mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
31637d4037
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> Autobuild-Date(master): Thu Dec 21 03:04:12 UTC 2023 on atb-devel-224
131 lines
4.7 KiB
Plaintext
131 lines
4.7 KiB
Plaintext
Release Announcements
|
|
=====================
|
|
|
|
This is the first pre release of Samba 4.20. This is *not*
|
|
intended for production environments and is designed for testing
|
|
purposes only. Please report any defects via the Samba bug reporting
|
|
system at https://bugzilla.samba.org/.
|
|
|
|
Samba 4.20 will be the next version of the Samba suite.
|
|
|
|
|
|
UPGRADING
|
|
=========
|
|
|
|
|
|
NEW FEATURES/CHANGES
|
|
====================
|
|
|
|
New Minimum MIT Krb5 version for Samba AD Domain Controller
|
|
-----------------------------------------------------------
|
|
|
|
Samba now requires MIT 1.21 when built against a system MIT Krb5 and
|
|
acting as an Active Directory DC. This addresses the issues that were
|
|
fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that
|
|
Samba builds against the MIT version that allows us to avoid that
|
|
attack.
|
|
|
|
Removed dependency on Perl JSON module
|
|
--------------------------------------
|
|
|
|
Distributions are advised that the Perl JSON package is no longer
|
|
required by Samba builds that use the imported Heimdal. The build
|
|
instead uses Perl's JSON::PP built into recent perl5 versions.
|
|
|
|
Current lists of packages required by Samba for major distributions
|
|
are found in the bootstrap/generated-dists/ directory of a Samba
|
|
source tree. While there will be some differences - due to features
|
|
chosen by packagers - comparing these lists with the build dependencies
|
|
in a package may locate other dependencies we no longer require.
|
|
|
|
samba-tool user getpassword / syncpasswords ;rounds= change
|
|
-----------------------------------------------------------
|
|
|
|
The password access tool "samba-tool user getpassword" and the
|
|
password sync tool "samba-tool user syncpasswords" allow attributes to
|
|
be chosen for output, and accept parameters like
|
|
pwdLastSet;format=GeneralizedTime
|
|
|
|
These attributes then appear, in the same format, as the attributes in
|
|
the LDIF output. This was not the case for the ;rounds= parameter of
|
|
virtualCryptSHA256 and virtualCryptSHA512, for example as
|
|
--attributes="virtualCryptSHA256;rounds=50000"
|
|
|
|
This release makes the behaviour consistent between these two
|
|
features. Installations using GPG-encrypted passwords (or plaintext
|
|
storage) and the rounds= option, will find the output has changed
|
|
|
|
from:
|
|
virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
|
|
|
|
to:
|
|
virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
|
|
|
|
Group Managed service account client-side features
|
|
--------------------------------------------------
|
|
|
|
samba-tool has been extended to provide client-side support for Group
|
|
Managed Service accounts. These accounts have passwords that change
|
|
automatically, giving the advantages of service isolation without risk
|
|
of poor, unchanging passwords.
|
|
|
|
Where possible, Samba's existing samba-tool password handling
|
|
commands, which in the past have only operated against the local
|
|
sam.ldb have been extended to permit operation against a remote server
|
|
with authenticated access to "-H ldap://$DCNAME"
|
|
|
|
Supported operations include:
|
|
- reading the current and previous gMSA password via
|
|
"samba-tool user getpassword"
|
|
- writing a Kerberos Ticket Granting Ticket (TGT) to a local
|
|
credentials cache with a new command
|
|
"samba-tool user get-kerberos-ticket"
|
|
|
|
REMOVED FEATURES
|
|
================
|
|
|
|
Get locally logged on users from utmp
|
|
-------------------------------------
|
|
|
|
The Workstation Service Remote Protocol [MS-WKST] calls NetWkstaGetInfo
|
|
level 102 and NetWkstaEnumUsers level 0 and 1 return the list of locally
|
|
logged on users. Samba was getting the list from utmp, which is not
|
|
Y2038 safe. This feature has been completely removed and Samba will
|
|
always return an empty list.
|
|
|
|
|
|
smb.conf changes
|
|
================
|
|
|
|
Parameter Name Description Default
|
|
-------------- ----------- -------
|
|
smb3 unix extensions Per share -
|
|
|
|
|
|
KNOWN ISSUES
|
|
============
|
|
|
|
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.20#Release_blocking_bugs
|
|
|
|
|
|
#######################################
|
|
Reporting bugs & Development Discussion
|
|
#######################################
|
|
|
|
Please discuss this release on the samba-technical mailing list or by
|
|
joining the #samba-technical:matrix.org matrix room, or
|
|
#samba-technical IRC channel on irc.libera.chat
|
|
|
|
If you do report problems then please try to send high quality
|
|
feedback. If you don't provide vital information to help us track down
|
|
the problem then you will probably be ignored. All bug reports should
|
|
be filed under the Samba 4.1 and newer product in the project's Bugzilla
|
|
database (https://bugzilla.samba.org/).
|
|
|
|
|
|
======================================================================
|
|
== Our Code, Our Bugs, Our Responsibility.
|
|
== The Samba Team
|
|
======================================================================
|
|
|