mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
5e89a23ffa
Applications (like OpenSSH) don't know about users and and their relationship to Kerberos principals. This plugin allows that Kerberos principals can be validated against local user accounts. Administrator@WURST.WORLD -> WURST\Administrator https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/localauth.html BUG: https://bugzilla.samba.org/show_bug.cgi?id=13480 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Thu Jun 21 15:52:02 CEST 2018 on sn-devel-144
128 lines
4.5 KiB
Plaintext
128 lines
4.5 KiB
Plaintext
Release Announcements
|
|
=====================
|
|
|
|
This is the first preview release of Samba 4.9. This is *not*
|
|
intended for production environments and is designed for testing
|
|
purposes only. Please report any defects via the Samba bug reporting
|
|
system at https://bugzilla.samba.org/.
|
|
|
|
Samba 4.9 will be the next version of the Samba suite.
|
|
|
|
|
|
UPGRADING
|
|
=========
|
|
|
|
|
|
NEW FEATURES/CHANGES
|
|
====================
|
|
|
|
|
|
net ads setspn
|
|
---------------
|
|
|
|
There is a new 'net ads setspn' sub command for managing Windows SPN(s)
|
|
on the AD. This command aims to give the basic functionaility that is
|
|
provided on windows by 'setspn.exe' e.g. ability to add, delete and list
|
|
Windows SPN(s) stored in a Windows AD Computer object.
|
|
|
|
The format of the command is:
|
|
|
|
net ads setspn list [machine]
|
|
net ads setspn [add | delete ] SPN [machine]
|
|
|
|
'machine' is the name of the computer account on the AD that is to be managed.
|
|
If 'machine' is not specified the name of the 'client' running the command
|
|
is used instead.
|
|
|
|
The format of a Windows SPN is
|
|
'serviceclass/host:port/servicename' (servicename and port are optional)
|
|
|
|
serviceclass/host is generally sufficient to specify a host based service.
|
|
|
|
net ads keytab changes
|
|
----------------------
|
|
net ads keytab add no longer attempts to convert the passed serviceclass
|
|
(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
|
|
computer object. By default just the keytab file is modified.
|
|
|
|
A new keytab subcommand 'add_update_ads' has been added to preserve the
|
|
legacy behaviour. However the new 'net ads setspn add' subcommand should
|
|
really be used instead.
|
|
|
|
net ads keytab create no longer tries to generate SPN(s) from existing
|
|
entries in a keytab file. If it is required to add Windows SPN(s) then
|
|
'net ads setspn add' should be used instead.
|
|
|
|
Local authorization plugin for MIT Kerberos
|
|
-------------------------------------------
|
|
|
|
This plugin controls the relationship between Kerberos principals and AD
|
|
accounts through winbind. The module receives the Kerberos principal and the
|
|
local account name as inputs and can then check if they match. This can resolve
|
|
issues with canonicalized names returned by Kerberos within AD. If the user
|
|
tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
|
|
Kerberos would return ALICE as the username. Kerberos would not be able to map
|
|
'alice' to 'ALICE' in this case and auth would fail. With this plugin account
|
|
names can be correctly mapped. This only applies to GSSAPI authentication,
|
|
not for the geting the initial ticket granting ticket.
|
|
|
|
REMOVED FEATURES
|
|
================
|
|
|
|
|
|
|
|
smb.conf changes
|
|
================
|
|
|
|
As the most popular Samba install platforms (Linux and FreeBSD) both
|
|
support extended attributes by default, the parameters "map readonly",
|
|
"store dos attributes" and "ea support" have had their defaults changed
|
|
to allow better Windows fileserver compatibility in a default install.
|
|
|
|
Parameter Name Description Default
|
|
-------------- ----------- -------
|
|
map readonly Default changed no
|
|
store dos attributes Default changed yes
|
|
ea support Default changed yes
|
|
|
|
VFS interface changes
|
|
=====================
|
|
|
|
The VFS ABI interface version has changed to 39. Function changes
|
|
are:
|
|
|
|
SMB_VFS_FSYNC: Removed: Only async versions are used.
|
|
SMB_VFS_READ: Removed: Only PREAD or async versions are used.
|
|
SMB_VFS_WRITE: Removed: Only PWRITE or async versions are used.
|
|
SMB_VFS_CHMOD_ACL: Removed: Only CHMOD is used.
|
|
SMB_VFS_FCHMOD_ACL: Removed: Only FCHMOD is used.
|
|
|
|
Any external VFS modules will need to be updated to match these
|
|
changes in order to work with 4.9.x.
|
|
|
|
KNOWN ISSUES
|
|
============
|
|
|
|
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.9#Release_blocking_bugs
|
|
|
|
|
|
#######################################
|
|
Reporting bugs & Development Discussion
|
|
#######################################
|
|
|
|
Please discuss this release on the samba-technical mailing list or by
|
|
joining the #samba-technical IRC channel on irc.freenode.net.
|
|
|
|
If you do report problems then please try to send high quality
|
|
feedback. If you don't provide vital information to help us track down
|
|
the problem then you will probably be ignored. All bug reports should
|
|
be filed under the Samba 4.1 and newer product in the project's Bugzilla
|
|
database (https://bugzilla.samba.org/).
|
|
|
|
|
|
======================================================================
|
|
== Our Code, Our Bugs, Our Responsibility.
|
|
== The Samba Team
|
|
======================================================================
|
|
|