The Samba-Bugzilla – Attachment 18242 Details for Bug 15566
4.20 WHATSNEW for Conditional ACEs, AD Claims, silos and authentication policies
[patch] patch for WHATSNEW update
3488.patch (text/plain), 6.21 KB, created by Andrew Bartlett on 2024-02-08 00:44:52 UTC
Attachment flags: patch, obsolete
>From 06c0a07f9c0f6a6442b7ee12761d05e64265fe11 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Mon, 15 Jan 2024 15:22:27 +1300 >Subject: [PATCH 1/3] WHATSNEW: note "acl_claims evaluation" smb.conf option > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566 > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > WHATSNEW.txt | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 8158a80288c..bd9685ad833 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -127,6 +127,7 @@ smb.conf changes > Parameter Name Description Default > -------------- ----------- ------- > smb3 unix extensions Per share - >+ acl claims evaluation new AD DC only > > > KNOWN ISSUES >-- >GitLab > > >From 1ef714ca9ccb510b5ffb347345a8f4a053a649c6 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Mon, 15 Jan 2024 15:21:11 +1300 >Subject: [PATCH 2/3] WHATSNEW: Add some information about new conditional aces > feature > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566 > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > WHATSNEW.txt | 24 ++++++++++++++++++++++++ > 1 file changed, 24 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index bd9685ad833..c568b236635 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt 
>@@ -108,6 +108,30 @@ New options added are: > and all files/directories below. > - '--restore savefile' Restores the stored DACLS to files in directory > >+Conditional ACEs and Resource Attribute ACEs >+-------------------------------------------- >+ >+Ordinary Access Control Entries (ACEs) unconditionally allow or deny >+access to a given user or group. Conditional ACEs have an additional >+section that describes conditions under which the ACE applies. If the >+conditional expression is true, the ACE works like an ordinary ACE, >+otherwise it is ignored. The condition terms can refer to claims, >+group memberships, and attributes on the object itself. These >+attributes are described in Resource Attribute ACEs that occur in the >+object's System Access Control List (SACL). Conditional ACEs are >+described in Microsoft documentation. >+ >+Conditional ACE evaluation is controlled by the "acl claims >+evaluation" smb.conf option. The default value is "AD DC only" which >+enables them in AD DC settings. The other option is "never", which >+disables them altogether. There is currently no option to enable them >+on the file server (this is likely to change in future releases). >+ >+The Security Descriptor Definition Language has extensions for >+conditional ACEs and resource attribute ACEs; these are now supported >+by Samba. >+ >+ > REMOVED FEATURES > ================ > >-- >GitLab > > >From 24b589537b8b0847f98f29e1ad20305f455424af Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 1 Feb 2024 11:33:27 +1300 >Subject: [PATCH 3/3] WHATSNEW: Explain new AD DC Claims, authentication > policies and Silos > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > WHATSNEW.txt | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 60 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index c568b236635..f7c38dc9f0e 100644 >--- a/WHATSNEW.txt 
>+++ b/WHATSNEW.txt 
>@@ -108,6 +108,66 @@ New options added are: > and all files/directories below. > - '--restore savefile' Restores the stored DACLS to files in directory > >+Samba-tool extensions for AD Claims, Authentication Policies and Silos >+---------------------------------------------------------------------- >+ >+samba-tool now allows users to be associated with claims. In the >+Samba AD DC, claims derive from Active Directory attributes mapped >+into specific names. These claims can be used in rules, which are >+conditional ACEs in a security descriptor, that decide if a user is >+restricted by an authentication policy. >+ >+samba-tool also allows the creation and management of authentication >+policies, which are rules about where a user may authenticate from, >+if NTLM is permitted, and what services a user may authenticate to. >+ >+Finally, support is added for the creation and management of >+authentication silos, which are helpful in defining network boundaries >+by grouping users and the services they connect to. >+ >+Please note: The command line syntax for these tools is not final, and >+may change before the next release, as we gain user feedback. The >+syntax will be locked in once Samba offers 2016 AD Functional Level as >+a default. >+ >+AD DC support for Authentication Silos and Authentication Policies >+------------------------------------------------------------------ >+ >+The Samba AD DC now also honours any existing claims, authentication >+policy and authentication silo configuration previously created (eg >+from an import of a Microsoft AD), as well as new configurations >+created with samba-tool. The use of Microsoft's Powershell based >+client tools is not expected to work. >+ >+To use this feature, the functional level must be set to 2012_R2 or >+later with: >+ >+ ad dc functional level = 2016 >+ >+in the smb.conf. >+ >+The smb.conf file on each DC must have 'ad dc functional level = 2016' >+set to have the partially complete feature available. 
This will also, >+at first startup, update the server's own AD entry with the configured >+functional level. >+ >+For new domains, add these parameters to 'samba-tool provision' >+ >+--option="ad dc functional level = 2016" --function-level=2016 >+ >+The second option, setting the overall domain functional level >+indicates that all DCs should be at this functional level. >+ >+To raise the domain functional level of an existing domain, after >+updating the smb.conf and restarting Samba run >+samba-tool domain schemaupgrade --schema=2019 >+samba-tool domain functionalprep --function-level=2016 >+samba-tool domain level raise --domain-level=2016 --forest-level=2016 >+ >+This support is still new, so is not enabled by default in this >+release. The above instructions are set at 2016, which while not >+complete, matches what our testing environment validates. >+ > Conditional ACEs and Resource Attribute ACEs > -------------------------------------------- > >-- >GitLab >
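Review bot: in the smb.conf changes table (patch 1/3) the new `acl claims evaluation` row carries only "new" in the Description column, so a reader scanning the table cannot tell what the option controls or what the "AD DC only" default implies (evaluation enabled on the DC, no option for the file server). Consider a short description such as "Conditional ACE evaluation" and keeping the table in alphabetical order rather than appending the row after `smb3 unix extensions`.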
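Review bot: the Conditional ACEs section (patch 2/3) says conditional ACEs "are described in Microsoft documentation" without naming it; cite the specification, [MS-DTYP] section 2.4.4.17 (Conditional ACEs) and section 2.5.1 for the SDDL extensions, so readers can find the condition grammar. The paragraph on `acl claims evaluation = "never"` should also state what "disables them altogether" means for an individual ACE: whether a conditional ACE is skipped entirely or treated as unconditional matters, because skipping a conditional deny removes a restriction while skipping a conditional allow removes a grant. Finally, the two trailing `+` blank lines before "REMOVED FEATURES" leave a triple blank; drop one.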
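Review bot: the AD DC support section (patch 3/3) says the functional level "must be set to 2012_R2 or later", yet every example, the provision options and the closing paragraph use 2016 and describe it as the configuration the test environment validates; state one minimum (2016) so administrators do not pick 2012_R2 and assume it is equally tested. Smaller points in the same hunk: "Powershell" should be "PowerShell", "eg" should be "e.g.", the sentence "The second option, setting the overall domain functional level indicates" needs a comma after "level", and the three `samba-tool domain ...` commands would read better indented as a block, matching the `--option=... --function-level=2016` line above them.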
Flags: dbagnall: review+