파일 서버와 도메인 제어기

리눅스 시스템에는 기본적으로 활성화된 확장 속성을 위한 지원을 가지고 있기 때문에, 매개변수 "map readonly", "store dos attributes"과 "ea support"는 기본 설치에서 보다 나은 윈도우즈 파일 서버 호환성을 허용하도록 변경된 기본값을 가지고 있습니다.

Over several releases, Samba configuration checks were improved to detect typical identity mapping errors earlier and fail start up before the changes might affect actual operation. With changes in identities causing access control breaches and possibility of a data leakage to unwanted parties, this effort is helping to reduce a number of incorrect but widely deployed cases.

Since Samba 4.6, the 'testparm' tool can be used to validate the ID mapping configuration. After an upgrade please run it and check if it prints any warnings or errors. Please see the 'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage for suggestions and recommendations. There are some ID mapping backends which are not allowed to be used for the default backend. Winbind daemon will no longer start if an invalid backend is configured as the default backend.

Since Samba 4.8, configurations with “security = domain” or “security = ads” require a running ‘winbindd’ now. The fallback that smbd directly contacts domain controllers is gone.

Finally, Samba 4.9 differentiates between anonymous and guest access via SMB protocol. A side effect of this is that it is now required to have a mapping for BUILTIN\Guests group. The mapping can be provided automatically if a default identity backend allows to create entries on demand. Alternatively, net utility can be used to provide a group mapping for BUILTIN\Guests via

클러스터된 삼바 데몬(CTDB) 구성은 완전하게 새롭게 변신하였습니다.

오래된-유형 구성을 새로운 유형으로 이전하는 예제 스크립트는 `/usr/share/doc/ctdb/examples/config_migrate.sh`에서 사용 할 수 있습니다.

Local authorization plugin for MIT Kerberos has been added. The plugin controls the relationship between Kerberos principals and AD accounts through winbind. The module receives the Kerberos principal and the local account name as inputs and can then check if they match. This can resolve issues with canonicalized names returned by Kerberos within AD. If the user tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase), Kerberos would return ALICE as the username. Kerberos would not be able to map 'alice' to 'ALICE' in this case and auth would fail. With this plugin, account names can be correctly mapped. This only applies to GSSAPI authentication, not for getting the initial ticket granting ticket.

이와 같은 플러그인와 함께 winbind 기반의 구성은 AD 환경에서 SSSD와 동등합니다.

Active Directory Domain Controller in Samba 4.9 saw a number of improvements. Most notably, a new experimental LDB backend using LMDB is now available. This allows databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be increased in a future release). To enable lmdb, provision or join a domain using the “--backend-store=mdb” option.

이는 실험적인 기능이고 제품 배포에서는 권장되지 않는 것을 확인하세요.

Samba AD DC in Fedora is built with MIT Kerberos. As of Samba 4.9, MIT Kerberos support in Samba AD DC is still experimental and may exhibit bugs. There are known and not yet fixed issues in the Samba bug-tracker upstream:

The support for trusted domains/forests has been further improved. External domain trusts, as well a transitive forest trusts, are supported in both directions (inbound and outbound) for Kerberos and NTLM authentication.

다음 기능은 4.9에서 새롭게 추가되었습니다(4.8 과 비교하여):

아무튼, 이는 현재 여전히 여러 제한 사항이 있습니다: