From 110a3588810152248341721b425e3e48281ad99c Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 30 Aug 2024 14:51:56 +1200 Subject: [PATCH 01/10] WHATSNEW: LDB unicode changes Signed-off-by: Douglas Bagnall Signed-off-by: Jennifer Sutton Signed-off-by: Andrew Bartlett --- WHATSNEW.txt | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 84677c8af53..51982312962 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -80,6 +80,27 @@ never took into account later changes, and so has not worked for a number of years. Samba 4.21 and LDB 2.10 removes this unused and broken feature. +Changes in LDB handling of Unicode +---------------------------------- + +Developers using LDB up to version 2.9 could call ldb_set_utf8_fns() +to determine how LDB handled casefolding. This is used internally by +string comparison functions. In LDB 2.10 this function is deprecated, +and ldb_set_utf8_functions() is preferred. The new function allows a +direct comparison function to be set as well as a casefold function. +This improves performance and allows for more robust handling of +degenerate cases. The function should be called just after ldb_init(), +with the following arguments: + + ldb_set_utf8_functions(ldb, /* the struct ldb_ctx LDB object */ + context_variable /* possibly NULL */ + casefold_function, + case_insensitive_comparison_function); + +The default behaviour of LDB remains to perform ASCII casefolding +only, as if in the "C" locale. Recent versions have become +increasingly consistent in this. + Some Samba public libraries made private by default --------------------------------------------------- -- 2.34.1 From 340aa7bcd7d9c40ff27bb3699802bece696cd0d1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 30 Aug 2024 14:53:50 +1200 Subject: [PATCH 02/10] WHATSNEW: group managed service accounts Signed-off-by: Andrew Bartlett Signed-off-by: Jennifer Sutton 
Signed-off-by: Douglas Bagnall --- WHATSNEW.txt | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 51982312962..b45f7604e2f 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -269,6 +269,59 @@ Configuration is identical to existing module, but using 'ceph_new' instead of 'ceph' for the relevant smb.conf entries. This new module is expected to deprecate and replace the old one in next major release. +Group Managed Service Accounts +------------------------------ +Samba 4.21 adds support for gMSAs (Group Managed Service Accounts), +completing support for Functional Level 2012. + +The purpose of a gMSA is to allow a single host, or a cluster of +hosts, to share access to an automatically rotating password, avoiding +the weak static service passwords that are often the entrypoint of +attackers to AD domains. Each server has a strong and regularly +rotated password, which is used to access the gMSA account of (e.g.) +the database server. + +Samba provides management and client tools, allowing services on Unix +hosts to access the current and next gMSA passwords, as well as obtain +a credentials cache. + +Samba 4.20 announced the client-side tools for this feature. To avoid +duplication and provide consistency, the existing commands for +password viewing have been extended, so these commands operate both on +a gMSA (with credentials, over LDAP, specify -H) and locally for +accounts that have a compatible password (e.g. plaintext via GPG, +compatible hash) + + samba-tool user getpassword + samba-tool user get-kerberos-ticket + samba-tool domain exportkeytab + +An example command, which gets the NT hash for use with NTLM, is + + samba-tool user getpassword -H ldap://server --machine-pass \ + TestUser1 --attributes=unicodePwd + +Kerberos is a better choice (gMSA accounts should not use LDAP simple +binds, for reasons of both security and compatibility). Use + + samba-tool user get-kerberos-ticket -H ldap://server --machine-pass \ + TestUser1 --output-krb5-ccache=/srv/service/krb5_ccache + +gMSAs disclose a current and previous password. 
To access the previous +NT hash, use: + + samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \ + --attrs=unicodePwd;previous=1 + +To access the previous password as UTF8, use: + + samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \ + --attributes=pwdLastSet,virtualClearTextUTF8;previous=1 + +However, Windows tools for dealing with gMSAs tend to use Active +Directory Web Services (ADWS) from Powershell for setting up the +accounts, and this separate protocol is not supported by Samba 4.21. + REMOVED FEATURES ================ -- 2.34.1 From eec4a660d701da161adbe7cadaf35fc40cd66a62 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 30 Aug 2024 14:54:34 +1200 Subject: [PATCH 03/10] WHATSNEW: samba-tool domain kds Signed-off-by: Douglas Bagnall Signed-off-by: Andrew Bartlett Signed-off-by: Jennifer Sutton --- WHATSNEW.txt | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index b45f7604e2f..23efd8ec524 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -322,6 +322,18 @@ However, Windows tools for dealing with gMSAs tend to use Active Directory Web Services (ADWS) from Powershell for setting up the accounts, and this separate protocol is not supported by Samba 4.21. +Samba-tool commands for handling gMSA (KDS) root keys +----------------------------------------------------- +Group managed service accounts rotate passwords based on root keys, +which can be managed using samba-tool, with commands such as + + samba-tool domain kds root_key create + samba-tool domain kds root_key list + +Samba will create a new root key for new domains at provision time, +but users of gMSA accounts on upgraded domains will need to first +create a root key. + REMOVED FEATURES ================ -- 2.34.1 From 1dfcffc9b57079ff00d8841d9040ea478c26fc80 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 30 Aug 2024 14:56:32 +1200 Subject: [PATCH 04/10] WHATSNEW: PKINIT freshness in heimdal 
Signed-off-by: Andrew Bartlett Signed-off-by: Douglas Bagnall Signed-off-by: Jennifer Sutton --- WHATSNEW.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 23efd8ec524..0119383a317 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -334,6 +334,17 @@ Samba will create a new root key for new domains at provision time, but users of gMSA accounts on upgraded domains will need to first create a root key. +RFC 8070 PKINIT "Freshness extension" supported in the Heimdal KDC +------------------------------------------------------------------ +The Heimdal KDC will recognise when a client provides proof that they +hold the hardware token used for smart-card authentication 'now' and +has not used a saved future-dated reply. Samba 4.21 now matches +Windows and will assign an extra SID to the user in this case, +allowing sensitive resources to be additionally protected. + +Only Windows clients are known to support the client side of this +feature at this time. + REMOVED FEATURES ================ -- 2.34.1 From 544be5f4f1ca2ac577204035df932a3ced856701 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 30 Aug 2024 14:57:46 +1200 Subject: [PATCH 05/10] WHATSNEW: samba-tool authentication policy command restructure Signed-off-by: Andrew Bartlett Signed-off-by: Douglas Bagnall Signed-off-by: Jennifer Sutton --- WHATSNEW.txt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 0119383a317..24a73c82edf 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -345,6 +345,12 @@ allowing sensitive resources to be additionally protected. Only Windows clients are known to support the client side of this feature at this time. +New samba-tool Authentication Policy management command structure +----------------------------------------------------------------- +As foreshadowed in the Samba 4.20 release notes, the "samba-tool +domain auth policy" commands have been reworked to be more intuitive +based on user feedback and reflection. + REMOVED FEATURES ================ -- 2.34.1 From cf6ec773120ecb685acd5f71f52a8551daba1ef7 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 30 Aug 2024 14:58:35 +1200 Subject: [PATCH 06/10] WHATSNEW: Functional level 2012R2 Signed-off-by: Douglas Bagnall --- WHATSNEW.txt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 24a73c82edf..7ea41947e0a 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -351,6 +351,11 @@ As foreshadowed in the Samba 4.20 release notes, the "samba-tool domain auth policy" commands have been reworked to be more intuitive based on user feedback and reflection. +Support for key features of AD Domain/Forest Functional Level 2012R2 +-------------------------------------------------------------------- +Combined with other changes in recent versions (such as claims support +in 4.20), Samba can now claim Functional Level 2012R2 support. + REMOVED FEATURES ================ -- 2.34.1 From 3963b7c9c6c3b1e112f8273bbb8366f9a3125143 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 30 Aug 2024 14:58:59 +1200 Subject: [PATCH 07/10] WHATSNEW: build option changes Signed-off-by: Douglas Bagnall Signed-off-by: Andrew Bartlett Signed-off-by: Jennifer Sutton --- WHATSNEW.txt | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 7ea41947e0a..068a712a672 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -356,6 +356,15 @@ Support for key features of AD Domain/Forest Functional Level 2012R2 Combined with other changes in recent versions (such as claims support in 4.20), Samba can now claim Functional Level 2012R2 support. +Build system +------------ +In previous versions of Samba, packagers of Samba would set their +package-specific version strings using a patch to the +SAMBA_VERSION_VENDOR_SUFFIX line in the ./VERSION file. Now that is +achieved by using --vendor-suffix (at configure time), allowing this +to be more easily scripted. Vendors are encouraged to include their +name and full package version to assist with upstream debugging. + REMOVED FEATURES ================ -- 2.34.1 From fd205f983d371f3d69e131c93d5ac2b505532d76 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 30 Aug 2024 14:59:33 +1200 Subject: [PATCH 08/10] WHATSNEW: more deterministic builds Signed-off-by: Douglas Bagnall Signed-off-by: Jennifer Sutton Signed-off-by: Andrew Bartlett --- WHATSNEW.txt | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 068a712a672..7e45d1b1873 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -365,6 +365,21 @@ achieved by using --vendor-suffix (at configure time), allowing this to be more easily scripted. Vendors are encouraged to include their name and full package version to assist with upstream debugging. +More deterministic builds +------------------------- +Samba builds are now more reproducible, providing better assurance +that the Samba binaries you run are the same as what is expected from +the source code. If locale settings are not changed, the same objects +will be produced from each compilation run. If Samba is built in a +different path, the object code will remain the same, but DWARF +debugging sections will change (while remaining functionally +equivalent). + +See https://reproducible-builds.org/ for more information on this +industry-wide effort and +https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/samba.html +for the status in Debian. + REMOVED FEATURES ================ -- 2.34.1 From c3de84cc7f2e6c42808417648be45c6510958c16 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Fri, 30 Aug 2024 15:00:00 +1200 Subject: [PATCH 09/10] WHATSNEW: command line secret redaction Signed-off-by: Douglas Bagnall Signed-off-by: Jennifer Sutton Signed-off-by: Andrew Bartlett --- WHATSNEW.txt | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 7e45d1b1873..5eb0965bcea 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -380,6 +380,16 @@ industry-wide effort and https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/samba.html for the status in Debian. +Improved command-line redaction +------------------------------- +There are several options that can be used with Samba tools for +specifying secrets. Although this is best avoided, when these options +are used, Samba will redact the secrets in /proc, so that they won't +be seen in ps or top. This is now carried out more thoroughly, +redacting more options. There is a race inherent in this, and the +passwords will be visible for a short time. The secrets are also not +removed from .bash_history and similar files. + REMOVED FEATURES ================ -- 2.34.1 From b09e26a952370ccb4df49eacb4a976bfc1c9dc0d Mon Sep 17 00:00:00 2001 From: Jennifer Sutton Date: Fri, 30 Aug 2024 15:00:50 +1200 Subject: [PATCH 10/10] WHATSNEW: updated name Signed-off-by: Jennifer Sutton Signed-off-by: Andrew Bartlett Signed-off-by: Douglas Bagnall --- WHATSNEW.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 5eb0965bcea..ff06e692e9b 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -461,7 +461,7 @@ o Douglas Bagnall * BUG 15673: --version-* options are still not ergonomic, and they reject tilde characters. -o Jo Sutton +o Jennifer Sutton * BUG 15690: ldb_version.h is missing from ldb public library o Pavel Filipenský -- 2.34.1
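Review bot: PATCH 01/10, the ldb_set_utf8_functions() call sketch in the new "Changes in LDB handling of Unicode" section is missing the comma after the second argument (`context_variable /* possibly NULL */` runs straight into `casefold_function,`), so anyone copying it gets a compile error; also worth checking that the type named in the first comment (`struct ldb_ctx`) matches the declaration in the LDB header, since the text says the call follows ldb_init(). Suggest `context_variable, /* possibly NULL */` and the verified struct name.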
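Review bot: PATCH 02/10, the two "previous password" examples pass `;previous=1` unquoted (`--attrs=unicodePwd;previous=1` and `--attributes=pwdLastSet,virtualClearTextUTF8;previous=1`), and an unquoted `;` ends the command in a POSIX shell, so the examples as written silently run without the previous=1 part; quote the whole option value. The same two examples also spell the option differently (`--attrs=` in one, `--attributes=` in the other); pick the spelling samba-tool actually accepts and use it in both. Minor: the sentence ending "(e.g. plaintext via GPG, compatible hash)" is missing its full stop.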
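Review bot: PATCH 03/10, the last paragraph tells upgraded-domain admins they "will need to first create a root key" but does not say how to tell whether one is needed; since the `list` subcommand is already shown, suggest wording such as "run `samba-tool domain kds root_key list`; if it prints nothing, create one with `samba-tool domain kds root_key create` before relying on gMSA accounts", so the entry is actionable on its own.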
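Review bot: PATCH 04/10, the first sentence mixes number ("a client provides proof that they hold ... and has not used"); suggest "a client provides proof that it holds the hardware token ... and has not replayed a saved, future-dated reply". The section also says an "extra SID" is assigned without naming it, which is the detail an administrator needs in order to reference it in an ACL when "additionally protecting" sensitive resources; please name the SID in the text.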
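Review bot: PATCH 05/10, missing documentation: the new section says the "samba-tool domain auth policy" commands "have been reworked" but gives neither the new command structure nor whether the 4.20 spellings still work, so anyone with scripts from 4.20 cannot tell from this entry what to change. Suggest a short old-to-new mapping (or a pointer to `samba-tool domain auth policy --help`) and an explicit statement of whether the previous syntax is removed.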
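Review bot: PATCH 06/10, the heading promises "key features" of Functional Level 2012R2 but the body only says Samba "can now claim" support; please list which 2012R2 features this refers to (the text itself names claims in 4.20 and the gMSA work earlier in the same file) and state whether a domain can now be raised to that level with the existing samba-tool domain level command, since that is what readers will try first.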
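Review bot: PATCH 07/10, the new "Build system" entry mentions `--vendor-suffix (at configure time)` but not the expected value format, while at the same time asking vendors to "include their name and full package version"; one example invocation in the text's own indented-command style (e.g. `./configure --vendor-suffix=<vendor>-<package-version>`) would remove the guesswork for packagers.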
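Review bot: PATCH 08/10, "If locale settings are not changed" is ambiguous (not changed between which two builds, and which settings count); suggest "given the same locale and toolchain settings on both runs, each compilation produces identical objects". Also, the first sentence's "better assurance that the binaries you run are the same as what is expected" undersells the point: say that a third party can rebuild from source and compare byte-for-byte, which is the property the linked reproducible-builds.org effort is about.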
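Review bot: PATCH 09/10, the entry says passing secrets on the command line "is best avoided" but never says what to use instead; naming the supported alternatives (prompting, a credentials file, or the environment, whichever samba-tool supports) turns the caveat into advice. The race paragraph should also spell out that rewriting the arguments in /proc only affects readers that look after the program has started, so anything that records the original argv at exec time is in the same position as the .bash_history case already mentioned.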