Hard Disk Sentinel PRO 4.20 Cracked Full Version


Jemima Torguson

Jul 10, 2024, 9:08:48 AM
to stelgunneipred

Samba now requires MIT 1.21 when built against a system MIT Krb5 and acting as an Active Directory DC. This addresses the issues that were fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that Samba builds against the MIT version that allows us to avoid that attack.

Current lists of packages required by Samba for major distributions are found in the bootstrap/generated-dists/ directory of a Samba source tree. While there will be some differences - due to features chosen by packagers - comparing these lists with the build dependencies in a package may locate other dependencies we no longer require.

The password access tool "samba-tool user getpassword" and the password sync tool "samba-tool user syncpasswords" allow attributes to be chosen for output, and accept parameters like pwdLastSet;format=GeneralizedTime

samba-tool has been extended to provide client-side support for Group Managed Service accounts. These accounts have passwords that change automatically, giving the advantages of service isolation without risk of poor, unchanging passwords.

Where possible, Samba's existing samba-tool password handling commands, which in the past have only operated against the local sam.ldb, have been extended to permit operation against a remote server with authenticated access to "-H ldap://$DCNAME".

'smbcacls' has been extended to allow DACLs to be saved and restored to/from a file. This feature mimics the functionality that the Windows command line tool 'icacls.exe' provides. Additionally, files created by either 'smbcacls' or 'icacls.exe' are interchangeable and can be used by either tool, as the same file format is used.

samba-tool now allows users to be associated with claims. In the Samba AD DC, claims derive from Active Directory attributes mapped into specific names. These claims can be used in rules, which are conditional ACEs in a security descriptor, that decide if a user is restricted by an authentication policy.

samba-tool also allows the creation and management of authentication policies, which are rules about where a user may authenticate from, if NTLM is permitted, and what services a user may authenticate to.

Please note: The command line syntax for these tools is not final, and may change before the next release, as we gain user feedback. The syntax will be locked in once Samba offers 2016 AD Functional Level as a default.

The Samba AD DC now also honours any existing claims, authentication policy and authentication silo configuration previously created (eg from an import of a Microsoft AD), as well as new configurations created with samba-tool. The use of Microsoft's Powershell based client tools is not expected to work.

The smb.conf file on each DC must have 'ad dc functional level = 2016' set to have the partially complete feature available. This will also, at first startup, update the server's own AD entry with the configured functional level.

Ordinary Access Control Entries (ACEs) unconditionally allow or deny access to a given user or group. Conditional ACEs have an additional section that describes conditions under which the ACE applies. If the conditional expression is true, the ACE works like an ordinary ACE, otherwise it is ignored. The condition terms can refer to claims, group memberships, and attributes on the object itself. These attributes are described in Resource Attribute ACEs that occur in the object's System Access Control List (SACL). Conditional ACEs are described in Microsoft documentation.

Conditional ACE evaluation is controlled by the "acl claims evaluation" smb.conf option. The default value is "AD DC only" which enables them in AD DC settings. The other option is "never", which disables them altogether. There is currently no option to enable them on the file server (this is likely to change in future releases).

In a ctdb cluster it is now possible to provide the SMB witness service that allows clients to monitor their current smb connection to cluster node A by asking cluster node B to notify the client if the ip address from node A or the whole node A becomes unavailable.

In order to activate the witness service "rpc start on demand helpers = no" needs to be configured in the global section. At the same time the 'samba-dcerpcd' service needs to be started explicitly, typically with the '--libexec-rpcds' option in order to make all available services usable. One important aspect is that tcp ports 135 (for the endpoint mapper) and various ports in the 'rpc server dynamic port range' will be used to provide the witness service (rpcd_witness).

Please note that current Windows clients require SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY in addition to SMB2_SHARE_CAP_CLUSTER in order to make use of the witness service. But SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY implies that Windows clients always ask for persistent handles (which are not implemented in Samba yet), so that every open generates a warning in the Windows SMB client event log. That's why SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY is not returned by default. An explicit 'smb3 share cap:CONTINUOUS AVAILABILITY = yes' is needed.

The Workstation Service Remote Protocol [MS-WKST] calls NetWkstaGetInfo level 102 and NetWkstaEnumUsers level 0 and 1 return the list of locally logged on users. Samba was getting the list from utmp, which is not Y2038 safe. This feature has been completely removed and Samba will always return an empty list.

The smbget utility implemented its own command line parsing logic. After discovering an issue we decided to migrate it to use the common command line parser. This has some advantages, as you get all the features it provides, like Kerberos authentication. The downside is that it breaks the options interface. The support for smbgetrc has been removed. You can use an authentication file if needed; this is documented in the manpage.

The libgpo.get_gpo_list function has been deprecated in favor of an implementation written in python. The new function can be imported via `import samba.gp`. The python implementation connects to Active Directory using the SamDB module, instead of ADS (which is what libgpo uses).

Winbind logs (if smb.conf 'winbind debug traceid = yes' is set) contain new trace header fields 'traceid' and 'depth'. Field 'traceid' allows tracking the trace records belonging to the same request. Field 'depth' allows tracking the request nesting level. A new tool, samba-log-parser, is added for better log parsing.

While Samba still provides only Functional Level 2008R2 by default, Samba as an AD DC will now, in provision, ensure that the blank database is already prepared for Functional Level 2016, with AD Schema 2019.

This preparation is of the default objects in the database, adding containers for Authentication Policies, Authentication Silos and AD claims in particular. These DB objects must be updated to allow operation of the new features found in higher functional levels.

As part of the auditing required to allow successful deployment of Authentication Policies and Authentication Silos, our KDC now provides Samba-style JSON audit logging of all issued Kerberos tickets, including if they would fail a policy that is not yet enforced. Additionally, most failures are audited (after the initial pre-validation of the request).

In domains where the domain controller functional level is set, as above, to 2012, 2012_R2 or 2016, Windows clients will, if configured via GPO, use FAST to protect user passwords between (in particular) a workstation and the KDC on the AD DC. This is a significant security improvement, as weak passwords in an AS-REQ are no longer available for offline attack.

Additionally, Samba marshals Resource SIDs, being local groups in the member server's own domain, to only consume a header and 4 bytes per group in the PAC, not a full-length SID worth of space each. This is known as "Resource SID compression".

Samba 4.17 added to samba-tool delegation the 'add-principal' and 'del-principal' subcommands in order to manage RBCD, and the database changes made by these tools are now honoured by the Heimdal KDC once Samba is upgraded.

A new Object Relational Model (ORM) based architecture, similar to that used with Django, has been built to make adding new samba-tool subcommands simpler and more consistent, with JSON output available standard on these new commands.

Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to the current pre-8.0 (master) tree from upstream Heimdal, ensuring that this vendored copy, included in our release remains as close as possible to the current upstream code.

Previously Samba's PKINIT support in the KDC was tested by use of shell scripts around the client tools of MIT or Heimdal Kerberos. Samba's independently written python testsuite has been extended to validate KDC behaviour for PKINIT.

Setting the password on an AD account should never be attempted over a plaintext or signed-only LDAP connection. If the unicodePwd (or userPassword) attribute is modified without encryption (as seen by Samba), the request will be rejected. This is to encourage the administrator to use an encrypted connection in the future.

The TLS certificates used for Samba's AD DC LDAP server were previously only read on startup, and this meant that when they expired it was required to restart Samba, disrupting service to other users.

Historically samba-tool has reported user error or misconfiguration by means of a Python traceback, showing you where in its code it noticed something was wrong, but not always exactly what is amiss. Now it tries harder to identify the true cause and restrict its output to describing that. Particular cases include:

The intention is that when samba-tool encounters an unrecognised problem (especially a bug), it will still output a Python traceback. If you encounter a problem that has been incorrectly identified by samba-tool, please report it on
