[PATCH] WHATSNEW: more news, RODC warning

Andrew Bartlett abartlet at samba.org
Mon Aug 28 09:41:15 UTC 2017


This patch adds a warning on RODC use before Samba 4.7 and includes
some other changes we got in recently.

Please review/push to 4.7

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
From 696a7a4c87993be0fcfd4657d093f4a5bdc8e43c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 28 Aug 2017 21:35:34 +1200
Subject: [PATCH 1/4] WHATSNEW: fix spelling

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
 WHATSNEW.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d738e4d..fa26a40 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -53,7 +53,7 @@ Whole DB read locks: Improved LDAP and replication consistency
 --------------------------------------------------------------
 
 Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba
-erronously did not take whole-DB read locks to protect search
+erroneously did not take whole-DB read locks to protect search
 and DRS replication operations.
 
 While each object returned remained subject to a record-level lock (so
-- 
2.9.5


From 4225a84823a42a9cabc096557eb106c507058158 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 28 Aug 2017 21:35:56 +1200
Subject: [PATCH 2/4] WHATSNEW: explain that we may use much more RAM and SWAP
 with multi-process LDAP

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
 WHATSNEW.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index fa26a40..d2a854d 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -144,7 +144,8 @@ the rest of the 'samba' process, rather than being forced into a single
 process.  This aids in Samba's ability to scale to larger numbers of AD
 clients and the AD DC's overall resiliency, but will mean that there is a
 fork()ed child for every LDAP client, which may be more resource
-intensive in some situations.
+intensive in some situations.  If you run Samba in a
+resource-constrained VM, consider allocating more RAM and swap space.
 
 Improved Read-Only Domain Controller (RODC) Support
 ---------------------------------------------------
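Review bot: the added sentence tells administrators to add RAM and swap but not what drives the cost, so it is hard to act on; since the preceding context says there is a fork()ed child for every LDAP client, the note should state that memory use now scales with the number of concurrent LDAP connections (and that a burst of connections can exhaust memory on a small VM), so hosts can be sized from the expected client count. Suggest: "Memory use now grows with the number of concurrent LDAP connections.  If you run Samba in a resource-constrained VM, consider allocating more RAM and swap space."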
-- 
2.9.5


From 64acb4aaa6f3e0ca642684264cebc1ebcd7cfc7d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 28 Aug 2017 21:36:14 +1200
Subject: [PATCH 3/4] WHATSNEW: warn against using the RODC on older Samba
 versions

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
 WHATSNEW.txt | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d2a854d..2c10970 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -167,6 +167,14 @@ The reliability of RODCs locating a writable partner still requires some
 improvements and so the 'password server' configuration option is generally
 recommended on the RODC.
 
+Samba 4.7 is the first Samba release to be secure as an RODC or when
+hosting an RODC.  If you have been using earlier Samba versions to
+host or be an RODC, please upgrade.
+
+In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for
+details on the security implications for password disclosure to an
+RODC using earlier versions.
+
 Additional password hashes stored in supplementalCredentials
 ------------------------------------------------------------
 
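Review bot: "secure as an RODC or when hosting an RODC" leaves unclear which machine must be upgraded; "hosting" should be spelled out as the writable DC the RODC replicates from, and the upgrade advice should say explicitly that both the RODC and its writable partner(s) need to run 4.7 or later, since the referenced bug concerns password disclosure to an RODC when earlier versions are involved. It would also help to name the affected release range instead of "earlier Samba versions", so a reader can tell whether their deployment is affected without following the bugzilla link.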
-- 
2.9.5


From 4c6bec6adcf33971dcbcba8daeff0d46069bf0a9 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 28 Aug 2017 21:37:16 +1200
Subject: [PATCH 4/4] WHATSNEW: We generate SHA256 certificates now

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
 WHATSNEW.txt | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 2c10970..456f59f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -250,6 +250,15 @@ the talloc_autofree_context() (which is inherently thread-unsafe)
 and still be valgrind-clean on exit. Modules that don't need to
 free long-lived data on exit should use the NULL talloc context.
 
+SHA256 LDAPS Certificates
+-------------------------
+
+The self-signed certificate generated for use on LDAPS will now be
+generated with a SHA256 self-signature, not a SHA1 self-signature.
+
+Replacing this certificate with a certificate signed by a trusted
+CA is still highly recommended.
+
 CTDB changes
 ------------
 
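Review bot: the paragraph describes what a new provision gets but not what happens on upgrade; an existing deployment already has a SHA1 self-signed certificate in its private directory, and the text should say whether that certificate is regenerated automatically on upgrade or whether the administrator must remove or replace it (as the following paragraph recommends anyway) to obtain a SHA256-signed one. Without that, administrators may assume the upgrade alone fixes the SHA1 signature.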
-- 
2.9.5
