With this plugin, winbind-based configurations are on par with SSSD in an AD environment.
Tunable settings are now loaded from `ctdb.tunables`. Using `CTDB_SET_TunableVariable=<value>` in the main configuration file is no longer supported. See `ctdb-tunables(7)` for details.
This means DCs of domain A can grant domain admin rights in domain B.
The support for trusted domains/forests has been further improved. External domain trusts, as well as transitive forest trusts, are supported in both directions (inbound and outbound) for Kerberos and NTLM authentication.
The '`samba-tool group *members`' commands allow members to be specified as foreign SIDs.
The following features are new in 4.9 (compared to 4.8):
smb.conf parameter changes
Since Samba 4.8, configurations with "`security = domain`" or "`security = ads`" require a running '`winbindd`'. The fallback in which smbd contacts domain controllers directly is gone.
Since Samba 4.6, the 'testparm' tool can be used to validate the ID mapping configuration. After an upgrade, please run it and check whether it prints any warnings or errors. Please see the 'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage for suggestions and recommendations. Some ID mapping backends are not allowed to be used as the default backend. The winbind daemon will no longer start if an invalid backend is configured as the default backend.
Since Linux systems have support for extended attributes enabled by default, parameters "map readonly", "store dos attributes" and "ea support" have had their defaults changed to allow better Windows fileserver compatibility in a default install.
Selective (CROSS_ORGANIZATION) authentication is not supported. It's possible to create such a trust, but the KDC and winbindd ignore them.
The Samba suite has been upgraded to the 4.9 series. The upgrade brings a number of changes that might affect the default configuration or existing deployments.
Samba can still only operate in a forest with just one single domain.
Samba AD DC in Fedora is built with MIT Kerberos. As of Samba 4.9, MIT Kerberos support in Samba AD DC is still experimental and may exhibit bugs. There are known and not yet fixed issues in the Samba bug-tracker upstream:
Samba AD DC
Samba 4.9
Please note this is an experimental feature and is not recommended for production deployments.
|===
|Parameter Name |Description |Default

|map readonly |Default changed |no
|store dos attributes |Default changed |yes
|ea support |Default changed |yes
|full_audit:success |Default changed |none
|full_audit:failure |Default changed |none
|===
Over several releases, Samba's configuration checks have been improved to detect typical identity mapping errors earlier and to fail at startup, before the changes can affect actual operation. Because changes in identities can cause access control breaches and possible data leakage to unwanted parties, this effort helps to reduce the number of incorrect but widely deployed configurations.
Options that affect CTDB startup should be configured in the distribution-specific configuration file. See `ctdb.sysconfig(5)` for details.
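
The following script is an added example, not part of the original release notes or of Samba. It audits a configuration against the changes listed on this page: parameters in the table above that are left unset and so pick up the new default, a `security` mode that now requires `winbindd`, and `CTDB_SET_` lines that must move to `ctdb.tunables`. The function names, the sample configuration and the sample tunable `TraverseTimeout` are assumptions made for illustration, and only the `[global]` section is inspected for parameter values.

```python
import re

# New 4.9 defaults, taken from the parameter table on this page.
CHANGED_DEFAULTS = {"map readonly": "no", "store dos attributes": "yes",
                    "ea support": "yes", "full_audit:success": "none",
                    "full_audit:failure": "none"}

def norm(name):
    # smb.conf parameter names ignore case and whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def audit(smb_conf, ctdb_conf=""):
    """List settings whose behaviour changes silently after the upgrade."""
    conf = parse_smb_conf(smb_conf)
    glob = conf.get("global", {})
    audited = any("full_audit" in s.get("vfsobjects", "") for s in conf.values())
    findings = []
    for param, default in CHANGED_DEFAULTS.items():
        if param.startswith("full_audit:") and not audited:
            continue  # only relevant where the full_audit VFS module is loaded
        if norm(param) not in glob:
            findings.append(f"[global] {param} not set: new default '{default}' "
                            "applies unless a share overrides it")
    security = glob.get("security", "").lower()
    if security in ("domain", "ads"):
        findings.append(f"security = {security}: winbindd must be running")
    for line in ctdb_conf.splitlines():
        match = re.match(r"\s*CTDB_SET_(\w+)=(.*)", line)
        if match:  # ctdb.tunables takes TUNABLE=VALUE lines
            findings.append(f"move to ctdb.tunables: {match[1]}={match[2].strip()}")
    return findings

# Constructed sample input, not taken from a real host.
SAMPLE_SMB = ("[global]\nsecurity = ADS\nStore DOS Attributes = no\n"
              "vfs objects = full_audit\nfull_audit:success = open\n"
              "[share]\npath = /srv/share\n")
SAMPLE_CTDB = "CTDB_SET_TraverseTimeout=30\n"

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SMB, SAMPLE_CTDB)))
```

Setting each reported parameter explicitly, to whichever value is intended, removes the dependency on the release default; `testparm` remains the authoritative check for the ID mapping configuration.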