Opened 8 months ago
Closed 8 months ago
#18506 closed enhancement (fixed)
samba-4.19.0
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | normal | Milestone: | 12.1 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New minor version.
Change History (3)
comment:1 by , 8 months ago
comment:2 by , 8 months ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 8 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Note:
See TracTickets
for help on using tickets.
NEW FEATURES/CHANGES
Migrated smbget to use common command line parser
The smbget utility implemented its own command line parsing logic. After discovering an issue we decided to migrate it to use the common command line parser. This has some advantages as you get all the feature it provides like Kerberos authentication. The downside is that breaks the options interface. The support for smbgetrc has been removed. You can use an authentication file if needed, this is documented in the manpage.
Please check the smbget manpage or --help output.
gpupdate changes
The libgpo.get_gpo_list function has been deprecated in favor of an implementation written in python. The new function can be imported via
import samba.gp. The python implementation connects to Active Directory using the SamDB module, instead of ADS (which is what libgpo uses).Improved winbind logging and a new tool for parsing the winbind logs
Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain new trace header fields 'traceid' and 'depth'. Field 'traceid' allows to track the trace records belonging to the same request. Field 'depth' allows to track the request nesting level. A new tool samba-log-parser is added for better log parsing.
AD database prepared to FL 2016 standards for new domains
While Samba still provides only Functional Level 2008R2 by default, Samba as an AD DC will now, in provision ensure that the blank database is already prepared for Functional Level 2016, with AD Schema 2019.
This preparation is of the default objects in the database, adding containers for Authentication Policies, Authentication Silos and AD claims in particular. These DB objects must be updated to allow operation of the new features found in higher functional levels.
Kerberos Claims, Authentication Silos and NTLM authentication policies
An initial, partial implementation of Active Directory Functional Level 2012, 2012R2 and 2016 is available in this release.
In particular Samba will issue Active Directory "Claims" in the PAC, for member servers that support these, and honour in-directory configuration for Authentication Policies and Authentication Silos.
The primary limitation is that while Samba can read and write claims in the directory, and populate the PAC, Samba does not yet use them for access control decisions.
While we continue to develop these features, existing domains can test the feature by selecting the functional level in provision or raising the DC functional level by setting
in the smb.conf
The smb.conf file on each DC must have 'ad dc functional level = 2016' set to have the partially complete feature available. This will also, at first startup, update the server's own AD entry with the configured functional level.
For new domains, add these parameters to 'samba-tool provision'
The second option, setting the overall domain functional level indicates that all DCs should be at this functional level.
To raise the domain functional level of an existing domain, after updating the smb.conf and restarting Samba run samba-tool domain schemaupgrade --schema=2019 samba-tool domain functionalprep --function-level=2016 samba-tool domain level raise --domain-level=2016 --forest-level=2016
Improved KDC Auditing
As part of the auditing required to allow successful deployment of Authentication Policies and Authentication Silos, our KDC now provides Samba-style JSON audit logging of all issued Kerberos tickets, including if they would fail a policy that is not yet enforced. Additionally most failures are audited, (after the initial pre-validation of the request).
Kerberos Armoring (FAST) Support for Windows clients
In domains where the domain controller functional level is set, as above, to 2012, 2012_R2 or 2016, Windows clients will, if configured via GPO, use FAST to protect user passwords between (in particular) a workstation and the KDC on the AD DC. This is a significant security improvement, as weak passwords in an AS-REQ are no longer available for offline attack.
Claims compression in the AD PAC
Samba as an AD DC will compress "AD claims" using the same compression algorithm as Microsoft Windows.
Resource SID compression in the AD PAC
Samba as an AD DC will now correctly populate the various PAC group membership buffers, splitting global and local groups correctly.
Additionally, Samba marshals Resource SIDs, being local groups in the member server's own domain, to only consume a header and 4 bytes per group in the PAC, not a full-length SID worth of space each. This is known as "Resource SID compression".
Resource Based Constrained Delegation (RBCD) support in both MIT and Heimdal
Samba AD DC built with MIT Kerberos (1.20 and later) has offered RBCD support since Samba 4.17. Samba 4.19 brings this feature to the default Heimdal KDC.
Samba 4.17 added to samba-tool delegation the 'add-principal' and 'del-principal' subcommands in order to manage RBCD, and the database changes made by these tools are now honoured by the Heimdal KDC once Samba is upgraded.
Likewise, now both MIT (1.20 and later) and Heimdal KDCs add the Asserted Identity [1] SID into the PAC for constrained delegation.
[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
New samba-tool support for silos, claims, sites and subnets.
samba-tool can now list, show, add and manipulate Authentication Silos (silos) and Active Directory Authentication Claims (claims).
samba-tool can now list and show Active Directory sites and subnets.
A new Object Relational Model (ORM) based architecture, similar to that used with Django, has been built to make adding new samba-tool subcommands simpler and more consistent, with JSON output available standard on these new commands.
Updated GnuTLS requirement / in-tree cryptography removal
Samba requires GnuTLS 3.6.13 and prefers GnuTLS 3.6.14 or later.
This has allowed Samba to remove all of our in-tree cryptography, except that found in our Heimdal import. Samba's runtime cryptography needs are now all provided by GnuTLS.
(The GnuTLS vesion requirement is raised to 3.7.2 on systems without the Linux getrandom())
We also use Python's cryptography module for our testing.
The use of well known cryptography libraries makes Samba easier for end-users to validate and deploy, and for distributors to ship. This is the end of a very long journey for Samba.
Updated Heimdal import
Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to the current pre-8.0 (master) tree from upstream Heimdal, ensuring that this vendored copy, included in our release remains as close as possible to the current upstream code.
Revocation support in Heimdal KDC for PKINIT certificates
Samba will now correctly honour the revocation of 'smart card' certificates used for PKINIT Kerberos authentication.
This list is reloaded each time the file changes, so no further action other than replacing the file is required. The additional krb5.conf option is:
Information on the "Smart Card login" feature as a whole is at:
Protocol level testsuite for (Smart Card Logon) PKINIT
Previously Samba's PKINIT support in the KDC was tested by use of shell scripts around the client tools of MIT or Heimdal Kerberos. Samba's independently written python testsuite has been extended to validate KDC behaviour for PKINIT.
Require encrypted connection to modify unicodePwd on the AD DC
Setting the password on an AD account on should never be attempted over a plaintext or signed-only LDAP connection. If the unicodePwd (or userPassword) attribute is modified without encryption (as seen by Samba), the request will be rejected. This is to encourage the administrator to use an encrypted connection in the future.
NOTE WELL: If Samba is accessed via a TLS frontend or load balancer, the LDAP request will be regarded as plaintext.
Samba AD TLS Certificates can be reloaded
The TLS certificates used for Samba's AD DC LDAP server were previously only read on startup, and this meant that when then expired it was required to restart Samba, disrupting service to other users.
This will now allow these certificates to be reloaded 'on the fly'