The release of Samba 4.17.0 has been presented, continuing the development of the Samba 4 branch with a full implementation of a domain controller and the Active Directory service, compatible with the Windows 2008 implementation and capable of serving all Windows client versions supported by Microsoft, including Windows 11. Samba 4 is a multifunctional server product that also provides implementations of a file server, a print service and an identity server.

Changes in Samba 4.17:
- Work was carried out to eliminate a performance regression on heavily loaded SMB servers that appeared as a result of adding protection against vulnerabilities that manipulate symbolic links. Among the optimizations mentioned are a reduction in system calls when checking directory names and no longer using wakeup events when processing concurrent operations, which led to delays.
- Samba can now be built without support for the SMB1 protocol in smbd. To disable SMB1, the configure build script offers the option “--without-smb1-server” (it affects only smbd; SMB1 support is preserved in the client libraries).
- When MIT Kerberos 1.20 is used, it is possible to counteract the “Bronze Bit” attack ( eliminated in 2021.
- When built with MIT Kerberos 1.20, the Samba domain controller supports S4U2Self and S4U2Proxy, as well as resource-based constrained delegation (RBCD, Resource Based Constrained Delegation). To manage RBCD, the samba-tool delegation command has gained the subcommands ‘add-principal’ and ‘del-principal’. In the default KDC based on Heimdal Kerberos, RBCD mode is not yet supported.
- In the built-in DNS service, the network port that receives requests can now be changed (for example, to run another DNS server on the same system that redirects certain requests to Samba).
- In the CTDB component, which is responsible for the operation of cluster configurations, the syntax requirements for the ctdb.tunables file have been relaxed. When Samba is built with the options “--with-cluster-support” and “--systemd-install-services”, a systemd service for CTDB is installed. The ctdbd_wrapper script is no longer shipped; the ctdbd process is now launched directly from the systemd service or from the init script.
- The setting ‘nt hash store = never’ has been added, prohibiting storage of “bare” (unsalted) password hashes of Active Directory users. In the next version, ‘nt hash store’ will be set to “auto” by default, in which the “never” mode is used when ‘ntlm auth = disabled’ is set.
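
The interaction between ‘nt hash store’ and ‘ntlm auth’ described in the last item can be checked against a configuration with a short script. This is an added example, not Samba's code and not part of the original report. The sample smb.conf is constructed, and the “always” value, the parameter defaults and the rule that “auto” keeps storing hashes unless NTLM authentication is disabled are assumptions not stated on the page.

```python
# Constructed sample configuration, not taken from a real deployment.
SAMPLE_SMB_CONF = """\
# domain controller settings
[global]
    workgroup = EXAMPLE
    NTLM Auth = Disabled
    nt hash store = auto
[share]
    path = /srv/share
"""

def global_params(conf_text):
    """Return the [global] parameters of an smb.conf text.

    Names are normalised the way smb.conf treats them: case-insensitive,
    with whitespace inside the name ignored.
    """
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.split()).lower()] = value.strip().lower()
    return params

def nt_hash_stored(conf_text, default_store="always"):
    """Return True if unsalted NT hashes would be stored for this config.

    default_store models the release default (assumed "always" for 4.17;
    pass "auto" to model the announced future default).
    """
    params = global_params(conf_text)
    store = params.get("nthashstore", default_store)
    ntlm_auth = params.get("ntlmauth", "ntlmv2-only")  # assumed default
    if store == "never":
        return False
    if store == "auto":
        # "never" behaviour applies only when NTLM authentication is disabled.
        return ntlm_auth != "disabled"
    if store == "always":
        return True
    raise ValueError(f"unrecognised 'nt hash store' value: {store!r}")
```

Calling `nt_hash_stored(text, default_store="auto")` shows how a configuration that sets only ‘ntlm auth = disabled’ will change behaviour once the default moves to “auto”.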