Difference between revisions of "Samba 4.13 Features added/changed"

(KNOWN ISSUES)
(Samba 4.13.2)
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
Samba 4.13 is [[Samba_Release_Planning#Upcoming_Release|'''next upcoming release series''']].
+
Samba 4.13 is [[Samba_Release_Planning#Current_Stable_Release|'''Current Stable Release''']].
==Samba 4.13rc6==
+
==Samba 4.13.2==
<onlyinclude>
+
:Release Notes for Samba 4.13.2
:Release Notes for Samba 4.13rc6
+
:November 03, 2020
:September 18, 2020
+
 
 +
===This is the latest stable release of the Samba 4.13 release series.===
 +
 
 +
===Major enhancements include:===
 +
* [https://bugzilla.samba.org/show_bug.cgi?id=14537 BUG #14537]: ctdb-common: Avoid aliasing errors during code optimization.
 +
* [https://bugzilla.samba.org/show_bug.cgi?id=14486 BUG #14486]: vfs_glusterfs: Avoid data corruption with the write-behind translator.
 +
 
 +
===Details===
 +
 
 +
The GlusterFS write-behind performance translator, when used with Samba, could be a source of data corruption. The translator, while processing a write call, immediately returns success but continues writing the data to the server in the background. This can cause data corruption when two clients relying on Samba to provide data consistency are operating on the same file.
 +
 
 +
The write-behind translator is enabled by default on GlusterFS. The vfs_glusterfs plugin will check for the presence of the translator and refuse to connect if detected. Please disable the write-behind translator for the GlusterFS volume to allow the plugin to connect to the volume.
 +
 
 +
 
 +
===Changes since 4.13.1===
 +
 
 +
*  Jeremy Allison <jra@samba.org>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14486 BUG #14486]: s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return.
 +
*  Ralph Boehme <slow@samba.org>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14471 BUG #14471]: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
 +
*  Alexander Bokovoy <ab@samba.org>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14538 BUG #14538]: smb.conf.5: Add clarification how configuration changes reflected by Samba.
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14552 BUG #14552]: daemons: Report status to systemd even when running in foreground.
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14553 BUG #14553]: DNS Resolver: Support both dnspython before and after 2.0.0.
 +
*  Günther Deschner <gd@samba.org>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14486 BUG #14486]: s3-vfs_glusterfs: Refuse connection when write-behind xlator is present.
 +
*  Amitay Isaacs <amitay@gmail.com>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14487 BUG #14487]: provision: Add support for BIND 9.16.x.
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14537 BUG #14537]: ctdb-common: Avoid aliasing errors during code optimization.
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14541 BUG #14541]: libndr: Avoid assigning duplicate versions to symbols.
 +
*  Björn Jacke <bjacke@samba.org>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14522 BUG #14522]: docs: Fix default value of spoolss:architecture.
 +
*  Laurent Menase <laurent.menase@hpe.com>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14388 BUG #14388]: winbind: Fix a memleak.
 +
*  Stefan Metzmacher <metze@samba.org>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14531 BUG #14531]: s4:dsdb:acl_read: Implement "List Object" mode feature.
 +
*  Sachin Prabhu <sprabhu@redhat.com>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14486 BUG #14486]: docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs.
 +
*  Khem Raj <raj.khem@gmail.com>
 +
:* nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
 +
*  Anoop C S <anoopcs@samba.org>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14530 BUG #14530]: vfs_shadow_copy2: Avoid closing snapsdir twice.
 +
*  Andreas Schneider <asn@samba.org>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14547 BUG #14547]: third_party: Update resolv_wrapper to version 1.1.7.
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14550 BUG #14550]: examples:auth: Do not install example plugin.
 +
*  Martin Schwenke <martin@meltin.net>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14513 BUG #14513]: ctdb-recoverd: Drop unnecessary and broken code.
 +
*  Andrew Walker <awalker@ixsystems.com>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14471 BUG #14471]: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
 +
 
 +
[https://www.samba.org/samba/history/samba-4.13.2.html Release Notes Samba 4.13.2].
 +
 
 +
==Samba 4.13.1==
 +
:Release Notes for Samba 4.13.1
 +
:October 29, 2020
 +
 
 +
===This is a security release in order to address the following defects:===
  
===Release Announcements===
+
* [https://www.samba.org/samba/security/CVE-2020-14318.html CVE-2020-14318]: Missing handle permissions check in SMB1/2/3 ChangeNotify.
 +
* [https://www.samba.org/samba/security/CVE-2020-14323.html CVE-2020-14323]: Unprivileged user can crash winbind.
 +
* [https://www.samba.org/samba/security/CVE-2020-14383.html CVE-2020-14383]: An authenticated user can crash the DCE/RPC DNS with easily crafted records.
  
This is the sixth release condidate of Samba 4.13.  This is *not* intended for production environments and is designed for testing purposes only.  Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/.
+
===Details===
  
===Samba 4.13 will be the next version of the Samba suite.===
+
* [https://www.samba.org/samba/security/CVE-2020-14318.html CVE-2020-14318]:
===SECURITY===
+
: The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can request file name notification on a directory handle when a condition such as "new file creation" or "file size change" or "file timestamp update" occurs.
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472 CVE-2020-1472]: Unauthenticated domain takeover via netlogon ("ZeroLogon").
 
  
The following applies to Samba used as domain controller only (most seriously the Active Directory DC, but also the classic/NT4-style DC).
+
: A missing permissions check on a directory handle requesting ChangeNotify meant that a client with a directory handle open only for FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change notify replies from the server. These replies contain information that should not be available to directory handles open for FILE_READ_ATTRIBUTE only.
  
Installations running Samba as a file server only are not directly affected by this flaw, though they may need configuration changes to continue to talk to domain controllers (see "file servers and domain members" below).
+
* [https://www.samba.org/samba/security/CVE-2020-14323.html CVE-2020-14323]:
 +
: winbind in version 3.6 and later implements a request to translate multiple Windows SIDs into names in one request. This was done for performance reasons: The Microsoft RPC call domain controllers offer to do this translation, so it was an obvious extension to also offer this batch operation on the winbind unix domain stream socket that is available to local processes on the Samba server.
  
The netlogon protocol contains a flaw that allows an authentication bypass. This was reported and patched by Microsoft as [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472 CVE-2020-1472]. Since the bug is a protocol level flaw, and Samba implements the protocol, Samba is also vulnerable.
+
:Due to improper input validation a hand-crafted packet can make winbind perform a NULL pointer dereference and thus crash.
  
However, since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having 'server schannel = yes' in the smb.conf.
+
* [https://www.samba.org/samba/security/CVE-2020-14383.html CVE-2020-14383]:
 +
: Some DNS records (such as MX and NS records) usually contain data in the additional section. Samba's dnsserver RPC pipe (which is an administrative interface not used in the DNS server itself) made an error in handling the case where there are no records present: instead of noticing the lack of records, it dereferenced uninitialised memory, causing the RPC server to crash. This RPC server, which also serves protocols other than dnsserver, will be restarted after a short delay, but it is easy for an authenticated non-admin attacker to crash it again as soon as it returns. The Samba DNS server itself will continue to operate, but many RPC services will not.
  
Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines
+
For more details, please refer to the security advisories.
'server schannel = no'
+
* [[CVE-2020-14318]]
or
+
* [[CVE-2020-14323]]
'server schannel = auto'.
+
* [[CVE-2020-14383]]
  
Samba versions 4.7 and below are vulnerable unless they have
+
===Changes since 4.13===
'server schannel = yes'
 
in the smb.conf.
 
  
:Note: each domain controller needs the correct settings in its smb.conf.
+
o  Jeremy Allison <jra@samba.org>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14434 BUG #14434]: [https://www.samba.org/samba/security/CVE-2020-14318.html CVE-2020-14318]: s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.
 +
*  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=12795 BUG #12795]: [https://www.samba.org/samba/security/CVE-2020-14383.html CVE-2020-14383]: Remote crash after adding NS or MX records using 'samba-tool'.
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14472 BUG #14472]: [https://www.samba.org/samba/security/CVE-2020-14383.html CVE-2020-14383]: Remote crash after adding MX records.
 +
*  Volker Lendecke <vl@samba.org>
 +
:* [https://bugzilla.samba.org/show_bug.cgi?id=14436 BUG #14436]: [https://www.samba.org/samba/security/CVE-2020-14323.html CVE-2020-14323]: winbind: Fix invalid lookupsids DoS.
  
Vendors supporting Samba 4.7 and below are advised to patch their installations and packages to add this line to the [global] section if their smb.conf file.
+
[https://www.samba.org/samba/history/samba-4.13.1.html Release Notes Samba 4.13.1].
  
The 'server schannel = yes' smb.conf line is equivalent to Microsoft's 'FullSecureChannelProtection=1' registry key, the introduction of which we understand forms the core of Microsoft's fix.
+
==Samba 4.13==
 +
<onlyinclude>
 +
:Release Notes for Samba 4.13
 +
:September 22, 2020
  
Some domains employ third-party software that will not work with a 'server schannel = yes'. For these cases patches are available that allow specific machines to use insecure netlogon. For example, the following smb.conf:
+
===Release Announcements===
 +
This is the first stable release of the Samba 4.13 release series. Please read the release notes carefully before upgrading.
  
  server schannel = yes
+
===ZeroLogon===
  server require schannel:triceratops$ = no
 
  server require schannel:greywacke$ = no
 
  
will allow only "triceratops$" and "greywacke$" to avoid schannel.
+
Please avoid to set "server schannel = no" and "server schannel= auto" on all Samba domain controllers due to the wellknown ZeroLogon issue.
  
More details can be found here:
+
For details please see
 
: [[ CVE-2020-1472]]
 
: [[ CVE-2020-1472]]
 
===UPGRADING===
 
  
 
===NEW FEATURES/CHANGES===
 
===NEW FEATURES/CHANGES===
Line 154: Line 217:
 
[[Release_Planning_for_Samba_4.13#Release_blocking_bugs]]
 
[[Release_Planning_for_Samba_4.13#Release_blocking_bugs]]
  
https://download.samba.org/pub/samba/rc/samba-4.13.0rc6.WHATSNEW.txt
+
  [https://www.samba.org/samba/history/samba-4.13.0.html Release Notes Samba 4.13.0].
 +
 
 
----
 
----
 
[[Category:Release Notes]]
 
[[Category:Release Notes]]

Latest revision as of 09:35, 5 November 2020

Samba 4.13 is Current Stable Release.

Samba 4.13.2

Release Notes for Samba 4.13.2
November 03, 2020

This is the latest stable release of the Samba 4.13 release series.

Major enhancements include:

  • BUG #14537: ctdb-common: Avoid aliasing errors during code optimization.
  • BUG #14486: vfs_glusterfs: Avoid data corruption with the write-behind translator.

Details

The GlusterFS write-behind performance translator, when used with Samba, could be a source of data corruption. The translator, while processing a write call, immediately returns success but continues writing the data to the server in the background. This can cause data corruption when two clients relying on Samba to provide data consistency are operating on the same file.

The write-behind translator is enabled by default on GlusterFS. The vfs_glusterfs plugin will check for the presence of the translator and refuse to connect if detected. Please disable the write-behind translator for the GlusterFS volume to allow the plugin to connect to the volume.


Changes since 4.13.1

  • Jeremy Allison <jra@samba.org>
  • BUG #14486: s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return.
  • Ralph Boehme <slow@samba.org>
  • BUG #14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
  • Alexander Bokovoy <ab@samba.org>
  • BUG #14538: smb.conf.5: Add clarification how configuration changes reflected by Samba.
  • BUG #14552: daemons: Report status to systemd even when running in foreground.
  • BUG #14553: DNS Resolver: Support both dnspython before and after 2.0.0.
  • Günther Deschner <gd@samba.org>
  • BUG #14486: s3-vfs_glusterfs: Refuse connection when write-behind xlator is present.
  • Amitay Isaacs <amitay@gmail.com>
  • BUG #14487: provision: Add support for BIND 9.16.x.
  • BUG #14537: ctdb-common: Avoid aliasing errors during code optimization.
  • BUG #14541: libndr: Avoid assigning duplicate versions to symbols.
  • Björn Jacke <bjacke@samba.org>
  • BUG #14522: docs: Fix default value of spoolss:architecture.
  • Laurent Menase <laurent.menase@hpe.com>
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14531: s4:dsdb:acl_read: Implement "List Object" mode feature.
  • Sachin Prabhu <sprabhu@redhat.com>
  • BUG #14486: docs-xml/manpages: Add warning about write-behind translator for vfs_glusterfs.
  • Khem Raj <raj.khem@gmail.com>
  • nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
  • Anoop C S <anoopcs@samba.org>
  • BUG #14530: vfs_shadow_copy2: Avoid closing snapsdir twice.
  • Andreas Schneider <asn@samba.org>
  • BUG #14547: third_party: Update resolv_wrapper to version 1.1.7.
  • BUG #14550: examples:auth: Do not install example plugin.
  • Martin Schwenke <martin@meltin.net>
  • BUG #14513: ctdb-recoverd: Drop unnecessary and broken code.
  • Andrew Walker <awalker@ixsystems.com>
  • BUG #14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
Release Notes Samba 4.13.2.

Samba 4.13.1

Release Notes for Samba 4.13.1
October 29, 2020

This is a security release in order to address the following defects:

  • CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify.
  • CVE-2020-14323: Unprivileged user can crash winbind.
  • CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records.

Details

The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can request file name notification on a directory handle when a condition such as "new file creation" or "file size change" or "file timestamp update" occurs.
A missing permissions check on a directory handle requesting ChangeNotify meant that a client with a directory handle open only for FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change notify replies from the server. These replies contain information that should not be available to directory handles open for FILE_READ_ATTRIBUTE only.
winbind in version 3.6 and later implements a request to translate multiple Windows SIDs into names in one request. This was done for performance reasons: The Microsoft RPC call domain controllers offer to do this translation, so it was an obvious extension to also offer this batch operation on the winbind unix domain stream socket that is available to local processes on the Samba server.
Due to improper input validation a hand-crafted packet can make winbind perform a NULL pointer dereference and thus crash.
Some DNS records (such as MX and NS records) usually contain data in the additional section. Samba's dnsserver RPC pipe (which is an administrative interface not used in the DNS server itself) made an error in handling the case where there are no records present: instead of noticing the lack of records, it dereferenced uninitialised memory, causing the RPC server to crash. This RPC server, which also serves protocols other than dnsserver, will be restarted after a short delay, but it is easy for an authenticated non-admin attacker to crash it again as soon as it returns. The Samba DNS server itself will continue to operate, but many RPC services will not.

For more details, please refer to the security advisories.

Changes since 4.13

o Jeremy Allison <jra@samba.org>

  • BUG #14434: CVE-2020-14318: s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST.
  • Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  • Volker Lendecke <vl@samba.org>
Release Notes Samba 4.13.1.

Samba 4.13

Release Notes for Samba 4.13
September 22, 2020

Release Announcements

This is the first stable release of the Samba 4.13 release series. Please read the release notes carefully before upgrading.

ZeroLogon

Please avoid to set "server schannel = no" and "server schannel= auto" on all Samba domain controllers due to the wellknown ZeroLogon issue.

For details please see

CVE-2020-1472

NEW FEATURES/CHANGES

Python 3.6 or later required

Samba's minimum runtime requirement for python was raised to Python 3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python 3.6 both to access new features and because this is the oldest version we test with in our CI infrastructure.

This is also the last release where it will be possible to build Samba (just the file server) with Python versions 2.6 and 2.7.

As Python 2.7 has been End Of Life upstream since April 2020, Samba is dropping ALL Python 2.x support in the NEXT release.

Samba 4.14 to be released in March 2021 will require Python 3.6 or later to build.

wide links functionality

For this release, the code implementing the insecure "wide links = yes" functionality has been moved out of the core smbd code and into a separate VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded by smbd as the last but one module before vfs_default if "wide links = yes" is enabled on the share (note, the existing restrictions on enabling wide links around the SMB1 "unix extensions" and the "allow insecure wide links" parameters are still in force). The implicit loading was done to allow existing users of "wide links = yes" to keep this functionality without having to make a change to existing working smb.conf files.

Please note that the Samba developers recommend changing any Samba installations that currently use "wide links = yes" to use bind mounts as soon as possible, as "wide links = yes" is an inherently insecure configuration which we would like to remove from Samba. Moving the feature into a VFS module allows this to be done in a cleaner way in future.

A future release to be determined will remove this implicit linkage, causing administrators who need this functionality to have to explicitly add the vfs_widelinks module into the "vfs objects =" parameter lists. The release notes will be updated to note this change when it occurs.

NT4-like 'classic' Samba domain controllers

Samba 4.13 deprecates Samba's original domain controller mode.

Sites using Samba as a Domain Controller should upgrade from the NT4-like 'classic' Domain Controller to a Samba Active Directory DC to ensure full operation with modern windows clients.

SMBv1 only protocol options deprecated

A number of smb.conf parameters for less-secure authentication methods which are only possible over SMBv1 are deprecated in this release.

REMOVED FEATURES

The deprecated "ldap ssl ads" smb.conf option has been removed.

smb.conf changes

 Parameter Name                     Description                Default
 --------------                     -----------                -------
 ldap ssl ads                       removed
 smb2 disable lock sequence checking				No
 domain logons                      Deprecated                 no
 raw NTLMv2 auth                    Deprecated                 no
 client plaintext auth              Deprecated                 no
 client NTLMv2 auth                 Deprecated                 yes
 client lanman auth                 Deprecated                 no
 client use spnego                  Deprecated                 yes
 server schannel                    To be removed in 4.13.0
 server require schannel:COMPUTER   Added


CHANGES SINCE 4.13.0rc5

  • Jeremy Allison <jra@samba.org>
  • BUG #14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords.
  • Günther Deschner <gd@samba.org>
  • BUG #14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations.
  • Gary Lockyer <gary@catalyst.net.nz>
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no".

CHANGES SINCE 4.13.0rc4

  • Andreas Schneider <asn@samba.org>
  • BUG #14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14.
  • BUG #14467: s3:smbd: Fix %U substitutions if it contains a domain name.
  • BUG #14479: The created krb5.conf for 'net ads join' doesn't have a domain entry.
  • Stefan Metzmacher <metze@samba.org>
  • BUG #14482: Fix build problem if libbsd-dev is not installed.

CHANGES SINCE 4.13.0rc3

  • David Disseldorp <ddiss at samba.org>
  • BUG #14437: build: Toggle vfs_snapper using "--with-shared-modules".
  • Volker Lendecke <vl at samba.org>
  • BUG #14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1 response.
  • Stefan Metzmacher <metze at samba.org>
  • BUG #14428: PANIC: Assert failed in get_lease_type().
  • BUG #14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1

CHANGES SINCE 4.13.0rc2

  • Andrew Bartlett <abartlet@samba.org>
  • BUG #14460: Deprecate domain logons, SMBv1 things.
  • Günther Deschner <gd@samba.org>
  • Christof Schmitt <cs@samba.org>
  • BUG #14166: util: Allow symlinks in directory_create_or_exist.
  • Martin Schwenke <martin@meltin.net>
  • BUG #14466: ctdb disable/enable can fail due to race condition.

CHANGES SINCE 4.13.0rc1

  • Andrew Bartlett <abartlet at samba.org>
  • BUG #14450: dbcheck: Allow a dangling forward link outside our known NCs.
  • Isaac Boukris <iboukris at gmail.com>
  • BUG #14462: Remove deprecated "ldap ssl ads" smb.conf option.
  • Volker Lendecke <vl at samba.org>
  • BUG #14435: winbind: Fix lookuprids cache problem.
  • Stefan Metzmacher <metze at samba.org>
  • BUG #14354: kdc:db-glue: Ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos.
  • Andreas Schneider <asn at samba.org>
  • BUG #14358: docs: Fix documentation for require_membership_of of pam_winbind.conf.
  • Martin Schwenke <martin at meltin.net>
  • BUG #14444: ctdb-scripts: Use nfsconf as a last resort get nfsd thread count.

KNOWN ISSUES

Release_Planning_for_Samba_4.13#Release_blocking_bugs

 Release Notes Samba 4.13.0.