[SCM] Samba Shared Repository - branch master updated
Garming Sam
garming at samba.org
Mon Jul 3 06:16:03 UTC 2017
The branch, master has been updated
via 1f5a297 s3:rpc_server: wrap make_auth4_context() into {become,unbecome}_root()
via 59bee84 WHATSNEW: Improved AD performance (particularly linked attributes)
via f8e83f3 WHATSNEW: DNS at domain join improvements
via 63a56fe WHATSNEW: Additional hashes introduced with WDigest
via 5e6b4c4 WHATSNEW: Improved RODC support
from 0cfef7f selftest: Prime the netlogon cache during test_idmap_rfc2307
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 1f5a297b516b56ab6afbfc4ba1513dc73764dcf7
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 30 13:26:17 2017 +0200
s3:rpc_server: wrap make_auth4_context() into {become,unbecome}_root()
This needs to create a temporary messaging context in order to do
the auth logging. This can only be done as root.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12850
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming at samba.org>
Autobuild-Date(master): Mon Jul 3 08:15:29 CEST 2017 on sn-devel-144
commit 59bee844b88ea917b2e7036b9d8deecf5b5f5f2b
Author: Garming Sam <garming at catalyst.net.nz>
Date: Mon Jul 3 13:15:50 2017 +1200
WHATSNEW: Improved AD performance (particularly linked attributes)
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f8e83f39e871c1487164a8729099540c965444c7
Author: Garming Sam <garming at catalyst.net.nz>
Date: Mon Jul 3 13:09:26 2017 +1200
WHATSNEW: DNS at domain join improvements
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 63a56fe821f2b14142c60d51506e9bdef915038c
Author: Garming Sam <garming at catalyst.net.nz>
Date: Mon Jul 3 12:46:09 2017 +1200
WHATSNEW: Additional hashes introduced with WDigest
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5e6b4c4b13ef2bd0aacd5a203eee0e54a16d8ec4
Author: Garming Sam <garming at catalyst.net.nz>
Date: Mon Jul 3 11:51:10 2017 +1200
WHATSNEW: Improved RODC support
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 87 ++++++++++++++++++++++++++++++++++++-------
source3/rpc_server/srv_pipe.c | 2 +
2 files changed, 75 insertions(+), 14 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index dbca75e..09b3cbb 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -146,6 +146,64 @@ clients and the AD DC's overall resiliency, but will mean that there is a
fork()ed child for every LDAP client, which may be more resource
intensive in some situations.
+Improved Read-Only Domain Controller (RODC) Support
+---------------------------------------------------
+
+Support for RODCs in Samba AD until now has been experimental. With this latest
+version, many of the critical bugs have been fixed and the RODC can be used in
+DC environments requiring no writable behaviour. RODCs now correctly support
+bad password lockouts and password disclosure auditing through the
+msDS-RevealedUsers attribute.
+
+The fixes made to the RWDC will also allow Windows RODC to function more
+correctly and to avoid strange data omissions such as failures to replicate
+groups or updated passwords. Password changes are currently rejected at the
+RODC, although referrals should be given over LDAP. While any bad passwords can
+trigger domain-wide lockout, good passwords which have not been replicated yet
+for a password change can only be used via NTLM on the RODC (and not Kerberos).
+
+The reliability of RODCs locating a writable partner still requires some
+improvements and so the 'password server' configuration option is generally
+recommended on the RODC.
+
+Additional password hashes stored in supplementalCredentials
+------------------------------------------------------------
+
+A new config option 'password hash userPassword schemes' has been added to
+enable generation of SHA-256 and SHA-512 hashes (without storing the plaintext
+password with reversible encryption). This builds upon previous work to improve
+password sync for the AD DC (originally using GPG).
+
+The user command of 'samba-tool' has been updated in order to be able to
+extract these additional hashes, as well as extracting the (HTTP) WDigest
+hashes that we had also been storing in supplementalCredentials.
+
+Improvements to DNS during Active Directory domain join
+-------------------------------------------------------
+
+The 'samba-tool' domain join command will now add the A and GUID DNS records
+(on both the local and remote servers) during a join if possible via RPC. This
+should allow replication to proceed more smoothly post-join.
+
+The mname element of the SOA record will now also be dynamically generated to
+point to the local read-write server. 'samba_dnsupdate' should now be more
+reliable as it will now find the appropriate name server even when resolv.conf
+points to a forwarder.
+
+Significant AD performance and replication improvements
+-------------------------------------------------------
+
+Previously, replication of group memberships was been an incredibly expensive
+process for the AD DC. This was mostly due to unnecessary CPU time being spent
+parsing member linked attributes. The database now stores these linked
+attributes in sorted form to perform efficient searches for existing members.
+In domains with a large number of group memberships, a join can now be
+completed in half the time compared with Samba 4.6.
+
+LDAP search performance has also improved, particularly in the unindexed search
+case. Parsing and processing of security descriptors should now be more
+efficient, improving replication but also overall performance.
+
Query record for open file or directory
---------------------------------------
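Review bot: The new "Significant AD performance and replication improvements" section has a grammatical slip in its first sentence, "replication of group memberships was been an incredibly expensive process"; suggest "has been an incredibly expensive process" (or drop "been"). In the RODC section, "allow Windows RODC to function more correctly" reads better as "allow Windows RODCs to function correctly", and the lockout sentence would be clearer if it spelled out the operational consequence for administrators, e.g. "While bad password attempts at an RODC still count towards domain-wide lockout, a password that has been changed but not yet replicated to the RODC can only be used via NTLM there, not Kerberos". Since the same section tells readers that RODC writable-partner discovery is still unreliable and recommends 'password server', it may be worth stating that explicitly as a caveat on the "password disclosure auditing through msDS-RevealedUsers" claim, so that operators know which behaviour is tested and which is still experimental.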
@@ -195,20 +253,21 @@ for modern SMB1/2/3 clients.
smb.conf changes
================
- Parameter Name Description Default
- -------------- ----------- -------
- allow unsafe cluster upgrade New parameter no
- auth event notification New parameter no
- auth methods Deprecated
- client max protocol Effective SMB3_11
- default changed
- map untrusted to domain New value/ auto
- Default changed/
- Deprecated
- mit kdc command New parameter
- profile acls Deprecated
- rpc server dynamic port range New parameter 49152-65535
- strict sync Default changed yes
+ Parameter Name Description Default
+ -------------- ----------- -------
+ allow unsafe cluster upgrade New parameter no
+ auth event notification New parameter no
+ auth methods Deprecated
+ client max protocol Effective SMB3_11
+ default changed
+ map untrusted to domain New value/ auto
+ Default changed/
+ Deprecated
+ mit kdc command New parameter
+ profile acls Deprecated
+ rpc server dynamic port range New parameter 49152-65535
+ strict sync Default changed yes
+ password hash userPassword schemes New parameter
KNOWN ISSUES
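Review bot: The added row "password hash userPassword schemes New parameter" leaves the Default column empty, while the other "New parameter" rows in this table state their default (e.g. "allow unsafe cluster upgrade New parameter no"); please fill in the default here, or write "(empty)" if no additional hashes are generated unless the option is set, since a reader of the release notes needs to know whether upgrading silently starts storing SHA-256/SHA-512 hashes in supplementalCredentials. The row is also appended after "strict sync", whereas the rest of the table is kept in alphabetical order; it belongs between "mit kdc command" and "profile acls". Finally, the hunk rewrites all of the unchanged rows as well (the whole table is deleted and re-added), which suggests a whitespace-only change to those lines; if that was unintended it would be cleaner to add only the new row so the diff shows a single-line change.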
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index f79fbe2..4534200 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -844,7 +844,9 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
p->auth.auth_context_id = 0;
+ become_root();
status = make_auth4_context(frame, &auth4_context);
+ unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Unable to make auth context for authz log.\n"));
TALLOC_FREE(frame);
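Review bot: The become_root()/unbecome_root() pair around make_auth4_context() is correctly balanced before the NT_STATUS_IS_OK() check, so the early-return path on L166-L167 never leaves the process elevated; please add a short comment above become_root() explaining why root is required here (the temporary messaging context created for auth logging, per the commit message and bug 12850), because a reader of api_pipe_bind_req() otherwise has no indication that a privilege change is needed to build an auth context, and a future refactor could easily move other work into the elevated window. If make_auth4_context() can be called from other unprivileged paths in rpc_server, the same wrapping (or pushing the become_root() into the helper itself) should be checked there too, so the fix is not limited to the bind request.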
--
Samba Shared Repository