4 This is the first pre release of Samba 4.17. This is *not*
5 intended for production environments and is designed for testing
6 purposes only. Please report any defects via the Samba bug reporting
7 system at https://bugzilla.samba.org/.
9 Samba 4.17 will be the next version of the Samba suite.
19 Configure without the SMB1 Server
20 ---------------------------------
22 It is now possible to configure Samba without support for
23 the SMB1 protocol in smbd. This can be selected at configure
24 time with either of the options:
29 By default (without either of these options set) Samba
30 is configured to include SMB1 support (i.e. --with-smb1-server
31 is the default). When Samba is configured without SMB1 support,
32 none of the SMB1 code is included inside smbd except the minimal
33 stub code needed to allow a client to connect as SMB1 and immediately
34 negotiate the selected protocol into SMB2 (as a Windows server also
37 None of the SMB1-only smb.conf parameters are removed when
38 configured without SMB1, but these parameters are ignored by
39 the smbd server. This allows deployment without having to change
40 an existing smb.conf file.
42 This option allows sites, OEMs and integrators to configure Samba
43 to remove the old and insecure SMB1 protocol from their products.
45 Note that the Samba client libraries still support SMB1 connections
46 even when Samba is configured as --without-smb1-server. This is
47 to ensure maximum compatibility with environments containing old
50 Bronze bit and S4U support with MIT Kerberos 1.20
51 -------------------------------------------------
53 In 2020 Microsoft Security Response Team received another Kerberos-related
54 report. Eventually, that led to a security update of the CVE-2020-17049,
55 Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze
56 Bit’. With this vulnerability, a compromised service that is configured to use
57 Kerberos constrained delegation feature could tamper with a service ticket that
58 is not valid for delegation to force the KDC to accept it.
60 With the release of MIT Kerberos 1.20, Samba AD DC is able able to mitigate the
61 ‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was
62 changed to allow passing more details between KDC and KDB components. When built
63 against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions
64 but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.
66 In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports
67 S4U2Self and S4U2Proxy Kerberos extensions.
69 Resource Based Constrained Delegation (RBCD) support
70 ----------------------------------------------------
72 Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
73 Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.
74 Note that samba-tool lacks support for setting this up yet!
76 To complete RBCD support and make it useful to Administrators we added the
77 Asserted Identity [1] SID into the PAC for constrained delegation. This is
78 available for Samba AD compiled with MIT Kerberos 1.20.
80 [1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
82 Customizable DNS listening port
83 -------------------------------
85 It is now possible to set a custom listening port for the builtin DNS service,
86 making easy to host another DNS on the same system that would bind to the
87 default port and forward the domain-specific queries to Samba using the custom
88 port. This is the opposite configuration of setting a forwarder in Samba.
90 It makes possible to use another DNS server as a front and forward to Samba.
92 Dynamic DNS updates may not be proxied by the front DNS server when forwarding
93 to Samba. Dynamic DNS update proxying depends on the features of the other DNS
94 server used as a front.
99 * When Samba is configured with both --with-cluster-support and
100 --systemd-install-services then a systemd service file for CTDB will
103 * ctdbd_wrapper has been removed. ctdbd is now started directly from
104 a systemd service file or init script.
106 * The syntax for the ctdb.tunables configuration file has been
107 relaxed. However, trailing garbage after the value, including
108 comments, is no longer permitted. Please see ctdb-tunables(7) for
111 Operation without the (unsalted) NT password hash
112 -------------------------------------------------
114 When Samba is configured with 'nt hash store = never' then Samba will
115 no longer store the (unsalted) NT password hash for users in Active
116 Directory. (Trust accounts, like computers, domain controllers and
117 inter-domain trusts are not impacted).
119 In the next version of Samba the default for 'nt hash store' will
120 change from 'always' to 'auto', where it will follow (behave as 'nt
121 hash store = never' when 'ntlm auth = disabled' is set.
123 Security-focused deployments of Samba that have eliminated NTLM from
124 their networks will find setting 'ntlm auth = disabled' with 'nt hash
125 store = always' as a useful way to improve compliance with
126 best-practice guidance on password storage (which is to always use an
129 Note that when 'nt hash store = never' is set, then arcfour-hmac-md5
130 Kerberos keys will not be available for users who subsequently change
131 their password, as these keys derive their values from NT hashes. AES
132 keys are stored by default for all deployments of Samba with Domain
133 Functional Level 2008 or later, are supported by all modern clients,
134 and are much more secure.
136 Finally, also note that password history in Active Directory is stored
137 in nTPwdHistory using a series of NT hash values. Therefore the full
138 password history feature is not available in this mode.
140 To provide some protection against password re-use previous Kerberos
141 hash values (the current, old and older values are already stored) are
142 used, providing a history length of 3.
144 There is one small limitation of this workaround: Changing the
145 sAMAccountName, userAccountControl or userPrincipalName of an account
146 can cause the Kerberos password salt to change. This means that after
147 *both* an account rename and a password change, only the current
148 password will be recognised for password history purposes.
154 LanMan Authentication and password storage removed from the AD DC
155 -----------------------------------------------------------------
157 The storage and authentication with LanMan passwords has been entirely
158 removed from the Samba AD DC, even when "lanman auth = yes" is set.
163 Parameter Name Description Default
164 -------------- ----------- -------
165 dns port New default 53
166 nt hash store New parameter always
172 https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.17#Release_blocking_bugs
175 #######################################
176 Reporting bugs & Development Discussion
177 #######################################
179 Please discuss this release on the samba-technical mailing list or by
180 joining the #samba-technical:matrix.org matrix room, or
181 #samba-technical IRC channel on irc.libera.chat
183 If you do report problems then please try to send high quality
184 feedback. If you don't provide vital information to help us track down
185 the problem then you will probably be ignored. All bug reports should
186 be filed under the Samba 4.1 and newer product in the project's Bugzilla
187 database (https://bugzilla.samba.org/).
190 ======================================================================
191 == Our Code, Our Bugs, Our Responsibility.
193 ======================================================================