[Samba] [Announce] Samba 4.18.0rc2 Available for Download

Andrew Bartlett abartlet at samba.org
Fri Feb 3 02:26:11 UTC 2023


With great thanks to testing, funding from and a lab environment
provided by a customer (who can identify themselves if they like ;-), we
have found that:

 * Azure AD Connect cloud sync works with the patches that I wrote and
that are included in this release (and have been backported for the
next 4.17.x).

 * Azure AD Connect works if you put the created user in "Domain
Admins", probably on existing Samba but tested with the patched version.

I personally think that a pure-Samba tool that runs in Python and
doesn't require a Windows server as a proxy is still a better long-term
option, so we can control the stack and much more easily address the
issues.  I strongly support your work and wish it the best of success.

Andrew Bartlett

On Thu, 2023-02-02 at 12:24 +0100, Simon FONTENEAU via samba wrote:
> Hello
> 
> Is it possible to have more details on "Azure Active Directory /
> Office365 synchronisation improvements"?
> 
> I started working on something here:
> https://github.com/sfonteneau/AzureADConnect_Samba4 (WIP)
> 
> To activate a pure Python synchronization without Windows server.
> 
> Couldn't that be necessary anymore?
> 
> Simon Fonteneau
> 
> 
> On 01/02/2023 at 18:50, Jule Anger via samba wrote:
> > Release Announcements
> > =====================
> > 
> > This is the second release candidate of Samba 4.18.  This is *not*
> > intended for production environments and is designed for testing
> > purposes only.  Please report any defects via the Samba bug reporting
> > system at https://bugzilla.samba.org/.
> > 
> > Samba 4.18 will be the next version of the Samba suite.
> > 
> > 
> > UPGRADING
> > =========
> > 
> > 
> > NEW FEATURES/CHANGES
> > ====================
> > 
> > More succinct samba-tool error messages
> > ---------------------------------------
> > 
> > Historically samba-tool has reported user error or misconfiguration by
> > means of a Python traceback, showing you where in its code it noticed
> > something was wrong, but not always exactly what is amiss. Now it
> > tries harder to identify the true cause and restrict its output to
> > describing that. Particular cases include:
> > 
> >  * a username or password is incorrect
> >  * an ldb database filename is wrong (including in smb.conf)
> >  * samba-tool dns: various zones or records do not exist
> >  * samba-tool ntacl: certain files are missing
> >  * the network seems to be down
> >  * bad --realm or --debug arguments
> > 
> > Accessing the old samba-tool messages
> > -------------------------------------
> > 
> > This is not new, but users are reminded they can get the full Python
> > stack trace, along with other noise, by using the argument '-d3'.
> > This may be useful when searching the web.
> > 
> > The intention is that when samba-tool encounters an unrecognised
> > problem (especially a bug), it will still output a Python traceback.
> > If you encounter a problem that has been incorrectly identified by
> > samba-tool, please report it on https://bugzilla.samba.org.
> > 
> > Colour output with samba-tool --color
> > -------------------------------------
> > 
> > For some time a few samba-tool commands have had a
> > --color=yes|no|auto option, which determines whether the command
> > outputs ANSI colour codes. Now all samba-tool commands support this
> > option, which now also accepts 'always' and 'force' for 'yes',
> > 'never' and 'none' for 'no', and 'tty' and 'if-tty' for 'auto' (this
> > more closely matches convention). With --color=auto, or when --color
> > is omitted, colour codes are only used when output is directed to a
> > terminal.
> > 
> > Most commands have very little colour in any case. For those that
> > already used it, the defaults have changed slightly.
> > 
> >  * samba-tool drs showrepl: default is now 'auto', not 'no'
> > 
> >  * samba-tool visualize: the interactions between --color-scheme,
> >    --color, and --output have changed slightly. When --color-scheme is
> >    set it overrides --color for the purpose of the output diagram, but
> >    not for other output like error messages.
> > 
> > New samba-tool dsacl subcommand for deleting ACES
> > -------------------------------------------------
> > 
> > The samba-tool dsacl tool can now delete entries in directory access
> > control lists. The interface for 'samba-tool dsacl delete' is similar
> > to that of 'samba-tool dsacl set', with the difference being that the
> > ACEs described by the --sddl argument are deleted rather than added.
> > 
> > No colour with NO_COLOR environment variable
> > --------------------------------------------
> > 
> > With both samba-tool --color=auto (see above) and some other places
> > where we use ANSI colour codes, the NO_COLOR environment variable will
> > disable colour output. See https://no-color.org/ for a description of
> > this variable. `samba-tool --color=always` will use colour regardless
> > of NO_COLOR.
> > 
> > New wbinfo option --change-secret-at
> > ------------------------------------
> > 
> > The wbinfo command has a new option,
> > --change-secret-at=<DOMAIN CONTROLLER>
> > which forces the trust account password to be changed at a specified
> > domain controller. If the specified domain controller cannot be
> > contacted the password change fails rather than trying other DCs.
> > 
> > New option to change the NT ACL default location
> > ------------------------------------------------
> > 
> > Usually the NT ACLs are stored in the security.NTACL extended
> > attribute (xattr) of files and directories. The new
> > "acl_xattr:security_acl_name" option allows to redefine the default
> > location. The default "security.NTACL" is a protected location, which
> > means the content of the security.NTACL attribute is not accessible
> > from normal users outside of Samba. When this option is set to use a
> > user-defined value, e.g. user.NTACL then any user can potentially
> > access and overwrite this information. The module prevents access to
> > this xattr over SMB, but the xattr may still be accessed by other
> > means (eg local access, SSH, NFS). This option must only be used when
> > this consequence is clearly understood and when specific precautions
> > are taken to avoid compromising the ACL content.
> > 
> > Azure Active Directory / Office365 synchronisation improvements
> > --------------------------------------------------------------
> > 
> > Use of the Azure AD Connect cloud sync tool is now supported for
> > password hash synchronisation, allowing Samba AD Domains to
> > synchronise passwords with this popular cloud environment.
> > 
> > REMOVED FEATURES
> > ================
> > 
> > 
> > smb.conf changes
> > ================
> > 
> >   Parameter Name                          Description     Default
> >   --------------                          -----------     -------
> >   acl_xattr:security_acl_name             New             security.NTACL
> > 
> > 
> > CHANGES SINCE 4.18.0rc1
> > =======================
> > 
> > o  Andrew Bartlett <abartlet at samba.org>
> >    * BUG 10635: Office365 azure Password Sync not working.
> > 
> > o  Stefan Metzmacher <metze at samba.org>
> >    * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
> > 
> > o  Noel Power <noel.power at suse.com>
> >    * BUG 15293: With clustering enabled samba-bgqd can core dump due to
> >      use after free.
> > 
> > 
> > KNOWN ISSUES
> > ============
> > 
> > https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.18#Release_blocking_bugs
> >  
> > 
> > 
> > 
> > #######################################
> > Reporting bugs & Development Discussion
> > #######################################
> > 
> > Please discuss this release on the samba-technical mailing list or by
> > joining the #samba-technical:matrix.org matrix room, or
> > #samba-technical IRC channel on irc.libera.chat
> > 
> > If you do report problems then please try to send high quality
> > feedback. If you don't provide vital information to help us track down
> > the problem then you will probably be ignored.  All bug reports should
> > be filed under the Samba 4.1 and newer product in the project's Bugzilla
> > database (https://bugzilla.samba.org/).
> > 
> > 
> > ======================================================================
> > == Our Code, Our Bugs, Our Responsibility.
> > == The Samba Team
> > ======================================================================
> > 
> > 
> > ================
> > Download Details
> > ================
> > 
> > The uncompressed tarballs and patch files have been signed
> > using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
> > from:
> > 
> >         https://download.samba.org/pub/samba/rc/
> > 
> > The release notes are available online at:
> > 
> > https://download.samba.org/pub/samba/rc/samba-4.18.0rc2.WHATSNEW.txt
> > 
> > Our Code, Our Bugs, Our Responsibility.
> > (https://bugzilla.samba.org/)
> > 
> >                         --Enjoy
> >                         The Samba Team
> > 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
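
Added example (not part of the original message and not Samba's own code): one way to audit smb.conf text for the "acl_xattr:security_acl_name" option described in the quoted release notes, listing every section whose NT ACLs would be stored outside the protected security.NTACL default. The parser, the function names and the sample configuration are constructed for illustration; "include" directives and whether the acl_xattr module is actually loaded are not evaluated.

```python
DEFAULT_NAME = "security.NTACL"          # default named in the release notes
OPTION = "acl_xattr:security_acl_name"   # option named in the release notes


def parse_smb_conf(text):
    """Return {section: {param: value}}; skips comments, joins '\\' continuations."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#;"):
            continue
        line = pending + stripped
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf section and parameter names are not case sensitive
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_ntacl_location(text):
    """List (section, xattr_name, namespace) where the NT ACL xattr is relocated."""
    conf = parse_smb_conf(text)
    inherited = conf.get("global", {}).get(OPTION, DEFAULT_NAME)
    findings = []
    for section, params in conf.items():
        name = params.get(OPTION, inherited)   # a share value overrides [global]
        if name != DEFAULT_NAME:
            findings.append((section, name, name.split(".", 1)[0]))
    return findings


# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
[global]
    vfs objects = acl_xattr
; the next share relocates its NT ACLs into the user.* namespace
[projects]
    path = /srv/projects
    acl_xattr:security_acl_name = user.NTACL
[archive]
    path = /srv/archive
"""

if __name__ == "__main__":
    for section, name, namespace in audit_ntacl_location(SAMPLE):
        print(f"[{section}] NT ACLs stored in {name} (namespace '{namespace}')")
```

Sections reported with the "user" namespace are the case the release notes single out: the ACL blob can be reached by local access, SSH or NFS, so those paths need their own access controls.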





