From e28e24d7861fae1c82f116bd8cea8b1c78ebe5cd Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 17 Mar 2022 07:53:37 +1300 Subject: [PATCH 1/2] WHATSNEW: older SMB1 command removal/simplification and deprecation Signed-off-by: Andrew Bartlett --- WHATSNEW.txt | 74 +++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 59 insertions(+), 15 deletions(-) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 83d77b5c028..dd384b1b0b7 100644 --- a/WHATSNEW.txt 
@@ -135,21 +135,65 @@ CTDB changes REMOVED FEATURES ================ -SMB1 CORE and LANMAN1 protocol wildcard copy, unlink and rename removed -======================================================================= - -In preparation for the removal of the SMB1 server, the unused -SMB1 command SMB_COM_COPY (SMB1 command number 0x29) has been -removed from the Samba smbd server. In addition, the ability -to process file name wildcards in requests using the SMB1 commands -SMB_COM_COPY (SMB1 command number 0x2A), SMB_COM_RENAME (SMB1 command -number 0x7), SMB_COM_NT_RENAME (SMB1 command number 0xA5) and -SMB_COM_DELETE (SMB1 command number 0x6) have been removed. - -This only affects clients using MS-DOS based versions of -SMB1, the last release of which was Windows 98. Users requiring -support for these features will need to use older versions -of Samba. +Older SMB1 protocol SMBCopy command removed +------------------------------------------- + +SMB is a nearly 30-year old protocol, and some protocol commands that +while supported in all versions, have not seen widespread use. + +One of those is SMBCopy, a feature for a server-side copy of a file. +This feature has been so unmaintained that Samba has no testsuite for +it. + +The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was +introduced in the LAN Manager 1.0 dialect and it was rendered obsolete +in the NT LAN Manager dialect. + +Therefore it has been removed from the Samba smbd server. + +We do note that a fully supported and tested server-side copy is +present in SMB2, and can be accessed with "scopy" subcommand in +smbclient) + +SMB1 server-side wildcard expansion removed +------------------------------------------- + +Server-side wildcard expansion is another feature that sounds useful, +but is also rarely used and has become problematic - imposing extra +work on the server (both in terms of code and CPU time). 
+ +In actual OS design, wildcard expansion is handled in the local shell, +not at the remote server using SMB wildcard syntax (which is not shell +syntax). + +In Samba 4.16 the ability to process file name wildcards in requests +using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7), +SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1 +command number 0x6) has been removed. + +SMB1 protocol has been deprecated, particularly older dialects +-------------------------------------------------------------- + +We take this opportunity to remind that we have deprecated and +disabled by default, but not removed, the whole SMB1 protocol since +Samba 4.11. We make a warning that we will continue to remove older +protocol commands and dialects that are unused or replaced in more +modern commands SMB1 versions. + +We specifically deprecate the older dialects before NT LM 0.12, as +used by software as old as Windows 95, Windows NT and Samba. + +We do reassure that that 'simple' operation of older clients than +these (eg DOS) will, while untested, continue for the near future, our +purpose is not to cripple use of Samba in unique situations, but to +reduce the maintaince burden. + +Eventually SMB1 as a whole will be removed, but no broader change is +announced for 4.16. + +In the rare case where the above changes cause incompatibilities, +users requiring support for these features will need to use older +versions of Samba. No longer using Linux mandatory locks for sharemodes ==================================================== -- 2.25.1 From 5f2ee91fae1380a673dc9205c83b8d2379fe98f9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 16 Mar 2022 12:53:47 +1300 Subject: [PATCH 2/2] WHATSNEW for Heimdal upgrade Signed-off-by: Andrew Bartlett --- WHATSNEW.txt | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index dd384b1b0b7..d5e0b93979b 100644 --- a/WHATSNEW.txt 
+++ b/WHATSNEW.txt 
@@ -52,6 +52,47 @@ samba-dcerpcd can also be useful for use outside of the Samba framework, for example, use with the Linux kernel SMB2 server ksmbd or possibly other SMB2 server implementations. +Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support +------------------------------------------------------------------ + +Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos +implementation. This snapshot has now been updated and will closely +match what will be released as Heimdal 8.0 shortly. + +This is a major update, previously we used a snapshot of Heimdal from +2011, and brings important new Kerberos security features such as +Kerberos request armoring, known as FAST. This tunnels ticket +requests and replies that might be encrypted with a weak password +inside a wrapper built with a stronger password, say from a machine +account. + +In Heimdal and MIT modes Samba's KDC now supports FAST, for the +support of non-Windows clients. Samba's winbindd will use it to +protect logins from pam_winbind for example. + +Windows clients will not use this feature however, as they do not +attempt to do so against a server not advertising domain Functional +Level 2012. Samba users are of course free to modify how Samba +advertises itself, but use with Windows clients is not supported "out +of the box". + +Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of +the FAST protocol. A future version will align this more closely with +Microsoft AD behaviour. + +If FAST needs to be disabled on your Samba KDC, set + + kdc enable fast = no + +in the smb.conf. + +The Samba project wishes to thank the numerous developers who have put +in a massive effort to make this possible over many years. In +particular we thank Stefan Metzmacher, Joseph Sutton, Gary Lockyer, +Isaac Boukris and Andrew Bartlett. Samba's developers in turn thank +their employers and in turn their customers who have supported this +effort over many years. 
+ Certificate Auto Enrollment --------------------------- -- 2.25.1
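Review bot: in [PATCH 1/2], the rewritten "SMB1 server-side wildcard expansion removed" section lists only SMB_COM_RENAME (0x7), SMB_COM_NT_RENAME (0xA5) and SMB_COM_DELETE (0x6), while the removed text also listed wildcard handling for command number 0x2A (labelled SMB_COM_COPY there, the same name it gave 0x29). Please either carry the 0x2A entry over under its correct command name or say in the commit message why it was dropped, so an administrator auditing legacy clients can tell exactly which commands changed behaviour. Smaller points in the same hunk: the sentence ending 'can be accessed with "scopy" subcommand in smbclient)' has a stray closing parenthesis and is missing "the"; "replaced in more modern commands SMB1 versions" does not parse; "that that" and "maintaince" are typos; the deprecation notice is placed under REMOVED FEATURES even though it states that SMB1 is "not removed" and that "no broader change is announced for 4.16"; and the new subsections are underlined with "-" while the neighbouring "No longer using Linux mandatory locks for sharemodes" entry keeps "=", so the heading levels under REMOVED FEATURES are no longer consistent.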
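Review bot: in [PATCH 2/2], the "kdc enable fast = no" instruction does not say what the default is, which smb.conf section the setting belongs in, or what protection is lost when it is set. Suggest stating the default explicitly and noting that turning FAST off removes the armoring of pam_winbind logins that the earlier paragraph describes, so that nobody disables it as a routine troubleshooting step without knowing the cost. In the second paragraph, "a wrapper built with a stronger password, say from a machine account" describes the armor in terms of a password; if what protects the request is a key derived from the machine account's credentials, "key" would be the more accurate word. The per-KDC 'cookie' paragraph names the difference from Microsoft AD behaviour but not what an administrator running more than one KDC should expect to observe; one sentence on the practical effect would help. Minor: "This is a major update, previously we used" is a comma splice, and the heading says "Heimdal-8.0pre" while the body says "Heimdal 8.0".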