Release Announcements
=====================
-This is the first preview release of Samba 4.11. This is *not*
+This is the first pre release of Samba 4.17. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.11 will be the next version of the Samba suite.
+Samba 4.17 will be the next version of the Samba suite.
UPGRADING
NEW FEATURES/CHANGES
====================
-Default samba process model
----------------------------
-
-The default for the --model argument passed to the samba executable has changed
-from 'standard' to 'prefork'. This means a difference in the number of samba
-child processes that are created to handle client connections. The previous
-default would create a separate process for every LDAP or NETLOGON client
-connection. For a network with a lot of persistent client connections, this
-could result in significant memory overhead. Now, with the new default of
-'prefork', the LDAP, NETLOGON, and KDC services will create a fixed number of
-worker processes at startup and share the client connections amongst these
-workers. The number of worker processes can be configured by the 'prefork
-children' setting in the smb.conf (the default is 4).
-
-Authentication Logging.
------------------------
-
-Winbind now logs PAM_AUTH and NTLM_AUTH events, a new attribute "logonId" has
-been added to the Authentication JSON log messages. This contains a random
-logon id that is generated for each PAM_AUTH and NTLM_AUTH request and is passed
-to SamLogon, linking the windbind and SamLogon requests.
-
-The serviceDescription of the messages is set to "winbind", the authDescription
-is set to one of:
- "PASSDB, <command>, <pid>"
- "PAM_AUTH, <command>, <pid>"
- "NTLM_AUTH, <command>, <pid>"
-where:
- <command> is the name of the command makinmg the winbind request i.e. wbinfo
- <pid> is the process id of the requesting process.
-
-The version of the JSON Authentication messages has been changed to 1.2 from 1.1
-
-LDAP referrals
---------------
-
-The scheme of returned LDAP referrals now reflects the scheme of the original
-request, i.e. referrals received via ldap are prefixed with "ldap://"
-and those over ldaps are prefixed with "ldaps://"
-
-Previously all referrals were prefixed with "ldap://"
-
-Bind9 logging
--------------
-
-It is now possible to log the duration of DNS operations performed by Bind9
-This should aid future diagnosis of performance issues, and could be used to
-monitor DNS performance. The logging is enabled by setting log level to
-"dns:10" in smb.conf
-
-The logs are currently Human readable text only, i.e. no JSON formatted output.
-
-Log lines are of the form:
-
- <function>: DNS timing: result: [<result>] duration: (<duration>)
- zone: [<zone>] name: [<name>] data: [<data>]
-
- durations are in microseconds.
-
-Default schema updated to 2012_R2
+Configure without the SMB1 Server
---------------------------------
-Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level
-is not yet available. Older schemas can be used by provisioning with the
-'--base-schema' argument. Existing installations can be updated with the
-samba-tool command "domain schemaupgrade".
-
-Samba's replication code has also been improved to handle replication
-with the 2012 schema (the core of this replication fix has also been
-backported to 4.9.11 and will be in a 4.10.x release).
-
-GnuTLS 3.2 required
--------------------
-
-Samba is making efforts to remove in-tree cryptographic functionality,
-and to instead rely on externally maintained libraries. To this end,
-Samba has chosen GnuTLS as our standard cryptographic provider.
+It is now possible to configure Samba without support for
+the SMB1 protocol in smbd. This can be selected at configure
+time with either of the options:
-Samba now requires GnuTLS 3.2 to be installed (including development
-headers at build time) for all configurations, not just the Samba AD
-DC.
+--with-smb1-server
+--without-smb1-server
-NOTE WELL: The use of GnuTLS means that Samba will honour the
-system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
-standard) and so will not operate in many still common situations if
-this system-wide parameter is in effect, as many of our protocols rely
-on outdated cryptography.
+By default (without either of these options set) Samba
+is configured to include SMB1 support (i.e. --with-smb1-server
+is the default). When Samba is configured without SMB1 support,
+none of the SMB1 code is included inside smbd except the minimal
+stub code needed to allow a client to connect as SMB1 and immediately
+negotiate the selected protocol into SMB2 (as a Windows server also
+allows).
-A future Samba version will mitigate this to some extent where good
-cryptography effectively wraps bad cryptography, but for now that above
-applies.
+None of the SMB1-only smb.conf parameters are removed when
+configured without SMB1, but these parameters are ignored by
+the smbd server. This allows deployment without having to change
+an existing smb.conf file.
-samba-tool improvements
------------------------
+This option allows sites, OEMs and integrators to configure Samba
+to remove the old and insecure SMB1 protocol from their products.
-A new "samba-tool contact" command has been added to allow the
-command-line manipulation of contacts, as used for address book
-lookups in LDAP.
+Note that the Samba client libraries still support SMB1 connections
+even when Samba is configured as --without-smb1-server. This is
+to ensure maximum compatibility with environments containing old
+SMB1 servers.
-The "samba-tool [user|group|computer|group|contact] edit" command has been
-improved to operate more pleasantly on international character sets.
+Bronze bit and S4U support with MIT Kerberos 1.20
+-------------------------------------------------
-100,000 USER and LARGER Samba AD DOMAINS
-========================================
+In 2020 Microsoft Security Response Team received another Kerberos-related
+report. Eventually, that led to a security update of the CVE-2020-17049,
+Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze
+Bit’. With this vulnerability, a compromised service that is configured to use
+Kerberos constrained delegation feature could tamper with a service ticket that
+is not valid for delegation to force the KDC to accept it.
-Extensive efforts have been made to optimise Samba for use in
-organisations (for example) targeting 100,000 users, plus 120,000
-computer objects, as well as large number of group memberships.
+With the release of MIT Kerberos 1.20, Samba AD DC is able able to mitigate the
+‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was
+changed to allow passing more details between KDC and KDB components. When built
+against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions
+but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.
-Many of the specific efforts are detailed below, but the net results
-is to remove barriers to significantly larger Samba deployments
-compared to previous releases.
+In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports
+S4U2Self and S4U2Proxy Kerberos extensions.
-Reindex performance improvements
---------------------------------
+Resource Based Constrained Delegation (RBCD) support
+----------------------------------------------------
-The performance of samba-tool dbcheck --reindex has been improved,
-especially for large domains.
+Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
+Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.
+Note that samba-tool lacks support for setting this up yet!
-join performance improvements
------------------------------
+To complete RBCD support and make it useful to Administrators we added the
+Asserted Identity [1] SID into the PAC for constrained delegation. This is
+available for Samba AD compiled with MIT Kerberos 1.20.
-The performance of samba-tool domain join has been improved,
-especially for large domains.
+[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
-LDAP Server memory improvements
+Customizable DNS listening port
-------------------------------
-The LDAP server has improved memory efficiency, ensuring that large
-LDAP responses (for example a search for all objects) is not copied
-multiple times into memory.
-
-Setting lmdb map size
----------------------
-
-It is now possible to set the lmdb map size (The maximum permitted
-size for the database). "samba-tool" now accepts the
-"--backend-store-size" i.e. --backend-store-size=4Gb. If not
-specified it defaults to 8Gb.
-
-This option is avaiable for the following sub commands:
- * domain provision
- * domain join
- * domain dcpromo
- * drs clone-dc-database
-
-LDB "batch_mode"
-----------------
-
-To improve performance during batch operations i.e. joins, ldb now
-accepts a "batch_mode" option. However to prevent any index or
-database inconsistencies if an operation fails, the entire transaction
-will be aborted at commit.
+It is now possible to set a custom listening port for the builtin DNS service,
+making easy to host another DNS on the same system that would bind to the
+default port and forward the domain-specific queries to Samba using the custom
+port. This is the opposite configuration of setting a forwarder in Samba.
-New LDB pack format
--------------------
+It makes possible to use another DNS server as a front and forward to Samba.
-On first use (startup of 'samba' or the first transaction write)
-Samba's sam.ldb will be updated to a new more efficient pack format.
-This will take a few moments.
-
-New LDB <= and >= index mode to improve replication performance
----------------------------------------------------------------
-
-As well as a new pack format, Samba's sam.ldb uses a new index format
-allowing Samba to efficiently select objects changed since the last
-replication cycle. This in turn improves performance during
-replication of large domains.
-
-Improvements to ldb search performance
---------------------------------------
-
-Search performance on large LDB databases has been improved by
-reducing memory allocations made on each object.
-
-Improvements to subtree rename performance
-------------------------------------------
-
-Improvements have been made to Samba's handling of subtree renames,
-for example of containers and organisational units, however large
-renames are still not recommended.
+Dynamic DNS updates may not be proxied by the front DNS server when forwarding
+to Samba. Dynamic DNS update proxying depends on the features of the other DNS
+server used as a front.
CTDB changes
-============
-
-* nfs-linux-kernel-callout now defaults to using systemd service names
-
- The Red Hat service names continue to be the default.
-
- Other distributions should patch this file when packaging it.
-
-* The onnode -o option has been removed
+------------
-* ctdbd logs when it is using more than 90% of a CPU thread
+* When Samba is configured with both --with-cluster-support and
+ --systemd-install-services then a systemd service file for CTDB will
+ be installed.
- ctdbd is single threaded, so can become saturated if it uses the
- full capacity of a CPU thread. To help detect this situation, ctdbd
- now logs messages when CPU utilisation exceeds 90%. Each change in
- CPU utilisation over 90% is logged. A message is also logged when
- CPU utilisation drops below the 90% threshold.
+* ctdbd_wrapper has been removed. ctdbd is now started directly from
+ a systemd service file or init script.
-* Script configuration variable CTDB_MONITOR_SWAP_USAGE has been removed
-
- 05.system.script now monitors total memory (i.e. physical memory +
- swap) utilisation using the existing CTDB_MONITOR_MEMORY_USAGE
- script configuration variable.
+* The syntax for the ctdb.tunables configuration file has been
+ relaxed. However, trailing garbage after the value, including
+ comments, is no longer permitted. Please see ctdb-tunables(7) for
+ more details.
REMOVED FEATURES
================
-Web server
-----------
-
-As a leftover from work related to the Samba Web Administration Tool (SWAT),
-Samba still supported a Python WSGI web server (which could still be turned on
-from the 'server services' smb.conf parameter). This service was unused and has
-now been removed from Samba.
-
-
-samba-tool join subdommain
---------------------------
-
-The subdommain role has been removed from the join command. This option did
-not work and has no tests.
-
+LanMan Authentication and password storage removed from the AD DC
+-----------------------------------------------------------------
-Python2 support
----------------
-
-Samba 4.11 will not have any runtime support for Python 2.
-
-If you are building Samba using the '--disable-python' option
-(i.e. you're excluding all the run-time Python support), then this
-will continue to work on a system that supports either python2 or
-python3.
-
-To build Samba with python2 you *must* set the 'PYTHON' environment
-variable for both the 'configure' and 'make' steps, i.e.
- 'PYTHON=python2 ./configure'
- 'PYTHON=python2 make'
-This will override the python3 default.
-
-Except for this specific build-time use of python2, Samba now requires
-Python 3.4 as a minimum.
+The storage and authentication with LanMan passwords has been entirely
+removed from the Samba AD DC, even when "lanman auth = yes" is set.
smb.conf changes
================
- Parameter Name Description Default
- -------------- ----------- -------
-
- allocation roundup size Default changed/ 0
- Deprecated
- web port Removed
- fruit:zero_file_id Changed default False
+ Parameter Name Description Default
+ -------------- ----------- -------
+ dns port New default 53
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.11#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.17#Release_blocking_bugs
#######################################
#######################################
Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.freenode.net.
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down