Release Announcements
=====================
-This is the first pre release of Samba 4.15. This is *not*
+This is the first pre release of Samba 4.21. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.15 will be the next version of the Samba suite.
+Samba 4.21 will be the next version of the Samba suite.
UPGRADING
=========
-Removed SMB (development) dialects
-----------------------------------
+LDAP TLS/SASL channel binding support
+-------------------------------------
-The following SMB (development) dialects are no longer
-supported: SMB2_22, SMB2_24 and SMB3_10. They are were
-only supported by Windows technical preview builds.
-They used to be useful in order to test against the
-latest Windows versions, but it's no longer useful
-to have them. If you have them explicitly specified
-in your smb.conf or an the command line,
-you need to replace them like this:
-- SMB2_22 => SMB3_00
-- SMB2_24 => SMB3_00
-- SMB3_10 => SMB3_11
-Note that it's typically not useful to specify
-"client max protocol" or "server max protocol"
-explicitly to a specific dialect, just leave
-them unspecified or specify the value "default".
+The ldap server supports SASL binds with
+kerberos or NTLMSSP over TLS connections
+now (either ldaps or starttls).
-New GPG key
------------
+Setups where 'ldap server require strong auth = allow_sasl_over_tls'
+was required before, can now most likely move to the
+default of 'ldap server require strong auth = yes'.
-The GPG release key for Samba releases changed from:
+If SASL binds without correct tls channel bindings are required
+'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
+should be used now, as 'allow_sasl_over_tls' will generate a
+warning in every start of 'samba', as well as '[samba-tool ]testparm'.
-pub dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
- Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
-uid [ full ] Samba Distribution Verification Key <samba-bugs@samba.org>
-sub elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]
+This is similar to LdapEnforceChannelBinding under
+HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
+on Windows.
-to the following new key:
+All client tools using ldaps also include the correct
+channel bindings now.
-pub rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
- Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
-uid [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
-sub rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
-Starting from Jan 21th 2021, all Samba releases will be signed with the new key.
+NEW FEATURES/CHANGES
+====================
-See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
+LDB no longer a standalone tarball
+----------------------------------
+LDB, Samba's LDAP-like local database and the power behind the Samba
+AD DC, is no longer available to build as a distinct tarball, but is
+instead provided as an optional public library.
-NEW FEATURES/CHANGES
-====================
-- bind DLZ: Added the ability to set allow/deny lists for zone
- transfer clients.
- Up to now, any client could use a DNS zone transfer request
- to the bind server, and get an answer from Samba.
- Now the default behaviour will be to deny those request.
- Two new options have been added to manage the list of
- authorized/denied clients for zone transfer requests.
- In order to be accepted, the request must be issued by a client
- that is in the allow list and NOT in the deny list.
-
-samba-tool available without the ad-dc
---------------------------------------
+If you need ldb as a public library, say to build sssd, then use
+ ./configure --private-libraries='!ldb'
-The samba-tool command is now available when samba is configured
---without-ad-dc. Not all features will work, and some ad-dc specific options
-have been disabled. The samba-tool domain options, for example, are limited
-when no ad-dc is present. Samba must still be built with ads in order to enable
-samba-tool.
+This re-integration allows LDB tests to use the Samba's full selftest
+system, including our knownfail infrastructure, and decreases the work
+required during security releases as a coordinated release of the ldb
+tarball is not also required.
-Improved command line user experience
--------------------------------------
+This approach has been demonstrated already in Debian, which is already
+building Samba and LDB is this way.
-Samba utilities did not consistently implement their command line interface. A
-number of options were requiring to specify values in one tool and not in the
-other, some options meant different in different tools.
+As part of this work, the pyldb-util public library, not known to be
+used by any other software, is made private to Samba.
-These should be stories of the past now. A new command line parser has been
-implemented with sanity checking. Also the command line interface has been
-simplified and provides better control for encryption, singing and kerberos.
+LDB Module API Python bindings removed
+--------------------------------------
-Also several command line options have a smb.conf variable to control the
-default now.
+The LDB Modules API, which we do not promise a stable ABI or API for,
+was wrapped in python in early LDB development. However that wrapping
+never took into account later changes, and so has not worked for a
+number of years. Samba 4.21 and LDB 2.10 removes this unused and
+broken feature.
-All tools are logging to stderr by default. You can use --debug-stdout to
-change the behavior.
+Some Samba public libraries made private by default
+---------------------------------------------------
-### Common parser:
+The following Samba C libraries are currently made public due to their
+use by OpenChange or for historical reasons that are no longer clear.
-Options added:
---client-protection=off|sign|encrypt
+ dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig,
+ samba-credentials, dcerpc_server, samdb
-Options renamed:
---kerberos -> --use-kerberos=required|desired|off
---krb5-ccache -> --use-krb5-ccache=CCACHE
---scope -> --netbios-scope=SCOPE
---use-ccache -> --use-winbind-ccache
+The libraries used by the OpenChange client now private, but can be
+made public (like ldb above) with:
-Options removed:
--e|--encrypt
--C removed from --use-winbind-ccache
--i removed from --netbios-scope
--S|--signing
+ ./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb'
+The C libraries without any known user or used only for the OpenChange
+server (a dead project) may be made private entirely in a future Samba
+version.
-### Duplicates in command line utils
+If you use a Samba library in this list, please be in touch with the
+samba-technical mailing list.
-ldbadd/ldbsearch/ldbdel/ldbmodify/ldbrename:
--e is not available for --editor anymore
--s is not used for --configfile anymore
+Using ldaps from 'winbindd' and 'net ads'
+-----------------------------------------
-ndrdump:
--l is not available for --load-dso anymore
+Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
+impacted LDAP connections to active directory domain controllers.
+Using the STARTTLS operation on LDAP port 389 connections. Starting
+with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
+order let to 'ldap ssl = start tls' have any effect on those
+connections.
-net:
--l is not available for --long anymore
+'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
+with the whole functionality in Samba 4.14.0, because it didn't support
+tls channel bindings required for the sasl authentication.
-sharesec:
--V is not available for --viewsddl anymore
+The functionality is now re-added using the correct channel bindings
+based on the gnutls based tls implementation we already have, instead
+of using the tls layer provided by openldap. This makes it available
+and consistent with all LDAP client libraries we use and implement on
+our own.
-smbcquotas:
---user -> --quota-user
+The 'client ldap sasl wrapping' option gained the two new possible values:
+'starttls' (using STARTTLS on tcp port 389)
+and
+'ldaps' (using TLS directly on tcp port 636).
-nmbd:
---log-stdout -> --debug-stdout
+If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
+before, you can now use 'client ldap sasl wrapping = starttls'
+in order to get STARTTLS on tcp port 389.
-smbd:
---log-stdout -> --debug-stdout
+As we no longer use the openldap tls layer it is required to configure the
+correct certificate trusts with at least one of the following options:
+'tls trust system cas', 'tls ca directories' or 'tls cafile'.
+While 'tls verify peer' and 'tls crlfile' are also relevant,
+see 'man smb.conf' for further details.
-winbindd:
---log-stdout -> --debug-stdout
+New DNS hostname config option
+------------------------------
-Scanning of trusted domains and enterpise principals
-----------------------------------------------------
+To get `net ads dns register` working correctly running manually or during a
+domain join a special entry in /etc/hosts was required. This not really
+documented and thus the DNS registration mostly didn't work. With the new option
+the default is [netbios name].[realm] which should be correct in the majority of
+use cases.
-As an artifact from the NT4 times, we still scanned the list of trusted domains
-on winbindd startup. This is wrong as we never can get a full picture in Active
-Directory. It is time to change the default value to No. Also with this change
-we always use enterprise principals for Kerberos so that the DC will be able
-to redirect ticket requests to the right DC. This is e.g needed for one way
-trusts. The options `winbind use krb5 enterprise principals` and
-`winbind scan trusted domains` will be deprecated in one of the next releases.
+We will also use the value to create service principal names during a Kerberos
+authentication and DNS functions.
+This is not supported in samba-tool yet.
REMOVED FEATURES
================
-Tru64 ACL support has been removed from this release. The last
-supported release of Tru64 UNIX was in 2012.
-
-NIS support has been removed from this release. This is not
-available in Linux distributions anymore.
-
-The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9,
-which have been out of support since 2018.
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
- client use kerberos New desired
- client max protocol Values Removed
- client min protocol Values Removed
- client protection New default
- preopen:posix-basic-regex New No
- preopen:nomatch_log_level New 5
- preopen:match_log_level New 5
- preopen:nodigits_log_level New 1
- preopen:founddigits_log_level New 3
- preopen:reset_log_level New 5
- preopen:push_log_level New 3
- preopen:queue_log_level New 10
- server max protocol Values Removed
- server min protocol Values Removed
- winbind use krb5 enterprise principals Changed Yes
- winbind scan trusted domains Changed No
+ client ldap sasl wrapping new values
+ client use spnego principal removed
+ ldap server require strong auth new values
+ tls trust system cas new
+ tls ca directories new
+ dns hostname client dns name [netbios name].[realm]
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.15#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs
#######################################
#######################################
Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.freenode.net.
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
git.samba.org / jra / samba-autobuild / .git / blobdiff