The branch, master has been updated
       via  223b2b0 NEWS[4.19.0]: Samba 4.19.0 Available for Download
      from  c567968 NEWS[4.19.0rc4]: Samba 4.19.0rc4 Available for Download
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 223b2b02ee646ff8778b10b4d86a3c7ed9222e3a Author: Jule Anger <jan...@samba.org> Date: Mon Sep 4 14:54:17 2023 +0200 NEWS[4.19.0]: Samba 4.19.0 Available for Download Signed-off-by: Jule Anger <jan...@samba.org> ----------------------------------------------------------------------- Summary of changes: history/header_history.html | 1 + history/samba-4.19.0.html | 346 +++++++++++++++++++++++ posted_news/20230904-125507.4.19.0.body.html | 12 + posted_news/20230904-125507.4.19.0.headline.html | 3 + 4 files changed, 362 insertions(+) create mode 100644 history/samba-4.19.0.html create mode 100644 posted_news/20230904-125507.4.19.0.body.html create mode 100644 posted_news/20230904-125507.4.19.0.headline.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index da9f631..ad9978a 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,6 +9,7 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.19.0.html">samba-4.19.0</a></li> <li><a href="samba-4.18.6.html">samba-4.18.6</a></li> <li><a href="samba-4.18.5.html">samba-4.18.5</a></li> <li><a href="samba-4.18.4.html">samba-4.18.4</a></li> diff --git a/history/samba-4.19.0.html b/history/samba-4.19.0.html new file mode 100644 index 0000000..47f0f6b --- /dev/null +++ b/history/samba-4.19.0.html 
@@ -0,0 +1,346 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.19.0 - Release Notes</title> +</head> +<body> +<H2>Samba 4.19.0 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.19.0.tar.gz">Samba 4.19.0 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.19.0.tar.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.19.0 + September 04, 2023 + ============================== + +This is the first stable release of the Samba 4.19 release series. +Please read the release notes carefully before upgrading. + +NEW FEATURES/CHANGES +==================== + +Migrated smbget to use common command line parser +------------------------------------------------- + +The smbget utility implemented its own command line parsing logic. After +discovering an issue we decided to migrate it to use the common command line +parser. This has some advantages as you get all the feature it provides like +Kerberos authentication. The downside is that breaks the options interface. +The support for smbgetrc has been removed. You can use an authentication file +if needed, this is documented in the manpage. + +Please check the smbget manpage or --help output. + +gpupdate changes +---------------- + +The libgpo.get_gpo_list function has been deprecated in favor of +an implementation written in python. The new function can be imported via +`import samba.gp`. The python implementation connects to Active Directory +using the SamDB module, instead of ADS (which is what libgpo uses). + +Improved winbind logging and a new tool for parsing the winbind logs +-------------------------------------------------------------------- + +Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain new +trace header fields 'traceid' and 'depth'. 
Field 'traceid' allows to track the +trace records belonging to the same request. Field 'depth' allows to track the +request nesting level. A new tool samba-log-parser is added for better log +parsing. + +AD database prepared to FL 2016 standards for new domains +--------------------------------------------------------- + +While Samba still provides only Functional Level 2008R2 by default, +Samba as an AD DC will now, in provision ensure that the blank +database is already prepared for Functional Level 2016, with AD Schema +2019. + +This preparation is of the default objects in the database, adding +containers for Authentication Policies, Authentication Silos and AD +claims in particular. These DB objects must be updated to allow +operation of the new features found in higher functional levels. + +Kerberos Claims, Authentication Silos and NTLM authentication policies +---------------------------------------------------------------------- + +An initial, partial implementation of Active Directory Functional +Level 2012, 2012R2 and 2016 is available in this release. + +In particular Samba will issue Active Directory "Claims" in the PAC, +for member servers that support these, and honour in-directory +configuration for Authentication Policies and Authentication Silos. + +The primary limitation is that while Samba can read and write claims +in the directory, and populate the PAC, Samba does not yet use them +for access control decisions. + +While we continue to develop these features, existing domains can +test the feature by selecting the functional level in provision or +raising the DC functional level by setting + + ad dc functional level = 2016 + +in the smb.conf + +The smb.conf file on each DC must have 'ad dc functional level = 2016' +set to have the partially complete feature available. This will also, +at first startup, update the server's own AD entry with the configured +functional level. 
+ +For new domains, add these parameters to 'samba-tool provision' + +--option="ad dc functional level = 2016" --function-level=2016 + +The second option, setting the overall domain functional level +indicates that all DCs should be at this functional level. + +To raise the domain functional level of an existing domain, after +updating the smb.conf and restarting Samba run +samba-tool domain schemaupgrade --schema=2019 +samba-tool domain functionalprep --function-level=2016 +samba-tool domain level raise --domain-level=2016 --forest-level=2016 + +Improved KDC Auditing +--------------------- + +As part of the auditing required to allow successful deployment of +Authentication Policies and Authentication Silos, our KDC now provides +Samba-style JSON audit logging of all issued Kerberos tickets, +including if they would fail a policy that is not yet enforced. +Additionally most failures are audited, (after the initial +pre-validation of the request). + +Kerberos Armoring (FAST) Support for Windows clients +---------------------------------------------------- + +In domains where the domain controller functional level is set, as +above, to 2012, 2012_R2 or 2016, Windows clients will, if configured +via GPO, use FAST to protect user passwords between (in particular) a +workstation and the KDC on the AD DC. This is a significant security +improvement, as weak passwords in an AS-REQ are no longer available +for offline attack. + +Claims compression in the AD PAC +-------------------------------- + +Samba as an AD DC will compress "AD claims" using the same compression +algorithm as Microsoft Windows. + +Resource SID compression in the AD PAC +-------------------------------------- + +Samba as an AD DC will now correctly populate the various PAC group +membership buffers, splitting global and local groups correctly. 
+ +Additionally, Samba marshals Resource SIDs, being local groups in the +member server's own domain, to only consume a header and 4 bytes per +group in the PAC, not a full-length SID worth of space each. This is +known as "Resource SID compression". + +Resource Based Constrained Delegation (RBCD) support in both MIT and Heimdal +----------------------------------------------------------------------------- + +Samba AD DC built with MIT Kerberos (1.20 and later) has offered RBCD +support since Samba 4.17. Samba 4.19 brings this feature to the +default Heimdal KDC. + +Samba 4.17 added to samba-tool delegation the 'add-principal' and +'del-principal' subcommands in order to manage RBCD, and the database +changes made by these tools are now honoured by the Heimdal KDC once +Samba is upgraded. + +Likewise, now both MIT (1.20 and later) and Heimdal KDCs add the +Asserted Identity [1] SID into the PAC for constrained delegation. + +[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview + +New samba-tool support for silos, claims, sites and subnets. +------------------------------------------------------------ + +samba-tool can now list, show, add and manipulate Authentication Silos +(silos) and Active Directory Authentication Claims (claims). + +samba-tool can now list and show Active Directory sites and subnets. + +A new Object Relational Model (ORM) based architecture, similar to +that used with Django, has been built to make adding new samba-tool +subcommands simpler and more consistent, with JSON output available +standard on these new commands. + +Updated GnuTLS requirement / in-tree cryptography removal +---------------------------------------------------------- + +Samba requires GnuTLS 3.6.13 and prefers GnuTLS 3.6.14 or later. + +This has allowed Samba to remove all of our in-tree cryptography, +except that found in our Heimdal import. Samba's runtime cryptography +needs are now all provided by GnuTLS. 
+ +(The GnuTLS vesion requirement is raised to 3.7.2 on systems without +the Linux getrandom()) + +We also use Python's cryptography module for our testing. + +The use of well known cryptography libraries makes Samba easier for +end-users to validate and deploy, and for distributors to ship. This +is the end of a very long journey for Samba. + +Updated Heimdal import +---------------------- + +Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to +the current pre-8.0 (master) tree from upstream Heimdal, ensuring that +this vendored copy, included in our release remains as close as +possible to the current upstream code. + +Revocation support in Heimdal KDC for PKINIT certificates +--------------------------------------------------------- + +Samba will now correctly honour the revocation of 'smart card' +certificates used for PKINIT Kerberos authentication. + +This list is reloaded each time the file changes, so no further action +other than replacing the file is required. The additional krb5.conf +option is: + + [kdc] + pkinit_revoke = FILE:/path/to/crl.pem + +Information on the "Smart Card login" feature as a whole is at: + https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login + +Protocol level testsuite for (Smart Card Logon) PKINIT +------------------------------------------------------ + +Previously Samba's PKINIT support in the KDC was tested by use of +shell scripts around the client tools of MIT or Heimdal Kerberos. +Samba's independently written python testsuite has been extended to +validate KDC behaviour for PKINIT. + +Require encrypted connection to modify unicodePwd on the AD DC +-------------------------------------------------------------- + +Setting the password on an AD account on should never be attempted +over a plaintext or signed-only LDAP connection. If the unicodePwd +(or userPassword) attribute is modified without encryption (as seen by +Samba), the request will be rejected. 
This is to encourage the +administrator to use an encrypted connection in the future. + +NOTE WELL: If Samba is accessed via a TLS frontend or load balancer, +the LDAP request will be regarded as plaintext. + +Samba AD TLS Certificates can be reloaded +----------------------------------------- + +The TLS certificates used for Samba's AD DC LDAP server were +previously only read on startup, and this meant that when then expired +it was required to restart Samba, disrupting service to other users. + + smbcontrol ldap_server reload-certs + +This will now allow these certificates to be reloaded 'on the fly' + +================ +REMOVED FEATURES +================ + + +smb.conf changes +================ + + Parameter Name Description Default + -------------- ----------- ------- + winbind debug traceid Add traceid No + directory name cache size Removed + + +CHANGES SINCE 4.19.0rc4 +======================= + +o MikeLiu <mike...@qnap.com> + * BUG 15453: File doesn't show when user doesn't have permission if + aio_pthread is loaded. + +o Martin Schwenke <mschwe...@ddn.com> + * BUG 15451: ctdb_killtcp fails to work with --enable-pcap and libpcap ⥠+ 1.9.1. + + +CHANGES SINCE 4.19.0rc3 +======================= + +o Martin Schwenke <mschwe...@ddn.com> + * BUG 15460: Logging to stdout/stderr with DEBUG_SYSLOG_FORMAT_ALWAYS can log + to syslog. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15458: âsamba-tool domain level raiseâ fails unless given a URL. + + +CHANGES SINCE 4.19.0rc2 +======================= + +o Jeremy Allison <j...@samba.org> + * BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp + pointer. + * BUG 15430: missing return in reply_exit_done(). + * BUG 15432: TREE_CONNECT without SETUP causes smbd to use uninitialized + pointer. + +o Andrew Bartlett <abart...@samba.org> + * BUG 15401: Avoid infinite loop in initial user sync with Azure AD Connect + when synchronising a large Samba AD domain. 
+ * BUG 15407: Samba replication logs show (null) DN. + +o Stefan Metzmacher <me...@samba.org> + * BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number: + bad message_id 2. + * BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed. + +o Martin Schwenke <mschwe...@ddn.com> + * BUG 15438: CID 1539212 causes real issue when output contains only + newlines. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15452: KDC encodes INT64 claims incorrectly. + +o Jones Syue <joness...@qnap.com> + * BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open(). + + +CHANGES SINCE 4.19.0rc1 +======================= + +o Andrew Bartlett <abart...@samba.org> + * BUG 9959: Windows client join fails if a second container CN=System exists + somewhere. + +o Noel Power <noel.po...@suse.com> + * BUG 15435: regression DFS not working with widelinks = true. + +o Arvid Requate <requ...@univention.de> + * BUG 9959: Windows client join fails if a second container CN=System exists + somewhere. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15443: Heimdal fails to build on 32-bit FreeBSD. + +o Jones Syue <joness...@qnap.com> + * BUG 15441: samba-tool ntacl get segfault if aio_pthread appended. + + +KNOWN ISSUES +============ + +https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.19#Release_blocking_bugs + + +</pre> +</p> +</body> +</html> diff --git a/posted_news/20230904-125507.4.19.0.body.html b/posted_news/20230904-125507.4.19.0.body.html new file mode 100644 index 0000000..a086cb5 --- /dev/null +++ b/posted_news/20230904-125507.4.19.0.body.html 
@@ -0,0 +1,12 @@ +<!-- BEGIN: posted_news/20230904-125507.4.19.0.body.html --> +<h5><a name="4.19.0">04 September 2023</a></h5> +<p class=headline>Samba 4.19.0 Available for Download</p> +<p> +This is the latest stable release of the Samba 4.19 release series. +</p> +<p> +The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620). +The source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.19.0.tar.gz">downloaded now</a>. +See <a href="https://www.samba.org/samba/history/samba-4.19.0.html">the release notes for more info</a>. +</p> +<!-- END: posted_news/20230904-125507.4.19.0.body.html --> diff --git a/posted_news/20230904-125507.4.19.0.headline.html b/posted_news/20230904-125507.4.19.0.headline.html new file mode 100644 index 0000000..fd118f6 --- /dev/null +++ b/posted_news/20230904-125507.4.19.0.headline.html @@ -0,0 +1,3 @@ +<!-- BEGIN: posted_news/20230904-125507.4.19.0.headline.html --> +<li> 04 September 2023 <a href="#4.19.0">Samba 4.19.0 Available for Download</a></li> +<!-- END: posted_news/20230904-125507.4.19.0.headline.html --> -- Samba Website Repository
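Review bot: In the history/samba-4.19.0.html hunk, the CHANGES SINCE entries for BUG 15451 and BUG 15458 contain mis-encoded characters ("libpcap ⥠1.9.1" and "âsamba-tool domain level raiseâ"); since the new file declares no charset in <head>, write these as "libpcap >= 1.9.1" and plain-quoted 'samba-tool domain level raise' (or numeric entities) so they render the same under any served encoding. Two structural points in the same file: the REMOVED FEATURES section is empty although the smb.conf table directly below it lists "directory name cache size" as Removed, so either move that removal into the section or note that the table is the only record; and the markup nests <pre> inside <p>, uses an unclosed <br> and an uppercase <H2> while declaring XHTML 1.0 Transitional, so drop the wrapping <p> and use <br /> and <h2> for the document to validate. Typos worth fixing before the notes are published: "GnuTLS vesion requirement", "all the feature it provides", "The downside is that breaks the options interface", "Setting the password on an AD account on should never", "when then expired", and in the PKINIT revocation section "This list is reloaded each time the file changes" refers to a CRL file that is only introduced by the pkinit_revoke option two lines later, so name the file first.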
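Review bot: In the posted_news/20230904-125507.4.19.0.body.html hunk, <p class=headline> leaves the attribute value unquoted while every href in the same fragment is quoted; write class="headline" for consistency and XHTML validity. The <a name="4.19.0"> anchor matches the href="#4.19.0" link added in the headline hunk, and the tarball URL, release-notes URL and GnuPG key ID AA99442FB680B620 agree with the history/samba-4.19.0.html page added in this changeset.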