                   ===============================
                   Release Notes for Samba 4.16.10
                           March 29, 2023
                   ===============================


This is a security release in order to address the following defects:

o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
                 remote LDAP server, will by default send new or reset
                 passwords over a signed-only connection.
                 https://www.samba.org/samba/security/CVE-2023-0922.html

o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
                 Confidential attribute disclosure via LDAP filters was
                 insufficient and an attacker may be able to obtain
                 confidential BitLocker recovery keys from a Samba AD DC.
                 Installations with such secrets in their Samba AD should
                 assume they have been obtained and need replacing.
                 https://www.samba.org/samba/security/CVE-2023-0614.html


Changes since 4.16.9
--------------------

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 15270: CVE-2023-0614.
   * BUG 15331: ldb wildcard matching makes excessive allocations.
   * BUG 15332: large_ldap test is inefficient.

o  Rob van der Linde <rob@catalyst.net.nz>
   * BUG 15315: CVE-2023-0922.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15270: CVE-2023-0614.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


Release notes for older releases follow:
----------------------------------------
                   ==============================
                   Release Notes for Samba 4.16.9
                         February 16, 2023
                   ==============================


This is the latest stable release of the Samba 4.16 release series.


Changes since 4.16.8
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14808: smbc_getxattr() return value is incorrect.
   * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
     correctly.
   * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
   * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find
     DC when there is only an AAAA record for the DC in DNS.
   * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.

o  Ralph Boehme <slow@samba.org>
   * BUG 15299: Spotlight doesn't work with latest macOS Ventura.

o  Samuel Cabrero <scabrero@suse.de>
   * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
     based SChannel on NETLOGON.

o  Volker Lendecke <vl@samba.org>
   * BUG 15243: %U for include directive doesn't work for share listing
     (netshareenum).
   * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
   * BUG 15269: ctdb: use-after-free in run_proc.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15243: %U for include directive doesn't work for share listing
     (netshareenum).
   * BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
   * BUG 15280: irpc_destructor may crash during shutdown.
   * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.

o  Andreas Schneider <asn@samba.org>
   * BUG 15268: smbclient segfaults with use after free on an optimized build.

o  Andrew Walker <awalker@ixsystems.com>
   * BUG 15164: Leak in wbcCtxPingDc2.
   * BUG 15265: Access based share enum does not work in Samba 4.16+.
   * BUG 15267: Crash during share enumeration.
   * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off
     end of returned buffer.


----------------------------------------------------------------------
                   ==============================
                   Release Notes for Samba 4.16.8
                         December 15, 2022
                   ==============================


This is the latest stable release of the Samba 4.16 release series.
It also contains security changes in order to address the following defects:

o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
                  RC4-HMAC Elevation of Privilege Vulnerability
                  disclosed by Microsoft on Nov 8 2022.

                  A Samba Active Directory DC will issue weak rc4-hmac
                  session keys for use between modern clients and servers
                  despite all modern Kerberos implementations supporting
                  the aes256-cts-hmac-sha1-96 cipher.

                  On Samba Active Directory DCs and members
                  'kerberos encryption types = legacy' would force
                  rc4-hmac as a client even if the server supports
                  aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.

                  https://www.samba.org/samba/security/CVE-2022-37966.html

o CVE-2022-37967: This is the Samba CVE for the Windows
                  Kerberos Elevation of Privilege Vulnerability
                  disclosed by Microsoft on Nov 8 2022.

                  A service account with the special constrained
                  delegation permission could forge a more powerful
                  ticket than the one it was presented with.

                  https://www.samba.org/samba/security/CVE-2022-37967.html

o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
                  same algorithms as rc4-hmac cryptography in Kerberos,
                  and so must also be assumed to be weak.

                  https://www.samba.org/samba/security/CVE-2022-38023.html

Note that there are several important behavior changes
included in this release, which may cause compatibility problems
interacting with systems still expecting the former behavior.
Please read the advisories of CVE-2022-37966,
CVE-2022-37967 and CVE-2022-38023 carefully!

samba-tool got a new 'domain trust modify' subcommand
-----------------------------------------------------

This allows "msDS-SupportedEncryptionTypes" to be changed
on trustedDomain objects, even against remote DCs (including Windows),
using --local-dc-ipaddress= (and the other --local-dc-* options).
See 'samba-tool domain trust modify --help' for further details.

smb.conf changes
----------------

  Parameter Name                               Description             Default
  --------------                               -----------             -------
  allow nt4 crypto                             Deprecated              no
  allow nt4 crypto:COMPUTERACCOUNT             New
  kdc default domain supported enctypes        New (see manpage)
  kdc supported enctypes                       New (see manpage)
  kdc force enable rc4 weak session keys       New                     No
  reject md5 clients                           New Default, Deprecated Yes
  reject md5 servers                           New Default, Deprecated Yes
  server schannel                              Deprecated              Yes
  server schannel require seal                 New, Deprecated         Yes
  server schannel require seal:COMPUTERACCOUNT New
  winbind sealed pipes                         Deprecated              Yes
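
The following is an added example, not part of the Samba release notes or
Samba's own code: a Python check that reads smb.conf text and reports settings
that differ from the defaults listed in the table above, plus
'kerberos encryption types = legacy' as named under CVE-2022-37966. The sample
configuration and the account name LEGACYHOST$ are constructed.

```python
import re

# Values the "smb.conf changes" table above lists as defaults
# (True = yes, False = no).
HARDENED_DEFAULTS = {
    "allow nt4 crypto": False,
    "reject md5 clients": True,
    "reject md5 servers": True,
    "server schannel": True,
    "server schannel require seal": True,
    "winbind sealed pipes": True,
    "kdc force enable rc4 weak session keys": False,
}
# Options the table also lists in a per-account form (name:COMPUTERACCOUNT).
PER_ACCOUNT = {"allow nt4 crypto", "server schannel require seal"}

TRUE_WORDS = {"yes", "true", "on", "1"}
FALSE_WORDS = {"no", "false", "off", "0"}

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
# constructed sample
[global]
    workgroup = EXAMPLE
    Reject MD5 Clients = no
    server schannel = auto
    server schannel require seal:LEGACYHOST$ = no
    allow nt4 crypto = no
    kerberos encryption types = legacy
    kdc force enable rc4 weak session keys = yes
    winbind sealed pipes = yes
"""


def _norm(name):
    """smb.conf parameter names ignore case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


_BY_NORM = {_norm(k): k for k in HARDENED_DEFAULTS}


def parse_settings(text):
    """Yield (line_no, name, value) for every 'name = value' line.

    Handles '#' and ';' comments and trailing-backslash continuations.
    Section headers are skipped: the options checked here are reported
    wherever they appear.
    """
    pending, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#;" or line.startswith("["):
                continue
            start = no
        line = pending + line
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if "=" in line:
            name, value = line.split("=", 1)
            yield start, name.strip(), value.strip()


def audit(text):
    """Return [(line_no, setting, reason), ...] for weakened settings."""
    findings = []
    for no, name, value in parse_settings(text):
        base, _, account = name.partition(":")
        val = value.lower()
        key = _BY_NORM.get(_norm(base))
        if key is None:
            # Named in the CVE-2022-37966 text: forces rc4-hmac as a client.
            if _norm(name) == "kerberosencryptiontypes" and val == "legacy":
                findings.append((no, name, "legacy forces rc4-hmac as a client"))
            continue
        if account and key not in PER_ACCOUNT:
            continue
        hardened = HARDENED_DEFAULTS[key]
        # Anything that is not a recognised boolean (e.g. "auto") is reported.
        actual = True if val in TRUE_WORDS else False if val in FALSE_WORDS else None
        if actual == hardened:
            continue
        want = "yes" if hardened else "no"
        if account:
            reason = f"per-account exception for {account.strip()}: {value} (default {want})"
        else:
            reason = f"set to {value}, default in this release is {want}"
        findings.append((no, name, reason))
    return findings


if __name__ == "__main__":
    for no, name, reason in audit(SAMPLE):
        print(f"line {no}: {name}: {reason}")
```

Per-account exceptions are reported only when they weaken the default, so a
reviewed list of legacy machine accounts can be compared against the output.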

Changes since 4.16.7
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
     same size.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
     user-controlled pointer in FAST.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15237: CVE-2022-37966.
   * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.

o  Ralph Boehme <slow@samba.org>
   * BUG 15240: CVE-2022-38023.
   * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 13135: The KDC logic around msDs-supportedEncryptionTypes differs from
     Windows.
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.
   * BUG 15203: CVE-2022-42898  [SECURITY] krb5_pac_parse() buffer parsing
     vulnerability.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15230: Memory leak in snprintf replacement functions.
   * BUG 15237: CVE-2022-37966.
   * BUG 15240: CVE-2022-38023.
   * BUG 15253: RODC doesn't reset badPwdCount reliably via an RWDC
     (CVE-2021-20251 regression).

o  Noel Power <noel.power@suse.com>
   * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
     same size.

o  Andreas Schneider <asn@samba.org>
   * BUG 15237: CVE-2022-37966.
   * BUG 15243: %U for include directive doesn't work for share listing
     (netshareenum).
   * BUG 15257: Stack smashing in net offlinejoin requestodj.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
   * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
   * BUG 15231: CVE-2022-37967.
   * BUG 15237: CVE-2022-37966.

o  Nicolas Williams <nico@twosigma.com>
   * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
     user-controlled pointer in FAST.


----------------------------------------------------------------------
                   ==============================
                   Release Notes for Samba 4.16.7
                         November 15, 2022
                   ==============================


This is a security release in order to address the following defects:

o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
                  integer overflows when parsing a PAC on a 32-bit system, which
                  allowed an attacker with a forged PAC to corrupt the heap.
                  https://www.samba.org/samba/security/CVE-2022-42898.html

Changes since 4.16.6
--------------------

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15203: CVE-2022-42898

o  Nicolas Williams <nico@twosigma.com>
   * BUG 15203: CVE-2022-42898


----------------------------------------------------------------------
                   ==============================
                   Release Notes for Samba 4.16.6
                          October 25, 2022
                   ==============================


This is a security release in order to address the following defect:

o CVE-2022-3437:  There is a limited write heap buffer overflow in the GSSAPI
                  unwrap_des() and unwrap_des3() routines of Heimdal (included
                  in Samba).
                  https://www.samba.org/samba/security/CVE-2022-3437.html

Changes since 4.16.5
---------------------

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15134: CVE-2022-3437.


----------------------------------------------------------------------
                   ==============================
                   Release Notes for Samba 4.16.5
                         September 07, 2022
                   ==============================


This is the latest stable release of the Samba 4.16 release series.


Changes since 4.16.4
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 15128: Possible use after free of connection_struct when iterating
     smbd_server_connection->connections.

o  Ralph Boehme <slow@samba.org>
   * BUG 15086: Spotlight RPC service returns wrong response when Spotlight is
     disabled on a share.
   * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
     permissions instead of ACL from xattr.
   * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
   * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
     ../../lib/util/fault.c:197.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15148: Missing READ_LEASE break could cause data corruption.

o  Andreas Schneider <asn@samba.org>
   * BUG 15124: rpcclient can crash using setuserinfo(2).
   * BUG 15132: Samba fails to build with glibc 2.36 caused by including
     <sys/mount.h> in libreplace.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15152: SMB1 negotiation can fail to handle connection errors.

o  Michael Tokarev <mjt@tls.msk.ru>
   * BUG 15078: samba-tool domain join segfault when joining a samba ad domain.


----------------------------------------------------------------------
                   ==============================
                   Release Notes for Samba 4.16.4
                           July 27, 2022
                   ==============================


This is a security release in order to address the following defects:

o CVE-2022-2031:  Samba AD users can bypass certain restrictions associated with
                  changing passwords.
                  https://www.samba.org/samba/security/CVE-2022-2031.html

o CVE-2022-32744: Samba AD users can forge password change requests for any user.
                  https://www.samba.org/samba/security/CVE-2022-32744.html

o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
                  or modify request.
                  https://www.samba.org/samba/security/CVE-2022-32745.html

o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
                  process with an LDAP add or modify request.
                  https://www.samba.org/samba/security/CVE-2022-32746.html

o CVE-2022-32742: Server memory information leak via SMB1.
                  https://www.samba.org/samba/security/CVE-2022-32742.html

Changes since 4.16.3
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 15085: CVE-2022-32742.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 15009: CVE-2022-32746.

o  Andreas Schneider <asn@samba.org>
   * BUG 15047: CVE-2022-2031.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15008: CVE-2022-32745.
   * BUG 15009: CVE-2022-32746.
   * BUG 15047: CVE-2022-2031.
   * BUG 15074: CVE-2022-32744.


----------------------------------------------------------------------
                   ==============================
                   Release Notes for Samba 4.16.3
                           July 18, 2022
                   ==============================


This is the latest stable release of the Samba 4.16 release series.


Changes since 4.16.2
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 15099: Using vfs_streams_xattr and deleting a file causes a panic.

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 14986: Add support for bind 9.18.
   * BUG 15076: logging dsdb audit to specific files does not work.

o  Samuel Cabrero <scabrero@samba.org>
   * BUG 14979: Problem when winbind renews Kerberos.
   * BUG 15095: Samba with new lorikeet-heimdal fails to build on gcc 12.1 in
     developer mode.

o  Volker Lendecke <vl@samba.org>
   * BUG 15105: Crash in streams_xattr because fsp->base_fsp->fsp_name is NULL.
   * BUG 15118: Crash in rpcd_classic - NULL pointer dereference in
     mangle_is_mangled().

o  Noel Power <noel.power@suse.com>
   * BUG 15100: smbclient commands del & deltree fail with
     NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS.

o  Christof Schmitt <cs@samba.org>
   * BUG 15120: Fix check for chown when processing NFSv4 ACL.

o  Andreas Schneider <asn@samba.org>
   * BUG 15082: The pcap background queue process should not be stopped.
   * BUG 15097: testparm: Fix typo in idmap rangesize check.
   * BUG 15106: net ads info returns LDAP server and LDAP server name as null.
   * BUG 15108: ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link.

o  Martin Schwenke <martin@meltin.net>
   * BUG 15090: CTDB child process logging does not work as expected.


----------------------------------------------------------------------
                   ==============================
                   Release Notes for Samba 4.16.2
                           June 13, 2022
                   ==============================


This is the latest stable release of the Samba 4.16 release series.


Changes since 4.16.1
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 15042: Use pathref fd instead of io fd in vfs_default_durable_cookie.

o  Ralph Boehme <slow@samba.org>
   * BUG 15069: vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
     file had been deleted.

o  Samuel Cabrero <scabrero@samba.org>
   * BUG 15087: netgroups support removed.

o  Samuel Cabrero <scabrero@suse.de>
   * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
     server.

o  Volker Lendecke <vl@samba.org>
   * BUG 15062: Update from 4.15  to 4.16 breaks discovery of [homes] on
     standalone server from Win and IOS.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15071: waf produces incorrect names for python extensions with Python
     3.11.

o  Noel Power <noel.power@suse.com>
   * BUG 15075: smbclient -E doesn't work as advertised.

o  Andreas Schneider <asn@samba.org>
   * BUG 15071: waf produces incorrect names for python extensions with Python
     3.11.
   * BUG 15081: The samba background daemon doesn't refresh the printcap cache
     on startup.

o  Robert Sprowson <webpages@sprow.co.uk>
   * BUG 14443: Out-by-4 error in smbd read reply max_send clamp.


----------------------------------------------------------------------
                   ==============================
                   Release Notes for Samba 4.16.1
                            May 02, 2022
                   ==============================


This is the latest stable release of the Samba 4.16 release series.


Changes since 4.16.0
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14831: Share and server swapped in smbget password prompt.
   * BUG 15022: Durable handles won't reconnect if the leased file is written
     to.
   * BUG 15023: rmdir silently fails if directory contains unreadable files and
     hide unreadable is yes.
   * BUG 15038: SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on
     renamed file handle.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 8731: Need to describe --builtin-libraries= better (compare with
    --bundled-libraries).

o  Ralph Boehme <slow@samba.org>
   * BUG 14957: vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback.
   * BUG 15035: shadow_copy2 fails listing snapshotted dirs with
     shadow:fixinodes.

o  Samuel Cabrero <scabrero@samba.org>
   * BUG 15046: PAM Kerberos authentication incorrectly fails with a clock skew
     error.

o  Pavel Filipenský <pfilipen@redhat.com>
   * BUG 15041: Username map - samba erroneously applies unix group memberships
     to user account entries.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14951: KVNO off by 100000.

o  Christof Schmitt <cs@samba.org>
   * BUG 15027: Uninitialized litemask in variable in vfs_gpfs module.
   * BUG 15055: vfs_gpfs recalls=no option prevents listing files.

o  Andreas Schneider <asn@cryptomilk.org>
   * BUG 15054: smbd doesn't handle UPNs for looking up names.


----------------------------------------------------------------------
                   ==============================
                   Release Notes for Samba 4.16.0
                           March 21, 2022
                   ==============================

This is the first stable release of the Samba 4.16 release series.
Please read the release notes carefully before upgrading.


NEW FEATURES/CHANGES
====================

New samba-dcerpcd binary to provide DCERPC in the member server setup
---------------------------------------------------------------------

In order to make it much easier to break out the DCERPC services
from smbd, a new samba-dcerpcd binary has been created.

samba-dcerpcd can be used in two ways. In the normal case without
startup script modification it is invoked on demand from smbd or
winbind --np-helper to serve DCERPC over named pipes. Note that
in order to run in this mode the smb.conf [global] section has
a new parameter "rpc start on demand helpers = [true|false]".
This parameter is set to "true" by default, meaning no changes to
smb.conf files are needed to run samba-dcerpcd on demand as a named
pipe helper.

It can also be used in a standalone mode where it is started
separately from smbd or winbind but this requires changes to system
startup scripts, and in addition a change to smb.conf, setting the new
[global] parameter "rpc start on demand helpers = false". If "rpc
start on demand helpers" is not set to false, samba-dcerpcd will
refuse to start in standalone mode.

Note that when Samba is run in the Active Directory Domain Controller
mode the samba binary that provides the AD code will still provide its
normal DCERPC services whilst allowing samba-dcerpcd to provide
services like SRVSVC in the same way that smbd used to in this
configuration.

The parameters that allowed some smbd-hosted services to be started
externally are now gone (detailed below) as this is now the default
setting.

samba-dcerpcd can also be useful for use outside of the Samba
framework, for example, use with the Linux kernel SMB2 server ksmbd or
possibly other SMB2 server implementations.

Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support
------------------------------------------------------------------

Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos
implementation.  This snapshot has now been updated and will closely
match what will be released as Heimdal 8.0 shortly.

This is a major update (previously we used a snapshot of Heimdal from
2011) and brings important new Kerberos security features such as
Kerberos request armoring, known as FAST.  This tunnels ticket
requests and replies that might be encrypted with a weak password
inside a wrapper built with a stronger password, say from a machine
account.

In Heimdal and MIT modes Samba's KDC now supports FAST, for the
support of non-Windows clients.

Windows clients will not use this feature however, as they do not
attempt to do so against a server not advertising domain Functional
Level 2012.  Samba users are of course free to modify how Samba
advertises itself, but use with Windows clients is not supported "out
of the box".

Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of
the FAST protocol.  A future version will align this more closely with
Microsoft AD behaviour.

If FAST needs to be disabled on your Samba KDC, set

 kdc enable fast = no

in the smb.conf.

The Samba project wishes to thank the numerous developers who have put
in a massive effort to make this possible over many years.  In
particular we thank Stefan Metzmacher, Joseph Sutton, Gary Lockyer,
Isaac Boukris and Andrew Bartlett.  Samba's developers in turn thank
their employers and in turn their customers who have supported this
effort over many years.

Certificate Auto Enrollment
---------------------------

Certificate Auto Enrollment allows devices to enroll for certificates from
Active Directory Certificate Services. It is enabled by Group Policy.
To enable Certificate Auto Enrollment, Samba's group policy will need to be
enabled by setting the smb.conf option `apply group policies` to Yes. Samba
Certificate Auto Enrollment depends on certmonger, the cepces certmonger
plugin, and sscep. Samba uses sscep to download the CA root chain, then uses
certmonger paired with cepces to monitor the host certificate templates.
Certificates are installed in /var/lib/samba/certs and private keys are
installed in /var/lib/samba/private/certs.

Ability to add ports to dns forwarder addresses in internal DNS backend
-----------------------------------------------------------------------

The internal DNS server of Samba forwards queries for non-AD zones to one or more
configured forwarders. Up until now it has been assumed that these forwarders
listen on port 53. Starting with this version it is possible to configure the
port using host:port notation. See smb.conf for more details. Existing setups
are not affected, as the default port is 53.

CTDB changes
------------

* The "recovery master" role has been renamed "leader"

  Documentation and logs now refer to "leader".

  The following ctdb tool command names have changed:

    recmaster -> leader
    setrecmasterrole -> setleaderrole

  Command output has changed for the following commands:

    status
    getcapabilities

  The "[legacy] -> recmaster capability" configuration option has been
  renamed and moved to the cluster section, so this is now:

    [cluster] -> leader capability

* The "recovery lock" has been renamed "cluster lock"

  Documentation and logs now refer to "cluster lock".

  The "[cluster] -> recovery lock" configuration option has been
  deprecated and will be removed in a future version.  Please use
  "[cluster] -> cluster lock" instead.

  If the cluster lock is enabled then traditional elections are not
  done and leader elections use a race for the cluster lock.  This
  avoids various conditions where a node is elected leader but can not
  take the cluster lock.  Such conditions included:

  - At startup, a node elects itself leader of its own cluster before
    connecting to other nodes

  - Cluster filesystem failover is slow

  The abbreviation "reclock" is still used in many places, because a
  better abbreviation eludes us (i.e. "clock" is obviously bad) and
  changing all instances would require a lot of churn.  If the
  abbreviation "reclock" for "cluster lock" is confusing, please
  consider mentally prefixing it with "really excellent".

* CTDB now uses leader broadcasts and an associated timeout to
  determine if an election is required

  The leader broadcast timeout can be configured via new configuration
  option

    [cluster] -> leader timeout

  This specifies the number of seconds without leader broadcasts
  before a node calls an election.  The default is 5.
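
The renames above can be checked mechanically before an upgrade. The
following is an added example, not part of CTDB or of these release notes:
it reports pre-4.16 option names in a ctdb.conf and ctdb tool calls in
shell scripts that use a renamed command or parse changed output. The
function names and the sample inputs are constructed for illustration.

```python
import configparser
import re

# Renames taken from the 4.16.0 notes: (section, old) -> (section, new).
RENAMED_OPTIONS = {
    ("legacy", "recmaster capability"): ("cluster", "leader capability"),
    ("cluster", "recovery lock"): ("cluster", "cluster lock"),
}
RENAMED_COMMANDS = {"recmaster": "leader", "setrecmasterrole": "setleaderrole"}
# A ctdb call followed, in the same simple command, by an affected subcommand.
CTDB_CALL = re.compile(
    r"\bctdb\b[^|;&]*?\b(recmaster|setrecmasterrole|status|getcapabilities)\b")


def audit_ctdb_conf(text):
    """Return one finding per pre-4.16 option name present in ctdb.conf text."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                   strict=False, interpolation=None)
    cp.read_string(text)
    return [f"[{sec}] {old} -> [{new_sec}] {new}"
            for (sec, old), (new_sec, new) in RENAMED_OPTIONS.items()
            if cp.has_option(sec, old)]


def audit_script(text):
    """Return (line number, note) pairs for ctdb tool calls affected by 4.16."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]              # drop shell comments (heuristic)
        for match in CTDB_CALL.finditer(code):
            cmd = match.group(1)
            if cmd in RENAMED_COMMANDS:
                hits.append((number, f"ctdb {cmd} is now ctdb {RENAMED_COMMANDS[cmd]}"))
            else:                                 # status, getcapabilities
                hits.append((number, f"ctdb {cmd} output changed; review parsing"))
    return hits


# Constructed sample inputs.
SAMPLE_CONF = """\
[legacy]
recmaster capability = false
[cluster]
recovery lock = /clusterfs/.ctdb/reclock
"""
SAMPLE_SCRIPT = '''\
#!/bin/sh
if [ "$(ctdb recmaster)" = "$(ctdb pnn)" ]; then
    ctdb -Y status | wc -l
fi
'''
```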


REMOVED FEATURES
================

Older SMB1 protocol SMBCopy command removed
-------------------------------------------

SMB is a nearly 30-year-old protocol, and some protocol commands,
while supported in all versions, have not seen widespread use.

One of those is SMBCopy, a feature for a server-side copy of a file.
This feature has been so unmaintained that Samba has no testsuite for
it.

The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was
introduced in the LAN Manager 1.0 dialect and it was rendered obsolete
in the NT LAN Manager dialect.

Therefore it has been removed from the Samba smbd server.

We do note that a fully supported and tested server-side copy is
present in SMB2, and can be accessed with the "scopy" subcommand in
smbclient.

SMB1 server-side wildcard expansion removed
-------------------------------------------

Server-side wildcard expansion is another feature that sounds useful,
but is also rarely used and has become problematic - imposing extra
work on the server (both in terms of code and CPU time).

In actual OS design, wildcard expansion is handled in the local shell,
not at the remote server using SMB wildcard syntax (which is not shell
syntax).

In Samba 4.16 the ability to process file name wildcards in requests
using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7),
SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1
command number 0x6) has been removed.
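
To find clients that still depend on the two removals above (SMB_COM_COPY
and wildcards in rename/delete) before upgrading, captured SMB1 requests
can be classified by command number and path contents. This is an added
example, not Samba code; it assumes each message starts at the 0xFF 'SMB'
header (transport framing already stripped), and the function names and
sample_request() builder are constructed for illustration.

```python
import struct

SMB_COM_DELETE, SMB_COM_RENAME, SMB_COM_COPY, SMB_COM_NT_RENAME = 0x06, 0x07, 0x29, 0xA5
WILDCARD_COMMANDS = {SMB_COM_DELETE, SMB_COM_RENAME, SMB_COM_NT_RENAME}
FLAGS_REPLY, FLAGS2_UNICODE = 0x80, 0x8000
SMB_WILDCARDS = set('*?<>"')                 # SMB wildcard set, not shell syntax


def path_names(msg, data_off, data):
    """Yield each 0x04-prefixed, NUL-terminated path in an SMB1 data block."""
    unicode_paths = struct.unpack_from("<H", msg, 10)[0] & FLAGS2_UNICODE
    pos = 0
    while pos < len(data) and data[pos] == 0x04:
        pos += 1
        if unicode_paths:
            pos += (data_off + pos) % 2      # pad to a 16-bit boundary
            end = pos
            while end + 1 < len(data) and data[end:end + 2] != b"\0\0":
                end += 2
            yield data[pos:end].decode("utf-16-le", "replace")
            pos = end + 2
        else:
            end = data.find(b"\0", pos)
            end = len(data) if end < 0 else end
            yield data[pos:end].decode("latin-1")
            pos = end + 1


def removed_in_4_16(msg):
    """Return why smbd 4.16 no longer serves this SMB1 request, or None."""
    if len(msg) < 35 or msg[:4] != b"\xffSMB" or msg[9] & FLAGS_REPLY:
        return None                          # not a complete SMB1 request
    command = msg[4]
    if command == SMB_COM_COPY:
        return "SMB_COM_COPY (0x29) removed"
    if command not in WILDCARD_COMMANDS:
        return None
    count_off = 33 + 2 * msg[32]             # skip WordCount and parameter words
    if len(msg) < count_off + 2:
        return None
    byte_count = struct.unpack_from("<H", msg, count_off)[0]
    data = msg[count_off + 2:count_off + 2 + byte_count]
    for name in path_names(msg, count_off + 2, data):
        if SMB_WILDCARDS & set(name):
            return f"wildcard in path {name!r} for command 0x{command:02X}"
    return None


def sample_request(command, flags2, words, data):
    """Build a constructed SMB1 request: 32-byte header, words, data block."""
    header = b"\xffSMB" + bytes([command]) + bytes(5) + struct.pack("<H", flags2) + bytes(20)
    return header + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
```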

SMB1 protocol has been deprecated, particularly older dialects
--------------------------------------------------------------

We take this opportunity to remind users that we have deprecated and
disabled by default, but not removed, the whole SMB1 protocol since
Samba 4.11.  If needed for security purposes or code maintenance we
will continue to remove older protocol commands and dialects that are
unused or have been replaced in more modern SMB1 versions.

We specifically deprecate the dialects older than "NT LM 0.12"
(also known as "NT LANMAN 1.0" and "NT1").

Please note that "NT LM 0.12" is the dialect used by software as old
as Windows 95, Windows NT and Samba 2.0, so this deprecation applies
to DOS and similar era clients.

We do reassure users that 'simple' operation of clients older than
these (e.g. DOS) will, while untested, continue for the near future.
Our purpose is not to cripple use of Samba in unique situations, but
to reduce the maintenance burden.

Eventually SMB1 as a whole will be removed, but no broader change is
announced for 4.16.

In the rare case where the above changes cause incompatibilities,
users requiring support for these features will need to use older
versions of Samba.

No longer using Linux mandatory locks for sharemodes
----------------------------------------------------

smbd mapped sharemodes to Linux mandatory locks. This code in the Linux kernel
was broken for a long time, and is planned to be removed with Linux 5.15. This
Samba release removes the usage of mandatory locks for sharemodes and the
"kernel share modes" config parameter is changed to default to "no". The Samba
VFS interface is kept, so that file-system specific VFS modules can still use
private calls for enforcing sharemodes.


smb.conf changes
================

  Parameter Name                          Description     Default
  --------------                          -----------     -------
  kernel share modes                      New default     No
  dns forwarder                           Changed
  rpc_daemon                              Removed
  rpc_server                              Removed
  rpc start on demand helpers             Added           true
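
The table above, together with the samba-dcerpcd and dns forwarder
sections, translates into a short pre-upgrade check of smb.conf. This is
an added example, not Samba code: the function names, the
standalone_dcerpcd flag and the sample file are constructed, and the
bracketed [IPv6]:port form handled for forwarders is an assumption (see
smb.conf for the authoritative syntax).

```python
import configparser

TRUE_WORDS = {"yes", "true", "on", "1"}          # smb.conf boolean spellings


def load_global(text):
    """Return the [global] options of smb.conf text, names normalised."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                   strict=False, interpolation=None)
    # smb.conf ignores case and whitespace in parameter names.
    cp.optionxform = lambda name: "".join(name.split()).lower()
    cp.read_string(text.replace("\\\n", ""))     # join continuation lines
    for section in cp.sections():
        if section.strip().lower() == "global":
            return dict(cp[section])
    return {}


def forwarder_port(token):
    """Split one 'dns forwarder' entry into (host, port); the port defaults to 53."""
    if token.startswith("["):                    # assumed form: [IPv6]:port
        host, _, rest = token[1:].partition("]")
        return host, int(rest[1:]) if rest.startswith(":") else 53
    if token.count(":") == 1:                    # IPv4 address with a port
        host, port = token.split(":")
        return host, int(port)
    return token, 53                             # bare IPv4 or IPv6 address


def audit_smb_conf(text, standalone_dcerpcd=False):
    """Return findings for an smb.conf that is being moved to Samba 4.16."""
    g = load_global(text)
    findings = [f"removed parameter: {name}" for name in g
                if name.startswith(("rpc_daemon", "rpc_server"))]
    if "kernelsharemodes" not in g:
        findings.append("kernel share modes unset in [global]: default is now No")
    on_demand = g.get("rpcstartondemandhelpers", "true").strip().lower() in TRUE_WORDS
    if standalone_dcerpcd and on_demand:
        findings.append("standalone samba-dcerpcd needs rpc start on demand helpers = false")
    for token in g.get("dnsforwarder", "").split():
        host, port = forwarder_port(token)
        if port != 53:
            findings.append(f"dns forwarder {host} uses port {port}")
    return findings


# Constructed sample: a pre-4.16 configuration.
SAMPLE_SMB_CONF = """\
[Global]
workgroup = EXAMPLE
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
DNS Forwarder = 192.0.2.53 192.0.2.54:5353 [2001:db8::53]:54
"""
```

Forwarders reported on a port other than 53 also need a matching egress
rule on any firewall between the DC and the forwarder.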


CHANGES SINCE 4.16.0rc5
=======================

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 15000: Memory leak in FAST cookie handling.

o  Elia Geretto <elia.f.geretto@gmail.com>
   * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES
     in SMBC_server_internal.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
     users).
   * BUG 14641: Crash of winbind on RODC.
   * BUG 15001: LDAP simple binds should honour "old password allowed period".
   * BUG 15002: S4U2Self requests don't work against servers without FAST
     support.
   * BUG 15003: wbinfo -a doesn't work reliable with upn names.
   * BUG 15005: A cross-realm kerberos client exchanges fail using KDCs with and
     without FAST.
   * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 =>
     INTERNAL_ERROR.

o  Garming Sam <garming@catalyst.net.nz>
   * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
     users).

o  Andreas Schneider <asn@samba.org>
   * BUG 15016: Regression: create krb5 conf = yes doesn't work with a single
     KDC.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 =>
     INTERNAL_ERROR.


CHANGES SINCE 4.16.0rc4
=======================

o  Jeremy Allison <jra@samba.org>
   * BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2
     objects with same lease key.

o  Jule Anger <janger@samba.org>
   * BUG 14999: Listing shares with smbstatus no longer works.

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 14996: Fix ldap simple bind with TLS auditing.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.

o  Volker Lendecke <vl@samba.org>
   * BUG 14989: Fix a use-after-free in SMB1 server.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14865: Uncached logon on RODC always fails once.
   * BUG 14984: Changing the machine password against an RODC likely destroys
     the domain join.
   * BUG 14993: authsam_make_user_info_dc() steals memory from its struct
     ldb_message *msg argument.
   * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.


CHANGES SINCE 4.16.0rc3
=======================

o  Samuel Cabrero <scabrero@suse.de>
   * BUG 14979: Problem when winbind renews Kerberos.

o  Björn Jacke <bj@sernet.de>
   * BUG 13631: DFS fix for AIX broken.
   * BUG 14974: Solaris and AIX acl modules: wrong function arguments.
   * BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump.

o  Andreas Schneider <asn@samba.org>
   * BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the
     id range only once.

o  Martin Schwenke <martin@meltin.net>
   * BUG 14958: CTDB can get stuck in election and recovery.


CHANGES SINCE 4.16.0rc2
=======================

o  Jeremy Allison <jra@samba.org>
   * BUG 14169: Renaming file on DFS root fails with
     NT_STATUS_OBJECT_PATH_NOT_FOUND.
   * BUG 14938: NT error code is not set when overwriting a file during rename
     in libsmbclient.

o  Ralph Boehme <slow@samba.org>
   * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
     server.

o  Pavel Filipenský <pfilipen@redhat.com>
   * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file.

o  Volker Lendecke <vl@samba.org>
   * BUG 14900: Regression: Samba 4.15.2 on macOS segfaults intermittently
     during strcpy in tdbsam_getsampwnam.
   * BUG 14975: Fix a crash in vfs_full_audit - CREATE_FILE can free a used fsp.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with
     gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.

o  Andreas Schneider <asn@samba.org>
   * BUG 14960: SDB uses HDB flags directly which can lead to unwanted side
     effects.


CHANGES SINCE 4.16.0rc1
=======================

o  Jeremy Allison <jra@samba.org>
   * BUG 14911: CVE-2021-44141: UNIX extensions in SMB1 disclose whether the
     outside target of a symlink exists.

o  Ralph Boehme <slow@samba.org>
   * BUG 14914: CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
     module.
   * BUG 14961: install elasticsearch_mappings.json

o  FeRD (Frank Dana) <ferdnyc@gmail.com>
   * BUG 14947: samba-bgqd still notifying systemd, triggering log warnings
     without NotifyAccess=all.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14867: Printing no longer works on Windows 7 with 2021-10 monthly
     rollup patch.
   * BUG 14956: ndr_push_string() adds implicit termination for
     STR_NOTERM|REMAINING empty strings.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14950: CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict
     checks.


KNOWN ISSUES
============

https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.16#Release_blocking_bugs


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================