Release Announcements
=====================
-This is the first release candidate of Samba 4.16. This is *not*
+This is the first pre release of Samba 4.21. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.16 will be the next version of the Samba suite.
+Samba 4.21 will be the next version of the Samba suite.
UPGRADING
=========
+LDAP TLS/SASL channel binding support
+-------------------------------------
-NEW FEATURES/CHANGES
-====================
-
-New samba-dcerpcd binary to provide DCERPC in the member server setup
----------------------------------------------------------------------
-
-In order to make it much easier to break out the DCERPC services
-from smbd, a new samba-dcerpcd binary has been created.
-
-samba-dcerpcd can be used in two ways. In the normal case without
-startup script modification it is invoked on demand from smbd or
-winbind --np-helper to serve DCERPC over named pipes. Note that
-in order to run in this mode the smb.conf [global] section has
-a new parameter "rpc start on demand helpers = [true|false]".
-This parameter is set to "true" by default, meaning no changes to
-smb.conf files are needed to run samba-dcerpcd on demand as a named
-pipe helper.
-
-It can also be used in a standalone mode where it is started
-separately from smbd or winbind but this requires changes to system
-startup scripts, and in addition a change to smb.conf, setting the new
-[global] parameter "rpc start on demand helpers = false". If "rpc
-start on demand helpers" is not set to false, samba-dcerpcd will
-refuse to start in standalone mode.
-
-Note that when Samba is run in the Active Directory Domain Controller
-mode the samba binary that provides the AD code will still provide its
-normal DCERPC services whilst allowing samba-dcerpcd to provide
-services like SRVSVC in the same way that smbd used to in this
-configuration.
-
-The parameters that allowed some smbd-hosted services to be started
-externally are now gone (detailed below) as this is now the default
-setting.
-
-samba-dcerpcd can also be useful for use outside of the Samba
-framework, for example, use with the Linux kernel SMB2 server ksmbd or
-possibly other SMB2 server implementations.
-
-Certificate Auto Enrollment
----------------------------
+The ldap server supports SASL binds with
+kerberos or NTLMSSP over TLS connections
+now (either ldaps or starttls).
-Certificate Auto Enrollment allows devices to enroll for certificates from
-Active Directory Certificate Services. It is enabled by Group Policy.
-To enable Certificate Auto Enrollment, Samba's group policy will need to be
-enabled by setting the smb.conf option `apply group policies` to Yes. Samba
-Certificate Auto Enrollment depends on certmonger, the cepces certmonger
-plugin, and sscep. Samba uses sscep to download the CA root chain, then uses
-certmonger paired with cepces to monitor the host certificate templates.
-Certificates are installed in /var/lib/samba/certs and private keys are
-installed in /var/lib/samba/private/certs.
+Setups where 'ldap server require strong auth = allow_sasl_over_tls'
+was required before, can now most likely move to the
+default of 'ldap server require strong auth = yes'.
-Ability to add ports to dns forwarder addresses in internal DNS backend
------------------------------------------------------------------------
+If SASL binds without correct tls channel bindings are required
+'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
+should be used now, as 'allow_sasl_over_tls' will generate a
+warning in every start of 'samba', as well as '[samba-tool ]testparm'.
-The internal DNS server of Samba forwards queries non-AD zones to one or more
-configured forwarders. Up until now it has been assumed that these forwarders
-listen on port 53. Starting with this version it is possible to configure the
-port using host:port notation. See smb.conf for more details. Existing setups
-are not affected, as the default port is 53.
+This is similar to LdapEnforceChannelBinding under
+HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
+on Windows.
-CTDB changes
-------------
+All client tools using ldaps also include the correct
+channel bindings now.
-* The "recovery master" role has been renamed "leader"
- Documentation and logs now refer to "leader".
-
- The following ctdb tool command names have changed:
-
- recmaster -> leader
- setrecmasterrole -> setleaderrole
+NEW FEATURES/CHANGES
+====================
- Command output has changed for the following commands:
+LDB no longer a standalone tarball
+----------------------------------
- status
- getcapabilities
+LDB, Samba's LDAP-like local database and the power behind the Samba
+AD DC, is no longer available to build as a distinct tarball, but is
+instead provided as an optional public library.
- The "[legacy] -> recmaster capability" configuration option has been
- renamed and moved to the cluster section, so this is now:
+If you need ldb as a public library, say to build sssd, then use
+ ./configure --private-libraries='!ldb'
- [cluster] -> leader capability
+This re-integration allows LDB tests to use the Samba's full selftest
+system, including our knownfail infrastructure, and decreases the work
+required during security releases as a coordinated release of the ldb
+tarball is not also required.
-* The "recovery lock" has been renamed "cluster lock"
+This approach has been demonstrated already in Debian, which is already
+building Samba and LDB is this way.
- Documentation and logs now refer to "cluster lock".
+As part of this work, the pyldb-util public library, not known to be
+used by any other software, is made private to Samba.
- The "[cluster] -> recovery lock" configuration option has been
- deprecated and will be removed in a future version. Please use
- "[cluster] -> cluster lock" instead.
+LDB Module API Python bindings removed
+--------------------------------------
- If the cluster lock is enabled then traditional elections are not
- done and leader elections use a race for the cluster lock. This
- avoids various conditions where a node is elected leader but can not
- take the cluster lock. Such conditions included:
+The LDB Modules API, which we do not promise a stable ABI or API for,
+was wrapped in python in early LDB development. However that wrapping
+never took into account later changes, and so has not worked for a
+number of years. Samba 4.21 and LDB 2.10 removes this unused and
+broken feature.
- - At startup, a node elects itself leader of its own cluster before
- connecting to other nodes
+Using ldaps from 'winbindd' and 'net ads'
+-----------------------------------------
- - Cluster filesystem failover is slow
+Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
+impacted LDAP connections to active directory domain controllers.
+Using the STARTTLS operation on LDAP port 389 connections. Starting
+with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
+order let to 'ldap ssl = start tls' have any effect on those
+connections.
- The abbreviation "reclock" is still used in many places, because a
- better abbreviation eludes us (i.e. "clock" is obvious bad) and
- changing all instances would require a lot of churn. If the
- abbreviation "reclock" for "cluster lock" is confusing, please
- consider mentally prefixing it with "really excellent".
+'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
+with the whole functionality in Samba 4.14.0, because it didn't support
+tls channel bindings required for the sasl authentication.
-* CTDB now uses leader broadcasts and an associated timeout to
- determine if an election is required
+The functionality is now re-added using the correct channel bindings
+based on the gnutls based tls implementation we already have, instead
+of using the tls layer provided by openldap. This makes it available
+and consistent with all LDAP client libraries we use and implement on
+our own.
- The leader broadcast timeout can be configured via new configuration
- option
+The 'client ldap sasl wrapping' option gained the two new possible values:
+'starttls' (using STARTTLS on tcp port 389)
+and
+'ldaps' (using TLS directly on tcp port 636).
- [cluster] -> leader timeout
+If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
+before, you can now use 'client ldap sasl wrapping = starttls'
+in order to get STARTTLS on tcp port 389.
- This specifies the number of seconds without leader broadcasts
- before a node calls an election. The default is 5.
+As we no longer use the openldap tls layer it is required to configure the
+correct certificate trusts with at least one of the following options:
+'tls trust system cas', 'tls ca directories' or 'tls cafile'.
+While 'tls verify peer' and 'tls crlfile' are also relevant,
+see 'man smb.conf' for further details.
REMOVED FEATURES
================
-SMB1 CORE and LANMAN1 protocol wildcard copy, unlink and rename removed
-=======================================================================
-
-In preparation for the removal of the SMB1 server, the unused
-SMB1 command SMB_COM_COPY (SMB1 command number 0x29) has been
-removed from the Samba smbd server. In addition, the ability
-to process file name wildcards in requests using the SMB1 commands
-SMB_COM_COPY (SMB1 command number 0x2A), SMB_COM_RENAME (SMB1 command
-number 0x7), SMB_COM_NT_RENAME (SMB1 command number 0xA5) and
-SMB_COM_DELETE (SMB1 command number 0x6) have been removed.
-
-This only affects clients using MS-DOS based versions of
-SMB1, the last release of which was Windows 98. Users requiring
-support for these features will need to use older versions
-of Samba.
-
-No longer using Linux mandatory locks for sharemodes
-====================================================
-
-smbd mapped sharemodes to Linux mandatory locks. This code in the Linux kernel
-was broken for a long time, and is planned to be removed with Linux 5.15. This
-Samba release removes the usage of mandatory locks for sharemodes and the
-"kernel share modes" config parameter is changed to default to "no". The Samba
-VFS interface is kept, so that file-system specific VFS modules can still use
-private calls for enforcing sharemodes.
-
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
- kernel share modes New default No
- dns forwarder Changed
- rpc_daemon Removed
- rpc_server Removed
- rpc start on demand helpers Added true
+ client ldap sasl wrapping new values
+ client use spnego principal removed
+ ldap server require strong auth new values
+ tls trust system cas new
+ tls ca directories new
+
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.16#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs
#######################################
#######################################
Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.freenode.net.
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
git.samba.org / jra / samba-autobuild / .git / blobdiff