Release Announcements
=====================

This is the first pre-release of Samba 4.21. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.21 will be the next version of the Samba suite.


UPGRADING
=========

LDAP TLS/SASL channel binding support
-------------------------------------

The LDAP server now supports SASL binds with Kerberos or NTLMSSP
over TLS connections (either ldaps or starttls).

Setups that previously required
'ldap server require strong auth = allow_sasl_over_tls'
can now most likely move to the default of
'ldap server require strong auth = yes'.

If SASL binds without correct TLS channel bindings are still required,
'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
should be used now, as 'allow_sasl_over_tls' will generate a
warning on every start of 'samba', as well as in 'testparm' and
'samba-tool testparm'.

This is similar to LdapEnforceChannelBinding under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
on Windows.

All client tools using ldaps also include the correct
channel bindings now.


NEW FEATURES/CHANGES
====================

LDB no longer a standalone tarball
----------------------------------

LDB, Samba's LDAP-like local database and the power behind the Samba
AD DC, is no longer available to build as a distinct tarball, but is
instead provided as an optional public library.

If you need ldb as a public library, say to build sssd, then use
./configure --private-libraries='!ldb'

This re-integration allows LDB tests to use Samba's full selftest
system, including our knownfail infrastructure, and decreases the work
required during security releases, as a coordinated release of the ldb
tarball is no longer also required.

This approach has already been demonstrated in Debian, which is already
building Samba and LDB in this way.

As part of this work, the pyldb-util public library, not known to be
used by any other software, is made private to Samba.

LDB Module API Python bindings removed
--------------------------------------

The LDB Modules API, for which we do not promise a stable ABI or API,
was wrapped in Python early in LDB development. However, that wrapping
never took into account later changes, and so has not worked for a
number of years. Samba 4.21 and LDB 2.10 remove this unused and
broken feature.

Using ldaps from 'winbindd' and 'net ads'
-----------------------------------------

Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
affected LDAP connections to Active Directory domain controllers,
using the STARTTLS operation on LDAP port 389 connections. Starting
with Samba 3.5.0, 'ldap ssl ads = yes' was required in addition in
order to let 'ldap ssl = start tls' have any effect on those
connections.

'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
with the whole functionality in Samba 4.14.0, because it didn't support
the TLS channel bindings required for SASL authentication.

The functionality is now re-added using the correct channel bindings,
based on the GnuTLS-based TLS implementation we already have, instead
of using the TLS layer provided by OpenLDAP. This makes it available
and consistent with all LDAP client libraries we use and implement on
our own.

The 'client ldap sasl wrapping' option gained two new possible values:
'starttls' (using STARTTLS on TCP port 389)
and
'ldaps' (using TLS directly on TCP port 636).

If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
before, you can now use 'client ldap sasl wrapping = starttls'
in order to get STARTTLS on TCP port 389.

As we no longer use the OpenLDAP TLS layer, it is required to configure the
correct certificate trusts with at least one of the following options:
'tls trust system cas', 'tls ca directories' or 'tls cafile'.
'tls verify peer' and 'tls crlfile' are also relevant;
see 'man smb.conf' for further details.


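The channel-binding migration in the UPGRADING section and the certificate-trust requirement for 'client ldap sasl wrapping = starttls' / 'ldaps' described above both come down to a handful of smb.conf [global] checks. The script below is an added example, not Samba's own code and not a replacement for 'testparm': it parses a [global] section the way Samba reads parameter names (case-insensitive, whitespace ignored) and reports the deprecated value, the removed parameters from the smb.conf changes table, and a missing trust anchor. The two sample configurations are constructed, the CA file path is a placeholder, and treating 'tls trust system cas' as a boolean is an assumption.

```python
"""smb.conf audit for the Samba 4.21 LDAP TLS changes in these release notes.

Added example, not Samba's own code or testparm. It knows only the parameters
and values quoted in the notes; the sample configurations are constructed.
"""
import configparser
import re

# Constructed pre-4.21 style [global] section (not a real deployment).
OLD_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.ORG
    security = ads
    ldap server require strong auth = allow_sasl_over_tls
    ldap ssl = start tls
    ldap ssl ads = yes
"""

# Constructed 4.21 style equivalent: strong auth at its default, STARTTLS for
# winbindd/net ads via the new wrapping value, and an explicit CA trust anchor.
# The CA file path is a placeholder, not a real deployment path.
NEW_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.ORG
    security = ads
    ldap server require strong auth = yes
    client ldap sasl wrapping = starttls
    tls cafile = /etc/samba/tls/placeholder-ca.pem
"""

# Parameters the notes list as removed, with the replacement they suggest.
REMOVED_PARAMS = {
    "ldap ssl ads": "removed in Samba 4.14.0; together with 'ldap ssl = start "
                    "tls' it is replaced by 'client ldap sasl wrapping = starttls'",
    "client use spnego principal": "removed in Samba 4.21",
}


def normalise_name(name):
    """Samba parameter names are case-insensitive and ignore whitespace."""
    return re.sub(r"\s+", "", name.lower())


def load_global(text):
    """Return the [global] section as {normalised name: lower-cased value}."""
    # Strip indentation so configparser never treats a line as a continuation.
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.optionxform = normalise_name
    cp.read_string(flat)
    if not cp.has_section("global"):
        return {}
    return {name: value.strip().lower() for name, value in cp.items("global")}


def trust_configured(conf):
    """True if at least one of the trust options from the notes is set.

    'tls trust system cas' is assumed to be a boolean here.
    """
    if conf.get("tlscafile") or conf.get("tlscadirectories"):
        return True
    return conf.get("tlstrustsystemcas") in ("yes", "true", "1")


def audit(conf):
    """Return [(severity, message)] findings for a parsed [global] section."""
    findings = []
    strong = conf.get("ldapserverrequirestrongauth")
    if strong == "allow_sasl_over_tls":
        findings.append(("warning",
            "'ldap server require strong auth = allow_sasl_over_tls' warns on "
            "every start of samba and in testparm; use the default 'yes', or "
            "'allow_sasl_without_tls_channel_bindings' only if SASL binds "
            "without correct TLS channel bindings are still required"))
    for display, why in REMOVED_PARAMS.items():
        if normalise_name(display) in conf:
            findings.append(("warning", f"'{display}' is {why}"))
    wrapping = conf.get("clientldapsaslwrapping")
    if wrapping in ("starttls", "ldaps") and not trust_configured(conf):
        findings.append(("error",
            f"'client ldap sasl wrapping = {wrapping}' needs a trust anchor: "
            "set 'tls trust system cas', 'tls ca directories' or 'tls cafile'"))
    return findings


def audit_text(text):
    """Parse an smb.conf string and audit its [global] section."""
    return audit(load_global(text))


if __name__ == "__main__":
    for label, text in (("old", OLD_SMB_CONF), ("new", NEW_SMB_CONF)):
        print(f"== {label} ==")
        for severity, message in audit_text(text) or [("ok", "no findings")]:
            print(f"{severity}: {message}")
```

Run it as-is to see the old configuration produce two warnings and the new one pass; drop the 'tls cafile' line from the new configuration to see the missing-trust-anchor error. The script deliberately does not judge 'tls verify peer' or 'tls crlfile' values; the notes point to 'man smb.conf' for those.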
REMOVED FEATURES
================


smb.conf changes
================

  Parameter Name                     Description     Default
  --------------                     -----------     -------
  client ldap sasl wrapping          new values
  client use spnego principal        removed
  ldap server require strong auth    new values
  tls trust system cas               new
  tls ca directories                 new


KNOWN ISSUES
============

https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or the
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================