The Samba-Bugzilla – Attachment 18430 Details for Bug 15704: WHATSNEW additions for 4.21 from Catalyst
v2 patch: WHATSNEW-catalyst-v2.patch (text/plain), 14.67 KB, created by Douglas Bagnall on 2024-08-30 23:54:30 UTC (patch, obsolete)
>From 110a3588810152248341721b425e3e48281ad99c Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 30 Aug 2024 14:51:56 +1200 >Subject: [PATCH 01/10] WHATSNEW: LDB unicode changes > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > WHATSNEW.txt | 21 +++++++++++++++++++++ > 1 file changed, 21 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 84677c8af53..51982312962 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -80,6 +80,27 @@ never took into account later changes, and so has not worked for a > number of years. Samba 4.21 and LDB 2.10 removes this unused and > broken feature. > >+Changes in LDB handling of Unicode >+---------------------------------- >+ >+Developers using LDB up to version 2.9 could call ldb_set_utf8_fns() >+to determine how LDB handled casefolding. This is used internally by >+string comparison functions. In LDB 2.10 this function is deprecated, >+and ldb_set_utf8_functions() is preferred. The new function allows a >+direct comparison function to be set as well as a casefold function. >+This improves performance and allows for more robust handling of >+degenerate cases. The function should be called just after ldb_init(), >+with the following arguments: >+ >+ ldb_set_utf8_functions(ldb, /* the struct ldb_ctx LDB object */ >+ context_variable /* possibly NULL */ >+ casefold_function, >+ case_insensitive_comparison_function); >+ >+The default behaviour of LDB remains to perform ASCII casefolding >+only, as if in the "C" locale. Recent versions have become >+increasingly consistent in this. >+ > Some Samba public libraries made private by default > --------------------------------------------------- > >-- >2.34.1 > > >From 340aa7bcd7d9c40ff27bb3699802bece696cd0d1 Mon Sep 17 00:00:00 2001 
>From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 30 Aug 2024 14:53:50 +1200 >Subject: [PATCH 02/10] WHATSNEW: group managed service accounts > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > WHATSNEW.txt | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 53 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 51982312962..b45f7604e2f 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt 
>@@ -269,6 +269,59 @@ Configuration is identical to existing module, but using 'ceph_new' instead of > 'ceph' for the relevant smb.conf entries. This new module is expected to > deprecate and replace the old one in next major release. > >+Group Managed Service Accounts >+------------------------------ >+Samba 4.21 adds support for gMSAs (Group Managed Service Accounts), >+completing support for Functional Level 2012. >+ >+The purpose of a gMSA is to allow a single host, or a cluster of >+hosts, to share access to an automatically rotating password, avoiding >+the weak static service passwords that are often the entrypoint of >+attackers to AD domains. Each server has a strong and regularly >+rotated password, which is used to access the gMSA account of (e.g.) >+the database server. >+ >+Samba provides management and client tools, allowing services on Unix >+hosts to access the current and next gMSA passwords, as well as obtain >+a credentials cache. >+ >+Samba 4.20 announced the client-side tools for this feature. To avoid >+duplication and provide consistency, the existing commands for >+password viewing have been extended, so these commands operate both on >+a gMSA (with credentials, over LDAP, specify -H) and locally for >+accounts that have a compatible password (e.g. plaintext via GPG, >+compatible hash) >+ >+ samba-tool user getpassword >+ samba-tool user get-kerberos-ticket >+ samba-tool domain exportkeytab >+ >+An example command, which gets the NT hash for use with NTLM, is >+ >+ samba-tool user getpassword -H ldap://server --machine-pass \ >+ TestUser1 --attributes=unicodePwd >+ >+Kerberos is a better choice (gMSA accounts should not use LDAP simple >+binds, for reasons of both security and compatibility). Use >+ >+ samba-tool user get-kerberos-ticket -H ldap://server --machine-pass \ >+ TestUser1 --output-krb5-ccache=/srv/service/krb5_ccache >+ >+gMSAs disclose a current and previous password. 
To access the previous >+NT hash, use: >+ >+ samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \ >+ --attrs=unicodePwd;previous=1 >+ >+To access the previous password as UTF8, use: >+ >+ samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \ >+ --attributes=pwdLastSet,virtualClearTextUTF8;previous=1 >+ >+However, Windows tools for dealing with gMSAs tend to use Active >+Directory Web Services (ADWS) from Powershell for setting up the >+accounts, and this separate protocol is not supported by Samba 4.21. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 > > >From eec4a660d701da161adbe7cadaf35fc40cd66a62 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 30 Aug 2024 14:54:34 +1200 >Subject: [PATCH 03/10] WHATSNEW: samba-tool domain kds > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >--- > WHATSNEW.txt | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index b45f7604e2f..23efd8ec524 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -322,6 +322,18 @@ However, Windows tools for dealing with gMSAs tend to use Active > Directory Web Services (ADWS) from Powershell for setting up the > accounts, and this separate protocol is not supported by Samba 4.21. > >+Samba-tool commands for handling gMSA (KDS) root keys >+----------------------------------------------------- >+Group managed service accounts rotate passwords based on root keys, >+which can be managed using samba-tool, with commands such as >+ >+ samba-tool domain kds root_key create >+ samba-tool domain kds root_key list >+ >+Samba will create a new root key for new domains at provision time, >+but users of gMSA accounts on upgraded domains will need to first >+create a root key. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 
> > >From 1dfcffc9b57079ff00d8841d9040ea478c26fc80 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 30 Aug 2024 14:56:32 +1200 >Subject: [PATCH 04/10] WHATSNEW: PKINIT freshness in heimdal > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >--- > WHATSNEW.txt | 11 +++++++++++ > 1 file changed, 11 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 23efd8ec524..0119383a317 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -334,6 +334,17 @@ Samba will create a new root key for new domains at provision time, > but users of gMSA accounts on upgraded domains will need to first > create a root key. > >+RFC 8070 PKINIT "Freshness extension" supported in the Heimdal KDC >+------------------------------------------------------------------ >+The Heimdal KDC will recognise when a client provides proof that they >+hold the hardware token used for smart-card authentication 'now' and >+has not used a saved future-dated reply. Samba 4.21 now matches >+Windows and will assign an extra SID to the user in this case, >+allowing sensitive resources to be additionally protected. >+ >+Only Windows clients are known to support the client side of this >+feature at this time. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 > > >From 544be5f4f1ca2ac577204035df932a3ced856701 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 30 Aug 2024 14:57:46 +1200 >Subject: [PATCH 05/10] WHATSNEW: samba-tool authentication policy command > restructure > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >--- > WHATSNEW.txt | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 0119383a317..24a73c82edf 100644 
>--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -345,6 +345,12 @@ allowing sensitive resources to be additionally protected. > Only Windows clients are known to support the client side of this > feature at this time. > >+New samba-tool Authentication Policy management command structure >+----------------------------------------------------------------- >+As foreshadowed in the Samba 4.20 release notes, the "samba-tool >+domain auth policy" commands have been reworked to be more intuitive >+based on user feedback and reflection. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 > > >From cf6ec773120ecb685acd5f71f52a8551daba1ef7 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 30 Aug 2024 14:58:35 +1200 >Subject: [PATCH 06/10] WHATSNEW: Functional level 2012R2 > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > WHATSNEW.txt | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 24a73c82edf..7ea41947e0a 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -351,6 +351,11 @@ As foreshadowed in the Samba 4.20 release notes, the "samba-tool > domain auth policy" commands have been reworked to be more intuitive > based on user feedback and reflection. > >+Support for key features of AD Domain/Forest Functional Level 2012R2 >+-------------------------------------------------------------------- >+Combined with other changes in recent versions (such as claims support >+in 4.20), Samba can now claim Functional Level 2012R2 support. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 > > >From 3963b7c9c6c3b1e112f8273bbb8366f9a3125143 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 30 Aug 2024 14:58:59 +1200 >Subject: [PATCH 07/10] WHATSNEW: build option changes > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> 
>Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >--- > WHATSNEW.txt | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 7ea41947e0a..068a712a672 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -356,6 +356,15 @@ Support for key features of AD Domain/Forest Functional Level 2012R2 > Combined with other changes in recent versions (such as claims support > in 4.20), Samba can now claim Functional Level 2012R2 support. > >+Build system >+------------ >+In previous versions of Samba, packagers of Samba would set their >+package-specific version strings using a patch to the >+SAMBA_VERSION_VENDOR_SUFFIX line in the ./VERSION file. Now that is >+achieved by using --vendor-suffix (at configure time), allowing this >+to be more easily scripted. Vendors are encouraged to include their >+name and full package version to assist with upstream debugging. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 > > >From fd205f983d371f3d69e131c93d5ac2b505532d76 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 30 Aug 2024 14:59:33 +1200 >Subject: [PATCH 08/10] WHATSNEW: more deterministic builds > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > WHATSNEW.txt | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 068a712a672..7e45d1b1873 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt 
>@@ -365,6 +365,21 @@ achieved by using --vendor-suffix (at configure time), allowing this > to be more easily scripted. Vendors are encouraged to include their > name and full package version to assist with upstream debugging. > >+More deterministic builds >+------------------------- >+Samba builds are now more reproducible, providing better assurance >+that the Samba binaries you run are the same as what is expected from >+the source code. If locale settings are not changed, the same objects >+will be produced from each compilation run. If Samba is built in a >+different path, the object code will remain the same, but DWARF >+debugging sections will change (while remaining functionally >+equivalent). >+ >+See https://reproducible-builds.org/ for more information on this >+industry-wide effort and >+https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/samba.html >+for the status in Debian. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 > > >From c3de84cc7f2e6c42808417648be45c6510958c16 Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 30 Aug 2024 15:00:00 +1200 >Subject: [PATCH 09/10] WHATSNEW: command line secret redaction > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > WHATSNEW.txt | 10 ++++++++++ > 1 file changed, 10 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 7e45d1b1873..5eb0965bcea 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt 
>@@ -380,6 +380,16 @@ industry-wide effort and > https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/samba.html > for the status in Debian. > >+Improved command-line redaction >+------------------------------- >+There are several options that can be used with Samba tools for >+specifying secrets. Although this is best avoided, when these options >+are used, Samba will redact the secrets in /proc, so that they won't >+be seen in ps or top. This is now carried out more thoroughly, >+redacting more options. There is a race inherent in this, and the >+passwords will be visible for a short time. The secrets are also not >+removed from .bash_history and similar files. >+ > > REMOVED FEATURES > ================ >-- >2.34.1 > > >From b09e26a952370ccb4df49eacb4a976bfc1c9dc0d Mon Sep 17 00:00:00 2001 >From: Jennifer Sutton <jennifersutton@catalyst.net.nz> >Date: Fri, 30 Aug 2024 15:00:50 +1200 >Subject: [PATCH 10/10] WHATSNEW: updated name > >Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > WHATSNEW.txt | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 5eb0965bcea..ff06e692e9b 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -461,7 +461,7 @@ o Douglas Bagnall <douglas.bagnall@catalyst.net.nz> > * BUG 15673: --version-* options are still not ergonomic, and they reject > tilde characters. > >-o Jo Sutton <josutton@catalyst.net.nz> >+o Jennifer Sutton <jennifersutton@catalyst.net.nz> > * BUG 15690: ldb_version.h is missing from ldb public library > > o Pavel Filipenský <pfilipensky@samba.org> >-- >2.34.1 >
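Review bot: in PATCH 01/10, the example call is missing a comma after `context_variable`, so as shown it would not compile: `context_variable /* possibly NULL */` needs to be `context_variable, /* possibly NULL */`. The first comment also names the type as `struct ldb_ctx`; the LDB context type is `struct ldb_context` (what ldb_init() returns), so the comment should say that. Since the text presents ldb_set_utf8_functions() as the replacement for the deprecated ldb_set_utf8_fns(), it would also help callers to state whether the comparison function and the casefold function are required to agree with each other, or whether the comparison function may implement a different notion of equality.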
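Review bot: in PATCH 02/10, the two `previous=1` examples will not work if typed into a shell as shown: the unquoted `;` in `--attrs=unicodePwd;previous=1` and in `--attributes=pwdLastSet,virtualClearTextUTF8;previous=1` terminates the command, and the shell would then run `previous=1` as a separate variable assignment. Quote the value, e.g. `--attributes='unicodePwd;previous=1'`. The first of those examples also uses `--attrs=` while every other example in the hunk uses `--attributes=`; use one spelling throughout. Minor: the sentence ending `compatible hash)` has no full stop, and `Powershell` should be `PowerShell`.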
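Review bot: in PATCH 03/10, the heading introduces the abbreviation KDS without expanding it; spelling it out on first use (Microsoft's name for it is the Key Distribution Service) would help readers who only know the gMSA side. The last paragraph says users of gMSAs on upgraded domains "need to first create a root key" but not first relative to what: before creating a gMSA, or before a client can retrieve its password? Stating which step fails without a root key would save administrators a confusing failure.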
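Review bot: in PATCH 04/10, the first sentence mixes singular and plural subjects: "a client provides proof that they hold ... and has not used". Suggest "a client provides proof that it currently holds the hardware token used for smart-card authentication, rather than replaying a saved future-dated reply". The paragraph says an "extra SID" is assigned but never names it, so an administrator cannot actually write the ACL that is meant to protect "sensitive resources"; give the SID (or its well-known name) in the text.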
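Review bot: in PATCH 05/10, the note says the `samba-tool domain auth policy` commands were "reworked to be more intuitive" but does not show the new command layout or map old invocations to new ones. Anyone who scripted these commands against 4.20 will find them broken without knowing the replacement; listing the renamed subcommands (old form, new form) in this section would make the note actionable.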
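Review bot: in PATCH 07/10, the text tells packagers to use `--vendor-suffix` instead of patching the `SAMBA_VERSION_VENDOR_SUFFIX` line in `./VERSION`, but does not say whether the old approach still works or is now ignored; stating that explicitly, and showing one example configure invocation with a quoted suffix, would avoid packagers silently shipping builds without their suffix.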
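Review bot: in PATCH 08/10, "If locale settings are not changed" is ambiguous (changed relative to what?); suggest "Given the same locale settings, each compilation run produces identical objects". Since the same paragraph says a different build path changes the DWARF sections, the section would be clearer if it stated outright that path-independent reproducibility is not yet achieved, so anyone verifying a binary against source should build in the same path for a bit-for-bit comparison.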
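Review bot: in PATCH 09/10, the redaction is described in terms of `/proc`, which makes it Linux-specific; the note should say so, or say what happens on platforms without `/proc`, since readers on other systems may assume the same protection. "Although this is best avoided" offers no alternative: point to the non-argv ways the tools already accept credentials (prompting for the secret, or reading it from a credentials file) so readers know what to do instead. The race and `.bash_history` caveats are valuable; it would round them out to add that redaction also cannot undo anything that recorded the command line before it ran.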
Flags: slow: review+