  2. RHEL-33591

Rebase Samba to the latest 4.20.x release


      NEW FEATURES/CHANGES
      ====================

      New Minimum MIT Krb5 version for Samba AD Domain Controller
      -----------------------------------------------------------

      Samba now requires MIT 1.21 when built against a system MIT Krb5 and
      acting as an Active Directory DC. This addresses the issues that were
      fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that
      Samba builds against the MIT version that allows us to avoid that
      attack.

      Removed dependency on Perl JSON module
      --------------------------------------

      Distributions are advised that the Perl JSON package is no longer
      required by Samba builds that use the imported Heimdal. The build
      instead uses Perl's JSON::PP built into recent perl5 versions.

      Current lists of packages required by Samba for major distributions
      are found in the bootstrap/generated-dists/ directory of a Samba
      source tree. While there will be some differences - due to features
      chosen by packagers - comparing these lists with the build dependencies
      in a package may locate other dependencies we no longer require.

      samba-tool user getpassword / syncpasswords ;rounds= change
      -----------------------------------------------------------

      The password access tool "samba-tool user getpassword" and the
      password sync tool "samba-tool user syncpasswords" allow attributes to
      be chosen for output, and accept parameters like
      pwdLastSet;format=GeneralizedTime

      These attributes then appear, in the same format, as the attributes in
      the LDIF output. This was not the case for the ;rounds= parameter of
      virtualCryptSHA256 and virtualCryptSHA512, for example as
      --attributes="virtualCryptSHA256;rounds=50000"

      This release makes the behaviour consistent between these two
      features. Installations using GPG-encrypted passwords (or plaintext
      storage) and the rounds= option will find the output has changed

      from:
      virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

      to:
      virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

      Group Managed service account client-side features
      --------------------------------------------------

      samba-tool has been extended to provide client-side support for Group
      Managed Service accounts. These accounts have passwords that change
      automatically, giving the advantages of service isolation without risk
      of poor, unchanging passwords.

      Where possible, Samba's existing samba-tool password handling
      commands, which in the past have only operated against the local
      sam.ldb, have been extended to permit operation against a remote
      server with authenticated access via "-H ldap://$DCNAME".

      Supported operations include:

      • reading the current and previous gMSA password via
        "samba-tool user getpassword"
      • writing a Kerberos Ticket Granting Ticket (TGT) to a local
        credentials cache with a new command
        "samba-tool user get-kerberos-ticket"

      New Windows Search Protocol Client
      ----------------------------------

      Samba now builds by default a new, experimental Windows Search
      Protocol (WSP) command line client, "wspsearch".

      The "wspsearch" command line utility allows a WSP search request to be
      sent to a server (such as a Windows server) that has the Windows
      Search Protocol (WSP) service configured and enabled.

      For more details see the wspsearch man page.

      Allow 'smbcacls' to save/restore DACLs to file
      --------------------------------------------

      'smbcacls' has been extended to allow DACLs to be saved to and
      restored from a file. This feature mimics the functionality that the
      Windows command line tool 'icacls.exe' provides. Additionally, files
      created either by 'smbcacls' or 'icacls.exe' are interchangeable and
      can be used by either tool, as the same file format is used.

      New options added are:

      • '--save savefile' Saves DACLs in SDDL format to the file
      • '--recurse' Performs the '--save' operation above on the directory
        and all files/directories below it.
      • '--restore savefile' Restores the stored DACLs to files in the directory

      Samba-tool extensions for AD Claims, Authentication Policies and Silos
      ----------------------------------------------------------------------

      samba-tool now allows users to be associated with claims. In the
      Samba AD DC, claims derive from Active Directory attributes mapped
      into specific names. These claims can be used in rules, which are
      conditional ACEs in a security descriptor, that decide if a user is
      restricted by an authentication policy.

      samba-tool also allows the creation and management of authentication
      policies, which are rules about where a user may authenticate from,
      if NTLM is permitted, and what services a user may authenticate to.

      Finally, support is added for the creation and management of
      authentication silos, which are helpful in defining network boundaries
      by grouping users and the services they connect to.

      Please note: The command line syntax for these tools is not final, and
      may change before the next release, as we gain user feedback. The
      syntax will be locked in once Samba offers 2016 AD Functional Level as
      a default.

      AD DC support for Authentication Silos and Authentication Policies
      ------------------------------------------------------------------

      The Samba AD DC now also honours any existing claims, authentication
      policy and authentication silo configuration previously created (e.g.
      from an import of a Microsoft AD), as well as new configurations
      created with samba-tool. The use of Microsoft's PowerShell based
      client tools is not expected to work.

      To use this feature, the functional level must be set to 2012_R2 or
      later with:

      ad dc functional level = 2016

      in the smb.conf.

      The smb.conf file on each DC must have 'ad dc functional level = 2016'
      set to have the partially complete feature available. This will also,
      at first startup, update the server's own AD entry with the configured
      functional level.

      For new domains, add these parameters to 'samba-tool provision'

      --option="ad dc functional level = 2016" --function-level=2016

      The second option, setting the overall domain functional level
      indicates that all DCs should be at this functional level.

      To raise the domain functional level of an existing domain, after
      updating the smb.conf and restarting Samba run
      samba-tool domain schemaupgrade --schema=2019
      samba-tool domain functionalprep --function-level=2016
      samba-tool domain level raise --domain-level=2016 --forest-level=2016

      This support is still new, so is not enabled by default in this
      release. The above instructions are set at 2016, which while not
      complete, matches what our testing environment validates.

      Conditional ACEs and Resource Attribute ACEs
      --------------------------------------------

      Ordinary Access Control Entries (ACEs) unconditionally allow or deny
      access to a given user or group. Conditional ACEs have an additional
      section that describes conditions under which the ACE applies. If the
      conditional expression is true, the ACE works like an ordinary ACE,
      otherwise it is ignored. The condition terms can refer to claims,
      group memberships, and attributes on the object itself. These
      attributes are described in Resource Attribute ACEs that occur in the
      object's System Access Control List (SACL). Conditional ACEs are
      described in Microsoft documentation.

      Conditional ACE evaluation is controlled by the "acl claims
      evaluation" smb.conf option. The default value is "AD DC only" which
      enables them in AD DC settings. The other option is "never", which
      disables them altogether. There is currently no option to enable them
      on the file server (this is likely to change in future releases).

      The Security Descriptor Definition Language has extensions for
      conditional ACEs and resource attribute ACEs; these are now supported
      by Samba.
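      As an added illustration of the evaluation rule described above, and not code from Samba or from this issue: a constructed, simplified Python model of SDDL callback ACEs (XA = conditional allow, XD = conditional deny, laid out as type;flags;rights;object_guid;inherit_guid;sid;(condition)) that supports only @User/@Device equality terms joined by && and ||, and shows how an ACE whose condition is false drops out of the DACL walk entirely. Claims are passed in as a constructed dict, and the access check is a simplified ordered walk (first matching deny wins, allows accumulate) rather than the full Windows algorithm.

```python
import re

# Constructed, simplified model of SDDL conditional ACE evaluation (not Samba's code).
ACE_RE = re.compile(r'^\((\w+);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*)(?:;\((.*)\))?\)$')
# Supported condition terms: @User.Attr == "v" and @Device.Attr != "v"
TERM_RE = re.compile(r'@(User|Device)\.(\w+)\s*(==|!=)\s*"([^"]*)"')
def parse_ace(text):
    m = ACE_RE.match(text)
    if not m:
        raise ValueError("unparseable ACE: " + text)
    ace_type, _flags, rights, _og, _iog, sid, cond = m.groups()
    if ace_type in ("XA", "XD") and cond is None:
        raise ValueError("callback ACE needs a condition: " + text)
    return {"type": ace_type, "sid": sid, "cond": cond,  # two-letter right codes only
            "rights": {rights[i:i + 2] for i in range(0, len(rights), 2)}}
def eval_condition(cond, claims):
    """Terms joined by && (binds tighter) and ||; no nested parentheses."""
    def term(t):
        m = TERM_RE.fullmatch(t.strip())
        if not m:
            raise ValueError("unsupported term: " + t)
        src, attr, op, val = m.groups()
        actual = claims.get(src.lower(), {}).get(attr)
        if actual is None:  # claim absent: the term cannot evaluate to true
            return False
        return actual == val if op == "==" else actual != val
    return any(all(term(t) for t in clause.split("&&")) for clause in cond.split("||"))
def access_allowed(dacl, token_sids, claims, wanted):
    """Ordered DACL walk: a matching deny ends the check, allows accumulate."""
    granted = set()
    for text in dacl:
        ace = parse_ace(text)
        if ace["sid"] not in token_sids:
            continue
        if ace["cond"] is not None and not eval_condition(ace["cond"], claims):
            continue  # condition false: the ACE is ignored entirely
        if ace["type"] in ("D", "XD") and ace["rights"] & (wanted - granted):
            return False
        if ace["type"] in ("A", "XA"):
            granted |= ace["rights"] & wanted
            if granted == wanted:
                return True
    return False

# Constructed sample DACL; WD is the SDDL alias for Everyone.
SAMPLE_DACL = [
    '(XD;;FW;;;WD;(@User.Department != "Finance"))',    # deny write outside Finance
    '(XA;;FRFW;;;WD;(@User.Department == "Finance"))',  # Finance may read and write
    '(A;;FR;;;WD)',                                     # everyone may read
]
```

      Note that a user without any Department claim is neither denied nor granted write access by the conditional ACEs: both simply disappear from the walk, leaving only the unconditional read ACE.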

      Service Witness Protocol [MS-SWN]
      ---------------------------------

      In a ctdb cluster it is now possible to provide the SMB witness
      service, which allows clients to monitor their current SMB connection
      to cluster node A by asking cluster node B to notify the client if the
      IP address from node A, or the whole of node A, becomes unavailable.

      For disk shares in a ctdb cluster, SMB2_SHARE_CAP_SCALEOUT is now
      always returned in SMB3 tree connect responses.

      If the witness service is active, SMB2_SHARE_CAP_CLUSTER is now also
      returned.

      In order to activate the witness service, "rpc start on demand
      helpers = no" needs to be configured in the global section. At the
      same time the 'samba-dcerpcd' service needs to be started explicitly,
      typically with the '--libexec-rpcds' option, in order to make all
      available services usable. One important aspect is that TCP port 135
      (for the endpoint mapper) and various ports in the 'rpc server
      dynamic port range' will be used to provide the witness service
      (rpcd_witness).

      ctdb provides a '47.samba-dcerpcd.script' in order to manage the
      samba-dcerpcd.service, typically as a systemd service, but that's up
      to the packager and/or admin.

      Please note that current Windows clients require
      SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY in addition to
      SMB2_SHARE_CAP_CLUSTER in order to make use of the witness service.
      But SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY implies that Windows
      clients always ask for persistent handles (which are not implemented
      in Samba yet), so that every open generates a warning in the Windows
      SMB client event log. That's why SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY
      is not returned by default. An explicit
      'smb3 share cap:CONTINUOUS AVAILABILITY = yes' is needed.

      There are also new 'net witness' commands that let the admin list
      active client registrations or ask specific clients to move their SMB
      connection to another cluster node. These are available:

      net witness list
      net witness client-move
      net witness share-move
      net witness force-unregister
      net witness force-response

      Consult 'man net' or 'net witness help' for further details.

      REMOVED FEATURES
      ================

      Get locally logged on users from utmp
      -------------------------------------

      The Workstation Service Remote Protocol [MS-WKST] calls NetWkstaGetInfo
      level 102 and NetWkstaEnumUsers level 0 and 1 return the list of locally
      logged on users. Samba was getting the list from utmp, which is not
      Y2038 safe. This feature has been completely removed and Samba will
      always return an empty list.

      smb.conf changes
      ================

      Parameter Name                          Description  Default
      --------------                          -----------  -------
      acl claims evaluation                   new          AD DC only
      smb3 unix extensions                    Per share    -
      smb3 share cap:ASYMMETRIC               new          no
      smb3 share cap:CLUSTER                  new          see 'man smb.conf'
      smb3 share cap:CONTINUOUS AVAILABILITY  new          no
      smb3 share cap:SCALE OUT                new          see 'man smb.conf'
