Release Announcements
=====================
-This is the first preview release of Samba 4.10. This is *not*
+This is the first pre release of Samba 4.17. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
-Samba 4.10 will be the next version of the Samba suite.
+Samba 4.17 will be the next version of the Samba suite.
UPGRADING
NEW FEATURES/CHANGES
====================
-GPO Improvements
-----------------
+Configure without the SMB1 Server
+---------------------------------
-A new 'samba-tool gpo export' command has been added that can export a
-set of Group Policy Objects from a domain in a generalised XML format.
+It is now possible to configure Samba without support for
+the SMB1 protocol in smbd. This can be selected at configure
+time with either of the options:
-A corresponding 'samba-tool gpo restore' command has been added to
-rebuild the Group Policy Objects from the XML after generalization.
-(The administrator needs to correct the values of XML entities between
-the backup and restore to account for the change in domain).
+--with-smb1-server
+--without-smb1-server
-kdc prefork
------------
+By default (without either of these options set) Samba
+is configured to include SMB1 support (i.e. --with-smb1-server
+is the default). When Samba is configured without SMB1 support,
+none of the SMB1 code is included inside smbd except the minimal
+stub code needed to allow a client to connect as SMB1 and immediately
+negotiate the selected protocol into SMB2 (as a Windows server also
+allows).
-The KDC now supports the pre-fork process model and worker processes will be
-forked for the KDC when the pre-fork process model is selected for samba.
+None of the SMB1-only smb.conf parameters are removed when
+configured without SMB1, but these parameters are ignored by
+the smbd server. This allows deployment without having to change
+an existing smb.conf file.
-prefork 'prefork children'
---------------------------
+This option allows sites, OEMs and integrators to configure Samba
+to remove the old and insecure SMB1 protocol from their products.
-The default value for this smdb.conf parameter has been increased from 1 to
-4.
+Note that the Samba client libraries still support SMB1 connections
+even when Samba is configured as --without-smb1-server. This is
+to ensure maximum compatibility with environments containing old
+SMB1 servers.
-netlogon prefork
-----------------
+Bronze bit and S4U support with MIT Kerberos 1.20
+-------------------------------------------------
-DCERPC now supports pre-forked NETLOGON processes. The netlogon processes are
-pre-forked when the prefork process model is selected for samba.
+In 2020 Microsoft Security Response Team received another Kerberos-related
+report. Eventually, that led to a security update of the CVE-2020-17049,
+Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze
+Bit’. With this vulnerability, a compromised service that is configured to use
+Kerberos constrained delegation feature could tamper with a service ticket that
+is not valid for delegation to force the KDC to accept it.
-Offline domain backups
-----------------------
+With the release of MIT Kerberos 1.20, Samba AD DC is able able to mitigate the
+‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was
+changed to allow passing more details between KDC and KDB components. When built
+against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions
+but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.
-The 'samba-tool domain backup' command has been extended with a new 'offline'
-option. This safely creates a backup of the local DC's database directly from
-disk. The main benefits of an offline backup are it's quicker, it stores more
-database details (for forensic purposes), and the samba process does not have
-to be running when the backup is made. Refer to the samba-tool help for more
-details on using this command.
+In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports
+S4U2Self and S4U2Proxy Kerberos extensions.
-Group membership statistics
----------------------------
+Resource Based Constrained Delegation (RBCD) support
+----------------------------------------------------
-A new 'samba-tool group stats' command has been added. This provides summary
-information about how the users are spread across groups in your domain.
-The 'samba-tool group list --verbose' command has also been updated to include
-the number of users in each group.
+Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
+Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.
+Note that samba-tool lacks support for setting this up yet!
-prefork process restart
------------------------
+To complete RBCD support and make it useful to Administrators we added the
+Asserted Identity [1] SID into the PAC for constrained delegation. This is
+available for Samba AD compiled with MIT Kerberos 1.20.
-The pre-fork process model now restarts failed processes. The delay between
-restart attempts is controlled by the "prefork backoff increment" (default = 10)
-and "prefork maximum backoff" (default = 120) smbd.conf parameters. A linear
-back off strategy is used with "prefork backoff increment" added to the
-delay between restart attempts up until it reaches "prefork maximum backoff".
+[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
+
+Customizable DNS listening port
+-------------------------------
+
+It is now possible to set a custom listening port for the builtin DNS service,
+making easy to host another DNS on the same system that would bind to the
+default port and forward the domain-specific queries to Samba using the custom
+port. This is the opposite configuration of setting a forwarder in Samba.
+
+It makes possible to use another DNS server as a front and forward to Samba.
+
+Dynamic DNS updates may not be proxied by the front DNS server when forwarding
+to Samba. Dynamic DNS update proxying depends on the features of the other DNS
+server used as a front.
+
+CTDB changes
+------------
+
+* When Samba is configured with both --with-cluster-support and
+ --systemd-install-services then a systemd service file for CTDB will
+ be installed.
+
+* ctdbd_wrapper has been removed. ctdbd is now started directly from
+ a systemd service file or init script.
+
+* The syntax for the ctdb.tunables configuration file has been
+ relaxed. However, trailing garbage after the value, including
+ comments, is no longer permitted. Please see ctdb-tunables(7) for
+ more details.
-Using the default sequence the restart delays (in seconds) are:
- 0, 10, 20, ..., 120, 120, ...
REMOVED FEATURES
================
-samba_backup
-------------
+LanMan Authentication and password storage removed from the AD DC
+-----------------------------------------------------------------
-The samba_backup script has been removed. This has now been replaced by the
-'samba-tool domain backup offline' command.
+The storage and authentication with LanMan passwords has been entirely
+removed from the Samba AD DC, even when "lanman auth = yes" is set.
smb.conf changes
================
- Parameter Name Description Default
- -------------- ----------- -------
- prefork backoff increment Delay added to process restart 10 (seconds)
- between attempts.
- prefork maximum backoff Maximum delay for process between 120 (seconds)
- process restart attempts
+ Parameter Name Description Default
+ -------------- ----------- -------
+ dns port New default 53
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.10#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.17#Release_blocking_bugs
#######################################
#######################################
Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.freenode.net.
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
git.samba.org / samba.git / blobdiff