The new version of Samba 4.15.0 has been released; it comes with support for SMB3, improvements and more

Recently the release of the new version of Samba 4.15.0 was announced, which continues the development of the Samba 4 branch with a full implementation of a domain controller and Active Directory service.

The highlights of this new version of Samba are the completion of the VFS layer modernization work, support for the SMB3 extension being stabilized and enabled by default, and an improved command line, among other things.

Main new features of Samba 4.15

In this new version, the VFS layer modernization work has been completed. For historical reasons, the code implementing the file server was tied to file path processing, which was used, among other things, for the SMB2 protocol; that code has now been converted to use descriptors.

The modernization came down to converting the code that provides access to the server file system so that it uses file descriptors instead of file paths. For example, fstat() is used instead of stat(), and SMB_VFS_FSTAT() is used instead of SMB_VFS_STAT().
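The difference between the two calls can be seen in the following added example, which is not Samba code: a descriptor stays bound to the file that was opened, while a path is resolved again on every call and may by then name a different file. The scratch directory, file names and sizes are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a new file holding `len` filler bytes; returns 0 on success. */
static int make_file(const char *path, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    for (size_t i = 0; i < len; i++)
        if (write(fd, "x", 1) != 1) { close(fd); return -1; }
    return close(fd);
}

/* Open a 3-byte file, swap a 10-byte file onto the same path, then report
 * the size seen through the path (stat) and through the descriptor (fstat). */
int path_vs_fd_sizes(long *by_path, long *by_fd)
{
    char dir[] = "/tmp/vfsdemoXXXXXX";     /* constructed scratch directory */
    char a[64], b[64];
    struct stat sp, sf;
    int fd = -1, rc = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(a, sizeof a, "%s/report.txt", dir);
    snprintf(b, sizeof b, "%s/other.txt", dir);
    if (make_file(a, 3) == 0 && make_file(b, 10) == 0 &&
        (fd = open(a, O_RDONLY)) >= 0 &&
        rename(b, a) == 0 &&               /* path now names another inode */
        stat(a, &sp) == 0 && fstat(fd, &sf) == 0) {
        *by_path = (long)sp.st_size;       /* re-resolved: the new file */
        *by_fd = (long)sf.st_size;         /* still the file that was opened */
        rc = 0;
    }
    if (fd >= 0) close(fd);
    unlink(a); unlink(b); rmdir(dir);      /* clean up the scratch files */
    return rc;
}

int main(void)
{
    long p = 0, f = 0;
    if (path_vs_fd_sizes(&p, &f) != 0) { perror("demo"); return 1; }
    printf("stat(path): %ld bytes, fstat(fd): %ld bytes\n", p, f);
    return 0;
}
```

A server that checks a file by path and then acts on it by path can end up acting on a different object than the one it checked; working from one descriptor removes that gap.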

The implementation of BIND's Dynamically Loaded Zones (DLZ) technology, which enables clients to send DNS zone transfer requests to the BIND server and receive a response from Samba, has gained the ability to define access lists that determine which clients are allowed to make such requests and which are not.

Another novelty that stands out is that support for the SMB3 extension (Multichannel SMB3) has been stabilized and enabled by default. It allows clients to establish multiple connections to parallelize data transfers within a single SMB session. For example, when accessing the same file, I/O operations can be spread across multiple open connections at the same time. This mode improves performance and increases fault tolerance. To disable multichannel SMB3 in smb.conf, change the "multichannel server support" option, which is now enabled by default on Linux and FreeBSD platforms.

It is now possible to use the samba-tool command in Samba configurations built without Active Directory domain controller support (with the "--without-ad-dc" option specified). In this case, however, not all functions are available; for example, the capabilities of the 'samba-tool domain' command are limited.

Moreover, the command line interface has been improved and a new command line option parser has been introduced for use in the various Samba utilities. Similar options that used to differ between utilities have been unified; for example, the handling of options related to encryption, digital signatures and the use of Kerberos is now the same everywhere. smb.conf defines settings that set the default values for these options.

In addition, support has been added for the Offline Domain Join (ODJ) mechanism, which allows you to join a computer to a domain without directly contacting a domain controller. On Unix-like operating systems running Samba, the 'net offlinejoin' command is offered for joining, and on Windows you can use the standard djoin.exe program.

Of the other changes that stand out:

  • To display errors in all utilities, STDERR is used (for output to STDOUT, the "--debug-stdout" option is provided).
  • Added the option "--client-protection=off|sign|encrypt".
  • The DLZ DNS plugin no longer supports the BIND 9.8 and 9.9 branches.
  • By default, trusted domain list parsing is disabled when starting winbindd; it made sense in the NT4 days, but is not relevant for Active Directory.
  • DCE/RPC DNS servers can now be used by samba-tool and Windows utilities to manipulate DNS records on an external server.
  • When the command "samba-tool domain backup offline" is executed, the correct configuration of locks in the LMDB database is guaranteed, to protect against concurrent modification of data during the backup.
  • Support for experimental dialects of the SMB protocol has been discontinued: SMB2_22, SMB2_24, and SMB3_10, which were used only in trial versions of Windows.
  • For experimental builds with the experimental Active Directory implementation based on MIT Kerberos, the requirements for the version of this package have been raised. Builds now require at least MIT Kerberos 1.19 (shipped with Fedora 34).
  • NIS support removed.
  • Fixed the CVE-2021-3671 vulnerability that could allow an unauthenticated user to lock down a Heimdal KDC-based domain controller if a TGS-REQ packet is sent without a server name.

Finally, if you are interested in knowing more about it, you can check the details in the following link.

