Release Announcements
=====================
-This is the first pre release of Samba 4.17. This is *not*
+This is the first pre release of Samba 4.21. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.17 will be the next version of the Samba suite.
+Samba 4.21 will be the next version of the Samba suite.
UPGRADING
=========
+LDAP TLS/SASL channel binding support
+-------------------------------------
+
+The ldap server supports SASL binds with
+kerberos or NTLMSSP over TLS connections
+now (either ldaps or starttls).
+
+Setups where 'ldap server require strong auth = allow_sasl_over_tls'
+was required before, can now most likely move to the
+default of 'ldap server require strong auth = yes'.
+
+If SASL binds without correct tls channel bindings are required
+'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
+should be used now, as 'allow_sasl_over_tls' will generate a
+warning in every start of 'samba', as well as '[samba-tool ]testparm'.
+
+This is similar to LdapEnforceChannelBinding under
+HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
+on Windows.
+
+All client tools using ldaps also include the correct
+channel bindings now.
+
NEW FEATURES/CHANGES
====================
-Bronze bit and S4U support with MIT Kerberos 1.20
--------------------------------------------------
+LDB no longer a standalone tarball
+----------------------------------
+
+LDB, Samba's LDAP-like local database and the power behind the Samba
+AD DC, is no longer available to build as a distinct tarball, but is
+instead provided as an optional public library.
+
+If you need ldb as a public library, say to build sssd, then use
+ ./configure --private-libraries='!ldb'
+
+This re-integration allows LDB tests to use the Samba's full selftest
+system, including our knownfail infrastructure, and decreases the work
+required during security releases as a coordinated release of the ldb
+tarball is not also required.
+
+This approach has been demonstrated already in Debian, which is already
+building Samba and LDB is this way.
+
+As part of this work, the pyldb-util public library, not known to be
+used by any other software, is made private to Samba.
+
+LDB Module API Python bindings removed
+--------------------------------------
+
+The LDB Modules API, which we do not promise a stable ABI or API for,
+was wrapped in python in early LDB development. However that wrapping
+never took into account later changes, and so has not worked for a
+number of years. Samba 4.21 and LDB 2.10 removes this unused and
+broken feature.
+
+Some Samba public libraries made private by default
+---------------------------------------------------
+
+The following Samba C libraries are currently made public due to their
+use by OpenChange or for historical reasons that are no longer clear.
+
+ dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig,
+ samba-credentials, dcerpc_server, samdb
+
+The libraries used by the OpenChange client now private, but can be
+made public (like ldb above) with:
+
+ ./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb'
+
+The C libraries without any known user or used only for the OpenChange
+server (a dead project) may be made private entirely in a future Samba
+version.
-In 2020 Microsoft Security Response Team received another Kerberos-related
-report. Eventually, that led to a security update of the CVE-2020-17049,
-Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze
-Bit’. With this vulnerability, a compromised service that is configured to use
-Kerberos constrained delegation feature could tamper with a service ticket that
-is not valid for delegation to force the KDC to accept it.
+If you use a Samba library in this list, please be in touch with the
+samba-technical mailing list.
-With the release of MIT Kerberos 1.20, Samba AD DC is able able to mitigate the
-‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was
-changed to allow passing more details between KDC and KDB components. When built
-against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions
-but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.
+Using ldaps from 'winbindd' and 'net ads'
+-----------------------------------------
-In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports
-S4U2Self and S4U2Proxy Kerberos extensions.
+Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
+impacted LDAP connections to active directory domain controllers.
+Using the STARTTLS operation on LDAP port 389 connections. Starting
+with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
+order let to 'ldap ssl = start tls' have any effect on those
+connections.
-Resource Based Constrained Delegation (RBCD) support
-----------------------------------------------------
+'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
+with the whole functionality in Samba 4.14.0, because it didn't support
+tls channel bindings required for the sasl authentication.
-Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
-Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.
-Note that samba-tool lacks support for setting this up yet!
+The functionality is now re-added using the correct channel bindings
+based on the gnutls based tls implementation we already have, instead
+of using the tls layer provided by openldap. This makes it available
+and consistent with all LDAP client libraries we use and implement on
+our own.
-To complete RBCD support and make it useful to Administrators we added the
-Asserted Identity [1] SID into the PAC for constrained delegation. This is
-available for Samba AD compiled with MIT Kerberos 1.20.
+The 'client ldap sasl wrapping' option gained the two new possible values:
+'starttls' (using STARTTLS on tcp port 389)
+and
+'ldaps' (using TLS directly on tcp port 636).
-[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
+If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
+before, you can now use 'client ldap sasl wrapping = starttls'
+in order to get STARTTLS on tcp port 389.
-Customizable DNS listening port
--------------------------------
+As we no longer use the openldap tls layer it is required to configure the
+correct certificate trusts with at least one of the following options:
+'tls trust system cas', 'tls ca directories' or 'tls cafile'.
+While 'tls verify peer' and 'tls crlfile' are also relevant,
+see 'man smb.conf' for further details.
-It is now possible to set a custom listening port for the builtin DNS service,
-making easy to host another DNS on the same system that would bind to the
-default port and forward the domain-specific queries to Samba using the custom
-port. This is the opposite configuration of setting a forwarder in Samba.
+New DNS hostname config option
+------------------------------
-It makes possible to use another DNS server as a front and forward to Samba.
+To get `net ads dns register` working correctly running manually or during a
+domain join a special entry in /etc/hosts was required. This not really
+documented and thus the DNS registration mostly didn't work. With the new option
+the default is [netbios name].[realm] which should be correct in the majority of
+use cases.
-Dynamic DNS updates may not be proxied by the front DNS server when forwarding
-to Samba. Dynamic DNS update proxying depends on the features of the other DNS
-server used as a front.
+We will also use the value to create service principal names during a Kerberos
+authentication and DNS functions.
+This is not supported in samba-tool yet.
REMOVED FEATURES
================
Parameter Name Description Default
-------------- ----------- -------
- dns port New default 53
+ client ldap sasl wrapping new values
+ client use spnego principal removed
+ ldap server require strong auth new values
+ tls trust system cas new
+ tls ca directories new
+ dns hostname client dns name [netbios name].[realm]
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.17#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs
#######################################
git.samba.org / jra / samba-autobuild / .git / blobdiff