Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:markusd:samba:samba-4.20-related:samba-4.20-mit-fs
samba-4.20-mit-fs
samba.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File samba.changes of Package samba-4.20-mit-fs
------------------------------------------------------------------- Wed Nov 20 11:44:22 UTC 2024 - macke d <mdbuild@use.startmail.com> - ============================== Release Notes for Samba 4.20.6 November 19, 2024 ============================== This is the latest stable release of the Samba 4.20 release series. Changes since 4.20.5 -------------------- o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 15590: libldb: performance issue with indexes (ldb 2.9.2 is already released). o Ralph Boehme <slow@samba.org> * BUG 15624: DH reconnect error handling can lead to stale sharemode entries. * BUG 15732: smbd fails to correctly check sharemode against OVERWRITE dispositions. o Andréas Leroux <aleroux@tranquil.it> * BUG 15692: Missing conversion for msDS-UserTGTLifetime, msDS- ComputerTGTLifetime and msDS-ServiceTGTLifetime on "samba-tool domain auth policy modify". o Stefan Metzmacher <metze@samba.org> * BUG 14356: Protocol error - Unclear debug message "pad length mismatch" for invalid bind packet. * BUG 15280: irpc_destructor may crash during shutdown. * BUG 15425: NetrGetLogonCapabilities QueryLevel 2 needs to be implemented. * BUG 15624: DH reconnect error handling can lead to stale sharemode entries. * BUG 15649: Durable handle is not granted when a previous OPEN exists with NoOplock. * BUG 15651: Durable handle is granted but reconnect fails. * BUG 15708: Disconnected durable handles with RH lease should not be purged by a new non conflicting open. * BUG 15740: gss_accept_sec_context() from Heimdal does not imply GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE. * BUG 15749: winbindd should call process_set_title() for locator child. o Christof Schmitt <cs@samba.org> * BUG 15730: VFS_OPEN_HOW_WITH_BACKUP_INTENT breaks shadow_copy2. o Jones Syue <jonessyue@qnap.com> ------------------------------------------------------------------- Tue Sep 17 14:58:31 UTC 2024 - macke d <mdbuild@use.startmail.com> - ============================== Release Notes for Samba 4.20.5 September 17, 2024 ============================== This is the latest stable release of the Samba 4.20 release series. Changes since 4.20.4 -------------------- o Ralph Boehme <slow@samba.org> * BUG 15695: "inherit permissions = yes" triggers assert() in vfs_default when creating a stream. o David Disseldorp <ddiss@samba.org> * BUG 15699: Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated. o Pavel Filipenský <pfilipensky@samba.org> * BUG 15698: samba-tool can not load the default configuration file. o Stefan Metzmacher <metze@samba.org> * BUG 15696: Compound SMB2 requests don't return NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses MacOSX clients. o Anoop C S <anoopcs@samba.org> * BUG 15686: Add new vfs_ceph module (based on low level API). o Shachar Sharon <ssharon@redhat.com> * BUG 15686: Add new vfs_ceph module (based on low level API). * BUG 15700: Crash when readlinkat fails. o Jones Syue <jonessyue@qnap.com> * BUG 15677: ntlm_auth make logs more consistent with length check. ------------------------------------------------------------------- Tue Aug 6 12:15:48 UTC 2024 - macke d <mdbuild@use.startmail.com> - ============================== Release Notes for Samba 4.20.4 August 06, 2024 ============================== This is the latest stable release of the Samba 4.20 release series. Changes since 4.20.3 -------------------- This only fixes a regression in library version strings in Samba 4.20.3, see: https://bugzilla.samba.org/show_bug.cgi?id=15673 If you compiled Samba from the sources and don't have other applications relying on Samba's public libraries, there's no reason to upgrade from 4.20.3 to 4.20.4. o Andreas Schneider <asn@samba.org> * BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters. o Stefan Metzmacher <metze@samba.org> * BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters. ------------------------------------------------------------------- Sun Aug 4 11:56:32 UTC 2024 - macke d <mdbuild@use.startmail.com> - ============================== Release Notes for Samba 4.20.3 August 02, 2024 ============================== This is the latest stable release of the Samba 4.20 release series. LDAP TLS/SASL channel binding support ------------------------------------- The ldap server supports SASL binds with kerberos or NTLMSSP over TLS connections now (either ldaps or starttls). Setups where 'ldap server require strong auth = allow_sasl_over_tls' was required before, can now most likely move to the default of 'ldap server require strong auth = yes'. If SASL binds without correct tls channel bindings are required 'ldap server require strong auth = allow_sasl_without_tls_channel_bindings' should be used now, as 'allow_sasl_over_tls' will generate a warning in every start of 'samba', as well as '[samba-tool ]testparm'. This is similar to LdapEnforceChannelBinding under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on Windows. All client tools using ldaps also include the correct channel bindings now. smb.conf changes ================ Parameter Name Description Default -------------- ----------- ------- ldap server require strong auth new values Changes since 4.20.2 -------------------- o Andreas Schneider <asn@samba.org> * BUG 15683: Running samba-bgqd a a standalone systemd service does not work. o Andrew Bartlett <abartlet@samba.org> * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account need to change their own password. o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 15671: Invalid client warning about command line passwords. * BUG 15672: Version string is truncated in manpages. * BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters. * BUG 15674: cmdline_burn does not always burn secrets. * BUG 15685: Samba does not parse SDDL found in defaultSecurityDescriptor in AD_DS_Classes_Windows_Server_v1903.ldf. o Jo Sutton <josutton@catalyst.net.nz> * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account need to change their own password. o Pavel Filipenský <pfilipensky@samba.org> * BUG 15660: The images don\'t build after the git security release and CentOS 8 Stream is EOL. o Ralph Boehme <slow@samba.org> * BUG 15676: Fix clock skew error message and memory cache clock skew recovery. o Stefan Metzmacher <metze@samba.org> * BUG 15603: Heimdal ignores _gsskrb5_decapsulate errors in init_sec_context/repl_mutual. * BUG 15621: s4:ldap_server: does not support tls channel bindings for sasl binds. o Xavi Hernandez <xhernandez@redhat.com> * BUG 15678: CTDB socket output queues may suffer unbounded delays under some special conditions. ------------------------------------------------------------------- Thu Jun 20 09:01:06 UTC 2024 - macke d <mdbuild@use.startmail.com> - ============================== Release Notes for Samba 4.20.2 June 19, 2024 ============================== This is the latest stable release of the Samba 4.20 release series. Changes since 4.20.1 -------------------- o Jeremy Allison <jra@samba.org> * BUG 15662: vfs_widelinks with DFS shares breaks case insensitivity. o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 13213: Samba build is not reproducible. * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare function. * BUG 15625: Many qsort() comparison functions are non-transitive, which can lead to out-of-bounds access in some circumstances. o Andrew Bartlett <abartlet@samba.org> * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI bill. * BUG 15654: We have added new options --vendor-name and --vendor-patch- revision arguments to ./configure to allow distributions and packagers to put their name in the Samba version string so that when debugging Samba the source of the binary is obvious. o Günther Deschner <gd@samba.org> * BUG 15665: CTDB RADOS mutex helper misses namespace support. o Stefan Metzmacher <metze@samba.org> * BUG 13019: Dynamic DNS updates with the internal DNS are not working. * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0. * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to Windows Server 2022). * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger. * BUG 15620: s4:nbt_server: does not provide unexpected handling, so winbindd can't use nmb requests instead cldap. * BUG 15642: winbindd, net ads join and other things don't work on an ipv6 only host. * BUG 15659: Segmentation fault when deleting files in vfs_recycle. * BUG 15664: Panic in vfs_offload_token_db_fetch_fsp(). * BUG 15666: "client use kerberos" and --use-kerberos is ignored for the machine account. o Noel Power <noel.power@suse.com> * BUG 15435: Regression DFS not working with widelinks = true. o Andreas Schneider <asn@samba.org> * BUG 15633: samba-gpupdate - Invalid NtVer in netlogon_samlogon_response. * BUG 15653: idmap_ad creates an incorrect local krb5.conf in case of trusted domain lookups. * BUG 15660: The images don't build after the git security release and CentOS 8 Stream is EOL. ------------------------------------------------------------------- Wed May 8 09:11:21 UTC 2024 - macke d <mdbuild@use.startmail.com> - ============================== Release Notes for Samba 4.20.1 May 08, 2024 ============================== This is the latest stable release of the Samba 4.20 release series. Changes since 4.20.0 -------------------- o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 15630: dns update debug message is too noisy. o Alexander Bokovoy <ab@samba.org> * BUG 15635: Do not fail PAC validation for RFC8009 checksums types. o Pavel Filipenský <pfilipensky@samba.org> * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad. o Anna Popova <popova.anna235@gmail.com> * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only flag. o Noel Power <noel.power@suse.com> * BUG 15611: http library doesn't support 'chunked transfer encoding'. o Andreas Schneider <asn@samba.org> * BUG 15600: Provide a systemd service file for the background queue daemon. ------------------------------------------------------------------- Mon Apr 8 09:34:06 UTC 2024 - macke d <mdbuild@use.startmail.com> - ============================== Release Notes for Samba 4.19.6 April 08, 2024 ============================== This is the latest stable release of the Samba 4.19 release series. Changes since 4.19.5 -------------------- o Ralph Boehme <slow@samba.org> * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if vfs_stat_fsp() fails in fd_close(). o Guenther Deschner <gd@samba.org> * BUG 15588: samba-gpupdate: Correctly implement site support. o Noel Power <noel.power@suse.com> * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if vfs_stat_fsp() fails in fd_close(). o Andreas Schneider <asn@samba.org> * BUG 15588: samba-gpupdate: Correctly implement site support. * BUG 15599: libgpo: Segfault in python bindings. o Martin Schwenke <mschwenke@ddn.com> * BUG 15580: Packet marshalling push support missing for CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and CTDB_CONTROL_TCP_CLIENT_PASSED. ------------------------------------------------------------------- Tue Feb 20 10:09:49 UTC 2024 - macke d <mdbuild@use.startmail.com> - ============================== Release Notes for Samba 4.19.5 February 19, 2024 ============================== This is the latest stable release of the Samba 4.19 release series. Changes since 4.19.4 -------------------- o Ralph Boehme <slow@samba.org> * BUG 13688: Windows 2016 fails to restore previous version of a file from a shadow_copy2 snapshot. * BUG 15549: Symlinks on AIX are broken in 4.19 (and a few version before that). o Bjoern Jacke <bj@sernet.de> * BUG 12421: Fake directory create times has no effect. o Björn Jacke <bjacke@samba.org> * BUG 15550: ctime mixed up with mtime by smbd. o David Mulder <dmulder@samba.org> * BUG 15548: samba-gpupdate --rsop fails if machine is not in a site. o Gabriel Nagy <gabriel.nagy@canonical.com> * BUG 15557: gpupdate: The root cert import when NDES is not available is broken. o Andreas Schneider <asn@samba.org> * BUG 15552: samba-gpupdate should print a useful message if cepces-submit can't be found. * BUG 15558: samba-gpupdate logging doesn't work. o Jones Syue <jonessyue@qnap.com> * BUG 15555: smbpasswd reset permissions only if not 0600. ------------------------------------------------------------------- Mon Jan 8 14:56:54 UTC 2024 - macke d <mdbuild@use.startmail.com> - ============================== Release Notes for Samba 4.19.4 January 08, 2024 ============================== This is the latest stable release of the Samba 4.19 release series. Changes since 4.19.3 -------------------- o Samuel Cabrero <scabrero@samba.org> * BUG 13577: net changesecretpw cannot set the machine account password if secrets.tdb is empty. o Björn Jacke <bjacke@samba.org> * BUG 15540: For generating doc, take, if defined, env XML_CATALOG_FILES. * BUG 15541: Trivial C typo in nsswitch/winbind_nss_netbsd.c. * BUG 15542: vfs_linux_xfs is incorrectly named. o Björn Jacke <bj@sernet.de> * BUG 15377: systemd stumbled over copyright-message at smbd startup. o Volker Lendecke <vl@samba.org> * BUG 15505: Following intermediate abolute share-local symlinks is broken. * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first. * BUG 15544: shadow_copy2 broken when current fileset's directories are removed. o Stefan Metzmacher <metze@samba.org> * BUG 15377: systemd stumbled over copyright-message at smbd startup. * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first. * BUG 15534: smbd does not detect ctdb public ipv6 addresses for multichannel exclusion. o Andreas Schneider <asn@samba.org> * BUG 15469: 'force user = localunixuser' doesn't work if 'allow trusted domains = no' is set. * BUG 15525: smbget debug logging doesn't work. * BUG 15532: smget: username in the smburl and interactive password entry doesn't work. * BUG 15538: smbget auth function doesn't set values for password prompt correctly. o Martin Schwenke <mschwenke@ddn.com> * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first. o Shachar Sharon <ssharon@redhat.com> * BUG 15440: Unable to copy and write files from clients to Ceph cluster via SMB Linux gateway with Ceph VFS module. o Jones Syue <jonessyue@qnap.com> * BUG 15547: Multichannel refresh network information. ------------------------------------------------------------------- Mon Nov 27 13:23:06 UTC 2023 - macke d <mdbuild@use.startmail.com> - ============================== Release Notes for Samba 4.19.3 November 27, 2023 ============================== This is the latest stable release of the Samba 4.19 release series. It contains the security-relevant bugfix CVE-2018-14628: Wrong ntSecurityDescriptor values for "CN=Deleted Objects" allow read of object tombstones over LDAP (Administrator action required!) https://www.samba.org/samba/security/CVE-2018-14628.html Description of CVE-2018-14628 ----------------------------- All versions of Samba from 4.0.0 onwards are vulnerable to an information leak (compared with the established behaviour of Microsoft's Active Directory) when Samba is an Active Directory Domain Controller. When a domain was provisioned with an unpatched Samba version, the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object instead of being very strict (as on a Windows provisioned domain). This means also non privileged users can use the LDAP_SERVER_SHOW_DELETED_OID control in order to view, the names and preserved attributes of deleted objects. No information that was hidden before the deletion is visible, but in with the correct ntSecurityDescriptor value in place the whole object is also not visible without administrative rights. There is no further vulnerability associated with this error, merely an information disclosure. Action required in order to resolve CVE-2018-14628! --------------------------------------------------- The patched Samba does NOT protect existing domains! The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain: samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix The above requires manual interaction in order to review the changes before they are applied. Typicall question look like this: Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default? Owner mismatch: SY (in ref) DA(in current) Group mismatch: SY (in ref) DA(in current) Part dacl is different between reference and current here is the detail: (A;;LCRPLORC;;;AU) ACE is not present in the reference (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current (A;;LCRP;;;BA) ACE is not present in the current [y/N/all/none] y Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org' The change should be confirmed with 'y' for all objects starting with 'CN=Deleted Objects'. Changes since 4.19.2 -------------------- o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> * BUG 15520: sid_strings test broken by unix epoch > 1700000000. o Ralph Boehme <slow@samba.org> * BUG 15487: smbd crashes if asked to return full information on close of a stream handle with delete on close disposition set. * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor(). o Pavel Filipenský <pfilipensky@samba.org> * BUG 15499: Improve logging for failover scenarios. o Björn Jacke <bj@sernet.de> * BUG 15093: Files without "read attributes" NFS4 ACL permission are not listed in directories. o Stefan Metzmacher <metze@samba.org> * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP to normal users. * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal accounts. o Christof Schmitt <cs@samba.org> * BUG 15507: vfs_gpfs stat calls fail due to file system permissions. o Andreas Schneider <asn@samba.org> * BUG 15513: Samba doesn't build with Python 3.12. ------------------------------------------------------------------- Mon Oct 16 14:30:16 UTC 2023 - macke d <mdbuild@use.startmail.com> - ============================== Release Notes for Samba 4.19.2 October 16, 2023 ============================== This is the latest stable release of the Samba 4.19 release series. Changes since 4.19.1 -------------------- o Jeremy Allison <jra@samba.org> * BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown after failed IPC FSCTL_PIPE_TRANSCEIVE. * BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown() call. o Ralph Boehme <slow@samba.org> * BUG 15463: macOS mdfind returns only 50 results. o Volker Lendecke <vl@samba.org> * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with previous cache entry value. o Stefan Metzmacher <metze@samba.org> * BUG 15464: libnss_winbind causes memory corruption since samba-4.18, impacts sendmail, zabbix, potentially more. o Martin Schwenke <mschwenke@ddn.com> * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs. o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19 * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is in use. ------------------------------------------------------------------- Tue Oct 10 15:49:11 UTC 2023 - macke d <mdbuild@use.startmail.com> - ============================== Release Notes for Samba 4.19.1 October 10, 2023 ============================== This is a security release in order to address the following defects: o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to existing unix domain sockets on the file system. https://www.samba.org/samba/security/CVE-2023-3961.html o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes" https://www.samba.org/samba/security/CVE-2023-4091.html o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all attributes, including secrets and passwords. Additionally, the access check fails open on error conditions. https://www.samba.org/samba/security/CVE-2023-4154.html o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the server block for a user-defined amount of time, denying service. https://www.samba.org/samba/security/CVE-2023-42669.html o CVE-2023-42670: Samba can be made to start multiple incompatible RPC listeners, disrupting service on the AD DC. https://www.samba.org/samba/security/CVE-2023-42670.html Changes since 4.19.0 -------------------- o Jeremy Allison <jra@samba.org> * BUG 15422: CVE-2023-3961. o Andrew Bartlett <abartlet@samba.org> * BUG 15424: CVE-2023-4154. * BUG 15473: CVE-2023-42670. * BUG 15474: CVE-2023-42669. o Ralph Boehme <slow@samba.org> * BUG 15439: CVE-2023-4091. ------------------------------------------------------------------- Tue Oct 10 15:49:00 UTC 2023 - macke d <mdbuild@use.startmail.com> ============================== Release Notes for Samba 4.19.0 September 04, 2023 ============================== This is the first stable release of the Samba 4.19 release series. Please read the release notes carefully before upgrading. NEW FEATURES/CHANGES ==================== Migrated smbget to use common command line parser ------------------------------------------------- The smbget utility implemented its own command line parsing logic. After discovering an issue we decided to migrate it to use the common command line parser. This has some advantages as you get all the feature it provides like Kerberos authentication. The downside is that breaks the options interface. The support for smbgetrc has been removed. You can use an authentication file if needed, this is documented in the manpage. Please check the smbget manpage or --help output. gpupdate changes ---------------- The libgpo.get_gpo_list function has been deprecated in favor of an implementation written in python. The new function can be imported via `import samba.gp`. The python implementation connects to Active Directory using the SamDB module, instead of ADS (which is what libgpo uses). Improved winbind logging and a new tool for parsing the winbind logs -------------------------------------------------------------------- Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain new trace header fields 'traceid' and 'depth'. Field 'traceid' allows to track the trace records belonging to the same request. Field 'depth' allows to track the request nesting level. A new tool samba-log-parser is added for better log parsing. AD database prepared to FL 2016 standards for new domains --------------------------------------------------------- While Samba still provides only Functional Level 2008R2 by default, Samba as an AD DC will now, in provision ensure that the blank database is already prepared for Functional Level 2016, with AD Schema 2019. This preparation is of the default objects in the database, adding containers for Authentication Policies, Authentication Silos and AD claims in particular. These DB objects must be updated to allow operation of the new features found in higher functional levels. Kerberos Claims, Authentication Silos and NTLM authentication policies ---------------------------------------------------------------------- An initial, partial implementation of Active Directory Functional Level 2012, 2012R2 and 2016 is available in this release. In particular Samba will issue Active Directory "Claims" in the PAC, for member servers that support these, and honour in-directory configuration for Authentication Policies and Authentication Silos. The primary limitation is that while Samba can read and write claims in the directory, and populate the PAC, Samba does not yet use them for access control decisions. While we continue to develop these features, existing domains can test the feature by selecting the functional level in provision or raising the DC functional level by setting ad dc functional level = 2016 in the smb.conf The smb.conf file on each DC must have 'ad dc functional level = 2016' set to have the partially complete feature available. This will also, at first startup, update the server's own AD entry with the configured functional level. For new domains, add these parameters to 'samba-tool provision' --option="ad dc functional level = 2016" --function-level=2016 The second option, setting the overall domain functional level indicates that all DCs should be at this functional level. To raise the domain functional level of an existing domain, after updating the smb.conf and restarting Samba run samba-tool domain schemaupgrade --schema=2019 samba-tool domain functionalprep --function-level=2016 samba-tool domain level raise --domain-level=2016 --forest-level=2016 Improved KDC Auditing --------------------- As part of the auditing required to allow successful deployment of Authentication Policies and Authentication Silos, our KDC now provides Samba-style JSON audit logging of all issued Kerberos tickets, including if they would fail a policy that is not yet enforced. Additionally most failures are audited, (after the initial pre-validation of the request). Kerberos Armoring (FAST) Support for Windows clients ---------------------------------------------------- In domains where the domain controller functional level is set, as above, to 2012, 2012_R2 or 2016, Windows clients will, if configured via GPO, use FAST to protect user passwords between (in particular) a workstation and the KDC on the AD DC. This is a significant security improvement, as weak passwords in an AS-REQ are no longer available for offline attack. Claims compression in the AD PAC -------------------------------- Samba as an AD DC will compress "AD claims" using the same compression algorithm as Microsoft Windows. Resource SID compression in the AD PAC -------------------------------------- Samba as an AD DC will now correctly populate the various PAC group membership buffers, splitting global and local groups correctly. Additionally, Samba marshals Resource SIDs, being local groups in the member server's own domain, to only consume a header and 4 bytes per group in the PAC, not a full-length SID worth of space each. This is known as "Resource SID compression". Resource Based Constrained Delegation (RBCD) support in both MIT and Heimdal ----------------------------------------------------------------------------- Samba AD DC built with MIT Kerberos (1.20 and later) has offered RBCD support since Samba 4.17. Samba 4.19 brings this feature to the default Heimdal KDC. Samba 4.17 added to samba-tool delegation the 'add-principal' and 'del-principal' subcommands in order to manage RBCD, and the database changes made by these tools are now honoured by the Heimdal KDC once Samba is upgraded. Likewise, now both MIT (1.20 and later) and Heimdal KDCs add the Asserted Identity [1] SID into the PAC for constrained delegation. [1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview New samba-tool support for silos, claims, sites and subnets. ------------------------------------------------------------ samba-tool can now list, show, add and manipulate Authentication Silos (silos) and Active Directory Authentication Claims (claims). samba-tool can now list and show Active Directory sites and subnets. A new Object Relational Model (ORM) based architecture, similar to that used with Django, has been built to make adding new samba-tool subcommands simpler and more consistent, with JSON output available standard on these new commands. Updated GnuTLS requirement / in-tree cryptography removal ---------------------------------------------------------- Samba requires GnuTLS 3.6.13 and prefers GnuTLS 3.6.14 or later. This has allowed Samba to remove all of our in-tree cryptography, except that found in our Heimdal import. Samba's runtime cryptography needs are now all provided by GnuTLS. (The GnuTLS vesion requirement is raised to 3.7.2 on systems without the Linux getrandom()) We also use Python's cryptography module for our testing. The use of well known cryptography libraries makes Samba easier for end-users to validate and deploy, and for distributors to ship. This is the end of a very long journey for Samba. Updated Heimdal import ---------------------- Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to the current pre-8.0 (master) tree from upstream Heimdal, ensuring that this vendored copy, included in our release remains as close as possible to the current upstream code. Revocation support in Heimdal KDC for PKINIT certificates --------------------------------------------------------- Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication. This list is reloaded each time the file changes, so no further action other than replacing the file is required. The additional krb5.conf option is: [kdc] pkinit_revoke = FILE:/path/to/crl.pem Information on the "Smart Card login" feature as a whole is at: https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login Protocol level testsuite for (Smart Card Logon) PKINIT ------------------------------------------------------ Previously Samba's PKINIT support in the KDC was tested by use of shell scripts around the client tools of MIT or Heimdal Kerberos. Samba's independently written python testsuite has been extended to validate KDC behaviour for PKINIT. Require encrypted connection to modify unicodePwd on the AD DC -------------------------------------------------------------- Setting the password on an AD account on should never be attempted over a plaintext or signed-only LDAP connection. If the unicodePwd (or userPassword) attribute is modified without encryption (as seen by Samba), the request will be rejected. This is to encourage the administrator to use an encrypted connection in the future. NOTE WELL: If Samba is accessed via a TLS frontend or load balancer, the LDAP request will be regarded as plaintext. Samba AD TLS Certificates can be reloaded ----------------------------------------- The TLS certificates used for Samba's AD DC LDAP server were previously only read on startup, and this meant that when then expired it was required to restart Samba, disrupting service to other users. smbcontrol ldap_server reload-certs This will now allow these certificates to be reloaded 'on the fly' ================ REMOVED FEATURES ================ smb.conf changes ================ Parameter Name Description Default -------------- ----------- ------- winbind debug traceid Add traceid No directory name cache size Removed
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor