English Urdu (Pakistan)
Active Directory Domain Controller in Samba 4.9 saw a number of improvements. Most notably, a new experimental LDB backend using LMDB is now available. This allows databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be increased in a future release). To enable lmdb, provision or join a domain using the "`--backend-store=mdb`" option.
A detailed set of release notes for Samba 4.9 is available at https://www.samba.org/samba/history/samba-4.9.0.html
A example script to migrate an old-style configuration to the new style is available in `/usr/share/doc/ctdb/examples/config_migrate.sh`.
Both sides of the trust need to fully trust each other!
Clustered Samba daemon (`CTDB`) configuration has been completely overhauled.
CTDB configuration changes
Daemon and tool options are now specified in a new ctdb.conf Samba-style configuration file. See `ctdb.conf(5)` for details.
Event script configuration is no longer specified in the top-level configuration file. It can now be specified per event script. For example, configuration options for the `50.samba` event script can be placed alongside the event script in a file called `50.samba.options`. Script options can also be specified in a new script.options file. See `ctdb-script.options(5)` for details.
Extended attributes support
File Servers and Domain Controllers
Finally, Samba 4.9 differentiates between anonymous and guest access via SMB protocol. A side effect of this is that it is now required to have a mapping for `BUILTIN\Guests` group. The mapping can be provided automatically if a default identity backend allows to create entries on demand. Alternatively, `net` utility can be used to provide a group mapping for `BUILTIN\Guests` via
foreignSecurityPrincipal objects (FPO) are now automatically created when members (as SID) of a trusted domain/forest are added to a group.
However there are currently still a few limitations:
Identity mapping changes
It's now possible to add users/groups of a trusted domain into domain groups. The group memberships are expanded on trust boundaries.
Kerberos integration
Local authorization plugin for MIT Kerberos has been added. The plugin controls the relationship between Kerberos principals and AD accounts through winbind. The module receives the Kerberos principal and the local account name as inputs and can then check if they match. This can resolve issues with canonicalized names returned by Kerberos within AD. If the user tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase), Kerberos would return ALICE as the username. Kerberos would not be able to map 'alice' to 'ALICE' in this case and auth would fail. With this plugin, account names can be correctly mapped. This only applies to GSSAPI authentication, not for getting the initial ticket granting ticket.
net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin