Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-59788

Rebase Samba to the latest 4.21.x release

    • samba-4.21.1-4.el9
    • Rebase
    • rhel-sst-idm-sssd
    • ssg_idm
    • 0
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None

      NEW FEATURES/CHANGES
      ====================

      LDB no longer a standalone tarball
      ----------------------------------

      LDB, Samba's LDAP-like local database and the power behind the Samba
      AD DC, is no longer available to build as a distinct tarball, but is
      instead provided as an optional public library.

      If you need ldb as a public library, say to build sssd, then use
      ./configure --private-libraries='!ldb'

      This re-integration allows LDB tests to use the Samba's full selftest
      system, including our knownfail infrastructure, and decreases the work
      required during security releases as a coordinated release of the ldb
      tarball is not also required.

      This approach has been demonstrated already in Debian, which is already
      building Samba and LDB is this way.

      As part of this work, the pyldb-util public library, not known to be
      used by any other software, is made private to Samba.

      LDB Module API Python bindings removed
      --------------------------------------

      The LDB Modules API, which we do not promise a stable ABI or API for,
      was wrapped in python in early LDB development. However that wrapping
      never took into account later changes, and so has not worked for a
      number of years. Samba 4.21 and LDB 2.10 removes this unused and
      broken feature.

      Changes in LDB handling of Unicode
      ----------------------------------

      Developers using LDB up to version 2.9 could call ldb_set_utf8_fns()
      to determine how LDB handled casefolding. This is used internally by
      string comparison functions. In LDB 2.10 this function is deprecated,
      and ldb_set_utf8_functions() is preferred. The new function allows a
      direct comparison function to be set as well as a casefold function.
      This improves performance and allows for more robust handling of
      degenerate cases. The function should be called just after ldb_init(),
      with the following arguments:

      ldb_set_utf8_functions(ldb, /* the struct ldb_ctx LDB object */
      context_variable /* possibly NULL */
      casefold_function,
      case_insensitive_comparison_function);

      The default behaviour of LDB remains to perform ASCII casefolding
      only, as if in the "C" locale. Recent versions have become
      increasingly consistent in this.

      Some Samba public libraries made private by default
      ---------------------------------------------------

      The following Samba C libraries are currently made public due to their
      use by OpenChange or for historical reasons that are no longer clear.

      dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig,
      samba-credentials, dcerpc_server, samdb

      The libraries used by the OpenChange client now private, but can be
      made public (like ldb above) with:

      ./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb'

      The C libraries without any known user or used only for the OpenChange
      server (a dead project) may be made private entirely in a future Samba
      version.

      If you use a Samba library in this list, please be in touch with the
      samba-technical mailing list.

      Using ldaps from 'winbindd' and 'net ads'
      -----------------------------------------

      Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
      impacted LDAP connections to active directory domain controllers.
      Using the STARTTLS operation on LDAP port 389 connections. Starting
      with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
      order let to 'ldap ssl = start tls' have any effect on those
      connections.

      'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
      with the whole functionality in Samba 4.14.0, because it didn't support
      tls channel bindings required for the sasl authentication.

      The functionality is now re-added using the correct channel bindings
      based on the gnutls based tls implementation we already have, instead
      of using the tls layer provided by openldap. This makes it available
      and consistent with all LDAP client libraries we use and implement on
      our own.

      The 'client ldap sasl wrapping' option gained the two new possible values:
      'starttls' (using STARTTLS on tcp port 389)
      and
      'ldaps' (using TLS directly on tcp port 636).

      If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
      before, you can now use 'client ldap sasl wrapping = starttls'
      in order to get STARTTLS on tcp port 389.

      As we no longer use the openldap tls layer it is required to configure the
      correct certificate trusts with at least one of the following options:
      'tls trust system cas', 'tls ca directories' or 'tls cafile'.
      While 'tls verify peer' and 'tls crlfile' are also relevant,
      see 'man smb.conf' for further details.

      New DNS hostname config option
      ------------------------------

      To get `net ads dns register` working correctly running manually or during a
      domain join a special entry in /etc/hosts was required. This not really
      documented and thus the DNS registration mostly didn't work. With the new option
      the default is [netbios name].[realm] which should be correct in the majority of
      use cases.

      We will also use the value to create service principal names during a Kerberos
      authentication and DNS functions.

      This is not supported in samba-tool yet.

      Samba AD will rotate expired passwords on smartcard-required accounts
      ---------------------------------------------------------------------

      Traditionally in AD, accounts set to be "smart card require for logon"
      will have a password for NTLM fallback and local profile encryption
      (Windows DPAPI). This password previously would not expire.

      Matching Windows behaviour, when the DC in a FL 2016 domain and the
      msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute on the domain
      root is set to TRUE, Samba will now expire these passwords and rotate
      them shortly before they expire.

      Note that the password expiry time must be set to twice the TGT lifetime for
      smooth operation, e.g. daily expiry given a default 10 hour TGT
      lifetime, as the password is only rotated in the second half of its
      life. Again, this matches the Windows behaviour.

      Provided the default 2016 schema is used, new Samba domains
      provisioned with Samba 4.21 will have this enabled once the domain
      functional level is set to 2016.

      NOTE: Domains upgraded from older Samba versions will not have this
      set, even after the functional level preparation, matching the
      behaviour of upgraded Windows AD domains.

      Per-user and group "veto files" and "hide files"
      ------------------------------------------------

      "veto files" and "hide files" can optionally be restricted to certain users and
      groups. To apply a veto or hide directive to a filename for a specific user or
      group, a parametric option like this can be used:
      hide files : USERNAME = /somefile.txt/
      veto files : GROUPNAME = /otherfile.txt/
      For details consult the updated smb.conf manpage.

      Automatic keytab update after machine password change
      -----------------------------------------------------

      When machine account password is updated, either by winbind doing regular
      updates or manually (e.g. net ads changetrustpw), now winbind will also support
      update of keytab entries in case you use newly added option
      'sync machine password to keytab'.
      The new parameter allows you to describe what keytabs and how should be updated.
      From smb.conf(5) manpage - each keytab can have exactly one of these four forms:

      account_name
      sync_spns
      spn_prefixes=value1[,value2[...]]
      spns=value1[,value2[...]]

      The functionaity provided by the removed commands "net ads keytab
      add/delete/add_update_ads" can be achieved via the 'sync machine password to
      keytab' as in these examples:

      "net ads keytab add wurst/brot@REALM"

      • this command is not adding <principal> to AD, so the best fit can be specifier
        "spns"
      • add to smb.conf:
        sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password
      • run:
        "net ads keytab create"

      "net ads keytab delete wurst/brot@REALM"

      • remove the principal (or the whole keytab line if there was just one)
      • run:
        "net ads keytab create"

      "net ads keytab add_update_ads wurst/brot@REALM"

      • this command was adding the principal to AD, so for this case use a keytab
        with specifier sync_spns
      • add to smb.conf:
        sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password
      • run:
        "net ads setspn add wurst/brot@REALM" # this adds the principal to AD
        "net ads keytab create" # this sync it from AD to local keytab

      A new parameter 'sync machine password script' allows to specify external script
      that will be triggered after the automatic keytab update. If keytabs should be
      generated in clustered environments it is recommended to update them on all
      nodes. Check in smb.conf(5) the scripts winbind_ctdb_updatekeytab.sh and
      46.update-keytabs.script in section 'sync machine password script' for details.

      For detailed information check the smb.conf(5) and net(8) manpages.

      New cephfs VFS module
      ---------------------
      Introduce new vfs-to-cephfs bridge which uses libcephfs low-level APIs (instead
      of path-based operations in the existing module). It allows users to pass
      explicit user-credentials per call (including supplementary groups), as well as
      faster operations using inode and file-handle caching on the Samba side.
      Configuration is identical to existing module, but using 'ceph_new' instead of
      'ceph' for the relevant smb.conf entries. This new module is expected to
      deprecate and replace the old one in next major release.

      Group Managed Service Accounts
      ------------------------------
      Samba 4.21 adds support for gMSAs (Group Managed Service Accounts),
      completing support for Functional Level 2012.

      The purpose of a gMSA is to allow a single host, or a cluster of
      hosts, to share access to an automatically rotating password, avoiding
      the weak static service passwords that are often the entrypoint of
      attackers to AD domains. Each server has a strong and regularly
      rotated password, which is used to access the gMSA account of (e.g.)
      the database server.

      Samba provides management and client tools, allowing services on Unix
      hosts to access the current and next gMSA passwords, as well as obtain
      a credentials cache.

      Samba 4.20 announced the client-side tools for this feature. To avoid
      duplication and provide consistency, the existing commands for
      password viewing have been extended, so these commands operate both on
      a gMSA (with credentials, over LDAP, specify -H) and locally for
      accounts that have a compatible password (e.g. plaintext via GPG,
      compatible hash)

      samba-tool user getpassword
      samba-tool user get-kerberos-ticket
      samba-tool domain exportkeytab

      An example command, which gets the NT hash for use with NTLM, is

      samba-tool user getpassword -H ldap://server --machine-pass \
      TestUser1 --attributes=unicodePwd

      Kerberos is a better choice (gMSA accounts should not use LDAP simple
      binds, for reasons of both security and compatibility). Use

      samba-tool user get-kerberos-ticket -H ldap://server --machine-pass \
      TestUser1 --output-krb5-ccache=/srv/service/krb5_ccache

      gMSAs disclose a current and previous password. To access the previous
      NT hash, use:

      samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \
      --attrs=unicodePwd;previous=1

      To access the previous password as UTF8, use:

      samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \
      --attributes=pwdLastSet,virtualClearTextUTF8;previous=1

      However, Windows tools for dealing with gMSAs tend to use Active
      Directory Web Services (ADWS) from Powershell for setting up the
      accounts, and this separate protocol is not supported by Samba 4.21.

      Samba-tool commands for handling gMSA (KDS) root keys
      -----------------------------------------------------
      Group managed service accounts rotate passwords based on root keys,
      which can be managed using samba-tool, with commands such as

      samba-tool domain kds root_key create
      samba-tool domain kds root_key list

      Samba will create a new root key for new domains at provision time,
      but users of gMSA accounts on upgraded domains will need to first
      create a root key.

      RFC 8070 PKINIT "Freshness extension" supported in the Heimdal KDC
      ------------------------------------------------------------------
      The Heimdal KDC will recognise when a client provides proof that they
      hold the hardware token used for smart-card authentication 'now' and
      has not used a saved future-dated reply. Samba 4.21 now matches
      Windows and will assign an extra SID to the user in this case,
      allowing sensitive resources to be additionally protected.

      Only Windows clients are known to support the client side of this
      feature at this time.

      New samba-tool Authentication Policy management command structure
      -----------------------------------------------------------------
      As foreshadowed in the Samba 4.20 release notes, the "samba-tool
      domain auth policy" commands have been reworked to be more intuitive
      based on user feedback and reflection.

      Support for key features of AD Domain/Forest Functional Level 2012R2
      --------------------------------------------------------------------
      Combined with other changes in recent versions (such as claims support
      in 4.20), Samba can now claim Functional Level 2012R2 support.

      Build system
      ------------
      In previous versions of Samba, packagers of Samba would set their
      package-specific version strings using a patch to the
      SAMBA_VERSION_VENDOR_SUFFIX line in the ./VERSION file. Now that is
      achieved by using --vendor-suffix (at configure time), allowing this
      to be more easily scripted. Vendors are encouraged to include their
      name and full package version to assist with upstream debugging.

      More deterministic builds
      -------------------------
      Samba builds are now more reproducible, providing better assurance
      that the Samba binaries you run are the same as what is expected from
      the source code. If locale settings are not changed, the same objects
      will be produced from each compilation run. If Samba is built in a
      different path, the object code will remain the same, but DWARF
      debugging sections will change (while remaining functionally
      equivalent).

      See https://reproducible-builds.org/ for more information on this
      industry-wide effort and
      https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/samba.html
      for the status in Debian.

      Improved command-line redaction
      -------------------------------
      There are several options that can be used with Samba tools for
      specifying secrets. Although this is best avoided, when these options
      are used, Samba will redact the secrets in /proc, so that they won't
      be seen in ps or top. This is now carried out more thoroughly,
      redacting more options. There is a race inherent in this, and the
      passwords will be visible for a short time. The secrets are also not
      removed from .bash_history and similar files.

      REMOVED FEATURES
      ================

      Following commands are removed:

      net ads keytab add <principal>
      net ads keytab delete <principal>
      net ads keytab add_update_ads

      smb.conf changes
      ================

      Parameter Name Description Default
      -------------- ----------- -------
      client ldap sasl wrapping new values
      client use spnego principal removed
      ldap server require strong auth new values
      tls trust system cas new
      tls ca directories new
      dns hostname client dns name [netbios name].[realm]
      valid users Hardening
      invalid users Hardening
      read list Hardening
      write list Hardening
      veto files Added per-user and per-group vetos
      hide files Added per-user and per-group hides
      sync machine password to keytab keytabs
      sync machine password script script

              pfilipen@redhat.com Pavel Filipensky
              pfilipen@redhat.com Pavel Filipensky
              Andreas Schneider Andreas Schneider
              Denis Karpelevich Denis Karpelevich
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: