Samba 4.20 Features added/changed

From SambaWiki
Revision as of 10:09, 4 February 2024 by Fraz

Samba 4.20.0rc1

Release Notes for 4.20.0rc1
January 31, 2024

Release Announcements

This is the first release candidate of Samba 4.20. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.20 will be the next version of the Samba suite.


UPGRADING

NEW FEATURES/CHANGES

New Minimum MIT Krb5 version for Samba AD Domain Controller

Samba now requires MIT Krb5 1.21 when built against a system MIT Krb5 and acting as an Active Directory DC. This addresses the issues fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that Samba builds against an MIT version that lets us avoid that attack.

Removed dependency on Perl JSON module

Distributions are advised that the Perl JSON package is no longer required by Samba builds that use the imported Heimdal. The build instead uses Perl's JSON::PP built into recent perl5 versions.

Current lists of packages required by Samba for major distributions are found in the bootstrap/generated-dists/ directory of a Samba source tree. While there will be some differences - due to features chosen by packagers - comparing these lists with the build dependencies in a package may locate other dependencies we no longer require.

samba-tool user getpassword / syncpasswords ;rounds= change

The password access tool "samba-tool user getpassword" and the password sync tool "samba-tool user syncpasswords" allow attributes to be chosen for output, and accept parameters like pwdLastSet;format=GeneralizedTime.

The attribute, including its option, then appears in the same form as the attribute name in the LDIF output. This was not the case for the ;rounds= parameter of virtualCryptSHA256 and virtualCryptSHA512, for example --attributes="virtualCryptSHA256;rounds=50000".

This release makes the behaviour consistent between these two features. Installations using GPG-encrypted passwords (or plaintext storage) and the rounds= option will find that the output has changed

from:

virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

to:

virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
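Because the round count now appears both in the attribute name and inside the {CRYPT} hash, a consumer of this output can check that the two agree and can spot old-style unlabelled lines from a pre-4.20 samba-tool. The script below is an added example, not code from the release notes or from samba-tool: it parses LDIF attribute lines of the form name;option=value: value, extracts the rounds from sha256-crypt ($5$) and sha512-crypt ($6$) strings, and classifies each virtualCrypt* line. The LDIF sample is constructed, and its hash strings are placeholders rather than real credentials.

```python
import re

# Constructed sample modelled on the 4.20 output shown above. Hash strings are
# illustrative placeholders, not real credentials. The last line uses the
# pre-4.20 form (no ;rounds= on the attribute name) for comparison.
SAMPLE_LDIF = """\
dn: CN=svc-backup,CN=Users,DC=example,DC=com
pwdLastSet;format=GeneralizedTime: 20240131120000.0Z
virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
virtualCryptSHA512;rounds=50000: {CRYPT}$6$rounds=5000$hXem.M9onhM9Vuix$dFdSBwF
virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
"""

# $5$ is sha256-crypt, $6$ is sha512-crypt; the rounds= field is optional and
# crypt(3) uses 5000 rounds when it is omitted.
CRYPT_RE = re.compile(
    r"^\{CRYPT\}\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]+)\$(?P<hash>[^$]+)$"
)
CRYPT_DEFAULT_ROUNDS = 5000


def parse_attribute(line):
    """Split 'name;opt=val: value' into (name, {opt: val, ...}, value)."""
    lhs, sep, value = line.partition(": ")
    if not sep:
        raise ValueError(f"not an attribute line: {line!r}")
    name, *opts = lhs.split(";")
    options = {}
    for opt in opts:
        key, _, val = opt.partition("=")
        options[key] = val
    return name, options, value.strip()


def crypt_rounds(value):
    """Return the round count encoded in a {CRYPT} sha256/sha512 hash, or None."""
    m = CRYPT_RE.match(value)
    if m is None:
        return None
    return int(m["rounds"]) if m["rounds"] else CRYPT_DEFAULT_ROUNDS


def classify(line):
    """Classify one virtualCrypt* line.

    'consistent' - attribute carries ;rounds= and it matches the hash (4.20 form)
    'mismatch'   - attribute carries ;rounds= but the hash used a different count
    'unlabelled' - no ;rounds= option on the attribute name (pre-4.20 form)
    'not-crypt'  - value is not a recognised {CRYPT} sha256/sha512 hash
    """
    name, options, value = parse_attribute(line)
    actual = crypt_rounds(value)
    if actual is None:
        return name, "not-crypt"
    requested = options.get("rounds")
    if requested is None:
        return name, "unlabelled"
    return name, "consistent" if int(requested) == actual else "mismatch"


def audit(ldif_text):
    """Run classify() over every virtualCrypt* line of an LDIF dump."""
    return [classify(line) for line in ldif_text.splitlines()
            if line.startswith("virtualCrypt")]


if __name__ == "__main__":
    for name, status in audit(SAMPLE_LDIF):
        print(f"{name}: {status}")
```

On the constructed sample the first line is reported as consistent, the second as a mismatch between the requested and actual round count, and the old-style third line as unlabelled. A sync script that consumes getpassword output can use the same check to refuse hashes whose cost differs from what it asked for with --attributes="virtualCryptSHA256;rounds=...".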

Group Managed service account client-side features

samba-tool has been extended to provide client-side support for Group Managed Service accounts. These accounts have passwords that change automatically, giving the advantages of service isolation without risk of poor, unchanging passwords.

Where possible, Samba's existing samba-tool password handling commands, which in the past have only operated against the local sam.ldb, have been extended to permit operation against a remote server with authenticated access to "-H ldap://$DCNAME".

Supported operations include:

  • reading the current and previous gMSA password via "samba-tool user getpassword"
  • writing a Kerberos Ticket Granting Ticket (TGT) to a local credentials cache with a new command, "samba-tool user get-kerberos-ticket"

New Windows Search Protocol Client

Samba now builds by default a new experimental Windows Search Protocol (WSP) command line client, "wspsearch".

The "wspsearch" command-line utility allows a WSP search request to be sent to a server (such as a Windows server) that has the Windows Search Protocol (WSP) service configured and enabled.

For more details see the wspsearch man page.

Allow 'smbcacls' to save/restore DACLs to file

'smbcacls' has been extended to allow DACLs to be saved to and restored from a file. This feature mimics the functionality that the Windows command-line tool 'icacls.exe' provides. Additionally, files created either by 'smbcacls' or 'icacls.exe' are interchangeable and can be used by either tool, as the same file format is used.

New options added are:

'--save savefile'
Saves DACLs in SDDL format to the file.
'--recurse'
Performs the '--save' operation above on the directory and all files/directories below it.
'--restore savefile'
Restores the stored DACLs to the files in the directory.
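A saved DACL file is worth reviewing before it is restored, since '--restore' applies whatever the file says. The script below is an added example and is not smbcacls or icacls.exe code: it parses the SDDL strings in such a file and reports allow ACEs that grant write-class rights (write data, delete, WRITE_DAC, WRITE_OWNER, generic write/all) to broad principals such as Everyone, Authenticated Users, Users or Anonymous. The release notes only say the file holds DACLs in SDDL format and is interchangeable with icacls.exe; the line layout assumed here (each path on one line, its SDDL string on the next, as icacls /save produces) is an assumption of this example, and the sample file is constructed.

```python
import re

# Constructed sample of a DACL save file. The layout assumed here (a path line
# followed by its SDDL line) is an assumption for this example, not taken from
# Samba's source; only "SDDL format" and icacls compatibility are documented.
SAMPLE_SAVE_FILE = """\
share\\finance
O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)(A;OICI;FA;;;S-1-5-21-1-2-3-1105)
share\\finance\\dropbox
O:BAG:DUD:AI(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)
share\\public
O:BAG:DUD:(D;;WD;;;AU)(A;OICI;FR;;;AU)(A;OICI;GW;;;AN)
"""

# Two-letter SDDL rights aliases and the access-mask bits they stand for.
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}

# Mask bits that let the holder change a file's content, metadata, owner or DACL.
WRITE_BITS = (0x2 | 0x4 | 0x10 | 0x40 | 0x100  # write/append data, write EA, delete child, write attrs
              | 0x10000 | 0x40000 | 0x80000    # DELETE, WRITE_DAC, WRITE_OWNER
              | 0x40000000 | 0x10000000)       # GENERIC_WRITE, GENERIC_ALL

# Well-known SIDs (alias and numeric form) that stand for very broad groups.
BROAD_PRINCIPALS = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "Users", "S-1-5-32-545": "Users",
    "AN": "Anonymous", "S-1-5-7": "Anonymous",
}

# O:owner G:group D:dacl S:sacl; a value is SID/flag text plus any number of (...) ACEs.
COMPONENT_RE = re.compile(r"(?P<key>[OGDS]):(?P<val>(?:[^:()]|\([^)]*\))*?)(?=[OGDS]:|$)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(token):
    """Turn an SDDL rights token ('FA', 'RCSD', '0x1200a9') into an access mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        alias = token[i:i + 2]
        if alias not in RIGHTS:
            raise ValueError(f"unknown rights alias {alias!r} in {token!r}")
        mask |= RIGHTS[alias]
    return mask


def split_sddl(sddl):
    """Split an SDDL string into its O:, G:, D: and S: components."""
    return {m["key"]: m["val"] for m in COMPONENT_RE.finditer(sddl)}


def parse_dacl(sddl):
    """Return (dacl_flags, [ace dicts]) or None when the string has no D: part."""
    components = split_sddl(sddl)
    if "D" not in components:
        return None
    dacl = components["D"]
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_object_guid;sid
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, ace_flags, rights, _obj, _inh_obj, sid = fields[:6]
        aces.append({"type": ace_type, "flags": ace_flags,
                     "mask": parse_rights(rights), "sid": sid})
    return dacl.split("(", 1)[0], aces


def find_broad_write_aces(sddl):
    """List (principal, mask) for allow ACEs granting write-class rights to broad groups."""
    parsed = parse_dacl(sddl)
    if parsed is None:
        return []
    hits = []
    for ace in parsed[1]:  # deny ACEs are not netted out; the reviewer judges them in context
        who = BROAD_PRINCIPALS.get(ace["sid"])
        if ace["type"] == "A" and who and ace["mask"] & WRITE_BITS:
            hits.append((who, ace["mask"]))
    return hits


def review_save_file(text):
    """Map each path in a save file to its broad write ACEs; clean paths are omitted."""
    lines = [line for line in text.splitlines() if line.strip()]
    findings = {}
    for path, sddl in zip(lines[0::2], lines[1::2]):
        hits = find_broad_write_aces(sddl)
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, hits in review_save_file(SAMPLE_SAVE_FILE).items():
        print(path, ", ".join(f"{who} holds 0x{mask:08x}" for who, mask in hits))
```

On the constructed sample the finance share itself is clean (Users only hold the read-and-execute mask 0x1200a9), while the dropbox directory grants Everyone full access and the public share grants Anonymous GENERIC_WRITE. The parser keeps the DACL flags (P, AI, AR) and the per-ACE inheritance flags, so the same structure can be extended to check whether a restore would re-enable inheritance that the share owner had deliberately blocked.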

REMOVED FEATURES

Get locally logged on users from utmp

The Workstation Service Remote Protocol [MS-WKST] calls NetWkstaGetInfo (level 102) and NetWkstaEnumUsers (levels 0 and 1) return the list of locally logged-on users. Samba was getting the list from utmp, which is not Y2038 safe. This feature has been completely removed and Samba will always return an empty list.

smb.conf changes

 Parameter Name                          Description     Default
 --------------                          -----------     -------
 smb3 unix extensions                    Per share       -


KNOWN ISSUES

Release_Planning_for_Samba_4.20#Release_blocking_bugs