From 3aaaf3cef7a35250566eb79b8f412419af05ae66 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 12 Sep 2018 11:28:24 +0200 Subject: [PATCH] WHATSNEW.txt: announce 4.9.0 trust improvements Signed-off-by: Stefan Metzmacher --- WHATSNEW.txt | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 07cd9f2fc061..7c71544bac71 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -265,6 +265,38 @@ feature, currently it should be enabled from the DNS Manager tool from Windows. Also the feature needs to have been enabled by setting the smb.conf parameter "dns zone scavenging = yes". +Improved support for trusted domains (as AD DC) +----------------------------------------------- + +The support for trusted domains/forests has been further improved. + +External domain trusts, as well a transitive forest trusts, +are supported in both directions (inbound and outbound) +for Kerberos and NTLM authentication. + +The following features are new in 4.9 (compared to 4.8): + +- It's now possible to add users/groups of a trusted domain + into domain groups. The group memberships are expanded + on trust boundaries. +- foreignSecurityPrincipal objects (FPO) are now automatically + created when members (as SID) of a trusted domain/forest + are added to a group. +- The 'samba-tool group *members' commands allow + members to be specified as foreign SIDs. + +However there are currently still a few limitations: + +- Both sides of the trust need to fully trust each other! +- No SID filtering rules are applied at all! +- This means DCs of domain A can grant domain admin rights + in domain B. +- Selective (CROSS_ORIGANIZATION) authentication is + not supported. It's possible to create such a trust, + but the KDC and winbindd ignore them. +- Samba can still only operate in a forest with just + one single domain. + CTDB changes ------------ -- 2.17.1
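Review bot: Two typos in the new WHATSNEW section should be fixed before this lands: "as well a transitive forest trusts" should read "as well as transitive forest trusts", and "Selective (CROSS_ORIGANIZATION) authentication" should read "CROSS_ORGANIZATION" (the trust attribute name), since release notes are what administrators will search for. In the same limitations list, "but the KDC and winbindd ignore them" refers to a single trust and should be "ignores it". On substance, the three consecutive bullets "Both sides of the trust need to fully trust each other!", "No SID filtering rules are applied at all!" and "This means DCs of domain A can grant domain admin rights in domain B." are the most security-relevant lines in the hunk; consider merging them into one bullet that states the consequence directly, for example that without SID filtering a trust must only be established with a domain whose DCs are fully controlled by the same administrators, because the trusted side can assert arbitrary group memberships in the trusting domain. Stated that way the operational risk is clear to someone skimming the list, rather than being split across three exclamations.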