
The fourth release candidate for Samba 4.22.0 has been released for testing. The update introduces several new features, including SMB3 Directory Leases, Netlogon Ping over LDAP and LDAPS, and experimental Himmelblaud authentication. SMB3 Directory Leases let clients cache directory listings and so reduce the number of SMB requests.

Netlogon Ping over LDAP and LDAPS lets Samba retrieve domain controller information through simple queries on the AD rootDSE's netlogon attribute over TCP. This is selected with the newly introduced "client netlogon ping protocol" parameter and allows operation in environments where firewalls completely block port 389 or UDP traffic to domain controllers.



Samba also includes experimental, preliminary support for Azure Entra ID authentication through `himmelblaud`, which can be found in the `rust/` directory. This implementation offers basic authentication and is configured via `smb.conf`.

The following features have been removed: the "nmbd proxy logon" feature, the parameter "cldap port", and the option "fruit:posix_rename".

Here is the full announcement:

Samba 4.22.0rc4 Available for Download

This is the fourth release candidate of Samba 4.22.  This is *not* intended for production environments and is designed for testing purposes only.  Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.

Samba 4.22 will be the next version of the Samba suite.


UPGRADING

NEW FEATURES/CHANGES

SMB3 Directory Leases
Starting with Samba 4.22 SMB3 Directory Leases are supported. The new global option "smb3 directory leases" controls whether the feature is enabled or not. By default, SMB3 Directory Leases are enabled on non-clustered Samba and disabled on clustered Samba, based on the "clustering" option. See man smb.conf for more details.

SMB3 Directory Leases allow clients to cache directory listings and, depending on the workload, result in a decent reduction in SMB requests from clients.

Netlogon Ping over LDAP and LDAPS
Samba must query domain controller information via simple queries on the AD rootdse's netlogon attribute. Typically this is done via connectionless LDAP, using UDP on port 389. The same information is also available via classic LDAP rootdse queries over TCP. Samba can now be configured to use TCP via the new "client netlogon ping protocol" parameter to enable running in environments where firewalls completely block port 389 or UDP traffic to domain controllers.

Experimental Himmelblaud Authentication in Samba
Samba now includes experimental support for Azure Entra ID authentication via `himmelblaud`, located in the `rust/` directory. This implementation provides basic authentication and is configured through `smb.conf`, utilizing options such as `realm`, `winbindd_socket_directory`, and `template_homedir`. New global parameters include `himmelblaud_sfa_fallback`, `himmelblaud_hello_enabled`, and `himmelblaud_hsm_pin_path`. To enable, configure Samba with `--enable-rust --with-himmelblau`.

REMOVED FEATURES

The "nmbd proxy logon" feature was removed. This was used before Samba4 acquired a NBT server.

The parameter "cldap port" has been removed. CLDAP runs over UDP port 389, we don't see a reason why this should ever be changed to a different port. Moreover, we had several places in the code where Samba did not respect this parameter, so the behaviour was at least inconsistent.

fruit:posix_rename
This option of the vfs_fruit VFS module that could be used to enable POSIX directory rename behaviour for OS X clients has been removed as it could result in severe problems for Windows clients.

As a possible workaround it is possible to prevent creation of .DS_Store files (a Finder thingy to store directory view settings) on network mounts by running

  $ defaults write com.apple.desktopservices DSDontWriteNetworkStores true

on the Mac.

smb.conf changes

  Parameter Name                          Description     Default
  --------------                          -----------     -------
  smb3 directory leases                   New             Auto
  vfs mkdir use tmp name                  New             Auto
  client netlogon ping protocol           New             cldap
  himmelblaud hello enabled               New             no
  himmelblaud hsm pin path                New             default hsm pin path
  himmelblaud sfa fallback                New             no
  client use krb5 netlogon                Experimental    no
  reject aes netlogon servers             Experimental    no
  server reject aes schannel              Experimental    no
  server support krb5 netlogon            Experimental    no
  fruit:posix_rename                      Removed
  cldap port                              Removed

CHANGES SINCE 4.22.0rc3


o  Stefan Metzmacher [metze@samba.org]
   * BUG 15815: client use krb5 netlogon is experimental and should not be used
     in production.

CHANGES SINCE 4.22.0rc2


o  Douglas Bagnall [douglas.bagnall@catalyst.net.nz]
   * BUG 15738: Creation of GPOs applicable to more than one group is impossible
     with Samba 4.20.0 and later.

o  Björn Baumbach [bb@sernet.de]
   * BUG 15806: samba-tool acl commands broken for relative path names
   * BUG 15807: pysmbd seg faults when file is not found.

o  Ralph Boehme [slow@samba.org]
   * BUG 15796: Spotlight search results don't show file size and creation
     date.

o  Pavel Filipenský [pfilipensky@samba.org]
   * BUG 15759: net ads create/join/winbind producing unix dysfunctional
     keytabs.

o  Volker Lendecke [vl@samba.org]
   * BUG 15806: samba-tool acl commands broken for relative path names.
   * BUG 15807: pysmbd seg faults when file is not found.

o  Stefan Metzmacher [metze@samba.org]
   * BUG 15680: Trust domains are not created.

o  Andreas Schneider [asn@samba.org]
   * BUG 15680: Trust domains are not created.

o  Shweta Sodani [ssodani@redhat.com]
   * BUG 15703: General improvements for vfs_ceph_new module.

CHANGES SINCE 4.21.0rc1


o  Björn Baumbach [bb@sernet.de]
   * BUG 15798: libnet4: seg fault after dc lookup failure

KNOWN ISSUES

https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.22#Release_blocking_bugs

Reporting bugs & Development Discussion

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.  All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database ( https://bugzilla.samba.org/).

Download Details

The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).  The source code can be downloaded from:

        https://download.samba.org/pub/samba/rc/

The release notes are available online at:

https://download.samba.org/pub/samba/rc/samba-4.22.0rc4.WHATSNEW.txt

Our Code, Our Bugs, Our Responsibility.
( https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
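
An added example, not part of the Samba announcement or of Samba's own code: a pre-upgrade check that scans an smb.conf for the parameters the "smb.conf changes" table lists as removed and for the experimental netlogon/schannel parameters being switched on (BUG 15815 says "client use krb5 netlogon" should not be used in production). The function names, the sample configuration and the accepted boolean spellings (yes/true/on/1) are assumptions of this example.

```python
import re

# Parameter names come from the "smb.conf changes" table in the announcement.
def norm(name):  # Samba ignores case and whitespace in parameter names
    return "".join(name.lower().split())

REMOVED = {norm(n): n for n in ("cldap port", "fruit:posix_rename")}
EXPERIMENTAL = {norm(n): n for n in (
    "client use krb5 netlogon", "reject aes netlogon servers",
    "server reject aes schannel", "server support krb5 netlogon")}
TRUTHY = {"yes", "true", "on", "1"}  # assumed boolean spellings

def audit_smb_conf(text):
    """Return (line_no, section, parameter, finding) for each risky setting."""
    findings, section, pending, start = [], "global", "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            start = no
            if not line or line[0] in "#;":
                continue                      # blank line or comment
        line = pending + line
        if line.endswith("\\"):               # continued on the next line
            pending = line[:-1]
            continue
        pending = ""
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        key = norm(name)
        if sep and key in REMOVED:
            findings.append((start, section, REMOVED[key], "removed in 4.22"))
        elif sep and key in EXPERIMENTAL and value.strip().lower() in TRUTHY:
            findings.append((start, section, EXPERIMENTAL[key], "experimental, enabled"))
    return findings

# Constructed sample configuration, not taken from a real system.
SAMPLE = """\
[global]
    CLDAP  Port = 389
    client use krb5 netlogon = Yes
    server support krb5 netlogon = no
; cldap port = 3890
[macshare]
    vfs objects = fruit \\
        streams_xattr
    fruit:posix_rename = yes
"""
```

Calling `audit_smb_conf(SAMPLE)` reports the removed "cldap port" and "fruit:posix_rename" settings and the enabled experimental parameter, while the commented-out line and the parameter set to "no" are ignored.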