Samba 4.17.0 release

The release of Samba 4.17.0 has been announced, continuing the development of the Samba 4 branch with a full implementation of a domain controller and Active Directory service that is compatible with the Windows 2008 implementation and able to serve all versions of Windows clients supported by Microsoft, including Windows 11. Samba 4 is a multifunctional server product that also provides an implementation of a file server, a print service, and an identity server (winbind).

Key changes in Samba 4.17:

  • Work has been done to eliminate performance regressions on busy SMB servers that appeared as a result of adding protection against symlink manipulation vulnerabilities. Among the optimizations made are a reduction in system calls when checking a directory name and no longer using wakeup events when processing concurrent operations that lead to delays.
  • The ability to build Samba without support for the SMB1 protocol in smbd is provided. To disable SMB1, the “--without-smb1-server” option is used in the configure build script (it affects only smbd; SMB1 support is retained in the client library).
  • When using MIT Kerberos 1.20, protection against the Bronze Bit attack (CVE-2020-17049) is implemented by passing additional information between the KDC and KDB components. In the KDC based on Heimdal Kerberos, the issue was fixed in 2021.
  • When built with MIT Kerberos 1.20, the Samba-based domain controller now supports the Kerberos extensions S4U2Self and S4U2Proxy, and also adds Resource Based Constrained Delegation (RBCD) capability. To manage RBCD, the 'add-principal' and 'del-principal' subcommands have been added to the "samba-tool delegation" command. The default KDC based on Heimdal Kerberos does not yet support RBCD mode.
  • The built-in DNS service provides the ability to change the network port that receives requests (for example, to run another DNS server on the same system that forwards certain requests to Samba).
  • In the CTDB component, which is responsible for the operation of cluster configurations, the syntax requirements for the ctdb.tunables file have been relaxed. When building Samba with the “--with-cluster-support” and “--systemd-install-services” options, installation of the systemd service for CTDB is ensured. The ctdbd_wrapper script has been discontinued; the ctdbd process is now launched directly from the systemd service or from the init script.
  • The 'nt hash store = never' setting has been implemented, which prevents storing “naked” (unsalted) hashes of Active Directory user passwords. In the next version, the default value of 'nt hash store' will be set to "auto", in which the "never" mode will be applied if the 'ntlm auth = disabled' setting is present.
  • A binding has been proposed for accessing the smbconf library API from Python code.
  • The smbstatus program implements the ability to output information in JSON format (enabled with the "--json" option).
  • The domain controller supports the “Protected Users” security group, which appeared in Windows Server 2012 R2 and does not allow the use of weak encryption types (for users in the group, support for NTLM authentication, RC4-based Kerberos TGTs, and constrained and unconstrained delegation is disabled).
  • Support for the LanMan-based password store and authentication method has been discontinued (the "lanman auth=yes" setting has no effect).
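
As an added illustration (not code from Samba or from the original article), the following Python sketch audits the [global] section of an smb.conf for the NT hash, NTLM and LanMan settings described in the list above. The sample configuration is constructed, and the behaviour of "auto" when NTLM is not disabled (hashes are still stored) is an assumption beyond what the article states.

```python
import re

# Constructed sample smb.conf fragment (not taken from the article).
SAMPLE_CONF = """
[global]
    workgroup = EXAMPLE
    NTLM Auth = disabled
    lanman auth = yes
    ; nt hash store = never
"""

def parse_global(text):
    """Return [global] parameters; smb.conf names ignore case and spaces."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank lines and comments
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.lower().split())] = value.strip().lower()
    return params

def effective_nt_hash_store(params, default="auto"):
    """Resolve 'nt hash store'. 'auto' is the default the article announces
    for the next release; pass another default to model a different release."""
    mode = params.get("nthashstore", default)
    if mode == "auto":
        # Article: "never" applies when 'ntlm auth = disabled' is set.
        # Assumption: otherwise "auto" keeps storing the hash.
        return "never" if params.get("ntlmauth") == "disabled" else "always"
    return mode

def audit(text, default="auto"):
    """List findings for the settings discussed in the release notes."""
    params = parse_global(text)
    findings = []
    if "lanmanauth" in params:
        findings.append("lanman auth is set but has no effect in 4.17")
    if effective_nt_hash_store(params, default) != "never":
        findings.append("unsalted NT hashes are still stored")
    if params.get("ntlmauth") != "disabled":
        findings.append("NTLM authentication is not disabled")
    return findings
```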

    Source: opennet.ru
