[samba] Samba-4.18 and Samba-4.19 in Sisyphus

Evgeny Sinelnikov sin at basealt.ru
Tue Nov 7 08:36:23 MSK 2023


Hello.

Samba-4.18 landed in Sisyphus last week. It is an intermediate supported
release.

Samba-4.19 has been prepared today:

#333680 TESTED #5 [test-only] sisyphus libtalloc.git=2.4.1-alt1 
libtdb.git=1.4.9-alt1 libtevent.git=0.15.0-alt1 libldb.git=2.8.0-alt1 
samba.git=4.19.2-alt1 sssd.git=2.9.2-alt1 admc.git=0.14.0-alt1 
gpui.git=0.2.37-alt1 freeipa.git=4.9.12-alt1

Everyone interested is invited to test it.

Of interest, worth noting:

* The need to move to the new Python API for working with Group Policies.
* New requirements for handling LDAP requests on an unencrypted channel (not
  LDAPS) when setting a password.
* A bunch of "tasty" and "useful" things, including the ability to raise the
  forest schema to 2016.
* Certificate reloading "on the fly" (previously done with smbcontrol
  ldap_server reload-certs).
* Partial support for "Authentication Policies and Authentication Policy
  Silos":
  o https://learn.microsoft.com/ru-ru/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos
  o https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos
  o https://www.rebeladmin.com/2016/03/authentication-policies-and-authentication-policy-silos/
  o https://itworldjd.wordpress.com/2019/12/18/authentication-silos-and-policies/
* The KDC Heimdal code base (our samba-dc build) has been fully updated.


It is recommended to read the detailed description of the 4.19 release:

* https://www.samba.org/samba/history/samba-4.19.0.html
* https://wiki.samba.org/index.php/Samba_4.19_Features_added/changed

* https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
* https://wiki.samba.org/index.php/AD_Schema_Version_Support (not
  updated)
* https://wiki.samba.org/index.php/Azure_AD_Connect_Cloud_sync
  (samba-tool domain functionalprep --function-level=2012_R2 is already
  available in Samba-4.17 and Samba-4.18)


Release description for 4.18.x:

4.18.8-alt1

    - Update to stable release of Samba 4.18 with latest bugfixes and new features:
     + SMB Server performance improvements. The locking overhead for contended
       path-based operations is reduced by an additional factor of ~3 compared to 4.17.
     + More succinct samba-tool error messages.
     + Accessing the old samba-tool messages with full Python stack trace by using
       the argument '-d3'.
     + New samba-tool dsacl subcommand for deleting ACEs.
     + Colour output with samba-tool --color and
     + No colour with NO_COLOR environment variable.
     + New wbinfo option --change-secret-at which forces the trust account password
       to be changed at a specified domain controller.
     + New option acl_xattr:security_acl_name to change the NT ACL default protected
       location security.NTACL, not accessible from normal users outside of Samba.
     + New option server addresses as per-share parameter to limit share visibility
       and accessibility to specific server IP addresses. This option can offer a
       different set of shares per interface.
     + Azure Active Directory / Office365 synchronisation improvements with the
       Azure AD Connect cloud sync tool, which is now supported for password hash
       synchronisation, allowing Samba AD Domains to synchronise passwords with this
       popular cloud environment.

Release description for 4.19.x:

4.19.2-alt1

    - Update to stable release of Samba 4.19 with latest bugfixes and new features:
     + Migrated smbget to use common command line parser. This has some advantages
       as you get all the features it provides like Kerberos authentication. The
       support for smbgetrc has been removed.
     + gpupdate changes: The libgpo.get_gpo_list function has been deprecated in
       favor of an implementation written in Python, which connects to Active
       Directory using the SamDB module, instead of ADS (which is what libgpo uses).
     + Improved winbind logging and a new tool for parsing the winbind logs. Winbind
       logs (if smb.conf 'winbind debug traceid = yes' is set) contain new trace
       header fields 'traceid' and 'depth'.
     + AD database prepared to Functional Level 2016 standards for new domains.
       While Samba still provides only Functional Level 2008R2 by default, Samba as
       an AD DC will now, in provision, ensure that the blank database is already
       prepared for Functional Level 2016, with AD Schema 2019.
     + Kerberos Claims, Authentication Silos and NTLM authentication policies.
       The primary limitation is that while Samba can read and write claims
       in the directory, and populate the PAC, Samba does not yet use them
       for access control decisions.
     + Improved KDC Auditing now provides Samba-style JSON audit logging of all
       issued Kerberos tickets, including if they would fail a policy that is not
       yet enforced. Additionally most failures are audited.
     + Kerberos Armoring (FAST) Support for Windows clients. In domains where the
       domain controller functional level is set to 2012, 2012_R2 or 2016, Windows
       clients will, if configured via GPO, use FAST to protect user passwords
       between (in particular) a workstation and the KDC on the AD DC. This is a
       significant security improvement, as weak passwords in an AS-REQ are no
       longer available for offline attack.
     + Claims compression in the AD PAC. Samba as an AD DC will compress "AD claims"
       using the same compression algorithm as Microsoft Windows.
     + Resource SID compression in the AD PAC. Samba as an AD DC will now correctly
       populate the various PAC group membership buffers, splitting global and local
       groups correctly.
     + Resource Based Constrained Delegation (RBCD) support in both MIT and Heimdal.
       Samba 4.17 added to samba-tool delegation the 'add-principal' and
       'del-principal' subcommands in order to manage RBCD, and the database changes
       made by these tools are now honoured by the Heimdal KDC once Samba is upgraded.
     + New samba-tool support for silos, claims, sites and subnets.
       samba-tool can now list, show, add and manipulate Authentication Silos
       (silos) and Active Directory Authentication Claims (claims).
     + Updated Heimdal import. Samba's Heimdal branch (known as lorikeet-heimdal)
       has been updated to the current pre-8.0 (master) tree from upstream Heimdal,
       ensuring that this vendored copy, included in our release, remains as close as
       possible to the current upstream code.
     + Revocation support in Heimdal KDC for PKINIT certificates. Samba will now
       correctly honour the revocation of 'smart card' certificates used for PKINIT
       Kerberos authentication.
     + Require encrypted connection to modify unicodePwd on the AD DC.
     + Samba AD TLS Certificates can be reloaded. The TLS certificates used for
       Samba's AD DC LDAP server were previously only read on startup, and this
       meant that when they expired it was required to restart Samba, disrupting
       service to other users (smbcontrol ldap_server reload-certs).
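The new 'traceid' and 'depth' header fields listed above make it possible to pull one request's lines out of an interleaved winbind log. The following is an added example (not Samba's own winbind log parsing tool); it assumes the fields appear inside the standard Samba debug header as ", traceid=N, depth=M" and runs over constructed sample lines.

```python
import re
from collections import defaultdict

# Assumed header layout (not confirmed by the announcement): the standard Samba debug
# header with ", traceid=N, depth=M" appended before the closing bracket.
HEADER_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+),.*?"
    r"traceid=(?P<traceid>\d+),\s*depth=(?P<depth>\d+)\]\s*(?P<where>\S+)"
)

# Constructed sample: two requests (traceid 7 and 8) interleaved in one winbind log.
SAMPLE_LOG = """\
[2023/11/07 08:36:23.000101,  3, pid=2001, effective(0, 0), real(0, 0), class=winbind, traceid=7, depth=1] ../../source3/winbindd/winbindd.c:100(process_request)
  process_request: request fn GETPWNAM
[2023/11/07 08:36:23.000150,  3, pid=2001, effective(0, 0), real(0, 0), class=winbind, traceid=8, depth=1] ../../source3/winbindd/winbindd.c:100(process_request)
  process_request: request fn LOOKUPNAME
[2023/11/07 08:36:23.000210,  5, pid=2001, effective(0, 0), real(0, 0), class=winbind, traceid=7, depth=2] ../../source3/winbindd/winbindd_cache.c:200(cache_lookup)
  cache_lookup: miss for EXAMPLE\\alice
[2023/11/07 08:36:23.000300,  3, pid=2001, effective(0, 0), real(0, 0), class=winbind, traceid=7, depth=1] ../../source3/winbindd/winbindd.c:140(process_request)
  process_request: GETPWNAM done
"""


def parse_winbind_log(text):
    """Group entries by traceid; each entry keeps depth, level, location and message.

    Lines without a header are continuation text belonging to the previous entry.
    """
    entries = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"depth": int(m["depth"]), "level": int(m["level"]),
                       "where": m["where"], "msg": ""}
            entries[int(m["traceid"])].append(current)
        elif current is not None and line.strip():
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return dict(entries)


def render_trace(entries, traceid):
    """Indent one request's entries by call depth so its path reads in isolation."""
    return [f"{'  ' * (e['depth'] - 1)}{e['where']}: {e['msg']}" for e in entries[traceid]]


if __name__ == "__main__":
    parsed = parse_winbind_log(SAMPLE_LOG)
    for tid in sorted(parsed):
        print(f"traceid={tid}")
        print("\n".join(render_trace(parsed, tid)))
```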


Earlier, the Samba-4.17 build was sent for testing in p10:

#332201 EPERM #11 p10 libtdb.git=1.4.7-alt1 libtalloc.git=2.3.4-alt1 
libtevent.git=0.13.0-alt1 socket_wrapper.git=1.3.4-alt2 
nss_wrapper.git=1.1.12-alt1 libldb.git=2.6.2-alt1 samba.git=4.17.12-alt2 
sssd.git=2.9.2-alt1 freeipa.git=4.9.11-alt0.p10.1 admc.git=0.14.0-alt1 
gpui.git=0.2.34-alt1 python3-module-requests-gssapi.git=1.2.3-alt1 
cepces.git=0.3.7-alt1


-- 
Evgeny Aleksandrovich Sinelnikov
Head of the separate division
"Saratov Engineering Department" of Basalt SPO LLC
tel. +7 (495) 123-47-99 (ext. 531)
mobile +7-917-207-53-96


