Simon FONTENEAU
2023-Feb-02 11:24 UTC
[Samba] [Announce] Samba 4.18.0rc2 Available for Download
Hello

Is it possible to have more details on "Azure Active Directory /
Office365 synchronisation improvements"?

I started working on something here:
https://github.com/sfonteneau/AzureADConnect_Samba4 (WIP)

To activate a pure python synchronization without windows server.

Couldn't that be necessary anymore?

Simon Fonteneau

On 01/02/2023 at 18:50, Jule Anger via samba wrote:
> Release Announcements
> =====================
>
> This is the second release candidate of Samba 4.18.  This is *not*
> intended for production environments and is designed for testing
> purposes only.  Please report any defects via the Samba bug reporting
> system at https://bugzilla.samba.org/.
>
> Samba 4.18 will be the next version of the Samba suite.
>
>
> UPGRADING
> =========
>
>
> NEW FEATURES/CHANGES
> ====================
>
> More succinct samba-tool error messages
> ---------------------------------------
>
> Historically samba-tool has reported user error or misconfiguration by
> means of a Python traceback, showing you where in its code it noticed
> something was wrong, but not always exactly what is amiss. Now it
> tries harder to identify the true cause and restrict its output to
> describing that. Particular cases include:
>
>  * a username or password is incorrect
>  * an ldb database filename is wrong (including in smb.conf)
>  * samba-tool dns: various zones or records do not exist
>  * samba-tool ntacl: certain files are missing
>  * the network seems to be down
>  * bad --realm or --debug arguments
>
> Accessing the old samba-tool messages
> -------------------------------------
>
> This is not new, but users are reminded they can get the full Python
> stack trace, along with other noise, by using the argument '-d3'.
> This may be useful when searching the web.
>
> The intention is that when samba-tool encounters an unrecognised
> problem (especially a bug), it will still output a Python traceback.
> If you encounter a problem that has been incorrectly identified by
> samba-tool, please report it on https://bugzilla.samba.org.
>
> Colour output with samba-tool --color
> -------------------------------------
>
> For some time a few samba-tool commands have had a --color=yes|no|auto
> option, which determines whether the command outputs ANSI colour
> codes. Now all samba-tool commands support this option, which now also
> accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
> and 'tty' and 'if-tty' for 'auto' (this more closely matches
> convention). With --color=auto, or when --color is omitted, colour
> codes are only used when output is directed to a terminal.
>
> Most commands have very little colour in any case. For those that
> already used it, the defaults have changed slightly.
>
>  * samba-tool drs showrepl: default is now 'auto', not 'no'
>
>  * samba-tool visualize: the interactions between --color-scheme,
>    --color, and --output have changed slightly. When --color-scheme is
>    set it overrides --color for the purpose of the output diagram, but
>    not for other output like error messages.
>
> New samba-tool dsacl subcommand for deleting ACES
> -------------------------------------------------
>
> The samba-tool dsacl tool can now delete entries in directory access
> control lists. The interface for 'samba-tool dsacl delete' is similar
> to that of 'samba-tool dsacl set', with the difference being that the
> ACEs described by the --sddl argument are deleted rather than added.
>
> No colour with NO_COLOR environment variable
> --------------------------------------------
>
> With both samba-tool --color=auto (see above) and some other places
> where we use ANSI colour codes, the NO_COLOR environment variable will
> disable colour output. See https://no-color.org/ for a description of
> this variable. `samba-tool --color=always` will use colour regardless
> of NO_COLOR.
>
> New wbinfo option --change-secret-at
> ------------------------------------
>
> The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER>
> which forces the trust account password to be changed at a specified
> domain controller. If the specified domain controller cannot be
> contacted the password change fails rather than trying other DCs.
>
> New option to change the NT ACL default location
> ------------------------------------------------
>
> Usually the NT ACLs are stored in the security.NTACL extended
> attribute (xattr) of files and directories. The new
> "acl_xattr:security_acl_name" option allows to redefine the default
> location. The default "security.NTACL" is a protected location, which
> means the content of the security.NTACL attribute is not accessible
> from normal users outside of Samba. When this option is set to use a
> user-defined value, e.g. user.NTACL then any user can potentially
> access and overwrite this information. The module prevents access to
> this xattr over SMB, but the xattr may still be accessed by other
> means (eg local access, SSH, NFS). This option must only be used when
> this consequence is clearly understood and when specific precautions
> are taken to avoid compromising the ACL content.
>
> Azure Active Directory / Office365 synchronisation improvements
> ---------------------------------------------------------------
>
> Use of the Azure AD Connect cloud sync tool is now supported for
> password hash synchronisation, allowing Samba AD Domains to synchronise
> passwords with this popular cloud environment.
>
> REMOVED FEATURES
> ================
>
>
> smb.conf changes
> ================
>
>   Parameter Name                  Description     Default
>   --------------                  -----------     -------
>   acl_xattr:security_acl_name     New             security.NTACL
>
>
> CHANGES SINCE 4.18.0rc1
> =======================
>
> o  Andrew Bartlett <abartlet at samba.org>
>    * BUG 10635: Office365 azure Password Sync not working.
>
> o  Stefan Metzmacher <metze at samba.org>
>    * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
>
> o  Noel Power <noel.power at suse.com>
>    * BUG 15293: With clustering enabled samba-bgqd can core dump due
>      to use after free.
>
>
> KNOWN ISSUES
> ============
>
> https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.18#Release_blocking_bugs
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical:matrix.org matrix room, or
> #samba-technical IRC channel on irc.libera.chat
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored.  All bug reports should
> be filed under the Samba 4.1 and newer product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
>
>
> ================
> Download Details
> ================
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
> from:
>
>         https://download.samba.org/pub/samba/rc/
>
> The release notes are available online at:
>
> https://download.samba.org/pub/samba/rc/samba-4.18.0rc2.WHATSNEW.txt
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
>                         --Enjoy
>                         The Samba Team
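
The caveat in the quoted release notes about "acl_xattr:security_acl_name" can be checked mechanically. The following is an added example, not part of the thread and not Samba code: a simplified smb.conf reader (no include/copy handling) that reports shares which load acl_xattr and store NT ACLs outside security.NTACL. The sample configuration, share names and paths are constructed assumptions.

```python
OPTION = "acl_xattr:security_acl_name"
DEFAULT_NAME = "security.NTACL"

# Constructed sample configuration (share names and paths are made up).
SAMPLE_SMB_CONF = """\
[global]
    vfs objects = acl_xattr
[projects]
    path = /srv/projects
    acl_xattr:security_acl_name = user.NTACL
[archive]
    path = /srv/archive
; scratch does not load acl_xattr, so the option has no effect there
[scratch]
    path = /srv/scratch
    vfs objects = recycle
    acl_xattr:security_acl_name = user.NTACL
"""


def parse_smb_conf(text):
    """Return {section: {param: value}}. Simplified: no include/copy."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # Parameter names are matched ignoring case and spaces.
            current[name.replace(" ", "").lower()] = value.strip()
    return sections


def audit_ntacl_location(text):
    """Return (share, xattr_name, user_namespace) for relocated NT ACLs."""
    sections = parse_smb_conf(text)
    defaults = sections.get("global", {})
    findings = []
    for share, params in sections.items():
        if share == "global":
            continue
        effective = {**defaults, **params}  # share settings override [global]
        modules = effective.get("vfsobjects", "").replace(",", " ").split()
        name = effective.get(OPTION, DEFAULT_NAME)
        if "acl_xattr" in modules and name != DEFAULT_NAME:
            # user.* xattrs can be rewritten by local users with file access.
            findings.append((share, name, name.startswith("user.")))
    return findings


if __name__ == "__main__":
    for share, name, exposed in audit_ntacl_location(SAMPLE_SMB_CONF):
        print(f"[{share}] NT ACL stored in {name}; user namespace: {exposed}")
```
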
Ralph Boehme
2023-Feb-02 11:36 UTC
[Samba] [Announce] Samba 4.18.0rc2 Available for Download
On 2/2/23 12:24, Simon FONTENEAU via samba wrote:
> Is it possible to have more details on "Azure Active Directory /
> Office365 synchronisation improvements"?

I guess that's basically this bug being fixed:

https://bugzilla.samba.org/show_bug.cgi?id=10635

> I started working on something here:
> https://github.com/sfonteneau/AzureADConnect_Samba4 (WIP)
>
> To activate a pure python synchronization without windows server.
>
> Couldn't that be necessary anymore?

Eventually. I guess after testing the new version on your end you'd know
for sure.

-slow

--
Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead      https://sernet.de/en/team-samba
Andrew Bartlett
2023-Feb-03 02:26 UTC
[Samba] [Announce] Samba 4.18.0rc2 Available for Download
With great thanks to testing, funding from and a lab environment
provided by a customer (who can identify themselves if they like ;-), we
have found that:

 * Azure AD Connect cloud sync works with the patches I wrote and are
   included in this release (and have been backported for the next
   4.17.x).
 * Azure AD Connect works if you put the created user in "Domain
   Admins", probably on existing Samba but tested with the patched
   version.

I personally think that a pure-Samba tool that runs in python and
doesn't require a windows server as a proxy is still a better long-term
option, so we can control the stack and much more easily address the
issues.

I strongly support your work and wish it the best of success.

Andrew Bartlett

On Thu, 2023-02-02 at 12:24 +0100, Simon FONTENEAU via samba wrote:
> Hello
>
> Is it possible to have more details on "Azure Active Directory /
> Office365 synchronisation improvements"?
>
> I started working on something here:
> https://github.com/sfonteneau/AzureADConnect_Samba4
> (WIP)
>
> To activate a pure python synchronization without windows server.
>
> Couldn't that be necessary anymore?
>
> Simon Fonteneau

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions