Samba 4.10 : Evolution and new features

Samba Active Directory: a viable alternative to NT4 protocol

Since version 4.0, Samba implements the functions of an Active Directory domain controller. From then on, it becomes possible to leave the NT4 identification and authentication protocol for a truly viable alternative. In addition, Samba 4.0 is able to meet the security requirements of organizations, where the NT4 protocol is struggling to reach the expected level. With this new version of Samba, Windows 2000 and later customers can join the domain and benefit from the services provided by the domain controller:

• LDAP
• KDC
• NTP
• DNS internal of relying on Blind-DLZ
• Kerberos PAC

In addition, Samba 4.0.0.0 implements Python-coded interfaces to act on the core business logic historically encoded in C / C++.

Samba 4.1.0: AD domain control and SMB protocol

Developers are taking advantage of the release of Samba 4.1.0 to expand the tools for customers of an AD domain controller. With this new version, Samba uses the SMBv2 and SMBv3 protocols for authentication. It then becomes possible to abandon the SMBv1 protocol (for higher versions) which does not provide sufficient security against threats such as ransomware. Replications between domain controllers are also improved in this version.

Samba AD: File service and AD domain control

Starting with Samba AD version 4.2.0, the development team will make improvements in file services, software operation and security, as well as domain controller performance. The end of Samba3 support was announced with version 4.2.0, although it still supports the NT4 identification and authentication protocol.

Here is a brief summary of what you may have missed between version 4.2.0 and 4.10. For the more adventurous, you will find a detailed listing of each release of Samba in our documentation.

Improvements to the file service:

• Access to Shadow Copy files hosted on a share, allowing you to revert to saved versions of the file sharing tree.
• SMB 3.1.1.1 support, standard file exchange protocol that appeared with Windows 10.
• VirusFilter module support that integrates with Sophos, F-Secure and ClamAV antivirus to provide filtering functions on the file server.

Improvements to the domain controller:

• Encryption of RPC exchanges between domain controllers, avoiding MITM attacks.
• Improved overall password management strategy.
• Improved KCC, a mechanism that allows the controller to map the replication topology for operation with a large network.
• Improved deletion of defective domain controller.
• Last Login / Last Logoff support.
• Improved replication and DNS performance.

Evolution of Security:

• Default disabling of NTLMv1 for any new implementation of the domain controller to handle increasing ransomware attacks.
• Restriction of the range of ports used by the MS-RPC service.
• Encryption of sensitive data on disk.
• Differentiation of password policies between users and user groups.
• Set up audit of Active Directory events (login, adding AD elements…).
• Added a script in smb.conf allowing to choose the complexity of passwords, functional on Windows client machines.

Modifications to the functionality :

• Improved KCC to optimize replication topology based on latencies and network speeds.
• Creation of an Active Directory recycle bin to recover objects deleted after a bad manipulation.
• Read-only domain controller (RODC) support to allow sites that do not have sufficient physical security to have a DC that only replicates users’ passwords.
• General improvement in the functioning of approval relationships.
• Implementation of Automatic Site Coverage to allow computers on a site without a domain controller to connect to the nearest domain controller.
• LMDB database support for domains with more than 100,000 objects (users, groups, computers, etc.).