Become Part of our Team and Push Digital Sovereignty
- Teamleader IT / Project Manager (m/f/x)
- IT Consultant (m/f/x)
- Outbound Sales Represantative (m/f/x)
The UCS 4.1 release includes the recent Samba version 4.3.1. In this article, I like to address the improvements and new features of this Samba update and their implementation in UCS 4.1.
A new Samba release usually contains quite a number of fixes for bugs that only show up in special situations and require a lot of research on behalf of the Samba team and the bug reporters.
While this hand-weeding of bugs usually dominates patch level releases, the release update from 4.2.3 to 4.3.1 also includes some structural improvements. For example, Samba now supports SMB protocol version 3.1.1 which currently is the latest protocol version spoken by Windows 10 and by the technical preview of Windows Server 2016. Some developers of the Samba team also have improved the performance of the encryption algorithm used for sealed (encrypted) SMB connections, which should improve performance and help reduce the load on file servers.
While other developments are important and interesting groundwork, some are not yet as elaborated to be in the focus of current UCS development. For example, there has been considerable progress in the support of trust relations between domains, but there is a number of open technical tasks to be solved beforehand in order to actually make this feature usable in a productive environment in a secure way.
Speaking of security, Samba now allows the adjustment of the list of supported TLS encryption mechanisms. As a first step, SSLv3 is now disabled by default.
A new Samba release also always requires some adjustments in the UCS source code itself. This time, for example, in the area of Samba3 to Samba4 migration or in the AD Takeover code. In the latter case, the UCS system now also transfers the DNS infrastructure roles to the UCS Samba/AD DC.
Finally, as to new installations, UCS now initializes the Samba/AD domain with a domain function level of 2008 R2. As a consequence, Samba now generates AES 128 and AES 256 Kerberos keys as well by default.
These changes as well as the enhancements in the S4-Connector DNS replication, which have already been shipped lately as an errata update for UCS 4.0-3, will help to improve usage experience for administrators and users of the Windows services provided by UCS 4.1.
Arvid Requate is Open Source software engineer at Univention and mainly engaged in the area of directory services, authentication and Samba.