Software update: Samba 4.11.0

Samba runs on Unix, BSD and Linux servers and is an open-source implementation of the SMB/CIFS network protocol. Since version 3, Samba can offer file and print services to Windows clients and is able to act as a domain controller. Extensive documentation, including practical how-tos for a slightly older version, can be found on this page. The developers have released version 4.11.0, with the following changes:

Release Notes for Samba 4.11.0

AD Database compatibility
Samba 4.11 has changed how the AD database is stored on disk. AD users should not really be affected by this change when upgrading to 4.11. However, AD users should be extremely careful if they need to downgrade from Samba 4.11 to an older release. Samba 4.11 maintains database compatibility with older Samba releases. The database will automatically get rewritten in the new 4.11 format when you first start the upgraded samba executable. However, when downgrading from 4.11 you will need to manually downgrade the AD database yourself. Note that you will need to do this step before you install the downgraded Samba packages. When either upgrading or downgrading, users should also avoid making any database modifications between installing the new Samba packages and starting the samba executable.

SMB1 is disabled by default
The defaults of 'client min protocol' and 'server min protocol' have been changed to SMB2_02. This means clients without support for SMB2 or SMB3 are no longer able to connect to smbd (by default). It also means client tools like smbclient and others, as well as applications making use of libsmbclient, are no longer able to connect to servers without SMB2 or SMB3 support (by default). It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2 and LANMAN1 for client and server, as well as CORE and COREPLUS on the client. Note that most command-line tools, e.g. smbclient, smbcacls and others, also support the '--option' argument to overwrite smb.conf options, e.g. --option='client min protocol=NT1' might be useful. As Microsoft no longer installs SMB1 support in recent releases or uninstalls it after 30 days without usage, the Samba Team tries to remove the SMB1 usage as much as possible. SMB1 is officially deprecated and might be removed step by step in the following years. If you have a strong requirement for SMB1 (except for supporting old Linux Kernels), please file a bug at and let us know about the details.

LanMan and plaintext authentication deprecated
The "lanman auth" and "encrypt passwords" parameters are deprecated with this release as both are only applicable to SMB1 and are quite insecure. NTLM, NTLMv2 and Kerberos authentication are unaffected, as "encrypt passwords = yes" has been the default since Samba 3.0.0. If you have a strong requirement for these authentication protocols, please file a bug at and let us know about the details.
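
An added example (not from the Samba project or the original article): a small Python audit that reads the [global] section of an smb.conf and reports settings that re-enable SMB1 dialects or the deprecated LanMan and plaintext authentication described in the two sections above. It assumes a single file without include directives or line continuations, and the sample configuration is constructed.

```python
import re

# SMB1-era dialects named in the release notes above.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

def norm(name):
    """smb.conf parameter names ignore case and whitespace."""
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized parameter: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """List settings that undo the 4.11 defaults and deprecations."""
    p, findings = parse_global(text), []
    for side in ("client", "server"):
        value = p.get(side + "minprotocol", "SMB2_02").upper()
        if value in SMB1_DIALECTS:
            findings.append(f"{side} min protocol = {value}: SMB1 allowed")
    if p.get("lanmanauth", "no").lower() in ("yes", "true", "1"):
        findings.append("lanman auth = yes: LanMan authentication enabled")
    if p.get("encryptpasswords", "yes").lower() in ("no", "false", "0"):
        findings.append("encrypt passwords = no: plaintext passwords enabled")
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """
[global]
    Server Min Protocol = NT1
    lanman auth = yes
    ; encrypt passwords = no
[share]
    path = /srv/share
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
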

BIND9_FLATFILE deprecated
The BIND9_FLATFILE DNS backend is deprecated in this release and will be removed in the future. This was only practically useful on a single domain controller or under expert care and supervision. This release therefore deprecates the "rndc command" smb.conf parameter, which is used to support this configuration. After writing out a list of DCs permitted to make changes to the DNS Zone, "rndc command" is called with reload to tell the 'named' server if a DC was added to or removed from the domain.

  • Default samba process model - The default for the '--model' argument passed to the samba executable has changed from 'standard' to 'prefork'. This means a difference in the number of samba child processes that are created to handle client connections. The previous default would create a separate process for every LDAP or NETLOGON client connection. For a network with a lot of persistent client connections, this could result in significant memory overhead. Now, with the new default of 'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of worker processes at startup and share the client connections amongst these workers. The number of worker processes can be configured by the 'prefork children' setting in the smb.conf (the default is 4).
  • Authentication Logging - Winbind now logs PAM_AUTH and NTLM_AUTH events. A new attribute "logonId" has been added to the Authentication JSON log messages. This contains a random logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed to SamLogon, linking the winbind and SamLogon requests. The version of the JSON Authentication messages has been changed from 1.1 to 1.2.
  • LDAP referrals - The scheme of returned LDAP referrals now reflects the scheme of the original request, i.e. referrals received via ldap are prefixed with "ldap://" and those over ldaps are prefixed with "ldaps://". Previously all referrals were prefixed with "ldap://".
  • Bind9 logging - It is now possible to log the duration of DNS operations performed by Bind9. This should aid future diagnosis of performance issues and could be used to monitor DNS performance. The logging is enabled by setting log level to "dns:10" in smb.conf. The logs are currently human readable text only, i.e. no JSON formatted output.
  • Default schema updated to 2012_R2 - Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level is not yet available. Older schemas can be used by provisioning with the '--base-schema' argument. Existing installations can be updated with the samba-tool command "domain schemaupgrade". Samba's replication code has also been improved to handle replication with the 2012 schema (the core of this replication fix has also been backported to 4.9.11 and will be in a 4.10.x release). For more about how the AD schema relates to overall Windows compatibility, please read:
  • GnuTLS 3.2 required - Samba is making efforts to remove in-tree cryptographic functionality, and to instead rely on externally maintained libraries. To this end, Samba has chosen GnuTLS as our standard cryptographic provider. Samba now requires GnuTLS 3.2 to be installed (including development headers at build time) for all configurations, not just the Samba AD DC. NOTE WELL: The use of GnuTLS means that Samba will honour the system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic standard) and so will not operate in many still common situations if this system-wide parameter is in effect, as many of our protocols rely on outdated cryptography. A future Samba version will mitigate this to some extent where good cryptography effectively wraps bad cryptography, but for now the above applies.
  • samba-tool improvements - A new "samba-tool contact" command has been added to allow the command-line manipulation of contacts, as used for address book lookups in LDAP. The "samba-tool [user|group|computer|group|contact] edit" command has been improved to operate more pleasantly on international character sets.
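
An added example (not Samba's own code and not part of the original article) for the Authentication Logging item above: a Python sketch that groups JSON Authentication records by "logonId" so a winbind PAM_AUTH or NTLM_AUTH request can be followed to its SamLogon record. Only "logonId" and message version 1.2 come from the release notes; the record envelope, the other field names and the sample lines are constructed assumptions.

```python
import json
from collections import defaultdict

def _sample(service, status, logon_id=None, minor=2):
    # Builds one constructed log line. Only "logonId" and version 1.2 come from
    # the release notes; the envelope and other field names are assumptions.
    body = {"version": {"major": 1, "minor": minor},
            "serviceDescription": service, "status": status}
    if logon_id is not None:
        body["logonId"] = logon_id
    return "  " + json.dumps({"type": "Authentication", "Authentication": body})

SAMPLE_LOG = [
    "[constructed] non-JSON log header line",
    _sample("winbind", "NT_STATUS_OK", "1a2b"),
    _sample("SamLogon", "NT_STATUS_OK", "1a2b"),
    _sample("winbind", "NT_STATUS_WRONG_PASSWORD", "3c4d"),
    _sample("SamLogon", "NT_STATUS_WRONG_PASSWORD", "3c4d"),
    _sample("winbind", "NT_STATUS_OK", "5e6f"),   # no SamLogon counterpart
    _sample("SMB2", "NT_STATUS_OK", minor=1),     # older record, no logonId
]

def group_by_logon_id(lines):
    """Map logonId -> {serviceDescription: status}."""
    chains = defaultdict(dict)
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue                      # not a JSON line
        try:
            record = json.loads(line[start:])
        except ValueError:
            continue                      # truncated or malformed JSON
        auth = record.get("Authentication")
        if record.get("type") != "Authentication" or not isinstance(auth, dict):
            continue
        if auth.get("logonId"):
            chains[auth["logonId"]][auth.get("serviceDescription")] = auth.get("status")
    return dict(chains)

def review(lines):
    """Return (failed, unlinked) logonIds: chains with a non-OK status, and
    winbind requests that have no SamLogon record with the same logonId."""
    chains = group_by_logon_id(lines)
    failed = sorted(i for i, c in chains.items()
                    if any(s != "NT_STATUS_OK" for s in c.values()))
    unlinked = sorted(i for i, c in chains.items()
                      if "winbind" in c and "SamLogon" not in c)
    return failed, unlinked

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```
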
100,000 USER and LARGER Samba AD DOMAINS
Extensive efforts have been made to optimise Samba for use in organisations (for example) targeting 100,000 users, plus 120,000 computer objects, as well as a large number of group memberships. Many of the specific efforts are detailed below, but the net result is to remove barriers to significantly larger Samba deployments compared to previous releases.
  • Reindex performance improvements
  • join performance improvements
  • LDAP Server memory improvements
  • Setting lmdb map size
  • LDB "batch_mode"
  • New LDB pack format
  • New LDB <= and >= index mode to improve replication performance
  • Improvements to ldb search performance
  • Improvements to subtree rename performance
CTDB changes
  • nfs-linux-kernel-callout now defaults to using systemd service names
  • The onnode -o option has been removed
  • ctdbd logs when it is using more than 90% of a CPU thread
  • Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed
  • CephFS Snapshot Integration
  • Web server - As a leftover from work related to the Samba Web Administration Tool (SWAT), Samba still supported a Python WSGI web server (which could still be turned on from the 'server services' smb.conf parameter). This service was unused and has now been removed from Samba.
  • samba-tool join subdomain - The subdomain role has been removed from the join command. This option did not work and has no tests.
  • Python2 support - Samba 4.11 will not have any runtime support for Python 2. If you are building Samba using the '--disable-python' option (i.e. you're excluding all the run-time Python support), then this will continue to work on a system that supports either python2 or python3. Except for this specific build-time use of python2, Samba now requires Python 3.4 as a minimum.
Version number 4.11.0
Release status Final
Operating systems Linux, BSD, macOS, Solaris, UNIX
Website Samba
License type GPL

By Japke Rosink


24-09-2019 • 10:38


Source: Samba

Comments (6)

Does anyone know to what extent this is supported by Microsoft? I mean, as in Microsoft informing the Samba devs that they are going to introduce something breaking, or the Samba devs being able to ask Microsoft for help with a particular issue they can't get working?
Microsoft can't just introduce a breaking change, because it runs on a great many devices that aren't updated daily. I think MS would then have a bigger problem than the Samba developers.
I believe some documentation has gone from Microsoft to the Samba project in the past, but it will of course never come to official support.
On the other hand, MS is actually doing well by embracing Linux more and more instead of treating it as a threat. See for example Kubernetes in Azure, Visual Studio Code, which also has a Linux build, and Ubuntu mode in Windows 10, to name a few examples...

[Comment edited by CH4OS on 25 September 2019 01:37]

The Samba developers are in direct contact with MS, to whatever extent you can call that official..
There are also MS developers who contribute Samba patches.
And Samba developers simply make use of the MS open-source code.
The rest is reverse engineered.

At the moment, skip 4.11.0 for now; some important fixes are on the way for 4.11.1.
Samba 4.11 has had substantial internal changes, and some things are surfacing at the moment.

My advice: either wait for 4.11.1 or use 4.10.8.
Would be nice if SMBv3 multi-channel were implemented :P (supported)

[Comment edited by grimson on 25 September 2019 19:21]
