[SCM] Samba Shared Repository - branch v4-17-test updated

Stefan Metzmacher metze at samba.org
Mon Sep 5 12:51:14 UTC 2022


The branch, v4-17-test has been updated
       via  229d55eff3a WHATSNEW: Document new Protected Users group
       via  8a7551c4ac6 WHATSNEW: add more added/updated parameters
       via  b3e04327601 WHATSNEW: Make MIT Kerberos 1.20 updates clearer
      from  e9c554c0a6a s3/winbindd: Fix bad access to sid array (with debug level >= info)

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test


- Log -----------------------------------------------------------------
commit 229d55eff3ad5e99b16f7c79737ab3760d169d22
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Aug 25 16:58:06 2022 +1200

    WHATSNEW: Document new Protected Users group
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 8a7551c4ac6037327f3c9be907b0889a509c6258
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Sep 5 14:26:06 2022 +0200

    WHATSNEW: add more added/updated parameters
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Björn Jacke <bjacke at samba.org>

commit b3e043276017c6323afa681df9154df9a4292bd1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Sep 5 14:20:46 2022 +0200

    WHATSNEW: Make MIT Kerberos 1.20 updates clearer
    
    Make it clearer what also applies to Heimdal and what not.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Björn Jacke <bjacke at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 56 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 3591b8a4306..b634beca0a8 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -68,8 +68,8 @@ even when Samba is configured as --without-smb1-server. This is
 to ensure maximum compatibility with environments containing old
 SMB1 servers.
 
-Bronze bit and S4U support with MIT Kerberos 1.20
--------------------------------------------------
+Bronze bit and S4U support now also with MIT Kerberos 1.20
+----------------------------------------------------------
 
 In 2020 Microsoft Security Response Team received another Kerberos-related
 report. Eventually, that led to a security update of the CVE-2020-17049,
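Review bot: the retitled heading "Bronze bit and S4U support now also with MIT Kerberos 1.20" does not say which KDC already had the support, so "now also" reads as an afterthought rather than as the point of the rename; consider naming both backends, e.g. "Bronze bit and S4U support with Heimdal and MIT Kerberos 1.20", so the heading alone tells the reader the feature is no longer MIT-only. The dashed underline is lengthened to match the new title, which this plain-text file requires.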
@@ -87,17 +87,24 @@ but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.
 In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports
 S4U2Self and S4U2Proxy Kerberos extensions.
 
+Note the default (Heimdal-based) KDC was already fixed in 2021,
+see https://bugzilla.samba.org/show_bug.cgi?id=14642
+
 Resource Based Constrained Delegation (RBCD) support
 ----------------------------------------------------
 
 Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
 Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.
-Note that samba-tool lacks support for setting this up yet!
+
+samba-tool delegation got the 'add-principal' and 'del-principal' subcommands
+in order to manage RBCD.
 
 To complete RBCD support and make it useful to Administrators we added the
 Asserted Identity [1] SID into the PAC for constrained delegation. This is
 available for Samba AD compiled with MIT Kerberos 1.20.
 
+Note the default (Heimdal-based) KDC does not support RBCD yet.
+
 [1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
 
 Customizable DNS listening port
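Review bot: the added "Note the default (Heimdal-based) KDC was already fixed in 2021" contradicts the unchanged context line at the top of the hunk, "but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20." Either reword that sentence to say the mitigation is available with both the Heimdal KDC and MIT Kerberos 1.20, or make the note say what bug 14642 fixed for Heimdal (the Bronze Bit mitigation versus the full S4U2Self/S4U2Proxy support), so the two statements can be read together. Replacing "Note that samba-tool lacks support for setting this up yet!" with the 'add-principal' and 'del-principal' subcommands is the right fix for this section; since the Protected Users section later in the file shows example invocations, one example of "samba-tool delegation add-principal" here would be consistent. In the context line, "Sambas S4U testsuite" wants an apostrophe ("Samba's") if the paragraph is touched again.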
@@ -187,6 +194,45 @@ covers all the existing text output including sessions, connections,
 open files, byte-range locks, notifies and profile data with all
 low-level information maintained by Samba in the respective databases.
 
+Protected Users security group
+------------------------------
+
+Samba AD DC now includes support for the Protected Users security
+group introduced in Windows Server 2012 R2. The feature reduces the
+attack surface of user accounts by preventing the use of weak
+encryption types. It also mitigates the effects of credential theft by
+limiting credential lifetime and scope.
+
+The protections are intended for user accounts only, and service or
+computer accounts should not be added to the Protected Users
+group. User accounts added to the group are granted the following
+security protections:
+
+   * NTLM authentication is disabled.
+   * Kerberos ticket-granting tickets (TGTs) encrypted with RC4 are
+     not issued to or accepted from affected principals. Tickets
+     encrypted with AES, and service tickets encrypted with RC4, are
+     not affected by this restriction.
+   * The lifetime of Kerberos TGTs is restricted to a maximum of four
+     hours.
+   * Kerberos constrained and unconstrained delegation is disabled.
+
+If the Protected Users group is not already present in the domain, it
+can be created with 'samba-tool group add'. The new '--special'
+parameter must be specified, with 'Protected Users' as the name of the
+group. An example command invocation is:
+
+samba-tool group add 'Protected Users' --special
+
+or against a remote server:
+
+samba-tool group add 'Protected Users' --special -H ldap://dc1.example.com -U Administrator
+
+The Protected Users group is identified in the domain by its having a
+RID of 525. Thus, it should only be created with samba-tool and the
+'--special' parameter, as above, so that it has the required RID
+to function correctly.
+
 
 REMOVED FEATURES
 ================
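Review bot: "The Protected Users group is identified in the domain by its having a RID of 525" is awkward; suggest "is identified in the domain by its well-known RID, 525", which also makes clearer why the '--special' parameter is mandatory. The section does not say whether the Protected Users support applies to both Heimdal- and MIT-based DC builds; the Bronze Bit and RBCD sections earlier in the file distinguish the two, so readers will ask, and one sentence either way would settle it. The four protections are listed precisely, but the first bullet, "NTLM authentication is disabled", could say that this is enforced by the DC for the affected accounts, matching the wording of the TGT bullets. The trailing blank line added at the end of the hunk gives two blank lines before "REMOVED FEATURES", which matches the spacing the next hunk introduces before "smb.conf changes".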
@@ -197,14 +243,19 @@ LanMan Authentication and password storage removed from the AD DC
 The storage and authentication with LanMan passwords has been entirely
 removed from the Samba AD DC, even when "lanman auth = yes" is set.
 
+
 smb.conf changes
 ================
 
   Parameter Name                          Description     Default
   --------------                          -----------     -------
   dns port                                New default     53
-  nt hash store				  New parameter   always
-  volume serial number			  New parameter   -1
+  fruit:zero_file_id                      New default     yes
+  nt hash store                           New parameter   always
+  smb1 unix extensions                    Replaces "unix extensions"
+  volume serial number                    New parameter   -1
+  winbind debug traceid                   New parameter   no
+
 
 CHANGES SINCE 4.17.0rc3
 =======================
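Review bot: the new row "smb1 unix extensions   Replaces "unix extensions"" has nothing in the Default column, unlike every other row, and its description runs past the "Description" column into the "Default" column; state the default (or "unchanged") and keep the description within its column so the three-column layout under the dashed header survives. Converting the tab-indented "nt hash store" and "volume serial number" rows to spaces is a good cleanup, since the tabs broke alignment depending on the viewer. The blank line added before "smb.conf changes" gives the two-blank-line spacing used before "REMOVED FEATURES", so the two major headings are now separated consistently.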


-- 
Samba Shared Repository


