mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
5e473cba0d
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
254 lines
9.6 KiB
Plaintext
254 lines
9.6 KiB
Plaintext
Release Announcements
|
|
=====================
|
|
|
|
This is the first pre release of Samba 4.19. This is *not*
|
|
intended for production environments and is designed for testing
|
|
purposes only. Please report any defects via the Samba bug reporting
|
|
system at https://bugzilla.samba.org/.
|
|
|
|
Samba 4.19 will be the next version of the Samba suite.
|
|
|
|
|
|
UPGRADING
|
|
=========
|
|
|
|
|
|
NEW FEATURES/CHANGES
|
|
====================
|
|
|
|
Migrated smbget to use common command line parser
|
|
-------------------------------------------------
|
|
|
|
The smbget utility implemented its own command line parsing logic. After
|
|
discovering an issue we decided to migrate it to use the common command line
|
|
parser. This has some advantages as you get all the feature it provides like
|
|
Kerberos authentication. The downside is that breaks the options interface.
|
|
The support for smbgetrc has been removed. You can use an authentication file
|
|
if needed, this is documented in the manpage.
|
|
|
|
Please check the smbget manpage or --help output.
|
|
|
|
gpupdate changes
|
|
----------------
|
|
|
|
The libgpo.get_gpo_list function has been deprecated in favor of
|
|
an implementation written in python. The new function can be imported via
|
|
`import samba.gp`. The python implementation connects to Active Directory
|
|
using the SamDB module, instead of ADS (which is what libgpo uses).
|
|
|
|
Improved winbind logging and a new tool for parsing the winbind logs
|
|
--------------------------------------------------------------------
|
|
|
|
Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain new
|
|
trace header fields 'traceid' and 'depth'. Field 'traceid' allows to track the
|
|
trace records belonging to the same request. Field 'depth' allows to track the
|
|
request nesting level. A new tool samba-log-parser is added for better log
|
|
parsing.
|
|
|
|
AD database prepared to FL 2016 standards for new domains
|
|
---------------------------------------------------------
|
|
|
|
While Samba still provides only Functional Level 2008R2 by default,
|
|
Samba as an AD DC will now, in provision ensure that the blank
|
|
database is already prepared for Functional Level 2016, with AD Schema
|
|
2019.
|
|
|
|
This preparation is of the default objects in the database, adding
|
|
containers for Authentication Policies, Authentication Silos and AD
|
|
claims in particular. These DB objects must be updated to allow
|
|
operation of the new features found in higher functional levels.
|
|
|
|
Kerberos Claims, Authentication Silos and NTLM authentication policies
|
|
----------------------------------------------------------------------
|
|
|
|
An initial, partial implementation of Active Directory Functional
|
|
Level 2012, 2012R2 and 2016 is available in this release.
|
|
|
|
In particular Samba will issue Active Directory "Claims" in the PAC,
|
|
for member servers that support these, and honour in-directory
|
|
configuration for Authentication Policies and Authentication Silos.
|
|
|
|
The primary limitation is that while Samba can read and write claims
|
|
in the directory, and populate the PAC, Samba does not yet use them
|
|
for access control decisions.
|
|
|
|
While we continue to develop these features, existing domains can
|
|
test the feature by selecting the functional level in provision or
|
|
raising the DC functional level by setting
|
|
|
|
ad dc functional level = 2016
|
|
|
|
in the smb.conf
|
|
|
|
The smb.conf file on each DC must have 'ad dc functional level = 2016'
|
|
set to have the partially complete feature available. This will also,
|
|
at first startup, update the server's own AD entry with the configured
|
|
functional level.
|
|
|
|
For new domains, add these parameters to 'samba-tool provision'
|
|
|
|
--option="ad dc functional level = 2016" --function-level=2016
|
|
|
|
The second option, setting the overall domain functional level
|
|
indicates that all DCs should be at this functional level.
|
|
|
|
To raise the domain functional level of an existing domain, after
|
|
updating the smb.conf and restarting Samba run
|
|
samba-tool domain schemaupgrade --schema=2019
|
|
samba-tool domain functionalprep --function-level=2016
|
|
samba-tool domain level raise --domain-level=2016 --forest-level=2016
|
|
|
|
Improved KDC Auditing
|
|
---------------------
|
|
|
|
As part of the auditing required to allow successful deployment of
|
|
Authentication Policies and Authentication Silos, our KDC now provides
|
|
Samba-style JSON audit logging of all issued Kerberos tickets,
|
|
including if they would fail a policy that is not yet enforced.
|
|
Additionally most failures are audited, (after the initial
|
|
pre-validation of the request).
|
|
|
|
Kerberos Armoring (FAST) Support for Windows clients
|
|
----------------------------------------------------
|
|
|
|
In domains where the domain controller functional level is set, as
|
|
above, to 2012, 2012_R2 or 2016, Windows clients will, if configured
|
|
via GPO, use FAST to protect user passwords between (in particular) a
|
|
workstation and the KDC on the AD DC. This is a significant security
|
|
improvement, as weak passwords in an AS-REQ are no longer available
|
|
for offline attack.
|
|
|
|
Claims compression in the AD PAC
|
|
--------------------------------
|
|
|
|
Samba as an AD DC will compress "AD claims" using the same compression
|
|
algorithm as Microsoft Windows.
|
|
|
|
Resource SID compression in the AD PAC
|
|
--------------------------------------
|
|
|
|
Samba as an AD DC will now correctly populate the various PAC group
|
|
membership buffers, splitting global and local groups correctly.
|
|
|
|
Additionally, Samba marshals Resource SIDs, being local groups in the
|
|
member server's own domain, to only consume a header and 4 bytes per
|
|
group in the PAC, not a full-length SID worth of space each. This is
|
|
known as "Resource SID compression".
|
|
|
|
New samba-tool support for silos, claims, sites and subnets.
|
|
------------------------------------------------------------
|
|
|
|
samba-tool can now list, show, add and manipulate Authentication Silos
|
|
(silos) and Active Directory Authentication Claims (claims).
|
|
|
|
samba-tool can now list and show Active Directory sites and subnets.
|
|
|
|
A new Object Relational Model (ORM) based architecture, similar to
|
|
that used with Django, has been built to make adding new samba-tool
|
|
subcommands simpler and more consistent, with JSON output available
|
|
standard on these new commands.
|
|
|
|
Updated GnuTLS requirement / in-tree cryptography removal
|
|
----------------------------------------------------------
|
|
|
|
Samba requires GnuTLS 3.6.13 and prefers GnuTLS 3.6.14 or later.
|
|
|
|
This has allowed Samba to remove all of our in-tree cryptography,
|
|
except that found in our Heimdal import. Samba's runtime cryptography
|
|
needs are now all provided by GnuTLS.
|
|
|
|
(The GnuTLS vesion requirement is raised to 3.7.2 on systems without
|
|
the Linux getrandom())
|
|
|
|
We also use Python's cryptography module for our testing.
|
|
|
|
The use of well known cryptography libraries makes Samba easier for
|
|
end-users to validate and deploy, and for distributors to ship. This
|
|
is the end of a very long journey for Samba.
|
|
|
|
Updated Heimdal import
|
|
----------------------
|
|
|
|
Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to
|
|
the current pre-8.0 (master) tree from upstream Heimdal, ensuring that
|
|
this vendored copy, included in our release remains as close as
|
|
possible to the current upstream code.
|
|
|
|
Revocation support in Heimdal KDC for PKINIT certificates
|
|
---------------------------------------------------------
|
|
|
|
Samba will now correctly honour the revocation of 'smart card'
|
|
certificates used for PKINIT Kerberos authentication.
|
|
|
|
This list is reloaded each time the file changes, so no further action
|
|
other than replacing the file is required. The additional krb5.conf
|
|
option is:
|
|
|
|
[kdc]
|
|
pkinit_revoke = FILE:/path/to/crl.pem
|
|
|
|
Information on the "Smart Card login" feature as a whole is at:
|
|
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
|
|
|
|
Protocol level testsuite for (Smart Card Logon) PKINIT
|
|
------------------------------------------------------
|
|
|
|
Previously Samba's PKINIT support in the KDC was tested by use of
|
|
shell scripts around the client tools of MIT or Heimdal Kerberos.
|
|
Samba's independently written python testsuite has been extended to
|
|
validate KDC behaviour for PKINIT.
|
|
|
|
Require encrypted connection to modify unicodePwd on the AD DC
|
|
--------------------------------------------------------------
|
|
|
|
Setting the password on an AD account on should never be attempted
|
|
over a plaintext or signed-only LDAP connection. If the unicodePwd
|
|
(or userPassword) attribute is modified without encryption (as seen by
|
|
Samba), the request will be rejected. This is to encourage the
|
|
administrator to use an encrypted connection in the future.
|
|
|
|
NOTE WELL: If Samba is accessed via a TLS frontend or load balancer,
|
|
the LDAP request will be regarded as plaintext.
|
|
|
|
|
|
================
|
|
REMOVED FEATURES
|
|
================
|
|
|
|
|
|
smb.conf changes
|
|
================
|
|
|
|
Parameter Name Description Default
|
|
-------------- ----------- -------
|
|
winbind debug traceid Add traceid No
|
|
directory name cache size Removed
|
|
|
|
|
|
KNOWN ISSUES
|
|
============
|
|
|
|
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.19#Release_blocking_bugs
|
|
|
|
|
|
#######################################
|
|
Reporting bugs & Development Discussion
|
|
#######################################
|
|
|
|
Please discuss this release on the samba-technical mailing list or by
|
|
joining the #samba-technical:matrix.org matrix room, or
|
|
#samba-technical IRC channel on irc.libera.chat
|
|
|
|
If you do report problems then please try to send high quality
|
|
feedback. If you don't provide vital information to help us track down
|
|
the problem then you will probably be ignored. All bug reports should
|
|
be filed under the Samba 4.1 and newer product in the project's Bugzilla
|
|
database (https://bugzilla.samba.org/).
|
|
|
|
|
|
======================================================================
|
|
== Our Code, Our Bugs, Our Responsibility.
|
|
== The Samba Team
|
|
======================================================================
|
|
|