[PATCH] WHATSNEW: more news, RODC warning
Andrew Bartlett
abartlet at samba.org
Mon Aug 28 09:41:15 UTC 2017
This patch adds a warning on RODC use before Samba 4.7 and includes
some other changes we got in recently.
Please review/push to 4.7
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
From 696a7a4c87993be0fcfd4657d093f4a5bdc8e43c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 28 Aug 2017 21:35:34 +1200
Subject: [PATCH 1/4] WHATSNEW: fix spelling
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
WHATSNEW.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d738e4d..fa26a40 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -53,7 +53,7 @@ Whole DB read locks: Improved LDAP and replication consistency
--------------------------------------------------------------
Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba
-erronously did not take whole-DB read locks to protect search
+erroneously did not take whole-DB read locks to protect search
and DRS replication operations.
While each object returned remained subject to a record-level lock (so
--
2.9.5
From 4225a84823a42a9cabc096557eb106c507058158 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 28 Aug 2017 21:35:56 +1200
Subject: [PATCH 2/4] WHATSNEW: explain that we may use much more RAM and SWAP
with multi-process LDAP
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
WHATSNEW.txt | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index fa26a40..d2a854d 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -144,7 +144,8 @@ the rest of the 'samba' process, rather than being forced into a single
process. This aids in Samba's ability to scale to larger numbers of AD
clients and the AD DC's overall resiliency, but will mean that there is a
fork()ed child for every LDAP client, which may be more resource
-intensive in some situations.
+intensive in some situations. If you run Samba in a
+resource-constrained VM, consider allocating more RAM and swap space.
Improved Read-Only Domain Controller (RODC) Support
---------------------------------------------------
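Review bot: the added sentence tells the reader to allocate more RAM and swap but gives no way to estimate how much; since the preceding context lines state there is a fork()ed child for every LDAP client, consider saying that memory use now grows roughly per concurrently connected LDAP client, so administrators can size a VM from their expected client count rather than guessing. Minor: the subject line writes "SWAP" in capitals while the text uses "swap"; the lower-case form is the usual one.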
--
2.9.5
From 64acb4aaa6f3e0ca642684264cebc1ebcd7cfc7d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 28 Aug 2017 21:36:14 +1200
Subject: [PATCH 3/4] WHATSNEW: warn against using the RODC on older Samba
versions
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
WHATSNEW.txt | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d2a854d..2c10970 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -167,6 +167,14 @@ The reliability of RODCs locating a writable partner still requires some
improvements and so the 'password server' configuration option is generally
recommended on the RODC.
+Samba 4.7 is the first Samba release to be secure as an RODC or when
+hosting an RODC. If you have been using earlier Samba versions to
+host or be an RODC, please upgrade.
+
+In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for
+details on the security implications for password disclosure to an
+RODC using earlier versions.
+
Additional password hashes stored in supplementalCredentials
------------------------------------------------------------
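Review bot: the first added paragraph claims 4.7 is the first release "to be secure as an RODC or when hosting an RODC" without saying what was wrong, and the bug reference only appears two paragraphs later, so "please upgrade" is hard to act on when read in isolation. Consider leading with the reference and the affected range as the text itself defines it, e.g. "Samba versions before 4.7 should not be used as an RODC or to host an RODC; see https://bugzilla.samba.org/show_bug.cgi?id=12977 for details of the password disclosure issue", which is also more precise than the blanket "to be secure".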
--
2.9.5
From 4c6bec6adcf33971dcbcba8daeff0d46069bf0a9 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 28 Aug 2017 21:37:16 +1200
Subject: [PATCH 4/4] WHATSNEW: We generate SHA256 certificates now
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
WHATSNEW.txt | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 2c10970..456f59f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -250,6 +250,15 @@ the talloc_autofree_context() (which is inherently thread-unsafe)
and still be valgrind-clean on exit. Modules that don't need to
free long-lived data on exit should use the NULL talloc context.
+SHA256 LDAPS Certificates
+-------------------------
+
+The self-signed certificate generated for use on LDAPS will now be
+generated with a SHA256 self-signature, not a SHA1 self-signature.
+
+Replacing this certificate with a certificate signed by a trusted
+CA is still highly recommended.
+
CTDB changes
------------
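Review bot: the new section does not say whether a self-signed certificate created by an earlier release is replaced on upgrade or whether only newly generated certificates get the SHA256 self-signature; administrators who already deployed a SHA1 certificate need to know whether they must remove it and let it be regenerated. A sentence stating which case applies would make the recommendation in the second paragraph easier to follow.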
--
2.9.5