From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. Signed-off-by: Daniel Baumann --- WHATSNEW.txt | 371 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 371 insertions(+) create mode 100644 WHATSNEW.txt (limited to 'WHATSNEW.txt') diff --git a/WHATSNEW.txt b/WHATSNEW.txt new file mode 100644 index 0000000..5c97836 --- /dev/null +++ b/WHATSNEW.txt @@ -0,0 +1,371 @@ + ============================== + Release Notes for Samba 4.20.0 + March 27, 2024 + ============================== + + +This is the first stable release of the Samba 4.20 release series. +Please read the release notes carefully before upgrading. + + +NEW FEATURES/CHANGES +==================== + +New Minimum MIT Krb5 version for Samba AD Domain Controller +----------------------------------------------------------- + +Samba now requires MIT 1.21 when built against a system MIT Krb5 and +acting as an Active Directory DC. This addresses the issues that were +fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that +Samba builds against the MIT version that allows us to avoid that +attack. + +Removed dependency on Perl JSON module +-------------------------------------- + +Distributions are advised that the Perl JSON package is no longer +required by Samba builds that use the imported Heimdal. The build +instead uses Perl's JSON::PP built into recent perl5 versions. + +Current lists of packages required by Samba for major distributions +are found in the bootstrap/generated-dists/ directory of a Samba +source tree. While there will be some differences - due to features +chosen by packagers - comparing these lists with the build dependencies +in a package may locate other dependencies we no longer require. + +samba-tool user getpassword / syncpasswords ;rounds= change +----------------------------------------------------------- + +The password access tool "samba-tool user getpassword" and the +password sync tool "samba-tool user syncpasswords" allow attributes to +be chosen for output, and accept parameters like +pwdLastSet;format=GeneralizedTime + +These attributes then appear, in the same format, as the attributes in +the LDIF output. This was not the case for the ;rounds= parameter of +virtualCryptSHA256 and virtualCryptSHA512, for example as +--attributes="virtualCryptSHA256;rounds=50000" + +This release makes the behaviour consistent between these two +features. Installations using GPG-encrypted passwords (or plaintext +storage) and the rounds= option, will find the output has changed + +from: +virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF + +to: +virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF + +Group Managed service account client-side features +-------------------------------------------------- + +samba-tool has been extended to provide client-side support for Group +Managed Service accounts. These accounts have passwords that change +automatically, giving the advantages of service isolation without risk +of poor, unchanging passwords. + +Where possible, Samba's existing samba-tool password handling +commands, which in the past have only operated against the local +sam.ldb have been extended to permit operation against a remote server +with authenticated access to "-H ldap://$DCNAME" + +Supported operations include: + - reading the current and previous gMSA password via + "samba-tool user getpassword" + - writing a Kerberos Ticket Granting Ticket (TGT) to a local + credentials cache with a new command + "samba-tool user get-kerberos-ticket" + +New Windows Search Protocol Client +---------------------------------- + +Samba now by default builds new experimental Windows Search Protocol (WSP) +command line client "wspsearch" + +The "wspsearch" cmd-line utility allows a WSP search request to be sent +to a server (such as a windows server) that has the (WSP) +Windows Search Protocol service configured and enabled. + +For more details see the wspsearch man page. + +Allow 'smbcacls' to save/restore DACLs to file +-------------------------------------------- + +'smbcacls' has been extended to allow DACLs to be saved and restored +to/from a file. This feature mimics the functionality that windows cmd +line tool 'icacls.exe' provides. Additionally files created either +by 'smbcalcs' or 'icacls.exe' are interchangeable and can be used by +either tool as the same file format is used. + +New options added are: + - '--save savefile' Saves DACLs in sddl format to file + - '--recurse' Performs the '--save' operation above on directory + and all files/directories below. + - '--restore savefile' Restores the stored DACLS to files in directory + +Samba-tool extensions for AD Claims, Authentication Policies and Silos +---------------------------------------------------------------------- + +samba-tool now allows users to be associated with claims. In the +Samba AD DC, claims derive from Active Directory attributes mapped +into specific names. These claims can be used in rules, which are +conditional ACEs in a security descriptor, that decide if a user is +restricted by an authentication policy. + +samba-tool also allows the creation and management of authentication +policies, which are rules about where a user may authenticate from, +if NTLM is permitted, and what services a user may authenticate to. + +Finally, support is added for the creation and management of +authentication silos, which are helpful in defining network boundaries +by grouping users and the services they connect to. + +Please note: The command line syntax for these tools is not final, and +may change before the next release, as we gain user feedback. The +syntax will be locked in once Samba offers 2016 AD Functional Level as +a default. + +AD DC support for Authentication Silos and Authentication Policies +------------------------------------------------------------------ + +The Samba AD DC now also honours any existing claims, authentication +policy and authentication silo configuration previously created (eg +from an import of a Microsoft AD), as well as new configurations +created with samba-tool. The use of Microsoft's Powershell based +client tools is not expected to work. + +To use this feature, the functional level must be set to 2012_R2 or +later with: + + ad dc functional level = 2016 + +in the smb.conf. + +The smb.conf file on each DC must have 'ad dc functional level = 2016' +set to have the partially complete feature available. This will also, +at first startup, update the server's own AD entry with the configured +functional level. + +For new domains, add these parameters to 'samba-tool provision' + +--option="ad dc functional level = 2016" --function-level=2016 + +The second option, setting the overall domain functional level +indicates that all DCs should be at this functional level. + +To raise the domain functional level of an existing domain, after +updating the smb.conf and restarting Samba run +samba-tool domain schemaupgrade --schema=2019 +samba-tool domain functionalprep --function-level=2016 +samba-tool domain level raise --domain-level=2016 --forest-level=2016 + +This support is still new, so is not enabled by default in this +release. The above instructions are set at 2016, which while not +complete, matches what our testing environment validates. + +Conditional ACEs and Resource Attribute ACEs +-------------------------------------------- + +Ordinary Access Control Entries (ACEs) unconditionally allow or deny +access to a given user or group. Conditional ACEs have an additional +section that describes conditions under which the ACE applies. If the +conditional expression is true, the ACE works like an ordinary ACE, +otherwise it is ignored. The condition terms can refer to claims, +group memberships, and attributes on the object itself. These +attributes are described in Resource Attribute ACEs that occur in the +object's System Access Control List (SACL). Conditional ACEs are +described in Microsoft documentation. + +Conditional ACE evaluation is controlled by the "acl claims +evaluation" smb.conf option. The default value is "AD DC only" which +enables them in AD DC settings. The other option is "never", which +disables them altogether. There is currently no option to enable them +on the file server (this is likely to change in future releases). + +The Security Descriptor Definition Language has extensions for +conditional ACEs and resource attribute ACEs; these are now supported +by Samba. + +Service Witness Protocol [MS-SWN] +--------------------------------- + +In a ctdb cluster it is now possible to provide +the SMB witness service that allows clients to +monitor their current smb connection to cluster +node A by asking cluster node B to notify the +client if the ip address from node A or the +whole node A becomes unavailable. + +For disk shares in a ctdb cluster +SMB2_SHARE_CAP_SCALEOUT is now always returned +for SMB3 tree connect responses. + +If the witness service is active +SMB2_SHARE_CAP_CLUSTER is now also returned. + +In order to activate the witness service +"rpc start on demand helpers = no" needs to +be configured in the global section. +At the same time the 'samba-dcerpcd' service +needs to be started explicitly, typically +with the '--libexec-rpcds' option in order +to make all available services usable. +One important aspect is that tcp ports +135 (for the endpoint mapper) and various +ports in the 'rpc server dynamic port range' +will be used to provide the witness service +(rpcd_witness). + +ctdb provides a '47.samba-dcerpcd.script' in order +to manage the samba-dcerpcd.service. +Typically as systemd service, but that's up +to the packager and/or admin. + +Please note that current windows client +requires SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY +in addition to SMB2_SHARE_CAP_CLUSTER in order +to make use of the witness service. +But SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY implies +the windows clients always ask for persistent handle +(which are not implemented in samba yet), so +that every open generates a warning in the +windows smb client event log. +That's why SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY +is not returned by default. +An explicit 'smb3 share cap:CONTINUOUS AVAILABILITY = yes' +is needed. + +There are also new 'net witness' commands in order +to let the admin list active client registrations +or ask specific clients to move their smb connection +to another cluster node. These are available: + + net witness list + net witness client-move + net witness share-move + net witness force-unregister + net witness force-response + +Consult 'man net' or 'net witness help' for further details. + + +REMOVED FEATURES +================ + +Get locally logged on users from utmp +------------------------------------- + +The Workstation Service Remote Protocol [MS-WKST] calls NetWkstaGetInfo +level 102 and NetWkstaEnumUsers level 0 and 1 return the list of locally +logged on users. Samba was getting the list from utmp, which is not +Y2038 safe. This feature has been completely removed and Samba will +always return an empty list. + + +smb.conf changes +================ + + Parameter Name Description Default + -------------- ----------- ------- + acl claims evaluation new AD DC only + smb3 unix extensions Per share - + smb3 share cap:ASYMMETRIC new no + smb3 share cap:CLUSTER new see 'man smb.conf' + smb3 share cap:CONTINUOUS AVAILABILITY new no + smb3 share cap:SCALE OUT new see 'man smb.conf' + + +Changes since 4.20.0rc4 +======================= + +o Douglas Bagnall + * BUG 15606: Avoid null-dereference with bad claims. + * BUG 15613: ndr_pull_security_ace can leave resource attribute ACE coda + claim struct undefined. + +o Ralph Boehme + * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if + vfs_stat_fsp() fails in fd_close(). + +o Björn Jacke + * BUG 15583: set_nt_acl sometimes fails with NT_STATUS_INVALID_PARAMETER - + openat() EACCES. + +o Noel Power + * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if + vfs_stat_fsp() fails in fd_close(). + +o Andreas Schneider + * BUG 15599: libgpo: Segfault in python bindings. + +o Jo Sutton + * BUG 15607: Samba AD is missing some authentication policy tests. + + +CHANGES SINCE 4.20.0rc3 +======================= + +o Andreas Schneider + * BUG 15588: samba-gpupdate: Correctly implement site support. + + +CHANGES SINCE 4.20.0rc2 +======================= + +o Rob van der Linde + * BUG 15575: Remove unsupported "Final" keyword missing from Python 3.6. + +o Stefan Metzmacher + * BUG 15577: Additional witness backports for 4.20.0. + +o Noel Power + * BUG 15579: Error output with wspsearch. + +o Martin Schwenke + * BUG 15580: Packet marshalling push support missing for + CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and + CTDB_CONTROL_TCP_CLIENT_PASSED. + +o Jo Sutton + * BUG 15575: Remove unsupported "Final" keyword missing from Python 3.6. + + +CHANGES SINCE 4.20.0rc1 +======================= + +o Douglas Bagnall + * BUG 15574: Performance regression for NDR parsing of security descriptors. + +o Anoop C S + * BUG 15565: Build and install man page for wspsearch client utility. + +o Andreas Schneider + * BUG 15558: samba-gpupdate logging doesn't work. + + +KNOWN ISSUES +============ + +https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.20#Release_blocking_bugs + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + -- cgit v1.2.3