Samba 4.17.0 released

The release of Samba 4.17.0 has been announced. It continues the development of the Samba 4 branch with a full implementation of a domain controller and Active Directory service, compatible with the Windows 2008 implementation and able to serve all versions of Windows clients supported by Microsoft, including Windows 11. Samba 4 is a multifunctional server product that also provides implementations of a file server, a print service, and an identity server (winbind).

Key changes in Samba 4.17:

  • Work has been done to eliminate performance regressions on busy SMB servers that appeared as a result of adding protection against symlink manipulation vulnerabilities. Among the optimizations made, the release mentions reducing system calls when checking a directory name and not using wakeup events when handling concurrent operations, which led to delays.
  • The ability to build Samba without SMB1 protocol support in smbd is provided. To disable SMB1, the "--without-smb1-server" option is implemented in the configure build script (it affects only smbd; SMB1 support is retained in the client libraries).
  • When using MIT Kerberos 1.20, protection against the Bronze Bit attack (CVE-2020-17049) is implemented by passing additional information between the KDC and KDB components. In the default Heimdal Kerberos-based KDC, the issue was fixed in 2021.
  • When built with MIT Kerberos 1.20, a Samba-based domain controller now supports the Kerberos extensions S4U2Self and S4U2Proxy, and adds Resource Based Constrained Delegation (RBCD) capability. To manage RBCD, the 'add-principal' and 'del-principal' subcommands have been added to the "samba-tool delegation" command. The default Heimdal Kerberos-based KDC does not yet support RBCD mode.
  • The built-in DNS service provides the ability to change the network port on which requests are accepted (for example, to run another DNS server on the same system that forwards certain requests to Samba).
  • In the CTDB component, which handles cluster configuration, the syntax requirements for the ctdb.tunables file have been relaxed. When building Samba with the "--with-cluster-support" and "--systemd-install-services" options, a systemd service for CTDB is installed. The ctdbd_wrapper script has been discontinued; the ctdbd process is now started directly from the systemd service or from the init script.
  • The 'nt hash store = never' setting has been implemented, which prohibits storing "bare" (unsalted) hashes of Active Directory user passwords. In the next version, the default 'nt hash store' setting will be set to "auto", in which the "never" mode will be applied if the 'ntlm auth = disabled' setting is present.
  • Bindings have been provided for accessing the smbconf library API from Python code.
  • The smbstatus program implements the ability to output information in JSON format (enabled by the "--json" option).
  • The domain controller supports the "Protected Users" security group, which appeared in Windows Server 2012 R2 and does not allow the use of weak encryption types (for users in the group, support for NTLM authentication, RC4-based Kerberos TGTs, and constrained and unconstrained delegation is disabled).
  • Support for LanMan-based password storage and the corresponding authentication method has been discontinued (the "lanman auth=yes" setting now has no effect).
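
The 'nt hash store' and 'lanman auth' items above can be checked against an existing configuration. The following is an added example, not code from Samba or from the release notes: it reads the [global] section of an smb.conf and reports the effective NT hash storage mode using the "auto" rule described above. The function names, the sample configuration, the "always" value used when 'nt hash store' is unset, and the behaviour of "auto" when NTLM is not disabled are assumptions.

```python
import re

# Constructed sample smb.conf (illustration only, not from the release notes).
SAMPLE_CONF = """\
[global]
    server role = active directory domain controller
    ntlm auth = disabled
    nt hash store = auto
    lanman auth = yes
[share]
    path = /srv/share
"""

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded whitespace.
            params[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return params

def audit(text, unset_default="always"):
    """Return (effective mode, findings); unset_default is an assumed default."""
    p = parse_global(text)
    mode, ntlm = p.get("nthashstore", unset_default), p.get("ntlmauth")
    if mode == "auto":
        # Page: "auto" acts as "never" when 'ntlm auth = disabled' is set.
        # Assumption: otherwise "auto" keeps storing the hash.
        mode = "never" if ntlm == "disabled" else "always"
    findings = []
    if mode != "never":
        findings.append("unsalted NT hashes are stored for AD users")
    if ntlm != "disabled":
        findings.append("NTLM authentication is not disabled")
    if p.get("lanmanauth") == "yes":
        findings.append("'lanman auth' is set but no longer has any effect")
    return mode, findings

if __name__ == "__main__":
    mode, findings = audit(SAMPLE_CONF)
    print("effective nt hash store:", mode, findings)
```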

    Source: opennet.ru
