Release Announcements
=====================
-This is the first pre release of Samba 4.20. This is *not*
+This is the first pre release of Samba 4.21. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.20 will be the next version of the Samba suite.
+Samba 4.21 will be the next version of the Samba suite.
UPGRADING
=========
+LDAP TLS/SASL channel binding support
+-------------------------------------
-NEW FEATURES/CHANGES
-====================
+The ldap server supports SASL binds with
+kerberos or NTLMSSP over TLS connections
+now (either ldaps or starttls).
-New Minimum MIT Krb5 version for Samba AD Domain Controller
------------------------------------------------------------
+Setups where 'ldap server require strong auth = allow_sasl_over_tls'
+was required before, can now most likely move to the
+default of 'ldap server require strong auth = yes'.
-Samba now requires MIT 1.21 when built against a system MIT Krb5 and
-acting as an Active Directory DC. This addresses the issues that were
-fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that
-Samba builds against the MIT version that allows us to avoid that
-attack.
+If SASL binds without correct tls channel bindings are required
+'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
+should be used now, as 'allow_sasl_over_tls' will generate a
+warning in every start of 'samba', as well as '[samba-tool ]testparm'.
-Removed dependency on Perl JSON module
---------------------------------------
+This is similar to LdapEnforceChannelBinding under
+HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
+on Windows.
-Distributions are advised that the Perl JSON package is no longer
-required by Samba builds that use the imported Heimdal. The build
-instead uses Perl's JSON::PP built into recent perl5 versions.
+All client tools using ldaps also include the correct
+channel bindings now.
-Current lists of packages required by Samba for major distributions
-are found in the bootstrap/generated-dists/ directory of a Samba
-source tree. While there will be some differences - due to features
-chosen by packagers - comparing these lists with the build dependencies
-in a package may locate other dependencies we no longer require.
-samba-tool user getpassword / syncpasswords ;rounds= change
------------------------------------------------------------
+NEW FEATURES/CHANGES
+====================
-The password access tool "samba-tool user getpassword" and the
-password sync tool "samba-tool user syncpasswords" allow attributes to
-be chosen for output, and accept parameters like
-pwdLastSet;format=GeneralizedTime
+LDB no longer a standalone tarball
+----------------------------------
-These attributes then appear, in the same format, as the attributes in
-the LDIF output. This was not the case for the ;rounds= parameter of
-virtualCryptSHA256 and virtualCryptSHA512, for example as
---attributes="virtualCryptSHA256;rounds=50000"
+LDB, Samba's LDAP-like local database and the power behind the Samba
+AD DC, is no longer available to build as a distinct tarball, but is
+instead provided as an optional public library.
-This release makes the behaviour consistent between these two
-features. Installations using GPG-encrypted passwords (or plaintext
-storage) and the rounds= option, will find the output has changed
+If you need ldb as a public library, say to build sssd, then use
+ ./configure --private-libraries='!ldb'
-from:
-virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
+This re-integration allows LDB tests to use the Samba's full selftest
+system, including our knownfail infrastructure, and decreases the work
+required during security releases as a coordinated release of the ldb
+tarball is not also required.
-to:
-virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
+This approach has been demonstrated already in Debian, which is already
+building Samba and LDB is this way.
-Group Managed service account client-side features
---------------------------------------------------
+As part of this work, the pyldb-util public library, not known to be
+used by any other software, is made private to Samba.
-samba-tool has been extended to provide client-side support for Group
-Managed Service accounts. These accounts have passwords that change
-automatically, giving the advantages of service isolation without risk
-of poor, unchanging passwords.
+LDB Module API Python bindings removed
+--------------------------------------
-Where possible, Samba's existing samba-tool password handling
-commands, which in the past have only operated against the local
-sam.ldb have been extended to permit operation against a remote server
-with authenticated access to "-H ldap://$DCNAME"
+The LDB Modules API, which we do not promise a stable ABI or API for,
+was wrapped in python in early LDB development. However that wrapping
+never took into account later changes, and so has not worked for a
+number of years. Samba 4.21 and LDB 2.10 removes this unused and
+broken feature.
-Supported operations include:
- - reading the current and previous gMSA password via
- "samba-tool user getpassword"
- - writing a Kerberos Ticket Granting Ticket (TGT) to a local
- credentials cache with a new command
- "samba-tool user get-kerberos-ticket"
+Using ldaps from 'winbindd' and 'net ads'
+-----------------------------------------
-New Windows Search Protocol Client
-----------------------------------
+Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
+impacted LDAP connections to active directory domain controllers.
+Using the STARTTLS operation on LDAP port 389 connections. Starting
+with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
+order let to 'ldap ssl = start tls' have any effect on those
+connections.
-Samba now by default builds new experimental Windows Search Protocol (WSP)
-command line client "wspsearch"
+'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
+with the whole functionality in Samba 4.14.0, because it didn't support
+tls channel bindings required for the sasl authentication.
-The "wspsearch" cmd-line utility allows a WSP search request to be sent
-to a server (such as a windows server) that has the (WSP)
-Windows Search Protocol service configured and enabled.
+The functionality is now re-added using the correct channel bindings
+based on the gnutls based tls implementation we already have, instead
+of using the tls layer provided by openldap. This makes it available
+and consistent with all LDAP client libraries we use and implement on
+our own.
-For more details see the wspsearch man page.
+The 'client ldap sasl wrapping' option gained the two new possible values:
+'starttls' (using STARTTLS on tcp port 389)
+and
+'ldaps' (using TLS directly on tcp port 636).
-Allow 'smbcacls' to save/restore DACLs to file
---------------------------------------------
+If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
+before, you can now use 'client ldap sasl wrapping = starttls'
+in order to get STARTTLS on tcp port 389.
-'smbcacls' has been extended to allow DACLs to be saved and restored
-to/from a file. This feature mimics the functionality that windows cmd
-line tool 'icacls.exe' provides. Additionally files created either
-by 'smbcalcs' or 'icacls.exe' are interchangeable and can be used by
-either tool as the same file format is used.
+As we no longer use the openldap tls layer it is required to configure the
+correct certificate trusts with at least one of the following options:
+'tls trust system cas', 'tls ca directories' or 'tls cafile'.
+While 'tls verify peer' and 'tls crlfile' are also relevant,
+see 'man smb.conf' for further details.
-New options added are:
- - '--save savefile' Saves DACLs in sddl format to file
- - '--recurse' Performs the '--save' operation above on directory
- and all files/directories below.
- - '--restore savefile' Restores the stored DACLS to files in directory
REMOVED FEATURES
================
-Get locally logged on users from utmp
--------------------------------------
-
-The Workstation Service Remote Protocol [MS-WKST] calls NetWkstaGetInfo
-level 102 and NetWkstaEnumUsers level 0 and 1 return the list of locally
-logged on users. Samba was getting the list from utmp, which is not
-Y2038 safe. This feature has been completely removed and Samba will
-always return an empty list.
-
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
- smb3 unix extensions Per share -
+ client ldap sasl wrapping new values
+ client use spnego principal removed
+ ldap server require strong auth new values
+ tls trust system cas new
+ tls ca directories new
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.20#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs
#######################################
git.samba.org / samba.git / blobdiff