#54 Add section about changes in domain controllers (FreeIPA and Samba)
Merged 6 years ago by sclark. Opened 6 years ago by abbra.
fedora-docs/ abbra/release-notes f27-samba-ad  into  f27

file modified
+2
@@ -50,6 +50,8 @@ 

          File: Security

        - Name: Mail Servers

          File: Mail_Servers

+       - Name: Domain Controllers

+         File: Domain_Controllers

        - Name: X.Org

          File: Xorg

    - Name: Changes in Fedora for Desktop Users
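Review bot: the new nav entry sets `File: Domain_Controllers`, but this rendered diff does not show the path of the new AsciiDoc file added in the second hunk, so please confirm that file is named `Domain_Controllers.adoc` and lives in the same directory as the `Mail_Servers` and `Xorg` sources it sits between; a mismatch between the `File:` value and the real filename means the new section will not appear in the built release notes. Placement between Mail Servers and X.Org is fine, since the surrounding list is not alphabetical.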

@@ -0,0 +1,51 @@ 

+ 

+ include::en-US/entities.adoc[]

+ 

+ [[sect-domain-controllers]]

+ == Domain Controllers

+ 

+ [[sect-domain-controllers-samba-changes]]

+ === Samba changes

+ 

+ Samba project completed conversion of Samba AD DC to support MIT Kerberos. Fedora 27 is the first Fedora version to include Samba AD domain controller functionality.

+ 

+ The Samba AD process will take care of starting the MIT KDC and it will load a KDB (Kerberos Database) driver to access the Samba AD database.  When

+ provisioning an AD DC using 'samba-tool' it will take care of creating a correct kdc.conf file for the MIT KDC.

+ 

+ For further details, see: link:++https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC++[upstream's documentation].

+ 

+ Important changes to note:

+ 

+ * Two different deployment modes are now supported for Samba domain controller:

+     - Traditional domain controller (NT-style domain controller)

+     - Active Directory domain controller (new mode).

+ * Samba upgraded to version 4.7.

+ * The default for `client max protocol` has changed to `SMB3_11`, which means that `smbclient` (and related commands) will work against servers without SMB1 support. It is possible to use the `m/--max-protocol` option to overwrite the `client max protocol` option temporarily.

+ * Encryption support in `smbclient` (option `-e/--encrypt`) works with SMB3 servers as well (Windows Server 2012 or later, Samba 4.0.0 or later).

+ * The change to `SMB3_11` as default also means `smbclient` no longer negotiates `SMB1` unix extensions by default, when talking to a Samba server with `unix extensions = yes`.  As a result, some commands are not available, e.g. `posix_encrypt`, `posix_open`, `posix_mkdir`, `posix_rmdir`, `posix_unlink`, `posix_whoami`, `getfacl` and `symlink`. Using `-mNT1` reenables them, if the server supports SMB1.

+ * `smbclient` learned a new command 'deltree' that is able to do a recursive deletion of a directory tree.

+ * The dynamic port range for RPC services has been changed from the old default value `1024-1300` to `49152-65535`. This port range is not only used by a Samba AD DC, but also applies to all other server roles including NT4-style domain controllers. The new value has been defined by Microsoft in Windows Server 2008 and newer versions. To make it easier for Administrators to control those port ranges we use the same default and make it configurable with the option: `rpc server dynamic port range`. The `rpc server port` option sets the first available port from the new `rpc server dynamic port range` option. The option `rpc server port` only applies to Samba provisioned as an AD DC.

+ 

+ Samba AD DC with MIT Kerberos does not have all the features of Heimdal Kerberos build. Missing features, compared to a Heimdal Kerberos build, are:

+ 

+ * PKINIT support

+ * S4U2SELF/S4U2PROXY support

+ * Read-only domain controller support (RODC). This functionality is not fully working with Heimdal Kerberos build either.

+ 

+ 

+ [[sect-domain-controllers-freeipa-changes]]

+ === FreeIPA changes

+ 

+ FreeIPA has been upgraded to version 4.6. This is a major FreeIPA release which supports Python 3.

+ 

+ Major changes compared to FreeIPA 4.4 which was shipped in Fedora 26:

+ 

+ * FreeIPA is using Python 3 now

+ * Security defaults are in line with the rest of Fedora. In particular, newly issued certificates default to SHA-256.

+ * Smartcard support was added to FreeIPA and SSSD. New `ipa-advise` recipes are available to configure FreeIPA-enrolled clients and servers to support smartcard authentication.

+ * FreeIPA web UI can now be accessed using smartcard authentication. This feature is not enabled by default.

+ * Kerberos PKINIT is enabled by default on new installations with an integrated Certificate Authority. This allows to use smartcards to login to FreeIPA-enrolled hosts and obtain Kerberos tickets.

+ * Kerberos authentication indicator `pkinit` is automatically issued when Kerberos PKINIT pre-authentication succeeds. As result, elevated security requirements can be assigned to Kerberos services that require to only smartcard (`pkinit`), multi-factor (`otp`), or RADIUS (`radius`) authentication to succeed prior accessing them.

+ * Users from trusted Active Directory domains can now login to FreeIPA web UI and perform self-service operations.

+ * FreeIPA can now be installed in an environment subject to FIPS 140-2 requirements.

+ 
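Review bot: in the `rpc server dynamic port range` bullet, the move from `1024-1300` to `49152-65535` is a firewall-affecting change and the text should say so: administrators who permitted only the old range for RPC traffic will see DCE/RPC calls fail after the upgrade until host firewall rules and network ACLs are widened to the new range, or the old range is pinned back with `rpc server dynamic port range`; suggest adding one sentence to that effect. Smaller fixes in the same file: `m/--max-protocol` is missing its leading dash (`-m/--max-protocol`, matching `-e/--encrypt` two bullets down); "overwrite the `client max protocol` option temporarily" reads better as "override"; "Samba project completed conversion of Samba AD DC" wants articles ("The Samba project completed the conversion of the Samba AD DC"); and in the authentication indicator bullet, "require to only smartcard (`pkinit`), multi-factor (`otp`), or RADIUS (`radius`) authentication to succeed prior accessing them" should read "require smartcard (`pkinit`), multi-factor (`otp`) or RADIUS (`radius`) authentication to succeed before they can be accessed". The two consecutive empty `+` lines before `[[sect-domain-controllers-freeipa-changes]]` can be collapsed to one.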

New pull request as there seems to be no way to update target branch in the existing one.

Pull-Request has been merged by sclark

6 years ago