The Samba-Bugzilla – Attachment 18426 Details for Bug 15704: WHATSNEW additions for 4.21 from Catalyst
[patch] WHATSNEW patch
WHATSNEW-catalyst.patch (text/plain), 14.82 KB, created by Douglas Bagnall on 2024-08-30 03:16:49 UTC

Description: WHATSNEW patch
Filename: WHATSNEW-catalyst.patch
MIME Type: text/plain
Creator: Douglas Bagnall
Created: 2024-08-30 03:16:49 UTC
Size: 14.82 KB
Attachment flags: patch, obsolete
>From fa71441413a6ee9457fffb107c74cb4624fe167e Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 30 Aug 2024 14:51:56 +1200 >Subject: [PATCH 01/10] WHATSNEW: LDB unicode changes > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > WHATSNEW.txt | 21 +++++++++++++++++++++ > 1 file changed, 21 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 84677c8af53..51982312962 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -80,6 +80,27 @@ never took into account later changes, and so has not worked for a > number of years. Samba 4.21 and LDB 2.10 removes this unused and > broken feature. > >+Changes in LDB handling of Unicode >+---------------------------------- >+ >+Developers using LDB up to version 2.9 could call ldb_set_utf8_fns() >+to determine how LDB handled casefolding. This is used internally by >+string comparison functions. In LDB 2.10 this function is deprecated, >+and ldb_set_utf8_functions() is preferred. The new function allows a >+direct comparison function to be set as well as a casefold function. >+This improves performance and allows for more robust handling of >+degenerate cases. The function should be called just after ldb_init(), >+with the following arguments: >+ >+ ldb_set_utf8_functions(ldb, /* the struct ldb_ctx LDB object */ >+ context_variable /* possibly NULL */ >+ casefold_function, >+ case_insensitive_comparison_function); >+ >+The default behaviour of LDB remains to perform ASCII casefolding >+only, as if in the "C" locale. Recent versions have become >+increasingly consistent in this. >+ > Some Samba public libraries made private by default > --------------------------------------------------- > >-- >2.34.1 > > >From 0f00d55b9c599602b8fb40054a2f2afd4cbe637b Mon Sep 17 00:00:00 2001 
>From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 30 Aug 2024 14:53:50 +1200 >Subject: [PATCH 02/10] WHATSNEW: group managed service accounts > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > WHATSNEW.txt | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 53 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 51982312962..b45f7604e2f 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt 
>@@ -269,6 +269,59 @@ Configuration is identical to existing module, but using 'ceph_new' instead of > 'ceph' for the relevant smb.conf entries. This new module is expected to > deprecate and replace the old one in next major release. > >+Group Managed Service Accounts >+------------------------------ >+Samba 4.21 adds support for gMSAs (Group Managed Service Accounts), >+completing support for Functional Level 2012. >+ >+The purpose of a gMSA is to allow a single host, or a cluster of >+hosts, to share access to an automatically rotating password, avoiding >+the weak static service passwords that are often the entrypoint of >+attackers to AD domains. Each server has a strong and regularly >+rotated password, which is used to access the gMSA account of (e.g.) >+the database server. >+ >+Samba provides management and client tools, allowing services on Unix >+hosts to access the current and next gMSA passwords, as well as obtain >+a credentials cache. >+ >+Samba 4.20 announced the client-side tools for this feature. To avoid >+duplication and provide consistency, the existing commands for >+password viewing have been extended, so these commands operate both on >+a gMSA (with credentials, over LDAP, specify -H) and locally for >+accounts that have a compatible password (e.g. plaintext via GPG, >+compatible hash) >+ >+ samba-tool user getpassword >+ samba-tool user get-kerberos-ticket >+ samba-tool domain exportkeytab >+ >+An example command, which gets the NT hash for use with NTLM, is >+ >+ samba-tool user getpassword -H ldap://server --machine-pass \ >+ TestUser1 --attributes=unicodePwd >+ >+Kerberos is a better choice (gMSA accounts should not use LDAP simple >+binds, for reasons of both security and compatibility). Use >+ >+ samba-tool user get-kerberos-ticket -H ldap://server --machine-pass \ >+ TestUser1 --output-krb5-ccache=/srv/service/krb5_ccache >+ >+gMSAs disclose a current and previous password. 
To access the previous >+NT hash, use: >+ >+ samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \ >+ --attrs=unicodePwd;previous=1 >+ >+To access the previous password as UTF8, use: >+ >+ samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \ >+ --attributes=pwdLastSet,virtualClearTextUTF8;previous=1 >+ >+However, Windows tools for dealing with gMSAs tend to use Active >+Directory Web Services (ADWS) from Powershell for setting up the >+accounts, and this separate protocol is not supported by Samba 4.21. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 > > >From 2f4eb19f1dbbb7d8b51930bed7189da4ffb1c68d Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 30 Aug 2024 14:54:34 +1200 >Subject: [PATCH 03/10] WHATSNEW: samba-tool domain kds > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >--- > WHATSNEW.txt | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index b45f7604e2f..23efd8ec524 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -322,6 +322,18 @@ However, Windows tools for dealing with gMSAs tend to use Active > Directory Web Services (ADWS) from Powershell for setting up the > accounts, and this separate protocol is not supported by Samba 4.21. > >+Samba-tool commands for handling gMSA (KDS) root keys >+----------------------------------------------------- >+Group managed service accounts rotate passwords based on root keys, >+which can be managed using samba-tool, with commands such as >+ >+ samba-tool domain kds root_key create >+ samba-tool domain kds root_key list >+ >+Samba will create a new root key for new domains at provision time, >+but users of gMSA accounts on upgraded domains will need to first >+create a root key. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 
> > >From 2fe1e90dddf5593afce57c442f09d58358e19c0f Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 30 Aug 2024 14:56:32 +1200 >Subject: [PATCH 04/10] WHATSNEW: PKINIT freshness in heimdal > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >--- > WHATSNEW.txt | 11 +++++++++++ > 1 file changed, 11 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 23efd8ec524..0119383a317 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -334,6 +334,17 @@ Samba will create a new root key for new domains at provision time, > but users of gMSA accounts on upgraded domains will need to first > create a root key. > >+RFC 8070 PKINIT "Freshness extension" supported in the Heimdal KDC >+------------------------------------------------------------------ >+The Heimdal KDC will recognise when a client provides proof that they >+hold the hardware token used for smart-card authentication 'now' and >+has not used a saved future-dated reply. Samba 4.21 now matches >+Windows and will assign an extra SID to the user in this case, >+allowing sensitive resources to be additionally protected. >+ >+Only Windows clients are known to support the client side of this >+feature at this time. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 > > >From 249408a36d6a09d4a0705471669f25df2fea9f56 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 30 Aug 2024 14:57:46 +1200 >Subject: [PATCH 05/10] WHATSNEW: samba-tool authentication policy command > restructure > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >--- > WHATSNEW.txt | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 0119383a317..24a73c82edf 100644 
>--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -345,6 +345,12 @@ allowing sensitive resources to be additionally protected. > Only Windows clients are known to support the client side of this > feature at this time. > >+New samba-tool Authentication Policy management command structure >+----------------------------------------------------------------- >+As foreshadowed in the Samba 4.20 release notes, the "samba-tool >+domain auth policy" commands have been reworked to be more intuitive >+based on user feedback and reflection. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 > > >From 6254beacdf924c9915dc47a22d2d440682212dcb Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 30 Aug 2024 14:58:35 +1200 >Subject: [PATCH 06/10] WHATSNEW: Functional level 2012R2 > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >--- > WHATSNEW.txt | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 24a73c82edf..c645f566c95 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -351,6 +351,12 @@ As foreshadowed in the Samba 4.20 release notes, the "samba-tool > domain auth policy" commands have been reworked to be more intuitive > based on user feedback and reflection. > >+Support for key features of AD Domain/Forest Functional Level 2012R2 >+-------------------------------------------------------------------- >+Combined with other changes in recent versions (such as claims support >+in 4.20), Samba can now claim Functional Level 2012R2 support. This is >+largely due to sponsorship from Tranquil IT. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 > > >From ef8d29e742aead9dc2b8fdc8b026ae9191e93f77 Mon Sep 17 00:00:00 2001 
>From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 30 Aug 2024 14:58:59 +1200 >Subject: [PATCH 07/10] WHATSNEW: build option changes > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >--- > WHATSNEW.txt | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index c645f566c95..2078a550280 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -357,6 +357,15 @@ Combined with other changes in recent versions (such as claims support > in 4.20), Samba can now claim Functional Level 2012R2 support. This is > largely due to sponsorship from Tranquil IT. > >+Build system >+------------ >+In previous versions of Samba, packagers of Samba would set their >+package-specific version strings using a patch to the >+SAMBA_VERSION_VENDOR_SUFFIX line in the ./VERSION file. Now that is >+achieved by using --vendor-suffix (at configure time), allowing this >+to be more easily scripted. Vendors are encouraged to include their >+name and full package version to assist with upstream debugging. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 > > >From afa4ea08acdd7532f97d93a09e6d00607a254a87 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 30 Aug 2024 14:59:33 +1200 >Subject: [PATCH 08/10] WHATSNEW: more deterministic builds > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > WHATSNEW.txt | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 2078a550280..7dfebc2da75 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt 
>@@ -366,6 +366,21 @@ achieved by using --vendor-suffix (at configure time), allowing this > to be more easily scripted. Vendors are encouraged to include their > name and full package version to assist with upstream debugging. > >+More deterministic builds >+------------------------- >+Samba builds are now more reproducible, providing better assurance >+that the Samba binaries you run are the same as what is expected from >+the source code. If locale settings are not changed, the same objects >+will be produced from each compilation run. If Samba is built in a >+different path, the object code will remain the same, but DWARF >+debugging sections will change (while remaining functionally >+equivalent). >+ >+See https://reproducible-builds.org/ for more information on this >+industry-wide effort and >+https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/samba.html >+for the status in Debian. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 > > >From cc3a945ef082c197df9bb3baabedb707a9a1de07 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 30 Aug 2024 15:00:00 +1200 >Subject: [PATCH 09/10] WHATSNEW: command line secret redaction > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > WHATSNEW.txt | 10 ++++++++++ > 1 file changed, 10 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 7dfebc2da75..a33d8ce480e 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt 
>@@ -381,6 +381,16 @@ industry-wide effort and > https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/samba.html > for the status in Debian. > >+Improved command-line redaction >+------------------------------- >+There are several options that can be used with Samba tools for >+specifying secrets. Although this is best avoided, when these options >+are used, Samba will redact the secrets in /proc, so that they won't >+be seen in ps or top. This is now carried out more thoroughly, >+redacting more options. There is a race inherent in this, and the >+passwords will be visible for a short time. The secrets are also not >+removed from .bash_history and similar files. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 > > >From bfce2149f6f9044d32269b9f426b7134e69e8dda Mon Sep 17 00:00:00 2001 >From: Jennifer Sutton <jennifersutton@catalyst.net.nz> >Date: Fri, 30 Aug 2024 15:00:50 +1200 >Subject: [PATCH 10/10] WHATSNEW: updated name > >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > WHATSNEW.txt | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index a33d8ce480e..2fc57b9728f 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -462,7 +462,7 @@ o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> > * BUG 15673: --version-* options are still not ergonomic, and they reject > tilde characters. > >-o Jo Sutton <josutton@catalyst.net.nz> >+o Jennifer Sutton <jennifersutton@catalyst.net.nz> > * BUG 15690: ldb_version.h is missing from ldb public library > > o Pavel Filipenský <pfilipensky@samba.org> >-- >2.34.1 >
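Review bot: in the PATCH 01/10 hunk the ldb_set_utf8_functions() example is missing the comma after its second argument, so it does not compile if copied: `context_variable /* possibly NULL */` should read `context_variable, /* possibly NULL */`. The comment on the first argument calls the type `struct ldb_ctx`; the handle returned by ldb_init() is a `struct ldb_context *`, so the comment should use that name. It would also help callers to state the expected signature and contract of the new case-insensitive comparison callback (the hunk documents only that it exists), since the text says the comparison and casefold functions are both used internally and a pair that disagree about which strings are equal would make comparisons inconsistent.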
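Review bot: in the PATCH 02/10 hunk the previous-NT-hash example uses `--attrs=unicodePwd;previous=1` while the other examples use `--attributes=`; use one spelling so readers do not copy an option name that differs from the rest of the section. The `;previous=1` suffix in both previous-password examples also needs shell quoting: unquoted, the shell ends the command at the semicolon and runs `previous=1` as a separate statement, so write `--attributes='unicodePwd;previous=1'` and `--attributes='pwdLastSet,virtualClearTextUTF8;previous=1'`. The sentence "gMSA accounts should not use LDAP simple binds, for reasons of both security and compatibility" is the security-relevant guidance here; stating which authentication `--machine-pass` performs in these examples would make it actionable and discourage substituting a password on the command line (the retrieved NT hash is itself a credential and deserves the same handling as the password). Minor: "Powershell" is spelled "PowerShell", and the sentence ending "compatible hash)" lacks a full stop.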
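Review bot: the PATCH 03/10 hunk says users of gMSA accounts on upgraded domains "will need to first create a root key" but does not say how to check whether one exists or what fails when none does; since gMSA passwords are derived from these root keys, suggest stating the check (`samba-tool domain kds root_key list` showing at least one key) before creating accounts, and what error an administrator sees if a gMSA is created or its password requested without a root key.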
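Review bot: the PATCH 04/10 hunk mixes singular and plural for the client ("a client provides proof that they hold ... and has not used"); suggest "a client provides proof that it holds the hardware token used for smart-card authentication now, rather than replaying a saved, future-dated reply". The section also says Samba "will assign an extra SID to the user in this case" without naming it; administrators cannot protect "sensitive resources" with it unless the WHATSNEW names the SID (or its well-known account name) they should reference in ACLs and policies.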
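Review bot: the PATCH 05/10 hunk announces that the "samba-tool domain auth policy" commands "have been reworked" but documents neither the new structure nor the old forms; scripts written against the 4.20 command names will break, so list the renamed or removed subcommands (old form beside new form) or state whether the 4.20 names are still accepted.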
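Review bot: the PATCH 07/10 hunk introduces --vendor-suffix but gives no invocation; a single line such as `./configure --vendor-suffix=...` with a placeholder vendor string would prevent packagers guessing the form, and the section should say whether patching SAMBA_VERSION_VENDOR_SUFFIX in ./VERSION still works during the transition or is now ignored.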
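Review bot: in the PATCH 08/10 hunk "If locale settings are not changed" is ambiguous: it should say the build must be run with the same locale each time (or name the locale the reproducible build expects). For the statement that DWARF debugging sections change when the build path differs, say whether the build system accepts a path-prefix mapping so distributors can make the debug sections reproducible as well, or state that this is a known remaining difference that verification tooling should expect.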
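Review bot: the PATCH 09/10 hunk says passing secrets on the command line "is best avoided" but names no alternative; point readers at the credentials-file option or interactive prompting so the advice is actionable. The race and the .bash_history caveat are worth keeping; consider extending the list of places the command line survives beyond shell history (process-exec audit logging is a common one), so that readers treat redaction as a reduction of exposure rather than a guarantee.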
Flags: abartlet: review+ | jsutton: review+ | slow: review-