This is the first release candidate of Samba 4.20. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.20 will be the next version of the Samba suite.

New Minimum MIT Krb5 version for Samba AD Domain Controller
-----------------------------------------------------------

Samba now requires MIT 1.21 when built against a system MIT Krb5 and
acting as an Active Directory DC. This addresses the issues that were
fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that
Samba builds against the MIT version that allows us to avoid that

Removed dependency on Perl JSON module
--------------------------------------

Distributions are advised that the Perl JSON package is no longer
required by Samba builds that use the imported Heimdal. The build
instead uses Perl's JSON::PP built into recent perl5 versions.

Current lists of packages required by Samba for major distributions
are found in the bootstrap/generated-dists/ directory of a Samba
source tree. While there will be some differences - due to features
chosen by packagers - comparing these lists with the build dependencies
in a package may locate other dependencies we no longer require.

samba-tool user getpassword / syncpasswords ;rounds= change
-----------------------------------------------------------

The password access tool "samba-tool user getpassword" and the
password sync tool "samba-tool user syncpasswords" allow attributes to
be chosen for output, and accept parameters like
pwdLastSet;format=GeneralizedTime

These attributes then appear, in the same format, as the attributes in
the LDIF output. This was not the case for the ;rounds= parameter of
virtualCryptSHA256 and virtualCryptSHA512, for example as
--attributes="virtualCryptSHA256;rounds=50000"

This release makes the behaviour consistent between these two
features. Installations using GPG-encrypted passwords (or plaintext
storage) and the rounds= option, will find the output has changed

  virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

  virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF
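
For scripts that consume this LDIF output, the following added example (not part of the Samba release notes and not Samba's own code) reads the crypt value under either form of the attribute name. The function name and the sample records are constructed for illustration; the hash is the sample value shown above.

```python
import base64
import re

# "virtualCryptSHA256" / "virtualCryptSHA512", optionally followed by the
# ";rounds=N" option that now appears in the attribute name.
ATTR_RE = re.compile(r"^(virtualCryptSHA(?:256|512))(?:;rounds=(\d+))?$")


def crypt_hashes(ldif_text):
    """Return [(base_attribute, rounds_or_None, value)] found in LDIF text.

    Hypothetical helper: accepts the attribute name with or without the
    option, unfolds continuation lines and decodes base64 ("::") values.
    """
    # LDIF folds long lines; a continuation line starts with one space.
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    found = []
    for line in unfolded:
        name, sep, value = line.partition(":")
        match = ATTR_RE.match(name)
        if not sep or not match:
            continue
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        rounds = int(match.group(2)) if match.group(2) else None
        found.append((match.group(1), rounds, value))
    return found


# Constructed sample records (the DN is a placeholder).
DN = "dn: CN=user,CN=Users,DC=example,DC=com\n"
HASH = "{CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF"
OLD_STYLE = DN + "virtualCryptSHA256: " + HASH + "\n"
NEW_STYLE = DN + "virtualCryptSHA256;rounds=2561: " + HASH + "\n"

if __name__ == "__main__":
    print(crypt_hashes(OLD_STYLE))
    print(crypt_hashes(NEW_STYLE))
```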

Group Managed service account client-side features
--------------------------------------------------

samba-tool has been extended to provide client-side support for Group
Managed Service accounts. These accounts have passwords that change
automatically, giving the advantages of service isolation without risk
of poor, unchanging passwords.

Where possible, Samba's existing samba-tool password handling
commands, which in the past have only operated against the local
sam.ldb, have been extended to permit operation against a remote server
with authenticated access to "-H ldap://$DCNAME".

Supported operations include:
 - reading the current and previous gMSA password via
   "samba-tool user getpassword"
 - writing a Kerberos Ticket Granting Ticket (TGT) to a local
   credentials cache with a new command
   "samba-tool user get-kerberos-ticket"

New Windows Search Protocol Client
----------------------------------

Samba now by default builds a new experimental Windows Search Protocol
(WSP) command-line client, "wspsearch".

The "wspsearch" command-line utility allows a WSP search request to be
sent to a server (such as a Windows server) that has the Windows Search
Protocol (WSP) service configured and enabled.

For more details see the wspsearch man page.

Allow 'smbcacls' to save/restore DACLs to file
----------------------------------------------

'smbcacls' has been extended to allow DACLs to be saved and restored
to/from a file. This feature mimics the functionality that the Windows
command-line tool 'icacls.exe' provides. Additionally, files created
either by 'smbcacls' or 'icacls.exe' are interchangeable and can be used
by either tool, as the same file format is used.

New options added are:
 - '--save savefile'    Saves DACLs in SDDL format to file
 - '--recurse'          Performs the '--save' operation above on directory
                        and all files/directories below.
 - '--restore savefile' Restores the stored DACLs to files in directory

Conditional ACEs and Resource Attribute ACEs
--------------------------------------------

Ordinary Access Control Entries (ACEs) unconditionally allow or deny
access to a given user or group. Conditional ACEs have an additional
section that describes conditions under which the ACE applies. If the
conditional expression is true, the ACE works like an ordinary ACE,
otherwise it is ignored. The condition terms can refer to claims,
group memberships, and attributes on the object itself. These
attributes are described in Resource Attribute ACEs that occur in the
object's System Access Control List (SACL). Conditional ACEs are
described in Microsoft documentation.
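
To see which entries of a security descriptor are conditional or resource attribute ACEs, the following added example (not Samba's parser and not part of the release notes) splits a descriptor written in Security Descriptor Definition Language (SDDL) into ACEs and classifies each by its ACE type code. The sample descriptor is constructed, and the code assumes string literals contain no raw double-quote character.

```python
# ACE type codes from the SDDL ACE string syntax (Microsoft documentation).
CONDITIONAL = {"XA", "XD", "XU", "ZA"}  # callback ACEs carry a condition
RESOURCE_ATTRIBUTE = "RA"               # attribute description on the object


def split_aces(sddl):
    """Return the text inside each top-level "(...)" of an SDDL string.

    Conditions nest parentheses and may contain them inside string
    literals, so splitting on ")(" is not enough.
    """
    aces, depth, in_string, start = [], 0, False, 0
    for i, ch in enumerate(sddl):
        if ch == '"':
            in_string = not in_string
        elif in_string:
            continue
        elif ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' at offset %d" % i)
            if depth == 0:
                aces.append(sddl[start:i])
    if depth or in_string:
        raise ValueError("unterminated ACE or string literal")
    return aces


def classify(ace):
    """Return (kind, ace_type, trailing_field_or_None) for one ACE body."""
    # type;flags;rights;object;inherited-object;trustee[;condition or data]
    fields = ace.split(";", 6)
    if len(fields) < 6:
        raise ValueError("too few fields in ACE: %r" % ace)
    extra = fields[6].strip() if len(fields) == 7 else None
    if fields[0] in CONDITIONAL:
        return ("conditional", fields[0], extra)
    if fields[0] == RESOURCE_ATTRIBUTE:
        return ("resource-attribute", fields[0], extra)
    return ("ordinary", fields[0], extra)


# Constructed sample: one ordinary ACE, one conditional ACE, one RA ACE.
SAMPLE = ('D:(A;;FA;;;SY)(XA;;FR;;;AU;((@User.dept == "ops (eu)") && '
          '(@Resource.colour == "blue")))S:(RA;;;;;WD;("colour",TS,0,"blue"))')
```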

Conditional ACE evaluation is controlled by the "acl claims
evaluation" smb.conf option. The default value is "AD DC only" which
enables them in AD DC settings. The other option is "never", which
disables them altogether. There is currently no option to enable them
on the file server (this is likely to change in future releases).

The Security Descriptor Definition Language has extensions for
conditional ACEs and resource attribute ACEs; these are now supported

Get locally logged on users from utmp
-------------------------------------

The Workstation Service Remote Protocol [MS-WKST] calls NetWkstaGetInfo
level 102 and NetWkstaEnumUsers level 0 and 1 return the list of locally
logged on users. Samba was getting the list from utmp, which is not
Y2038 safe. This feature has been completely removed and Samba will
always return an empty list.

  Parameter Name                          Description     Default
  --------------                          -----------     -------
  smb3 unix extensions                    Per share       -
  acl claims evaluation                   new             AD DC only

https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.20#Release_blocking_bugs

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
======================================================================