From fa71441413a6ee9457fffb107c74cb4624fe167e Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 30 Aug 2024 14:51:56 +1200 Subject: [PATCH 01/10] WHATSNEW: LDB unicode changes Signed-off-by: Douglas Bagnall Signed-off-by: Jennifer Sutton Signed-off-by: Andrew Bartlett --- WHATSNEW.txt | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 84677c8af53..51982312962 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -80,6 +80,27 @@ never took into account later changes, and so has not worked for a number of years. Samba 4.21 and LDB 2.10 removes this unused and broken feature. +Changes in LDB handling of Unicode +---------------------------------- + +Developers using LDB up to version 2.9 could call ldb_set_utf8_fns() +to determine how LDB handled casefolding. This is used internally by +string comparison functions. In LDB 2.10 this function is deprecated, +and ldb_set_utf8_functions() is preferred. The new function allows a +direct comparison function to be set as well as a casefold function. +This improves performance and allows for more robust handling of +degenerate cases. The function should be called just after ldb_init(), +with the following arguments: + + ldb_set_utf8_functions(ldb, /* the struct ldb_ctx LDB object */ + context_variable /* possibly NULL */ + casefold_function, + case_insensitive_comparison_function); + +The default behaviour of LDB remains to perform ASCII casefolding +only, as if in the "C" locale. Recent versions have become +increasingly consistent in this. + Some Samba public libraries made private by default --------------------------------------------------- -- 2.34.1 From 0f00d55b9c599602b8fb40054a2f2afd4cbe637b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 30 Aug 2024 14:53:50 +1200 Subject: [PATCH 02/10] WHATSNEW: group managed service accounts Signed-off-by: Andrew Bartlett Signed-off-by: Jennifer Sutton 
Signed-off-by: Douglas Bagnall --- WHATSNEW.txt | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 51982312962..b45f7604e2f 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -269,6 +269,59 @@ Configuration is identical to existing module, but using 'ceph_new' instead of 'ceph' for the relevant smb.conf entries. This new module is expected to deprecate and replace the old one in next major release. +Group Managed Service Accounts +------------------------------ +Samba 4.21 adds support for gMSAs (Group Managed Service Accounts), +completing support for Functional Level 2012. + +The purpose of a gMSA is to allow a single host, or a cluster of +hosts, to share access to an automatically rotating password, avoiding +the weak static service passwords that are often the entrypoint of +attackers to AD domains. Each server has a strong and regularly +rotated password, which is used to access the gMSA account of (e.g.) +the database server. + +Samba provides management and client tools, allowing services on Unix +hosts to access the current and next gMSA passwords, as well as obtain +a credentials cache. + +Samba 4.20 announced the client-side tools for this feature. To avoid +duplication and provide consistency, the existing commands for +password viewing have been extended, so these commands operate both on +a gMSA (with credentials, over LDAP, specify -H) and locally for +accounts that have a compatible password (e.g. plaintext via GPG, +compatible hash) + + samba-tool user getpassword + samba-tool user get-kerberos-ticket + samba-tool domain exportkeytab + +An example command, which gets the NT hash for use with NTLM, is + + samba-tool user getpassword -H ldap://server --machine-pass \ + TestUser1 --attributes=unicodePwd + +Kerberos is a better choice (gMSA accounts should not use LDAP simple +binds, for reasons of both security and compatibility). Use + + samba-tool user get-kerberos-ticket -H ldap://server --machine-pass \ + TestUser1 --output-krb5-ccache=/srv/service/krb5_ccache + +gMSAs disclose a current and previous password. 
To access the previous +NT hash, use: + + samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \ + --attrs=unicodePwd;previous=1 + +To access the previous password as UTF8, use: + + samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \ + --attributes=pwdLastSet,virtualClearTextUTF8;previous=1 + +However, Windows tools for dealing with gMSAs tend to use Active +Directory Web Services (ADWS) from Powershell for setting up the +accounts, and this separate protocol is not supported by Samba 4.21. + REMOVED FEATURES ================ -- 2.34.1 From 2f4eb19f1dbbb7d8b51930bed7189da4ffb1c68d Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 30 Aug 2024 14:54:34 +1200 Subject: [PATCH 03/10] WHATSNEW: samba-tool domain kds Signed-off-by: Douglas Bagnall Signed-off-by: Andrew Bartlett Signed-off-by: Jennifer Sutton --- WHATSNEW.txt | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index b45f7604e2f..23efd8ec524 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -322,6 +322,18 @@ However, Windows tools for dealing with gMSAs tend to use Active Directory Web Services (ADWS) from Powershell for setting up the accounts, and this separate protocol is not supported by Samba 4.21. +Samba-tool commands for handling gMSA (KDS) root keys +----------------------------------------------------- +Group managed service accounts rotate passwords based on root keys, +which can be managed using samba-tool, with commands such as + + samba-tool domain kds root_key create + samba-tool domain kds root_key list + +Samba will create a new root key for new domains at provision time, +but users of gMSA accounts on upgraded domains will need to first +create a root key. + REMOVED FEATURES ================ -- 2.34.1 From 2fe1e90dddf5593afce57c442f09d58358e19c0f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 30 Aug 2024 14:56:32 +1200 Subject: [PATCH 04/10] WHATSNEW: PKINIT freshness in heimdal 
Signed-off-by: Andrew Bartlett Signed-off-by: Douglas Bagnall Signed-off-by: Jennifer Sutton --- WHATSNEW.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 23efd8ec524..0119383a317 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -334,6 +334,17 @@ Samba will create a new root key for new domains at provision time, but users of gMSA accounts on upgraded domains will need to first create a root key. +RFC 8070 PKINIT "Freshness extension" supported in the Heimdal KDC +------------------------------------------------------------------ +The Heimdal KDC will recognise when a client provides proof that they +hold the hardware token used for smart-card authentication 'now' and +has not used a saved future-dated reply. Samba 4.21 now matches +Windows and will assign an extra SID to the user in this case, +allowing sensitive resources to be additionally protected. + +Only Windows clients are known to support the client side of this +feature at this time. + REMOVED FEATURES ================ -- 2.34.1 From 249408a36d6a09d4a0705471669f25df2fea9f56 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 30 Aug 2024 14:57:46 +1200 Subject: [PATCH 05/10] WHATSNEW: samba-tool authentication policy command restructure Signed-off-by: Andrew Bartlett Signed-off-by: Douglas Bagnall Signed-off-by: Jennifer Sutton --- WHATSNEW.txt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 0119383a317..24a73c82edf 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -345,6 +345,12 @@ allowing sensitive resources to be additionally protected. Only Windows clients are known to support the client side of this feature at this time. +New samba-tool Authentication Policy management command structure +----------------------------------------------------------------- +As foreshadowed in the Samba 4.20 release notes, the "samba-tool +domain auth policy" commands have been reworked to be more intuitive +based on user feedback and reflection. + REMOVED FEATURES ================ -- 2.34.1 From 6254beacdf924c9915dc47a22d2d440682212dcb Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 30 Aug 2024 14:58:35 +1200 Subject: [PATCH 06/10] WHATSNEW: Functional level 2012R2 Signed-off-by: Douglas Bagnall Signed-off-by: Andrew Bartlett Signed-off-by: Jennifer Sutton --- WHATSNEW.txt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 24a73c82edf..c645f566c95 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -351,6 +351,12 @@ As foreshadowed in the Samba 4.20 release notes, the "samba-tool domain auth policy" commands have been reworked to be more intuitive based on user feedback and reflection. +Support for key features of AD Domain/Forest Functional Level 2012R2 +-------------------------------------------------------------------- +Combined with other changes in recent versions (such as claims support +in 4.20), Samba can now claim Functional Level 2012R2 support. This is +largely due to sponsorship from Tranquil IT. + REMOVED FEATURES ================ -- 2.34.1 From ef8d29e742aead9dc2b8fdc8b026ae9191e93f77 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 30 Aug 2024 14:58:59 +1200 Subject: [PATCH 07/10] WHATSNEW: build option changes Signed-off-by: Douglas Bagnall Signed-off-by: Andrew Bartlett Signed-off-by: Jennifer Sutton --- WHATSNEW.txt | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index c645f566c95..2078a550280 100644 --- a/WHATSNEW.txt 
+++ b/WHATSNEW.txt @@ -357,6 +357,15 @@ Combined with other changes in recent versions (such as claims support in 4.20), Samba can now claim Functional Level 2012R2 support. This is largely due to sponsorship from Tranquil IT. +Build system +------------ +In previous versions of Samba, packagers of Samba would set their +package-specific version strings using a patch to the +SAMBA_VERSION_VENDOR_SUFFIX line in the ./VERSION file. Now that is +achieved by using --vendor-suffix (at configure time), allowing this +to be more easily scripted. Vendors are encouraged to include their +name and full package version to assist with upstream debugging. + REMOVED FEATURES ================ -- 2.34.1 From afa4ea08acdd7532f97d93a09e6d00607a254a87 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 30 Aug 2024 14:59:33 +1200 Subject: [PATCH 08/10] WHATSNEW: more deterministic builds Signed-off-by: Douglas Bagnall Signed-off-by: Jennifer Sutton Signed-off-by: Andrew Bartlett --- WHATSNEW.txt | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 2078a550280..7dfebc2da75 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -366,6 +366,21 @@ achieved by using --vendor-suffix (at configure time), allowing this to be more easily scripted. Vendors are encouraged to include their name and full package version to assist with upstream debugging. +More deterministic builds +------------------------- +Samba builds are now more reproducible, providing better assurance +that the Samba binaries you run are the same as what is expected from +the source code. If locale settings are not changed, the same objects +will be produced from each compilation run. If Samba is built in a +different path, the object code will remain the same, but DWARF +debugging sections will change (while remaining functionally +equivalent). + +See https://reproducible-builds.org/ for more information on this +industry-wide effort and +https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/samba.html +for the status in Debian. + REMOVED FEATURES ================ -- 2.34.1 From cc3a945ef082c197df9bb3baabedb707a9a1de07 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 30 Aug 2024 15:00:00 +1200 Subject: [PATCH 09/10] WHATSNEW: command line secret redaction Signed-off-by: Douglas Bagnall Signed-off-by: Jennifer Sutton Signed-off-by: Andrew Bartlett --- WHATSNEW.txt | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 7dfebc2da75..a33d8ce480e 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -381,6 +381,16 @@ industry-wide effort and https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/samba.html for the status in Debian. +Improved command-line redaction +------------------------------- +There are several options that can be used with Samba tools for +specifying secrets. Although this is best avoided, when these options +are used, Samba will redact the secrets in /proc, so that they won't +be seen in ps or top. This is now carried out more thoroughly, +redacting more options. There is a race inherent in this, and the +passwords will be visible for a short time. The secrets are also not +removed from .bash_history and similar files. + REMOVED FEATURES ================ -- 2.34.1 From bfce2149f6f9044d32269b9f426b7134e69e8dda Mon Sep 17 00:00:00 2001 From: Jennifer Sutton Date: Fri, 30 Aug 2024 15:00:50 +1200 Subject: [PATCH 10/10] WHATSNEW: updated name Signed-off-by: Jennifer Sutton Signed-off-by: Andrew Bartlett Signed-off-by: Douglas Bagnall --- WHATSNEW.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index a33d8ce480e..2fc57b9728f 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -462,7 +462,7 @@ o Douglas Bagnall * BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters. -o Jo Sutton +o Jennifer Sutton * BUG 15690: ldb_version.h is missing from ldb public library o Pavel Filipenský -- 2.34.1
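Review bot: In the ldb_set_utf8_functions() example in PATCH 01/10 the second argument `context_variable /* possibly NULL */` is missing its trailing comma, so the snippet would not compile if a reader copied it; write it as `context_variable, /* possibly NULL */`. It would also help to say whether passing NULL for either function pointer falls back to the default ASCII casefolding described at the end of the section, or whether both functions must always be supplied.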
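Review bot: The samba-tool examples in PATCH 02/10 spell the same option two ways, `--attributes=unicodePwd` in the first getpassword example and `--attrs=unicodePwd;previous=1` in the third; use one spelling so readers do not have to guess which is accepted. The two `;previous=1` examples also need quoting: an unquoted `;` terminates the command in a POSIX shell, so `previous=1` would run as a separate variable assignment and samba-tool would receive only the part before the `;`, without the previous-password selector; write them as `--attributes='unicodePwd;previous=1'` and `--attributes='pwdLastSet,virtualClearTextUTF8;previous=1'`. Minor: the sentence ending `compatible hash)` lacks a full stop, and `Powershell` should be `PowerShell`.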
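Review bot: In the PKINIT freshness hunk in PATCH 04/10 the sentence `proof that they hold the hardware token ... and has not used a saved future-dated reply` mixes plural and singular (`they hold` / `has not used`); use `have not used`. The paragraph also says Samba `will assign an extra SID` without naming it; giving the SID, or the well-known name it corresponds to, would let administrators actually write the access-control entries that `allowing sensitive resources to be additionally protected` points to.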
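Review bot: The authentication-policy hunk in PATCH 05/10 says the `samba-tool domain auth policy` commands `have been reworked` but shows neither the new command layout nor a mapping from the 4.20 names, so an administrator with existing scripts cannot tell what to change; add at least one before/after example or a pointer to the relevant `--help` output.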
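Review bot: In PATCH 06/10 the phrase `Samba can now claim Functional Level 2012R2 support`, coming right after `claims support in 4.20`, reads as if it concerns the AD claims feature; `Samba now supports Functional Level 2012R2` avoids the ambiguity. The heading says `key features` while the body says plain `support`; if some 2012R2 features are still missing, say so here so the two agree.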
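Review bot: The build-system hunk in PATCH 07/10 mentions `--vendor-suffix (at configure time)` but never shows the invocation; a one-line example such as `./configure --vendor-suffix=<suffix>` would make it immediately usable. `In previous versions of Samba, packagers of Samba` repeats `of Samba`; drop one.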
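Review bot: The reproducibility claim in PATCH 08/10, `If locale settings are not changed, the same objects will be produced`, does not say what the reference point is: unchanged between two builds, or set to a particular value. State the condition precisely (for example, the same locale environment for both builds). The caveat that building in a different path changes the DWARF sections also deserves a sentence on what that means for someone comparing binaries, since `the same as what is expected from the source code` then holds only for the non-debug sections unless the build paths match.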
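Review bot: The redaction hunk in PATCH 09/10 says passing secrets on the command line `is best avoided` but does not say what to do instead, so the advice is not actionable; name the alternatives the tools already offer (an interactive prompt or a credentials file). It would also help to list which options are now covered, since `redacting more options` gives the reader no way to check, and to state plainly that overwriting the argument in /proc only reduces casual exposure, given the race and the shell-history caveats already in the paragraph.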