Samba 4.20 Features added/changed
- Release Notes for 4.20.0rc3
- February 26, 2024
This is the third release candidate of Samba 4.20. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.
Samba 4.20 will be the next version of the Samba suite.
New Minimum MIT Krb5 version for Samba AD Domain Controller
Samba now requires MIT 1.21 when built against a system MIT Krb5 and acting as an Active Directory DC. This addresses the issues that were fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that Samba builds against the MIT version that allows us to avoid that attack.
Removed dependency on Perl JSON module
Distributions are advised that the Perl JSON package is no longer required by Samba builds that use the imported Heimdal. The build instead uses Perl's JSON::PP built into recent perl5 versions.
Current lists of packages required by Samba for major distributions are found in the bootstrap/generated-dists/ directory of a Samba source tree. While there will be some differences - due to features chosen by packagers - comparing these lists with the build dependencies in a package may locate other dependencies we no longer require.
samba-tool user getpassword / syncpasswords ;rounds= change
The password access tool "samba-tool user getpassword" and the password sync tool "samba-tool user syncpasswords" allow attributes to be chosen for output, and accept parameters like pwdLastSet;format=GeneralizedTime.
These attributes then appear, in the same format, as the attributes in the LDIF output. This was not the case for the ;rounds= parameter of virtualCryptSHA256 and virtualCryptSHA512, for example --attributes="virtualCryptSHA256;rounds=50000".
This release makes the behaviour consistent between these two features. Installations using GPG-encrypted passwords (or plaintext storage) and the rounds= option will find the output has changed.
Group Managed service account client-side features
samba-tool has been extended to provide client-side support for Group Managed Service accounts. These accounts have passwords that change automatically, giving the advantages of service isolation without risk of poor, unchanging passwords.
Where possible, Samba's existing samba-tool password handling commands, which in the past have only operated against the local sam.ldb, have been extended to permit operation against a remote server with authenticated access to "-H ldap://$DCNAME".
Supported operations include:
- reading the current and previous gMSA password via "samba-tool user getpassword"
- writing a Kerberos Ticket Granting Ticket (TGT) to a local credentials cache with the new command "samba-tool user get-kerberos-ticket"
New Windows Search Protocol Client
Samba now by default builds a new experimental Windows Search Protocol (WSP) command line client, "wspsearch".
The "wspsearch" cmd-line utility allows a WSP search request to be sent to a server (such as a Windows server) that has the Windows Search Protocol (WSP) service configured and enabled.
For more details see the wspsearch man page.
Allow 'smbcacls' to save/restore DACLs to file
'smbcacls' has been extended to allow DACLs to be saved and restored to/from a file. This feature mimics the functionality that the Windows cmd-line tool 'icacls.exe' provides. Additionally, files created either by 'smbcacls' or 'icacls.exe' are interchangeable and can be used by either tool, as the same file format is used.
New options added are:
- '--save savefile': saves DACLs in SDDL format to the file.
- A recursive option performs the '--save' operation above on a directory and all files/directories below it.
- '--restore savefile': restores the stored DACLs to the files in the directory.
Samba-tool extensions for AD Claims, Authentication Policies and Silos
samba-tool now allows users to be associated with claims. In the Samba AD DC, claims derive from Active Directory attributes mapped into specific names. These claims can be used in rules, which are conditional ACEs in a security descriptor, that decide if a user is restricted by an authentication policy.
samba-tool also allows the creation and management of authentication policies, which are rules about where a user may authenticate from, if NTLM is permitted, and what services a user may authenticate to.
Finally, support is added for the creation and management of authentication silos, which are helpful in defining network boundaries by grouping users and the services they connect to.
Please note: The command line syntax for these tools is not final, and may change before the next release, as we gain user feedback. The syntax will be locked in once Samba offers 2016 AD Functional Level as a default.
AD DC support for Authentication Silos and Authentication Policies
The Samba AD DC now also honours any existing claims, authentication policy and authentication silo configuration previously created (e.g. from an import of a Microsoft AD), as well as new configurations created with samba-tool. The use of Microsoft's PowerShell based client tools is not expected to work.
To use this feature, the functional level must be set to 2012_R2 or later with:
ad dc functional level = 2016
in the smb.conf.
The smb.conf file on each DC must have 'ad dc functional level = 2016' set to have the partially complete feature available. This will also, at first startup, update the server's own AD entry with the configured functional level.
For new domains, add these parameters to 'samba-tool provision':
--option="ad dc functional level = 2016" --function-level=2016
The second option, setting the overall domain functional level indicates that all DCs should be at this functional level.
To raise the domain functional level of an existing domain, after updating the smb.conf and restarting Samba, run:
samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016
samba-tool domain level raise --domain-level=2016 --forest-level=2016
This support is still new, so is not enabled by default in this release. The above instructions are set at 2016, which while not complete, matches what our testing environment validates.
Conditional ACEs and Resource Attribute ACEs
Ordinary Access Control Entries (ACEs) unconditionally allow or deny access to a given user or group. Conditional ACEs have an additional section that describes conditions under which the ACE applies. If the conditional expression is true, the ACE works like an ordinary ACE, otherwise it is ignored. The condition terms can refer to claims, group memberships, and attributes on the object itself. These attributes are described in Resource Attribute ACEs that occur in the object's System Access Control List (SACL). Conditional ACEs are described in Microsoft documentation.
Conditional ACE evaluation is controlled by the "acl claims evaluation" smb.conf option. The default value is "AD DC only" which enables them in AD DC settings. The other option is "never", which disables them altogether. There is currently no option to enable them on the file server (this is likely to change in future releases).
The Security Descriptor Definition Language has extensions for conditional ACEs and resource attribute ACEs; these are now supported by Samba.
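The evaluation rule described above (a conditional ACE acts as an ordinary ACE when its condition is true and is ignored otherwise, with resource attributes supplied by Resource Attribute ACEs in the SACL) as an added toy model; this is not Samba's code, conditions are hand-built ASTs rather than parsed SDDL text, and the SIDs, claim names and access mask bits are constructed for the example.

```python
# Toy model of conditional-ACE evaluation (added example, not Samba's code).
# DACL entries: {"kind": "allow"|"deny", "sid", "mask", optional "cond"}; SACL
# resource attribute ACEs: {"kind": "resource_attr", "attr": (name, value)}.
# Conditions are hand-built ASTs instead of parsed SDDL: ("user", attr, value),
# ("resource", attr, value), ("member_of", sid), ("and"/"or", a, b), ("not", a).
READ, WRITE = 0x1, 0x2           # simplified access mask bits
EVERYONE = "S-1-1-0"

def evaluate(cond, token, res):
    op, *args = cond
    if op == "user":              # user claim, e.g. from an AD attribute
        return token["claims"].get(args[0]) == args[1]
    if op == "resource":          # attribute stored on the object itself
        return res.get(args[0]) == args[1]
    if op == "member_of":
        return args[0] in token["groups"]
    if op == "not":
        return not evaluate(args[0], token, res)
    a, b = (evaluate(c, token, res) for c in args)
    return (a and b) if op == "and" else (a or b)

def access_check(dacl, sacl, token, desired):
    # Resource attribute ACEs live in the SACL and feed the condition terms.
    res = {a["attr"][0]: a["attr"][1] for a in sacl if a["kind"] == "resource_attr"}
    mine = token["groups"] | {token["sid"], EVERYONE}
    granted = 0
    for ace in dacl:
        if ace["sid"] not in mine:
            continue
        if "cond" in ace and not evaluate(ace["cond"], token, res):
            continue              # condition false: the ACE is ignored
        if ace["kind"] == "deny" and ace["mask"] & desired & ~granted:
            return False          # deny on a still-ungranted right wins
        if ace["kind"] == "allow":
            granted |= ace["mask"] & desired
            if granted == desired:
                return True
    return False

# Constructed sample: a Finance object; the group SID below is a placeholder.
FIN_GROUP = "S-1-5-21-0-0-0-1105"
SACL = [{"kind": "resource_attr", "attr": ("Department", "Finance")}]
DACL = [
    {"kind": "deny", "sid": EVERYONE, "mask": WRITE,
     "cond": ("not", ("member_of", FIN_GROUP))},
    {"kind": "allow", "sid": EVERYONE, "mask": READ | WRITE,
     "cond": ("and", ("user", "Department", "Finance"),
                     ("resource", "Department", "Finance"))},
]

def check(claims, groups, desired):
    token = {"sid": "S-1-5-21-0-0-0-2001", "groups": set(groups), "claims": claims}
    return access_check(DACL, SACL, token, desired)
```

With this sample a user whose Department claim matches the object's resource attribute can read it, but only members of the Finance group can write, because the conditional deny is skipped for them and applied to everyone else.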
Get locally logged on users from utmp
The Workstation Service Remote Protocol [MS-WKST] calls NetWkstaGetInfo (level 102) and NetWkstaEnumUsers (levels 0 and 1) return the list of locally logged on users. Samba obtained this list from utmp, which is not Y2038 safe. This feature has been completely removed, and Samba will now always return an empty list.
Parameter Name          Description    Default
--------------          -----------    -------
smb3 unix extensions    Per share      -
acl claims evaluation   new            AD DC only
CHANGES SINCE 4.20.0rc2
- Rob van der Linde <email@example.com>
- BUG 15575: Remove unsupported "Final" keyword missing from Python 3.6.
- Stefan Metzmacher <firstname.lastname@example.org>
- BUG 15577: Additional witness backports for 4.20.0.
- Noel Power <email@example.com>
- BUG 15579: Error output with wspsearch.
- Martin Schwenke <firstname.lastname@example.org>
- BUG 15580: Packet marshalling push support missing for CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and CTDB_CONTROL_TCP_CLIENT_PASSED.
- Jo Sutton <email@example.com>
- BUG 15575: Remove unsupported "Final" keyword missing from Python 3.6.
CHANGES SINCE 4.20.0rc1
- Douglas Bagnall <firstname.lastname@example.org>
- BUG 15574: Performance regression for NDR parsing of security descriptors.
- Anoop C S <email@example.com>
- BUG 15565: Build and install man page for wspsearch client utility.
- Andreas Schneider <firstname.lastname@example.org>
- BUG 15558: samba-gpupdate logging doesn't work.