File Servers and Domain Controllers

Samba 4.9

Samba has been upgraded to the 4.9 series. The upgrade brings a number of changes that may affect existing configurations or deployments.

A detailed set of release notes for Samba 4.9 is available at https://www.samba.org/samba/history/samba-4.9.0.html.

Extended attribute support

Since Linux systems have support for extended attributes enabled by default, parameters "map readonly", "store dos attributes" and "ea support" have had their defaults changed to allow better Windows fileserver compatibility in a default install.

Table 1. smb.conf parameter changes

Parameter Name        Description      Default
map readonly          Default changed  no
store dos attributes  Default changed  yes
ea support            Default changed  yes
full_audit:success    Default changed  none
full_audit:failure    Default changed  none

Identity mapping changes

Over several releases, Samba configuration checks were improved to detect typical identity mapping errors earlier and to fail startup before the changes can affect actual operation. Because changes in identities can cause access control breaches and possible data leakage to unwanted parties, this effort helps reduce the number of incorrect but widely deployed configurations.

Since Samba 4.6, the 'testparm' tool can be used to validate the ID mapping configuration. After an upgrade, please run it and check whether it prints any warnings or errors. Please see the 'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage for suggestions and recommendations. Some ID mapping backends are not allowed to be used as the default backend. The winbind daemon will no longer start if an invalid backend is configured as the default backend.

Since Samba 4.8, configurations with "security = domain" or "security = ads" require a running winbindd. The fallback in which smbd contacted domain controllers directly is gone.

Finally, Samba 4.9 differentiates between anonymous and guest access via the SMB protocol. A side effect of this is that a mapping for the BUILTIN\Guests group is now required. The mapping can be provided automatically if the default identity backend allows creating entries on demand. Alternatively, the net utility can be used to provide a group mapping for BUILTIN\Guests via

net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
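The three post-upgrade checks above (testparm validation, the winbindd requirement for domain/ads security, and the BUILTIN\Guests mapping) collected into one script. This is an added example, not part of the Fedora notes or Samba's own tooling; it assumes testparm, net and systemctl are on PATH when run live, that winbindd runs as the systemd unit named winbind, and that the helper functions parse the output formats of `testparm -s` and `net groupmap list` as shown in the constructed samples.

```shell
#!/bin/sh
# Post-upgrade identity-mapping check for Samba 4.9 (added example, not Samba's own code).
# Live mode assumes testparm, net and systemctl on PATH and a "winbind" systemd unit.

# Exit 0 if a `testparm -s` dump (read from stdin) selects security = domain or ads,
# the modes that now require a running winbindd.
needs_winbindd() {
    grep -iqE '^[[:space:]]*security[[:space:]]*=[[:space:]]*(domain|ads)[[:space:]]*$'
}

# Exit 0 if `net groupmap list` output (read from stdin) already maps the BUILTIN\Guests
# SID S-1-5-32-546. Lines look like "Guests (S-1-5-32-546) -> nobody".
has_guests_mapping() {
    grep -q '(S-1-5-32-546)'
}

check_identity_mapping() {
    dump=$(mktemp) && log=$(mktemp) || return 1
    # testparm exits non-zero on an invalid smb.conf; idmap warnings are printed on stderr
    if ! testparm -s >"$dump" 2>"$log"; then
        echo "smb.conf failed testparm validation:" >&2; cat "$log" >&2
        rm -f "$dump" "$log"; return 1
    fi
    grep -iE 'warning|error' "$log" >&2 || :
    if needs_winbindd <"$dump" && ! systemctl is-active --quiet winbind; then
        echo "security = domain/ads requires a running winbindd; start the winbind unit" >&2
        rm -f "$dump" "$log"; return 1
    fi
    rm -f "$dump" "$log"
    if ! net groupmap list | has_guests_mapping; then
        printf '%s\n' 'no mapping for BUILTIN\Guests; adding the mapping to nobody'
        net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
    fi
}

# Constructed samples (not captured from a real server) to exercise the helpers offline.
SAMPLE_DUMP='[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS'
SAMPLE_GROUPMAP='Domain Users (S-1-5-21-1-2-3-513) -> users
Guests (S-1-5-32-546) -> nobody'

case "${1:-}" in
    --check) check_identity_mapping ;;
    *) printf '%s\n' "$SAMPLE_DUMP" | needs_winbindd && echo "sample: winbindd needed"
       printf '%s\n' "$SAMPLE_GROUPMAP" | has_guests_mapping && echo "sample: Guests mapped" ;;
esac
```

Run with `--check` on the file server to perform the live checks; without arguments it only exercises the parsers on the constructed samples.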

CTDB configuration changes

The clustered Samba daemon (CTDB) configuration has been completely overhauled.

  • Daemon and tool options are now specified in a new Samba-style configuration file, ctdb.conf. See ctdb.conf(5) for details.

  • Event script configuration is no longer specified in the top-level configuration file. It can now be specified per event script. For example, configuration options for the 50.samba event script can be placed alongside the event script in a file called 50.samba.options. Script options can also be specified in a new script.options file. See ctdb-script.options(5) for details.

  • Options that affect CTDB startup should be configured in the distribution-specific configuration file. See ctdb.sysconfig(5) for details.

  • Tunable settings are now loaded from ctdb.tunables. Using CTDB_SET_TunableVariable=<value> in the main configuration file is no longer supported. See ctdb-tunables(7) for details.

An example script for migrating an old-style configuration to the new style is available at /usr/share/doc/ctdb/examples/config_migrate.sh.

Kerberos integration

A local authorization plugin for MIT Kerberos has been added. The plugin controls the relationship between Kerberos principals and AD accounts through winbind. The module receives the Kerberos principal and the local account name as inputs and can then check whether they match. This resolves issues with canonicalized names returned by Kerberos within AD. If the user tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase), Kerberos would return ALICE as the username. Kerberos would not be able to map 'alice' to 'ALICE' in this case and authentication would fail. With this plugin, account names can be correctly mapped. This only applies to GSSAPI authentication, not to obtaining the initial ticket-granting ticket.

With this plugin, winbind-based configurations are on par with SSSD in AD environments.

Samba AD DC

The Active Directory Domain Controller in Samba 4.9 saw a number of improvements. Most notably, a new experimental LDB backend using LMDB is now available. This allows databases larger than 4Gb (currently the limit is set to 6Gb, but this will be increased in a future release). To enable LMDB, provision or join a domain using the "--backend-store=mdb" option.

Note that this is an experimental feature and is not recommended for production deployments.

Samba AD DC in Fedora is built with MIT Kerberos. As of Samba 4.9, MIT Kerberos support in Samba AD DC is still experimental and may exhibit bugs. There are known and not yet fixed issues in the Samba bug-tracker upstream:

Support for trusted domains/forests has been further improved. External domain trusts, as well as transitive forest trusts, are supported in both directions (inbound and outbound) for Kerberos and NTLM authentication.

The following features are new in 4.9 (compared to 4.8):

  • Users/groups of a trusted domain can now be added to domain groups. Group memberships are expanded across trust boundaries.

  • foreignSecurityPrincipal objects (FPO) are now automatically created when members (as SID) of a trusted domain/forest are added to a group.

  • The 'samba-tool group *members' commands can specify members as foreign SIDs.

However, there are still several limitations:

  • Both sides of the trust need to fully trust each other!

  • No SID filtering rules are applied at all!

  • This means that a DC of domain A can grant domain admin rights in domain B.

  • Selective (CROSS_ORGANIZATION) authentication is not supported. It’s possible to create such a trust, but the KDC and winbindd ignore them.

  • Samba can only operate with a single domain.