path: root/WHATSNEW.txt
Diffstat (limited to 'WHATSNEW.txt')
-rw-r--r--WHATSNEW.txt371
1 files changed, 371 insertions, 0 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
new file mode 100644
index 0000000..5c97836
--- /dev/null
+++ b/WHATSNEW.txt
@@ -0,0 +1,371 @@
+ ==============================
+ Release Notes for Samba 4.20.0
+ March 27, 2024
+ ==============================
+
+
+This is the first stable release of the Samba 4.20 release series.
+Please read the release notes carefully before upgrading.
+
+
+NEW FEATURES/CHANGES
+====================
+
+New Minimum MIT Krb5 version for Samba AD Domain Controller
+-----------------------------------------------------------
+
+Samba now requires MIT 1.21 when built against a system MIT Krb5 and
+acting as an Active Directory DC. This addresses the issues that were
+fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that
+Samba builds against the MIT version that allows us to avoid that
+attack.
+
+Removed dependency on Perl JSON module
+--------------------------------------
+
+Distributions are advised that the Perl JSON package is no longer
+required by Samba builds that use the imported Heimdal. The build
+instead uses Perl's JSON::PP built into recent perl5 versions.
+
+Current lists of packages required by Samba for major distributions
+are found in the bootstrap/generated-dists/ directory of a Samba
+source tree. While there will be some differences - due to features
+chosen by packagers - comparing these lists with the build dependencies
+in a package may locate other dependencies we no longer require.
+
+samba-tool user getpassword / syncpasswords ;rounds= change
+-----------------------------------------------------------
+
+The password access tool "samba-tool user getpassword" and the
+password sync tool "samba-tool user syncpasswords" allow attributes to
+be chosen for output, and accept parameters like
+pwdLastSet;format=GeneralizedTime
+
+These attributes then appear, in the same format, as the attributes in
+the LDIF output. This was not the case for the ;rounds= parameter of
+virtualCryptSHA256 and virtualCryptSHA512, for example as
+--attributes="virtualCryptSHA256;rounds=50000"
+
+This release makes the behaviour consistent between these two
+features. Installations using GPG-encrypted passwords (or plaintext
+storage) and the rounds= option, will find the output has changed
+
+from:
+virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
+
+to:
+virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
+
+Group Managed service account client-side features
+--------------------------------------------------
+
+samba-tool has been extended to provide client-side support for Group
+Managed Service accounts. These accounts have passwords that change
+automatically, giving the advantages of service isolation without risk
+of poor, unchanging passwords.
+
+Where possible, Samba's existing samba-tool password handling
+commands, which in the past have only operated against the local
+sam.ldb have been extended to permit operation against a remote server
+with authenticated access to "-H ldap://$DCNAME"
+
+Supported operations include:
+ - reading the current and previous gMSA password via
+ "samba-tool user getpassword"
+ - writing a Kerberos Ticket Granting Ticket (TGT) to a local
+ credentials cache with a new command
+ "samba-tool user get-kerberos-ticket"
+
+New Windows Search Protocol Client
+----------------------------------
+
+Samba now by default builds new experimental Windows Search Protocol (WSP)
+command line client "wspsearch"
+
+The "wspsearch" cmd-line utility allows a WSP search request to be sent
+to a server (such as a windows server) that has the (WSP)
+Windows Search Protocol service configured and enabled.
+
+For more details see the wspsearch man page.
+
+Allow 'smbcacls' to save/restore DACLs to file
+--------------------------------------------
+
+'smbcacls' has been extended to allow DACLs to be saved and restored
+to/from a file. This feature mimics the functionality that windows cmd
+line tool 'icacls.exe' provides. Additionally files created either
+by 'smbcalcs' or 'icacls.exe' are interchangeable and can be used by
+either tool as the same file format is used.
+
+New options added are:
+ - '--save savefile' Saves DACLs in sddl format to file
+ - '--recurse' Performs the '--save' operation above on directory
+ and all files/directories below.
+ - '--restore savefile' Restores the stored DACLS to files in directory
+
+Samba-tool extensions for AD Claims, Authentication Policies and Silos
+----------------------------------------------------------------------
+
+samba-tool now allows users to be associated with claims. In the
+Samba AD DC, claims derive from Active Directory attributes mapped
+into specific names. These claims can be used in rules, which are
+conditional ACEs in a security descriptor, that decide if a user is
+restricted by an authentication policy.
+
+samba-tool also allows the creation and management of authentication
+policies, which are rules about where a user may authenticate from,
+if NTLM is permitted, and what services a user may authenticate to.
+
+Finally, support is added for the creation and management of
+authentication silos, which are helpful in defining network boundaries
+by grouping users and the services they connect to.
+
+Please note: The command line syntax for these tools is not final, and
+may change before the next release, as we gain user feedback. The
+syntax will be locked in once Samba offers 2016 AD Functional Level as
+a default.
+
+AD DC support for Authentication Silos and Authentication Policies
+------------------------------------------------------------------
+
+The Samba AD DC now also honours any existing claims, authentication
+policy and authentication silo configuration previously created (eg
+from an import of a Microsoft AD), as well as new configurations
+created with samba-tool. The use of Microsoft's Powershell based
+client tools is not expected to work.
+
+To use this feature, the functional level must be set to 2012_R2 or
+later with:
+
+ ad dc functional level = 2016
+
+in the smb.conf.
+
+The smb.conf file on each DC must have 'ad dc functional level = 2016'
+set to have the partially complete feature available. This will also,
+at first startup, update the server's own AD entry with the configured
+functional level.
+
+For new domains, add these parameters to 'samba-tool provision'
+
+--option="ad dc functional level = 2016" --function-level=2016
+
+The second option, setting the overall domain functional level
+indicates that all DCs should be at this functional level.
+
+To raise the domain functional level of an existing domain, after
+updating the smb.conf and restarting Samba run
+samba-tool domain schemaupgrade --schema=2019
+samba-tool domain functionalprep --function-level=2016
+samba-tool domain level raise --domain-level=2016 --forest-level=2016
+
+This support is still new, so is not enabled by default in this
+release. The above instructions are set at 2016, which while not
+complete, matches what our testing environment validates.
+
+Conditional ACEs and Resource Attribute ACEs
+--------------------------------------------
+
+Ordinary Access Control Entries (ACEs) unconditionally allow or deny
+access to a given user or group. Conditional ACEs have an additional
+section that describes conditions under which the ACE applies. If the
+conditional expression is true, the ACE works like an ordinary ACE,
+otherwise it is ignored. The condition terms can refer to claims,
+group memberships, and attributes on the object itself. These
+attributes are described in Resource Attribute ACEs that occur in the
+object's System Access Control List (SACL). Conditional ACEs are
+described in Microsoft documentation.
+
+Conditional ACE evaluation is controlled by the "acl claims
+evaluation" smb.conf option. The default value is "AD DC only" which
+enables them in AD DC settings. The other option is "never", which
+disables them altogether. There is currently no option to enable them
+on the file server (this is likely to change in future releases).
+
+The Security Descriptor Definition Language has extensions for
+conditional ACEs and resource attribute ACEs; these are now supported
+by Samba.
+
+Service Witness Protocol [MS-SWN]
+---------------------------------
+
+In a ctdb cluster it is now possible to provide
+the SMB witness service that allows clients to
+monitor their current smb connection to cluster
+node A by asking cluster node B to notify the
+client if the ip address from node A or the
+whole node A becomes unavailable.
+
+For disk shares in a ctdb cluster
+SMB2_SHARE_CAP_SCALEOUT is now always returned
+for SMB3 tree connect responses.
+
+If the witness service is active
+SMB2_SHARE_CAP_CLUSTER is now also returned.
+
+In order to activate the witness service
+"rpc start on demand helpers = no" needs to
+be configured in the global section.
+At the same time the 'samba-dcerpcd' service
+needs to be started explicitly, typically
+with the '--libexec-rpcds' option in order
+to make all available services usable.
+One important aspect is that tcp ports
+135 (for the endpoint mapper) and various
+ports in the 'rpc server dynamic port range'
+will be used to provide the witness service
+(rpcd_witness).
+
+ctdb provides a '47.samba-dcerpcd.script' in order
+to manage the samba-dcerpcd.service.
+Typically as systemd service, but that's up
+to the packager and/or admin.
+
+Please note that current windows client
+requires SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY
+in addition to SMB2_SHARE_CAP_CLUSTER in order
+to make use of the witness service.
+But SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY implies
+the windows clients always ask for persistent handle
+(which are not implemented in samba yet), so
+that every open generates a warning in the
+windows smb client event log.
+That's why SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY
+is not returned by default.
+An explicit 'smb3 share cap:CONTINUOUS AVAILABILITY = yes'
+is needed.
+
+There are also new 'net witness' commands in order
+to let the admin list active client registrations
+or ask specific clients to move their smb connection
+to another cluster node. These are available:
+
+ net witness list
+ net witness client-move
+ net witness share-move
+ net witness force-unregister
+ net witness force-response
+
+Consult 'man net' or 'net witness help' for further details.
+
+
+REMOVED FEATURES
+================
+
+Get locally logged on users from utmp
+-------------------------------------
+
+The Workstation Service Remote Protocol [MS-WKST] calls NetWkstaGetInfo
+level 102 and NetWkstaEnumUsers level 0 and 1 return the list of locally
+logged on users. Samba was getting the list from utmp, which is not
+Y2038 safe. This feature has been completely removed and Samba will
+always return an empty list.
+
+
+smb.conf changes
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ acl claims evaluation new AD DC only
+ smb3 unix extensions Per share -
+ smb3 share cap:ASYMMETRIC new no
+ smb3 share cap:CLUSTER new see 'man smb.conf'
+ smb3 share cap:CONTINUOUS AVAILABILITY new no
+ smb3 share cap:SCALE OUT new see 'man smb.conf'
+
+
+Changes since 4.20.0rc4
+=======================
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 15606: Avoid null-dereference with bad claims.
+ * BUG 15613: ndr_pull_security_ace can leave resource attribute ACE coda
+ claim struct undefined.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
+ vfs_stat_fsp() fails in fd_close().
+
+o Björn Jacke <bjacke@samba.org>
+ * BUG 15583: set_nt_acl sometimes fails with NT_STATUS_INVALID_PARAMETER -
+ openat() EACCES.
+
+o Noel Power <noel.power@suse.com>
+ * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
+ vfs_stat_fsp() fails in fd_close().
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15599: libgpo: Segfault in python bindings.
+
+o Jo Sutton <josutton@catalyst.net.nz>
+ * BUG 15607: Samba AD is missing some authentication policy tests.
+
+
+CHANGES SINCE 4.20.0rc3
+=======================
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15588: samba-gpupdate: Correctly implement site support.
+
+
+CHANGES SINCE 4.20.0rc2
+=======================
+
+o Rob van der Linde <rob@catalyst.net.nz>
+ * BUG 15575: Remove unsupported "Final" keyword missing from Python 3.6.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15577: Additional witness backports for 4.20.0.
+
+o Noel Power <noel.power@suse.com>
+ * BUG 15579: Error output with wspsearch.
+
+o Martin Schwenke <mschwenke@ddn.com>
+ * BUG 15580: Packet marshalling push support missing for
+ CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
+ CTDB_CONTROL_TCP_CLIENT_PASSED.
+
+o Jo Sutton <josutton@catalyst.net.nz>
+ * BUG 15575: Remove unsupported "Final" keyword missing from Python 3.6.
+
+
+CHANGES SINCE 4.20.0rc1
+=======================
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 15574: Performance regression for NDR parsing of security descriptors.
+
+o Anoop C S <anoopcs@samba.org>
+ * BUG 15565: Build and install man page for wspsearch client utility.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15558: samba-gpupdate logging doesn't work.
+
+
+KNOWN ISSUES
+============
+
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.20#Release_blocking_bugs
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
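Review bot: the "Allow 'smbcacls' to save/restore DACLs to file" section misspells the tool name in "by 'smbcalcs' or 'icacls.exe' are interchangeable"; it should read 'smbcacls' to match the heading and the rest of the section. In the "AD DC support for Authentication Silos and Authentication Policies" section the text says "the functional level must be set to 2012_R2 or later with:" but the example and the following paragraph both use "ad dc functional level = 2016", and the two paragraphs starting "To use this feature" and "The smb.conf file on each DC must have" say the same thing twice; state the minimum level once and keep a single example so admins know whether 2012_R2 is actually accepted. In the "smb.conf changes" table the row "smb3 unix extensions Per share -" uses "Per share" where every other row uses "new" in the Description column; it should say whether the parameter is new or whether only its scope changed, and give its default rather than "-". Minor: "eg" in "(eg from an import of a Microsoft AD)" should be "e.g.", and "builds new experimental Windows Search Protocol (WSP) command line client" is missing the article "a".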