sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Code
f353ce5f96
samba-mirror/WHATSNEW.txt
Stefan Metzmacher 1a02c6e59c WHATSNEW: document ldaps/tls related option changes 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 24 00:59:53 UTC 2024 on atb-devel-224
2024-04-24 00:59:53 +00:00

150 lines
5.3 KiB
Plaintext
Raw Blame History

Release Announcements
=====================
This is the first pre release of Samba 4.21. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
Samba 4.21 will be the next version of the Samba suite.
UPGRADING
=========
LDAP TLS/SASL channel binding support
-------------------------------------
The ldap server supports SASL binds with
kerberos or NTLMSSP over TLS connections
now (either ldaps or starttls).
Setups where 'ldap server require strong auth = allow_sasl_over_tls'
was required before, can now most likely move to the
default of 'ldap server require strong auth = yes'.
If SASL binds without correct tls channel bindings are required
'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
should be used now, as 'allow_sasl_over_tls' will generate a
warning in every start of 'samba', as well as '[samba-tool ]testparm'.
This is similar to LdapEnforceChannelBinding under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
on Windows.
All client tools using ldaps also include the correct
channel bindings now.
NEW FEATURES/CHANGES
====================
LDB no longer a standalone tarball
----------------------------------
LDB, Samba's LDAP-like local database and the power behind the Samba
AD DC, is no longer available to build as a distinct tarball, but is
instead provided as an optional public library.
If you need ldb as a public library, say to build sssd, then use
./configure --private-libraries='!ldb'
This re-integration allows LDB tests to use the Samba's full selftest
system, including our knownfail infrastructure, and decreases the work
required during security releases as a coordinated release of the ldb
tarball is not also required.
This approach has been demonstrated already in Debian, which is already
building Samba and LDB is this way.
As part of this work, the pyldb-util public library, not known to be
used by any other software, is made private to Samba.
LDB Module API Python bindings removed
--------------------------------------
The LDB Modules API, which we do not promise a stable ABI or API for,
was wrapped in python in early LDB development. However that wrapping
never took into account later changes, and so has not worked for a
number of years. Samba 4.21 and LDB 2.10 removes this unused and
broken feature.
Using ldaps from 'winbindd' and 'net ads'
-----------------------------------------
Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
impacted LDAP connections to active directory domain controllers.
Using the STARTTLS operation on LDAP port 389 connections. Starting
with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
order let to 'ldap ssl = start tls' have any effect on those
connections.
'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
with the whole functionality in Samba 4.14.0, because it didn't support
tls channel bindings required for the sasl authentication.
The functionality is now re-added using the correct channel bindings
based on the gnutls based tls implementation we already have, instead
of using the tls layer provided by openldap. This makes it available
and consistent with all LDAP client libraries we use and implement on
our own.
The 'client ldap sasl wrapping' option gained the two new possible values:
'starttls' (using STARTTLS on tcp port 389)
and
'ldaps' (using TLS directly on tcp port 636).
If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
before, you can now use 'client ldap sasl wrapping = starttls'
in order to get STARTTLS on tcp port 389.
As we no longer use the openldap tls layer it is required to configure the
correct certificate trusts with at least one of the following options:
'tls trust system cas', 'tls ca directories' or 'tls cafile'.
While 'tls verify peer' and 'tls crlfile' are also relevant,
see 'man smb.conf' for further details.
REMOVED FEATURES
================
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
client ldap sasl wrapping new values
client use spnego principal removed
ldap server require strong auth new values
tls trust system cas new
tls ca directories new
KNOWN ISSUES
============
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
View Git Blame Copy Permalink