Samba 4.13 Features added/changed

From SambaWiki
Revision as of 20:32, 22 September 2020 by Fraz (talk | contribs) (→‎samba 4.13.0)

Samba 4.13 is Current Stable Release.

Samba 4.13

Release Notes for Samba 4.13
September 22, 2020

Release Announcements

This is the first stable release of the Samba 4.13 release series. Please read the release notes carefully before upgrading.


Please avoid to set "server schannel = no" and "server schannel= auto" on all Samba domain controllers due to the wellknown ZeroLogon issue.

For details please see



Python 3.6 or later required

Samba's minimum runtime requirement for python was raised to Python 3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python 3.6 both to access new features and because this is the oldest version we test with in our CI infrastructure.

This is also the last release where it will be possible to build Samba (just the file server) with Python versions 2.6 and 2.7.

As Python 2.7 has been End Of Life upstream since April 2020, Samba is dropping ALL Python 2.x support in the NEXT release.

Samba 4.14 to be released in March 2021 will require Python 3.6 or later to build.

wide links functionality

For this release, the code implementing the insecure "wide links = yes" functionality has been moved out of the core smbd code and into a separate VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded by smbd as the last but one module before vfs_default if "wide links = yes" is enabled on the share (note, the existing restrictions on enabling wide links around the SMB1 "unix extensions" and the "allow insecure wide links" parameters are still in force). The implicit loading was done to allow existing users of "wide links = yes" to keep this functionality without having to make a change to existing working smb.conf files.

Please note that the Samba developers recommend changing any Samba installations that currently use "wide links = yes" to use bind mounts as soon as possible, as "wide links = yes" is an inherently insecure configuration which we would like to remove from Samba. Moving the feature into a VFS module allows this to be done in a cleaner way in future.

A future release to be determined will remove this implicit linkage, causing administrators who need this functionality to have to explicitly add the vfs_widelinks module into the "vfs objects =" parameter lists. The release notes will be updated to note this change when it occurs.

NT4-like 'classic' Samba domain controllers

Samba 4.13 deprecates Samba's original domain controller mode.

Sites using Samba as a Domain Controller should upgrade from the NT4-like 'classic' Domain Controller to a Samba Active Directory DC to ensure full operation with modern windows clients.

SMBv1 only protocol options deprecated

A number of smb.conf parameters for less-secure authentication methods which are only possible over SMBv1 are deprecated in this release.


The deprecated "ldap ssl ads" smb.conf option has been removed.

smb.conf changes

 Parameter Name                     Description                Default
 --------------                     -----------                -------
 ldap ssl ads                       removed
 smb2 disable lock sequence checking				No
 domain logons                      Deprecated                 no
 raw NTLMv2 auth                    Deprecated                 no
 client plaintext auth              Deprecated                 no
 client NTLMv2 auth                 Deprecated                 yes
 client lanman auth                 Deprecated                 no
 client use spnego                  Deprecated                 yes
 server schannel                    To be removed in 4.13.0
 server require schannel:COMPUTER   Added


  • Jeremy Allison <>
  • BUG #14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect netr_ServerPasswordSet2 against unencrypted passwords.
  • Günther Deschner <>
  • BUG #14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support "server require schannel:WORKSTATION$ = no" about unsecure configurations.
  • Gary Lockyer <>
  • Stefan Metzmacher <>
  • BUG #14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client challenges in netlogon_creds_server_init() "server require schannel:WORKSTATION$ = no".


  • Andreas Schneider <>
  • BUG #14399: waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14.
  • BUG #14467: s3:smbd: Fix %U substitutions if it contains a domain name.
  • BUG #14479: The created krb5.conf for 'net ads join' doesn't have a domain entry.
  • Stefan Metzmacher <>
  • BUG #14482: Fix build problem if libbsd-dev is not installed.


  • David Disseldorp <ddiss at>
  • BUG #14437: build: Toggle vfs_snapper using "--with-shared-modules".
  • Volker Lendecke <vl at>
  • BUG #14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1 response.
  • Stefan Metzmacher <metze at>
  • BUG #14428: PANIC: Assert failed in get_lease_type().
  • BUG #14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1


  • Andrew Bartlett <>
  • BUG #14460: Deprecate domain logons, SMBv1 things.
  • Günther Deschner <>
  • Christof Schmitt <>
  • BUG #14166: util: Allow symlinks in directory_create_or_exist.
  • Martin Schwenke <>
  • BUG #14466: ctdb disable/enable can fail due to race condition.


  • Andrew Bartlett <abartlet at>
  • BUG #14450: dbcheck: Allow a dangling forward link outside our known NCs.
  • Isaac Boukris <iboukris at>
  • BUG #14462: Remove deprecated "ldap ssl ads" smb.conf option.
  • Volker Lendecke <vl at>
  • BUG #14435: winbind: Fix lookuprids cache problem.
  • Stefan Metzmacher <metze at>
  • BUG #14354: kdc:db-glue: Ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos.
  • Andreas Schneider <asn at>
  • BUG #14358: docs: Fix documentation for require_membership_of of pam_winbind.conf.
  • Martin Schwenke <martin at>
  • BUG #14444: ctdb-scripts: Use nfsconf as a last resort get nfsd thread count.



 Release Notes Samba 4.13.0.