The branch, v4-22-stable has been updated
via 70cb2fe5fb5 VERSION: Disable GIT_SNAPSHOT for the 4.22.0rc4 release.
via 9286d9c20ad WHATSNEW: Add release notes for Samba 4.22.0rc4.
via dac386f4095 WHATSNEW: add himmelblaud
via 95099cef157 WHATSNEW: add krb5 netlogon smb.conf options
via d589ae806b2 s3:testparm: make it clear that 'client use krb5 netlogon' is experimental
via 6833384a1b8 samba-tool/testparm: make it clear that 'client use krb5 netlogon' is experimental
via 9fe35b7767d docs-xml/smbdotconf: make it clear that 'client use krb5 netlogon' is experimental
via 1c31c4d4498 VERSION: Bump version up to Samba 4.22.0rc4...
from 3f4135db35d VERSION: Disable GIT_SNAPSHOT for the 4.22.0rc3 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-22-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 28 +++++++++++++++++++++-
.../smbdotconf/winbind/clientusekrb5netlogon.xml | 5 ++++
python/samba/netcmd/testparm.py | 10 ++++++++
source3/utils/testparm.c | 13 ++++++++++
5 files changed, 56 insertions(+), 2 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index dcadc0cf4bd..3527d601e67 100644
--- a/VERSION
+++ b/VERSION
@@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=3
+SAMBA_VERSION_RC_RELEASE=4
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b7e111ec06d..ccb811920bb 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
Release Announcements
=====================
-This is the third release candidate of Samba 4.22. This is *not*
+This is the fourth release candidate of Samba 4.22. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -39,6 +39,17 @@ now be configured to use TCP via the new "client netlogon
ping
protocol" parameter to enable running in environments where firewalls
completely block port 389 or UDP traffic to domain controllers.
+Experimental Himmelblaud Authentication in Samba
+------------------------------------------------
+
+Samba now includes experimental support for Azure Entra ID authentication via
+`himmelblaud`, located in the `rust/` directory. This implementation provides
+basic authentication and is configured through `smb.conf`, utilizing options
+such as `realm`, `winbindd_socket_directory`, and `template_homedir`. New
global
+parameters include `himmelblaud_sfa_fallback`, `himmelblaud_hello_enabled`, and
+`himmelblaud_hsm_pin_path`.
+To enable, configure Samba with `--enable-rust --with-himmelblau`.
+
REMOVED FEATURES
================
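Review bot: The parameter names in the new Himmelblaud section are spelled with underscores (`himmelblaud_sfa_fallback`, `himmelblaud_hello_enabled`, `himmelblaud_hsm_pin_path`, `winbindd_socket_directory`, `template_homedir`), while the "smb.conf changes" table in the same file lists them with spaces (`himmelblaud sfa fallback`). Pick one spelling, preferably the one used in the table, so a reader can copy the names into smb.conf without guessing. Since the heading calls the feature experimental, the section should also say whether it is meant for production use, as the rc4 entry does for 'client use krb5 netlogon'.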
@@ -74,10 +85,25 @@ smb.conf changes
smb3 directory leases New Auto
vfs mkdir use tmp name New Auto
client netlogon ping protocol New cldap
+ himmelblaud hello enabled New no
+ himmelblaud hsm pin path New default hsm pin path
+ himmelblaud sfa fallback New no
+ client use krb5 netlogon Experimental no
+ reject aes netlogon servers Experimental no
+ server reject aes schannel Experimental no
+ server support krb5 netlogon Experimental no
fruit:posix_rename Removed
cldap port Removed
+CHANGES SINCE 4.22.0rc3
+=======================
+
+o Stefan Metzmacher <[email protected]>
+ * BUG 15815: client use krb5 netlogon is experimental and should not be used
+ in production.
+
+
CHANGES SINCE 4.22.0rc2
=======================
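Review bot: The row `client use krb5 netlogon Experimental no` gives the default as `no`, but the parameter documentation touched in this same change carries `<value type="default">default</value>`, and the new samba-tool check treats `default` as a separate accepted value. The default column should match the parameter documentation. Two smaller points in the same table: `himmelblaud hsm pin path` has the placeholder text "default hsm pin path" where a value belongs, and the three himmelblaud rows are tagged "New" although the section above describes the feature as experimental. The BUG 15815 entry names only 'client use krb5 netlogon', while three further rows are tagged Experimental and no equivalent warning for them is visible in this change.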
diff --git a/docs-xml/smbdotconf/winbind/clientusekrb5netlogon.xml
b/docs-xml/smbdotconf/winbind/clientusekrb5netlogon.xml
index ad0fc907903..e65941eb901 100644
--- a/docs-xml/smbdotconf/winbind/clientusekrb5netlogon.xml
+++ b/docs-xml/smbdotconf/winbind/clientusekrb5netlogon.xml
@@ -39,6 +39,11 @@
is detected as active directory domain, e.g.
with 'SECURITY = ADS' or on an active directory domain controller.
</para>
+
+ <para><emphasis>
+ WARNING: This option is experimental in this Samba version
+ (see VERSION section below) and should not be used in production!
+ </emphasis></para>
</description>
<value type="default">default</value>
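Review bot: The warning paragraph added before `</description>` does not say which settings it applies to, while both testparm checks in this change only complain about enabled values (reported as `yes` or `auto` by the C check). Naming those values in the paragraph would keep the manpage and the testparm output in agreement. The pointer "see VERSION section below" depends on the rendered page having such a section, which is not visible in this file's context, so that is worth confirming against the generated manpage.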
diff --git a/python/samba/netcmd/testparm.py b/python/samba/netcmd/testparm.py
index 6fbde635a7d..cd854feee9c 100644
--- a/python/samba/netcmd/testparm.py
+++ b/python/samba/netcmd/testparm.py
@@ -191,6 +191,16 @@ class cmd_testparm(Command):
"'allow_sasl_without_tls_channel_bindings' "
"(if really needed).")
+ cli_krb5_netlogon = lp.get("client use krb5 netlogon")
+ if cli_krb5_netlogon not in ["no", "default"]:
+ logger.error(
+ "You have configured "
+ "'client use krb5 netlogon = %s'.\n"
+ "This is experimental in Samba %s "
+ "and should not be used in production!\n\n" %
+ (cli_krb5_netlogon, samba.version))
+ valid = False
+
return valid
def allow_access(self, deny_list, allow_list, cname, caddr):
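Review bot: The test `cli_krb5_netlogon not in ["no", "default"]` is an exact string match, so its result depends on `lp.get()` returning exactly those two lowercase spellings, whereas the C testparm check in this same change tests the parsed integer (`ival > 0`). If `lp.get()` can hand back any other spelling of a disabled value, a safe configuration would set `valid = False` and fail samba-tool testparm. Please confirm what `lp.get()` returns for this parameter, or normalise the value before comparing. As style points, the values could be passed as logger arguments instead of pre-formatting with `%`, and the trailing `\n\n` is unusual inside a logger message.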
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 55c9bf1e076..a93bc020607 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -359,6 +359,7 @@ static int do_global_checks(void)
const char **lp_ptr = NULL;
const struct loadparm_substitution *lp_sub =
loadparm_s3_global_substitution();
+ int ival;
fprintf(stderr, "\n");
@@ -784,6 +785,18 @@ static int do_global_checks(void)
"options\n\n");
}
+ ival = lp__client_use_krb5_netlogon();
+ if (ival > 0) {
+ fprintf(stderr,
+ "ERROR: You have configured "
+ "'client use krb5 netlogon = %s'.\n"
+ "This is experimental in Samba %s "
+ "and should not be used in production!\n\n",
+ ival == Auto ? "auto" : "yes",
+ samba_version_string());
+ ret = 1;
+ }
+
if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) {
fprintf(stderr,
"WARNING: You have configured "
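Review bot: In the new block, `ival == Auto ? "auto" : "yes"` prints `yes` for every positive value other than `Auto`, and the guard `ival > 0` assumes that both `no` and the unset default map to non-positive integers. Neither assumption is stated in the code; a short comment listing the values `lp__client_use_krb5_netlogon()` can return, or an explicit comparison against the named constants, would make the check robust against a later change to the enum. The message is also tagged `ERROR:` and sets `ret = 1`, while the neighbouring `KERBEROS_ETYPES_LEGACY` check prints `WARNING:`; a one-line comment on why this setting fails testparm outright would help future readers.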
--
Samba Shared Repository