Release Announcements
=====================
-This is the first release condidate of Samba 4.13. This is *not*
+This is the first pre release of Samba 4.21. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.13 will be the next version of the Samba suite.
+Samba 4.21 will be the next version of the Samba suite.
UPGRADING
=========
+LDAP TLS/SASL channel binding support
+-------------------------------------
+
+The ldap server supports SASL binds with
+kerberos or NTLMSSP over TLS connections
+now (either ldaps or starttls).
+
+Setups where 'ldap server require strong auth = allow_sasl_over_tls'
+was required before, can now most likely move to the
+default of 'ldap server require strong auth = yes'.
+
+If SASL binds without correct tls channel bindings are required
+'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
+should be used now, as 'allow_sasl_over_tls' will generate a
+warning in every start of 'samba', as well as '[samba-tool ]testparm'.
+
+This is similar to LdapEnforceChannelBinding under
+HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
+on Windows.
+
+All client tools using ldaps also include the correct
+channel bindings now.
+
NEW FEATURES/CHANGES
====================
-Python 3.6 Required
--------------------
-
-Samba's minimum runtime requirement for python was raised to Python
-3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python
-3.6 both to access new features and because this is the oldest version
-we test with in our CI infrastructure.
-
-(Build time support for the file server with Python 2.6 has not
-changed)
-
-wide links functionality
-------------------------
-
-For this release, the code implementing the insecure "wide links = yes"
-functionality has been moved out of the core smbd code and into a separate
-VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
-by smbd as the last but one module before vfs_default if "wide links = yes"
-is enabled on the share (note, the existing restrictions on enabling wide
-links around the SMB1 "unix extensions" and the "allow insecure wide links"
-parameters are still in force). The implicit loading was done to allow
-existing users of "wide links = yes" to keep this functionality without
-having to make a change to existing working smb.conf files.
-
-Please note that the Samba developers recommend changing any Samba
-installations that currently use "wide links = yes" to use bind mounts
-as soon as possible, as "wide links = yes" is an inherently insecure
-configuration which we would like to remove from Samba. Moving the
-feature into a VFS module allows this to be done in a cleaner way
-in future.
-
-A future release to be determined will remove this implicit linkage,
-causing administrators who need this functionality to have to explicitly
-add the vfs_widelinks module into the "vfs objects =" parameter lists.
-The release notes will be updated to note this change when it occurs.
+LDB no longer a standalone tarball
+----------------------------------
+
+LDB, Samba's LDAP-like local database and the power behind the Samba
+AD DC, is no longer available to build as a distinct tarball, but is
+instead provided as an optional public library.
+
+If you need ldb as a public library, say to build sssd, then use
+ ./configure --private-libraries='!ldb'
+
+This re-integration allows LDB tests to use the Samba's full selftest
+system, including our knownfail infrastructure, and decreases the work
+required during security releases as a coordinated release of the ldb
+tarball is not also required.
+
+This approach has been demonstrated already in Debian, which is already
+building Samba and LDB is this way.
+
+As part of this work, the pyldb-util public library, not known to be
+used by any other software, is made private to Samba.
+
+LDB Module API Python bindings removed
+--------------------------------------
+
+The LDB Modules API, which we do not promise a stable ABI or API for,
+was wrapped in python in early LDB development. However that wrapping
+never took into account later changes, and so has not worked for a
+number of years. Samba 4.21 and LDB 2.10 removes this unused and
+broken feature.
+
+Using ldaps from 'winbindd' and 'net ads'
+-----------------------------------------
+
+Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
+impacted LDAP connections to active directory domain controllers.
+Using the STARTTLS operation on LDAP port 389 connections. Starting
+with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
+order let to 'ldap ssl = start tls' have any effect on those
+connections.
+
+'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
+with the whole functionality in Samba 4.14.0, because it didn't support
+tls channel bindings required for the sasl authentication.
+
+The functionality is now re-added using the correct channel bindings
+based on the gnutls based tls implementation we already have, instead
+of using the tls layer provided by openldap. This makes it available
+and consistent with all LDAP client libraries we use and implement on
+our own.
+
+The 'client ldap sasl wrapping' option gained the two new possible values:
+'starttls' (using STARTTLS on tcp port 389)
+and
+'ldaps' (using TLS directly on tcp port 636).
+
+If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
+before, you can now use 'client ldap sasl wrapping = starttls'
+in order to get STARTTLS on tcp port 389.
+
+As we no longer use the openldap tls layer it is required to configure the
+correct certificate trusts with at least one of the following options:
+'tls trust system cas', 'tls ca directories' or 'tls cafile'.
+While 'tls verify peer' and 'tls crlfile' are also relevant,
+see 'man smb.conf' for further details.
+
REMOVED FEATURES
================
smb.conf changes
================
- Parameter Name Description Default
- -------------- ----------- -------
-
- smb2 disable lock sequence checking No
+ Parameter Name Description Default
+ -------------- ----------- -------
+ client ldap sasl wrapping new values
+ client use spnego principal removed
+ ldap server require strong auth new values
+ tls trust system cas new
+ tls ca directories new
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.13#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs
#######################################
#######################################
Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.freenode.net.
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
git.samba.org / samba.git / blobdiff