mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
f3528808ab
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
209 lines
7.8 KiB
Plaintext
209 lines
7.8 KiB
Plaintext
Release Announcements
|
|
=====================
|
|
|
|
This is the first pre release of Samba 4.21. This is *not*
|
|
intended for production environments and is designed for testing
|
|
purposes only. Please report any defects via the Samba bug reporting
|
|
system at https://bugzilla.samba.org/.
|
|
|
|
Samba 4.21 will be the next version of the Samba suite.
|
|
|
|
|
|
UPGRADING
|
|
=========
|
|
|
|
LDAP TLS/SASL channel binding support
|
|
-------------------------------------
|
|
|
|
The ldap server supports SASL binds with
|
|
kerberos or NTLMSSP over TLS connections
|
|
now (either ldaps or starttls).
|
|
|
|
Setups where 'ldap server require strong auth = allow_sasl_over_tls'
|
|
was required before, can now most likely move to the
|
|
default of 'ldap server require strong auth = yes'.
|
|
|
|
If SASL binds without correct tls channel bindings are required
|
|
'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
|
|
should be used now, as 'allow_sasl_over_tls' will generate a
|
|
warning in every start of 'samba', as well as '[samba-tool ]testparm'.
|
|
|
|
This is similar to LdapEnforceChannelBinding under
|
|
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
|
|
on Windows.
|
|
|
|
All client tools using ldaps also include the correct
|
|
channel bindings now.
|
|
|
|
|
|
NEW FEATURES/CHANGES
|
|
====================
|
|
|
|
LDB no longer a standalone tarball
|
|
----------------------------------
|
|
|
|
LDB, Samba's LDAP-like local database and the power behind the Samba
|
|
AD DC, is no longer available to build as a distinct tarball, but is
|
|
instead provided as an optional public library.
|
|
|
|
If you need ldb as a public library, say to build sssd, then use
|
|
./configure --private-libraries='!ldb'
|
|
|
|
This re-integration allows LDB tests to use the Samba's full selftest
|
|
system, including our knownfail infrastructure, and decreases the work
|
|
required during security releases as a coordinated release of the ldb
|
|
tarball is not also required.
|
|
|
|
This approach has been demonstrated already in Debian, which is already
|
|
building Samba and LDB is this way.
|
|
|
|
As part of this work, the pyldb-util public library, not known to be
|
|
used by any other software, is made private to Samba.
|
|
|
|
LDB Module API Python bindings removed
|
|
--------------------------------------
|
|
|
|
The LDB Modules API, which we do not promise a stable ABI or API for,
|
|
was wrapped in python in early LDB development. However that wrapping
|
|
never took into account later changes, and so has not worked for a
|
|
number of years. Samba 4.21 and LDB 2.10 removes this unused and
|
|
broken feature.
|
|
|
|
Some Samba public libraries made private by default
|
|
---------------------------------------------------
|
|
|
|
The following Samba C libraries are currently made public due to their
|
|
use by OpenChange or for historical reasons that are no longer clear.
|
|
|
|
dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig,
|
|
samba-credentials, dcerpc_server, samdb
|
|
|
|
The libraries used by the OpenChange client now private, but can be
|
|
made public (like ldb above) with:
|
|
|
|
./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb'
|
|
|
|
The C libraries without any known user or used only for the OpenChange
|
|
server (a dead project) may be made private entirely in a future Samba
|
|
version.
|
|
|
|
If you use a Samba library in this list, please be in touch with the
|
|
samba-technical mailing list.
|
|
|
|
Using ldaps from 'winbindd' and 'net ads'
|
|
-----------------------------------------
|
|
|
|
Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
|
|
impacted LDAP connections to active directory domain controllers.
|
|
Using the STARTTLS operation on LDAP port 389 connections. Starting
|
|
with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
|
|
order let to 'ldap ssl = start tls' have any effect on those
|
|
connections.
|
|
|
|
'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
|
|
with the whole functionality in Samba 4.14.0, because it didn't support
|
|
tls channel bindings required for the sasl authentication.
|
|
|
|
The functionality is now re-added using the correct channel bindings
|
|
based on the gnutls based tls implementation we already have, instead
|
|
of using the tls layer provided by openldap. This makes it available
|
|
and consistent with all LDAP client libraries we use and implement on
|
|
our own.
|
|
|
|
The 'client ldap sasl wrapping' option gained the two new possible values:
|
|
'starttls' (using STARTTLS on tcp port 389)
|
|
and
|
|
'ldaps' (using TLS directly on tcp port 636).
|
|
|
|
If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
|
|
before, you can now use 'client ldap sasl wrapping = starttls'
|
|
in order to get STARTTLS on tcp port 389.
|
|
|
|
As we no longer use the openldap tls layer it is required to configure the
|
|
correct certificate trusts with at least one of the following options:
|
|
'tls trust system cas', 'tls ca directories' or 'tls cafile'.
|
|
While 'tls verify peer' and 'tls crlfile' are also relevant,
|
|
see 'man smb.conf' for further details.
|
|
|
|
New DNS hostname config option
|
|
------------------------------
|
|
|
|
To get `net ads dns register` working correctly running manually or during a
|
|
domain join a special entry in /etc/hosts was required. This not really
|
|
documented and thus the DNS registration mostly didn't work. With the new option
|
|
the default is [netbios name].[realm] which should be correct in the majority of
|
|
use cases.
|
|
|
|
We will also use the value to create service principal names during a Kerberos
|
|
authentication and DNS functions.
|
|
|
|
This is not supported in samba-tool yet.
|
|
|
|
Samba AD will rotate expired passwords on smartcard-required accounts
|
|
---------------------------------------------------------------------
|
|
|
|
Traditionally in AD, accounts set to be "smart card require for logon"
|
|
will have a password for NTLM fallback and local profile encryption
|
|
(Windows DPAPI). This password previously would not expire.
|
|
|
|
Matching Windows behaviour, when the DC in a FL 2016 domain and the
|
|
msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute on the domain
|
|
root is set to TRUE, Samba will now expire these passwords and rotate
|
|
them shortly before they expire.
|
|
|
|
Note that the password expiry time must be set to twice the TGT lifetime for
|
|
smooth operation, e.g. daily expiry given a default 10 hour TGT
|
|
lifetime, as the password is only rotated in the second half of its
|
|
life. Again, this matches the Windows behaviour.
|
|
|
|
Provided the default 2016 schema is used, new Samba domains
|
|
provisioned with Samba 4.21 will have this enabled once the domain
|
|
functional level is set to 2016.
|
|
|
|
NOTE: Domains upgraded from older Samba versions will not have this
|
|
set, even after the functional level preparation, matching the
|
|
behaviour of upgraded Windows AD domains.
|
|
|
|
REMOVED FEATURES
|
|
================
|
|
|
|
|
|
smb.conf changes
|
|
================
|
|
|
|
Parameter Name Description Default
|
|
-------------- ----------- -------
|
|
client ldap sasl wrapping new values
|
|
client use spnego principal removed
|
|
ldap server require strong auth new values
|
|
tls trust system cas new
|
|
tls ca directories new
|
|
dns hostname client dns name [netbios name].[realm]
|
|
|
|
|
|
KNOWN ISSUES
|
|
============
|
|
|
|
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs
|
|
|
|
|
|
#######################################
|
|
Reporting bugs & Development Discussion
|
|
#######################################
|
|
|
|
Please discuss this release on the samba-technical mailing list or by
|
|
joining the #samba-technical:matrix.org matrix room, or
|
|
#samba-technical IRC channel on irc.libera.chat
|
|
|
|
If you do report problems then please try to send high quality
|
|
feedback. If you don't provide vital information to help us track down
|
|
the problem then you will probably be ignored. All bug reports should
|
|
be filed under the Samba 4.1 and newer product in the project's Bugzilla
|
|
database (https://bugzilla.samba.org/).
|
|
|
|
|
|
======================================================================
|
|
== Our Code, Our Bugs, Our Responsibility.
|
|
== The Samba Team
|
|
======================================================================
|