Samba 4.20 Features added/changed


Samba 4.20 is in Maintenance Mode.

Samba 4.20.5

Release Notes for Samba 4.20.5
September 17, 2024

This is the latest stable release of the Samba 4.20 release series.

Changes since 4.20.4

  • Ralph Boehme <slow@samba.org>
  • BUG 15695: "inherit permissions = yes" triggers assert() in vfs_default when creating a stream.
  • David Disseldorp <ddiss@samba.org>
  • BUG 15699: Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated.
  • Pavel Filipenský <pfilipensky@samba.org>
  • BUG 15698: samba-tool can not load the default configuration file.
  • Stefan Metzmacher <metze@samba.org>
  • BUG 15696: Compound SMB2 requests don't return NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses MacOSX clients.
  • Anoop C S <anoopcs@samba.org>
  • BUG 15686: Add new vfs_ceph module (based on low level API).
  • Shachar Sharon <ssharon@redhat.com>
  • BUG 15686: Add new vfs_ceph module (based on low level API).
  • BUG 15700: Crash when readlinkat fails.
  • Jones Syue <jonessyue@qnap.com>
  • BUG 15677: ntlm_auth make logs more consistent with length check.
Release Notes Samba 4.20.5

Samba 4.20.4

Release Notes for Samba 4.20.4
August 06, 2024

This is the latest stable release of the Samba 4.20 release series.

Changes since 4.20.3

This only fixes a regression in library version strings in Samba 4.20.3.

If you compiled Samba from the sources and don't have other applications relying on Samba's public libraries, there's no reason to upgrade from 4.20.3 to 4.20.4.

  • Andreas Schneider <asn@samba.org>
  • BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters.
  • Stefan Metzmacher <metze@samba.org>
  • BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters.
Release Notes Samba 4.20.4

Samba 4.20.3

Release Notes for Samba 4.20.3
August 02, 2024

This is the latest stable release of the Samba 4.20 release series.

LDAP TLS/SASL channel binding support

The LDAP server now supports SASL binds with Kerberos or NTLMSSP over TLS connections (either ldaps or starttls).

Setups where 'ldap server require strong auth = allow_sasl_over_tls' was required before can now most likely move to the default of 'ldap server require strong auth = yes'.

If SASL binds without correct TLS channel bindings are still required, 'ldap server require strong auth = allow_sasl_without_tls_channel_bindings' should be used now, as 'allow_sasl_over_tls' will generate a warning at every start of 'samba', as well as of '[samba-tool ]testparm'.

This is similar to LdapEnforceChannelBinding under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on Windows.

All client tools using ldaps also include the correct channel bindings now.

smb.conf changes

 Parameter Name                          Description     Default
 --------------                          -----------     -------
 ldap server require strong auth         new values

Changes since 4.20.2

  • Andreas Schneider <asn@samba.org>
  • BUG 15683: Running samba-bgqd as a standalone systemd service does not work.
  • Andrew Bartlett <abartlet@samba.org>
  • BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account need to change their own password.
  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • BUG 15671: Invalid client warning about command line passwords.
  • BUG 15672: Version string is truncated in manpages.
  • BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters.
  • BUG 15674: cmdline_burn does not always burn secrets.
  • BUG 15685: Samba does not parse SDDL found in defaultSecurityDescriptor in AD_DS_Classes_Windows_Server_v1903.ldf.
  • Jo Sutton <josutton@catalyst.net.nz>
  • BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a Windows computer when user account need to change their own password.
  • Pavel Filipenský <pfilipensky@samba.org>
  • BUG 15660: The images don't build after the git security release and CentOS 8 Stream is EOL.
  • Ralph Boehme <slow@samba.org>
  • BUG 15676: Fix clock skew error message and memory cache clock skew recovery.
  • Stefan Metzmacher <metze@samba.org>
  • BUG 15603: Heimdal ignores _gsskrb5_decapsulate errors in init_sec_context/repl_mutual.
  • BUG 15621: s4:ldap_server: does not support tls channel bindings for sasl binds.
  • Xavi Hernandez <xhernandez@redhat.com>
  • BUG 15678: CTDB socket output queues may suffer unbounded delays under some special conditions.
Release Notes Samba 4.20.3

Samba 4.20.2

Release Notes for Samba 4.20.2
June 19, 2024

This is the latest stable release of the Samba 4.20 release series.

Changes since 4.20.1

  • Jeremy Allison <jra@samba.org>
  • BUG 15662: vfs_widelinks with DFS shares breaks case insensitivity.
  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • BUG 13213: Samba build is not reproducible.
  • BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare function.
  • BUG 15625: Many qsort() comparison functions are non-transitive, which can lead to out-of-bounds access in some circumstances.
  • Andrew Bartlett <abartlet@samba.org>
  • BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI bill.
  • BUG 15654: We have added new options --vendor-name and --vendor-patch-revision arguments to ./configure to allow distributions and packagers to put their name in the Samba version string so that when debugging Samba the source of the binary is obvious.
  • Günther Deschner <gd@samba.org>
  • BUG 15665: CTDB RADOS mutex helper misses namespace support.
  • Stefan Metzmacher <metze@samba.org>
  • BUG 13019: Dynamic DNS updates with the internal DNS are not working.
  • BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0.
  • BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to Windows Server 2022).
  • BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
  • BUG 15620: s4:nbt_server: does not provide unexpected handling, so winbindd can't use nmb requests instead cldap.
  • BUG 15642: winbindd, net ads join and other things don't work on an ipv6 only host.
  • BUG 15659: Segmentation fault when deleting files in vfs_recycle.
  • BUG 15664: Panic in vfs_offload_token_db_fetch_fsp().
  • BUG 15666: "client use kerberos" and --use-kerberos is ignored for the machine account.
  • Noel Power <noel.power@suse.com>
  • BUG 15435: Regression DFS not working with widelinks = true.
  • Andreas Schneider <asn@samba.org>
  • BUG 15633: samba-gpupdate - Invalid NtVer in netlogon_samlogon_response.
  • BUG 15653: idmap_ad creates an incorrect local krb5.conf in case of trusted domain lookups.
  • BUG 15660: The images don't build after the git security release and CentOS 8 Stream is EOL.
Release Notes Samba 4.20.2

Samba 4.20.1

Release Notes for Samba 4.20.1
May 08, 2024

This is the latest stable release of the Samba 4.20 release series.

Changes since 4.20.0

  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • BUG 15630: dns update debug message is too noisy.
  • Alexander Bokovoy <ab@samba.org>
  • BUG 15635: Do not fail PAC validation for RFC8009 checksums types.
  • Pavel Filipenský <pfilipensky@samba.org>
  • BUG 15605: Improve performance of lookup_groupmem() in idmap_ad.
  • Anna Popova <popova.anna235@gmail.com>
  • BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only flag.
  • Noel Power <noel.power@suse.com>
  • BUG 15611: http library doesn't support 'chunked transfer encoding'.
  • Andreas Schneider <asn@samba.org>
  • BUG 15600: Provide a systemd service file for the background queue daemon.
https://www.samba.org/samba/history/samba-4.20.1.html

Samba 4.20.0

Release Notes for 4.20.0
March 27, 2024

Release Announcements

This is the first stable release of the Samba 4.20 release series. Please read the release notes carefully before upgrading.

NEW FEATURES/CHANGES

New Minimum MIT Krb5 version for Samba AD Domain Controller

Samba now requires MIT 1.21 when built against a system MIT Krb5 and acting as an Active Directory DC. This addresses the issues that were fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that Samba builds against the MIT version that allows us to avoid that attack.

Removed dependency on Perl JSON module

Distributions are advised that the Perl JSON package is no longer required by Samba builds that use the imported Heimdal. The build instead uses Perl's JSON::PP built into recent perl5 versions.

Current lists of packages required by Samba for major distributions are found in the bootstrap/generated-dists/ directory of a Samba source tree. While there will be some differences - due to features chosen by packagers - comparing these lists with the build dependencies in a package may locate other dependencies we no longer require.

samba-tool user getpassword / syncpasswords ;rounds= change

The password access tool "samba-tool user getpassword" and the password sync tool "samba-tool user syncpasswords" allow attributes to be chosen for output, and accept parameters like pwdLastSet;format=GeneralizedTime.

These attributes then appear, in the same format, as the attributes in the LDIF output. This was not the case for the ;rounds= parameter of virtualCryptSHA256 and virtualCryptSHA512, for example as --attributes="virtualCryptSHA256;rounds=50000".

This release makes the behaviour consistent between these two features. Installations using GPG-encrypted passwords (or plaintext storage) and the rounds= option will find the output has changed

from:

virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

to:

virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
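Any script that consumes this LDIF has to accept both the old and the new attribute name. The following is an added example (not Samba code) that splits an LDIF attribute description into its base name and ';option=value' parts, then cross-checks the rounds requested in the attribute name against the rounds embedded in the {CRYPT} hash itself; the sample lines are constructed from the two forms shown above, with the hash values truncated as they are on the page.

```python
"""Consume 'samba-tool user getpassword' / 'syncpasswords' LDIF attribute lines.

Added example, not Samba code. A script that reads this LDIF must accept both
the pre-4.20 form ('virtualCryptSHA256: ...') and the 4.20 form in which the
requested option is echoed back in the attribute name
('virtualCryptSHA256;rounds=2561: ...'). The hash value carries the rounds
count too, so the two can be cross-checked.
"""
import re

# Constructed sample lines; hash values are truncated as they are on the page.
OLD_LINE = "virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF"
NEW_LINE = "virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF"

# LDAP attribute description: base name plus zero or more ';option=value' parts.
ATTR_RE = re.compile(
    r"^(?P<base>[A-Za-z][A-Za-z0-9-]*)(?P<opts>(?:;[A-Za-z0-9-]+=[^;:]+)*):\s*(?P<value>.*)$"
)
# SHA-crypt prefix: $5$ is SHA-256, $6$ is SHA-512; 'rounds=N$' is optional and
# defaults to 5000 in the SHA-crypt specification.
CRYPT_RE = re.compile(r"^\{CRYPT\}\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?")
DEFAULT_SHA_CRYPT_ROUNDS = 5000


def split_attribute(line):
    """Split 'name;opt=val: value' into (name, {opt: val}, value)."""
    m = ATTR_RE.match(line)
    if not m:
        raise ValueError("not an LDIF attribute line: %r" % line)
    options = {}
    for opt in m.group("opts").split(";")[1:]:
        key, _, val = opt.partition("=")
        options[key] = val
    return m.group("base"), options, m.group("value")


def parse_virtual_crypt(line):
    """Describe a virtualCryptSHA256/512 line, old or new style, as a dict."""
    name, options, value = split_attribute(line)
    if name not in ("virtualCryptSHA256", "virtualCryptSHA512"):
        raise ValueError("unexpected attribute %r" % name)
    cm = CRYPT_RE.match(value)
    if not cm:
        raise ValueError("value is not a {CRYPT} SHA-crypt hash")
    hash_rounds = int(cm.group("rounds")) if cm.group("rounds") else DEFAULT_SHA_CRYPT_ROUNDS
    requested = int(options["rounds"]) if "rounds" in options else None
    # With 4.20 the option is echoed back in the name; it must match the hash.
    if requested is not None and requested != hash_rounds:
        raise ValueError("rounds mismatch: attribute says %d, hash says %d" % (requested, hash_rounds))
    return {
        "attribute": name,
        "algorithm": "sha256" if cm.group("id") == "5" else "sha512",
        "requested_rounds": requested,
        "hash_rounds": hash_rounds,
        "value": value,
    }


if __name__ == "__main__":
    for line in (OLD_LINE, NEW_LINE):
        print(parse_virtual_crypt(line))
```

The same split_attribute() handles other option-carrying attribute names such as pwdLastSet;format=GeneralizedTime, which is why the option parsing is kept separate from the {CRYPT} check.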

Group Managed service account client-side features

samba-tool has been extended to provide client-side support for Group Managed Service accounts. These accounts have passwords that change automatically, giving the advantages of service isolation without risk of poor, unchanging passwords.

Where possible, Samba's existing samba-tool password handling commands, which in the past have only operated against the local sam.ldb, have been extended to permit operation against a remote server with authenticated access to "-H ldap://$DCNAME".

Supported operations include:

  • reading the current and previous gMSA password via "samba-tool user getpassword"
  • writing a Kerberos Ticket Granting Ticket (TGT) to a local credentials cache with a new command, "samba-tool user get-kerberos-ticket"

New Windows Search Protocol Client

Samba now by default builds a new experimental Windows Search Protocol (WSP) command line client, "wspsearch".

The "wspsearch" command line utility allows a WSP search request to be sent to a server (such as a Windows server) that has the Windows Search Protocol (WSP) service configured and enabled.

For more details see the wspsearch man page.

Allow 'smbcacls' to save/restore DACLs to file

'smbcacls' has been extended to allow DACLs to be saved and restored to/from a file. This feature mimics the functionality that the Windows command line tool 'icacls.exe' provides. Additionally, files created either by 'smbcacls' or 'icacls.exe' are interchangeable and can be used by either tool, as the same file format is used.

New options added are:

  • '--save savefile': saves the DACLs in SDDL format to the file.
  • '--recurse': performs the '--save' operation above on a directory and all files and directories below it.
  • '--restore savefile': restores the stored DACLs to the files in a directory.
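A saved DACL file is worth reviewing before it is restored, since '--restore' writes whatever the file says. The block below is an added example, not Samba's or Microsoft's code; it assumes the shared save format consists of path/SDDL line pairs (an assumption; 'man smbcacls' is authoritative), parses each SDDL string into owner, group and DACL ACEs, and reports ACEs that grant Everyone write-capable rights as well as Inherit-Only ACEs, the kind whose propagation the BUG 15636 fix in 4.20.1 corrected. The sample file content is constructed.

```python
"""Review a DACL save file before feeding it to 'smbcacls --restore'.

Added example, not Samba's or Microsoft's code. Assumption: the save file
shared by icacls.exe and smbcacls consists of path/SDDL line pairs ('man
smbcacls' is authoritative for the real format).
"""
import re

# Constructed sample in the assumed path/SDDL line-pair layout.
SAMPLE_SAVE_FILE = """\
share\\docs
O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICIIO;0x1200a9;;;WD)(A;;0x1301bf;;;WD)
share\\docs\\readme.txt
O:BAG:DUD:AI(A;ID;FA;;;BA)(A;ID;0x1200a9;;;WD)
"""

SECTION_RE = re.compile(r"([OGDS]):")
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((?P<type>[^;]*);(?P<flags>[^;]*);(?P<rights>[^;]*);"
                    r"(?P<obj>[^;]*);(?P<iobj>[^;]*);(?P<sid>[^)]*)\)")

# Two-letter SDDL access right codes and their masks. Note that 'WD' in the
# rights field means WRITE_DAC, while 'WD' in the SID field means Everyone.
RIGHT_CODES = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
}
# Bits that let a trustee change data, ACLs or ownership, or delete:
# GENERIC_ALL, GENERIC_WRITE, FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE,
# WRITE_DAC, WRITE_OWNER.
WRITE_RIGHTS = (RIGHT_CODES["GA"] | RIGHT_CODES["GW"] | 0x2 | 0x4
                | RIGHT_CODES["SD"] | RIGHT_CODES["WD"] | RIGHT_CODES["WO"])


def rights_mask(rights):
    """Turn an SDDL rights field (hex or two-letter codes) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_CODES[rights[i:i + 2]]
    return mask


def ace_flags(flags):
    """Split the two-letter ACE flag string (e.g. 'OICIIO') into a set."""
    return {flags[i:i + 2] for i in range(0, len(flags), 2)}


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACEs."""
    parts = {}
    marks = list(SECTION_RE.finditer(sddl))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        parts[m.group(1)] = sddl[m.end():end]
    dacl = parts.get("D", "")
    first_ace = dacl.find("(")
    control = dacl if first_ace < 0 else dacl[:first_ace]
    return {
        "owner": parts.get("O", ""),
        "group": parts.get("G", ""),
        "dacl_control": control,
        "aces": [m.groupdict() for m in ACE_RE.finditer(dacl)],
    }


def audit_save_file(text):
    """Return (path, trustee, issue) tuples for every ACE worth a second look."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected path/SDDL line pairs")
    findings = []
    for path, sddl in zip(lines[0::2], lines[1::2]):
        for ace in parse_sddl(sddl)["aces"]:
            if "IO" in ace_flags(ace["flags"]):
                findings.append((path, ace["sid"],
                                 "inherit-only ACE: applies to children, not to this object"))
            if (ace["type"] == "A" and ace["sid"] == "WD"
                    and rights_mask(ace["rights"]) & WRITE_RIGHTS):
                findings.append((path, ace["sid"], "Everyone granted write-capable rights"))
    return findings


if __name__ == "__main__":
    for finding in audit_save_file(SAMPLE_SAVE_FILE):
        print("%s: %s: %s" % finding)
```

On the sample, only the directory entry produces findings: the Inherit-Only read ACE and the modify-level ACE for Everyone; the inherited (ID) read-only ACE on the file is left alone.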

Samba-tool extensions for AD Claims, Authentication Policies and Silos

samba-tool now allows users to be associated with claims. In the Samba AD DC, claims derive from Active Directory attributes mapped into specific names. These claims can be used in rules, which are conditional ACEs in a security descriptor, that decide if a user is restricted by an authentication policy.

samba-tool also allows the creation and management of authentication policies, which are rules about where a user may authenticate from, if NTLM is permitted, and what services a user may authenticate to.

Finally, support is added for the creation and management of authentication silos, which are helpful in defining network boundaries by grouping users and the services they connect to.

Please note: The command line syntax for these tools is not final, and may change before the next release, as we gain user feedback. The syntax will be locked in once Samba offers 2016 AD Functional Level as a default.

The Samba AD DC now also honours any existing claims, authentication policy and authentication silo configuration previously created (eg from an import of a Microsoft AD), as well as new configurations created with samba-tool. The use of Microsoft's Powershell based client tools is not expected to work.

To use this feature, the functional level must be set to 2012_R2 or later with:

ad dc functional level = 2016

in the smb.conf.

The smb.conf file on each DC must have 'ad dc functional level = 2016' set to have the partially complete feature available. This will also, at first startup, update the server's own AD entry with the configured functional level.

For new domains, add these parameters to 'samba-tool provision'

--option="ad dc functional level = 2016" --function-level=2016

The second option, setting the overall domain functional level indicates that all DCs should be at this functional level.

To raise the domain functional level of an existing domain, after updating the smb.conf and restarting Samba run

samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016
samba-tool domain level raise --domain-level=2016 --forest-level=2016

This support is still new, so is not enabled by default in this release. The above instructions are set at 2016, which while not complete, matches what our testing environment validates.

Conditional ACEs and Resource Attribute ACEs

Ordinary Access Control Entries (ACEs) unconditionally allow or deny access to a given user or group. Conditional ACEs have an additional section that describes conditions under which the ACE applies. If the conditional expression is true, the ACE works like an ordinary ACE, otherwise it is ignored. The condition terms can refer to claims, group memberships, and attributes on the object itself. These attributes are described in Resource Attribute ACEs that occur in the object's System Access Control List (SACL). Conditional ACEs are described in Microsoft documentation.

Conditional ACE evaluation is controlled by the "acl claims evaluation" smb.conf option. The default value is "AD DC only" which enables them in AD DC settings. The other option is "never", which disables them altogether. There is currently no option to enable them on the file server (this is likely to change in future releases).

The Security Descriptor Definition Language has extensions for conditional ACEs and resource attribute ACEs; these are now supported by Samba.

Service Witness Protocol [MS-SWN]

In a ctdb cluster it is now possible to provide the SMB witness service, which allows clients to monitor their current SMB connection to cluster node A by asking cluster node B to notify the client if the IP address on node A, or the whole of node A, becomes unavailable.

For disk shares in a ctdb cluster SMB2_SHARE_CAP_SCALEOUT is now always returned for SMB3 tree connect responses.

If the witness service is active SMB2_SHARE_CAP_CLUSTER is now also returned.

In order to activate the witness service "rpc start on demand helpers = no" needs to be configured in the global section. At the same time the 'samba-dcerpcd' service needs to be started explicitly, typically with the '--libexec-rpcds' option in order to make all available services usable. One important aspect is that tcp ports 135 (for the endpoint mapper) and various ports in the 'rpc server dynamic port range' will be used to provide the witness service (rpcd_witness).

ctdb provides a '47.samba-dcerpcd.script' in order to manage the samba-dcerpcd.service. Typically as systemd service, but that's up to the packager and/or admin.

Please note that current Windows clients require SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY in addition to SMB2_SHARE_CAP_CLUSTER in order to make use of the witness service. But SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY implies that Windows clients always ask for persistent handles (which are not implemented in Samba yet), so that every open generates a warning in the Windows SMB client event log. That's why SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY is not returned by default. An explicit 'smb3 share cap:CONTINUOUS AVAILABILITY = yes' is needed.

There are also new 'net witness' commands in order to let the admin list active client registrations or ask specific clients to move their smb connection to another cluster node. These are available:

net witness list
net witness client-move
net witness share-move
net witness force-unregister
net witness force-response

Consult 'man net' or 'net witness help' for further details.
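Several of the settings on this page (the 'ldap server require strong auth' values from the 4.20.3 notes, the 'ad dc functional level = 2016' prerequisite for claims, policies and silos, and the 'rpc start on demand helpers = no' plus 'smb3 share cap:CONTINUOUS AVAILABILITY' considerations for the witness service) are easy to check mechanically. The block below is an added example, not Samba code, and 'samba-tool testparm' remains the authoritative parser; it uses a deliberately minimal smb.conf reader, the constructed sample configuration of a clustered AD DC, and assumed defaults (marked as such) for parameters absent from the file.

```python
"""Check an smb.conf for the 4.20 settings discussed on this page.

Added example, not Samba code; 'samba-tool testparm' remains the authoritative
parser. The minimal parser below covers only what the checks need: [section]
headers, 'key = value' lines with case-insensitive keys and insignificant
whitespace, and '#' or ';' comment lines.
"""

# Constructed sample: a clustered AD DC still on the deprecated LDAP setting.
SAMPLE_SMB_CONF = """\
[global]
    server role = active directory domain controller
    # deprecated since 4.20.3: warns at every start of samba and testparm
    ldap server require strong auth = allow_sasl_over_tls
    ad dc functional level = 2016
    clustering = yes
    rpc start on demand helpers = yes

[data]
    path = /srv/data
    smb3 share cap:CONTINUOUS AVAILABILITY = yes
"""

# Assumed defaults for parameters absent from the file (check 'man smb.conf');
# 'yes' for strong auth is the default named on this page.
ASSUMED_DEFAULTS = {
    "ldap server require strong auth": "yes",
    "rpc start on demand helpers": "yes",
    "clustering": "no",
    "server role": "",
}


def parse_smb_conf(text):
    """Return {section: {key: value}} with lower-cased, whitespace-normalised keys."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit(sections):
    """Return (parameter, message) pairs for settings that deserve attention."""
    g = sections.get("global", {})

    def get(key):
        return g.get(key, ASSUMED_DEFAULTS.get(key, "")).lower()

    findings = []
    strong = get("ldap server require strong auth")
    if strong == "allow_sasl_over_tls":
        findings.append(("ldap server require strong auth",
                         "deprecated since 4.20.3 and warns at every start; move to 'yes', or to "
                         "'allow_sasl_without_tls_channel_bindings' only while clients without "
                         "TLS channel bindings remain"))
    elif strong == "allow_sasl_without_tls_channel_bindings":
        findings.append(("ldap server require strong auth",
                         "SASL binds without TLS channel bindings are accepted; plan the move to 'yes'"))
    elif strong == "no":
        findings.append(("ldap server require strong auth", "weak LDAP binds permitted"))

    if "domain controller" in get("server role") and "ad dc functional level" not in g:
        findings.append(("ad dc functional level",
                         "not set: claims, authentication policies and silos are not available "
                         "(this page sets it to 2016 on every DC)"))

    if is_true(get("clustering")) and is_true(get("rpc start on demand helpers")):
        findings.append(("rpc start on demand helpers",
                         "must be 'no' (with samba-dcerpcd started explicitly, e.g. --libexec-rpcds) "
                         "for the witness service in a ctdb cluster"))

    for name, share in sections.items():
        if name == "global":
            continue
        if is_true(share.get("smb3 share cap:continuous availability", "no")):
            findings.append(("[%s] smb3 share cap:CONTINUOUS AVAILABILITY" % name,
                             "Windows clients will request persistent handles, which Samba does not "
                             "implement yet; expect a warning per open in the client event log"))
    return findings


if __name__ == "__main__":
    for param, msg in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("%s: %s" % (param, msg))
```

The functional-level check is only raised for the AD DC role, since the parameter is meaningless elsewhere; the continuous-availability note is informational, because the page says the setting is required for Windows clients to use the witness service, but it comes at the cost of per-open warnings on the client.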

REMOVED FEATURES

Get locally logged on users from utmp

The Workstation Service Remote Protocol [MS-WKST] calls NetWkstaGetInfo level 102 and NetWkstaEnumUsers level 0 and 1 return the list of locally logged on users. Samba was getting the list from utmp, which is not Y2038 safe. This feature has been completely removed and Samba will always return an empty list.

smb.conf changes

 Parameter Name                          Description     Default
 --------------                          -----------     -------
 acl claims evaluation                   new             AD DC only
 smb3 unix extensions                    Per share       -
 smb3 share cap:ASYMMETRIC               new             no
 smb3 share cap:CLUSTER                  new             see 'man smb.conf'
 smb3 share cap:CONTINUOUS AVAILABILITY  new             no
 smb3 share cap:SCALE OUT                new             see 'man smb.conf'


Changes since 4.20.0rc4

  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • BUG 15606: Avoid null-dereference with bad claims.
  • BUG 15613: ndr_pull_security_ace can leave resource attribute ACE coda claim struct undefined.
  • Ralph Boehme <slow@samba.org>
  • BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if vfs_stat_fsp() fails in fd_close().
  • Björn Jacke <bjacke@samba.org>
  • BUG 15583: set_nt_acl sometimes fails with NT_STATUS_INVALID_PARAMETER - openat() EACCES.
  • Noel Power <noel.power@suse.com>
  • BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if vfs_stat_fsp() fails in fd_close().
  • Andreas Schneider <asn@samba.org>
  • BUG 15599: libgpo: Segfault in python bindings.
  • Jo Sutton <josutton@catalyst.net.nz>
  • BUG 15607: Samba AD is missing some authentication policy tests.

CHANGES SINCE 4.20.0rc3

  • Andreas Schneider <asn@samba.org>
  • BUG 15588: samba-gpupdate: Correctly implement site support.

CHANGES SINCE 4.20.0rc2

  • Rob van der Linde <rob@catalyst.net.nz>
  • BUG 15575: Remove unsupported "Final" keyword missing from Python 3.6.
  • Stefan Metzmacher <metze@samba.org>
  • BUG 15577: Additional witness backports for 4.20.0.
  • Noel Power <noel.power@suse.com>
  • Martin Schwenke <mschwenke@ddn.com>
  • BUG 15580: Packet marshalling push support missing for CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and CTDB_CONTROL_TCP_CLIENT_PASSED.
  • Jo Sutton <josutton@catalyst.net.nz>
  • BUG 15575: Remove unsupported "Final" keyword missing from Python 3.6.

CHANGES SINCE 4.20.0rc1

  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • BUG 15574: Performance regression for NDR parsing of security descriptors.
  • Anoop C S <anoopcs@samba.org>
  • BUG 15565: Build and install man page for wspsearch client utility.
  • Andreas Schneider <asn@samba.org>
  • BUG 15558: samba-gpupdate logging doesn't work.

KNOWN ISSUES

Release_Planning_for_Samba_4.20#Release_blocking_bugs