Release Announcements
=====================
-This is the first pre release of Samba 4.19. This is *not*
+This is the first pre release of Samba 4.21. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.19 will be the next version of the Samba suite.
+Samba 4.21 will be the next version of the Samba suite.
UPGRADING
=========
+LDAP TLS/SASL channel binding support
+-------------------------------------
-NEW FEATURES/CHANGES
-====================
-
-Migrated smbget to use common command line parser
--------------------------------------------------
-
-The smbget utility implemented its own command line parsing logic. After
-discovering an issue we decided to migrate it to use the common command line
-parser. This has some advantages as you get all the feature it provides like
-Kerberos authentication. The downside is that breaks the options interface.
-The support for smbgetrc has been removed. You can use an authentication file
-if needed, this is documented in the manpage.
-
-Please check the smbget manpage or --help output.
-
-gpupdate changes
-----------------
-
-The libgpo.get_gpo_list function has been deprecated in favor of
-an implementation written in python. The new function can be imported via
-`import samba.gp`. The python implementation connects to Active Directory
-using the SamDB module, instead of ADS (which is what libgpo uses).
-
-Improved winbind logging and a new tool for parsing the winbind logs
---------------------------------------------------------------------
-
-Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain new
-trace header fields 'traceid' and 'depth'. Field 'traceid' allows to track the
-trace records belonging to the same request. Field 'depth' allows to track the
-request nesting level. A new tool samba-log-parser is added for better log
-parsing.
-
-AD database prepared to FL 2016 standards for new domains
----------------------------------------------------------
-
-While Samba still provides only Functional Level 2008R2 by default,
-Samba as an AD DC will now, in provision ensure that the blank
-database is already prepared for Functional Level 2016, with AD Schema
-2019.
-
-This preparation is of the default objects in the database, adding
-containers for Authentication Policies, Authentication Silos and AD
-claims in particular. These DB objects must be updated to allow
-operation of the new features found in higher functional levels.
-
-Kerberos Claims, Authentication Silos and NTLM authentication policies
-----------------------------------------------------------------------
-
-An initial, partial implementation of Active Directory Functional
-Level 2012, 2012R2 and 2016 is available in this release.
-
-In particular Samba will issue Active Directory "Claims" in the PAC,
-for member servers that support these, and honour in-directory
-configuration for Authentication Policies and Authentication Silos.
-
-The primary limitation is that while Samba can read and write claims
-in the directory, and populate the PAC, Samba does not yet use them
-for access control decisions.
+The ldap server supports SASL binds with
+kerberos or NTLMSSP over TLS connections
+now (either ldaps or starttls).
-While we continue to develop these features, existing domains can
-test the feature by selecting the functional level in provision or
-raising the DC functional level by setting
+Setups where 'ldap server require strong auth = allow_sasl_over_tls'
+was required before, can now most likely move to the
+default of 'ldap server require strong auth = yes'.
- ad dc functional level = 2016
+If SASL binds without correct tls channel bindings are required
+'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
+should be used now, as 'allow_sasl_over_tls' will generate a
+warning in every start of 'samba', as well as '[samba-tool ]testparm'.
-in the smb.conf
+This is similar to LdapEnforceChannelBinding under
+HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
+on Windows.
-The smb.conf file on each DC must have 'ad dc functional level = 2016'
-set to have the partially complete feature available. This will also,
-at first startup, update the server's own AD entry with the configured
-functional level.
+All client tools using ldaps also include the correct
+channel bindings now.
-For new domains, add these parameters to 'samba-tool provision'
---option="ad dc functional level = 2016" --function-level=2016
-
-The second option, setting the overall domain functional level
-indicates that all DCs should be at this functional level.
-
-To raise the domain functional level of an existing domain, after
-updating the smb.conf and restarting Samba run
-samba-tool domain schemaupgrade --schema=2019
-samba-tool domain functionalprep --function-level=2016
-samba-tool domain level raise --domain-level=2016 --forest-level=2016
+NEW FEATURES/CHANGES
+====================
-Improved KDC Auditing
----------------------
+LDB no longer a standalone tarball
+----------------------------------
-As part of the auditing required to allow successful deployment of
-Authentication Policies and Authentication Silos, our KDC now provides
-Samba-style JSON audit logging of all issued Kerberos tickets,
-including if they would fail a policy that is not yet enforced.
-Additionally most failures are audited, (after the initial
-pre-validation of the request).
+LDB, Samba's LDAP-like local database and the power behind the Samba
+AD DC, is no longer available to build as a distinct tarball, but is
+instead provided as an optional public library.
-Kerberos Armoring (FAST) Support for Windows clients
-----------------------------------------------------
+If you need ldb as a public library, say to build sssd, then use
+ ./configure --private-libraries='!ldb'
-In domains where the domain controller functional level is set, as
-above, to 2012, 2012_R2 or 2016, Windows clients will, if configured
-via GPO, use FAST to protect user passwords between (in particular) a
-workstation and the KDC on the AD DC. This is a significant security
-improvement, as weak passwords in an AS-REQ are no longer available
-for offline attack.
+This re-integration allows LDB tests to use the Samba's full selftest
+system, including our knownfail infrastructure, and decreases the work
+required during security releases as a coordinated release of the ldb
+tarball is not also required.
-Claims compression in the AD PAC
---------------------------------
+This approach has been demonstrated already in Debian, which is already
+building Samba and LDB is this way.
-Samba as an AD DC will compress "AD claims" using the same compression
-algorithm as Microsoft Windows.
+As part of this work, the pyldb-util public library, not known to be
+used by any other software, is made private to Samba.
-Resource SID compression in the AD PAC
+LDB Module API Python bindings removed
--------------------------------------
-Samba as an AD DC will now correctly populate the various PAC group
-membership buffers, splitting global and local groups correctly.
-
-Additionally, Samba marshals Resource SIDs, being local groups in the
-member server's own domain, to only consume a header and 4 bytes per
-group in the PAC, not a full-length SID worth of space each. This is
-known as "Resource SID compression".
-
-New samba-tool support for silos, claims, sites and subnets.
-------------------------------------------------------------
-
-samba-tool can now list, show, add and manipulate Authentication Silos
-(silos) and Active Directory Authentication Claims (claims).
-
-samba-tool can now list and show Active Directory sites and subnets.
+The LDB Modules API, which we do not promise a stable ABI or API for,
+was wrapped in python in early LDB development. However that wrapping
+never took into account later changes, and so has not worked for a
+number of years. Samba 4.21 and LDB 2.10 removes this unused and
+broken feature.
-A new Object Relational Model (ORM) based architecture, similar to
-that used with Django, has been built to make adding new samba-tool
-subcommands simpler and more consistent, with JSON output available
-standard on these new commands.
+Some Samba public libraries made private by default
+---------------------------------------------------
-Updated GnuTLS requirement / in-tree cryptography removal
-----------------------------------------------------------
+The following Samba C libraries are currently made public due to their
+use by OpenChange or for historical reasons that are no longer clear.
-Samba requires GnuTLS 3.6.13 and prefers GnuTLS 3.6.14 or later.
+ dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig,
+ samba-credentials, dcerpc_server, samdb
-This has allowed Samba to remove all of our in-tree cryptography,
-except that found in our Heimdal import. Samba's runtime cryptography
-needs are now all provided by GnuTLS.
+The libraries used by the OpenChange client now private, but can be
+made public (like ldb above) with:
-(The GnuTLS vesion requirement is raised to 3.7.2 on systems without
-the Linux getrandom())
+ ./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb'
-We also use Python's cryptography module for our testing.
+The C libraries without any known user or used only for the OpenChange
+server (a dead project) may be made private entirely in a future Samba
+version.
-The use of well known cryptography libraries makes Samba easier for
-end-users to validate and deploy, and for distributors to ship. This
-is the end of a very long journey for Samba.
+If you use a Samba library in this list, please be in touch with the
+samba-technical mailing list.
-Updated Heimdal import
-----------------------
-
-Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to
-the current pre-8.0 (master) tree from upstream Heimdal, ensuring that
-this vendored copy, included in our release remains as close as
-possible to the current upstream code.
-
-Revocation support in Heimdal KDC for PKINIT certificates
----------------------------------------------------------
-
-Samba will now correctly honour the revocation of 'smart card'
-certificates used for PKINIT Kerberos authentication.
-
-This list is reloaded each time the file changes, so no further action
-other than replacing the file is required. The additional krb5.conf
-option is:
-
- [kdc]
- pkinit_revoke = FILE:/path/to/crl.pem
+Using ldaps from 'winbindd' and 'net ads'
+-----------------------------------------
-Information on the "Smart Card login" feature as a whole is at:
- https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
+Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
+impacted LDAP connections to active directory domain controllers.
+Using the STARTTLS operation on LDAP port 389 connections. Starting
+with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
+order let to 'ldap ssl = start tls' have any effect on those
+connections.
-Protocol level testsuite for (Smart Card Logon) PKINIT
-------------------------------------------------------
+'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
+with the whole functionality in Samba 4.14.0, because it didn't support
+tls channel bindings required for the sasl authentication.
-Previously Samba's PKINIT support in the KDC was tested by use of
-shell scripts around the client tools of MIT or Heimdal Kerberos.
-Samba's independently written python testsuite has been extended to
-validate KDC behaviour for PKINIT.
+The functionality is now re-added using the correct channel bindings
+based on the gnutls based tls implementation we already have, instead
+of using the tls layer provided by openldap. This makes it available
+and consistent with all LDAP client libraries we use and implement on
+our own.
-Require encrypted connection to modify unicodePwd on the AD DC
---------------------------------------------------------------
+The 'client ldap sasl wrapping' option gained the two new possible values:
+'starttls' (using STARTTLS on tcp port 389)
+and
+'ldaps' (using TLS directly on tcp port 636).
-Setting the password on an AD account on should never be attempted
-over a plaintext or signed-only LDAP connection. If the unicodePwd
-(or userPassword) attribute is modified without encryption (as seen by
-Samba), the request will be rejected. This is to encourage the
-administrator to use an encrypted connection in the future.
+If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
+before, you can now use 'client ldap sasl wrapping = starttls'
+in order to get STARTTLS on tcp port 389.
-NOTE WELL: If Samba is accessed via a TLS frontend or load balancer,
-the LDAP request will be regarded as plaintext.
+As we no longer use the openldap tls layer it is required to configure the
+correct certificate trusts with at least one of the following options:
+'tls trust system cas', 'tls ca directories' or 'tls cafile'.
+While 'tls verify peer' and 'tls crlfile' are also relevant,
+see 'man smb.conf' for further details.
-Samba AD TLS Certificates can be reloaded
------------------------------------------
+New DNS hostname config option
+------------------------------
-The TLS certificates used for Samba's AD DC LDAP server were
-previously only read on startup, and this meant that when then expired
-it was required to restart Samba, disrupting service to other users.
+To get `net ads dns register` working correctly running manually or during a
+domain join a special entry in /etc/hosts was required. This not really
+documented and thus the DNS registration mostly didn't work. With the new option
+the default is [netbios name].[realm] which should be correct in the majority of
+use cases.
- smbcontrol ldap_server reload-certs
+We will also use the value to create service principal names during a Kerberos
+authentication and DNS functions.
-This will now allow these certificates to be reloaded 'on the fly'
+This is not supported in samba-tool yet.
-================
REMOVED FEATURES
================
Parameter Name Description Default
-------------- ----------- -------
- winbind debug traceid Add traceid No
- directory name cache size Removed
+ client ldap sasl wrapping new values
+ client use spnego principal removed
+ ldap server require strong auth new values
+ tls trust system cas new
+ tls ca directories new
+ dns hostname client dns name [netbios name].[realm]
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.19#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs
#######################################
git.samba.org / samba.git / blobdiff