The branch, master has been updated via 3f923b2 NEWS[4.17.0]: Samba 4.17.0 Available for Download from 2f362d9 NEWS[4.16.5]: Samba 4.16.5 Available for Download
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 3f923b213b3292d1c734300fcaaf8f7346e30083 Author: Jule Anger <jan...@samba.org> Date: Tue Sep 13 18:03:27 2022 +0200 NEWS[4.17.0]: Samba 4.17.0 Available for Download Signed-off-by: Jule Anger <jan...@samba.org> ----------------------------------------------------------------------- Summary of changes: history/header_history.html | 1 + history/samba-4.17.0.html | 359 +++++++++++++++++++++++ posted_news/20220913-160427.4.17.0.body.html | 12 + posted_news/20220913-160427.4.17.0.headline.html | 3 + 4 files changed, 375 insertions(+) create mode 100644 history/samba-4.17.0.html create mode 100644 posted_news/20220913-160427.4.17.0.body.html create mode 100644 posted_news/20220913-160427.4.17.0.headline.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 4a4e2b2..1e7d4c3 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,6 +9,7 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.17.0.html">samba-4.17.0</a></li> <li><a href="samba-4.16.5.html">samba-4.16.5</a></li> <li><a href="samba-4.16.4.html">samba-4.16.4</a></li> <li><a href="samba-4.16.3.html">samba-4.16.3</a></li> diff --git a/history/samba-4.17.0.html b/history/samba-4.17.0.html new file mode 100644 index 0000000..2c11129 --- /dev/null +++ b/history/samba-4.17.0.html 
@@ -0,0 +1,359 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.17.0 - Release Notes</title> +</head> +<body> +<H2>Samba 4.17.0 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.17.0.tar.gz">Samba 4.17.0 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.17.0.tar.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.17.0 + September 13, 2022 + ============================== + + +This is the first stable release of the Samba 4.17 release series. +Please read the release notes carefully before upgrading. + + +NEW FEATURES/CHANGES +==================== + +SMB Server performance improvements +----------------------------------- + +The security improvements in recent releases +(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races, +caused performance regressions for meta data heavy workloads. + +With 4.17 the situation improved a lot again: + +- Pathnames given by a client are devided into dirname and basename. + The amount of syscalls to validate dirnames is reduced to 2 syscalls + (openat, close) per component. On modern Linux kernels (>= 5.6) smbd + makes use of the openat2() syscall with RESOLVE_NO_SYMLINKS, + in order to just use 2 syscalls (openat2, close) for the whole dirname. + +- Contended path based operations used to generate a lot of unsolicited + wakeup events causing thundering herd problems, which lead to masive + latencies for some clients. These events are now avoided in order + to provide stable latencies and much higher throughput of open/close + operations. + +Configure without the SMB1 Server +--------------------------------- + +It is now possible to configure Samba without support for +the SMB1 protocol in smbd. 
This can be selected at configure +time with either of the options: + +--with-smb1-server +--without-smb1-server + +By default (without either of these options set) Samba +is configured to include SMB1 support (i.e. --with-smb1-server +is the default). When Samba is configured without SMB1 support, +none of the SMB1 code is included inside smbd except the minimal +stub code needed to allow a client to connect as SMB1 and immediately +negotiate the selected protocol into SMB2 (as a Windows server also +allows). + +None of the SMB1-only smb.conf parameters are removed when +configured without SMB1, but these parameters are ignored by +the smbd server. This allows deployment without having to change +an existing smb.conf file. + +This option allows sites, OEMs and integrators to configure Samba +to remove the old and insecure SMB1 protocol from their products. + +Note that the Samba client libraries still support SMB1 connections +even when Samba is configured as --without-smb1-server. This is +to ensure maximum compatibility with environments containing old +SMB1 servers. + +Bronze bit and S4U support now also with MIT Kerberos 1.20 +---------------------------------------------------------- + +In 2020 Microsoft Security Response Team received another Kerberos-related +report. Eventually, that led to a security update of the CVE-2020-17049, +Kerberos KDC Security Feature Bypass Vulnerability, also known as a âBronze +Bitâ. With this vulnerability, a compromised service that is configured to use +Kerberos constrained delegation feature could tamper with a service ticket that +is not valid for delegation to force the KDC to accept it. + +With the release of MIT Kerberos 1.20, Samba AD DC is able able to mitigate the +âBronze Bitâ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was +changed to allow passing more details between KDC and KDB components. 
When built +against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions +but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20. + +In addition to fixing the âBronze Bitâ issue, Samba AD DC now fully supports +S4U2Self and S4U2Proxy Kerberos extensions. + +Note the default (Heimdal-based) KDC was already fixed in 2021, +see https://bugzilla.samba.org/show_bug.cgi?id=14642 + +Resource Based Constrained Delegation (RBCD) support +---------------------------------------------------- + +Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT +Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite. + +samba-tool delegation got the 'add-principal' and 'del-principal' subcommands +in order to manage RBCD. + +To complete RBCD support and make it useful to Administrators we added the +Asserted Identity [1] SID into the PAC for constrained delegation. This is +available for Samba AD compiled with MIT Kerberos 1.20. + +Note the default (Heimdal-based) KDC does not support RBCD yet. + +[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview + +Customizable DNS listening port +------------------------------- + +It is now possible to set a custom listening port for the builtin DNS service, +making easy to host another DNS on the same system that would bind to the +default port and forward the domain-specific queries to Samba using the custom +port. This is the opposite configuration of setting a forwarder in Samba. + +It makes possible to use another DNS server as a front and forward to Samba. + +Dynamic DNS updates may not be proxied by the front DNS server when forwarding +to Samba. Dynamic DNS update proxying depends on the features of the other DNS +server used as a front. + +CTDB changes +------------ + +* When Samba is configured with both --with-cluster-support and + --systemd-install-services then a systemd service file for CTDB will + be installed. 
+ +* ctdbd_wrapper has been removed. ctdbd is now started directly from + a systemd service file or init script. + +* The syntax for the ctdb.tunables configuration file has been + relaxed. However, trailing garbage after the value, including + comments, is no longer permitted. Please see ctdb-tunables(7) for + more details. + +Operation without the (unsalted) NT password hash +------------------------------------------------- + +When Samba is configured with 'nt hash store = never' then Samba will +no longer store the (unsalted) NT password hash for users in Active +Directory. (Trust accounts, like computers, domain controllers and +inter-domain trusts are not impacted). + +In the next version of Samba the default for 'nt hash store' will +change from 'always' to 'auto', where it will follow (behave as 'nt +hash store = never' when 'ntlm auth = disabled' is set. + +Security-focused deployments of Samba that have eliminated NTLM from +their networks will find setting 'ntlm auth = disabled' with 'nt hash +store = always' as a useful way to improve compliance with +best-practice guidance on password storage (which is to always use an +interated hash). + +Note that when 'nt hash store = never' is set, then arcfour-hmac-md5 +Kerberos keys will not be available for users who subsequently change +their password, as these keys derive their values from NT hashes. AES +keys are stored by default for all deployments of Samba with Domain +Functional Level 2008 or later, are supported by all modern clients, +and are much more secure. + +Finally, also note that password history in Active Directory is stored +in nTPwdHistory using a series of NT hash values. Therefore the full +password history feature is not available in this mode. + +To provide some protection against password re-use previous Kerberos +hash values (the current, old and older values are already stored) are +used, providing a history length of 3. 
+ +There is one small limitation of this workaround: Changing the +sAMAccountName, userAccountControl or userPrincipalName of an account +can cause the Kerberos password salt to change. This means that after +*both* an account rename and a password change, only the current +password will be recognised for password history purposes. + +Python API for smbconf +---------------------- + +Samba's smbconf library provides a generic frontend to various +configuration backends (plain text file, registry) as a C library. A +new Python wrapper, importable as 'samba.smbconf' is available. An +additional module, 'samba.samba3.smbconf', is also available to enable +registry backend support. These libraries allow Python programs to +read, and optionally write, Samba configuration natively. + +JSON support for smbstatus +-------------------------- + +It is now possible to print detailed information in JSON format in +the smbstatus program using the new option --json. The JSON output +covers all the existing text output including sessions, connections, +open files, byte-range locks, notifies and profile data with all +low-level information maintained by Samba in the respective databases. + +Protected Users security group +------------------------------ + +Samba AD DC now includes support for the Protected Users security +group introduced in Windows Server 2012 R2. The feature reduces the +attack surface of user accounts by preventing the use of weak +encryption types. It also mitigates the effects of credential theft by +limiting credential lifetime and scope. + +The protections are intended for user accounts only, and service or +computer accounts should not be added to the Protected Users +group. User accounts added to the group are granted the following +security protections: + + * NTLM authentication is disabled. + * Kerberos ticket-granting tickets (TGTs) encrypted with RC4 are + not issued to or accepted from affected principals. 
Tickets + encrypted with AES, and service tickets encrypted with RC4, are + not affected by this restriction. + * The lifetime of Kerberos TGTs is restricted to a maximum of four + hours. + * Kerberos constrained and unconstrained delegation is disabled. + +If the Protected Users group is not already present in the domain, it +can be created with 'samba-tool group add'. The new '--special' +parameter must be specified, with 'Protected Users' as the name of the +group. An example command invocation is: + +samba-tool group add 'Protected Users' --special + +or against a remote server: + +samba-tool group add 'Protected Users' --special -H ldap://dc1.example.com -U Administrator + +The Protected Users group is identified in the domain by its having a +RID of 525. Thus, it should only be created with samba-tool and the +'--special' parameter, as above, so that it has the required RID +to function correctly. + + +REMOVED FEATURES +================ + +LanMan Authentication and password storage removed from the AD DC +----------------------------------------------------------------- + +The storage and authentication with LanMan passwords has been entirely +removed from the Samba AD DC, even when "lanman auth = yes" is set. + + +smb.conf changes +================ + + Parameter Name Description Default + -------------- ----------- ------- + dns port New default 53 + fruit:zero_file_id New default yes + nt hash store New parameter always + smb1 unix extensions Replaces "unix extensions" + volume serial number New parameter -1 + winbind debug traceid New parameter no + + +CHANGES SINCE 4.17.0rc4 +======================= + +o Ralph Boehme <s...@samba.org> + * BUG 15126: acl_xattr VFS module may unintentionally use filesystem + permissions instead of ACL from xattr. + * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1. + * BUG 15161: assert failed: !is_named_stream(smb_fname)") at + ../../lib/util/fault.c:197. 
+ +o Volker Lendecke <v...@samba.org> + * BUG 15126: acl_xattr VFS module may unintentionally use filesystem + permissions instead of ACL from xattr. + * BUG 15161: assert failed: !is_named_stream(smb_fname)") at + ../../lib/util/fault.c:197. + +o Stefan Metzmacher <me...@samba.org> + * BUG 15159: Cross-node multi-channel reconnects result in SMB2 Negotiate + returning NT_STATUS_NOT_SUPPORTED. + +o Noel Power <noel.po...@suse.com> + * BUG 15160: winbind at info level debug can coredump when processing + wb_lookupusergroups. + + +CHANGES SINCE 4.17.0rc3 +======================= + +o Anoop C S <anoo...@samba.org> + * BUG 15157: Make use of glfs_*at() API calls in vfs_glusterfs. + + +CHANGES SINCE 4.17.0rc2 +======================= + +o Jeremy Allison <j...@samba.org> + * BUG 15128: Possible use after free of connection_struct when iterating + smbd_server_connection->connections. + +o Christian Ambach <a...@samba.org> + * BUG 15145: `net usershare add` fails with flag works with --long but fails + with -l. + +o Ralph Boehme <s...@samba.org> + * BUG 15126: acl_xattr VFS module may unintentionally use filesystem + permissions instead of ACL from xattr. + +o Stefan Metzmacher <me...@samba.org> + * BUG 15125: Performance regression on contended path based operations. + * BUG 15148: Missing READ_LEASE break could cause data corruption. + +o Andreas Schneider <a...@samba.org> + * BUG 15141: libsamba-errors uses a wrong version number. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15152: SMB1 negotiation can fail to handle connection errors. + + +CHANGES SINCE 4.17.0rc1 +======================= + +o Jeremy Allison <j...@samba.org> + * BUG 15143: New filename parser doesn't check veto files smb.conf parameter. 
+ * BUG 15144: 4.17.rc1 still uses symlink-race prone unix_convert() + * BUG 15146: Backport fileserver related changed to 4.17.0rc2 + +o Jule Anger <jan...@samba.org> + * BUG 15147: Manpage for smbstatus json is missing + +o Volker Lendecke <v...@samba.org> + * BUG 15146: Backport fileserver related changed to 4.17.0rc2 + +o Stefan Metzmacher <me...@samba.org> + * BUG 15125: Performance regression on contended path based operations + * BUG 15146: Backport fileserver related changed to 4.17.0rc2 + +o Andreas Schneider <a...@samba.org> + * BUG 15140: Fix issues found by coverity in smbstatus json code + * BUG 15146: Backport fileserver related changed to 4.17.0rc2 + + +KNOWN ISSUES +============ + +https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.17#Release_blocking_bugs + + +</pre> +</p> +</body> +</html> diff --git a/posted_news/20220913-160427.4.17.0.body.html b/posted_news/20220913-160427.4.17.0.body.html new file mode 100644 index 0000000..2882bf2 --- /dev/null +++ b/posted_news/20220913-160427.4.17.0.body.html @@ -0,0 +1,12 @@ +<!-- BEGIN: posted_news/20220913-160427.4.17.0.body.html --> +<h5><a name="4.17.0">13 September 2022</a></h5> +<p class=headline>Samba 4.17.0 Available for Download</p> +<p> +This is the latest stable release of the Samba 4.17 release series. +</p> +<p> +The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620). +The source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.17.0.tar.gz">downloaded now</a>. +See <a href="https://www.samba.org/samba/history/samba-4.17.0.html">the release notes for more info</a>. +</p> +<!-- END: posted_news/20220913-160427.4.17.0.body.html --> diff --git a/posted_news/20220913-160427.4.17.0.headline.html b/posted_news/20220913-160427.4.17.0.headline.html new file mode 100644 index 0000000..83f286c --- /dev/null +++ b/posted_news/20220913-160427.4.17.0.headline.html 
@@ -0,0 +1,3 @@ +<!-- BEGIN: posted_news/20220913-160427.4.17.0.headline.html --> +<li> 13 September 2022 <a href="#4.17.0">Samba 4.17.0 Available for Download</a></li> +<!-- END: posted_news/20220913-160427.4.17.0.headline.html --> -- Samba Website Repository
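Review bot: In the history/samba-4.17.0.html hunk the markup does not match the XHTML 1.0 Transitional doctype it declares: the `<pre>` block is nested inside `<p>`, the heading is written as uppercase `<H2>`, and `<br>` is unclosed. Suggest dropping the `<p>` wrapper around `<pre>` (or closing `</p>` before it), using `<h2>`/`</h2>` and `<br />`. The file also declares no charset in `<head>`, and the curly quotes around Bronze Bit come through as mojibake (`âBronze Bitâ`); either add a `<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />` or use plain ASCII quotes. Since this page is what users will read before upgrading, it is also worth fixing the typos carried over from the release notes before publishing: "devided", "masive", "able able", "interated hash", "Sambas S4U testsuite", "making easy to host", "It makes possible", the unclosed parenthesis in "(behave as 'nt hash store = never' when 'ntlm auth = disabled' is set.", the stray `")` in "!is_named_stream(smb_fname)")", and "Backport fileserver related changed" (changes).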
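Review bot: The posted_news/20220913-160427.4.17.0.body.html hunk tells readers the tarball is signed with key AA99442FB680B620 but links only the tarball, whereas the history page in the same commit links both the tarball and its detached signature (samba-4.17.0.tar.asc). Suggest adding the signature link beside the download link so readers can verify the release without having to navigate to the release-notes page first. Minor wording point: the body says "the latest stable release of the Samba 4.17 release series" while the release notes it links to describe 4.17.0 as "the first stable release" of that series; "first" would be the more accurate wording for a .0 release.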