Samba 4.10 : Evolution and new features

by | Apr 19, 2019 | Active Directory

Suprise! Samba Active Directory 4.10 has been available for the past couple days. We held back our excitement in telling you so we could test it out a little beforehand. In a previous article, we borrowed the DeLorean to go back in time and discover the origin of the Samba project. It’s time to resume and conclude this trip by telling you about the changes in Samba since 4.0. On the way to decipher the new features of Samba 4.10. Here we go!

Samba Active Directory: a viable alternative to NT4 protocol

Since version 4.0, Samba implements the functions of an Active Directory domain controller. From then on, it becomes possible to leave the NT4 identification and authentication protocol for a truly viable alternative. In addition, Samba 4.0 is able to meet the security requirements of organizations, where the NT4 protocol is struggling to reach the expected level. With this new version of Samba, Windows 2000 and later customers can join the domain and benefit from the services provided by the domain controller:

  • LDAP
  • KDC
  • NTP
  • DNS internal of relying on Blind-DLZ
  • Kerberos PAC

In addition, Samba 4.0.0.0 implements Python-coded interfaces to act on the core business logic historically encoded in C / C++.

How to choose between Active Directory, Workgroup or NT4 protocol? Discover our recommendations!

Samba 4.1.0: AD domain control and SMB protocol

Developers are taking advantage of the release of Samba 4.1.0 to expand the tools for customers of an AD domain controller. With this new version, Samba uses the SMBv2 and SMBv3 protocols for authentication. It then becomes possible to abandon the SMBv1 protocol (for higher versions) which does not provide sufficient security against threats such as ransomware. Replications between domain controllers are also improved in this version.

Samba AD: File service and AD domain control

Starting with Samba AD version 4.2.0, the development team will make improvements in file services, software operation and security, as well as domain controller performance. The end of Samba3 support was announced with version 4.2.0, although it still supports the NT4 identification and authentication protocol.

Here is a brief summary of what you may have missed between version 4.2.0 and 4.10. For the more adventurous, you will find a detailed listing of each release of Samba in our documentation.

Improvements to the file service:

  • Access to Shadow Copy files hosted on a share, allowing you to revert to saved versions of the file sharing tree.
  • SMB 3.1.1.1 support, standard file exchange protocol that appeared with Windows 10.
  • VirusFilter module support that integrates with Sophos, F-Secure and ClamAV antivirus to provide filtering functions on the file server.

Improvements to the domain controller:

  • Encryption of RPC exchanges between domain controllers, avoiding MITM attacks.
  • Improved overall password management strategy.
  • Improved KCC, a mechanism that allows the controller to map the replication topology for operation with a large network.
  • Improved deletion of defective domain controller.
  • Last Login / Last Logoff support.
  • Improved replication and DNS performance.

Evolution of Security:

  • Default disabling of NTLMv1 for any new implementation of the domain controller to handle increasing ransomware attacks.
  • Restriction of the range of ports used by the MS-RPC service.
  • Encryption of sensitive data on disk.
  • Differentiation of password policies between users and user groups.
  • Set up audit of Active Directory events (login, adding AD elements…).
  • Added a script in smb.conf allowing to choose the complexity of passwords, functional on Windows client machines.

Modifications to the functionality :

  • Improved KCC to optimize replication topology based on latencies and network speeds.
  • Creation of an Active Directory recycle bin to recover objects deleted after a bad manipulation.
  • Read-only domain controller (RODC) support to allow sites that do not have sufficient physical security to have a DC that only replicates users’ passwords.
  • General improvement in the functioning of approval relationships.
  • Implementation of Automatic Site Coverage to allow computers on a site without a domain controller to connect to the nearest domain controller.
  • LMDB database support for domains with more than 100,000 objects (users, groups, computers, etc.).

What’s new in Samba 4.10

Samba 4.10 brings its share of new features and various fixes (as any good update should). We let you watch the official Samba changelog if you are not afraid of English. On our side, here are the new features that caught our eye:

  • Possibility to export the GPOs of a domain in a generalized XML file allowing the backup of partial GPOs.
  • The “samba-tool domain backup” command now has an “offline” command to perform an offline backup in a secure way.
  • Samba 4.10 fully supports Python 3 (now used by default). Samba 4.10 will be the latest version to support Python 2.
  • New audit events are also at the heart of Samba 4.10’s new features. Authentication messages now contain the Windows event ID number and user name.

And thus concludes our temporal journey through the various versions of Samba! But don’t be sad, as this isn’t the end of our journey by any means! In fact, you can explore our contribution to the funding of Samba in another article to complement this one. You can always rely on us to keep you informed about the latest developments surrounding Samba Active Directory!

Moreover, now that you are well-versed in the history and features of Samba Active Directory, what’s really holding you back from trying it out? Lack of time? Perhaps fear of not being able to manage it? No worries about that! Now you know of a great company to support you with your migrations and other knowledge transfers. So, leave your licensing fees by the wayside and let’s continue our journey together with Samba AD on the road of Active Directory!

Do you have an Active Directory project? Share it with us!

FAQ WAPT 2.5 : Answers to your questions

FAQ WAPT 2.5 : Answers to your questions

WAPT 2.5 has been available for several months now. In this specific FAQ, you'll find 10 of the most frequently asked questions and comments.If you receive the error: EWaptCertificateUntrustedIssuer ('Issuer CA certificate CN=blemoigne,C=FR can not be found in...

read more
Demonstration

Group demo

07/11/2024 : 10h30 - 11h30

Let's go !