[SCM] Samba Shared Repository - branch v4-16-test updated

Stefan Metzmacher metze at samba.org
Thu Mar 17 10:29:23 UTC 2022


The branch, v4-16-test has been updated
       via  e79f04a3179 WHATSNEW for Heimdal upgrade
       via  f4236271500 WHATSNEW: older SMB1 command removal/simplification and deprecation
      from  41054b61231 s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test


- Log -----------------------------------------------------------------
commit e79f04a317906b1fbd9a53c831800088e2aab680
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Mar 16 12:53:47 2022 +1300

    WHATSNEW for Heimdal upgrade
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit f42362715008716ed8508645329a9b16995e7db9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Mar 17 07:53:37 2022 +1300

    WHATSNEW: older SMB1 command removal/simplification and deprecation
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt | 118 +++++++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 103 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 83d77b5c028..31f656e4095 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -52,6 +52,46 @@ samba-dcerpcd can also be useful for use outside of the Samba
 framework, for example, use with the Linux kernel SMB2 server ksmbd or
 possibly other SMB2 server implementations.
 
+Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support
+------------------------------------------------------------------
+
+Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos
+implementation.  This snapshot has now been updated and will closely
+match what will be released as Heimdal 8.0 shortly.
+
+This is a major update, previously we used a snapshot of Heimdal from
+2011, and brings important new Kerberos security features such as
+Kerberos request armoring, known as FAST.  This tunnels ticket
+requests and replies that might be encrypted with a weak password
+inside a wrapper built with a stronger password, say from a machine
+account.
+
+In Heimdal and MIT modes Samba's KDC now supports FAST, for the
+support of non-Windows clients.
+
+Windows clients will not use this feature however, as they do not
+attempt to do so against a server not advertising domain Functional
+Level 2012.  Samba users are of course free to modify how Samba
+advertises itself, but use with Windows clients is not supported "out
+of the box".
+
+Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of
+the FAST protocol.  A future version will align this more closely with
+Microsoft AD behaviour.
+
+If FAST needs to be disabled on your Samba KDC, set
+
+ kdc enable fast = no
+
+in the smb.conf.
+
+The Samba project wishes to thank the numerous developers who have put
+in a massive effort to make this possible over many years.  In
+particular we thank Stefan Metzmacher, Joseph Sutton, Gary Lockyer,
+Isaac Boukris and Andrew Bartlett.  Samba's developers in turn thank
+their employers and in turn their customers who have supported this
+effort over many years.
+
 Certificate Auto Enrollment
 ---------------------------
 
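Review bot: The "kdc enable fast = no" paragraph says how to turn FAST off but never states the default, so an administrator cannot tell from this section whether FAST is active on the KDC after upgrading; suggest adding one sentence giving the default and, if it is not already there, listing the parameter wherever this file records smb.conf changes. The per-KDC 'cookie' paragraph states a difference from Microsoft AD without saying what a site running more than one KDC should expect; a sentence on the practical effect would help. Wording: "This is a major update, previously we used a snapshot of Heimdal from 2011, and brings important new ..." is a comma splice that loses its subject before "and brings"; splitting it into two sentences fixes it.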
@@ -135,21 +175,69 @@ CTDB changes
 REMOVED FEATURES
 ================
 
-SMB1 CORE and LANMAN1 protocol wildcard copy, unlink and rename removed
-=======================================================================
-
-In preparation for the removal of the SMB1 server, the unused
-SMB1 command SMB_COM_COPY (SMB1 command number 0x29) has been
-removed from the Samba smbd server. In addition, the ability
-to process file name wildcards in requests using the SMB1 commands
-SMB_COM_COPY (SMB1 command number 0x2A), SMB_COM_RENAME (SMB1 command
-number 0x7), SMB_COM_NT_RENAME (SMB1 command number 0xA5) and
-SMB_COM_DELETE (SMB1 command number 0x6) have been removed.
-
-This only affects clients using MS-DOS based versions of
-SMB1, the last release of which was Windows 98. Users requiring
-support for these features will need to use older versions
-of Samba.
+Older SMB1 protocol SMBCopy command removed
+-------------------------------------------
+
+SMB is a nearly 30-year old protocol, and some protocol commands that
+while supported in all versions, have not seen widespread use.
+
+One of those is SMBCopy, a feature for a server-side copy of a file.
+This feature has been so unmaintained that Samba has no testsuite for
+it.
+
+The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was
+introduced in the LAN Manager 1.0 dialect and it was rendered obsolete
+in the NT LAN Manager dialect.
+
+Therefore it has been removed from the Samba smbd server.
+
+We do note that a fully supported and tested server-side copy is
+present in SMB2, and can be accessed with "scopy" subcommand in
+smbclient)
+
+SMB1 server-side wildcard expansion removed
+-------------------------------------------
+
+Server-side wildcard expansion is another feature that sounds useful,
+but is also rarely used and has become problematic - imposing extra
+work on the server (both in terms of code and CPU time).
+
+In actual OS design, wildcard expansion is handled in the local shell,
+not at the remote server using SMB wildcard syntax (which is not shell
+syntax).
+
+In Samba 4.16 the ability to process file name wildcards in requests
+using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7),
+SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1
+command number 0x6) has been removed.
+
+SMB1 protocol has been deprecated, particularly older dialects
+--------------------------------------------------------------
+
+We take this opportunity to remind that we have deprecated and
+disabled by default, but not removed, the whole SMB1 protocol since
+Samba 4.11.  If needed for security purposes or code maintenance we
+will continue to remove older protocol commands and dialects that are
+unused or have been replaced in more modern SMB1 versions.
+
+We specifically deprecate the older dialects older than "NT LM 0.12"
+(also known as "NT LANMAN 1.0" and "NT1").
+
+Please note that "NT LM 0.12" is the dialect used by software as old
+as Windows 95, Windows NT and Samba 2.0, so this deprecation applies
+to DOS and similar era clients.
+
+We do reassure that that 'simple' operation of older clients than
+these (eg DOS) will, while untested, continue for the near future, our
+purpose is not to cripple use of Samba in unique situations, but to
+reduce the maintaince burden.
+
+Eventually SMB1 as a whole will be removed, but no broader change is
+announced for 4.16.
+
+In the rare case where the above changes cause incompatibilities,
+users requiring support for these features will need to use older
+versions of Samba.
 
 No longer using Linux mandatory locks for sharemodes
 ====================================================
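Review bot: The new section "SMB1 protocol has been deprecated, particularly older dialects" is placed under REMOVED FEATURES although its own text says SMB1 is "deprecated and disabled by default, but not removed"; suggest moving it under a deprecation heading so readers do not take it as a removal in 4.16. The three new sub-headings are underlined with "-" while the following section under the same parent, "No longer using Linux mandatory locks for sharemodes", keeps "="; pick one level for both. The removed text listed wildcard handling for "SMB_COM_COPY (SMB1 command number 0x2A)" and the replacement lists only SMB_COM_RENAME, SMB_COM_NT_RENAME and SMB_COM_DELETE; worth confirming that the 0x2A entry is covered by the SMBCopy removal rather than silently dropped. Text nits: a stray ")" after "smbclient" with no opening parenthesis and a missing "the" before "scopy"; "that that"; "maintaince"; "the older dialects older than".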


-- 
Samba Shared Repository


