[thirdparty/samba.git] / WHATSNEW.txt

Release Announcements
=====================

This is the first pre release of Samba 4.21.  This is *not*
intended for production environments and is designed for testing
purposes only.  Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.

Samba 4.21 will be the next version of the Samba suite.


UPGRADING
=========

LDAP TLS/SASL channel binding support
-------------------------------------

The ldap server supports SASL binds with
kerberos or NTLMSSP over TLS connections
now (either ldaps or starttls).

Setups where 'ldap server require strong auth = allow_sasl_over_tls'
was required before, can now most likely move to the
default of 'ldap server require strong auth = yes'.

If SASL binds without correct tls channel bindings are required
'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
should be used now, as 'allow_sasl_over_tls' will generate a
warning in every start of 'samba', as well as '[samba-tool ]testparm'.

This is similar to LdapEnforceChannelBinding under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
on Windows.

All client tools using ldaps also include the correct
channel bindings now.


NEW FEATURES/CHANGES
====================

LDB no longer a standalone tarball
----------------------------------

LDB, Samba's LDAP-like local database and the power behind the Samba
AD DC, is no longer available to build as a distinct tarball, but is
instead provided as an optional public library.

If you need ldb as a public library, say to build sssd, then use
 ./configure --private-libraries='!ldb'

This re-integration allows LDB tests to use the Samba's full selftest
system, including our knownfail infrastructure, and decreases the work
required during security releases as a coordinated release of the ldb
tarball is not also required.

This approach has been demonstrated already in Debian, which is already
building Samba and LDB is this way.

As part of this work, the pyldb-util public library, not known to be
used by any other software, is made private to Samba.

LDB Module API Python bindings removed
--------------------------------------

The LDB Modules API, which we do not promise a stable ABI or API for,
was wrapped in python in early LDB development.  However that wrapping
never took into account later changes, and so has not worked for a
number of years.  Samba 4.21 and LDB 2.10 removes this unused and
broken feature.

Using ldaps from 'winbindd' and 'net ads'
-----------------------------------------

Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
impacted LDAP connections to active directory domain controllers.
Using the STARTTLS operation on LDAP port 389 connections. Starting
with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
order let to 'ldap ssl = start tls' have any effect on those
connections.

'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
with the whole functionality in Samba 4.14.0, because it didn't support
tls channel bindings required for the sasl authentication.

The functionality is now re-added using the correct channel bindings
based on the gnutls based tls implementation we already have, instead
of using the tls layer provided by openldap. This makes it available
and consistent with all LDAP client libraries we use and implement on
our own.

The 'client ldap sasl wrapping' option gained the two new possible values:
'starttls' (using STARTTLS on tcp port 389)
and
'ldaps' (using TLS directly on tcp port 636).

If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
before, you can now use 'client ldap sasl wrapping = starttls'
in order to get STARTTLS on tcp port 389.

As we no longer use the openldap tls layer it is required to configure the
correct certificate trusts with at least one of the following options:
'tls trust system cas', 'tls ca directories' or 'tls cafile'.
While 'tls verify peer' and 'tls crlfile' are also relevant,
see 'man smb.conf' for further details.


REMOVED FEATURES
================


smb.conf changes
================

  Parameter Name                          Description     Default
  --------------                          -----------     -------
  client ldap sasl wrapping               new values
  client use spnego principal             removed
  ldap server require strong auth         new values
  tls trust system cas                    new
  tls ca directories                      new


KNOWN ISSUES
============

https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
Commit	Line	Data
e30937e2 KS	1	Release Announcements
	2	=====================
	3
c0dc0fd3	4	This is the first pre release of Samba 4.21. This is not
e30937e2 KS	5	intended for production environments and is designed for testing
	6	purposes only. Please report any defects via the Samba bug reporting
	7	system at https://bugzilla.samba.org/.
ba4bb742	8
c0dc0fd3	9	Samba 4.21 will be the next version of the Samba suite.
08401ffd	10
c0a9fdc6	11
a0a2f799 AB	12	UPGRADING
	13	=========
	14
e1c4caed SM	15	LDAP TLS/SASL channel binding support
	16	-------------------------------------
	17
	18	The ldap server supports SASL binds with
	19	kerberos or NTLMSSP over TLS connections
	20	now (either ldaps or starttls).
	21
	22	Setups where 'ldap server require strong auth = allow_sasl_over_tls'
	23	was required before, can now most likely move to the
	24	default of 'ldap server require strong auth = yes'.
	25
	26	If SASL binds without correct tls channel bindings are required
	27	'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
	28	should be used now, as 'allow_sasl_over_tls' will generate a
	29	warning in every start of 'samba', as well as '[samba-tool ]testparm'.
	30
	31	This is similar to LdapEnforceChannelBinding under
	32	HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
	33	on Windows.
	34
	35	All client tools using ldaps also include the correct
	36	channel bindings now.
	37
5bcf3f1b	38
c1bbe58c KS	39	NEW FEATURES/CHANGES
c1bbe58c KS	40	====================
62875044	41
9f167b9b AB	42	LDB no longer a standalone tarball
	43	----------------------------------
	44
	45	LDB, Samba's LDAP-like local database and the power behind the Samba
	46	AD DC, is no longer available to build as a distinct tarball, but is
	47	instead provided as an optional public library.
	48
	49	If you need ldb as a public library, say to build sssd, then use
	50	./configure --private-libraries='!ldb'
	51
	52	This re-integration allows LDB tests to use the Samba's full selftest
	53	system, including our knownfail infrastructure, and decreases the work
	54	required during security releases as a coordinated release of the ldb
	55	tarball is not also required.
	56
	57	This approach has been demonstrated already in Debian, which is already
	58	building Samba and LDB is this way.
	59
	60	As part of this work, the pyldb-util public library, not known to be
	61	used by any other software, is made private to Samba.
d63e972a	62
757036ce AB	63	LDB Module API Python bindings removed
	64	--------------------------------------
	65
	66	The LDB Modules API, which we do not promise a stable ABI or API for,
	67	was wrapped in python in early LDB development. However that wrapping
	68	never took into account later changes, and so has not worked for a
	69	number of years. Samba 4.21 and LDB 2.10 removes this unused and
	70	broken feature.
	71
1a02c6e5 SM	72	Using ldaps from 'winbindd' and 'net ads'
	73	-----------------------------------------
	74
	75	Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
	76	impacted LDAP connections to active directory domain controllers.
	77	Using the STARTTLS operation on LDAP port 389 connections. Starting
	78	with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
	79	order let to 'ldap ssl = start tls' have any effect on those
	80	connections.
	81
	82	'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
	83	with the whole functionality in Samba 4.14.0, because it didn't support
	84	tls channel bindings required for the sasl authentication.
	85
	86	The functionality is now re-added using the correct channel bindings
	87	based on the gnutls based tls implementation we already have, instead
	88	of using the tls layer provided by openldap. This makes it available
	89	and consistent with all LDAP client libraries we use and implement on
	90	our own.
	91
	92	The 'client ldap sasl wrapping' option gained the two new possible values:
	93	'starttls' (using STARTTLS on tcp port 389)
	94	and
	95	'ldaps' (using TLS directly on tcp port 636).
	96
	97	If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
	98	before, you can now use 'client ldap sasl wrapping = starttls'
	99	in order to get STARTTLS on tcp port 389.
	100
	101	As we no longer use the openldap tls layer it is required to configure the
	102	correct certificate trusts with at least one of the following options:
	103	'tls trust system cas', 'tls ca directories' or 'tls cafile'.
	104	While 'tls verify peer' and 'tls crlfile' are also relevant,
	105	see 'man smb.conf' for further details.
	106
	107
75a87098 VL	108	REMOVED FEATURES
	109	================
	110
96154829	111
59a07e3f KS	112	smb.conf changes
	113	================
	114
11a3a8d9 SM	115	Parameter Name Description Default
11a3a8d9 SM	116	-------------- ----------- -------
1a02c6e5 SM	117	client ldap sasl wrapping new values
1a02c6e5 SM	118	client use spnego principal removed
e1c4caed	119	ldap server require strong auth new values
1a02c6e5 SM	120	tls trust system cas new
1a02c6e5 SM	121	tls ca directories new
be1935da	122
6a409da9	123
0a4827f5 AB	124	KNOWN ISSUES
0a4827f5 AB	125	============
3e246a3c	126
c0dc0fd3	127	https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.21#Release_blocking_bugs
295f757f	128
8310b8c9 AB	129
8310b8c9 AB	130	#######################################
ba4bb742 GJC	131	Reporting bugs & Development Discussion
	132	#######################################
	133
	134	Please discuss this release on the samba-technical mailing list or by
59e67dc8 AB	135	joining the #samba-technical:matrix.org matrix room, or
59e67dc8 AB	136	#samba-technical IRC channel on irc.libera.chat
ba4bb742 GJC	137
	138	If you do report problems then please try to send high quality
	139	feedback. If you don't provide vital information to help us track down
	140	the problem then you will probably be ignored. All bug reports should
c1bbe58c	141	be filed under the Samba 4.1 and newer product in the project's Bugzilla
ba4bb742 GJC	142	database (https://bugzilla.samba.org/).
	143
	144
	145	======================================================================
	146	== Our Code, Our Bugs, Our Responsibility.
	147	== The Samba Team
	148	======================================================================
51813e3b	149