocol for a truly viable alternative. In addition, Samba 4.0 is able to meet the security requirements of organizations, where the NT4 protocol struggles to reach the expected level. With this new version of Samba, Windows 2000 and later clients can join the domain and benefit from the services provided by the domain controller:

  • LDAP
  • KDC
  • NTP
  • DNS, either internal or relying on BIND DLZ
  • Kerberos PAC

In addition, Samba 4.0.0 implements Python interfaces to act on the core business logic historically written in C / C++.

Samba 4.1.0: AD domain controller and SMB protocol

Developers took advantage of the release of Samba 4.1.0 to expand the tools for clients of an AD domain controller. With this new version, Samba uses the SMBv2 and SMBv3 protocols for authentication. It then becomes possible to abandon the SMBv1 protocol (for higher versions), which does not provide sufficient security against threats such as ransomware. Replication between domain controllers is also improved in this version.

Samba AD: File service and AD domain controller

Starting with Samba AD version 4.2.0, the development team will make improvements in file services, software operation and security, as well as domain controller performance. The end of Samba3 support is announced with version 4.2.0, which still supports the NT4 identification and authentication protocol.

Here is a brief summary of what you may have missed between version 4.2.0 and Samba 4.10. For the more adventurous, you will find a detailed listing of each release of Samba in our documentation.

File service:

  • Access to Shadow Copy files hosted on a share, allowing you to revert to saved versions of the file sharing tree.
  • SMB 3.1.1 support, the standard file exchange protocol that appeared with Windows 10.
  • VirusFilter module support that integrates with Sophos, F-Secure and ClamAV antivirus to provide filtering functions on the file server.

Domain controller:

  • Encryption of RPC exchanges between domain controllers, protecting against MITM attacks.
  • Improved overall password management strategy.
  • Improved KCC, a mechanism that allows the controller to map the replication topology for operation with a large network.
  • Improved removal of defective domain controllers.
  • Last Login / Last Logoff support.
  • Improved replication and DNS performance.

Security:

  • NTLMv1 disabled by default for any new implementation of the domain controller, in response to increasing ransomware attacks.
  • Restriction of the range of ports used by the MS-RPC service.
  • Encryption of sensitive data on disk.
  • Differentiation of password policies between users and user groups.
  • Auditing of Active Directory events (logins, addition of AD elements…).
  • Added a script setting in smb.conf that lets you choose the complexity of passwords, functional with Windows client machines.

Operation:

  • Improved KCC to optimize replication topology based on latencies and network speeds.
  • Creation of an Active Directory recycle bin to recover objects deleted by mistake.
  • Read-only domain controller (RODC) support to allow sites that do not have sufficient physical security to have a DC that only replicates users’ passwords.
  • General improvement in the functioning of trust relationships.
  • Implementation of Automatic Site Coverage to allow computers on a site without a domain controller to connect to the nearest domain controller.
  • LMDB database support for domains with more than 100,000 objects (users, groups, computers, etc.).

What’s new in Samba 4.10

Samba 4.10 brings its share of new features and various fixes (as any good update should). We will let you read the official Samba changelog if you are not afraid of English. On our side, here are the new features that caught our eye:

  • Possibility to export the GPOs of a domain to a generalized XML file, allowing the backup of partial GPOs.
  • The “samba-tool domain backup” command now has an “offline” subcommand to perform an offline backup in a secure way.
  • Samba 4.10 fully supports Python 3 (now used by default). Samba 4.10 will be the last version to support Python 2.
  • New audit events are also at the heart of Samba 4.10’s new features. Authentication messages now contain the Windows event ID number and user name.
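The event ID in authentication messages makes it practical to triage logons straight from the DC's JSON audit output. The following is an added example, not code from Samba or from this article: it counts failed logons (event ID 4625) per source and lists accounts still authenticating with NTLMv1. The sample lines are constructed, and the field names (`eventId`, `passwordType`, `clientAccount`, `remoteAddress`) are assumptions about the JSON layout that should be checked against your own logs.

```python
import json
from collections import Counter

LOGON_OK, LOGON_FAILED = 4624, 4625  # Windows event IDs carried in "eventId"

def _sample(event_id, status, account, addr, pw_type="NTLMv2"):
    """Build one constructed audit line (illustrative, not real log data)."""
    return "  " + json.dumps({"type": "Authentication", "Authentication": {
        "eventId": event_id, "logonType": 3, "status": status,
        "clientAccount": account, "remoteAddress": addr,
        "serviceDescription": "SMB2", "passwordType": pw_type}})

SAMPLE_LOG = [
    "[2019/04/19 10:00:00.000000,  3] auth_log.c (log_json)",  # debug header
    _sample(LOGON_OK, "NT_STATUS_OK", "alice", "ipv4:192.0.2.10:50112"),
    _sample(LOGON_FAILED, "NT_STATUS_WRONG_PASSWORD", "bob", "ipv4:192.0.2.66:40001"),
    _sample(LOGON_FAILED, "NT_STATUS_WRONG_PASSWORD", "carol", "ipv4:192.0.2.66:40002"),
    _sample(LOGON_FAILED, "NT_STATUS_NO_SUCH_USER", "dave", "ipv4:192.0.2.66:40003"),
    _sample(LOGON_OK, "NT_STATUS_OK", "svc-scan", "ipv4:192.0.2.20:51000", "NTLMv1"),
    '  {"type": "Authentication", "Authentica',  # truncated line, must be skipped
]

def parse_auth_events(lines):
    """Yield the Authentication payload of every parsable JSON audit line."""
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue  # debug header or unrelated message
        try:
            record = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if isinstance(record, dict) and record.get("type") == "Authentication":
            auth = record.get("Authentication")
            if isinstance(auth, dict):
                yield auth

def summarize(lines, threshold=3):
    """Return sources with >= threshold failed logons and NTLMv1 accounts."""
    failures, ntlmv1 = Counter(), set()
    for auth in parse_auth_events(lines):
        # Drop the trailing port so all attempts from one host group together.
        source = str(auth.get("remoteAddress", "unknown")).rsplit(":", 1)[0]
        if auth.get("eventId") == LOGON_FAILED:
            failures[source] += 1
        if auth.get("passwordType") == "NTLMv1":
            ntlmv1.add(str(auth.get("clientAccount")))
    noisy = {src: n for src, n in failures.items() if n >= threshold}
    return {"noisy_sources": noisy, "ntlmv1_accounts": sorted(ntlmv1)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```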

And that’s the end of our time getaway through the different versions of Samba! But don’t be sad, it doesn’t mean it’s the end of our journey! Indeed, you can discover our participation in the financing of Samba through an article to complete this one. You can always count on us to tell you about the new features of Samba Active Directory!

Moreover, now that you are unbeatable on the history and features of Samba Active Directory, what is stopping you from trying it? Lack of time? The fear of not being able to do it? None of this between us! Now you know a great company to support you in your migration and other training. So drop your license fees on the side and let’s go back to Active Directory together on Samba AD!
