[Announce] Samba 4.17.0rc4 Available for Download
Denis CARDON
dcardon at tranquil.it
Wed Aug 31 07:38:21 UTC 2022
Hi Jule,
it seems that the patch
0001-WHATSNEW-Document-new-Protected-Users-group.patch [1] from Joseph
has not been merged into this latest WHATSNEW. Is there a reason for that?
Cheers,
Denis
[1] https://lists.samba.org/archive/samba-technical/2022-August/137558.html
Le 30/08/2022 à 17:12, Jule Anger via samba-technical a écrit :
> Release Announcements
> =====================
>
> This is the fourth release candidate of Samba 4.17. This is *not*
> intended for production environments and is designed for testing
> purposes only. Please report any defects via the Samba bug reporting
> system at https://bugzilla.samba.org/.
>
> Samba 4.17 will be the next version of the Samba suite.
>
>
> UPGRADING
> =========
>
>
> NEW FEATURES/CHANGES
> ====================
>
> SMB Server performance improvements
> -----------------------------------
>
> The security improvements in recent releases
> (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
> caused performance regressions for meta data heavy workloads.
>
> With 4.17 the situation improved a lot again:
>
> - Pathnames given by a client are devided into dirname and basename.
> The amount of syscalls to validate dirnames is reduced to 2 syscalls
> (openat, close) per component. On modern Linux kernels (>= 5.6) smbd
> makes use of the openat2() syscall with RESOLVE_NO_SYMLINKS,
> in order to just use 2 syscalls (openat2, close) for the whole dirname.
>
> - Contended path based operations used to generate a lot of unsolicited
> wakeup events causing thundering herd problems, which lead to masive
> latencies for some clients. These events are now avoided in order
> to provide stable latencies and much higher throughput of open/close
> operations.
>
> Configure without the SMB1 Server
> ---------------------------------
>
> It is now possible to configure Samba without support for
> the SMB1 protocol in smbd. This can be selected at configure
> time with either of the options:
>
> --with-smb1-server
> --without-smb1-server
>
> By default (without either of these options set) Samba
> is configured to include SMB1 support (i.e. --with-smb1-server
> is the default). When Samba is configured without SMB1 support,
> none of the SMB1 code is included inside smbd except the minimal
> stub code needed to allow a client to connect as SMB1 and immediately
> negotiate the selected protocol into SMB2 (as a Windows server also
> allows).
>
> None of the SMB1-only smb.conf parameters are removed when
> configured without SMB1, but these parameters are ignored by
> the smbd server. This allows deployment without having to change
> an existing smb.conf file.
>
> This option allows sites, OEMs and integrators to configure Samba
> to remove the old and insecure SMB1 protocol from their products.
>
> Note that the Samba client libraries still support SMB1 connections
> even when Samba is configured as --without-smb1-server. This is
> to ensure maximum compatibility with environments containing old
> SMB1 servers.
>
> Bronze bit and S4U support with MIT Kerberos 1.20
> -------------------------------------------------
>
> In 2020 Microsoft Security Response Team received another Kerberos-related
> report. Eventually, that led to a security update of the CVE-2020-17049,
> Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze
> Bit’. With this vulnerability, a compromised service that is configured
> to use
> Kerberos constrained delegation feature could tamper with a service
> ticket that
> is not valid for delegation to force the KDC to accept it.
>
> With the release of MIT Kerberos 1.20, Samba AD DC is able able to
> mitigate the
> ‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver)
> API was
> changed to allow passing more details between KDC and KDB components.
> When built
> against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20
> versions
> but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.
>
> In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully
> supports
> S4U2Self and S4U2Proxy Kerberos extensions.
>
> Resource Based Constrained Delegation (RBCD) support
> ----------------------------------------------------
>
> Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
> Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.
> Note that samba-tool lacks support for setting this up yet!
>
> To complete RBCD support and make it useful to Administrators we added the
> Asserted Identity [1] SID into the PAC for constrained delegation. This is
> available for Samba AD compiled with MIT Kerberos 1.20.
>
> [1]
> https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
>
> Customizable DNS listening port
> -------------------------------
>
> It is now possible to set a custom listening port for the builtin DNS
> service,
> making easy to host another DNS on the same system that would bind to the
> default port and forward the domain-specific queries to Samba using the
> custom
> port. This is the opposite configuration of setting a forwarder in Samba.
>
> It makes possible to use another DNS server as a front and forward to
> Samba.
>
> Dynamic DNS updates may not be proxied by the front DNS server when
> forwarding
> to Samba. Dynamic DNS update proxying depends on the features of the
> other DNS
> server used as a front.
>
> CTDB changes
> ------------
>
> * When Samba is configured with both --with-cluster-support and
> --systemd-install-services then a systemd service file for CTDB will
> be installed.
>
> * ctdbd_wrapper has been removed. ctdbd is now started directly from
> a systemd service file or init script.
>
> * The syntax for the ctdb.tunables configuration file has been
> relaxed. However, trailing garbage after the value, including
> comments, is no longer permitted. Please see ctdb-tunables(7) for
> more details.
>
> Operation without the (unsalted) NT password hash
> -------------------------------------------------
>
> When Samba is configured with 'nt hash store = never' then Samba will
> no longer store the (unsalted) NT password hash for users in Active
> Directory. (Trust accounts, like computers, domain controllers and
> inter-domain trusts are not impacted).
>
> In the next version of Samba the default for 'nt hash store' will
> change from 'always' to 'auto', where it will follow (behave as 'nt
> hash store = never' when 'ntlm auth = disabled' is set.
>
> Security-focused deployments of Samba that have eliminated NTLM from
> their networks will find setting 'ntlm auth = disabled' with 'nt hash
> store = always' as a useful way to improve compliance with
> best-practice guidance on password storage (which is to always use an
> interated hash).
>
> Note that when 'nt hash store = never' is set, then arcfour-hmac-md5
> Kerberos keys will not be available for users who subsequently change
> their password, as these keys derive their values from NT hashes. AES
> keys are stored by default for all deployments of Samba with Domain
> Functional Level 2008 or later, are supported by all modern clients,
> and are much more secure.
>
> Finally, also note that password history in Active Directory is stored
> in nTPwdHistory using a series of NT hash values. Therefore the full
> password history feature is not available in this mode.
>
> To provide some protection against password re-use previous Kerberos
> hash values (the current, old and older values are already stored) are
> used, providing a history length of 3.
>
> There is one small limitation of this workaround: Changing the
> sAMAccountName, userAccountControl or userPrincipalName of an account
> can cause the Kerberos password salt to change. This means that after
> *both* an account rename and a password change, only the current
> password will be recognised for password history purposes.
>
> Python API for smbconf
> ----------------------
>
> Samba's smbconf library provides a generic frontend to various
> configuration backends (plain text file, registry) as a C library. A
> new Python wrapper, importable as 'samba.smbconf' is available. An
> additional module, 'samba.samba3.smbconf', is also available to enable
> registry backend support. These libraries allow Python programs to
> read, and optionally write, Samba configuration natively.
>
> JSON support for smbstatus
> --------------------------
>
> It is now possible to print detailed information in JSON format in
> the smbstatus program using the new option --json. The JSON output
> covers all the existing text output including sessions, connections,
> open files, byte-range locks, notifies and profile data with all
> low-level information maintained by Samba in the respective databases.
>
>
> REMOVED FEATURES
> ================
>
> LanMan Authentication and password storage removed from the AD DC
> -----------------------------------------------------------------
>
> The storage and authentication with LanMan passwords has been entirely
> removed from the Samba AD DC, even when "lanman auth = yes" is set.
>
> smb.conf changes
> ================
>
> Parameter Name Description Default
> -------------- ----------- -------
> dns port New default 53
> nt hash store New parameter always
> volume serial number New parameter -1
>
> CHANGES SINCE 4.17.0rc3
> =======================
>
> o Anoop C S <anoopcs at samba.org>
> * BUG 15157: Make use of glfs_*at() API calls in vfs_glusterfs.
>
>
> CHANGES SINCE 4.17.0rc2
> =======================
>
> o Jeremy Allison <jra at samba.org>
> * BUG 15128: Possible use after free of connection_struct when
> iterating
> smbd_server_connection->connections.
>
> o Christian Ambach <ambi at samba.org>
> * BUG 15145: `net usershare add` fails with flag works with --long
> but fails
> with -l.
>
> o Ralph Boehme <slow at samba.org>
> * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
> permissions instead of ACL from xattr.
>
> o Stefan Metzmacher <metze at samba.org>
> * BUG 15125: Performance regression on contended path based operations.
> * BUG 15148: Missing READ_LEASE break could cause data corruption.
>
> o Andreas Schneider <asn at samba.org>
> * BUG 15141: libsamba-errors uses a wrong version number.
>
> o Joseph Sutton <josephsutton at catalyst.net.nz>
> * BUG 15152: SMB1 negotiation can fail to handle connection errors.
>
>
> CHANGES SINCE 4.17.0rc1
> =======================
>
> o Jeremy Allison <jra at samba.org>
> * BUG 15143: New filename parser doesn't check veto files smb.conf
> parameter.
> * BUG 15144: 4.17.rc1 still uses symlink-race prone unix_convert()
> * BUG 15146: Backport fileserver related changed to 4.17.0rc2
>
> o Jule Anger <janger at samba.org>
> * BUG 15147: Manpage for smbstatus json is missing
>
> o Volker Lendecke <vl at samba.org>
> * BUG 15146: Backport fileserver related changed to 4.17.0rc2
>
> o Stefan Metzmacher <metze at samba.org>
> * BUG 15125: Performance regression on contended path based operations
> * BUG 15146: Backport fileserver related changed to 4.17.0rc2
>
> o Andreas Schneider <asn at samba.org>
> * BUG 15140: Fix issues found by coverity in smbstatus json code
> * BUG 15146: Backport fileserver related changed to 4.17.0rc2
>
>
> KNOWN ISSUES
> ============
>
> https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.17#Release_blocking_bugs
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical:matrix.org matrix room, or
> #samba-technical IRC channel on irc.libera.chat
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored. All bug reports should
> be filed under the Samba 4.1 and newer product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
>
>
> ================
> Download Details
> ================
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID AA99442FB680B620). The source code can be downloaded
> from:
>
> https://download.samba.org/pub/samba/rc/
>
> The release notes are available online at:
>
> https://download.samba.org/pub/samba/rc/samba-4.17.0rc4.WHATSNEW.txt
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
> --Enjoy
> The Samba Team
>
More information about the samba-technical
mailing list