Samba 4.18 Features added/changed
Samba 4.18 is ''Security Fixes_Only Mode.
Samba 4.18.11
- Release Notes for Samba 4.18.11
March 13, 2024
This is the latest stable release of the Samba 4.18 release series.
Changes since 4.18.10
- Martin Schwenke <mschwenke@ddn.com>
- BUG 15580: Packet marshalling push support missing for CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and CTDB_CONTROL_TCP_CLIENT_PASSED
Release Notes Samba 4.18.11
Samba 4.18.10
- Release Notes for Samba 4.18.10
- January 31, 2024
This is the latest stable release of the Samba 4.18 release series.
Changes since 4.18.9
- Ralph Boehme <slow@samba.org>
- Samuel Cabrero <scabrero@samba.org>
- BUG 13577: net changesecretpw cannot set the machine account password if secrets.tdb is empty.
- Bjoern Jacke <bj@sernet.de>
- BUG 12421: Fake directory create times has no effect.
- Björn Jacke <bjacke@samba.org>
- Volker Lendecke <vl@samba.org>
- Stefan Metzmacher <metze@samba.org>
- Martin Schwenke <mschwenke@ddn.com>
- BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public address disconnects first.
- Shachar Sharon <ssharon@redhat.com>
- BUG 15440: Unable to copy and write files from clients to Ceph cluster via SMB Linux gateway with Ceph VFS module.
- Jones Syue <jonessyue@qnap.com>
Release Notes Samba 4.18.10
Samba 4.18.9
- Release Notes for Samba 4.18.9
- November 29, 2023
This is the latest stable release of the Samba 4.18 release series.
It contains the security-relevant bugfix CVE-2018-14628:
- Wrong ntSecurityDescriptor values for "CN=Deleted Objects" allow read of object tombstones over LDAP (Administrator action required!)
Description of CVE-2018-14628
All versions of Samba from 4.0.0 onwards are vulnerable to an information leak (compared with the established behaviour of Microsoft's Active Directory) when Samba is an Active Directory Domain Controller.
When a domain was provisioned with an unpatched Samba version, the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object instead of being very strict (as on a Windows provisioned domain).
This means also non privileged users can use the LDAP_SERVER_SHOW_DELETED_OID control in order to view, the names and preserved attributes of deleted objects.
No information that was hidden before the deletion is visible, but in with the correct ntSecurityDescriptor value in place the whole object is also not visible without administrative rights.
There is no further vulnerability associated with this error, merely an information disclosure.
Action required in order to resolve CVE-2018-14628!
The patched Samba does NOT protect existing domains!
The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain:
samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
The above requires manual interaction in order to review the changes before they are applied. Typicall question look like this:
Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default? Owner mismatch: SY (in ref) DA(in current) Group mismatch: SY (in ref) DA(in current) Part dacl is different between reference and current here is the detail: (A;;LCRPLORC;;;AU) ACE is not present in the reference (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current (A;;LCRP;;;BA) ACE is not present in the current [y/N/all/none] y Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'
The change should be confirmed with 'y' for all objects starting with 'CN=Deleted Objects'.
Changes since 4.18.8
- Michael Adam <obnox@samba.org>
- BUG 15497: Add make command for querying Samba version.
- Ralph Boehme <slow@samba.org>
- Björn Jacke <bj@sernet.de>
- BUG 15093: Files without "read attributes" NFS4 ACL permission are not listed in directories.
- Stefan Metzmacher <metze@samba.org>
- BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP to normal users.
- Christof Schmitt <cs@samba.org>
- BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
- Christof Schmitt <christof.schmitt@us.ibm.com>
- BUG 15497: Add make command for querying Samba version.
- Martin Schwenke <mschwenke@ddn.com>
- BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
Release Notes Samba 4.18.9
Samba 4.18.8
- Release Notes for Samba 4.18.8
- October 10, 2023
This is a security release in order to address the following defects:
- Unsanitized pipe names allow SMB clients to connect as root to existing unix domain sockets on the file system.
- SMB client can truncate files to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes"
- An RODC and a user with the GET_CHANGES right can view all attributes, including secrets and passwords. Additionally, the access check fails open on error conditions.
- Calls to the rpcecho server on the AD DC can request that the server block for a user-defined amount of time, denying service.
- Samba can be made to start multiple incompatible RPC listeners, disrupting service on the AD DC.
Changes since 4.18.7
- Jeremy Allison <jra@samba.org>
- Andrew Bartlett <abartlet@samba.org>
- Ralph Boehme <slow@samba.org>
- Stefan Metzmacher <metze@samba.org>
- Joseph Sutton <josephsutton@catalyst.net.nz>
Release Notes Samba 4.18.8
Samba 4.18.7
- Release Notes for Samba 4.18.7
- September 27, 2023
This is the latest stable release of the Samba 4.18 release series.
Changes since 4.18.6
- Jeremy Allison <jra@samba.org>
- Andrew Bartlett <abartlet@samba.org>
- Ralph Boehme <slow@samba.org>
- BUG 15463: macOS mdfind returns only 50 results.
- Remi Collet <rcollet@redhat.com>
- BUG 14808: smbc_getxattr() return value is incorrect.
- Volker Lendecke <vl@samba.org>
- BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with previous cache entry value.
- Stefan Metzmacher <metze@samba.org>
- BUG 15464: libnss_winbind causes memory corruption since samba-4.18, impacts sendmail, zabbix, potentially more.
- MikeLiu <mikeliu@qnap.com>
- BUG 15453: File doesn't show when user doesn't have permission if aio_pthread is loaded.
- Martin Schwenke <mschwenke@ddn.com>
- BUG 15451: ctdb_killtcp fails to work with --enable-pcap and libpcap >= 1.9.1.
- Joseph Sutton <josephsutton@catalyst.net.nz>
Release Notes Samba 4.18.6
Samba 4.18.6
- Release Notes for Samba 4.18.6
- August 16, 2023
This is the latest stable release of the Samba 4.18 release series.
Changes since 4.18.5
- Jeremy Allison <jra@samba.org>
- Andrew Bartlett <abartlet@samba.org>
- Ralph Boehme <slow@samba.org>
- Günther Deschner <gd@samba.org>
- BUG 15414: "net offlinejoin provision" does not work as non-root user.
- Pavel Filipenský <pfilipensky@samba.org>
- Stefan Metzmacher <metze@samba.org>
- Noel Power <noel.power@suse.com>
- Arvid Requate <requate@univention.de>
- BUG 9959: Windows client join fails if a second container CN=System exists somewhere.
- Jones Syue <jonessyue@qnap.com>
Release Notes Samba 4.18.6
Samba 4.18.5
- Release Notes for Samba 4.18.5
- July 19, 2023
This is a security release in order to address the following defects:
- When winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in winbind and possibly crash it.
- SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory.
- An infinite loop bug in Samba's mdssvc RPC service for Spotlight can be triggered by an unauthenticated attacker by issuing a malformed RPC request.
- Missing type validation in Samba's mdssvc RPC service for Spotlight can be used by an unauthenticated attacker to trigger a process crash in a shared RPC mdssvc worker process.
- As part of the Spotlight protocol Samba discloses the server-side absolute path of shares and files and directories in search results.
Changes since 4.18.4
- Ralph Boehme <slow@samba.org>
- BUG 15072: CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send.
- BUG 15340: CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop.
- BUG 15341: CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion.
- BUG 15388: CVE-2023-34968: Spotlight server-side Share Path Disclosure.
- BUG 15397: CVE-2023-3347: Samba doesn't require SMB2+ signing if `server signing = mandatory` is set.
- Samuel Cabrero <scabrero@samba.org>
- BUG 15072: CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send.
- Volker Lendecke <vl@samba.org>
- BUG 15072: CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send.
- Stefan Metzmacher <metze@samba.org>
- BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
Release Notes Samba 4.18.5
Samba 4.18.4
- Release Notes for Samba 4.18.4
- July 05, 2023
This is the latest stable release of the Samba 4.18 release series.
Changes since 4.18.3
- Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
- BUG 15404: Backport --pidl-developer fixes.
- Samuel Cabrero <scabrero@samba.org>
- BUG 14030: Named crashes on DLZ zone update.
- Björn Jacke <bj@sernet.de>
- BUG 2312: smbcacls and smbcquotas do not check // before the server.
- Volker Lendecke <vl@samba.org>
- Stefan Metzmacher <metze@samba.org>
- BUG 15355: NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry and causes test timeouts.
- Noel Power <noel.power@suse.com>
- BUG 15384: net ads lookup (with unspecified realm) fails.
- Christof Schmitt <cs@samba.org>
- BUG 15381: Register Samba processes with GPFS.
- Andreas Schneider <asn@samba.org>
- BUG 15390: Python tarfile extraction needs change to avoid a warning (CVE-2007-4559 mitigation).
- BUG 15398: The winbind child segfaults when listing users with `winbind scan trusted domains = yes`.
- Jones Syue <jonessyue@qnap.com>
Release Notes Samba 4.18.4
Samba 4.18.3
- Release Notes for Samba 4.18.3
- May 31, 2023
This is the latest stable release of the Samba 4.18 release series.
Changes since 4.18.2
- Ralph Boehme <slow@samba.org>
- Volker Lendecke <vl@samba.org>
- Stefan Metzmacher <metze@samba.org>
- Andreas Schneider <asn@samba.org>
- BUG 15360: Setting veto files = /.*/ break listing directories.
- Joseph Sutton <josephsutton@catalyst.net.nz>
- BUG 15363: "samba-tool domain provision" does not run interactive mode if no arguments are given.
- Nathaniel W. Turner <nturner@exagrid.com>
- BUG 15325: dsgetdcname: assumes local system uses IPv4.
Release Notes Samba 4.18.3
Samba 4.18.2
- Release Notes for Samba 4.18.2
- April 19, 2023
This is the latest stable release of the Samba 4.18 release series.
Changes since 4.18.1
- Jeremy Allison <jra@samba.org>
- Andrew Bartlett <abartlet@samba.org>
- Ralph Boehme <slow@samba.org>
- Volker Lendecke <vl@samba.org>
- Rob van der Linde <rob@catalyst.net.nz>
- BUG 15316: Flapping tests in samba_tool_drs_show_repl.py.
- Stefan Metzmacher <metze@samba.org>
- BUG 15317: winbindd idmap child contacts the domain controller without a need.
- BUG 15318: idmap_autorid may fail to map sids of trusted domains for the first time.
- BUG 15319: idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings.
- BUG 15323: net ads search -P doesn't work against servers in other domains.
- BUG 15353: Temporary smbXsrv_tcon_global.tdb can't be parsed.
- Joseph Sutton <josephsutton@catalyst.net.nz>
Release Notes Samba 4.18.2
Samba 4.18.1
- Release Notes for Samba 4.18.1
- March 29, 2023
This is a security release in order to address the following defects:
- The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.
- The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assume they have been obtained and need replacing.
Changes since 4.18.0
- Andrew Bartlett <abartlet@samba.org>
- BUG 15270: CVE-2023-0614.
- BUG 15331: ldb wildcard matching makes excessive allocations.
- BUG 15332: large_ldap test is inefficient.
- Rob van der Linde <rob@catalyst.net.nz>
- Joseph Sutton <josephsutton@catalyst.net.nz>
Release Notes Samba 4.18.1
Samba 4.18.0
Release Announcements
- Release Notes for 4.18.0
- March 8, 2023
This is the first stable release of the Samba 4.18 release series. Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
SMB Server performance improvements
The security improvements in recent releases (4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races, caused performance regressions for metadata heavy workloads.
While 4.17 already improved the situation quite a lot, with 4.18 the locking overhead for contended path based operations is reduced by an additional factor of ~ 3 compared to 4.17. It means the throughput of open/close operations reached the level of 4.12 again.
More succinct samba-tool error messages
Historically samba-tool has reported user error or misconfiguration by means of a Python traceback, showing you where in its code it noticed something was wrong, but not always exactly what is amiss. Now it tries harder to identify the true cause and restrict its output to describing that. Particular cases include:
- a username or password is incorrect
- an ldb database filename is wrong (including in smb.conf)
- samba-tool dns: various zones or records do not exist
- samba-tool ntacl: certain files are missing
- the network seems to be down
- bad --realm or --debug arguments
Accessing the old samba-tool messages
This is not new, but users are reminded they can get the full Python stack trace, along with other noise, by using the argument '-d3'. This may be useful when searching the web.
The intention is that when samba-tool encounters an unrecognised problem (especially a bug), it will still output a Python traceback. If you encounter a problem that has been incorrectly identified by samba-tool, please report it on https://bugzilla.samba.org.
Colour output with samba-tool --color
For some time a few samba-tool commands have had a --color=yes|no|auto option, which determines whether the command outputs ANSI colour codes. Now all samba-tool commands support this option, which now also accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no', and 'tty' and 'if-tty' for 'auto' (this more closely matches convention). With --color=auto, or when --color is omitted, colour codes are only used when output is directed to a terminal.
Most commands have very little colour in any case. For those that already used it, the defaults have changed slightly.
- samba-tool drs showrepl: default is now 'auto', not 'no'
- samba-tool visualize: the interactions between --color-scheme, --color, and --output have changed slightly. When --color-scheme is set it overrides --color for the purpose of the output diagram, but not for other output like error messages.
No colour with NO_COLOR environment variable
With both samba-tool --color=auto (see above) and some other places where we use ANSI colour codes, the NO_COLOR environment variable will disable colour output. See https://no-color.org/ for a description of this variable. `samba-tool --color=always` will use colour regardless of NO_COLOR.
New wbinfo option --change-secret-at
The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER> which forces the trust account password to be changed at a specified domain controller. If the specified domain controller cannot be contacted the password change fails rather than trying other DCs.
New option to change the NT ACL default location
Usually the NT ACLs are stored in the security.NTACL extended attribute (xattr) of files and directories. The new "acl_xattr:security_acl_name" option allows to redefine the default location. The default "security.NTACL" is a protected location, which means the content of the security.NTACL attribute is not accessible from normal users outside of Samba. When this option is set to use a user-defined value, e.g. user.NTACL then any user can potentially access and overwrite this information. The module prevents access to this xattr over SMB, but the xattr may still be accessed by other means (eg local access, SSH, NFS). This option must only be used when this consequence is clearly understood and when specific precautions are taken to avoid compromising the ACL content.
Azure Active Directory / Office365 synchronisation improvements
Use of the Azure AD Connect cloud sync tool is now supported for password hash synchronisation, allowing Samba AD Domains to synchronise passwords with this popular cloud environment.
REMOVED FEATURES
smb.conf changes
Parameter Name Description Default -------------- ----------- ------- acl_xattr:security_acl_name New security.NTACL server addresses New
CHANGES SINCE 4.18.0rc4
- Jeremy Allison <jra@samba.org>
- BUG 15314: streams_xattr is creating unexpected locks on folders.
- Volker Lendecke <vl@samba.org>
- BUG 15310: New samba-dcerpc architecture does not scale gracefully.
CHANGES SINCE 4.18.0rc3
- Andreas Schneider <asn@samba.org>
- BUG 15308BUG 15308: Avoid that tests fail because other tests didn't do cleanup on failure.
- baixiangcpp <baixiangcpp@gmail.com>
- BUG 15311BUG 15311: fd_load() function implicitly closes the fd where it should not.
CHANGES SINCE 4.18.0rc2
- Jeremy Allison <jra@samba.org>
- BUG 15301: Improve file_modtime() and issues around smb3 unix test.
- Ralph Boehme <slow@samba.org>
- BUG 15299: Spotlight doesn't work with latest macOS Ventura.
- Stefan Metzmacher <metze@samba.org>
- BUG 15298: Build failure on solaris with tevent 0.14.0 (and ldb 2.7.0). (tevent 0.14.1 and ldb 2.7.1 are already released...)
- John Mulligan <jmulligan@redhat.com>
- BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd() in close and fstat.
- Andreas Schneider <asn@samba.org>
CHANGES SINCE 4.18.0rc1
- Andrew Bartlett <abartlet@samba.org>
- BUG 10635: Office365 azure Password Sync not working.
- Stefan Metzmacher <metze@samba.org>
- BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
- Noel Power <noel.power@suse.com>
- BUG 15293: With clustering enabled samba-bgqd can core dump due to use after free.
KNOWN ISSUES
Release_Planning_for_Samba_4.18#Release_blocking_bugs
Release Notes Samba 4.18.0