Samba 4.13 Features added/changed: Difference between revisions

From SambaWiki
 
(23 intermediate revisions by the same user not shown)
Line 1: Line 1:
Samba 4.13 is [[Samba_Release_Planning#Upcoming_Release|'''next upcoming release series''']].
Samba 4.13 is [[Samba_Release_Planning#Discontinued_.28End_of_Life.29|'''Discontinued (End of Life)''']].
==Samba 4.13rc6==
==Samba 4.13.17==
:Release Notes for Samba 4.13.17
<onlyinclude>
:January 31, 2022
:Release Notes for Samba 4.13rc6
:September 18, 2020


===This is a security release in order to address the following defects:===
===Release Announcements===


* [https://www.samba.org/samba/security/CVE-2021-44142.html CVE-2021-44142]: Out-of-Bound Read/Write on Samba vfs_fruit module.
This is the sixth release condidate of Samba 4.13. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.
* [https://www.samba.org/samba/security/CVE-2022-0336.html CVE-2022-0336]: Re-adding an SPN skips subsequent SPN conflict checks.


===Changes since 4.13.16===
===Samba 4.13 will be the next version of the Samba suite.===
===SECURITY===
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472 CVE-2020-1472]: Unauthenticated domain takeover via netlogon ("ZeroLogon").


* Ralph Boehme <slow@samba.org>
The following applies to Samba used as domain controller only (most seriously the Active Directory DC, but also the classic/NT4-style DC).
:* [https://bugzilla.samba.org/show_bug.cgi?id=14914 BUG 14914]: [https://www.samba.org/samba/security/CVE-2021-44142.html CVE-2021-44142]: Out-of-Bound Read/Write on Samba vfs_fruit module.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14950 BUG 14950]: [https://www.samba.org/samba/security/CVE-2022-0336.html CVE-2022-0336]: Re-adding an SPN skips subsequent SPN conflict checks.


[https://www.samba.org/samba/history/samba-4.13.17.html Release Notes Samba 4.13.17]
Installations running Samba as a file server only are not directly affected by this flaw, though they may need configuration changes to continue to talk to domain controllers (see "file servers and domain members" below).


==Samba 4.13.16==
The netlogon protocol contains a flaw that allows an authentication bypass. This was reported and patched by Microsoft as [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472 CVE-2020-1472]. Since the bug is a protocol level flaw, and Samba implements the protocol, Samba is also vulnerable.
:Release Notes for Samba 4.13.16
:January 10, 2022


===This is a security release in order to address the following defects:===
However, since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having 'server schannel = yes' in the smb.conf.


* [https://www.samba.org/samba/security/CVE-2021-43566.html CVE-2021-43566]: mkdir race condition allows share escape in Samba 4.x.
Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines
'server schannel = no'
or
'server schannel = auto'.


===Details===
Samba versions 4.7 and below are vulnerable unless they have
'server schannel = yes'
in the smb.conf.


* [https://www.samba.org/samba/security/CVE-2021-43566.html CVE-2021-43566]:
:Note: each domain controller needs the correct settings in its smb.conf.
:All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS symlink race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed.


:Clients that have write access to the exported part of the file system under a share via SMB1 unix extensions or NFS can create symlinks that can race the server by renaming an existing path and then replacing it with a symlink. If the client wins the race it can cause the server to create a directory under the new symlink target after the exported share path check has been done. This new symlink target can point to anywhere on the server file system. The authenticated user must have permissions to create a directory under the target directory of the symlink.
Vendors supporting Samba 4.7 and below are advised to patch their installations and packages to add this line to the [global] section if their smb.conf file.


:This is a difficult race to win, but theoretically possible. Note that the proof of concept code supplied wins the race only when the server is slowed down and put under heavy load. Exploitation of this bug has not been seen in the wild.
The 'server schannel = yes' smb.conf line is equivalent to Microsoft's 'FullSecureChannelProtection=1' registry key, the introduction of which we understand forms the core of Microsoft's fix.


Some domains employ third-party software that will not work with a 'server schannel = yes'. For these cases patches are available that allow specific machines to use insecure netlogon. For example, the following smb.conf:


===Changes since 4.13.15===
server schannel = yes
server require schannel:triceratops$ = no
server require schannel:greywacke$ = no


* Jeremy Allison <jra@samba.org>
will allow only "triceratops$" and "greywacke$" to avoid schannel.
:* [https://bugzilla.samba.org/show_bug.cgi?id=13979 BUG 13979]: [https://www.samba.org/samba/security/CVE-2021-43566.html CVE-2021-43566]: mkdir race condition allows share escape in Samba 4.x


[https://www.samba.org/samba/history/samba-4.13.16.html Release Notes Samba 4.13.16]
More details can be found here:
: [[ CVE-2020-1472]]


===UPGRADING===
==Samba 4.13.15==
:Release Notes for Samba 4.13.15
:December 15, 2021

===This is the latest stable release of the Samba 4.13 release series.===

===Important Notes===

===There have been a few regressions in the security release 4.13.14:===

*[https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]: A user on the domain can become root on domain members.
::PLEASE [RE-]READ!
::The instructions have been updated and some workarounds initially adviced for 4.13.14 are no longer required and should be reverted in most cases.

* [https://bugzilla.samba.org/show_bug.cgi?id=14902 BUG #14902]: User with multiple spaces (eg Fred<space><space>Nurk) become un-deletable. While this release should fix this bug, it is adviced to have a look at the bug report for more detailed information.

===Changes since 4.13.14===

* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14656 BUG #14656]: Spaces incorrectly collapsed in ldb attributes.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14901 BUG #14901]: The [https://www.samba.org/samba/security/CVE-2020-25718.html CVE-2020-25717] username map [script] advice has undesired side effects for the local nt token.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14902 BUG #14902]: User with multiple spaces (eg Fred<space><space>Nurk) become un-deletable.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14922 BUG #14922]: Kerberos authentication on standalone server in MIT realm broken.
* Alexander Bokovoy <ab@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14903 BUG #14903]: Support for ROLE_IPA_DC is incomplete.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14899 BUG #14899]: winbindd doesn't start when "allow trusted domains" is off.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14901 BUG #14901]: The [https://www.samba.org/samba/security/CVE-2020-25718.html CVE-2020-25717] username map [script] advice has undesired side effects for the local nt token.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14901 BUG #14901]: The [https://www.samba.org/samba/security/CVE-2020-25718.html CVE-2020-25717] username map [script] advice has undesired side effects for the local nt token.

[https://www.samba.org/samba/history/samba-4.13.15.html Release Notes Samba 4.13.15]

== Samba 4.13.14 ==
:Release Notes for Samba 4.13.14
:November 9, 2021

===This is a security release in order to address the following defects:===

* [https://www.samba.org/samba/security/CVE-2016-2124.html CVE-2016-2124] (SMB1 client connections can be downgraded to plaintext authentication)
* [https://www.samba.org/samba/security/CVE-2020-25718.html CVE-2020-25717] (A user in an AD Domain could become root on domain members)
::PLEASE READ! There are important behaviour changes described
* [https://www.samba.org/samba/security/CVE-2020-25718.html CVE-2020-25718] (Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC)
* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719] (Samba AD DC did not always rely on the SID and PAC in Kerberos tickets)
* [https://www.samba.org/samba/security/CVE-2020-25721.html CVE-2020-25721] (Kerberos acceptors need easy access to stable AD identifiers (eg objectSid))
* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722] (Samba AD DC did not do sufficient access and conformance checking of data stored)
* [https://www.samba.org/samba/security/CVE-2021-3738.html CVE-2021-3738] (Use after free in Samba AD DC RPC server)
* [https://www.samba.org/samba/security/CVE-2021-23192.html CVE-2021-23192] (Subsequent DCE/RPC fragment injection vulnerability)

===Changes since 4.13.13===
* Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
* Andrew Bartlett <abartlet@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25718.html CVE-2020-25718]
:* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719]
:* [https://www.samba.org/samba/security/CVE-2020-25721.html CVE-2020-25721]
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
* Ralph Boehme <slow@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]
* Alexander Bokovoy <ab@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]
* Samuel Cabrero <scabrero@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]
* Nadezhda Ivanova <nivanova@symas.com>
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
* Stefan Metzmacher <metze@samba.org>
:* [https://www.samba.org/samba/security/CVE-2016-2124.html CVE-2016-2124]
:* [https://www.samba.org/samba/security/CVE-2020-25717.html CVE-2020-25717]
:* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719]
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
:* [https://www.samba.org/samba/security/CVE-2021-23192.html CVE-2021-23192]
:* [https://www.samba.org/samba/security/CVE-2021-3738.html CVE-2021-3738]
:* ldb: version 2.2.3
* Andreas Schneider <asn@samba.org>
:* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719]
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049]
:* [https://www.samba.org/samba/security/CVE-2020-25718.html CVE-2020-25718]
:* [https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719]
:* [https://www.samba.org/samba/security/CVE-2020-25721.html CVE-2020-25721]
:* [https://www.samba.org/samba/security/CVE-2020-25722.html CVE-2020-25722]
[https://www.samba.org/samba/history/samba-4.13.14.html Release Notes Samba 4.13.14]

==Samba 4.13.13==
:Release Notes for Samba 4.13.13
:October 29, 2021

===This is the latest stable release of the Samba 4.13 release series.===

===Changes since 4.13.12===
* Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14868 BUG #14868]: rodc_rwdc test flaps.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14836 BUG #14836]: Python ldb.msg_diff() memory handling failure.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14845 BUG #14845]: "in" operator on ldb.Message is case sensitive.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14848 BUG #14848]: Release LDB 2.3.1 for Samba 4.14.9.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14871 BUG #14871]: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14874 BUG #14874]: Allow special chars like "@" in samAccountName when generating the salt.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Isaac Boukris <iboukris@gmail.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Viktor Dukhovni <viktor@twosigma.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=12998 BUG #12998]: Fix transit path validation.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Luke Howard <lukeh@padl.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* David Mulder <dmulder@suse.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14870 BUG #14870]: Prepare to operate with MIT krb5 >= 1.20.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14645 BUG #14645]: rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14836 BUG #14836]: Python ldb.msg_diff() memory handling failure.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14845 BUG #14845]: "in" operator on ldb.Message is case sensitive.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14848 BUG #14848]: Release LDB 2.3.1 for Samba 4.14.9.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14868 BUG #14868]: rodc_rwdc test flaps.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14871 BUG #14871]: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14874 BUG #14874]: Allow special chars like "@" in samAccountName when generating the salt.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.
* Nicolas Williams <nico@twosigma.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG #14642]: Provide a fix for MS [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049 CVE-2020-17049] in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14881 BUG #14881]: Backport bronze bit fixes, tests, and selftest improvements.

[https://www.samba.org/samba/history/samba-4.13.13.html Release Notes Samba 4.13.13].

==Samba 4.13.12==
:Release Notes for Samba 4.13.12
:September 22, 2021

===This is the latest stable release of the Samba 4.13 release series.===

===Changes since 4.13.11===

* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14806 BUG #14806]: Address a signifcant performance regression in database access in the AD DC since Samba 4.12.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14807 BUG #14807]: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14818 BUG #14818]: Address flapping samba_tool_drs_showrepl test.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14819 BUG #14819]: Address flapping dsdb_schema_attributes test.
* Björn Baumbach <bb@sernet.de>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ
* Luke Howard <lukeh@padl.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
* Gary Lockyer <gary@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
* Martin Schwenke <martin@meltin.net>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14784 BUG #14784]: Fix CTDB flag/status update race conditions.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG #14817]: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.

[https://www.samba.org/samba/history/samba-4.13.12.html Release Notes Samba 4.13.12].

==Samba 4.13.11==
:Release Notes for Samba 4.13.11
:September 07, 2021

===This is the latest stable release of the Samba 4.13 release series.===

===Changes since 4.13.10===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14769 BUG #14769]: smbd panic on force-close share during offload write.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14731 BUG #14731]: Fix returned attributes on fake quota file handle and avoid hitting the VFS.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14783 BUG #14783]: smbd "deadtime" parameter doesn't work anymore.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14787 BUG #14787]: net conf list crashes when run as normal user.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14607 BUG #14607]: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14793 BUG #14793]: Start the SMB encryption as soon as possible.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14792 BUG #14792]: Winbind should not start if the socket path for the privileged pipe is too long.

[https://www.samba.org/samba/history/samba-4.13.11.html Release Notes Samba 4.13.11].

==Samba 4.13.10==
:Release Notes for Samba 4.13.10
:July 14, 2021

===This is the latest stable release of the Samba 4.13 release series.===

===Changes since 4.13.9===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14708 BUG #14708]: s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14721 BUG #14721]: Take a copy to make sure we don't reference free'd memory.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14722 BUG #14722]: s3: lib: Fix talloc heirarcy error in parent_smb_fname().
:* [https://bugzilla.samba.org/show_bug.cgi?id=14736 BUG #14736]: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path.
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14575 BUG #14575]: samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14714 BUG #14714]: smbd: Correctly initialize close timestamp fields.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14740 BUG #14740]: Spotlight RPC service doesn't work with vfs_glusterfs.
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14475 BUG #14475]: ctdb: Fix a crash in run_proc_signal_handler().
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14750 BUG #14750]: gensec_krb5: Restore ipv6 support for kpasswd.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14752 BUG #14752]: smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.
* Joseph Sutton <josephsutton@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14027 BUG #14027]: samba-tool domain backup offline doesn't work against bind DLZ backend.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14669 BUG #14669]: netcmd: Use next_free_rid() function to calculate a SID for restoring a backup.

[https://www.samba.org/samba/history/samba-4.13.10.html Release Notes Samba 4.13.10].

==Samba 4.13.9==
Release Notes for Samba 4.13.9
May 11, 2021

===This is the latest stable release of the Samba 4.13 release series.===

===Changes since 4.13.8===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14571 BUG #14571]: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14689 BUG #14689]: Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14672 BUG #14672]: Fix smbd panic when two clients open same file.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14675 BUG #14675]: Fix memory leak in the RPC server.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14679 BUG #14679]: s3: smbd: Fix deferred renames.
* Samuel Cabrero <scabrero@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14675 BUG #14675]: s3-iremotewinspool: Set the per-request memory context.
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14675 BUG #14675]: rpc_server3: Fix a memleak for internal pipes.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=11899 BUG #11899]: third_party: Update socket_wrapper to version 1.3.2.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14640 BUG #14640]: third_party: Update socket_wrapper to version 1.3.3.
* Christof Schmitt <cs@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14663 BUG #14663]: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict.
* Martin Schwenke <martin@meltin.net
:* [https://bugzilla.samba.org/show_bug.cgi?id=14288 BUG #14288] : Fix the build on OmniOS.


[https://www.samba.org/samba/history/samba-4.13.9.html Release Notes Samba 4.13.9].

==Samba 4.13.8==
:Release Notes for Samba 4.13-8
:April 29, 2021

===This is a security release in order to address the following defect:===

* CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries in the Samba file server process token.

===Details===
* [https://www.samba.org/samba/security/CVE-2021-20254.html CVE-2021-20254]
:The Samba smbd file server must map Windows group identities (SIDs) into unix group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could cause the calling code to return those values into the process token that stores the group membership for a user.

:Most commonly this flaw caused the calling code to crash, but an alert user (Peter Eriksson, IT Department, Linköping University) found this flaw by noticing an unprivileged user was able to delete a file within a network share that they should have been disallowed access to.

:Analysis of the code paths has not allowed us to discover a way for a remote user to be able to trigger this flaw reproducibly or on demand, but this CVE has been issued out of an abundance of caution.

===Changes since 4.13.8===
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14571 BUG #14571]: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().

[https://www.samba.org/samba/history/samba-4.13.8.html Release Notes Samba 4.13.8].

==Samba 4.13.7==
:Release Notes for Samba 4.13.7
:March 24, 2021

===This is a security release in order to address the following defects:===

* [https://www.samba.org/samba/security/CVE-2020-27840.html CVE-2020-27840]: Heap corruption via crafted DN strings.
* [https://www.samba.org/samba/security/CVE-2021-20277.html CVE-2021-20277]: Out of bounds read in AD DC LDAP server.

===Details===
* [https://www.samba.org/samba/security/CVE-2020-27840.html CVE-2020-27840]:
:An anonymous attacker can crash the Samba AD DC LDAP server by sending easily crafted DNs as part of a bind request. More serious heap corruption is likely also possible.
* [https://www.samba.org/samba/security/CVE-2021-20277.html CVE-2021-20277]:
:User-controlled LDAP filter strings against the AD DC LDAP server may crash the LDAP server.

For more details, please refer to the security advisories.

===Changes since 4.12.12===

* Release with dependency on ldb version 2.2.1
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14634 BUG #14634]: [https://www.samba.org/samba/security/CVE-2021-20277.html CVE-2021-20277]: Fix out of bounds read in ldb_handler_fold.
* Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14634 BUG #14634]: [https://www.samba.org/samba/security/CVE-2020-27840.html CVE-2020-27840]: Fix unauthenticated remote heap corruption via bad DNs.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14634 BUG #14634]: [https://www.samba.org/samba/security/CVE-2021-20277.html CVE-2021-20277]: Fix out of bounds read in ldb_handler_fold.

[https://www.samba.org/samba/history/samba-4.13.7.html Release Notes Samba 4.13.7].

==Samba 4.13.5==
:Release Notes for Samba 4.13.5
:March 09, 2021

===This is the latest stable release of the Samba 4.13 release series.===

===Changes since 4.13.4===
* Trever L. Adams <trever.adams@gmail.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14634 BUG #14634]: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure.
* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=13992 BUG #13992]: s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14604 BUG #14604]: smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services.
* Andrew Bartlett <abartlet@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14593 BUG #14593]: dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones.
* Ralph Boehme <slow@samba.org
:* [https://bugzilla.samba.org/show_bug.cgi?id=14503 BUG #14503]: s3: Fix fcntl waf configure check.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14602 BUG #14602]: s3/auth: Implement "winbind:ignore domains".
:* [https://bugzilla.samba.org/show_bug.cgi?id=14617 BUG #14617]: smbd: Use fsp->conn->session_info for the initial delete-on-close token.
* Peter Eriksson <pen@lysator.liu.se>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14648 BUG #14648]: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path.
* Björn Jacke <bj@sernet.de>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14624 BUG #14624]: classicupgrade: Treat old never expires value right.
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14636 BUG #14636]: g_lock: Fix uninitalized variable reads.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=13898 BUG #13898]: s3:pysmbd: Fix fd leak in py_smbd_create_file().
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14625 BUG #14625]: lib:util: Avoid free'ing our own pointer.
* Paul Wise <pabs3@bonedaddy.net>
:* [https://bugzilla.samba.org/show_bug.cgi?id=12505 BUG #12505]: HEIMDAL: krb5_storage_free(NULL) should work.

[https://www.samba.org/samba/history/samba-4.13.5.html Release Notes Samba 4.13.5].

==Samba 4.13.4==
:Release Notes for Samba 4.13.4
:January 26, 2021

===This is the latest stable release of the Samba 4.13 release series.===

===Changes since 4.13.3===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14607 BUG #14607]: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14210 BUG #14612]: Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does.
* Dimitry Andric <dimitry@andric.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14605 BUG #14605]: lib: Avoid declaring zero-length VLAs in various messaging functions.
* Andrew Bartlett <abartlet@samba.org>
: [https://bugzilla.samba.org/show_bug.cgi?id=14579 BUG #14579]: Do not create an empty DB when accessing a sam.ldb.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14596 BUG #14596]: vfs_fruit may close wrong backend fd.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14612 BUG #14612]: Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does.
* Arne Kreddig <arne@kreddig.net>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14606 BUG #14606]: vfs_virusfilter: Allocate separate memory for config char*.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14596 BUG #14596]: vfs_fruit may close wrong backend fd.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14607 BUG #14607]: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14601 BUG #14601]: The cache directory for the user gencache should be created recursively.
* Martin Schwenke <martin@meltin.net>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14594 BUG #14594]: Be more flexible with repository names in CentOS 8 test environments.

[https://www.samba.org/samba/history/samba-4.13.4.html Release Notes Samba 4.13.4].

==Samba 4.13.3==
:Release Notes for Samba 4.13.3
:December 15, 2020

===This is the latest stable release of the Samba 4.13 release series.===

===Changes since 4.13.2===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14210 BUG #14210]: libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14486 BUG #14486]: s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14515 BUG #14515]: s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE().
:* [https://bugzilla.samba.org/show_bug.cgi?id=14568 BUG #14568]: s3: spoolss: Make parameters in call to user_ok_token() match all other uses.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14590 BUG #14590]: s3: smbd: Quiet log messages from usershares for an unknown share.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14248 BUG #14248]: samba process does not honor max log size.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14587 BUG #14587]: vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE.
* Isaac Boukris <iboukris@gmail.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=13124 BUG #13124]: s3-libads: Pass timeout to open_socket_out in ms.
* Günther Deschner <gd@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14537 BUG #14486]: s3-vfs_glusterfs: Always disable write-behind translator.
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14517 BUG #14517]: smbclient: Fix recursive mget.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14581 BUG #14581]: clitar: Use do_list()'s recursion in clitar.c.
* Anoop C S <anoopcs@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14486 BUG #14486]: manpages/vfs_glusterfs: Mention silent skipping of write-behind translator.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14573 BUG #14573]: vfs_shadow_copy2: Preserve all open flags assuming ROFS.
* Jones Syue <jonessyue@qnap.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14514 BUG #14514]: interface: Fix if_index is not parsed correctly.

[https://www.samba.org/samba/history/samba-4.13.3.html Release Notes Samba 4.13.3].

==Samba 4.13.2==
:Release Notes for Samba 4.13.2
:November 03, 2020

===This is the latest stable release of the Samba 4.13 release series.===

===Major enhancements include:===
* [https://bugzilla.samba.org/show_bug.cgi?id=14537 BUG #14537]: ctdb-common: Avoid aliasing errors during code optimization.
* [https://bugzilla.samba.org/show_bug.cgi?id=14486 BUG #14486]: vfs_glusterfs: Avoid data corruption with the write-behind translator.

===Details===

The GlusterFS write-behind performance translator, when used with Samba, could be a source of data corruption. The translator, while processing a write call, immediately returns success but continues writing the data to the server in the background. This can cause data corruption when two clients relying on Samba to provide data consistency are operating on the same file.

The write-behind translator is enabled by default on GlusterFS. The vfs_glusterfs plugin will check for the presence of the translator and refuse to connect if detected. Please disable the write-behind translator for the GlusterFS volume to allow the plugin to connect to the volume.


===Changes since 4.13.1===

* Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14486 BUG #14486]: s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return.
* Ralph Boehme <slow@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14471 BUG #14471]: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
* Alexander Bokovoy <ab@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14538 BUG #14538]: smb.conf.5: Add clarification how configuration changes reflected by Samba.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14552 BUG #14552]: daemons: Report status to systemd even when running in foreground.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14553 BUG #14553]: DNS Resolver: Support both dnspython before and after 2.0.0.
* Günther Deschner <gd@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14486 BUG #14486]: s3-vfs_glusterfs: Refuse connection when write-behind xlator is present.
* Amitay Isaacs <amitay@gmail.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14487 BUG #14487]: provision: Add support for BIND 9.16.x.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14537 BUG #14537]: ctdb-common: Avoid aliasing errors during code optimization.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14541 BUG #14541]: libndr: Avoid assigning duplicate versions to symbols.
* Björn Jacke <bjacke@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14522 BUG #14522]: docs: Fix default value of spoolss:architecture.
* Laurent Menase <laurent.menase@hpe.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14388 BUG #14388]: winbind: Fix a memleak.
* Stefan Metzmacher <metze@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14531 BUG #14531]: s4:dsdb:acl_read: Implement "List Object" mode feature.
* Sachin Prabhu <sprabhu@redhat.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14486 BUG #14486]: docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs.
* Khem Raj <raj.khem@gmail.com>
:* nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
* Anoop C S <anoopcs@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14530 BUG #14530]: vfs_shadow_copy2: Avoid closing snapsdir twice.
* Andreas Schneider <asn@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14547 BUG #14547]: third_party: Update resolv_wrapper to version 1.1.7.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14550 BUG #14550]: examples:auth: Do not install example plugin.
* Martin Schwenke <martin@meltin.net>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14513 BUG #14513]: ctdb-recoverd: Drop unnecessary and broken code.
* Andrew Walker <awalker@ixsystems.com>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14471 BUG #14471]: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.

[https://www.samba.org/samba/history/samba-4.13.2.html Release Notes Samba 4.13.2].

==Samba 4.13.1==
:Release Notes for Samba 4.13.1
:October 29, 2020

===This is a security release in order to address the following defects:===

* [https://www.samba.org/samba/security/CVE-2020-14318.html CVE-2020-14318]: Missing handle permissions check in SMB1/2/3 ChangeNotify.
* [https://www.samba.org/samba/security/CVE-2020-14323.html CVE-2020-14323]: Unprivileged user can crash winbind.
* [https://www.samba.org/samba/security/CVE-2020-14383.html CVE-2020-14383]: An authenticated user can crash the DCE/RPC DNS with easily crafted records.

===Details===

* [https://www.samba.org/samba/security/CVE-2020-14318.html CVE-2020-14318]:
: The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can request file name notification on a directory handle when a condition such as "new file creation" or "file size change" or "file timestamp update" occurs.

: A missing permissions check on a directory handle requesting ChangeNotify meant that a client with a directory handle open only for FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change notify replies from the server. These replies contain information that should not be available to directory handles open for FILE_READ_ATTRIBUTE only.

* [https://www.samba.org/samba/security/CVE-2020-14323.html CVE-2020-14323]:
: winbind in version 3.6 and later implements a request to translate multiple Windows SIDs into names in one request. This was done for performance reasons: The Microsoft RPC call domain controllers offer to do this translation, so it was an obvious extension to also offer this batch operation on the winbind unix domain stream socket that is available to local processes on the Samba server.

:Due to improper input validation a hand-crafted packet can make winbind perform a NULL pointer dereference and thus crash.

* [https://www.samba.org/samba/security/CVE-2020-14383.html CVE-2020-14383]:
: Some DNS records (such as MX and NS records) usually contain data in the additional section. Samba's dnsserver RPC pipe (which is an administrative interface not used in the DNS server itself) made an error in handling the case where there are no records present: instead of noticing the lack of records, it dereferenced uninitialised memory, causing the RPC server to crash. This RPC server, which also serves protocols other than dnsserver, will be restarted after a short delay, but it is easy for an authenticated non-admin attacker to crash it again as soon as it returns. The Samba DNS server itself will continue to operate, but many RPC services will not.

For more details, please refer to the security advisories.
* [[CVE-2020-14318]]
* [[CVE-2020-14323]]
* [[CVE-2020-14383]]

===Changes since 4.13===

o Jeremy Allison <jra@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14434 BUG #14434]: [https://www.samba.org/samba/security/CVE-2020-14318.html CVE-2020-14318]: s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.
* Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
:* [https://bugzilla.samba.org/show_bug.cgi?id=12795 BUG #12795]: [https://www.samba.org/samba/security/CVE-2020-14383.html CVE-2020-14383]: Remote crash after adding NS or MX records using 'samba-tool'.
:* [https://bugzilla.samba.org/show_bug.cgi?id=14472 BUG #14472]: [https://www.samba.org/samba/security/CVE-2020-14383.html CVE-2020-14383]: Remote crash after adding MX records.
* Volker Lendecke <vl@samba.org>
:* [https://bugzilla.samba.org/show_bug.cgi?id=14436 BUG #14436]: [https://www.samba.org/samba/security/CVE-2020-14323.html CVE-2020-14323]: winbind: Fix invalid lookupsids DoS.

[https://www.samba.org/samba/history/samba-4.13.1.html Release Notes Samba 4.13.1].

==Samba 4.13==
<onlyinclude>
:Release Notes for Samba 4.13
:September 22, 2020

===Release Announcements===
This is the first stable release of the Samba 4.13 release series. Please read the release notes carefully before upgrading.

===ZeroLogon===

Please avoid to set "server schannel = no" and "server schannel= auto" on all Samba domain controllers due to the wellknown ZeroLogon issue.

For details please see
: [[ CVE-2020-1472]]


===NEW FEATURES/CHANGES===
===NEW FEATURES/CHANGES===
Line 154: Line 656:
[[Release_Planning_for_Samba_4.13#Release_blocking_bugs]]
[[Release_Planning_for_Samba_4.13#Release_blocking_bugs]]


https://download.samba.org/pub/samba/rc/samba-4.13.0rc5.WHATSNEW.txt
[https://www.samba.org/samba/history/samba-4.13.0.html Release Notes Samba 4.13.0].

----
----
[[Category:Release Notes]]
[[Category:Release Notes]]

Latest revision as of 08:20, 22 March 2022

Samba 4.13 is Discontinued (End of Life).

Samba 4.13.17

Release Notes for Samba 4.13.17
January 31, 2022

This is a security release in order to address the following defects:

  • CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
  • CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.

Changes since 4.13.16

  • Ralph Boehme <slow@samba.org>
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  Release Notes Samba 4.13.17

Samba 4.13.16

Release Notes for Samba 4.13.16
January 10, 2022

This is a security release in order to address the following defects:

  • CVE-2021-43566: mkdir race condition allows share escape in Samba 4.x.

Details

All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS symlink race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed.
Clients that have write access to the exported part of the file system under a share via SMB1 unix extensions or NFS can create symlinks that can race the server by renaming an existing path and then replacing it with a symlink. If the client wins the race it can cause the server to create a directory under the new symlink target after the exported share path check has been done. This new symlink target can point to anywhere on the server file system. The authenticated user must have permissions to create a directory under the target directory of the symlink.
This is a difficult race to win, but theoretically possible. Note that the proof of concept code supplied wins the race only when the server is slowed down and put under heavy load. Exploitation of this bug has not been seen in the wild.


Changes since 4.13.15

  • Jeremy Allison <jra@samba.org>
  Release Notes Samba 4.13.16

Samba 4.13.15

Release Notes for Samba 4.13.15
December 15, 2021

This is the latest stable release of the Samba 4.13 release series.

Important Notes

There have been a few regressions in the security release 4.13.14:

  • CVE-2020-25717: A user on the domain can become root on domain members.
PLEASE [RE-]READ!
The instructions have been updated and some workarounds initially adviced for 4.13.14 are no longer required and should be reverted in most cases.
  • BUG #14902: User with multiple spaces (eg Fred<space><space>Nurk) become un-deletable. While this release should fix this bug, it is adviced to have a look at the bug report for more detailed information.

Changes since 4.13.14

  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14656: Spaces incorrectly collapsed in ldb attributes.
  • BUG #14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.
  • BUG #14902: User with multiple spaces (eg Fred<space><space>Nurk) become un-deletable.
  • Ralph Boehme <slow@samba.org>
  • BUG #14922: Kerberos authentication on standalone server in MIT realm broken.
  • Alexander Bokovoy <ab@samba.org>
  • BUG #14903: Support for ROLE_IPA_DC is incomplete.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14899: winbindd doesn't start when "allow trusted domains" is off.
  • BUG #14901: The CVE-2020-25717 username map [script] advice has undesired side effects for the local nt token.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  Release Notes Samba 4.13.15

Samba 4.13.14

Release Notes for Samba 4.13.14
November 9, 2021

This is a security release in order to address the following defects:

  • CVE-2016-2124 (SMB1 client connections can be downgraded to plaintext authentication)
  • CVE-2020-25717 (A user in an AD Domain could become root on domain members)
PLEASE READ! There are important behaviour changes described
  • CVE-2020-25718 (Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC)
  • CVE-2020-25719 (Samba AD DC did not always rely on the SID and PAC in Kerberos tickets)
  • CVE-2020-25721 (Kerberos acceptors need easy access to stable AD identifiers (eg objectSid))
  • CVE-2020-25722 (Samba AD DC did not do sufficient access and conformance checking of data stored)
  • CVE-2021-3738 (Use after free in Samba AD DC RPC server)
  • CVE-2021-23192 (Subsequent DCE/RPC fragment injection vulnerability)

Changes since 4.13.13

  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • Andrew Bartlett <abartlet@samba.org>
  • Ralph Boehme <slow@samba.org>
  • Alexander Bokovoy <ab@samba.org>
  • Samuel Cabrero <scabrero@samba.org>
  • Nadezhda Ivanova <nivanova@symas.com>
  • Stefan Metzmacher <metze@samba.org>
  • Andreas Schneider <asn@samba.org>
  • Joseph Sutton <josephsutton@catalyst.net.nz>
   Release Notes Samba 4.13.14

Samba 4.13.13

Release Notes for Samba 4.13.13
October 29, 2021

This is the latest stable release of the Samba 4.13 release series.

Changes since 4.13.12

  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • BUG #14868: rodc_rwdc test flaps.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
  • BUG #14836: Python ldb.msg_diff() memory handling failure.
  • BUG #14845: "in" operator on ldb.Message is case sensitive.
  • BUG #14848: Release LDB 2.3.1 for Samba 4.14.9.
  • BUG #14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
  • BUG #14874: Allow special chars like "@" in samAccountName when generating the salt.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Isaac Boukris <iboukris@gmail.com>
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Viktor Dukhovni <viktor@twosigma.com>
  • BUG #12998: Fix transit path validation.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Luke Howard <lukeh@padl.com>
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • David Mulder <dmulder@suse.com>
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Andreas Schneider <asn@samba.org>
  • BUG #14870: Prepare to operate with MIT krb5 >= 1.20.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
  • BUG #14645: rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb.
  • BUG #14836: Python ldb.msg_diff() memory handling failure.
  • BUG #14845: "in" operator on ldb.Message is case sensitive.
  • BUG #14848: Release LDB 2.3.1 for Samba 4.14.9.
  • BUG #14868: rodc_rwdc test flaps.
  • BUG #14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
  • BUG #14874: Allow special chars like "@" in samAccountName when generating the salt.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
  • Nicolas Williams <nico@twosigma.com>
  • BUG #14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.
  • BUG #14881: Backport bronze bit fixes, tests, and selftest improvements.
Release Notes Samba 4.13.13.

Samba 4.13.12

Release Notes for Samba 4.13.12
September 22, 2021

This is the latest stable release of the Samba 4.13 release series.

Changes since 4.13.11

  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14806: Address a signifcant performance regression in database access in the AD DC since Samba 4.12.
  • BUG #14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache.
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • BUG #14818: Address flapping samba_tool_drs_showrepl test.
  • BUG #14819: Address flapping dsdb_schema_attributes test.
  • Björn Baumbach <bb@sernet.de>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ
  • Luke Howard <lukeh@padl.com>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Volker Lendecke <vl@samba.org>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Gary Lockyer <gary@catalyst.net.nz>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Andreas Schneider <asn@samba.org>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
  • Martin Schwenke <martin@meltin.net>
  • BUG #14784: Fix CTDB flag/status update race conditions.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • BUG #14817: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ.
Release Notes Samba 4.13.12.

Samba 4.13.11

Release Notes for Samba 4.13.11
September 07, 2021

This is the latest stable release of the Samba 4.13 release series.

Changes since 4.13.10

  • Jeremy Allison <jra@samba.org>
  • BUG #14769: smbd panic on force-close share during offload write.
  • Ralph Boehme <slow@samba.org>
  • BUG #14731: Fix returned attributes on fake quota file handle and avoid hitting the VFS.
  • BUG #14783: smbd "deadtime" parameter doesn't work anymore.
  • BUG #14787: net conf list crashes when run as normal user.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14607: Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7.
  • BUG #14793: Start the SMB encryption as soon as possible.
  • Andreas Schneider <asn@samba.org>
  • BUG #14792: Winbind should not start if the socket path for the privileged pipe is too long.
Release Notes Samba 4.13.11.

Samba 4.13.10

Release Notes for Samba 4.13.10
July 14, 2021

This is the latest stable release of the Samba 4.13 release series.

Changes since 4.13.9

  • Jeremy Allison <jra@samba.org>
  • BUG #14708: s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for directory handles.
  • BUG #14721: Take a copy to make sure we don't reference free'd memory.
  • BUG #14722: s3: lib: Fix talloc heirarcy error in parent_smb_fname().
  • BUG #14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path.
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14575: samba-tool: Give better error information when the 'domain backup restore' fails with a duplicate SID.
  • Ralph Boehme <slow@samba.org>
  • BUG #14714: smbd: Correctly initialize close timestamp fields.
  • BUG #14740: Spotlight RPC service doesn't work with vfs_glusterfs.
  • Volker Lendecke <vl@samba.org>
  • BUG #14475: ctdb: Fix a crash in run_proc_signal_handler().
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14750: gensec_krb5: Restore ipv6 support for kpasswd.
  • BUG #14752: smbXsrv_{open,session,tcon}: Protect smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.
  • Joseph Sutton <josephsutton@catalyst.net.nz>
  • BUG #14027: samba-tool domain backup offline doesn't work against bind DLZ backend.
  • BUG #14669: netcmd: Use next_free_rid() function to calculate a SID for restoring a backup.
  Release Notes Samba 4.13.10.

Samba 4.13.9

Release Notes for Samba 4.13.9 May 11, 2021

This is the latest stable release of the Samba 4.13 release series.

Changes since 4.13.8

  • Jeremy Allison <jra@samba.org>
  • BUG #14571: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14689: Add documentation for dsdb_group_audit and dsdb_group_json_audit to "log level", synchronise "log level" in smb.conf with the code.
  • Ralph Boehme <slow@samba.org>
  • BUG #14672: Fix smbd panic when two clients open same file.
  • BUG #14675: Fix memory leak in the RPC server.
  • BUG #14679: s3: smbd: Fix deferred renames.
  • Samuel Cabrero <scabrero@samba.org>
  • BUG #14675: s3-iremotewinspool: Set the per-request memory context.
  • Volker Lendecke <vl@samba.org>
  • BUG #14675: rpc_server3: Fix a memleak for internal pipes.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #11899: third_party: Update socket_wrapper to version 1.3.2.
  • BUG #14640: third_party: Update socket_wrapper to version 1.3.3.
  • Christof Schmitt <cs@samba.org>
  • BUG #14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict.
  • Martin Schwenke <martin@meltin.net


  Release Notes Samba 4.13.9.

Samba 4.13.8

Release Notes for Samba 4.13-8
April 29, 2021

This is a security release in order to address the following defect:

  • CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries in the Samba file server process token.

Details

The Samba smbd file server must map Windows group identities (SIDs) into unix group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could cause the calling code to return those values into the process token that stores the group membership for a user.
Most commonly this flaw caused the calling code to crash, but an alert user (Peter Eriksson, IT Department, Linköping University) found this flaw by noticing an unprivileged user was able to delete a file within a network share that they should have been disallowed access to.
Analysis of the code paths has not allowed us to discover a way for a remote user to be able to trigger this flaw reproducibly or on demand, but this CVE has been issued out of an abundance of caution.

Changes since 4.13.8

  • Volker Lendecke <vl@samba.org>
  • BUG #14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().
  Release Notes Samba 4.13.8.

Samba 4.13.7

Release Notes for Samba 4.13.7
March 24, 2021

This is a security release in order to address the following defects:

Details

An anonymous attacker can crash the Samba AD DC LDAP server by sending easily crafted DNs as part of a bind request. More serious heap corruption is likely also possible.
User-controlled LDAP filter strings against the AD DC LDAP server may crash the LDAP server.

For more details, please refer to the security advisories.

Changes since 4.12.12

  • Release with dependency on ldb version 2.2.1
  • Andrew Bartlett <abartlet@samba.org>
  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Release Notes Samba 4.13.7.

Samba 4.13.5

Release Notes for Samba 4.13.5
March 09, 2021

This is the latest stable release of the Samba 4.13 release series.

Changes since 4.13.4

  • Trever L. Adams <trever.adams@gmail.com>
  • BUG #14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure.
  • Jeremy Allison <jra@samba.org>
  • BUG #13992: s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection.
  • BUG #14604: smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services.
  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14593: dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones.
  • Ralph Boehme <slow@samba.org
  • BUG #14503: s3: Fix fcntl waf configure check.
  • BUG #14602: s3/auth: Implement "winbind:ignore domains".
  • BUG #14617: smbd: Use fsp->conn->session_info for the initial delete-on-close token.
  • Peter Eriksson <pen@lysator.liu.se>
  • BUG #14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path.
  • Björn Jacke <bj@sernet.de>
  • BUG #14624: classicupgrade: Treat old never expires value right.
  • Volker Lendecke <vl@samba.org>
  • BUG #14636: g_lock: Fix uninitalized variable reads.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
  • Andreas Schneider <asn@samba.org>
  • BUG #14625: lib:util: Avoid free'ing our own pointer.
  • Paul Wise <pabs3@bonedaddy.net>
  • BUG #12505: HEIMDAL: krb5_storage_free(NULL) should work.
  Release Notes Samba 4.13.5.

Samba 4.13.4

Release Notes for Samba 4.13.4
January 26, 2021

This is the latest stable release of the Samba 4.13 release series.

Changes since 4.13.3

  • Jeremy Allison <jra@samba.org>
  • BUG #14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7.
  • BUG #14612: Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does.
  • Dimitry Andric <dimitry@andric.com>
  • BUG #14605: lib: Avoid declaring zero-length VLAs in various messaging functions.
  • Andrew Bartlett <abartlet@samba.org>
BUG #14579: Do not create an empty DB when accessing a sam.ldb.
  • Ralph Boehme <slow@samba.org>
  • BUG #14596: vfs_fruit may close wrong backend fd.
  • BUG #14612: Temporary DFS share setup doesn't set case parameters in the same way as a regular share definition does.
  • Arne Kreddig <arne@kreddig.net>
  • BUG #14606: vfs_virusfilter: Allocate separate memory for config char*.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14596: vfs_fruit may close wrong backend fd.
  • BUG #14607: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7.
  • Andreas Schneider <asn@samba.org>
  • BUG #14601: The cache directory for the user gencache should be created recursively.
  • Martin Schwenke <martin@meltin.net>
  • BUG #14594: Be more flexible with repository names in CentOS 8 test environments.
 Release Notes Samba 4.13.4.

Samba 4.13.3

Release Notes for Samba 4.13.3
December 15, 2020

This is the latest stable release of the Samba 4.13 release series.

Changes since 4.13.2

  • Jeremy Allison <jra@samba.org>
  • BUG #14210: libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob.
  • BUG #14486: s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function.
  • BUG #14515: s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE().
  • BUG #14568: s3: spoolss: Make parameters in call to user_ok_token() match all other uses.
  • BUG #14590: s3: smbd: Quiet log messages from usershares for an unknown share.
  • Ralph Boehme <slow@samba.org>
  • BUG #14248: samba process does not honor max log size.
  • BUG #14587: vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE.
  • Isaac Boukris <iboukris@gmail.com>
  • BUG #13124: s3-libads: Pass timeout to open_socket_out in ms.
  • Günther Deschner <gd@samba.org>
  • BUG #14486: s3-vfs_glusterfs: Always disable write-behind translator.
  • Volker Lendecke <vl@samba.org>
  • BUG #14517: smbclient: Fix recursive mget.
  • BUG #14581: clitar: Use do_list()'s recursion in clitar.c.
  • Anoop C S <anoopcs@samba.org>
  • BUG #14486: manpages/vfs_glusterfs: Mention silent skipping of write-behind translator.
  • BUG #14573: vfs_shadow_copy2: Preserve all open flags assuming ROFS.
  • Jones Syue <jonessyue@qnap.com>
  • BUG #14514: interface: Fix if_index is not parsed correctly.
 Release Notes Samba 4.13.3.

Samba 4.13.2

Release Notes for Samba 4.13.2
November 03, 2020

This is the latest stable release of the Samba 4.13 release series.

Major enhancements include:

  • BUG #14537: ctdb-common: Avoid aliasing errors during code optimization.
  • BUG #14486: vfs_glusterfs: Avoid data corruption with the write-behind translator.

Details

The GlusterFS write-behind performance translator, when used with Samba, could be a source of data corruption. The translator, while processing a write call, immediately returns success but continues writing the data to the server in the background. This can cause data corruption when two clients relying on Samba to provide data consistency are operating on the same file.

The write-behind translator is enabled by default on GlusterFS. The vfs_glusterfs plugin will check for the presence of the translator and refuse to connect if detected. Please disable the write-behind translator for the GlusterFS volume to allow the plugin to connect to the volume.


Changes since 4.13.1

  • Jeremy Allison <jra@samba.org>
  • BUG #14486: s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return.
  • Ralph Boehme <slow@samba.org>
  • BUG #14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
  • Alexander Bokovoy <ab@samba.org>
  • BUG #14538: smb.conf.5: Add clarification how configuration changes reflected by Samba.
  • BUG #14552: daemons: Report status to systemd even when running in foreground.
  • BUG #14553: DNS Resolver: Support both dnspython before and after 2.0.0.
  • Günther Deschner <gd@samba.org>
  • BUG #14486: s3-vfs_glusterfs: Refuse connection when write-behind xlator is present.
  • Amitay Isaacs <amitay@gmail.com>
  • BUG #14487: provision: Add support for BIND 9.16.x.
  • BUG #14537: ctdb-common: Avoid aliasing errors during code optimization.
  • BUG #14541: libndr: Avoid assigning duplicate versions to symbols.
  • Björn Jacke <bjacke@samba.org>
  • BUG #14522: docs: Fix default value of spoolss:architecture.
  • Laurent Menase <laurent.menase@hpe.com>
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14531: s4:dsdb:acl_read: Implement "List Object" mode feature.
  • Sachin Prabhu <sprabhu@redhat.com>
  • BUG #14486: docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs.
  • Khem Raj <raj.khem@gmail.com>
  • nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
  • Anoop C S <anoopcs@samba.org>
  • BUG #14530: vfs_shadow_copy2: Avoid closing snapsdir twice.
  • Andreas Schneider <asn@samba.org>
  • BUG #14547: third_party: Update resolv_wrapper to version 1.1.7.
  • BUG #14550: examples:auth: Do not install example plugin.
  • Martin Schwenke <martin@meltin.net>
  • BUG #14513: ctdb-recoverd: Drop unnecessary and broken code.
  • Andrew Walker <awalker@ixsystems.com>
  • BUG #14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
Release Notes Samba 4.13.2.

Samba 4.13.1

Release Notes for Samba 4.13.1
October 29, 2020

This is a security release in order to address the following defects:

  • CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify.
  • CVE-2020-14323: Unprivileged user can crash winbind.
  • CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records.

Details

The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can request file name notification on a directory handle when a condition such as "new file creation" or "file size change" or "file timestamp update" occurs.
A missing permissions check on a directory handle requesting ChangeNotify meant that a client with a directory handle open only for FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change notify replies from the server. These replies contain information that should not be available to directory handles open for FILE_READ_ATTRIBUTE only.
winbind in version 3.6 and later implements a request to translate multiple Windows SIDs into names in one request. This was done for performance reasons: The Microsoft RPC call domain controllers offer to do this translation, so it was an obvious extension to also offer this batch operation on the winbind unix domain stream socket that is available to local processes on the Samba server.
Due to improper input validation a hand-crafted packet can make winbind perform a NULL pointer dereference and thus crash.
Some DNS records (such as MX and NS records) usually contain data in the additional section. Samba's dnsserver RPC pipe (which is an administrative interface not used in the DNS server itself) made an error in handling the case where there are no records present: instead of noticing the lack of records, it dereferenced uninitialised memory, causing the RPC server to crash. This RPC server, which also serves protocols other than dnsserver, will be restarted after a short delay, but it is easy for an authenticated non-admin attacker to crash it again as soon as it returns. The Samba DNS server itself will continue to operate, but many RPC services will not.

For more details, please refer to the security advisories.

Changes since 4.13

o Jeremy Allison <jra@samba.org>

  • BUG #14434: CVE-2020-14318: s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.
  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • Volker Lendecke <vl@samba.org>
Release Notes Samba 4.13.1.

Samba 4.13

Release Notes for Samba 4.13
September 22, 2020

Release Announcements

This is the first stable release of the Samba 4.13 release series. Please read the release notes carefully before upgrading.

ZeroLogon

Please avoid to set "server schannel = no" and "server schannel= auto" on all Samba domain controllers due to the wellknown ZeroLogon issue.

For details please see

CVE-2020-1472

NEW FEATURES/CHANGES

Python 3.6 or later required

Samba's minimum runtime requirement for python was raised to Python 3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python 3.6 both to access new features and because this is the oldest version we test with in our CI infrastructure.

This is also the last release where it will be possible to build Samba (just the file server) with Python versions 2.6 and 2.7.

As Python 2.7 has been End Of Life upstream since April 2020, Samba is dropping ALL Python 2.x support in the NEXT release.

Samba 4.14 to be released in March 2021 will require Python 3.6 or later to build.

wide links functionality

For this release, the code implementing the insecure "wide links = yes" functionality has been moved out of the core smbd code and into a separate VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded by smbd as the last but one module before vfs_default if "wide links = yes" is enabled on the share (note, the existing restrictions on enabling wide links around the SMB1 "unix extensions" and the "allow insecure wide links" parameters are still in force). The implicit loading was done to allow existing users of "wide links = yes" to keep this functionality without having to make a change to existing working smb.conf files.

Please note that the Samba developers recommend changing any Samba installations that currently use "wide links = yes" to use bind mounts as soon as possible, as "wide links = yes" is an inherently insecure configuration which we would like to remove from Samba. Moving the feature into a VFS module allows this to be done in a cleaner way in future.

A future release to be determined will remove this implicit linkage, causing administrators who need this functionality to have to explicitly add the vfs_widelinks module into the "vfs objects =" parameter lists. The release notes will be updated to note this change when it occurs.

NT4-like 'classic' Samba domain controllers

Samba 4.13 deprecates Samba's original domain controller mode.

Sites using Samba as a Domain Controller should upgrade from the NT4-like 'classic' Domain Controller to a Samba Active Directory DC to ensure full operation with modern windows clients.

SMBv1 only protocol options deprecated

A number of smb.conf parameters for less-secure authentication methods which are only possible over SMBv1 are deprecated in this release.

REMOVED FEATURES

The deprecated "ldap ssl ads" smb.conf option has been removed.

smb.conf changes

 Parameter Name                     Description                Default
 --------------                     -----------                -------
 ldap ssl ads                       removed
 smb2 disable lock sequence checking				No
 domain logons                      Deprecated                 no
 raw NTLMv2 auth                    Deprecated                 no
 client plaintext auth              Deprecated                 no
 client NTLMv2 auth                 Deprecated                 yes
 client lanman auth                 Deprecated                 no
 client use spnego                  Deprecated                 yes
 server schannel                    To be removed in 4.13.0
 server require schannel:COMPUTER   Added


CHANGES SINCE 4.13.0rc5

  • Jeremy Allison <jra@samba.org>
  • BUG #14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords.
  • Günther Deschner <gd@samba.org>
  • BUG #14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations.
  • Gary Lockyer <gary@catalyst.net.nz>
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no".

CHANGES SINCE 4.13.0rc4

  • Andreas Schneider <asn@samba.org>
  • BUG #14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14.
  • BUG #14467: s3:smbd: Fix %U substitutions if it contains a domain name.
  • BUG #14479: The created krb5.conf for 'net ads join' doesn't have a domain entry.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14482: Fix build problem if libbsd-dev is not installed.

CHANGES SINCE 4.13.0rc3

  • David Disseldorp <ddiss at samba.org>
  • BUG #14437: build: Toggle vfs_snapper using "--with-shared-modules".
  • Volker Lendecke <vl at samba.org>
  • BUG #14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1 response.
  • Stefan Metzmacher <metze at samba.org>
  • BUG #14428: PANIC: Assert failed in get_lease_type().
  • BUG #14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1

CHANGES SINCE 4.13.0rc2

  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14460: Deprecate domain logons, SMBv1 things.
  • Günther Deschner <gd@samba.org>
  • Christof Schmitt <cs@samba.org>
  • BUG #14166: util: Allow symlinks in directory_create_or_exist.
  • Martin Schwenke <martin@meltin.net>
  • BUG #14466: ctdb disable/enable can fail due to race condition.

CHANGES SINCE 4.13.0rc1

  • Andrew Bartlett <abartlet at samba.org>
  • BUG #14450: dbcheck: Allow a dangling forward link outside our known NCs.
  • Isaac Boukris <iboukris at gmail.com>
  • BUG #14462: Remove deprecated "ldap ssl ads" smb.conf option.
  • Volker Lendecke <vl at samba.org>
  • BUG #14435: winbind: Fix lookuprids cache problem.
  • Stefan Metzmacher <metze at samba.org>
  • BUG #14354: kdc:db-glue: Ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos.
  • Andreas Schneider <asn at samba.org>
  • BUG #14358: docs: Fix documentation for require_membership_of of pam_winbind.conf.
  • Martin Schwenke <martin at meltin.net>
  • BUG #14444: ctdb-scripts: Use nfsconf as a last resort get nfsd thread count.

KNOWN ISSUES

Release_Planning_for_Samba_4.13#Release_blocking_bugs

 Release Notes Samba 4.13.0.